Viewing Your Anti-Corruption Efforts Through the Lens of ... · PROTIVITI • Viewing Your Anti-Corruption Efforts Through the Lens of the Hallmarks of an Effective Compliance Program

Viewing Your Anti-Corruption Efforts Through the Lens of the Hallmarks of an Effective Compliance Program

PROTIVITI • Viewing Your Anti -Corruption Effor ts Through the Lens of the Hallmarks of an Effect ive Compliance Program • 1

IntroductionIn November 2012, the Criminal Division of the U.S. Department of Justice (DOJ) and the Enforcement Division of the U.S. Securities and Exchange Commission (SEC) jointly released A Resource Guide to the U.S. Foreign Corrupt Practices Act (“the Guide”). While the 130-page guide is packed with useful information and written in an approachable style that is free from legalese, it provides perhaps its best and most useful information beginning on page 57 in the section titled, “Hallmarks of an Effective Compliance Program.” In the introduction to this section, the authors note that there is no such thing as a one-size-fits-all compliance program, and that it is expected that small to midsize companies’ compliance programs will very likely differ from those in place at much larger organizations. They also point out that companies may consider a variety of factors in tailoring a compliance program to their specific organizations.

Not unexpectedly, the Guide points out that the information about the hallmarks of effective compliance programs is not intended to be a substitute for a company’s own assessment of the risks that are nuanced to their organization. Organizations must consider a wide array of risk factors, including products and services, geographic markets, customer base, and the extent to which the company is likely to come into contact with foreign officials.

Despite this somewhat lawyerly disclaimer, this is an important document, one that anyone with any role in Foreign Corrupt Practices Act (FCPA) compliance should read over and over again. It is a clear statement from the government that “this is what we are looking for” in your anti-corruption program. Indeed, when evaluating a compliance program and designing audit procedures to test the efficacy of such programs, it is prudent to consider the elements that the government construes to be of critical importance. This white paper summarizes these program hallmarks and includes excerpts from each section of the Guide and information intended to provide further insight.1

1 It is recommended that interested parties read the entire section so as not to take any guidance out of context. The full guide is available on the SEC website: www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf.

www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf


Corruption

J. Mergers and Acquisi�ons:

Pre-Acquisi�on Due Diligence

and Post-Acquisi�on Integra�on

E. Training and

Con�nuing Advice

The Hallmarks of an Effective Compliance Program

As depicted in the accompanying graphic, the 10 hallmarks of an effective compliance program are:

A. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption

B. Code of Conduct and Compliance Policies and Procedures

C. Oversight, Autonomy and Resources

D. Risk Assessment

E. Training and Continuing Advice

F. Incentives and Disciplinary Measures

G. Third-Party Due Diligence and Payments

H. Confidential Reporting and Internal Investigation

I. Continuous Improvement: Periodic Testing and Review

J. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration


Within every organization, there is a cultural divide between compliance and business operations. Many individuals inside of organizations refer to compliance as the “business prevention department” or other equally disparaging terms. But inside every joking reference, no matter how innocent, is a little bit of truth in terms of how the organization views compliance. Even seemingly tongue-in-cheek references to compliance using such terms can convey the message that compliance is not to be taken seriously and the sales organization rules the roost. Compliance is not just the responsibility of compliance and legal; it is every organization’s collective responsibility and it starts with the board of directors and the C-suite. Without clear and persistent messaging emanating from the top of the organization and rooted in a clearly articulated policy against corruption, an anti-corruption program is not likely to be taken seriously by employees, business partners and other stakeholders.

The Guide also notes that the DOJ and SEC have frequently encountered companies with anti-corruption programs that were “strong on paper,” but observed that those organizations still had significant FCPA violations, which the agencies attributed to management’s failure to implement the program effectively even “in the face of obvious signs of corruption.” Absent the commitment of the board and senior management, as well as persistent and varied communication across the organization that corruption of any kind will not be tolerated, some employees may take this to be a signal of tacit approval of the types of behaviors that lead to liability under the FCPA, U.K. Bribery Act, and other anti-corruption laws and regulations.

Senior management’s anti-corruption messaging and training need to be tailored to the different constituencies across an organization, with particular attention being paid to employees and managers in a position to do the most harm. Sales executives, outside sales agents, country managers, distributors and other employees who are likely to have contact with foreign officials are on the front lines and represent your first line of defense. If they are not clear in their under-standing of what their obligations are under the company’s anti-corruption policy, then there is a much greater likelihood their actions may lead to liability under the law.

Policies and procedures; the training and corporate communications that convey and reinforce them; the controls implemented to deter, detect and investigate potential violations of the policy;

“DOJ anD SEC COnSiDEr thE COmmitmEnt Of COrpOratE lEaDErS tO a ‘CulturE Of COmplianCE’ anD lOOk tO SEE if thiS high-lEvEl COmmitmEnt iS alSO rEinfOrCED anD implEmEntED by miDDlE managErS anD EmplOyEES at all lEvElS Of a buSinESS.”2

A. COMMITMENT FROM SENIOR MANAGEMENT AND A CLEARLY ARTICULATED POLICY AGAINST CORRUPTION

Corruption




E. Training and

Con�nuing Advice

2 Ibid.


B. CODE OF CONDUCT AND COMPLIANCE POLICIES AND PROCEDURES

“aS DOJ haS rEpEatEDly nOtED in itS Charging DOCumEntS, thE mOSt EffECtivE CODES arE ClEar, COnCiSE, anD aCCESSiblE tO all EmplOyEES anD tO thOSE COnDuCting buSinESS On thE COmpany’S bEhalf.”3

