The Board’s role in managing corruption risk: asking the right questions before a regulator does

Companies need to “consider how to monitor and evaluate the effectiveness of their procedures and adapt them where necessary…Organisations could…consider formal periodic reviews and reports for top-level management… [and] might wish to consider seeking some form of external verification or assurance of the effectiveness of procedures” - UK Bribery Act Adequate Procedures Guidance

Anti-corruption compliance is a challenging area for Boards. On the one hand, directors are aware of the ever-increasing expectations on them to ensure compliance and the risks of failing to do so; on the other hand, as companies’ global footprints increase, exercising effective oversight becomes more demanding and complex.

Guidance from regulators and others focuses on effectiveness-in-fact, not on the mere existence of a compliance programme.  For example, the US DOJ and SEC ask three key questions when assessing an anti-corruption compliance programme:

• Is [it] well designed?
• Is it being applied in good faith?
• Does it work?¹

Directors should regularly ask these questions of management, ensure they receive adequate reporting, and critically evaluate the information provided. In itself, however, this is unlikely to be enough to give the Board comfort that corruption controls are working because there is a limit as to the granularity of the information a Board can review – and reports from management or compliance will always involve a degree of marking their own homework.

To have a clear line of sight on the anti-corruption compliance programme, the Board should ensure that on a periodic basis it obtains an independent and rigorous assessment of its design, implementation and effectiveness.

In this article, we set out the types of questions the Board should be asking and explain how an independent review can help to answer them.

“the Board should be responsible for setting bribery prevention policies, tasking management to design, operate and monitor bribery prevention procedures, and keeping these policies and procedures under regular review” - UK Bribery Act Adequate Procedures Guidance

The question of good design breaks down into three issues: (i) whether the programme is in line with legal requirements and market expectations; (ii) whether the programme is efficient in terms of focusing on the key risks of the business; and (iii) whether the programme is an integrated and central element of the operation of the business.

It is ultimately the Board’s responsibility to make sure that the compliance programme is in line with relevant laws and the guidance and principles that define market expectations, such as the World Bank Integrity Principles, the ISO standard for anti-corruption management programmes and the guidance set out in the OECD Anti-Corruption Ethics and Compliance Handbook.

A high quality compliance programme will not be an “add-on” feature of the organisation, but rather will be designed to complement and support the organisation’s strategic objectives. While compliance is a function on the organisational chart, it should also be considered an essential element within every other operation.

Boards should ask on a periodic basis for an independent assessment of whether the compliance programme covers relevant requirements and expectations and the extent to which it is structured to meet the business’ key compliance risks, particularly when changes to the business mean its risk profile changes (e.g. acquisitions, overseas expansion or joint ventures). This is not only a matter of meeting regulatory expectations, but of ensuring that the programme is effective in terms of reducing the incidence of corruption and efficient in terms of the allocation of compliance resources.

“Culture is understood to be the largest influencer of business conduct…Leaders are recognized as the primary drivers of that culture. In [high quality compliance programmes], leaders throughout the organization are expected – and held to – a shared responsibility for making central ethical conduct and ethical decision-making a central part of the organization’s DNA” - ECI Principles of High Quality Ethics & Compliance Programmes

Well-designed policies and procedures count for little if they are not properly implemented. Implementation requires effective training, adequate resourcing and strong tone from the top. It is up to the leaders of the organisation to drive ethics and compliance forward as a routine but essential part of daily operations by ingraining ethics and compliance into the organisation’s culture. A company’s culture is a key driver for the success of the company’s compliance programme and an increasing area of regulatory focus.

The Board needs to understand how training and messaging works in the company, how that training is tailored to the risk profile of the business, and – crucially – how effective that training is. The recent deferred prosecution agreement between the UK Serious Fraud Office and Standard Bank Plc noted that the compliance training was deemed to be inadequate and the internal policies not sufficiently well-understood. The compliance procedures as a whole were found to be lacking. By contrast, the US DOJ declined to bring enforcement action against an American financial institution in 2012 in part due to the effectiveness of its training programme. The key takeaway is that regulators are focused not only on ensuring that training happens but that the message hits home.

As well as tone from the top, another important element of good faith implementation is resourcing. Different compliance structures work for different companies, but Boards should ensure that the compliance resources are sufficient to allow effective integration across the business, and to mitigate the risk of doing business in the relevant jurisdictions.² Public statements that a company has a zero tolerance approach to corruption count for little if compliance is side-lined and inadequately resourced to implement and monitor the programme properly.

Boards should consider obtaining independent assessments of the implementation of the compliance programme and, in particular, the extent to which a ‘compliance culture’ is embedded in the organisation (including an assessment of training and messaging throughout the company) which may involve surveys and interviews with management and employees in order to assess training effectiveness and management ethical reflex.

An organisation should “take reasonable steps…to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct [and]…to evaluate periodically the effectiveness of the organization’s compliance and ethics program” - US Federal Sentencing Guidelines

A compliance programme works satisfactorily if it achieves two aims: (i) to reduce the incidence of corruption within an organisation; and (ii) to meet regulatory expectations such that the company avoids serious penalty in the event of corruption occurring, or at least mitigates or reduces any penalty imposed.

The US Federal Sentencing Guidelines point to “the existence of an effective compliance and ethics program” as a factor that mitigates the ultimate punishment of an organisation. Having a programme in itself is not enough but this does not mean that a compliance programme has to prevent every incidence of corruption. FCPA declinations provide good examples of regulators demonstrating leniency where the firm in question has shown that it has an effective compliance programme³.

What is the Board’s role in monitoring? The Board should know who within the organisation or externally is responsible for ongoing monitoring and what this involves (e.g., whether a sample of third party due diligence reviews is monitored; and whether gifts and entertainment spending data is analysed to identify any trends of concern). A Board should review the results of the monitoring process and ensure that any gaps noted are remediated as soon as practicable and the programme is reinforced accordingly.

For a Board really to know whether a compliance programme is effective, it has to seek independent assurance as to its effectiveness. This goes beyond seeking self-certifications from business units and country heads as to implementation and compliance: what is needed is testing whether compliance processes are effective on a transactional level, including the accuracy and completeness of the information that management receives.

Boards are increasingly coming under pressure to ensure that their company’s compliance programme is effective. Independent assurance allows the Board to benchmark the company’s compliance programme against that of its peers and assess whether the design and implementation of the compliance programme are working on a day-to-day basis.