Freeh Group International Solutions

Anti-Bribery Compliance: Tips for Developing an Effective Program

Blake Coppotelli & Thomas Melvin Oct. 15, 2014

Depending on the severity of the underlying conduct, anti-bribery compliance could be a matter of life and death for a domestic or foreign company under the jurisdiction of the United States Foreign Corrupt Practices Act (FCPA), the United Kingdom Bribery Act 2010 (UK Bribery Act), or any other foreign anti-bribery law that is applicable to a company where it, or a third party acting on its behalf, conducts business and/or has a sufficient presence.

A robust anti-bribery compliance program, strong internal controls, and a commitment to ethical business practices from the top of the organization down, are not only essential parts of good corporate governance and business strategy, but are key factors in mitigating or defending against possible criminal and civil liability, substantial fines, and damage to a company’s reputation and consumer confidence.

The extent of a company’s compliance program in place at the time of misconduct can significantly impact whether the company will be a subject or target of an enforcement action, offered a deferred or non-prosecution agreement, and/or face severe penalties and sanctions. For example:

In reviewing the Sentencing Guidelines, the Resource Guide and the UK Guidance, 11 common themes emerge as critical to an effective anti-bribery program:

Tone at the Top
The board of directors and senior management must have a complete commitment to anti-bribery compliance and all applicable bribery laws. This commitment needs to be disseminated throughout the organization, and periodically reaffirmed in clear and unambiguous communications and actions.

Clearly Articulated Policy against Bribery
The company should have a code of conduct that states at a minimum: (1) its commitment to anti-bribery compliance; (2) the relevant law and the proscribed conduct; (3) the obligation of all employees to adhere to the code and report suspicious behavior; (4) the process for reporting complaints; (5) a non-retaliation policy; and (6) the penalties and consequences for any violation of the code. Additionally, the code should be updated on a routine basis, and made accessible to all employees, third parties, and business partners. When warranted, the code should be provided in foreign languages to ensure clarity.

Additionally, depending on the company’s size and risk profile, the code should be supplemented with detailed standards and process guidelines that set forth the roles and procedures for all anti-bribery compliance program functions and initiatives, including those discussed in this article.

Program Roles, Oversight, Autonomy, and Resources
The program should be overseen by a senior executive with appropriate experience and authority to report directly to the company’s governing body, with sufficient autonomy from management and with adequate allocation of funding and resources. The day-to-day functions of the program can be delegated to experienced senior employees, but the overall responsibility and reporting duties need to rest with a senior executive. The nature and extent of the anti-bribery program should be determined by the company’s size, structure, complexity and bribery risks.

Risk Assessments
A one-size-fits-all approach to risk is ineffective, too costly, and fails to meet government expectations. An organization must assess its bribery risks on an enterprise-wide basis, and then design a program that can adapt depending on the company’s risks, allowing for the greatest allocation of resources to be placed where the risks are the most significant. Assessments need to consider where the company and its third parties operate, the bribery culture within those locations, the business services offered, the extent of government contacts, vendor and employee hiring practices, long- and short-term business objectives and strategies, its business partners, the emerging political landscape, and the critical functions and areas that will be touching bribery risks within and without the organization.

Training and Continuing Advice
Anti-bribery training must be provided to all employees. The nature and extent of that training, however, depends on the company’s risk profile. An effective training program is dynamic, regularly monitored and evaluated, and presented in a manner appropriate for the targeted audience. For employees within higher bribery risk business lines or locations, or who are employed in positions that touch on anti-bribery compliance functions, more detailed training should be provided in the form of in-person and web-based instruction that includes hypotheticals or sample situations that mirror the actual circumstances employees may encounter as part of their duties.