Codes of conduct and compliance policies and procedures are a lot like insurance policies. Most companies could not imagine choosing not to insure against casualty, theft, fire, errors and omissions, directors’ and officers’ indemnity, and other forms of loss. Yet some companies operating internationally do not have meaningful codes of conduct and compliance policies and procedures that are specific to anti-corruption. Being able to demonstrate that your organization’s anti-corruption program has all the “hallmarks” of an effective compliance program, or that it constitutes “adequate procedures” as they are defined under the U.K. Bribery Act, can significantly lower a company’s potential criminal and civil liability under those statutes, even if a substantive violation has occurred.

According to the Guide, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it.”

If the policy sets the organizational tone and articulates the compliance “mission statement,” the code of conduct and compliance policies and procedures provide the master blueprint and tactical plan on how the organization will execute on that policy, how it will communicate it, the systems and processes it will use to implement and monitor it, and the techniques it will use to hold people accountable and to reward those who embody the policy’s ideals through extraordinary execution.

and the audit programs undertaken to ensure they have been properly implemented and are being adhered to, all set an organization’s tone and corporate culture. Properly implemented, an anti-corruption program reinforces corporate leadership’s unambiguous messaging that corruption of any kind is unacceptable and individuals found to be in violation of the anti-corruption program will be held accountable. Without the commitment and support of senior management, most anti-corruption programs will fall flat.

Corruption




E. Training and

Con�nuing Advice

3 Ibid.


C. OVERSIGHT, AUTONOMY AND RESOURCES

“in appraiSing a COmplianCE prOgram, DOJ anD SEC alSO COnSiDEr whEthEr a COmpany haS aSSignED rESpOnSibility fOr thE OvErSight anD implEmEntatiOn Of a COmpany’S COmplianCE prOgram tO OnE Or mOrE SpECifiC SEniOr ExECutivES within an OrganizatiOn. thOSE inDiviDualS muSt havE apprOpriatE authOrity within thE OrganizatiOn, aDEquatE autOnOmy frOm managEmEnt, anD SuffiCiEnt rESOurCES tO EnSurE that thE COmpany’S COmplianCE prOgram iS implEmEntED EffECtivEly. aDEquatE autOnOmy gEnErally inCluDES DirECt aCCESS tO an OrganizatiOn’S gOvErning authOrity, SuCh aS thE bOarD Of DirECtOrS anD COmmittEES Of thE bOarD Of DirECtOrS (E.g., thE auDit COmmittEE).”4

An organization’s chief compliance officer (CCO) is the company’s ambassador of the firm’s ethics and compliance program, both within the company and on the outside. CCOs are the public face of the company’s corporate ethos. The process of evaluating whether a compliance program is

The Guide also makes mention of the importance of making the policy, code of conduct, compliance program and procedures available in the languages spoken in each country where your company has operations and employees. This is part of the broader topic of “localizing” a code of conduct and compliance program. Typically, a global policy sets forth the guiding principles and rules that the company embraces to ensure it is operating in adherence with the laws in each country where it is operating. Most often, the bar is set by the highest global standard of the statutes being actively enforced across the world.

At present, the highest anti-corruption standards are delineated in the U.K. Bribery Act and the FCPA. Although companies may be subject to these two laws spanning many countries, they must also be in compliance with the relevant anti-corruption laws in each jurisdiction in which they operate, regardless of whether they are actively enforced. Bringing local laws into the local version of the anti-corruption policy and procedure documents, having them available in the local language, and training employees on them, including the localized aspects of the program, are critically important steps in ensuring the procedures underlying the program become enmeshed in the overall fabric of each local office and the way it conducts business.

Corruption




E. Training and

Con�nuing Advice

4 Ibid.


effective often starts with an appraisal of who the CCO is, what his or her qualifications are to hold the position, and whether that person is empowered and has sufficient resources.

While it is recognized that organizational size and complexity must play a part, there is an expectation that the person or people responsible for compliance are of sufficient stature and seniority that they will be taken seriously, are empowered, and have high-level, direct access to senior management and the board of directors. It is further expected that they will have the funding, headcount, and support of upper management in proportion to the size and complexity of the organization and its compliance needs.

There was a time when the CCO was a functionary – the keeper of the policies and procedures and someone who kept track of annual training. That is no longer the case – not by a long shot. Increasingly, CCOs lead investigations, drive critically important global initiatives, and are on equal footing with other executives in the C-suite. Some organizations have even gone so far as to completely separate the compliance function from in-house counsel and elevate the CCO to the same level as the general counsel, with each reporting to the chief executive officer (CEO) or board of directors. While those situations are still somewhat rare, it speaks to the critical role the CCO plays. And it certainly corresponds to the Guide, which notes that compliance program oversight should have “appropriate authority within the organization, adequate autonomy from management …”

The Guide also states that the CCO and the compliance program should have “sufficient resources to ensure that the company’s compliance program is implemented effectively.”

It is a rare situation when a CCO is flush with resources. Most compliance programs are “lean and mean,” and many are doing what they can with very little in the way of headcount and budget. It is important to understand how the government may perceive a situation wherein a compliance program is so under-resourced that it is incapable of doing all that is required. An under-resourced program is very likely to be construed as having a lack of “commitment from senior management.” Further, it sends a message across the organization that the CCO and the compliance program are not organizational priorities, and the obligations they are trying to convey are not important and need not be taken seriously.

