Minimize corruption risks by rethinking your anti-bribery risk assessment

By Alexandra Wrage

Alexandra Wrage (wrage@traceinternational.org, +1 410.990.0076) is President of TRACE in Annapolis, Maryland, USA.

In September, at SCCE’s 19th Annual Compliance & Ethics Institute, it was my pleasure to host a conversation with Dan Seltzer, senior director of anticorruption and government compliance at Accenture. We discussed corruption risk assessments: where to start, how to structure, how to navigate internal dynamics, and what makes a successful interview. In this article, I’ve summarized the main points from our discussion.

There’s no question that companies are reeling from the ongoing public health and economic crises. In a poll we conducted during our session at the Compliance & Ethics Institute, 93% of respondents said the COVID-19 pandemic has caused mild to moderate disruption to their companies’ risk assessment procedures. Indeed, in the face of travel restrictions, many compliance teams have had to give up on-site risk assessments, replacing them with phone or video interviews. Some are operating on reduced budgets and, in some cases, with reduced teams. Fortunately, compliance personnel have proven to be adaptable, implementing creative solutions as they redefine what day-to-day compliance looks like.

This is a positive development, as anti-bribery enforcement authorities have continued with a steady pace of enforcement. In fact, 2020 was a record-breaking year for U.S. Foreign Corrupt Practices Act (FCPA) settlements. Despite closed borders and lockdowns, authorities have continued to coordinate with their foreign counterparts to resolve FCPA cases, resulting in massive settlements and sometimes criminal charges. Companies should respond accordingly by continuing to invest in their compliance functions—and as the U.S. Department of Justice has emphasized, conducting a successful risk assessment is central to an effective compliance program.[1]

Getting started

The risk assessment process can be daunting as compliance professionals are tasked with gauging corruption risk throughout complex business processes in multiple markets with limited resources. It’s important to dive in and make a start, wherever your program is currently. It’s easy to become preoccupied with developing a perfect plan, which doesn’t exist, at the expense of launching a solid program that can be refined over time. A geographic risk assessment using an index such as TRACE’s Bribery Risk Matrix[2] is a logical starting point for interpreting the corruption landscape in a specific market. From there, for companies with limited compliance resources, an informal, low-cost undertaking such as a survey can help map the next steps. As Dan made clear during our conversation, it’s less about the resources you have and more about using them efficiently and effectively, learning as much as you can, and applying high-level compliance concepts to your company’s culture.

As you refine your compliance priorities, look to the unique risks your business faces in combination with the geographic risk associated with each market. When determining where to allocate resources, it is prudent to examine where your company has government touchpoints, relies on third-party intermediaries, or requires a high number of licenses and permits. For example, you might consider taking a closer look at a market in which your company relies on third-party intermediaries to obtain licenses and permits that also has a high score in the TRACE Matrix’s “Interaction” trends subdomain; a high score here indicates more opportunities for government officials to solicit bribes.

Developing internal buy-in

Even compliance programs that appear ideal on paper can fail if business executives don’t buy in to them. You can build trust, confidence, and commitment internally by treating risk assessment as a relationship-building opportunity and maintaining a two-way channel of communication with business leadership. Solicit feedback from your colleagues about what works and what doesn’t, and for their concerns, questions, and ideas for improvement in the compliance function. When you do implement a suggestion based on feedback from business leadership, highlight it so they know you’re listening and taking them seriously. As the U.S. Department of Justice has repeatedly emphasized,[3] a company’s compliance program should be integrated into the business, not siloed off.

Conducting successful interviews

Whether conducting risk assessments virtually or on the ground, make your interactions as personal as possible and try to avoid “over-lawyering.” If you’re conducting the assessment on-site, scheduling social activities such as a working dinner can be an effective way to personalize the visit. If you’re conducting virtual interviews, begin your call or video chat with some time for small talk. If the process is very formal and people don’t feel at ease, you risk missing out on critical information that could inform your compliance decisions.

It’s also important to make sure you have the right people in the room or on the call. Consider dividing interviewees into smaller peer groups or holding one-on-one conversations as necessary; junior personnel may not necessarily divulge concerns in front of senior personnel.

Finally, make it clear that you value interviewees’ concerns, opinions, and feedback. Interviews should be a two-way dialogue, and they will be more successful if you remain agile and keep an open mind. An overly structured approach to risk assessment and the interview process almost always reduces the value of the discussions.

Continuing risk assessment

Remember that risk assessment is not a singular event; it’s an ongoing process. You should continue to look for trends across the company but also within markets, which can be an early warning sign that something is amiss. Don’t let the relationships you build during the risk assessment process dry up when it’s over. Continue the dialogue with internal and external contacts, and keep open all lines of communication.

At the same time, you should make continual improvements to the risk assessment process and maintain a forward-looking approach to keep pace with the enforcement environment and evolving techniques used by criminals. Insert yourself into the business group and the compliance cycle and keep your finger on the pulse, adjusting the risk assessment process as you go.

A note on outside counsel

Companies with limited personnel may hire outside counsel, such as local law firms, to advise on risks associated with a particular market. Local law firms can be a helpful resource, with the caveats that (1) no one knows as much about your company as you do, and (2) outside counsel tends to be more conservative in their recommendations. A logical approach is for companies to do as much as they can in-house by leveraging the networks they have, and then look to outside counsel as necessary and appropriate.

Prioritize and think outside the box

While the COVID-19 pandemic has upended many normal business operations and required compliance teams to think creatively, most of the core principles of corruption risk assessments remain the same. Securing internal buy-in for risk assessments and personalizing interviews, for example, are certainly as important as they ever have been, even though our methods of communication may be different.

Anti-bribery enforcement authorities will expect companies to have maintained a thoughtful approach to compliance as they navigate the pandemic and resulting travel restrictions, budget restraints, lockdowns, border closures, and supply chain disruptions. Companies should continue to prioritize compliance, find creative ways to integrate it into day-to-day business functions, and approach resource allocation purposefully—starting with a thorough risk assessment.

Takeaways

  • When conducting a risk assessment, examine the unique risks your business faces in combination with the geographic risk associated with each market.

  • Develop buy-in internally by treating risk assessment as a relationship-building opportunity and maintaining a two-way channel of communication with business leadership.

  • Whether conducting risk assessment interviews virtually or on the ground, make your interactions as personal as possible and try to avoid “over-lawyering.”

  • Risk assessment is an ongoing process. Continue to look for trends across the company and within markets, as well as opportunities for improvement.

  • Companies should continue to prioritize compliance, find creative ways to integrate it into day-to-day business functions, and approach resource allocation purposefully.

 
1 U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs (Updated June 2020), http://bit.ly/2Z2Dp8R.
2 “TRACE Bribery Risk Matrix,” TRACE, accessed February 3, 2021, https://bit.ly/3oOBNfs.
3 U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs.
This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings