In this article, we are going to discuss what an effective compliance program should include by going more in-depth. An anti-corruption program is important to a company not only because it lays out policies and procedures to help prevent corruption, as well as policies and procedures to remediate any issues that arise, but because it can also help to mitigate a company's liability if corruption happens within its ranks.
The Benefits of a Compliance Program
In addition to mitigating risk and liability for a company, an anti-corruption compliance program can also be good for business in general. It makes a company more reputable and trustworthy. In addition, it can mean more business for a company.
If your company does not have a compliance program in place, it is more likely that your company will be the focus of a corruption investigation. This is not because companies without compliance programs want to be corrupt. Instead, it is because the leadership and employees are not trained on the laws and regulations regarding bribery and corruption.
What may seem like a legitimate act to gain business, such as compelled giving or facilitation payments, might be illegal. These acts could put your company under investigation. Even if your company is cleared of wrongdoing, just the publicity from an investigation can damage your reputation. When your reputation is damaged, you face losing valuable business opportunities.
Some business partners and suppliers that you may need to - or even seek - to do business with might require you to document your anti-corruption compliance program. They do not want to be liable for any corruption within your company, so they want to be sure you have the appropriate policies and procedures in place. Not having a compliance program, in this case, can cause your company to lose valuable contracts.
Finally, companies who are convicted of corruption face being blacklisted from contracts. No compliance program is complete, 100% protection against corruption, but they do go a long way to prevent it - and also can mitigate the company's liability. Without a compliance program, you open yourself up to instances of corruption rather than protecting yourself against it. If convicted of corruption, you could be excluded from bidding on contracts; therefore, damaging your company's reputation and chance for growth.
Introduction to the Compliance Guide
Throughout the rest of this article, we are going to provide a guide to help you know and understand what needs to be part of any effective anti-corruption compliance program. This is not by any means a comprehensive guide. Instead, it is an in-depth look at the basic components your anti-corruption compliance program needs. You will also need to consult the FCPA laws and regulations, as well as the laws and regulations for any country with which you do business.
Commitment from Company Leadership
The first thing any anti-corruption program needs to be effective is commitment from a company's top management. Top management sets the example for the rest of the company and helps to create the culture of the company. Those in top management should show support for the company's policies on corruption. They should also be committed to preventing corruption within the company.
The top management in a company should not only set an example and show support. They should also be involved in setting prevention policies and assigning management to create, implement, and monitor policies and procedures. Top management should formalize the company's new anti-corruption policies and procedures in a written document available for everyone in the company to read.
The policies and procedures included in an anti-corruption compliance program vary based on the nature of a business, the size of the business, and other factors.
When creating policies and procedures for a compliance program, your company should take the following things into consideration:
1. Any policies and procedures created should apply to everyone within the company.
2. The company should take steps to ensure that the policies and procedures are implemented by assigning someone with the resources, autonomy, and authority to be responsible for this.
3. A code of conduct should be created by taking into account your company's geographic scope, industry, products, third-parties, customers, and government interactions. The code of conduct needs to apply to how, where, and with whom your company does business. In order to to this, you need to take into account these aspects of your business. You want to set policies and procedures that follow the code of conduct.
4. Policies and procedures should also assign responsibility for the compliance program, internal controls, documentation, auditing, and discpline for violations.
5. Protocols for dealing with foreign public officials should be put into place. You also want protocols to prevent the creation and/or use of false documents.
6. Reporting and assistance methods should be clearly outlined in your procedures. Those within your company should know and feel comfortable reporting any suspected issues.
7. You also need to create accounting procedures so the company's books stay accurate and transparent. This should include internal controls.
Part of your compliance program should be regular risk assessments to assess both internal and external risks. The most serious risks are the ones that your company should focus on. A risk assessment will help you identify the risks and then help you to determine which risks should be your priorities.
Listed below are some different kinds of risks that your company will want to monitor and assess:
1. Representatives. Representatives are anyone who represents your company and its interests, including consultants, joint venture partners, and third parties. It is important to identify these representatives and evaluate the risks.
2. Products and Industry. The industry your company is in may present a higher corruption risk than other industries, especially if your industry is dependent on large government contracts or licenses. Things like this put you at risk of agents acting on your behalf committing corruption to gain an advantage for your company.
