Pitfalls to avoid when building an Anti-Corruption Program

Welcome and thank you for joining today's webinar, hosted by me, Bethany Sirven of MyComplianceOffice and Robin Singh. Today's webinar will cover reasons why anticorruption programs fail, practical ways to strengthen an anticorruption practice that needs to be incorporated, advise on how to improve your existing program, and we'll end with a live Q&A section to answer your questions.

Now, allow me to introduce my co-host today, Robin Singh

How is your anti-bribery corruption program structured? Is it a standalone with no separate compliance and ethics program or is it standalone with the compliance and ethics program, embedded in a compliance and ethics program or you do not have one? Well, that's perfect. Embedded in compliance and ethics program. That's I guess the most mature model of them all because the compliance and ethics program is there to address all forms of your risk. If you are making it standalone but you do not have a separate ethics and compliance program, probability is that you might not be covering all the risks. For those who do not have one, they would need to seriously think of developing ethics and compliance program by starting off with the compliance risk assessment.

With that, we will move back to the presentation and get into the critical area. Why and when would the anticorruption bribery program fail which is now with I believe everybody's understanding, is a part of a compliance and ethics program or ethics and compliance program.

With that, we would move to our first pitfall. I read this pitfall as the number one pitfall. Non having the right mindset. Before you can set the culture, you need to ensure that you get your managements buy in. Management generally tends to establish the compliance and ethics department in the beginning just to fulfill their obligations, a check-the-box approach. I say that is because of a survey that I came across carried out by [PWC 00:19:17]. That noted about 80% of the compliance department were either under-sourced or had very low budget, especially with the companies having a turnover of $1 billion and above, so just imagine that. As we all know, management is all about the bottom line, revenue generation. No matter whatever you do, that's the thing that they will speak to you about. As ethics and compliance people, I believe we need to turn the table around to demonstrate our values. The table that you see on your screen is something which has helped previously my clients to demonstrate the two true values to the management.

How does this work is? You have a matrix with four to six quadrants, covering various aspects of your business. Common runs being as demonstrated on the screen, investigations, compliance, enforcement, opportunities, and whistleblowing. The lined items under each quadrant are equated to opportunity cost or the amount that you would say as ethics and compliance department. Naturally enough, all these numbers would be zero in the beginning and as you go quarter and quarter doing your task, these numbers will increase and this would give a totally different perception to the management. The idea is to show a near reality number. Say for instance, an example, you carried out an investigation and you help recovered an asset with, say, $25,000. Now, that's the amount you saved and you would put that number in.

Now, moving onto the next quadrant, imagine that there was an incident, a small incident which you came across if somebody told you about it, that a salesperson is offering regular gifts to a foreign official on his birthday. Now, hoping that no one constitutes this as an offense and has not already reported to [ACC 00:21:29], you might have a chance to train those group of people and might be able to save the actual enforcement cost. Imagine if you take even 1% of the whole enforcement cost, that could be levied on the organization, it would be 100,000, $100,000. You need to put that number in. Similarly, you would update the new business opportunities quadrant, as well as the whistleblowing part. From the point of view that now that you have established some sort of trust with the management ... We come now to one the most cliche stuff, read in all the books and it still exist that would say commitment from the organization.

The whole essence behind this is to make sure that the management can walk the talk. Basically demonstrate the support that is needed for the implementation of a compliance or a anticorruption program. Definitely, if you have a big organization, you require resources and you would need to identify some people beyond your department to help you carry out your agenda as most of the department around the world in ethics and compliance will not have all the required resources. You need to identify confidants of the management and their confidants. Basically some reliable resources whom you can reach out or they can reach out with what has been happening at the ground level and they can be your eyes and ears for all good reasons in the organization.

This would just create a multiplier effect of your resources and, obviously, the best target for this multiplier effect is going to be the mid-managers, the actual ground level workforce depending on your organization's hierarchy. These are people who will help you execute the compliance program and as well as cascade your anticorruption policies and procedures to employees and make sure that they can get feedback to you which is more practical and valid when it comes to updating your anticorruption policies.

It all boils down to tell the management that you require a resources. Otherwise, the faith would be same as that of the [inaudible 00:24:01] case where this company hired agents to conduct sales in the foreign market and they did not bother to oversee them and at the end, they went on to give bribes and kickbacks to various foreign officials and finally, they had to pay a penalty of nearly about $2 million. It is important that there is a strong commitment and focus from the management and they can keep an eye out, a constant eye or a hand to compliance and ethics to execute their implementation.