The vast majority of CCOs are knowledgeable, committed and mission-oriented. Some, though, are a bit disillusioned since they were brought in to drive a culture of compliance, only to discover that their chosen profession is not an organizational priority, and the commitments made to them at the outset have not been backed up by resources needed to be effective. If the CCO is the company’s compliance ambassador and a symbol of its commitment to a culture of compliance, is pulling the rug out from under that person a sustainable business strategy? Of course not.

Part of the trust companies put in CCOs is associated with their understanding of what an effective compliance program looks like and what resources it takes to sustain it. Metrics, charts and graphs showing measurable results to the board of directors must include the growth of the program itself, not just its accomplishments. While there is no magic formula in terms of headcount and budget, there is a clear expectation that the department and its resources should be proportionate to the size and complexity of risk that a company faces. Most global organizations apply sophisticated management techniques to measure performance, optimize their operations,


D. RISK ASSESSMENT

“DEvOting a DiSprOpOrtiOnatE amOunt Of timE pOliCing mODESt EntErtainmEnt anD gift-giving inStEaD Of fOCuSing On largE gOvErnmEnt biDS, quEStiOnablE paymEntS tO thirD-party COnSultantS, Or ExCESSivE DiSCOuntS tO rESEllErS anD DiStributOrS may inDiCatE that a COmpany’S COmplianCE prOgram iS inEffECtivE … Similarly, pErfOrming iDEntiCal DuE DiligEnCE On all thirD-party agEntS, irrESpECtivE Of riSk faCtOrS, iS OftEn COuntErprODuCtivE, DivErting attEntiOn anD rESOurCES away frOm thOSE thirD partiES that pOSE thE mOSt SignifiCant riSkS.”5

While it is important for your program to align with each hallmark of an effective compliance program, risk assessment is where the rubber meets the road. Companies are like snowflakes: No two are exactly alike. That is why, in order for a compliance program to be truly effective, it must be tailored to a given organization’s unique risk profile. Risk assessments examine the business lines, products and services, sales process, distribution channels, customer base, compliance headcount and resources, activities, culture, training, corporate communications, human resources, policies and procedures, control environment, and geographies. Without a thorough examination of these aspects of the business, the company cannot state with confidence that it understands where it faces the greatest risk for violation of the FCPA.

FBI agents, SEC enforcement staff and federal prosecutors all have a keen understanding of where corruption risk tends to come from and know the exact questions to ask you in order to test your knowledge of risk factors. They also will be able to assess quickly whether you have ever conducted a risk assessment and acted upon what was learned. Simple questions such as “How many of your customers are state-owned?” and “How do you determine which of your business intermediaries represent a heightened risk of corruption?” often come early in the initial meeting – and set the tone for whether that meeting goes well.

Corruption




E. Training and

Con�nuing Advice

and determine appropriate staffing and budgets. Applying this same level of analysis in planning for the resource and staffing needs of the compliance organization, and then translating the results into actions, will go a long way toward satisfying regulators that the compliance program has sufficient resources and the support of upper management.

5 Ibid.


E. TRAINING AND CONTINUING ADVICE

“DOJ anD SEC will EvaluatE whEthEr a COmpany haS takEn StEpS tO EnSurE that rElEvant pOliCiES anD prOCEDurES havE bEEn COmmuniCatED thrOughOut thE OrganizatiOn, inCluDing thrOugh pEriODiC training anD CErtifiCatiOn fOr all DirECtOrS, OffiCErS, rElEvant EmplOyEES, anD, whErE apprOpriatE, agEntS anD buSinESS partnErS.”6

Remarkably, in some organizations, ethics and compliance programs are well-kept secrets. Years ago, when performing a risk assessment, we asked a CEO of a company operating in a highly regulated industry how frequently he sent a message companywide about the compliance program. He became very sheepish and owned up to the fact that he had never done so. To his credit, he was also horrified; he immediately called his head of corporate communications and sent his first such communication across the company a few hours later.

Training and communication are what put an anti-corruption program into action and begin to sow the seeds of a culture of compliance. Frequent, varied communication across different media, coupled with training that instills knowledge, raises awareness, is interactive and, ideally, is tailored to both the company’s unique attributes and the organizational roles of training recipients, represents the ideal. Computer-based training is an excellent way to provide a baseline of knowledge cost-effectively to the broadest possible audience. But if that is all the training you have done, it may be falling a bit short.

Part of the output of the risk assessment process is the identification of the various organizational touch points at which some of your employees, executives and business intermediaries may come into substantive contact with foreign officials. Whether they know it or not, these are high corruption risk employees and business partners. Knowing that, are you comfortable that the off-the-shelf training they just received provides them with enough information to respond adequately when a potential bribery scenario is unfolding in front of them?

Since these are the individuals on the front lines in the war against corruption, it stands to reason that they need more advanced, in-depth training and more frequent communication to better prepare them to protect the company from exposure under the FCPA. Such advanced training and communication should contemplate the kind of risk scenarios likely to be encountered given what the company does, where it does it, and a specific individual’s responsibilities. Business development professionals and sales agents, for example, should receive training and work through case studies that include activities that may take place at trade shows and conferences, during the request for proposal or public tendering processes, or through corporate gift-giving and entertainment.

