Corruption and Enforcement IV: The Importance and Anatomy of a Robust Compliance Program


There is a real risk to a wide array of businesses from bribery, corruption and fraud - these are no longer concerns only for multinational enterprises or those operating in countries where corruption is rife.  Why? Because of:

  • the expansion and toughening of bribery and corruption laws (including increased, and in the case of the UK, unlimited financial penalties) and the very real extraterritorial reach of many of those laws (including laws in Australia, the US and the UK);
  • the increased vigour and global cooperation with which these laws are being enforced;
  • the evolution of the global economy and efforts to take advantage of new markets, some of them in areas with high risks of corruption and bribery; and
  • the economic downturn’s encouragement of fraudulent and corrupt behaviours while at the same time shrinking available resources to prevent, detect and combat such behaviours.

Recent articles in this series have highlighted Australia’s relative lack of enforcement, and indeed Transparency International’s 2011 progress report on enforcement by those parties to the relevant OECD Convention characterised Australia as having little or no enforcement. [1]  However, the tentacles of enforcement by the US and the UK are long and active, and Australian authorities have not only been increasingly active in enforcement, they have signalled their commitment to redouble efforts.  This, coupled with the fact that many Australian enterprises do business in markets ranking highly in terms of corruption risk, means that businesses cannot afford complacency.

The risks of corruption and bribery are significant and include:

  • regulatory censure and increased oversight;
  • criminal prosecution of the company and senior management, and resulting fines, penalties and imprisonment;
  • civil liabilities, such as disgorgement (proceeds of crime) and potential civil claims and class actions;
  • cost of internal investigations and corrective action;
  • management distraction;
  • loss of business and business opportunity, including exclusion from bidding processes and access to government and other contracts; and
  • damage to reputation, brand and share price.

If this is not enough incentive to invest in a robust compliance program, then consider the added incentive offered by the other defensive benefits of such a program.  For example:

  • Under the UK Bribery Act provisions, any commercial organisation carrying on even part of its business in the UK will be guilty of an offence if an associated entity (defined very broadly to include nearly any sort of representative or agent of the entity) bribes another person (private or public, anywhere in the world) in order to obtain or retain a business advantage or advantage in the conduct of the business for the organisation.[2]  However, the commercial organisation will have a complete defence to this provision if it had ‘adequate procedures’ in place to ‘prevent persons associated from undertaking such conduct’.
  • Under the Australian Criminal Code provisions regarding bribery of foreign public officials, the requisite intent for the offence will be attributed to the company where the actor was within the actual or apparent scope of employment or authority and the company expressly, tacitly or impliedly authorised or permitted the offence.  This can be established by proving that the company failed to create and maintain a corporate culture that required compliance with the anti-bribery provisions.[3]
  • In US Foreign Corrupt Practices Act (FCPA) matters, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have recently shown a willingness to prosecute only the involved individual(s) and not the company where the individual (the ‘rogue actor’) circumvented the company’s anti-bribery and corruption program and controls, and where the company’s program and controls were robust.[4]  The DOJ and SEC have previously noted that they consider the existence, strength and implementation of compliance programs in deciding whether to prosecute companies, but their more recent publication of such decisions has been geared, it would appear, to better encourage such programs.

Although all effective compliance programs will share some features, the details of each will vary depending on the circumstances of the company enacting it—that is, one company’s robust program may be too weak for another.  Each company must assess its own risk profile and adopt those measures which are appropriate in the light of that assessment.  Some of the elements of an effective compliance program are identified in the UK Ministry of Justice’s Guidance Statement (the UK Guidelines)[5], and additional guidance is offered by recent US DOJ and SEC settlement statements.  Sensible provisions can also be developed from consideration of the most common ways in which corruption and bribery is conducted and detected.  Drawing on all of these, I have set out below some of the primary features of an effective and robust compliance program.