Insufficient third party management. This is a critical one. Unable to manage a third party conflict or a situation is one of the biggest risk a company faces. No matter how good your controls are, this risk has a high probability of [inaudible 00:24:57]. Thus, it is important that you have a contract, a third party framework, with the help of your contract owners to execute this framework, such as you would make sure you join hands so that you can get to do a background check, due diligence on the third party that you're hiring, and in case it's going for a merger, it is a definite must, but the company profiles keeps on changing with time, with the change in people, and the environment. This is an activity which needs to be repeated over and over again. The biggest problem is going to come when you want to enforce your program which you do not have a jurisdiction for. Why would they listen to you?

Some of the techniques that are applied by the company is to have a onboarding training for third party over a particular month or a particular day in a month and make sure that you have a conduct, something like a third party code of conduct which you can discuss with your third parties on the onboarding day and take assigned declaration from them to make sure that they understand the seriousness of it.

Lastly, most companies have this right to audit clause in almost all their contract, however, most of them or hardly anyone of them choose to exercise it in order to maintain good [inaudible 00:26:31] relationships. No matter how much trouble you might have to go through, you need to carry out these sort of reviews and the best way to do it is to give the third parties a heads up, right up in the onboarding training. Tell them that they will be performing such an activity once in a year or something like that, depending on the third party profile and the risk assessment that you've done and depending on that, you would continue your monitoring activities.

We would move to the next slide from here which is a polling question. Do you have a right to audit clause or do you exercise your right to audit clause? Yes, often. Yes, often. If there's a substantial allegation, no. No such clause exist in our contract.

We have quite a mix bag of answers here. For those who do not have clause should seriously think of placing this clause. It is very important with the growing third party risk. There's no doubt about it. For those who do it frequently, hats off. I'm so sure that you would be managing your risk better than most of us are able to manage. For those who have chosen the option that they do it in case of a substantial allegation, I believe that's a start but that would be only a one-time journey. There has to be a regular monitoring, some day. The best benchmark would be do to it often, depending on the breadth of the company, obviously, but there has to be a sort of an audit plan to make sure that you can tell them that you would do something like that.

We would move back to the next slide. This is one of the key ones. An incident reporting or a whistleblowing helpline. This is one of the major monitoring mechanism. It is a also a tool for your employees to voice out their concerns. According to [ACFE 00:28:56], this is one of the top three methods by which you can receive details about if there is a corruption or a fraud occurring. It is sort of a benchmark for your compliance program as well, depending on the type of allegations you're receiving, which is the risk area, does it match your compliance risk assessment, is your program working, do people rely on it?

Now, the terms whistleblowing hotline has transitioned from hotline to helpline. Helpline increases the scope of reporting, though, and why has there been this change? First of all, a survey was conducted where a lot of corporate white-collar people were taken into a room and were asked to write synonymous for the word of whistleblower. Out of the 150 odd names that the survey people gathered, not even one word reflected a positive outcome. Most of them were surrounding it as negatives like tattletale, snitch, and that is why ... So the sake of these people who want to come forward, you need to tone it down a bit.

Secondly, there are other type of reporting such as the regulatory reporting where the person would like to openly seek compliance and ethics [inaudible 00:30:18], so pre-regulatory aspects where he or she is not able to fulfill his daily requirements. Thus, he or she would like to talk to the compliance and ethics person and tell them "Okay, I'm not able to do this regulation because of lack of resources of the program or our process works this way," and this is what you have to make sure that you note, you report, and you solve it and just make sure you are training over a period of time. That is why a helpline is such an important tool and it also forms as one of your benchmarks for your compliance program.

Lastly, since it was two elements, it is imperative that at least one of the options that you present to your employees is either confidential at minimum or preferably has a anonymous way of reporting things. Some things which will help the reporter protect his or her identity.

Additionally, it's important to know that people report basically their concerns for only two major reasons. One, will there be any corrective action taken if they're reported or will there be any retaliation against them if they report their concern? The answer to this question will reflect how good your ethics and compliance program is and reflect the image of the compliance and ethics department.

With that, we would move to the next slide. Now that you have allowed an option of anonymity in your system, the anonymous complaints and most of the people then really choose it to be anonymous, it is going to be like a Pandora's box of unknown. You might get vague allegations such as [inaudible 00:32:19] leader of custom department is cooking the books, anonymous. Now, what do you do? First and foremost, you need to double up a matrix such as this, similar to your business requirements. This is more customized towards the healthcare requirement but this is what you would develop depending on your key parameters and risk in the industry. Then once you place the allegation that you receive, you would get an idea that where does the issue stand amongst other competing allegations that you received because you have limited resources to execute your plan. Depending on the high, medium, and low, you would categorize the issue.

Now, this is, again, a benchmarking tool. A benchmark which will show how good is your compliance and ethics program. Now, once you've doubled up and evaluated a matrix such as this, you can present it to your CEO, to the board, to the audit committee, and you can seek their advice as well that because you've received the word, financial statement, and according to [inaudible 00:33:27], you need to report it and carry out investigation, it is not feasible to do so because there isn't any details mentioned in the allegation. With the limited resources, you need to prioritize the complaints and allegations well enough to make sure that you do not lose the integrity of your compliance program. At least for those who have reported substance in their allegation get to see the actual power of compliance and ethics that they have done their work, they have maintained their promise, they executed, and [inaudible 00:34:05] are either disciplined or let go.

With the rotten apples, we would move to the next slide. Now that we have derived a matrix in which one can plot all the cases, may be anonymous, non-anonymous, and get a sign of relief basically to know that we have a prioritization matrix with us, so that we can use our resources efficiently and effectively, it all comes down to this pitfall where it would test the integrity of your anticorruption bribery program.

Now, no matter how good your program, there will be someone who would have or who will cross the line. Someone from a junior resource to a senior management, someone, definitely. However, the disciplinary measures should not be based on the designation. It should be based on the acts and evidence, obviously. I've seen companies sometimes turn a blind eye towards some of the key stuff. When I say key stuff, I mean the actual rainmakers who get in a lot of money, business who keep the big bucks rolling. This is where the going gets tough for the compliance officer. A compliance officer who does not bring in any revenue when he needs to punish or discipline the person who has done something wrong, but at the end of the day is a main rainmaker for the company or brings in huge business.

What does the compliance officer do? He's caught up into a stage of quandary at this point in time and this is where I believe the compliance committee plays a very important role. Since it's a panel, it's not made out of an individual and you can avoid bias and you can make sure that there are corrective decisions which are applied all across the organization a consistent. The committee will help the ethics and compliance apply consistent action plans and probably disciplinary actions as well across the organization in respective of the type of level the person is at.

With that, we would move to the next one. Now that we are going to constantly apply corrective actions and make sure we are doing the right thing as always. Some important elements which I'm going to be pointing around in the compliance program or the anticorruption program is the element to assess and prioritize risk. At the end of the day, risk assessment is a key component not only for developing the compliance and ethics yearly plan but also to run the business and make sure that the management is aware of the risk and rewards, both ends. If a company misses out on assessing the risk correctly or misses out the coverage of a risk, then it simply means that people unaware of something that could go wrong. If that thing which could go wrong and everybody is unaware of occurs suddenly, it would mean that there are no safeguards, no controls to help the company come out of that situation or protect itself.

Now, wrestling back to the case which we just spoke of previously, the [inaudible 00:37:45] case, where they hire the third party. They did not carry out any risk assessment while they were hiring the third party. They were unaware of the quantity or the jurisdiction they are in however they thought that they could make money. They, at the end of the day, failed to make money and they have to pay a heavy price for it. The risks do not end there. During the monitoring stage, a stage which is almost embedded in all the elements of a compliance or anticorruption program, if you miss out what is to be covered or you are unable to prioritize your risk or you do not know the coverage of it in more often than not situations, you would be fixing something that is not broken.

If employees with third party, at the end, know that the compliance department is pretty strict about their risk. They are constantly measuring and monitoring their risk. They tend to obey and comply. These are these ... The other ones who know that compliance department is not super active and cannot do much, and in turn, they would disobey and they would make a mockery out of the rules. Monitoring the risk ... First of all, knowing the risk and then monitoring it in all the stages is a very key component and if you aren't able to do that, more often than not, your compliance and ethics or your anticorruption program would fail.

With that, we would just try to round up things. What all we've covered until now is basically some key elements or pitfalls that could cause serious damage to your anticorruption or compliance and ethics program. You need to know the way you need to get the management's commitment. You need to show a value to the management. Show and speak in their terms, that is the money. Have adequate resources, if not of yours, then from some other department. Know your risk. Make sure you have a coverage. Besides that, these are the leftovers. You need to ensure that your policy procedures are in place. They are simple to read and explain. You have a communication right from the top-down approach and everybody is able to speak and there's a lot of transparency, a lot of notes going around, emails going around from the CEO side, talking about their commitment, talking about a policy, maybe a newsletter coming in the way to tell them what could happen if you miss out, looking out a risk, what happens if you pay a foreign official. Maybe people are just unaware.

Finally, making sure that you can customize the program because not one size fits all. Something that you take off the shelf might not necessarily work for you because it might just work in some other jurisdiction and for some other company. You need to make sure that you can customize all of it depending on the organization, people, the type of operations you have, jurisdiction you are in, and definitely around the laws and regulations, at the end of the day.