Compliance officers do not have much confidence in their companies’ financial controls to catch books-and-records violations of the Foreign Corrupt Practices Act, according to a recent survey conducted by Compliance Week and Kroll.
Released earlier this month, the 2015 Anti-Bribery and Corruption Benchmarking Report examined the types of anti-bribery and corruption risk compliance officers face; the resources available to mitigate them; and how those resources can be implemented into anti-corruption programs.
According to the report, only 48 percent of 242 ethics, compliance, and audit executives polled said they’re confident in those financial controls. Within that unconfident group, the single biggest reason was “poor reporting relationships or collaboration” with the finance department, cited by 71 percent of them.
That means better relations with the finance department are crucial for compliance officers to gain greater confidence in their ability to spot FCPA books-and-records violations. “Having that cross-pollination between finance and compliance is going to make it easier for them to work side-by-side on both reporting and acting upon areas of concern,” says Robert Huff, a managing director of compliance with Kroll.
Aside from concerns about FCPA books-and-records violations, compliance departments continue to struggle with bribery and corruption. More than half of respondents (51 percent) said they expect such risks to increase over the next couple of years, primarily due to their companies expanding into new markets or engaging more third parties. This figure remains unchanged from last year’s survey. Another 29 percent said they expect their risks to remain steady.
For the second year in a row, the report asked respondents what types of misconduct qualify as “corrupt behavior” that the chief compliance officer is responsible for policing. Aside from bribery—which took the No. 1 spot as usual—respondents cited money-laundering (61 percent), bid-rigging (60 percent), and price-fixing (56 percent) as other prevalent corruption risks, findings that closely mirror last year’s results.
The good news is that the vast majority of respondents say they employ a variety of tactics to assess the integrity of their third parties, and seem to use risk-based factors to decide the appropriate amount of diligence each party deserves. Fifty-eight percent rate their due diligence procedures as effective.
Only 8 percent perform no due diligence at all, “which is still a bit surprising, given the regulatory focus that’s increasing year-over-year,” Huff says. The rest of the respondents said they tackle due diligence in numerous ways: from formal contracts to information collected by the business unit to professional investigations, according to the report.
Zoe Newman, a managing director with Kroll, said in the report that compliance officers are taking a more active approach on third-party due diligence. Five years ago, few compliance officers actively sought potential problems and mitigated them in advance. “Nowadays we’re finding it being done more,” she said.
Companies also seem to be using more of a risk-based approach to decide how much due diligence to perform, considering factors such as how much a third party will interact with foreign officials, the nature of the work to be performed, and where the third party is based.
Respondents further cited numerous reasons for not doing business with a third party: general or reputational integrity concerns (72 percent); evidence of bribes in previous dealings (63 percent); and questionable relationships with politically exposed persons (62 percent). Other reasons cited were unusual contract and payment structures and known dealings with sanctioned entities.
Although companies are proficient at due diligence at the start of a third-party relationship, they do not do as well at ongoing monitoring—despite having an average of 2,900 third-party relationships, according to the report.
Forty-eight percent of respondents said that they never train third parties on anti-bribery and corruption concerns. That’s an improvement from the 58 percent who said the same in last year’s survey, “but still alarmingly high given the large number of enforcement actions regulators take that involve third parties,” the report stated.
Just as self-certification has become a precondition for engaging a third party, participation in training should become “a second distinct precondition for moving a contract forward,” says Kevin Braine, managing director with Kroll’s compliance practice in Europe, the Middle East, and Africa. “That’s the only way to motivate third parties to start taking this a bit more seriously.”
THIRD PARTIES & DUE DILIGENCE
Below is an excerpt from Kroll and Compliance Week’s 2015 Anti-Bribery and Anti-Corruption Benchmarking Report.
Respondents who admit they never train third parties on their anti-bribery policies fell from 58 percent last year to 48 percent this year. That’s the good news. The bad news is 48 percent still are not training their third parties—an alarmingly high number considering how often third parties figure into FCPA or other anti-corruption enforcement.
