Based on a review of compliance and ethics program ...



PREVENTING CORRUPTION: AN EFFECTIVE COMPLIANCE AND ETHICS PROGRAM

By Joseph E. Murphy, CCEP

For companies determined to prevent violations of anti-corruption laws it is necessary to have a focused approach to the task. This takes a strong commitment by management to do the right thing and to prevent wrongdoing, and sound management steps to make that happen. This commitment is what is known as a compliance and ethics program.

Compliance with laws against corruption is one area where faint-hearted efforts will likely fail. These laws are designed to prevent bribery and corruption; by their nature corrupt acts are not much affected by mildly phrased codes of conduct and lectures by lawyers. Bribes are deliberate acts by those who know what they are doing is wrong, sometimes abetted by naïve employees or those who choose to turn a blind eye. Any compliance and ethics program must educate and motivate, but also must be aggressive in addressing the motives and means for committing crimes. Training is certainly necessary, but do not depend on it to make dishonest people suddenly honest. Also, do not overlook senior management. Even the most senior officers can commit crimes, and their words and actions can certainly set the tone for employees around the world.

There is a substantial amount of literature on the area of compliance and ethics programs in general, as well as coverage of anti-corruption programs in particular. What follows here is a brief overview of points for a compliance and ethics program. These steps, taken together and intelligently applied, can help drive a corporate culture that says the company will only conduct business ethically and legally. This overview is based on a review of compliance and ethics program standards globally and the author’s experience in various types of programs:

1. Risk assessment. Periodically assessing the risks of bribery occurring, and allocating appropriate resources based on that assessment. Risk can be affected by the location of the business activity and the nature of the industry, but bribery can occur anywhere. Risk assessment should consider the likelihood of a violation occurring, and the impact if one does. This is not a one-time event; each day the business press reveals new risks and new enforcement initiatives. For new business activities such as acquisitions, joint ventures, and activities in new markets, require a risk assessment and management plan as a condition for going forward; the plan would assess the compliance risks and detail how each risk would be met.

2. Standards and procedures. Standards and procedures designed to prevent and detect bribery. Standards include codes of conduct and organizational policies including values. Procedures include internal controls to prevent or reduce the risk of bribery. Written guides need to be employee-friendly, and provide useful advice for those confronted with difficult circumstances. They should include a commitment to values and ethics – more than just a simple direction to follow the laws. The best codes and guides are those that reflect input from all parts of the business. Internal controls need to be designed to ensure that no one individual has unlimited power anywhere in the world. If there is one local corporate potentate who controls all the information and activities in any corner of the world this is a prescription for corruption. Internal controls can include such things as multiple signature requirements, mandatory vacations away from the work location, and legal reviews required for certain categories of activities.

3. Chief ethics and compliance officer. Having a senior compliance and ethics officer responsible for the compliance and ethics program who is independent, empowered, professional and participates in senior management decision making. This officer, the Chief Ethics and Compliance Officer (“CECO”), is the key to any program’s success. Whether the question is the amount of compliance resources, commitment by other executives, or rigor in enforcing the rules, if there is not this high-level champion of compliance the compliance effort will be seriously imperilled. This officer needs to be a member of the senior management team and a player in all the key decisions, but with enough power and independence to be able to say “no” when necessary. The CECO should be professional in approach; SCCE’s Code of Professional Ethics for Compliance and Ethics Professionals sets a good standard for any CECO and his/her staff. Combining the CECO position with another role, like general counsel, head of Human Resources, or head of administration, will likely compromise the independence and professionalism of the officer. Except for small companies where a combination of functions is necessary, the CECO needs to be focused on the difficult compliance and ethics mission.

4. Supervision by the board. Supervision of the compliance and ethics program by the highest governing authority of the organization or an appropriate subgroup of that authority, including required direct reporting by the CECO and control over that officer’s appointment and role in the organization. This is necessary to assure the CECO’s empowerment and independence, as well as providing the board or other governing body with the means to oversee the compliance effort directly. There should be no filtering of this reporting relationship, and there should be reviews by the board or a board committee in executive session with no other company managers or officers present. One way to strengthen the board’s ability in this area is to recruit as a board member a CECO from another company.