Corruption




E. Training and

Con�nuing Advice

6 Ibid.


F. INCENTIVES AND DISCIPLINARY MEASURES

“DOJ anD SEC will … COnSiDEr whEthEr, whEn EnfOrCing a COmplianCE prOgram, a COmpany haS apprOpriatE anD ClEar DiSCiplinary prOCEDurES, whEthEr thOSE prOCEDurES arE appliED rEliably anD prOmptly, anD whEthEr thEy arE COmmEnSuratE with thE viOlatiOn. many COmpaniES havE fOunD that publiCizing DiSCiplinary aCtiOnS intErnally, whErE apprOpriatE unDEr lOCal law, Can havE an impOrtant DEtErrEnt EffECt, DEmOnStrating that unEthiCal anD unlawful aCtiOnS havE Swift anD SurE COnSEquEnCES. DOJ anD SEC rECOgnizE that pOSitivE inCEntivES Can alSO DrivE COmpliant bEhaviOr.”7

Another one of those questions that tends to get asked by regulators, the FBI and federal prosecutors is: “What steps have you taken to discipline people for breaches of your compliance program?” While there may be a whole array of reasons why no one has yet been disciplined under a compliance program, the government may see the lack of such action as a signal that it is a paper program you have no appetite to enforce. This frame of reference can then reverberate into other aspects of the program and call its effectiveness into question, particularly the hallmarks of the Commitment of Senior Management and the Code of Conduct and Compliance Policies and Procedures. There is a very reasonable expectation that periodically, documented breaches of the program will result in disciplinary actions, including dismissals. Countering with the argument that there have not been any breaches likewise may not go according to plan, since that may call into question the program’s overall ability to detect and deter problematic behaviors as opposed to showcasing how well you are doing. Your self-assessment of the program and the audit procedures should consider these issues, examine the reasons for these issues, and seek to apply what you have learned before an issue ever becomes an area of regulatory focus.

It is only with this type of advanced training – bringing together key facts about the law, the risks unique to a given organization, the scenarios that a high-risk individual is likely to encounter, and what to do and who to call when things start to unravel – that the light bulbs start to come on overhead. Suddenly, it is very clear what must be done. If your anti-corruption program can accomplish this lofty goal, you are well on your way to building a culture of compliance.

Corruption




E. Training and

Con�nuing Advice

7 Ibid.


The name of this particular hallmark is Incentives and Disciplinary Measures – the proverbial carrot and the stick. So far, we have only discussed the stick. Indeed, many corporate compliance programs fall short when it comes to recognizing and rewarding performance as it relates to compliance. There are a few reasons for this; perhaps the biggest is that compliance is seldom, if ever, considered when formulating individual performance goals.

For most organizations, goal-setting is the foundation of performance management. Each year, companies set goals across different categories of organizational and individual performance. Revenue generation, profitability, mentoring, and teamwork, and the achievement of individual milestones such as the receipt of a professional credential, are examples of performance goals. If compliance is not part of goal-setting and performance measurement, what is that saying to individual employees about the importance of compliance? Even if compliance is not often a part of formal performance management, which is the situation in the vast majority of organizations, there are still ways to recognize individuals formally when they take some action that makes a dramatic difference to the organization from a compliance perspective.

Consider this scenario: A facilities manager in one of your overseas manufacturing plants is meeting with a safety inspector from the local government. The inspector notices that several of the company’s employees are not wearing their required protective gear, points it out, and further states that he is required by law to shut the plant down until the deficiencies have been remedied. He then says that he could “let it go this time” if he and the facilities manager could “come to an understanding.” Instead of acquiescing to the not-so-subtle request, the facilities manager stands his or her ground and offers to escalate it to the respective supervisors, at which point the inspector backs off.

This is the sort of “learning moment” that senior management and the CCO should shout from the rooftops as an example of how well their compliance program is working. It is also an opportunity to recognize someone for doing what was right, rewarding them for it, and using it as a means of continuing the culture of compliance conversation across the company.


G. THIRD-PARTY DUE DILIGENCE AND PAYMENTS

The vast majority of FCPA enforcement actions involve bribery payments made by third parties, as opposed to those made directly by employees or officers. While the Guide makes mention of what might be termed the “usual suspects” (e.g., sales agents, consultants and distributors), there are a wide range of business intermediaries who may be interacting with foreign officials on your behalf. Still, the Guide is the most detailed document coming out of the U.S. government on the subject of third-party due diligence since the publication of Opinion Procedure Release 08-02.9 Given the potentially devastating implications of failing to get third-party due diligence right, this is the hallmark to which we have dedicated the most attention.

In essence, the Guide states that while due diligence may and should vary depending upon the degree of risk and other factors, “some guiding principles always apply.” These guiding principles are summarized below:

1. Qualifications and Associations

What is the third party’s business reputation, and relationship, if any, with foreign officials? How long has the third party been in business, and is the proposed relationship consistent with its business experience? Equally important considerations include whether other companies were considered, whether there was a competitive bidding process, and whether the company was “recommended” by a foreign official.

