Bribery risk management: Walk the talk

Eleftherios Tsintzas

Eleftherios Tsintzas

Eleftherios Tsintzas (lefti4@yahoo.com) is the Head of Internal Audit at Thessaloniki Port Authority SA in Thessaloniki, Greece. Eleftherios serves as a team leader in the IIA Global Exam Development Committee and as a member of the IIA Greece North Greece Advocacy Committee.
Listen to article
10 minute read

By Eleftherios Tsintzas, CIA, CFE, CRMA, CFSA

All organizations inherently face bribery risks to some degree, whether it is the organization itself or persons related to it that offer a bribe (active bribery) or when the organization or persons related to it receive or act on the expectation of receiving a bribe (passive bribery). In this respect, on December 9, 2003, the United Nations (UN) passed the Convention Against Corruption, and International Anti-Corruption Day is observed annually on that date. In addition, the 2030 Agenda for Sustainable Development was launched in 2015 during a UN summit. Target 16.5 of that agenda aimed at substantially reducing corruption and bribery in all their forms (emphasis mine).[1]

Corruption can be defined as a scheme in which an employee misuses their influence in a business transaction to gain a direct or indirect benefit, violating their duty to the employer.

Bribery is categorized as one of the corruption schemes; it is the act of offering, promising, giving, accepting, or soliciting an undue advantage of any value (monetary or not), directly or indirectly, as an inducement or reward for a person acting or refraining from acting in relation to the performance of that person’s duties.

However, the target of “substantially reducing corruption and bribery in all their forms” set in the 2030 agenda is far from being met. According to the Association of Certified Fraud Examiners 2022 Report to the Nations, the percentage of cases involving corruption is on the rise—from 33% in 2012 to 50% in 2022—while corruption was by far the most common occupational fraud scheme around the globe.[2]

What can organizations do to address this rising risk?

A road trip

The idea hit me while driving my car on a cloudy and cold day on a mountainous road. I had been invited to participate in a panel discussion at the 2023 Conference of the Institute of Internal Auditors of Albania, titled “The Road to Building Trust,” to share my experience related to bribery and corruption. Seeing that the road trip from my hometown to Tirana, Albania, would last approximately six hours, I invited my wife, Sofia, to come along.

During the trip, I rehearsed points I wanted to make at the panel discussion. I was going to present successful practices to fight corruption and the significance of an anti-bribery policy.

It was then that Sofia asked me, “So, does having a well-designed, anti-bribery management system actually limit bribery risk?” It was that question that prompted me to write this article.

What is an anti-bribery management system

Most organizations are active in environments where bribery flourishes. Thus, customers may ask employees to serve them with priority or to obtain preferential pricing; suppliers may attempt to entice managers to prefer their products or services, and so on.

So, what can an organization do against this threat?

Let me recount what an organization I was part of did to respond to this threat. The organization formed a project team, including the internal audit department in a consulting capacity, the compliance department, and other units involved in the organization’s operations.

The team decided not only to design an anti-bribery policy but also to take an additional step: to set up an anti-bribery management system and have it certified against the requirements of ISO 37001.

An anti-bribery management system provides an organization with guidance on implementing anti-bribery measures commensurate to its type and size and the nature and extent of the bribery risk the organization faces. It is a series of policies, procedures, and controls tailored to each organization’s specifics that help it establish, implement, and improve.

An anti-bribery management system is designed to instill an anti-bribery culture within an organization and implement appropriate controls. This will, in turn, increase the chance of preventing, detecting, and responding to bribery risk and complying with anti-bribery laws. The system can be independent of, or integrated into, an overall management system.

Having an anti-bribery management system ensures that the shareholders, board of directors, investors, employees, customers, and other interested parties take the appropriate measures to respond to the risk of bribery.

Components of the system

An anti-bribery management system includes:

  • The anti-bribery policy;

  • Management leadership and commitment;

  • Risk register design and population;

  • Risk and control assessments;

  • Employee training;

  • Due diligence on projects and business associates;

  • Financial, commercial, and contractual controls;

  • Segregation of duties, approval authorities, and workflows;

  • Reporting, monitoring, and review;

  • Continuous improvement.

Setting up the system

After management approved the anti-bribery management system project, we started by preparing a well-thought-out project plan with clear timelines, roles, and actions.

Then we went on to design the anti-bribery policy that:

  • Set the appetite and tolerance of the organization toward bribery risk;

  • Provided the framework for setting, reviewing, and achieving anti-bribery objectives;

  • Encouraged raising bribery concerns in good faith without fear of retaliation, discrimination, or disciplinary action; and

  • Explained the consequences of not complying with the anti-bribery policy.

