Since the UK Bribery Act 2010 came into force in July 2011, the expected standards and scope of anti-bribery and corruption (ABC) compliance programmes have evolved significantly in many jurisdictions.

Norton Rose Fulbright recently carried out a global survey to assess how companies’ ABC compliance programmes compare against current global best practice expectations, as documented in guidance from the US, UK, and French authorities, and other bodies including the World Bank.

Such public guidance provides a valuable tool in setting out how compliance programmes will be assessed by authorities, and what defences or mitigation may apply. It therefore warrants close analysis from in-house legal and compliance professionals at a time when regulators around the globe are becoming increasingly sophisticated in their scrutiny of ABC compliance programmes.

We have set out below a summary of where companies are doing well, and where enhancements may commonly be advisable.


Key findings: What organisations are doing well:

  1. 68% of respondents had conducted documented ABC risk assessments within the last three years (and 51% in the last 12 months);
  2. 62% took a values-based approach or a combined values and rules-based approach to ABC compliance; 
  3. 66% of respondents noted that ABC compliance is discussed in a board sub-committee; and 
  4. 57% of respondents monitor key compliance programme metrics as part of their senior management of ABC compliance within the overall corporate strategy.

Key findings: Where enhancements can be made:

1. Post-acquisition due diligence: only one third of respondents conduct any form of regular or scheduled post-acquisition DD reviews following acquisitions or JVs

This bears out our experience: while most companies are alive to the need to conduct pre-acquisition due diligence, fewer go the extra step of seeking to conduct post-acquisition due diligence as part of integration once the deal has been completed.

Post-acquisition due diligence is crucial: companies need to get under the hood of newly acquired subsidiaries and new JVs to ensure that ABC risks are being managed appropriately, and that any issues can be remediated quickly. Many bribery investigations start following a site visit to, or speak-up report from, a subsidiary bought years earlier that has not been properly integrated into the group. The extent to which a company can subject its newly acquired subsidiaries and JVs to appropriate scrutiny to track and remediate misconduct is indicative of the overall effectiveness of its compliance programme.

2. Oversight in relation to joint ventures and subsidiaries 

Over half of respondents said that there was only a small/some degree of oversight of joint ventures (JVs) and subsidiaries in relation to ABC.

This is surprising given that the actions of subsidiaries and JVs give rise to a significant proportion of bribery cases globally (for example as associated persons under the UK Bribery Act). While the degree of centralisation that is appropriate varies between corporate groups, it is important that there is sufficient oversight and management of ABC risks – many ABC issues occur a long way from “home”.

3. 49 percent of companies are not building into their risk assessments issues faced by their peers 

Respondents said that when performing their risk assessment process they focused mainly on addressing risks relating to (i) the involvement of third parties; (ii) specific transactions; and (iii) the geographical location of their business activities.

Whilst those areas are important, an evaluation of issues facing peer organisations in similar industries and/or regions should also inform the risk assessment (and this is emphasised in the DOJ guidance).

In our experience, this is crucial because many peer companies face similar issues in particular markets (see for example the issues faced by telecoms companies in a number of jurisdictions).

4. Only half of respondents (51 percent) could provide evidence that resources are deployed in accordance with their risk assessment

Risk-tailored resource allocation is important for two reasons.

First, and most importantly, it gives a company the best chance to ensure that its finite resources are deployed efficiently in order to make the compliance programme as effective as possible.

Second, authorities across the world expect to see a risk-based compliance programme. This will be difficult to show if resources are not utilised to address key risks identified by the company.

5. Lack of ongoing third party monitoring

Only 34 percent of respondents indicated that ongoing monitoring of third parties is conducted on a regular (i.e. annual) basis. While we can see that for lower risk third parties less frequent monitoring may be appropriate, regular monitoring is crucial for medium and high risk third parties. This is borne out by respondents having indicated that ongoing third party monitoring is a key area resulting in the identification of instances of non-compliant behaviour in relation to ABC.

Third parties are at the heart of ABC risk; in most companies if third parties are not appropriately monitored then ABC risks will not be appropriately monitored. The DOJ expects organisations to engage in ongoing monitoring through various methods, such as updated due diligence, training, audits and/or annual compliance certifications. The MOJ expects appraisals and continued monitoring of a company’s associated persons proportionate to the identified risks.

The fifth and final webinar in our Anti-Bribery and Corruption Compliance series takes place on Wednesday, 19 January. In this webinar we will be taking a deep dive into the survey results, and addressing:

  • The incorporation of effective monitoring (such as internal audits or control testing); and
  • The importance of regular review, evaluation and adaptation of an ABC compliance programme in order to address changing risks, updated regulator guidance and recent enforcement action.