2. Business Rationale

Why is it important to the company to include the third party in the transaction? What is the role of, and need for, the third party? Ensure the contract terms specifically describe the goods or services to be provided. Other important considerations under these guiding principles are payment terms, including how they compare to typical terms in that industry and country, and

“DOJ’S anD SEC’S fCpa EnfOrCEmEnt aCtiOnS DEmOnStratE that thirD partiES, inCluDing agEntS, COnSultantS, anD DiStributOrS, arE COmmOnly uSED tO COnCEal thE paymEnt Of bribES tO fOrEign OffiCialS in intErnatiOnal buSinESS tranSaCtiOnS. riSk-baSED DuE DiligEnCE iS partiCularly impOrtant with thirD partiES anD will alSO bE COnSiDErED by DOJ anD SEC in aSSESSing thE EffECtivEnESS Of a COmpany’S COmplianCE prOgram.”8

Corruption




E. Training and

Con�nuing Advice

8 Ibid.9 “Foreign Corrupt Practices Act Review,” Opinion Procedure Release, No.: 08-02, U.S. DOJ, June 13, 2008: www.justice.gov/criminal/

fraud/fcpa/opinion/2008/0802.pdf.

www.justice.gov/criminal/fraud/fcpa/opinion/2008/0802.pdf

www.justice.gov/criminal/fraud/fcpa/opinion/2008/0802.pdf


whether there is anything about the timing of the third party’s introduction to the company that may call into question the motives and legitimacy of the business rationale. Often, after long pursuit of a business opportunity and perhaps a bureaucratic delay (real or orchestrated), a government official may suggest retaining a consultant to help usher the process along through bureaucratic processes. The timing of the bureaucratic snarl and the introduction of the consultant could be a way for the foreign official to exact an improper payment through his undisclosed ownership and cooperation with the consultant he is urging you to retain.

It is also a good idea to confirm and document that the third party is actually performing the agreed-upon work and that compensation is commensurate with the value being delivered.

3. Ongoing Monitoring

The Guide suggests that ongoing monitoring may include “updating due diligence periodically, exercising audit rights, providing periodic training, and requesting annual compliance certifications by the third party.” The DOJ and SEC are also interested in whether the company has informed third parties of the compliance program and the company’s commitment to ethical and lawful business practices, and whether it has sought assurances that they, too, are committed to ethical and lawful business practices.

4. The Eight Essentials of a Third-Party Anti-Corruption Program

You won’t find these in the Guide, but here are the “Eight Essentials” of a third-party anti-corruption program. These are detailed further below:

a. Scopeb. Sponsorshipc. Justificationd. Collectione. Certificationf. Scoringg. Contracts h. Communication

Justification

Collection

Certification Communication

Scoring Contracts

Scope

Sponsorship

04

03

02

01

05

06 07

08


a. Determining Program Scope

The first step in conceptualizing a third-party anti-corruption program is determining which categories of third parties are “in scope.” Frequently, companies make a “bright line” distinc-tion between “business intermediaries” and “suppliers” and focus most, if not all, of their attention on business intermediaries. While suppliers certainly may represent a spectrum of compliance risks, most do not represent high corruption risk since they don’t typically inter-act with other parties on a company’s behalf. This lessens the likelihood that they would be in a position to pay bribes on the company’s behalf.

A business intermediary is a commercial entity or individual who represents your company in the marketplace in some way and may interact with foreign officials as part of that role. This category includes many of the usual suspects who frequently violate the FCPA, such as sales agents, consultants (often sales agents in sheep’s clothing), distributors, freight forwarders and customs brokers. But the category is considerably broader than just those types of busi-nesses. What is essential to any program design process is to understand the key elements of what makes someone a business intermediary, and then inventory those relationships so you can group them under a common descriptive label across your organization and assign risk levels to each.

Some examples of business intermediaries that are not always top of mind include environ-mental consultants, visa expeditors, attorneys and accountants. It is important to understand the entire range of business intermediary types with which your company is engaging. Doing this preparatory scoping work will provide a very strong foundation for the third-party pro-gram that follows.

b. Business Sponsors

The designation of an internal business sponsor as the responsible party for each third party deemed to be within the scope of the program is a critical success factor for any third-party anti-corruption program. Often, the business sponsor role defaults to the person advocating for the company to engage the third party or renew its relationship with an existing third party. Under a third-party anti-corruption program, this individual takes on added respon-sibilities, including that of the company’s “point person,” whose role includes ongoing communication to the third party regarding program requirements and an acknowledgement that, by playing the role, this person is putting his or her personal reputation on the line and accepting responsibility for the relationship – including if anything goes awry. This last component is an important way to drive accountability and raise program awareness across your global organization. Business sponsors are your first line of defense, so they need to be keenly aware of the risks that third parties may represent in general, and also the specific risks among the third parties for which they are individually responsible.

c. Justification

While much of this essential element comes from the business sponsor who must lay out the business case for the proposed relationship, the review process undertaken by legal and/or


compliance must likewise consider the justification in support of the proposed relationship in comparison with potential risks that have been identified when weighing whether to approve the relationship.

d. Data Collection

In the not-so-distant past, the data companies were collecting from commercial partners was quite minimal. Most often, it was limited to the name of the entity, a mailing address, a tax identification number, payment instructions and a contact person. Even today, this describes most vendor records found in the master vendor file or chart of accounts at many companies. This limited data is wholly insufficient to make informed, risk-based decisions about poten-tial risks a given relationship may pose from a corruption standpoint.

