What can companies do to manage bribery and corruption risk better?
Kathryn Higgs is Director of Transparency International’s Business Integrity Programme. Prior to that she was head of ethics and compliance at Tesco and chief compliance officer at Balfour Beatty. In an exclusive interview with LexisNexis, she says that technology has increased the risk of bribery and corruption facing businesses, but if used correctly it can help them to manage those risks more effectively.
Q: What are the main things a company should do to manage the risk of bribery and corruption?
A: The first and most important thing a company needs is a leadership team that is taking the issue seriously. The first thing they need is a risk assessment of their operations and what bribery and corruption really looks like in their industry. They need an understanding of how they can apply these learnings to their business, and from that follows the steps they need to take to manage risk.
Q: What should the risk assessment process look like?
A: Any company needs to be looking at where they are doing business and what the nature of their operations is, and they need to be considering the full suite of their operations rather than just what they consider to be their core business. They also need to be mindful that it may not be their largest unit of core business activity that is generating greater risks, but it is often the small activities around the periphery, the exploratory areas and things which are done on a shoestring budget. For a large company, they may have some spin-off businesses or associated activities which are not generating the company’s major profits, so they are not on the radar of the leadership team.
Q: Are CEOs today taking bribery and corruption more seriously than in the past?
A: I definitely think bribery and corruption is now more on the radar of chief executives and senior leadership teams but not all companies look at it in the same way. Some are only looking at risk because they know it is something they have to do, because they are aware of legislation and know they need to make sure they are covered. They see it as something that needs to be ticked off—once they have a programme in place, that’s that done. But risk is not something you can finish, and companies require an ongoing risk management programme. Some companies have very sophisticated attitudes to evaluating the risks they face and about how those risks factor into their business, and they will analyse that in a very technical way.
Then there is a third group of companies who are the most sophisticated of all in terms of their approach to risk. They are focused on sustainability, they are thinking about risk as more than just a piece of legislation, but in terms of the impact it has on their brand, their reputation, and their ability to attract and retain talented staff who care about these issues. These companies make the management of risk part of their DNA and they think about it from a values perspective—they are driven by the carrot not the stick.
Q: What has been the most successful approach taken by CEOs?
A: You see CEOs operating in the world today who talk about the impact that their company has on the communities in which they work. These leaders are aware that their company’s purpose is about more than just numbers, share price and maximisation of profit. They care about the impact their company has and the legacy of their tenure as CEO. They care about the happiness and satisfaction of their employees in their day-to-day work, that they feel fulfilled to work in an organisation that strives for a positive impact on the world.
Q: How does a commitment to ethics benefit a CEO and their business?
A: There is a lot of evidence that companies who run their operations on a sustainable and positive, values-based model with good corporate governance are actually more successful. They are ultimately a better run company that is likely to be more profitable. There are a lot of reasons why this might be. If they are a consumer-facing company, their license to operate in the world is enhanced by working on a values-based model, so they will attract customers by being able to promote themselves as a company that cares about important issues. Operating with an ethical business model and having good management of bribery and corruption risks minimises the chance of something going wrong and a bribery and corruption scandal arising.
Q: And how does a bribery or corruption scandal damage a company?
A: There are costs in investigating after a company first discovers the issue. These can be external costs for legal services brought in, and internal costs as staff are taken away from what they should be doing and spending countless hours working on the investigation or participating in interviews. Then there are costs if the company is under investigation by a regulatory or law enforcement body in interacting with them, negotiating with them and defending themselves during legal proceedings. There is also the cost of a legal settlement but in fact if you look at the top ten FCPA settlements, you will see that it is normal for the legal costs to equal any fine.
Then you have the cost of rebuilding the business, the damage to the brand, the loss of customers, and the risk of other litigations like shareholder class actions and competitor lawsuits. If a brand is damaged, it can take a tremendously long time to recover. There are incidents that have occurred in consumer-facing brands a decade ago that people still associate the company with today, so sales of products and services can take more than ten years to return to their pre-scandal levels.
Q: What does a good due diligence programme look like?
A: A risk assessment lets you map all types of third parties you are going to be interacting with, such as customers, service providers, joint venture partners, or merger and acquisition targets. Then you can assess what level of risk each third party poses to your company, taking into account what jurisdiction they operate in. From there you structure what level of due diligence you need to do on each third party. Then you scale up to the highest risk third parties by doing different kinds of due diligence, from desktop enquiries, to asking third parties to fill in questionnaires about their risks, to visiting the premises of third parties on the ground and having conversations with them about how they manage their bribery and corruption risk, and perhaps even building in training elements to your relationship with them.
Companies should also consider doing due diligence on some hires. So, for example if you are looking to bring in a new chairperson, CEO, finance director or CFO in a high-risk jurisdiction, you might want to do some quite detailed due diligence on them, to have the compliance officer have a conversation with them before hiring them and give some training to the successful candidate.
Q: How should technology be used in the due diligence process?
A: It is best practice to use technology because of the sheer scale of due diligence that needs to be done, particularly in large companies. It is not enough to just run a Google search; it is a great starting point, but you need to be able to sift through the quality of results you find and assess the caliber of the source material, and with Google you are mainly relying on news and blogs about companies’ behaviour.
So, it is important for an effective due diligence programme to use a service which offers access to information like Politically Exposed Persons and sanctions databases. Depending on how many third parties a company deals with, it can be hugely valuable to use a technology platform to manage a large caseload, and there are a lot of platforms these days that allow ongoing monitoring, so you can continue to refresh your third party due diligence thoroughly, accurately and on an ongoing basis.
Q: What about human rights risks?
A: We believe the fight against corruption is a human rights issue because very often corrupt conduct involves human rights abuses. Screening for human rights abuses should be incorporated into third party due diligence and done in a similar way to evaluating your bribery and corruption risk. So, you might look to do site visits to third parties working in an industry with a lot of employees at a low level of technical skills in a high-risk jurisdiction for modern slavery issues.
Q: What are the main trends that you have noticed in bribery and corruption?
A: Bribery and corruption is not a static environment. Risk continues to evolve, and criminals are creative individuals who will continue to come up with ways to tackle the system. In a game of chess, it is not only the white pieces that move but also the black pieces, so you cannot simply set up a programme and think you have covered all risks because these will evolve.
Technology is the main area where things are changing, and it both challenges and helps companies as they try to tackle bribery and corruption. Technology is clearly being harnessed by criminals and technological advances are leading to additional ways to perpetrate corruption. Technology is also making it harder to detect corruption when you look at the use of encrypted messaging systems and Snapchat where things aren’t backed up. So, there are definite risks caused by technology which are on the rise.
Another trend coming out is that there is constant pressure on compliance departments to manage risk as cost effectively as possible, but at the same time with increasing accuracy and sophistication. Part of this pressure comes from the mistaken view from executive leadership that this is a risk that can be covered off and finished. That means technology is a hugely vital tool to tackle some of that pressure on compliance teams.
Q: Why is it important that businesses seek to earn the trust of their customers and investors?
A: Trust is essential in any relationship in life for it to be successful. Organisations are not machines, they cannot be engineered - they are collections of people. So internally there needs to be trust within a business. Likewise, your customers are individuals. Relationships are vital to successful business and trust is vital to successful relationships.
I think people are forgiving of companies and the evidence suggests that if a company finds themselves involved in a bribery incident, they will not automatically lose the trust of their customers and the public if they can demonstrate this is aberrant behaviour, that it is not condoned by the organisation, and that they are actively taking steps to address and fix the problem so that it doesn’t happen again. People will be forgiving of a business provided there is a clear plan and a roadmap for remediation and prevention.