“It’s a concern in this day and age that this number still exists,” said David Holley, a senior managing director with Kroll. Holley wonders whether that 48 percent is somewhat driven by the sheer volume of third parties most companies use; more than one-fifth of this year’s respondents report upwards of 5,000 third parties.
“Trying to conduct due diligence on a large number of third parties with whom you are doing business on a regular basis is like trying to change out the engine of a moving car,” Holley says. “It’s a daunting proposition, and one that companies may avoid because of the logistics and difficulties involved.”
Still, if a company can send invoices or other materials to its third parties, the company should be able to send its Code of Conduct as well and ask those parties to certify to it, he adds. Companies have improved at spreading anti-bribery and corruption awareness to their workforce; 66 percent report they train employees annually on ABC issues.
The percentage reporting annual training for third parties rose from 2014, but still hit only 27 percent. The mechanisms used to train both groups are similar, but companies tend to rely on self-certification for third parties rather than in-person training, which is more common for employees.
“While there has been phenomenal progress in the extent to which anti-bribery and anti-corruption issues have now made it on the training agenda for most large organizations, that’s still not really the case when it comes to training third parties,” says Braine.
Companies may be reluctant to spend money and time to push training to third parties because they suspect they will not get much enthusiasm from third parties, who may view it as one more compliance exercise. But just as self-certification has become a precondition for engaging a third party, participation in training should become “a second distinct precondition for moving a contract forward,” said Kevin Braine, managing director with Kroll’s Compliance practice in Europe, the Middle East and Africa. “That would be the only thing to motivate third parties to start taking this a bit more seriously, therefore it also motivates large corporates to actually spend time and effort in rolling these things out.”
Sources: Compliance Week; Kroll.
Companies that do provide anti-bribery and anti-corruption training to third parties typically deliver those messages by various means, and 74 percent said they provide training in local languages. Still, barely one-third of respondents rated their training “effective,” and even fewer said the same about their efforts to audit anti-corruption risks among their third parties.
Certain circumstances dictate more than others when to conduct third-party training. For example, “upon onboarding a new relationship, you’ll want to have that initial training,” Huff says. “As changes are made to the Code of Conduct or policies and procedures, those also need to be communicated to the third parties.”
“At a minimum, you want to make sure on an annual basis that you’re reaching out to your third parties and securing some sort of attestation of their continued compliance with the Code of Conduct,” Huff adds. Another prime opportunity to reinforce third-party training is when a contract renewal comes up, he says.
The report also found that the number of companies automating at least some part of their anti-bribery compliance program continues to grow, from 49 percent last year to 66 percent this year. That being said, the compliance program elements automated most often are training-related.
For example, 50 percent automate training for domestic employees, while 41 percent do so for training overseas employees. Other elements of anti-corruption compliance—vetting third parties, training third parties, tracking payments through subsidiaries, for example—are all automated much less frequently.
Braine cautions that not all training should be automated. “For senior executives in very high-risk roles—such as heads of procurement, heads of distribution, and other people involved at the top of supply chain management—nothing beats face-to-face training,” he says.
Such training should stress how things can go wrong not just in a generic sense, but also in your industry and among your competitors, Braine adds. Compliance also shouldn’t be shy about highlighting “misses or near misses they’ve had within their own organizations, because that’s the most effective way of making anti-bribery and anti-corruption training relevant to the people you have in the room,” he says.
Many companies tend to assume that if a third party hasn’t had any issues directly with law enforcement or regulators, it doesn’t need additional vetting, Huff says. “It’s a risk exposure that continues to loom for those companies that do not define their third-party population broadly enough.”
In that sense, sophisticated data analytics tools can help companies tame their risks by flagging high-risk transactions or relationships. For example, a lot of automation tools today send out a third-party questionnaire, which compliance can then use to risk-score each third party, based on where it does business, with whom it does business, and the nature of the third party’s work.
That initial risk-based evaluation can then serve as a way to segment third parties that may need additional due diligence. Regulators don’t expect companies to do an exhaustive level of due diligence on hundreds of thousands of third parties, Huff says, but what they do expect is that companies will employ a risk-based approach to evaluate their third-party relationships.