This data shortfall must be addressed if your organization is to have even an adequate third-party anti-corruption program. The best and most efficient way to collect richer data about commercial partners and associated control persons is to require them to complete a questionnaire. Ideally, you’ll want to make use of some type of technology platform that can securely transmit and receive these completed questionnaires in a variety of languages. If, however, you need to make use of paper instead, it is important to collect and then act upon this information, even if the way you are collecting it is less than ideal.

While questionnaires vary in depth and length, they should, at minimum, seek to collect the following information:

i. Descriptive Data

This data provides detailed descriptive information about the entity and its control persons, including address, identifying information, date of incorporation, business activities, revenues, headcount and the extent of the entity’s activities. Descriptive data gives informa-tion about the inherent risks of a given third party, irrespective of the proposed relationship.

ii. Relationship Data

This is descriptive information about the proposed relationship, including the primary label that describes it (e.g., sales agent, distributor or freight forwarder), the expected volume of business, amount of sales commission or distributor discount, or other payment terms and any unusual payment instructions (e.g., payment to a bank in Latvia for the benefit of a company based in Russia). This information will enable you to understand the risks this relationship may pose to your organization based upon the way you will be interacting with the entity on an ongoing basis.

iii. Questions and Answers

It is advisable to ask a series of direct questions about prior bribery or corruption enforce-ment actions, other criminal or regulatory matters (pending or historic), and other questions designed to explore the various ways the proposed relationship could trigger liability under a bribery statute.


iv. External Data

All of the foregoing data is being provided by the third party and has yet to be corroborated. Comparing some portion of it to publicly available information such as company profile databases, government watch lists, and lists of known state-owned companies and politically exposed persons can both help corroborate or refute some of the data provided. This process also can serve as the first level of investigative screening in an overall, risk-based due dili-gence program.

e. Certifying to the Anti-Corruption Program

While you have control of the third party’s computer screen when they are completing the questionnaire, it is prudent to use the opportunity to get them to make certain representa-tions as part of your overall efforts at driving accountability. Many organizations include language in their questionnaires such as, “I have read, understand and agree to abide by [your company’s] anti-corruption program.” Obtaining further representations that they will not pay or solicit bribes and commit other violations of any law are also advisable, as is having them certify to your anti-corruption policies and program on an annual basis.

f. Risk Scoring

Think of your third-party anti-corruption program as a series of funnels. You apply the first funnel to your overall third-party population in determining which entities should be within the scope of the program; this narrows the number of third parties to be examined. Risk scoring can be used as the second funnel. By using objective risk scoring criteria to apply a numeric score to different risk attributes within the description, relationship, questions and answers, and the watch list risk categories, you can further narrow your focus. Specifically, you may want to group the risk scoring results into risk bands (low, medium and high). You can then focus your limited compliance resources on the third parties that represent the greatest potential risk relative to your population by holding that smaller subset to a higher standard of care. Most often, that higher standard of care is some enhanced level of due dili-gence investigation.

g. Written Agreements

Part of the eye-opening experience of getting ready to implement a third-party anti-corrup-tion program occurs when you learn how many of your existing third-party business partners are either not subject to any form of written agreement or the agreement that is in place makes no mention of the third party’s anti-corruption obligations to the company. Remedy-ing this situation can be a painstaking process. Ultimately, the goal should be to have in place with each third party a contract that includes specific language indicating the third party’s agreement to abide by the company’s anti-corruption policy and to not pay or solicit bribes in any form. To the extent that there are a large number of existing third parties not subject to an agreement, or the agreement does not contain sufficient anti-corruption language, it is advisable to prioritize the remediation of this issue by addressing the highest-risk third par-ties first.


H. CONFIDENTIAL REPORTING AND INTERNAL INVESTIGATION

“OnCE an allEgatiOn iS maDE, COmpaniES ShOulD havE in plaCE an EffiCiEnt, rEliablE, anD prOpErly funDED prOCESS fOr invEStigating thE allEgatiOn anD DOCumEnting thE COmpany’S rESpOnSE, inCluDing any DiSCiplinary Or rEmEDiatiOn mEaSurES takEn. COmpaniES will want tO COnSiDEr taking ‘lESSOnS lEarnED’ frOm any rEpOrtED viOlatiOnS anD thE OutCOmE Of any rESulting invEStigatiOn tO upDatE thEir intErnal COntrOlS anD COmplianCE prOgram anD fOCuS futurE training On SuCh iSSuES, aS apprOpriatE.”10

A thoughtfully conceived and well-implemented anti-corruption program will produce various categories of alerts or “red flags” that require investigation. An important mechanism of your program is providing the means for individuals to communicate confidentially to the company any suspicions or allegations of improper or illegal acts. Typically, companies will contract with an outside party that provides hotline and issue-tracking services, which allow individuals to provide information about suspected misconduct on a confidential basis. While some callers (or emailers) may request anonymity, often anonymity can inhibit the company’s ability to investigate an allegation fully. Many organizations encourage tipsters to instead provide information on a confidential basis, which gives them the latitude to re-engage and ask follow-up questions as an investigation progresses.

Since so much of an anti-corruption program is geared toward the establishment of a framework to generate red flags, it is vital for the company to have a protocol for the intake, triage, investigation and disposition of any allegations received. An investigative protocol is an outline

h. Training

While many organizations provide some level of anti-corruption training to their employees, officers and board members, few extend that training out to third-party business partners. Given the fact that the vast majority of FCPA violations are committed by third parties, it would seem prudent to provide anti-corruption training to this very important extension of your business and reinforce your message that bribery of any kind is unacceptable.