We made sure that this anti-bribery policy was:

  • Available in a single document;

  • Approved by management;

  • Using appropriate and easy-to-understand language for the target audience; and

  • Published through the organization’s internal and external communication channels so it was easily accessible (e.g., intranet portal, website, social media accounts).

The next step was critical to setting up an effective system. We had to identify the bribery-related risks the organization could face, assess them, and decide which were the most significant to address to effectively prevent, detect, and respond to them.

So, we identified the organization’s activities that make it vulnerable to bribery, the circumstances that could make bribery more likely to occur, and the way in which a bribe can be transferred. Thus, a risk register was created and populated, forming the basis for assessing and prioritizing the identified bribery risks.

Identification of potential risk events can come through a wide range of external and internal resources, such as:

  • Publicly available information;

  • Cases where bribery risk materialized;

  • Interviews and surveys performed with board members, management, and employees;

  • Surveys to suppliers, customers, and other external stakeholders;

  • Internal audit findings and compliance reports;

  • Concerns raised through hotlines; and

  • Risk and control self-assessment exercises.

The next step was to assess the bribery-related risks in the risk register in accordance with the instructions provided by the organization’s risk management policy. The assessment took into consideration two characteristics of the risk events: the probability that a specific risk will materialize and the impact the specific risk event would have on the organization’s objectives.

After that, the organization’s risk responses to the most significant bribery risks were identified and put in the risk register. Then, the design and effectiveness of these responses were evaluated, and we ended up with the residual bribery risks—prioritized based on their probability and possible impact.

For those residual risks outside the appetite set by the organization’s board of directors, the risk owners were asked to develop action plans that would enhance the existing risk responses or develop new ones. In this respect, policies and procedures that clearly define the standards and controls could be developed to ensure the organization’s employees are aware of and can execute their duties and responsibilities in line with these expectations.

The next step was employee training and stakeholder awareness of the anti-bribery management system and its requirements. This was achieved through workshops, emails, postings on the organization’s intranet and website, and inclusion of relevant terms in contracts with customers and suppliers.

Next steps

But, as Sofia so correctly asked me, “Does having a well-designed anti-bribery management system actually limit bribery risk?”

Indeed, not even designing a best-in-class, anti-bribery management system can provide absolute assurance against bribery risk.

Aristotle emphasized that virtue is practical, and that the purpose of ethics is to become good, not merely to know what good is.[3]

An organization should consider enforcing and monitoring the implementation of its anti-bribery management system as a continuous process. Only through enforcing and monitoring will employees know what bribery is and how to recognize it, be aware of areas where the risk of bribery is significant, know how to act when confronted with situations where bribes are offered or requested, and act in the right way.

Enforcing the system

Enforcing the anti-bribery management system can be achieved through a series of steps.

Appropriate tone at the top

The board of directors and senior management should lead by example through their support, statements, behavior, and activities. Because, let’s be honest: if management exhibits unethical behavior, employees may adopt a similar attitude.

Moreover, the board of directors and senior management should communicate the organization’s appetite and tolerance toward bribery risk clearly and consistently with any possible means and in any given opportunity (e.g., in the annual financial reports, social media postings, speeches, interviews).

Appropriate tone from the middle

Middle managers should respect the stated organization’s appetite and tolerance toward bribery risk, as this will be effectively communicated downward through the organization. Most of an organization’s employees work closer with middle rather than senior management. Consequently, they will likely follow middle management’s example of how to behave.

Spread the word

The board of directors and senior management should consistently spread the word about the organization’s appetite and tolerance toward bribery risk during their visits to the organization’s offices, production areas, remote units, customers, suppliers, and stakeholders. They should ensure this word is not spread only through remote messages from the head office.

Candidate screening

Due diligence should be conducted on people’s backgrounds before they are hired, transferred, or promoted. Such screening should be more extensive for candidates who will hold managerial positions or sensitive roles, such as internal audit, compliance, procurement, and so on.

Regular awareness and training sessions

Use case studies, scenario analysis, and practical guidance aligned to the specifics of the organization that exemplify the anti-bribery management system requirements. This will teach employees what is expected from them and what behaviors are unacceptable, stimulating employee vigilance to bribery risks. Involve internal audit, compliance, human resources, and legal affairs in preparing and communicating employee awareness and training sessions. Ensure that all employees—including the board of directors and senior management—receive a set minimum level of training based on their position.

Training and acknowledgment

Include training on the anti-bribery management system in the training provided to new recruits—regardless of position or seniority—as well as to newly appointed board of directors and senior management members. Get signed acknowledgments of the anti-bribery policy obtained from all employees.

Reporting

Produce written and publicly available procedures for reporting violations of the anti-bribery policy. This will encourage the organization’s employees, customers, suppliers, and other stakeholders to report breaches of the anti-bribery policy in good faith, assuring them that the organization will protect their anonymity and that they will not suffer retaliation, discrimination, or disciplinary actions for concerns they raised in good faith.

Policies and procedures

Written procedures enable the organization to take disciplinary actions against employees who violate the anti-bribery policy. Ensure the procedures are clear that deviations from the anti-bribery policy will affect salary and promotions and could even lead to termination of employment.

Remuneration policies

Remuneration policies should not inadvertently reward behaviors undermining the organization’s appetite and tolerance toward bribery risk. To this end, remuneration policies should include risk-adjustment measures on employee performance assessments and describe the awarding, deferral, and payout structure of the bonuses. These should be linked to risks, including violation of the anti-bribery policy.

Monitoring the system

Monitoring the implementation of the anti-bribery management system is a continuous process of paramount importance, as it ensures the constant improvement of the system. The following are noteworthy ways to monitor the system:

  • Administer surveys to employees to identify areas of potential improvement and their views on whether the organization acts with integrity and honesty. Incentives could be provided to employees to encourage suggestions for improving the anti-bribery management system.

  • Assess whether the anti-bribery policy is sufficiently communicated and that employees are aware of and understand the requirements of the anti-bribery management system. Assess whether employees are confident they can handle bribery risk events.

  • Monitor the completion rates and pass rates of awareness and training sessions.

  • Administer customer satisfaction surveys.

  • Interview key internal and external stakeholders.

  • Host roundtable discussions to exchange views on specific cases and scenarios relevant to the organization’s specifics.

  • Review reports on possible bribery violations, deviations from the anti-bribery policy, and resolution progress.

  • Second-line organizational units should ensure that the organization’s ethical values are applied to business behavior—both in the conduct of individuals and the organization as a whole.[4] Ethical behavior applies to all aspects of business conduct, from boardroom strategies and how companies treat their employees and suppliers, to sales techniques and accounting practices.

The internal audit unit of the organization should also contribute by providing ethical assurance as an independent unit of the organization. Internal audit should:

  • Assess whether the organization’s appetite and tolerance toward bribery risks are sufficiently restrictive and validate that they have been adequately communicated, ingrained, and managed throughout the organization.

  • Perform standalone assurance engagements with the objective of assessing completeness and adequacy of the anti-bribery management system design and its proper enforcement and monitoring.

  • Embed requirements of the anti-bribery management system into the scope of other assurance engagements. For example, an integrity principle could be part of a procurements, sales, or employee recruitment audit.

  • Participate in investigations about violations of the anti-bribery policy.

Conclusion

Bribery is a significant risk that can undermine an organization’s reputation, profitability, and operations. An anti-bribery management system signals an organization’s commitment to ethical behavior. It supports the organization in preventing, detecting, and responding to anti-bribery risk through the development of an anti-bribery policy, risk and control assessments, employee training, financial, contractual, and other operational controls, reporting, and monitoring.

However, an anti-bribery management system can only be effective through proper enforcement and monitoring. Management should walk the talk and demonstrate leadership and commitment to the system. Anonymous reporting of anti-bribery policy breaches in good faith should be encouraged. Remuneration policies should not reward behaviors that undermine the organization’s bribery risk appetite. Surveys should be conducted to identify areas of potential improvement. Second-line organizational units should ensure that the ethical values of the organization are applied to business behavior, while internal audit should provide ethical assurance as an independent unit of the organization.

Takeaways

  • Bribery—and corruption in general—is on the rise.

  • An anti-bribery policy is not enough by itself.

  • Design an anti-bribery management system tailored to the organization.

  • The organization needs to “walk the talk”: Enforce, continuously monitor, and improve the implementation of the anti-bribery management system’s requirements.

  • The organization’s board of directors, senior management, internal auditors, and compliance officers should act ethically, follow the policies and procedures, and be role models to all.

 
1 United Nations, UNODC, “UNODC and the Sustainable Development Goals,” February 1, 2018, https://www.unodc.org/documents/SDGs/UNODC-SDG_brochure_LORES.pdf.
2 Association of Certified Fraud Examiners, Occupational Fraud 2022: A Report to the Nations, 2022, https://acfepublic.s3.us-west-2.amazonaws.com/2022+Report+to+the+Nations.pdf.
3 Wikipedia, s.v. “Aristotelian ethics,” last modified February 23, 2024, https://en.wikipedia.org/wiki/Aristotelian_ethics.
4 The Institute of Internal Auditors, The IIA’s Three Lines Model: An update of the Three Lines of Defense, July 2020, https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf.
This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

What to read next...

First Amendment audits

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings