Don’t look now, but anti-bribery laws are breaking out all over the place.
In Europe, new laws either have come into effect, or will come into effect within 12 months, in France, Italy, and Ireland; Britain, of course, has already had its Bribery Act in force since 2011.
what does this shift mean for ethics and compliance officers trying to build and manage corporate compliance programs?
In Latin America, Brazil adopted the Clean Companies Act in 2014, and this fall the state of Rio De Janeiro adopted its own law requiring government contractors to have a compliance program. Argentina has a new anti-corruption law, including consideration companies should receive for having a compliance program.
Elsewhere in the world, Australia has introduced legislation to expand foreign bribery offenses and an “adequate procedures” defense. Even Saudi Arabia, no stranger to the lower end of business corruption rankings, is considering a whistleblower protection law.
At an abstract level, ethics and compliance officers can welcome this news: the world is trying to take corruption more seriously, one painstaking step at a time. Moreover, the laws coming into force generally acknowledge the importance of corporate compliance programs, and induce companies to build those programs.
At the practical level, however, what else does this shift mean for ethics and compliance officers trying to build and manage corporate compliance programs? A few things.
White Paper: Three Crucial Steps to Head Off Corporate Corruption
Think Global, Act Local
As cliché as that phrase may be, it fits for this situation. Anti-corruption laws are emerging around the world and those laws are pushing companies to have compliance programs. That means the calculus for creating a global anti-bribery policy, complete with global compliance program capabilities (I chose that word deliberately; we’ll get to why in a moment), becomes all the more compelling.
First, a global anti-bribery policy makes sense for simplicity’s sake alone. As more countries prosecute foreign bribery, those countries where bribery isn’t an enforcement risk dwindle down to zero. For global organizations – working in multiple markets, hiring employees from multiple countries, with stock trading on multiple exchanges – any act of bribery will expose the company to enforcement risk somewhere.
having more than one anti-bribery policy undermines the spirit of what anti-bribery statutes want to see: a culture of compliance
One policy that covers the whole enterprise keeps your policy management challenge simpler. Moreover, having more than one anti-bribery policy undermines the spirit of what anti-bribery statutes want to see: a culture of compliance. Using multiple anti-bribery policies says, subtly but essentially, “We have one expectation of conduct in this country, another in that country, and another in that third country,” and so forth. It’s more difficult to communicate that your corporate culture takes anti-corruption seriously, when different parts of the organization define “seriously” in different ways.
Does that mean all of a company’s anti-bribery procedures should be uniform across the world? No.
A policy only defines objectives: “we will not pay bribes to any government officials to win business,” or “business units must have adequate accounting procedures to block bribes from being paid.” Those objectives can be global.
The procedures to achieve those policy goals, however, can - and often should - be left to local business units, working in consultation with the compliance, audit, and corporate finance functions. I explored that idea earlier this summer: that policy and procedure aren’t the same thing, and one global policy could be achieved in multiple ways.
Remember Compliance Capabilities
Along similar lines, these new anti-bribery statutes generally reward companies that have some form of a compliance program – but they focus on what a compliance program must be able to do, rather than how it should operate. That is, they focus on capabilities.
For example, almost all the statutes say a compliance program should provide for anonymous reporting. They all require training, and risk assessments, and some sort of “tone at the top” (even if the exact wording differs). Most of their requirements trace back to the U.S. Sentencing Guidelines and its seven elements of an effective compliance program.
The question is how to build program capabilities at a global scale. If you delegate the procedures to local compliance officers and business units, as they follow global policies and achieve global capabilities – then you have a program that’s both robust and flexible. That’s the goal.
Easy to say, and easy to envision. But remember the other practical challenge: the more a chief compliance officer (and other risk management functions) focuses on policy and objectives, the more the whole organization needs strong agreement for those goals. That is, the more the organization needs strong tone at the top, core values, and a culture that believes in ethical conduct. Then you can entrust the local units to develop and follow procedures that work for you and them.