5. Active senior management support. Active senior management participation in and support of the compliance and ethics program. Employees can usually detect what is serious and what is not in a company. If the CEO and other leaders merely mouth the words but do not really care, employees typically know. Executive steps like being the first to take the compliance training, calling field managers to ask what they are doing to promote the compliance and ethics program, and rewarding those who speak out on questions of right and wrong are all much more effective than merely signing the “standard” CEO statement on bribery.

6. Program infrastructure. Having appropriate resources and infrastructure for the program, so that the CECO can operate effectively, and the program has an effective presence in all parts of the organization that are at risk. In headquarters there should be an interdepartmental compliance and ethics committee to support the CECO. There should also be someone with expertise in anti-corruption laws and knowledgeable about compliance programs in that risk area. But it is especially important that the program have real presence in the field, with particular focus on high-risk areas. If a company is pursuing business in a country with a high corruption rating from Transparency International, it needs a field compliance and ethics professional in that location, with a reporting relationship to the CECO.

7. Diligence in hiring and promotions. Diligent personnel practices, including measures to prevent delegation of authority to those likely to engage in bribery based on prior criminal conviction or conduct inconsistent with the organization’s code of conduct. Background checks should be conducted based on the risk involved in each position being filled. When new managers are being selected or promotions are being planned, each person’s commitment to compliance and ethics should be a factor in that determination. Leadership in the compliance and ethics program should be a plus factor.

8. Training and communications. Providing ongoing effective and results-oriented communications, including practical training and other guidance, for the highest governing authority, senior management, and all other managers and employees who may participate in or be in a position to become aware of bribery. The training and communications needs to be ongoing and memorable. The ready availability of online training means it is now possible to train employees around the world on very short notice; there is no longer an excuse for sending employees to other countries without training. Intensive, on-site, small group live training presented by an expert is essential for high-risk personnel. There is a great variety of training and communications devices available, including web sites, written Qs and As, company newsletters, company social networks, e-newsletters, podcasts, and management meetings. Anti-corruption messages can also be embedded in other business training.

9. Actively managing third party risks. Systems to address the risk of dealing with third parties, including due diligence in retaining and monitoring such parties, and requirements that such third parties institute effective anti-bribery compliance and ethics programs. Third parties represent a great risk in preventing corruption. Selection of third parties needs to be diligent. At least in high risk areas if not in all cases, the selection should be reviewed by the legal and/or compliance and ethics department and not left solely to those whose sole objective is to make sales or complete transactions. Contractual arrangements with the third party are a crucial focus, but this is not sufficient in itself. Agents and others acting for the company need to be trained on the rules against bribery. It is best if any third party has its own program against bribery; larger companies could assist their agents in developing such programs. Third parties and any employees acting for the company should have access to the company’s reporting system.

10. Auditing, monitoring and reviews. Auditing, monitoring and other review processes designed to detect bribery. It is not enough just to write codes and present training. Companies need to be vigilant in determining what is actually happening on the ground. This is more than financial auditing; the standard financial audit is not designed to assure the absence of corruption. Typically the focus of financial audits is material weaknesses and the fairness of financial statements. Bribery can fall below this level and still be very dangerous. Moreover, not all auditors have training in forensic matters. Companies should plan and implement an auditing, monitoring and review program that is based on the degree of risk, and is designed to ferret out wrongdoing.

11. Measuring the program. Systems to measure compliance and ethics program performance and effectiveness. Companies should be checking to determine if their programs are actually working and meet appropriate standards. There is a broad range of measurement devices, ranging from audits and monitoring, to deep dives, surveys, focus groups, exit interviews, statistical analyses, and individual employee interviews. If a company is doing business in high risk areas members of the compliance and ethics team should be there, on the ground, testing to see if the program is working. The board of the company should ensure it is satisfied with the level of review, and should from time to time retain outside experts for an independent assessment.

