Everyone reading this post should have conducted a corporate risk assessment (CRA) in the past couple years. If not, stop reading and go conduct one now. Seriously, how can you know if your compliance program resources, training, policies and controls address the correct risks if you haven’t identified them through a rigorous CRA process?
If you are still reading, I assume you have conducted a CRA. Now, look at the top right quadrant of your heat map for high likelihood and high magnitude risks. This is where you should be able to find your company’s anti-corruption and bribery (ABC) risks. If you find this ABC risk at the top of your risk ranking, you can probably be confident that you have conducted a meaningful and accurate risk assessment.
Close to that quadrant, you should see third parties—because they are often the culprits when ABC non-compliance happens. For evidence of this, read the 2014 OECD Foreign Bribery Report. This report found that more than 75 percent of the 427 bribery and corruption cases studied involved third parties.
If, however, your CRA is missing either ABC or third-party risks—or if these risks fall below something innocuous like hotline posters in every break room—then it’s time to re-evaluate (or call in a partner like NAVEX Global) unless you are confident that your ABC program mitigation addresses all elements listed in this post.
New Survey Of ABC Risks Reminds Us That Many Gaps Exist
If you are wondering whether concerns about ABC risk are hyperbole or a GRC sales technique, then you probably have not seen the recent KPMG survey. Its findings, based on a survey of 659 risk managers, include several key points:
- There was a sharp increase, compared with a KPMG survey four years ago, in the proportion of respondents who say they are highly challenged by the issue of ABC.
- As companies continue to globalize, management of third parties poses the greatest challenge in executing ABC programs.
- Despite the difficulty of monitoring their business dealings with third parties, more than one third of respondents do not formally identify high-risk third parties. More than half of those respondents with right-to-audit clauses over third parties have not exercised the right.
- ABC considerations are accorded too low a priority by companies preparing to acquire, or merge with, other corporations across borders.
- Respondents complain they lack the resources to manage ABC risk.
- A top-down risk assessment would help companies set priorities, but executives admit that an ABC risk assessment is one of their companies’ top challenges.
- Data analytics is an increasingly important and cost-effective tool to assess ABC controls. Yet only a quarter of respondents use data analysis to identify violations and, of those that do, less than half continuously monitor data to spot potential violations.
Solutions To Help Minimize ABC and Third-Party Risks
These findings demonstrate the critical need for companies to identify and address ABC risks and the related roles third parties play in these risks. It is often daunting or overwhelming for companies to develop and undertake a program, yet doing nothing is not an acceptable defense. In fact, the U.S. Department of Justice and U.S. Securities and Exchange Commission provided guidance for compliance programs and third parties in 2012 when they jointly published A Resource Guide to the U.S. Foreign Corrupt Practices Act (FCPA Guide).
This FCPA Guide addresses the elements of an effective compliance program in the context of the FCPA and the bribery and corruption of foreign government officials. The FCPA Guide states, “In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how small or large the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.” The FCPA Guide goes on to say that, “Assessment of risk is fundamental to developing a strong compliance program.”
So, to address these survey findings and satisfy the SEC and DOJ, what common factors should every compliance program contain and be able to document?
- Conduct a robust corporate risk assessment that identifies ABC and the other top corporate and compliance risks, and that implements plans to mitigate them or reduce them to acceptable levels. This process should involve document review, surveys and interviews with SMEs and compliance stakeholders to address the likelihood, magnitude and mitigating controls of each risk. Document the process and update it regularly to adjust for changes in laws, industry regulations, risk tolerance, industry issues and cultural expectations. NAVEX Global’s Advisory Services team can assist companies in creating and developing risk assessments and mitigation plans.
- Create or update written policies and procedures to address these risks, particularly the highest risks. The best practice is to have a policy database (such as our policy and procedure management software tool, PolicyTech) to assist in this process. A centralized database should be easily accessible to users, regularly updated and a source for documentation of policy updates, training and investigations.
- Identify and address your company’s third-party risks. This is often the most challenging step for compliance programs, large and small. Companies commonly consider or engage hundreds to tens of thousands of third parties for both routine and critical roles, e.g. agents, distributors, resellers, etc. The FCPA Guide advises that, “Risk-based due diligence is particularly important with third parties…in assessing the effectiveness of a company’s compliance program.” This due diligence should also extend to third parties engaged by M&A targets: as the acquirer, your company would become the owner of that liability.
Conducting appropriate due diligence is a struggle for resource-challenged companies, and even bigger companies struggle because of the sheer number of third parties and the geographic and language barriers involved. Even so, a company cannot defend doing nothing. Every company must have a clear third-party policy and plan, and must implement them consistently.
Again, the FCPA Guide suggests that every compliance program should address the following guiding principles:
- As part of risk-based due diligence, companies should understand the qualifications and associates of their third parties. Scrutiny should increase as “red flags” surface.
- Companies should understand the business rationale for including a third party in the transaction.
- Companies should undertake some form of ongoing monitoring of third party relationships.
- The company should inform the third party of the company’s compliance program and commitment to ethical and lawful business practices.
To accomplish this risk-based due diligence and the ongoing monitoring of your third parties, look for a robust Software as a Service (SaaS) solution, such as NAVEX Global’s RiskRate. Automated tools like RiskRate provide due diligence and review of hundreds of databases in search of “red flags.” If red flags are identified, your policy and mitigation process can be used and documented to support the decisions to pursue or terminate the arrangement. For third parties who are engaged, the considerable advantage of RiskRate is that it will continuously monitor the databases for updates and provide real-time notices of changes. This type of data-driven analytics addresses most of the third-party concerns identified in the KPMG survey and the FCPA Guidance.
There is no need to boil the ocean, but you do have to turn on the stove. You can’t ignore these challenges because they seem insurmountable. The best way to address them is to devise a plan that implements changes in stages, and to determine how technology can help you build a significantly stronger program while making it more efficient and defensible.
To learn more about any of our SaaS tools or to talk to someone on our Advisory Services team about a consultation, contact us today.