Third-Party Management
The use of third parties and agents is the predominant method for concealing bribes. Companies should institute a risk-based third party procurement and management process that includes (1) a background investigation of the “at risk” third parties, (2) an invoicing process that is transparent and backed up by supporting documentation, (3) a written commitment from these third parties that they will adhere to the company’s code of conduct and standards, (4) annual certificates that attest to their continued compliance with the company’s anti-bribery policies, and (5) verification of work performed, costs incurred, and the nature of any interaction with government officials engaged in on behalf of the company.

At-risk third parties also should have contracts that clearly set out the anti-bribery laws governing their activities, audit rights to the benefit of the company, and terms allowing the company to review a vendor’s own anti-bribery program and training, or the right to require the vendor to complete the company’s training program.

Confidential Complaint Reporting
Organizations should have detailed procedures for employees and third parties to report suspected violations of the company’s policies. Most companies use “open door” and anonymous hotline reporting to satisfy their compliance requirements. Whatever risk-based method your company chooses, it should allow for confidential reporting, without fear of retaliation and, when warranted, should include foreign language considerations, adequate notification to employees and third parties, and appropriate signage in higher risk locations.

Investigations and Remediation
Bribery is notoriously difficult to investigate and prove because of the complexity and often latent and hidden nature of the unlawful behavior. There is usually no complaining victim, and obtaining credible evidence (e.g., business records, written communications, and financial documentation) almost always requires forensic specialists. Additionally, most bribery occurs in foreign locations, where access to witnesses and documentary evidence can be difficult and often triggers complicated domestic and foreign (e.g., blocking statutes and data privacy) legal issues. An effective investigative process needs to include: (1) a detailed recording and tracking mechanism for all complaints, investigations, and disciplinary steps taken against any employee; (2) expert internal and external resources that understand the legal and evidentiary complexities of investigating the suspected misconduct in foreign locations; (3) reporting mechanisms that govern when and how to disclose the complaint and investigation to the audit committee and/or the board of directors; and (4) use of the investigative results to revise and enhance vulnerable aspects of the company’s anti-bribery program.

Mergers and Acquisitions
Companies must conduct adequate pre-transaction anti-bribery financial and investigative due diligence on entities that they seek to merge with or acquire. Inadequate due diligence creates risks, and the opportunity for corrupt behavior to occur or continue. Effective due diligence mitigates legal and business consequences, protects against reputational damage, and potentially allows the company to estimate and negotiate with the entity for costs that may be imposed on the company for the entity’s past misconduct in any resulting criminal and/or civil action. Importantly, the company should evaluate the adequacy of the acquired entity’s anti-bribery compliance program and then enhance the program post-acquisition to bring it on par with the themes discussed in this article.

Incentive and Disciplinary Measures
Incentive and disciplinary programs that reward compliant behavior and punish non-adherence are critical to establishing an effective anti-bribery program. Adequate disciplinary measures coupled with positive compliance incentives drive ethical behavior and demonstrate the company’s commitment to anti-bribery compliance.

Periodic Testing and Review
An anti-bribery program must be tested periodically to determine its effectiveness, employee and third party compliance, and to detect possible violations of the company’s code of conduct and anti-bribery standards. The risk assessment, discussed above, should determine the extent, focus, and frequency of the reviews. Depending on the results of the assessment and risk profile, organizations should consider adopting three basic testing mechanisms:

Adequacy Assessments – internal anti-bribery experts evaluate whether all of the components of the company’s anti-bribery program meet industry standards and regulatory expectations.

Internal Audits – the company’s internal audit group and/or its anti-bribery compliance program experts review employee and third party compliance with the code, internal controls, and all anti-bribery processes.

Bribery Detection Reviews – the company’s anti-bribery compliance specialists conduct targeted reviews of higher risk functions to detect possible violations of the code and applicable anti-bribery laws.

To the extent a company does not have adequate internal resources to conduct periodic testing, the organization should consider hiring independent experts. Outside help from anti-bribery specialists provides a clear indication that the company is committed to anti-bribery compliance and ethical business practices, and helps the company benchmark its program against industry standards and regulatory expectations.