3. Country and Region. It is critical to know the anti-corruption laws and regulations in the countries where your company does business. For example, some countries have state-owned enterprises. Since the representatives and employees of these enterprises are often considered public officials, it increases the risk of corruption.
4. Record Keeping. Your compliance policies, procedures, and activities should be documented. This includes your risk assessments. It is important that your company can demonstrate the steps it takes to prevent corruption within its ranks and with its representatives.
5. The Types of Corruption. Your company should also evaluate its risks for different types of corruption. Facilitation payments are considered bribery in some countries while they are legal in others. If your company gives gifts or donations, this might be a huge risk, because the most seemingly innocent payment might be viewed as a way to influence officials.
6. Determine the Priorities. Evaluate risks for likelihood, velocity, and impact to determine risk levels. Focus on the highest risks first.
Your company should appoint departments, units, and officers who are responsible for preventing corruption. These individuals should be independent from management and have access to the resources they need to implement your program. They should have full power to implement policies and procedures, as well as anything else needed to prevent corruption in your company.
It is important that you understand that your company is liable for corruption committed by any member of management, employee, or representative, including business partners and other third parties. Third parties represent a higher risk for corruption than your management or employees because you do not have as much control over their actions. That said, you must practice due dilligence before allowing others to represent your company.
Due diligence is defined as the steps you take to satisfy a legal requirement. Conducting due diligence on a third-party is taking steps to evaluate their risk for corruption and, in turn, the risks your company might face if they become representatives.
That said, due diligence can be a huge undertaking. Due diligence tools help your company assess and avoid corruption risks when dealing with third parties. They provide information you should obtain and steps you should take. Listed below are some model due diligence tools that can be used.
1. Capture Key Data
It is important to collect all organizational information on the third party, as well as the department that initiates the due diligence, into a third party management system.
The information that should be gathered when conducting due dilligance includes:
- Business information
- Relationships with governments and officials
- Business references
- Prior reputation issues, bankruptcies, and investigations
- Services to be rendered
2. Identify Third Parties
What type of third party are you dealing with? For example, is it a joint venture partner, a sales agent, an event agency, or a customs clearing agent? Third parties are a higher risk than your employees, because you have less control. However, you can still be held liable for corruption committed by a third party.
After your data has been authorized, you should evaluate the risk of a third party by asking questions contained in a questionnaire. Red flag questions in the questionnaire will trigger requests for more information. You can use this information to determine the depth of investigating that you need to do for the third party. What's more, background checks should be performed on all third parties. A risk score should be calculated based on the responses in the questionnaire and the results of the background check.
Red flags you should watch out for when assessing the risk of any third party include:
1. Reputation issues that include bankruptcies, allegations of corruption, etc.
2. Unable to contact business references
3. Based in a high-risk country
4. Close ties with government officials
5. Unusual payment arrangement requests
6. Roles and services are unclear
4. Submit the Questionnaire for Review and Approval
Compliance reviewers or officers should make the decision to approve or reject a third party once the questionnaire and background check are complete.
5. Finalize Approval and Contract
Once the due diligence process is approved, a business relationship can be started. Transactional or contract details should be stored with the third party's due diligence information.
If you choose to enter into an arrangement with a third party, the agreement should include but are not limited to:
1. Commitment to FCPA training for relevant employees.
2. An anti-corruption certification.
3. A specific process for making payments.
4. Termination rights.
5. Audit rights.
Training and Communication
Now that we have discussed due diligence as part of a compliance program, let's move forward and talk about training and communication. Policies and procedures should be communicated throughout the company. They should also be understood by everyone in the company, as well as by stakeholders. As well as training employees, you may also want to train suppliers, contractors, and external stakeholders. Document all communication and training, especially the communication and training you provide on your code of conduct and anti-corruption policy.
Monitoring and Reviewing
The policies and procedures that are established and implemented should be monitored and reviewed constantly to account for new risks and effectiveness.
There should be clear reporting mechanisms in place so that employees can report violations or suspected corruption. They should be able to do this confidentially without fear of retalation. In addition, there should be clear displinary measures put into place for non-compliance.
Make sure your compliance program is compliant with the laws of the countries where your company does business. It's highly recommended that your company ensures its compliance program is 100% in accordance with laws and regulations not only in the United States, but wherever it does business across the globe.