  1. Clear statement of proportionate policies and procedures

A company’s anti-bribery and corruption policies should communicate a clear anti-bribery and corruption position and identify the related policies and procedures which will be used to implement them.  Where there are multiple arms of the policy, some of the arms may be contained in separate policy documents, and these should be coordinated and linked to the main policy.  The scope of the measures necessary to implement, support and enforce the policies will depend on the corruption and bribery risk profile of the company, but the policies should err on the side of robustness. Best practice would be to address all relevant areas, including: bribery, secret commissions, money laundering, gifts and entertainment, books and recordkeeping, business acquisitions/ partnerships/relationships (joint ventures, agents, distributors, suppliers, acquisitions), contract review, audit policy review, detection mechanisms, and whistleblower policy.

The policies and procedures should provide for specific accounting controls (such as expense approval and documentation/records policies) and red flag mechanisms (for example, triggering of audit or review upon submission of irregular invoices, requests for approval of payments to unknown agents or odd accounts, or to cash).  They should also include appropriate contractual controls (eg, requiring suppliers/partners/agents to agree in writing to comply with the company’s anti-bribery and corruption policies and consent to audit), and detection mechanisms.  (See also monitoring and enforcement, below.)

  2. Leadership and commitment to the policies from the directors and highest levels of management

The company directors and officers must lead by example and publicly endorse the policies.  Moreover, appropriate resources must be devoted to implementation and enforcement of the policies.  Depending on the company size and risk profile, this may include dedicated anti-corruption compliance officers with expertise in the risks prevalent in the various businesses and geographical areas in which the company operates.  This will also include appropriate resourcing for the remaining aspects of the compliance program set out below.

  3. Communication and training

Internally: Top level commitment must be clearly communicated, as noted above.  Regular training sessions regarding the policies and procedures should be conducted in person, in writing, and electronically.  Make the training sessions comprehensive but practical, including clear definitions of the sorts of conduct prohibited (and why), warning signs and red flags, reporting procedures and safeguards, practical ‘real world’ examples directly addressing the ‘grey areas’, and Q&A time.  Where particular groups being trained will be exposed to particular cultural or geographic issues, deal with those directly and clearly.  Make sure the training also communicates the potential serious consequences of offending conduct, including criminal sanctions and incarceration (as well as internal disciplinary measures, such as summary termination).

Require all management and all personnel in high risk or potential risk positions or geographical locations to attend in person training sessions.  Test understanding and compliance in writing, require signed agreement to abide by the policies as a term of employment, and maintain all training and compliance records and agreements on employment files.  Provide ongoing reminders and updates about the issues and developments, requiring their receipt to be acknowledged.  Finally, update and repeat the sessions regularly.

Externally: Clear communication of expectations and prohibitions with all business partners, suppliers and agents of any sort is essential.

  4. Risk assessment/due diligence

Regularly assess the risk of bribery and corruption in the markets in which the company operates.  Pay particular attention to high risk zones, to people in marketing, sales, and contracting, and people interacting with governments (any level) or state run/owned organisations.  Assess policies regularly and update them based on experience and developments (for example, lessons from prosecutions or publicly available information on settlements).

Conduct due diligence on any proposed new operations, and critically consider country risk before committing to operations.  Conduct corruption and bribery due diligence on any takeover or merger targets, checking anti-corruption policies, history of relevant difficulties with bribery or corrupt practices, ties to government or state owned enterprise and information on the officers and directors.  Also conduct due diligence on any proposed business partners, agents or suppliers.  For agents in riskier foreign jurisdictions, pay particular attention to appropriateness of fees (eg, look for padding which might be destined for improper payments), ties to government, willingness to agree in writing to abide by company anti-corruption and bribery policies, to submit to associated audits, etc. 

  5. Monitoring and enforcement

Ensure that lines of responsibility and reporting are clear.  Create alternative lines of reporting of potential corrupt activities to minimise the effectiveness of any attempts to suppress reporting of issues. Make whistle-blower lines and policies available and establish help-lines to field sensitive or urgent enquiries.  Protect reporting persons from retaliation.