12. Reporting and advice systems. Systems for employees and agents to obtain advice and to report any suspicion of bribery without fear of retaliation and without first having to raise these issues with their supervisors, and for such reports to be acted on promptly and effectively. It is especially important for compliance and ethics professionals to be sceptical of all the imaginative excuses for resisting such systems. The reality is that there is no place on earth where people like whistleblowers. But in every society there are ways to implement such systems that will maximize their chances for success. Generally, such systems are least effective where: 1) employees do not trust management; 2) employees think nothing will happen; 3) there is a high risk of retaliation and no one believes retaliation is ever punished; and, 4) the reporting system is answered in a foreign language and/or in another country. There are many ways to establish effective systems that are culturally sensitive, such as: a) a trusted and independent ombudsperson; b) a telephone helpline; c) an online anonymous system; d) email; and, e) a local compliance and ethics person who is respected. But there should never be a situation where employees have no choice but to go through local management to raise issues and obtain advice.

13. Discipline and incentives. Discipline, incentives, rewards, and employee evaluation and promotion systems designed to: a) deter bribery; b) deter failure by management to take steps to prevent and detect bribery; and c) promote ethical behaviour and a culture that opposes bribery. Violations need to result in discipline, and the higher up someone is, the stronger the discipline needs to be. Discipline should also be directed at managers who fail to take steps to prevent and detect possible violations. Retaliation and threats of retaliation merit severe discipline. The incentive system also needs much attention, because it can either drive improper behaviour, or help focus employees on doing the right thing. In addition to rewarding those who make sales and close deals, those who champion ethics and compliance should be rewarded as well.

14. Responding to violations. Responding reasonably to violations, and allegations of violations, by conducting investigations professionally and enhancing the program to prevent recurrence of violations. The investigation process needs to be independent of those being investigated, and protected from executive level pressure. Steps should be taken to determine while violations occurred and how to prevent recurrence. Publicizing actual disciplinary cases (while shielding individual identities) has been a very effective technique for companies.

15. Improving the program. Ongoing efforts to keep the program diligent, and at least as good as industry practice. Compliance and ethics programs are intended to prevent all types of misconduct, including the crime of bribery. But people who engage in crimes can be very clever in finding weaknesses in any system. Thus the efforts to prevent and detect misconduct need to keep evolving in their effectiveness and diligence. There is a great deal of information available about compliance and ethics programs, and professionals in this field have traditionally been very open in sharing their experiences and resources. For example, the SCCE provides a wealth of resources and contacts in this field, including opportunities to share with others. See .

16. Documenting the program. Keeping the program sufficiently well documented to demonstrate the organization’s diligence. If it is ever necessary to convince enforcement authorities that a company was serious about preventing wrongdoing, the burden of proof will likely be on the company. It is important to document all the steps in the program for this purpose. For example, there should be due diligence files on agents and other third parties. While no enforcement authority will accept a mere “paper program,” even the most diligent program needs to be documented to prove that it actually was in effect.

Each of these elements is important for the effectiveness of a compliance and ethics program, and together the elements tend to reinforce each other. Chief among these, however, is the active commitment of senior management, and having a senior officer fully empowered to implement the program (the CECO). If management is indifferent, or the person responsible for the program is too junior or isolated to be effective, the risk of failure is greatly increased.

Some Additional Resources

Compliance and Ethics, magazine published by SCCE.

Ethikos, bi-monthly compliance and ethics journal, .

Kaplan & Murphy, Compliance Programs and the Corporate Sentencing Guidelines (Thomson/West; 1993 & ann’l supp.)

Murphy, 501 Ideas for Your Compliance and Ethics Program (SCCE; 2008).

Society of Corporate Compliance and Ethics (), a membership organization for compliance and ethics professionals worldwide.

SCCE, Code of Professional Ethics for Compliance and Ethics Professionals,

These are publications in which the author has an interest, or which are from SCCE.

Joseph E. Murphy, CCEP

Director, Public Policy

Society of Corporate Compliance and Ethics

30 Tanner Street

Haddonfield, NJ 08033 USA

1 (856) 429-5355

JEMurphy@

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download