Three basic steps can help detect an ineffective Anti-Bribery and Corruption compliance program.
Anti-Bribery and Corruption (ABC) compliance programs are increasingly being mandated by legislators, boards, customers, contractors and bankers.
The basic requirements for these programs are fairly well known, but many organisations are unsure how effective or efficient their ABC compliance programs actually are.
The August 2013 Compliance Trends survey undertaken internationally by Compliance Week and Deloitte noted that ABC risks were the top four key risks for compliance executives, but these same executives struggled to measure the effectiveness of their programs. Indeed, over 30 percent of these executives simply threw their hands up and did not attempt any measurement at all.
It is no wonder, therefore, that many clients have reported that once they had covered off the minimum requirements of their ABC programs they were uneasy, not knowing how they could be satisfied that they had done enough, measure their effectiveness, or determine where to go next with their ABC efforts.
This is particularly troubling given that recent ABC prosecutions indicate the problem is not so much an absence of an ABC compliance program as the presence of an ineffective program.
In this article we'll tease out some of the challenges of implementing and upgrading ABC compliance programs, and point to three key practical strategies that will enhance your bang for your ABC buck.
- Do a high-level health check of your current ABC arrangements to check they cover the basics
Covering the basics is important, so assessing your current arrangements/compliance program is a useful first step to ensure that all of the minimum requirements are present.
If you are starting out, see The ABCs of an anti-bribery and corruption corporate compliance program for an Australian business for some tips.
If you are further advanced, use the UK Standard BS 10500:2011 – Specification for an Anti-Bribery Management system.
These resources will assist you in ensuring that there are no glaring gaps in your approach and that you have a system that is designed to detect, check and prevent all key adverse ABC issues.
- Drill down and stress test a key ABC risk – how embedded are your ABC programs?
Many organisations have ABC Compliance programs that look great on paper but don't make the transition to being a fully implemented business policy and procedure.
Select one of your key ABC risks and then stress test it at its weakest link to see how it stands up on the front line.
For example, many of our clients find contracting with third parties (alliance arrangements and the like) form the potential weakest link of their ABC arrangements.
Do your contractual arrangements permit auditing and ongoing monitoring of the performance of the required activities on the ground? What are the key results areas (KRAs) and the key performance indicators (KPIs) for these – and what do you expect them to be evidence for in an audit? In particular, what would a defensible position of having taken "adequate procedures" or acting "duly diligently" look like?
In a perfect world all of these issues would be addressed in the relevant contractual arrangements. Even if they are not, this should not prevent a stress test being undertaken by mutual agreement after discussion.
A well conducted audit having both announced and unannounced features can be a useful methodology to assess whether your ABC Compliance program has been embedded into the front line.
Clearly, it would be useful for this assessment to be carefully scoped to ensure it will accurately reflect actual conditions and realistic expectations. I have found in practice that the assessment is most useful when it is developed on the basis of learning what's happening, rather than seeking to catch people out or to allocate blame.
You should also consider HR/employment issues and the desirability and availability of legal professional privilege when developing the assessment (particularly if developed in conjunction with a third party).
While it doesn't determine anything by itself, in my experience it's often illuminating to take what you've learnt from testing your potential weakest link, and compare those findings to that which has been reported and your usual methods of assessing ABC compliance effectiveness. Doing this will either give you additional assurance or identify potential unexpected weaknesses.
After this step, other assessments can then be calibrated to provide further assessment, verification and assurance of your ABC compliance program.
- Review the cultural and framework aspects of your ABC compliance program to gain strategic uplift
Often ABC compliance programs are focused on technical matters: forms, paperwork, or processes requiring completion.
What can be missing is the strategic aspect – namely, how ABC risks and issues feed into the wider organisational goals and objectives. This is a key issue in building effectiveness into ABC compliance programs.
For example, if an Australian business is seeking to grow offshore in a high-risk ABC area, a key strategic objective may be to establish, develop and strengthen key alliances and entrench staff in desirable behaviours in that other country. Perfunctory due diligence on third parties and staff without taking into account the wider strategic objectives would mean you'd miss the opportunity to create significant synergy between your organisational strategic objectives and the mandatory ABC assessment. Indeed, in my experience organisations which take this wider strategic view not only add great value (real and perceived) to their ABC program, but ensure continued business buy-in and support down the track.
Two key ways to test whether this strategic aspect is present to the desired degree are:
- to cross-check if the ABC Compliance program is actually having a significant positive impact on the organisational culture; and
- to see to what extent the ABC Compliance program forms part of the wider governance risk and compliance (GRC) framework of the organisation.
Let's examine these two issues in turn.
Many clients are now seeking to better assess and manage their organisational corporate culture. Even the most diehard sceptic of culture measurement concedes that there is a rising stakeholder focus upon and value given to a healthy corporate culture in which innovation, doing more with less, and constructive challenge drive staff to greater discretionary effort.
Clayton Utz is currently working with a number of clients and culture consultants to develop improved culture measurement methodologies, so they can discover where their efforts can be better targeted and therefore build a stronger GRC program sooner. So far, it seems that an important factor is the GRC program's ethical basis and its underpinnings in specific behaviours, organisational strategy and individual KPIs. This is particularly the case in uncertain economic times when the temptation to take a short cut to meet challenging revenue targets in locales far from head office is likely to become greater.
A key discovery by some of our ABC clients is that further integration of the ABC compliance program into the wider organisational GRC framework can improve its effectiveness and efficiency. For example, a number of our clients removed the barriers between the ABC function and the wider GRC functions, giving them much simpler and more transparent regular GRC line reporting while also significantly reducing the paperwork and time spent by the line in assessments and report preparation.
In summary then, the more that organisational culture is being impacted by an integrated ABC compliance program the more likely in my experience that the organisation is getting a strategic focus to its ABC program and thus a better bang for its ABC buck.
Where to now?
These three suggestions will help you get a better understanding of how effective your ABC Compliance program actually is, and what steps you should take next. Over the next few months our ABC team will publish further practical resources to help you get the most out of your ABC Compliance program.
If you'd like more information about developing and measuring the effectiveness and efficiency of your ABC, or more generally your GRC frameworks, or would like an external review and assessment as part of an upgrade of them, please contact one of the Clayton Utz Governance and Compliance team.
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.