If your third-party anti-corruption program includes these eight essential elements, over time, it will very likely lower your exposure to potential bribery and corruption violations.

Corruption




E. Training and

Con�nuing Advice

10 A Resource Guide to the U.S. Foreign Corrupt Practices Act, jointly released by the Criminal Division of the U.S. Department of Justice and the Enforcement Division of the U.S. Securities and Exchange Commission, 2012: www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf.




I. CONTINUOUS IMPROVEMENT: PERIODIC TESTING AND REVIEW

“DOJ anD SEC EvaluatE whEthEr COmpaniES rEgularly rEviEw anD imprOvE thEir COmplianCE prOgramS anD nOt allOw thEm tO bECOmE StalE. DOJ anD SEC will givE mEaningful CrEDit tO thOughtful EffOrtS tO CrEatE a SuStainablE COmplianCE prOgram if a prOblEm iS latEr DiSCOvErED. Similarly, unDErtaking prOaCtivE EvaluatiOnS bEfOrE a prOblEm StrikES Can lOwEr thE appliCablE pEnalty rangE unDEr thE u.S. SEntEnCing guiDElinES.”11

An anti-corruption program should be a living, breathing embodiment and reflection of the current and contemplated corruption risks that are nuanced to the world at large, the industry in which the company operates, and the organization’s unique characteristics – including its products and services, customer base, organizational structure and geographic footprint.

Benjamin Franklin wrote, “ … in this world nothing can be said to be certain, except death and taxes.” In the business world, a third universal certainty is change. Your business will expand or contract. You will enter new markets and perhaps withdraw from others. You may acquire companies, divest parts of the company, merge or form joint ventures. You may launch new products or new lines of business. These are just a few examples of changes that may occur within your organization. But what about changes on the outside?

One ongoing phenomenon is the extent to which the DOJ and SEC in the United States and the Serious Fraud Office in the United Kingdom are looking more broadly at certain industries as part of the investigation of one or more industry participants. If you learn a competitor has a bribery problem, it is an excellent time to dust off your anti-corruption program and consider refreshing it.

of the steps to be taken as part of the investigation and the resulting documentation. Equally important is the designation of who is responsible for the investigation, who from legal or compliance will oversee it, and the escalation steps that may be warranted depending upon the findings. The importance of ensuring you have appropriate subject-matter expertise both in the performance of an investigation and its supervision cannot be overstated. Some companies give short shrift to this critically important part of their program. Since the entire program is geared toward generating red flags, part of the government’s appraisal of its overall efficacy is ensuring you have allocated sufficient resources with the right skills to investigate them.

Corruption




E. Training and

Con�nuing Advice

11 Ibid.


J. MERGERS AND ACQUISITIONS: PRE-ACQUISITION DUE DILIGENCE AND POST-ACQUISITION INTEGRATION

“inaDEquatE DuE DiligEnCE Can allOw a COurSE Of bribEry tO COntinuE – with all thE attEnDant harmS tO a buSinESS’S prOfitability anD rEputatiOn, aS wEll aS pOtEntial Civil anD Criminal liability. in COntraSt, COmpaniES that COnDuCt EffECtivE fCpa DuE DiligEnCE On thEir aCquiSitiOn targEtS arE ablE tO EvaluatE mOrE aCCuratEly EaCh targEt’S valuE anD nEgOtiatE fOr thE COStS Of thE bribEry tO bE bOrnE by thE targEt.”12

There is a well-known maxim in the realm of criminal investigation, as well as psychology: “The best predictor of future behavior is past behavior.” That is an important lesson in understanding the value – and limitations – of due diligence. Due diligence is one of those terms that means different things to different people. It used to be that mergers and acquisitions due diligence was an analysis of the finances and legal implications of the acquisition. It has expanded into something much broader and now often includes background investigations of the acquisition target, its key executives/control persons, and critical business intermediaries, including sales agents and distributors, to the extent they are an important part of the business model.

This last part is particularly important if you have an existing third-party anti-corruption process. Neglecting to hold critical third parties of an acquisition target to the same or a similar standard of care as your existing third parties could serve to undermine the efficacy of that program should

Whether the changes are occurring internally, externally or both, having a mechanism to track, consider and apply those changes to your anti-corruption program will help keep your program from becoming stale and out of step with the current and emerging risks it is intended to help mitigate.

Most often, a key part of the mechanism to measure organizational performance and perform periodic testing and review is the internal audit function. As noted earlier, internal audit is on the front lines in the war on corruption. In most organizations, internal auditors are generalists. But when considered an extension of the organization’s anti-corruption program, internal audit should receive some advanced training on anti-corruption. Specifically, internal auditors should understand key concepts comprising the FCPA, the risk factors that can trigger liability, the types of red flags indicative of potential problems, and the investigative steps to follow in the event they suspect a potential violation.

Corruption




E. Training and

Con�nuing Advice

12 Ibid.


the deal go forward and those third parties are integrated into the company without first having been vetted properly.

Another important and sometimes overlooked aspect of acquisition due diligence is the performance of an anti-corruption risk assessment. In a perfect world, all acquisition targets have robust anti-corruption programs. In actuality, many small to midsize companies operating overseas do not have any type of anti-corruption program. That is why the performance of a high-level anti-corruption risk assessment is so important. Gaining an understanding of the company’s ownership group, executive team, customer base, distribution channel, sales and marketing, products and services, activities, and overall nexus to foreign officials will better position you as a potential acquirer in evaluating the true purchase price, inclusive of any compliance remediation work that may be necessary to properly integrate the entity, post-acquisition. Not only will doing an anti-corruption risk assessment on the front end lower your risk of a future bribery violation, it could provide you with additional leverage in negotiating a more favorable purchase price.

