Kanupriya Jain (kanupriya.Jain@controlrisks.com) is Director of Control Risks in Dubai, UAE.
All compliance executives, investigators, and general counsels are aware of the concept of building strong policies and a tone from the top when discussing compliance frameworks. Although these are some of the key principles defined by the UK Bribery Act, they are increasingly being used by organizations as a simple tick-the-box exercise, giving the appearance of compliance when, in reality, the organization has no robust compliance framework in place to effectively manage the risks it faces.
Policy vs. risk-based compliance programs
In most cases, senior corporate employees request policy-based compliance programs to fulfill a regulatory requirement, a prebid qualification, or a prerequisite for receiving investments from more mature or regulated countries. Budgetary constraints often result in these programs being a one-time, high-level exercise where policies define an organization’s vision, but they do not provide enough guidance to employees on what to do if a certain situation arises. For example, if an organization’s policy says, “do not bribe” and “conduct business ethically,” the employee reads and follows it. But when the same employee travels to countries where anti-money laundering, corruption, or sanctions risks are high, and they receive a bribe request during business interactions, they may not know how to respond without jeopardizing their career, causing reputational damage to their employer, or even endangering their own life. Should they say no immediately? Should they consider the demand as a way of doing business and fulfill the request? And if a bribe is paid, how should the employee report it or claim reimbursement?
This uncertainty is where policy-based compliance plans fail. For some companies, this policy-based approach might prove to be successful in the short term, but when put to the test in today’s age of technology, the Internet of Things, artificial intelligence, and the volume of data every organization processes, are these policy-based compliance programs enough to protect against a breach or violation and potential regulatory action?