Are you sure your anti-bribery efforts work?

Designing a state-of-the-art anti-bribery and anti-corruption programme and impressing on everybody in the company to comply with it doesn’t mean the programme works.

To ensure your business is meeting authorities’ expectations, you must test whether the efforts you have in place are effective, said Matt Queler, a principal in Deloitte’s financial advisory services and a former assistant chief in the US Department of Justice’s Foreign Corrupt Practices Act unit.

Take hotlines, for example, Queler said. Multinational companies set them up for employees to report problems, but that doesn’t ensure they’re effective. A company that tests how well its hotline works might be concerned and could take remedial steps if it had 20,000 employees in a particular location and none of them ever called the hotline.

Third-party due-diligence assessments are another example, he said. To ensure contractors, suppliers, and vendors that pose a corruption potential are flagged, multinationals should review whether the people doing the due diligence are effectively assessing third-party bribery and corruption risks.

“The companies that are testing the effectiveness of their programme … are better able to detect and prevent future misconduct,” Queler said. “They’re better able … to deter people from ever engaging in the conduct in the first place.”

4 insights that target effectiveness

Do you understand the bribery and corruption risks specific to your industry, geography, business structure, business partners, and level of government oversight? And have you installed clear policies, procedures, and financial controls tailored to those risks? Then consider these four insights suggested by Queler and the Ethisphere Institute, a US research organisation focused on corporate compliance and ethics, to improve the effectiveness of your efforts in preventing corruption and bribery:

• Beware the tone in the middle. It’s not enough for senior managers to create a culture that doesn’t allow bribery and corruption. Middle managers must be held accountable for fully implementing compliance efforts because most compliance risks arise at this level.
• Ensure the compliance function has independent authority. Assign responsibility for anti-corruption compliance to senior-level representatives who have independence, authority, and adequate resources. 
• Customise training in high-risk markets. Regular training for all employees isn’t enough. Provide specialised training for employees in high-risk markets or business units and require that high-risk business partners also receive training. 
• Test for effectiveness. Due-diligence reports and other data generated by monitoring a compliance programme can be used to assess, for example, whether employees call a hotline to report problems or whether third parties made the right hiring choices. Data analytics allow companies to dig even deeper and identify problems that might otherwise have been missed, such as potentially fraudulent sales practices.

Many forward-thinking companies are using advanced data analytics to make sure their compliance systems are working. For example, Queler said, companies can monitor hotline reports from all over the world to determine the promptness of responses and whether people are comfortable calling the hotline and unafraid of retaliation.

A company that reviewed and approved 200 third parties can monitor the performance of those third parties and use data to assess whether the right decisions were made on whether to hire the third parties. Banks and financial institutions are using analytics to identify potentially fraudulent practices within their sales teams, such as rewards for opening accounts that may be abused by taking advantage of unwitting customers.

The largest companies that face the most substantial risks need to understand where their biggest areas of risk are, Queler said. Most of the largest multinational companies have a plan for testing certain aspects of their programmes every year.

“They may not test everything every year, but they’re going to test certain aspects,” he said. “And it’s going to be in a risk-based, thoughtful way, and they’re going to [test] their highest-risk areas most often, and they’re going to [test] their lesser-risk areas less often.”

It’s impossible to prescribe exactly the right testing and monitoring regimen, he said, because every company is different and faces its own unique risks. But finding the right way to test and monitor risks is critical.

“There is no one right answer, except to say that depending on your risk and your resources, having some testing and some monitoring is considered very, very important to an effective compliance programme,” Queler said.

Bribery enforcement hotspots

In the past 40 years, Asia Pacific has been the region with the highest share of enforcement cases involving the alleged bribery of a government official by a foreign company (26%), followed by Africa (22%), Europe and the Americas (16% each), and the Middle East (12%), according to a database maintained by global risk management provider TRACE International.

Individual countries topping the list:

1. China
2. Iraq
3. Brazil
4. Nigeria
5. India
6. Russia

Source: TRACE International Global Enforcement Report 2017.

— Sabine Vollmer (Sabine.Vollmer@aicpa-cima.com) is an FM magazine senior editor.