A joint effort between Kroll and Compliance Week
Table of Content
All voices in the compliance community say that bribery and corruption are significant risks for modern global corporations, but the findings of the Anti-Corruption Benchmarking survey paint a markedly different picture of how much compliance officers take that message to heart. Consider the following results drawn from this survey:
Each of those statistics alone is unsettling. Taken collectively, they (and many more statistics discussed later in this report) give rise to the idea of two groups in modern global business: large corporations headquartered in the United States, that take anti-corruption compliance programs seriously; and corporations that are smaller ($1 billion or less in annual revenue) or based elsewhere in the world, that worry about bribery and corruption much less.
To some extent that gap can be explained. Larger companies deal with more third parties and have more complex business systems; businesses based in the United States face vigorous enforcement of the Foreign Corrupt Practices Act. But those two realities cannot explain all of the gap, and comments from survey respondents (samples are on Page 21) add anecdotal evidence that, yes, considerable portions of the corporate world still do not take anti-corruption programs too seriously. In the words of one chief audit executive at a small financial services company: "Enforcement is weak and takes forever, and nobody goes to jail or is personally financially affected. The company's clients pay for anything."
Still, while those different attitudes about anti-corruption compliance do exist, they are not gulfs; for every one overseas company that doesn't bother with anti-corruption training at all, four others do. Most companies do try to accomplish the basic tenets of anti-bribery and corruption compliance—understanding the applicable laws, conducting a risk assessment, training employees and third parties, auditing adherence to policy—but they still struggle with the execution of those tasks.
To explore each of those basic elements, this report is divided into four sections: risks, due diligence, third parties, and effectiveness.
Risks. Forty-three percent of respondents say their bribery and corruption risks have increased in the last two years, and another 39 percent say those risks have remained mostly the same. Only 7.7 percent say their risks have actually fallen.
More interesting are predictions about future corruption risks; exactly half say they expect those risks to rise in the next 12 months, and half do not. A deeper analysis shows several divides. More large companies expect corruption risks to rise than small ones (54 percent to 41 percent), as do more North American companies than overseas businesses (53 percent to 41 percent). The single most common reason given for increasing risks was expansion into new markets, followed by more vigorous enforcement of current anti-bribery laws. Tellingly, 62 percent of overseas companies cited more vigorous enforcement as a main driver of risk, while only 55 percent of North American companies did—suggesting that North American respondents already believe anti-corruption enforcement is running at full steam.
The good news is that 57 percent of respondents say they conduct an enterprise-wide assessment of bribery and corruption risk annually. The bad news: the other 43 percent conduct such an assessment less than once a year, and 16.9 percent say they’ve never conducted a corruption risk assessment at all.
A solid majority of companies also say they have some sort of documented approach to managing bribery and corruption risks; 37.7 say they have a “well-defined, documented process dedicated solely to global bribery risks,” and another 42.7 percent say they treat corruption risks as part of a larger documented process to address all compliance risks.
Due diligence. Respondents seem to have a solid understanding of performing due diligence on third parties or acquisition targets. Fully 87 percent perform at least some sort of due diligence on third parties, and the criteria that help a compliance department decide how much diligence to perform generally seem risk-based. The top criteria were, in order, the nature of the work a third party would provide; the amount of contact the third party has with foreign officials; and where the third party is domiciled.
The tools that companies use for due diligence are also standard-issue for modern compliance departments: certifications from the third party that it has no corruption problems (75 percent); reviews by your company’s legal or finance team (65 percent); and data collected by your local business-unit leaders (65 percent). Reference checks, on-site interviews, and research from professional investigators were some of the less-used techniques. As further explored on Page 14, however, smaller businesses seem to use almost every due diligence technique (other than reference checks) less often than large companies do.
Third parties. Many respondents seem to be struggling with ongoing anti-corruption monitoring and training for their third parties. Forty-seven percent say they conduct no anti-corruption training with their third parties at all, and the numbers are worse for companies based outside of North America (51 percent) or smaller companies (55 percent).
The efforts companies do take to educate and monitor third parties are somewhat pro forma. More than 70 percent require certification from their third parties that they have completed anti-corruption training; 43 percent require in-person training and another 40 percent require online training. Large companies require training considerably more often than smaller ones, although when looking at all the common training methods, fully 100 percent of respondents say their company uses at least one method, if not more.
Effectiveness. For all a company’s efforts at risk assessment, due diligence, and monitoring third parties, the ultimate question for a compliance officer is simply does my system work? Questions about effectiveness, therefore, get to that core issue of whether all the compliance activities outlined above actually make the business less vulnerable to corruption risk.
Answers here fell along similar lines to companies’ perceptions of risk: smaller or non-U.S. businesses, which were less likely to expect rising bribery or corruption risks in the future, were also more likely to deem their compliance programs effective. Large North American companies, which were more likely to say their corruption risks will be rising, also had the most worry about how effective their compliance programs truly are.
Respondents’ confidence in their anti-corruption procedures depended on how close to home the tasks actually are. Seventy-three percent rated their training of domestic employees as “effective” or “very effective.” That figure dropped to 63.8 percent for foreign employees, and only 30 percent for third parties.
