Many companies in Asia are not sufficiently prepared to manage a potential fraud or corruption allegation, finds a report from Kroll Advisory Solutions.
According to the third perspective in the firm’s Complying with Global Anti-Corruption Legislation: Perception Versus Reality campaign, supported by the Hong Kong Corporate Counsel Association (HKCCA), Asian companies should establish a clearly-defined and formal response plan which enables managers to quickly and effectively assess any allegations made and determine the appropriate action.
Few companies in the region currently have such a response plan in place.
This is surprising, when considering the results of the 2012/2013 Kroll Advisory Solutions’ Global Fraud Report, which identified that 70.2% of Asia Pacific companies believe they are slightly to highly vulnerable to corruption and bribery.
Despite this figure, Asian companies that fall within the FCPA and UK Bribery Act requirements, just under a half of them (48.7%) have made a thorough assessment of risks arising from the enforcement of the UK Bribery Act and/or US Foreign Corrupt Practices Act (FCPA), and have set in place a monitoring and reporting system to assess on-going risks.
Worryingly, over a half of the respondents (51.3%), believe their systems are not sufficient or simply do not know.
“In Asia, internal compliance and legal teams are often not suitably staffed or experienced to handle a serious whistleblower allegation, and they don’t always know what to do when accusations are made,” says Penelope Lepeudry, Managing Director Southeast Asia for Kroll Advisory Solutions in Singapore. “Investigations are highly complex procedures which require specialized skills as well as technological support, which most companies simply don’t have. Given the potentially high cost should a violation be discovered by regulators, organizations need to quickly determine a course of action.”
According to Kroll, the first step of any formal response plan is to convene a small committee of appropriate key leadership comprising of management, general counsel and compliance officers to discuss the credibility of the claim and determine whether a formal investigation is required. This decision should be reached within 24 hours of the allegation.
The committee must preserve any evidence of wrongdoing within this period, and news of the situation should be limited to as small a circle as possible. The committee should consider the immediate suspension of the individual or parties accused, limiting access to company systems and networks and, therefore, their ability to destroy or remove important documents.
Companies should not terminate suspected individuals, of course, as the allegation may be untrue. Furthermore, if the allegation is found to be true, the individuals need to be available for further investigation.
Assuming the company is aware of the identity of the whistleblower, it should let them know that their allegation is being addressed and taken seriously. This is important, as whistleblowers may report the incident directly to regulators under the Dodd-Frank or Consumer Protection Act for potential personal reward.
Should the committee decide the allegation has merit; the second step is to conduct a comprehensive internal investigation. While the company may have the ability to conduct this in-house, it is advisable to bring in outside experts. In this way, the company will have access to specialist investigative systems and tools and, if the allegation is proven true and the company decides to self-report, the regulator will almost certainly insist on an independent investigation, which will increase the costs.
Who to hire becomes the next question. The best approach is to engage external legal counsel, who then hires a suitable independent investigator; thereby extending attorney-client privilege to all three parties.
Upon engagement, the investigator will undertake a variety of tasks to garner information, including interviewing employees; identifying non-employee witnesses; analyzing critical documents; use computer forensics to examine electronic documents and communication data; and review weaknesses in internal compliance control procedures. They will also red flag suspicious payments or conflicts of interest. The findings of these investigations are then analyzed to determine whether the allegation has substance.
The final step is reporting to authorities.
Companies that have uncovered an FCPA or UK Bribery Act violation then face a critical decision – whether to self-report to regulators. While the US Department of Justice has clearly stated that companies who do self-report will be treated “favorably”, companies - understandably - remain reluctant to self-report corrupt practices. However, given the increase in scrutiny on the region and the incentives now offered to whistleblowers, the likelihood of a violation being uncovered is high.
“Each company must use its own judgment and weigh up the advantages and disadvantages of reporting wrong-doing,” adds Lepeudry. “Of course, a far better option is to ensure there are processes in place to reduce potential risks in the first place. ‘Be prepared’ is the best advice for corporations operating in Asia in the current regulatory environment.”