The FCPA Guide recognizes that even the most robust acquisition due diligence is based upon limited information and allows for a grace period (although no time period is defined) to integrate the acquired company into the acquirer’s ethics and compliance program and overall control environment. Indeed, the post-integration actions a company has taken factor heavily into whether it will be held liable for the actions of the acquired company. According to the Guide:

DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program.

The clear implication of this statement is that simply performing robust due diligence on the front end of an acquisition is not enough. There needs to be an urgency with which the newly acquired entity is brought into alignment with all of the hallmarks and associated controls of your anti-corruption program. Failing to do so can lead to the same types of fines, penalties and market capitalization impact that could result if improper acts of the acquired company were committed by the company itself.


In ClosingWe tend to see the world from our own particular points of view, full of our own preconceptions and shaped by our own somewhat unique set of experiences. Those points of view likely are shaped, at least in part, by our role within the organization and efforts at trying to anticipate what is important to the company and its senior leadership. If you take nothing else away from this white paper, consider the following: The most important perspective regarding your anti-corruption program is not yours, senior management’s or the audit committee’s; it is that of the government.

When evaluating your anti-corruption program, you need to set aside all of those biases and preconceptions – and the company’s perspective. Instead, force yourself to consider only whether an objective outsider would conclude that your program embodies all of the hallmarks of an “effective” compliance program. In doing so, you can then “war game” the steps that the DOJ or SEC might take in evaluating your program in advance of that actually happening. This is a proven technique that has been successfully applied across a wide range of regulatory compliance areas spanning multiple industries.

If you can replicate the regulatory process, focus specifically on the issues that regulators are likely to assess, and then remediate them well before the regulators even know they need remediation, your organization will be in a much better state of regulatory readiness.


About ProtivitiProtiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

About Our Investigations and Fraud Risk Management Practice

Protiviti’s Investigations and Fraud Risk Management consultants help organizations build a solid infrastructure for evaluating, mitigating, investigating, reporting and monitoring their risk of fraud, corruption and misconduct.

Understanding organizational vulnerabilities and establishing an appropriate framework to identify and respond to them is essential in today’s global marketplace, as regulators are demanding more active management and investigation for a wide range of risks, including financial crime, fraud and corruption.

Our Investigations and Fraud Risk Management professionals assist organizations with building sustainable anti-corruption, investigative and fraud risk assessment processes and developing anti-fraud, anti-corruption and investigative programs and controls to meet fiduciary and regulatory responsibilities. We support organizations in their efforts to identify, triage, investigate, report and monitor a wide array of risks at every level, from the performance of risk assessments, program design or remediation, risk governance, and employee training to audits of anti-corruption, fraud and investigation programs and processes. Our team’s unique blend of anti-corruption, fraud risk management and investigative subject-matter expertise can quickly identify program shortcomings and remediate your critically important programs. We also have extensive experience in undertaking investigations of suspected violations of those programs by leveraging investigative, forensic accounting and technology disciplines across our global footprint to provide our clients with the experience and local resources necessary to gather the facts to make informed business decisions.

Contacts

Scott Moritz Managing Director +1.212.603.8356 [email protected]

Peter Grupe Director +1.212.399.8613 [email protected]

Pamela Verick Director +1.703.338.2322 [email protected]

http://www.protiviti.com

mailto:[email protected]



© 2013 Protiviti Inc. An Equal Opportunity Employer. PRO-PKIC-0713-113 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

ASIA-PACIFIC

AUSTRALIA BrisbaneCanberraMelbournePerthSydney

CHINA BeijingHong KongShanghaiShenzhen

INDIA BangaloreMumbaiNew Delhi

INDONESIA** Jakarta

JAPAN Osaka Tokyo

SINGAPORE Singapore

SOUTH KOREASeoul

* Protiviti Member Firm ** Protiviti Alliance Member

THE AMERICAS

UNITED STATESAlexandriaAtlantaBaltimoreBostonCharlotteChicagoCincinnatiClevelandDallasDenverFort LauderdaleHouston

Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento

Salt Lake City San Francisco San Jose Seattle Stamford St. Louis Tampa Washington, D.C. WinchesterWoodbridge

ARGENTINA*Buenos Aires

BRAZIL*Rio de Janeiro São Paulo

CANADAKitchener-WaterlooToronto

CHILE*Santiago

MEXICO* Mexico City Monterrey

PERU* Lima

VENEZUELA* Caracas SOUTH AFRICA*

Johannesburg

EUROPE/MIDDLE EAST/AFRICA

FRANCE Paris

GERMANY Frankfurt Munich

ITALY Milan Rome Turin

THE NETHERLANDSAmsterdam

UNITED KINGDOMLondon

BAHRAIN* Manama

KUWAIT* Kuwait City

OMAN* Muscat

QATAR*Doha

UNITED ARAB EMIRATES* Abu Dhabi Dubai

Documents

Viewing Your Anti-Corruption Efforts Through the Lens of ... · PROTIVITI • Viewing Your Anti-Corruption Efforts Through the Lens of the Hallmarks of an Effective Compliance Program