Lastly, the most significant event in anti-corruption compliance to happen in 2012 was the publication of long-awaited guidance from the Justice Department and Securities and Exchange Commission on effective compliance with the Foreign Corrupt Practices Act. So we asked survey takers: was that guidance any help?
Nearly 53 percent rated the guidance as “a good read, but it didn’t tell me anything new.” Another 23.5 percent deemed it very helpful, 18.8 percent didn’t know, and 4.6 percent said the guidance actually left them more confused.
Who Took This Survey
“If you’re a global company, I can’t see any reason why you would not do everything in your power to have an anti-bribery program and to drive that through your organization as best as you possibly can to mitigate any potential bribery.”
- Michael Varnum, Managing Director for Kroll
Compliance officers are a house divided in their perceptions of bribery and corruption risk. Respondents split exactly even on the question of whether their risks are likely to increase in the next 12 months: 130 responses yes, 130 responses no. The group believing that risks will increase cited multiple reasons, although the biggest single factor was planned expansion into new markets. (Not surprisingly, that was also the same reason why a plurality of respondents said their risks had increased in the previous 12 months as well.)
The divisions, however, go deeper than that. When you compare smaller companies to larger ones, or those headquartered in the U.S. versus those elsewhere around the globe, more cracks in the consensus emerge. Larger businesses are much more likely to predict more risks coming soon than their smaller brethren (54 percent to 41 percent), as are the U.S. businesses compared to overseas businesses (53 percent to 41 percent).
To some extent these divisions have natural causes: larger businesses have more complex operations; North American businesses face the most rigorous anti-bribery enforcement from their regulators. Still, when you consider these gaps in tandem with the gaps respondents showed in the effectiveness of their compliance programs (discussed in Section 4 of this report), one cannot help but wonder whether middle-market and overseas companies underestimate the corruption risks looming in front of them — either because opportunities for corruption will increase, or because the companies’ abilities to fight those risks aren’t as good as some compliance executives believe.
Another potential sea change in companies’ anti-corruption risk is the proliferation of anti-corruption laws outside the United States. Most notable is the U.K. Bribery Act, but similar laws in Russia, Brazil and elsewhere are coming onto the books.
“I think the number of bodies that are looking at this as a serious problem has grown over the years, and it’s led by organizations like Transparency International and OECD,” says Michael Varnum, managing director for Kroll Advisory Solutions. “The problem is going to be there, and I think what’s going to happen is corporations are going to be compelled to look at it, and I think they will.”
Somewhat comforting news: a solid majority of respondents do conduct an enterprise-wide assessment of corruption risks annually, as do majorities for small companies, large ones, U.S.-based or overseas. Still, a considerable fraction turn their attention to anti-corruption much less often; 16 percent of respondents at large companies admitted they do no such assessment at all.
Revising anti-corruption guidance has been cited “as slowing [enforcement] up a bit,” Varnum says, but he warns that nobody should take anti-corruption compliance lightly: “If you’re a global company, I can’t see any reason why you would not do everything in your power to have an anti-bribery program and to drive that through your organization as best as you possibly can to mitigate any potential bribery.”
“At the end of the day, you have to know who you’re doing business with.”
- Lonnie Keene, Managing Director, Kroll
Given the proliferation of bribery and corruption risks (as discussed in Section 1), the mantra among compliance professionals is that due diligence—on customers, new acquisitions, and business partners of all stripes—is an absolute necessity; the phrase is a cornerstone of every best practice uttered about modern compliance programs. So what does “due diligence” actually entail?
The good news is that more than 87 percent of all respondents perform some sort of due diligence on their business partners, and similar large majorities hold true for smaller businesses and those domiciled overseas. Still, the average respondent reports that his/her company conducts business with more than 3,500 third parties, so adopting a risk-based approach to due diligence is critical.
Compliance departments seem to be doing just that. When asked about the importance of various criteria to determine how much due diligence is necessary, respondents ranked a third party’s interactions with government officials as “important” or “very important” more than 93 percent of the time; second was the nature of work a third party will perform, which also scored more than 90 percent. Where a third party is based and its score on various anticorruption indices were also top answers.
Fair enough—but what tools and techniques are compliance departments actually deploying? Smaller businesses seem to rely more on self-reported certifications from third parties and references from trusted sources or U.S. government agencies. Larger companies are more likely to use dedicated investigators, information collected by local business units working closer to the third party, and reviews by their own corporate legal, accounting, or finance departments.
“At the end of the day you do have to know who you’re in business with,” says Lonnie Keene, managing director for Kroll Advisory Solutions. “That is not a function of just geography, but a range of other factors” such as the nature of the work a partner does or who its senior executives are. Regulators expect due diligence efforts to be commensurate with the risks posed by a corporation’s size, location, nature, and volume of the business, Keene says, so not every business needs to perform exhaustive due diligence on every third party. Still, that leaves smaller businesses in an awkward dilemma of getting due diligence done effectively.
“There’s a risk there,” adds Varnum. “If you look back at all of the enforcement actions that have happened over the last few years, whenever there has been an enforcement action, it really always has come back to a third party.”