Have clear and appropriate investigation procedures, including dedicated anti-corruption compliance officers and investigations headed by appropriate independent, qualified persons reporting to the risk committee of the board.

Have regular audits and, in high risk areas, external audits.  Ensure that procedures are in place for specific accounting controls and activation of red flag procedures (see policies and procedures, above).  Ensure that records are kept of all monitoring and enforcement activities and follow communications policies.

When investigations lead to disciplinary measures, announce outcomes where possible, so that the company’s commitment to the policies is understood and appreciated.

Conclusion

A company implementing and enforcing a compliance policy crafted with the above characteristics and proportionate to the risks faced by the company should establish a strong and effective anti-bribery and corruption culture and framework, and should place itself in the best possible position to minimise the risk and damage to the company from rogue actors and incidents involving corruption or bribery.

A robust anti-bribery and corruption policy is an essential element of good corporate governance and risk management, and yet recent surveys seem to indicate that a great many corporations are either ignorant of or indifferent to this fact, and many more believe that corruption and bribery, and acceptance of corruption and bribery, is on the rise, but are doing little to combat it.[6]  Those seeking to toughen and enforce anti-bribery and corruption measures are no doubt keen to change all of that.




[1]      F. Heimann, G. Dell & K. McCarthy, Progress Report 2011: Enforcement of the OECD Anti-Bribery Convention, Transparency International, p. 4. http://www.transparency.org/whatwedo/pub/progress_report_2011_enforcement_of_the_oecd_anti_bribery_convention

[2]      Bribery Act 2012 (UK), Section 7.  The relevant provisions of the UK Bribery Act, the US FCPA, and the Australian Criminal Code provisions have been summarised in prior articles in this series, as well as other materials readily available on the intranet, and I will not repeat the basic provisions here, instead assuming a basic grasp of them in the reader.

[3]      Criminal Code Act 1995 (Cth), Division 12.

[4]      See, eg,  DOJ Press Rel. 12-534, Former Morgan Stanley Managing Director Pleads Guilty for Role in Evading Internal Controls Required by FCPA (Apr. 25, 2012), http://www.justice.gov/opa/pr/2012/April/12-crm-534.html; United States v. Peterson, No. 12-CR-224, Criminal Information, ¶¶ 44–45 (E.D.N.Y. Apr. 25, 2012), http://www.justice.gov/criminal/fraud/fcpa/cases/petersong/petersong-information.pdf.  (“After considering all the available facts and circumstances, including that Morgan Stanley constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials, the [DOJ] declined to bring any enforcement against Morgan Stanley related to Peterson’s conduct. The company voluntarily disclosed this matter and has cooperated throughout the department’s investigation.”).  There have been other similar cases, including a recent non-prosecution agreement with Noble Corporation.  See also SEC Press Rel. 2012-78, SEC Charges Former Morgan Stanley Executive with FCPA Violations and Investment Adviser Fraud (Apr. 25, 2012), http://www.sec.gov/news/press/2012/2012-78.htm; SEC v. Peterson, No. 12-CV-2033, Complaint, ¶¶ 27–39 (E.D.N.Y. Apr. 25, 2012), http://www.sec.gov/litigation/complaints/2012/comp-pr2012-78.pdf.

[5]     See Guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing (section 9 of the Bribery Act 2010) http://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidanc....

[6]    See, for example, Corruption and Enforcement I:  The Perils of Transplantation, by Justin O’Brien, University of New South Wales, at http://www.clmr.unsw.edu.au/article/ethics/white-collar-crime%2C-aml%2C-bribery-%26-corruption/corruption-and-enforcement-i-perils-transplantation (quoting from Ernst & Young’s 12th annual Global Fraud Survey, Growing Beyond: A Place for Integrity)

 

 
