Designing a state-of-the-art anti-bribery and anti-corruption program and impressing on everybody in the company to comply with it doesn’t mean the program works.
To ensure your business is meeting authorities’ expectations, you must test whether the efforts you have in place are effective, said Matt Queler, a principal in Deloitte’s financial advisory services and a former assistant chief in the US Department of Justice’s Foreign Corrupt Practices Act unit.
Take hotlines, for example, Queler said. Multinational companies set them up for employees to report problems, but that doesn’t ensure they’re effective. A company that tests how well its hotline works might be concerned and could take remedial steps if it had 20,000 employees in a particular location and none of them ever called the hotline.
Third-party due-diligence assessments are another example, he said. To ensure contractors, suppliers, and vendors that pose a corruption potential are flagged, multinationals should review whether the people doing the due diligence are effectively assessing third-party bribery and corruption risks.
“The companies that are testing the effectiveness of their program … are better able to detect and prevent future misconduct,” Queler said. “They’re better able … to deter people from ever engaging in the conduct in the first place.”
Improving the effectiveness of your anti-bribery effort
Do you understand the bribery and corruption risks specific to your industry, geography, business structure, business partners, and level of government oversight?
And have you installed clear policies, procedures, and financial controls tailored to those risks?
Then consider these four insights suggested by Queler and the Ethisphere Institute, a US research organization focused on corporate compliance and ethics, to improve the effectiveness of your efforts in preventing corruption and bribery:
Beware the tone in the middle
It’s not enough for senior managers to create a culture that doesn’t allow bribery and corruption. Middle managers must be held accountable for fully implementing compliance efforts because most compliance risks arise at this level.
Ensure the compliance function has independent authority
Assign responsibility for anti-corruption compliance to senior-level representatives who have independence, authority, and adequate resources.
Customize training in high-risk markets
Regular training for all employees isn’t enough. Provide specialized training for employees in high-risk markets or business units and require that high-risk business partners also receive training.
Test for effectiveness
Due-diligence reports and other data generated by monitoring a compliance program can be used to assess, for example, whether employees call a hotline to report problems or whether third parties made the right hiring choices.
Data analytics allow companies to dig even deeper and identify problems that might otherwise have been missed, such as potentially fraudulent sales practices.
Many forward-thinking companies are using advanced data analytics to make sure their compliance systems are working.
For example, Queler said, companies can monitor hotline reports from all over the world to determine the promptness of responses and whether people are comfortable calling the hotline and unafraid of retaliation.
A company that reviewed and approved 200 third parties can monitor the performance of those third parties and use data to assess whether the right decisions were made on whether to hire the third parties.
Banks and financial institutions are using analytics to identify potentially fraudulent practices within their sales teams, such as rewards for opening accounts that may be abused by taking advantage of unwitting customers.
The largest companies that face the most substantial risks need to understand where their biggest areas of risk are, Queler said. Most of the largest multinational companies have a plan for testing certain aspects of their program every year.
“They may not test everything every year, but they’re going to test certain aspects,” he said. “And it’s going to be in a risk-based, thoughtful way, and they’re going to [test] their highest-risk areas most often, and they’re going to [test] their lesser-risk areas less often.”
It’s impossible to prescribe exactly the right testing and monitoring regimen, he said, because every company is different and faces its own unique risks. But finding the right way to test and monitor risks is critical.
“There is no one right answer, except to say that depending on your risk and your resources, having some testing and some monitoring is considered very, very important to an effective compliance program,” Queler said.
About the author
Sabine Vollmer is an FM magazine senior editor.
Copyright © FM Financial Management. All rights reserved
This article first appeared in FM Financial Management, which is published by the Association of International Certified Professional Accountants. The AICPA combines the strengths of the American Institute of CPAs (AICPA) and the Chartered Institute of Management Accountants (CIMA).