Fighting corruption is a major global initiative. The World Trade Organization, European Union and Association of Southeast Asian Nations, among others, require their members to address it. In the United States, the governing statute is the Foreign Corrupt Practices Act (FCPA). Last year, the United Kingdom passed the first major overhaul of its anti-corruption laws in more than a century, putting companies operating in that country under even more stringent regulations than those set down by FCPA by prohibiting commercial bribes in addition to bribes to foreign officials. This year, several other countries, including China and Russia, have issued new anti-corruption regulations. For multinationals, the proliferation of new requirements raises the compliance bar.
Consequences of corruption violations include criminal and civil enforcement actions, profit disgorgements, mega fines, suspensions from government contracting, jail terms for employees and reputation-damaging headlines. To avoid these consequences, firms should consider an anti-corruption program intended to prevent, deter and detect improper payments by employees and agents. A robust program typically includes:
- Risk assessment: A risk identification process that includes inventorying the applicable legal and regulatory requirements and explicit consideration of the risk of corruption involving foreign officials and employees or agents who operate outside of the home country, especially at locations known for unethical business practices, as well as the risk of commercial bribery, as applicable under the relevant laws and regulations. When assessing corruption risk, consider the risk profile of the countries in which the company operates (i.e., the cultural, political and regulatory environment), foreign and commercial relationships (i.e., the level and nature of involvement with government and company officials), and the nature of payments made in order to conduct business (e.g., business licenses, permits, certifications and inspections), among other things.
- Board oversight: Proactive understanding of potential corruption risks and oversight of the anticorruption compliance program by the board.
- Executive management supervision: Oversight of the compliance program by a designated senior executive, supported by appropriate resources and reinforced through consistent and ongoing “tone at the top” messages about compliance.
- Policies, standards, procedures and reporting mechanisms: Documented global anti-corruption policies, standards, procedures and reporting mechanisms, along with communication of the importance of same to employees. Effective escalation mechanisms should be in place for individuals to report criminal conduct and other concerns involving potential anti-corruption violations. Note that there isn’t an authoritative “one-size-fits-all” approach to designing an anti-corruption risk program. Implementation will vary widely depending upon the nature of the company’s business.
- Due diligence activities: Ensure appropriate due diligence is performed on employees, vendors, suppliers, potential business partners, representatives and third-party agents.
- Effective internal controls and monitoring: Internal controls for books and records, as well as proper accounting, including effective controls over cash accounts. Active monitoring of anti-corruption controls within financial and operational processes should occur to identify and report potential red flags. Periodic audits of the anti-corruption program policies, procedures and controls are advisable to assess their effectiveness at ensuring compliance at all levels and across the organization.
- Communication, training and awareness programs: Internal communications should convey the firm’s expectations that bribery and corruption will not be tolerated. Conduct awareness training on the appropriate behavior and legal requirements for employees, third-party agents and consultants conducting business on behalf of the organization.
- Investigation and disciplinary mechanisms: Thorough investigation and remediation of reported potential corruption violations, as well as disciplinary mechanisms that are consistently enforced for those who violate the global corruption compliance policy.
Companies should establish risk-based policies and procedures that provide reasonable assurance the organization and its agents are adhering to the provisions of applicable anti-corruption laws and implementing adequate systems of internal controls.
Questions for Boards
Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:
- Does management periodically identify and prioritize the organization’s key corruption risks?
- Does management understand situations in which the organization may be exposed to corruption in the normal course of business? For example:
- For business conducted in a high-risk country, has management assessed the level of exposure if corruption violations were to occur in that country?
- Does management use this understanding to enhance the company’s prevention, deterrence and detection capabilities?
- Does it make sense to cease doing business in the high-risk country?
- Has management considered how new requirements outside of a company’s home country jurisdiction may affect the company and its business in that jurisdiction and/or broaden the company’s compliance obligations?
How Protiviti Can Help
Protiviti assists companies with building sustainable corruption risk assessment processes and developing anti-corruption programs to meet fiduciary and regulatory responsibilities. We support efforts to prevent and detect corruption risk at every level.
Board Perspectives: Risk Oversight (Issue 21)