Little surprise, then, that most companies (79 percent) will drop a potential third party even upon rumor of bribery without any hard proof. Other common reasons a business partner might flunk the due diligence process: executives at the partner were politically exposed persons or the third party had a history of litigation.
“We’re planning to extend our third-party compliance program to include suppliers and vendors. Previously we only included sales agents, distributors and freight forwarders. We’re also intending
- Compliance manager, $3 billion industrial manufacturer
“Lots of companies have very good intentions of thoroughly looking at their third parties. But ultimately you don’t have the resources to look at every single one.”
- Violet Ho, Senior Managing Director, Kroll
Performing due diligence to find reliable business partners is one task, as discussed in Section 2. Training third parties on your anti-corruption program and monitoring their adherence to it is quite another, and apparently one with some alarming shortfalls.
An astonishing 47 percent of all respondents said they conduct no anti-corruption training with their third parties at all. The numbers are even higher for companies based outside of North America (51 percent) and those with less than $1 billion in annual revenue (55 percent).
Training is one of the hallmarks of an effective anticorruption program. “Particularly important is the communication of relevant policies and procedures to the company’s employees, and where appropriate, third parties and business partners. Companies that conduct no anti-corruption training with their third parties are missing an opportunity to ensure that the third parties understand and appropriately implement the company’s anti-corruption policies and procedures.” Keene says.
Violet Ho, senior managing director for Kroll’s practice in greater China, is not surprised by the 47 percent statistic and speculates that in Asia specifically the percentage is probably higher. Corporations often don’t even know how many third parties they use, which makes training all of them impossible. Moreover, corporations typically have much less bargaining power with third parties, especially when they are located in far-flung jurisdictions. The result: if a company is using only one vendor to source an item and asks that vendor to promise to follow some anticorruption code of conduct, the vendor feels emboldened to refuse.
“A lot of companies have very good intentions of doing a thorough job looking at their third parties,” Ho says. “But ultimately when you are a very large organization with more than 10,000 vendors, it’s not financially viable. You do not really have the time or resources to look deep into each and every one of them.”
Trying to reach all third parties with a generic, headquarters-issued policy is a waste of time and money, Ho says. Such policies tempt employees and third parties to find loopholes, and they ignore important regional differences. On-the-ground workers, Ho says, are focused on revenue and profit, not compliance. Those goals aren’t mutually exclusive, but they do require coordination for a policy’s effective implementation—which adds all the more pressure on compliance officers to articulate why strong anti-corruption programs are good for business.
“Maintaining the independence of the authority of compliance, but also having an open mind and listening to the local business folks about what they’re seeing in their specific market, that’s critical,” Ho says.
Keene suggests that all companies, regardless of size, take a risk-based approach to managing their third-party anticorruption training program. Whether using a multi-pronged approach, or relying on certifications, the company’s training and third-party communications program should be proportionate to the corruption and bribery risk faced by the company.
For companies lacking the resources to monitor third parties, Ho advises an incident-based approach. When a problem emerges, investigate thoroughly, seek the highest level of disciplinary action possible, terminate a third party in violation, and publicize it to other employees and third parties as an example of why they need to comply. “You’re not going to catch everything,” she says, “but an incident-based response and investigational approach will sometimes give you a lot of leverage in terms of managing staff and third party risks.”
“The challenge is you should be collecting that data on the problems that you find and then figure out ways of addressing those problems. People don’t necessarily pay attention to that back end.”
- Melvin Glapion, EMEA Managing Director, Kroll
Is your anti-bribery and corruption program effective? Can you demonstrate that effectiveness to regulators in the event of an investigation? These two questions are ultimately the most important that compliance executives must be able to answer.
To no surprise, compliance officers are more confident that their anti-bribery efforts work among their domestic employees: 73 percent rated their procedures for training domestic employees as effective or very effective. That figure dropped to 63.8 percent for overseas employees, and 60 percent for vetting third parties before establishing a business relationship. Confidence plunged, however, when asked about other anti-bribery tactics. Monitoring compliance after a third-party relationship begins, auditing third parties, training them on antibribery policies and procedures none of those totaled even 40 percent for “effective” or “very effective.”
Melvin Glapion, Kroll managing director in EMEA, calls this the “downward and outward” problem: companies overestimate how seriously messages sent from corporate headquarters are received elsewhere. Cultural differences abound, and many employees don’t see how anti-bribery policies apply to them in their daily jobs. Worse, the person doing compliance checks is often less senior than the executives he or she is monitoring.
Companies with less than $1 billion in revenue were actually more confident in their procedures’ effectiveness than larger businesses, the survey showed. (Example: 55 percent reported effective or very effective procedures to track payments through intermediaries, versus 33.5 percent of larger companies.) Glapion says that may be because smaller organizations have less bureaucracy and fewer third parties, or they may feel that they are “not necessarily in the firing line.”
Regardless of size, Glapion stresses, businesses won’t be able to deem their anti-bribery efforts effective unless they have a centralized program that documents their efforts, monitors compliance, and reacts to the data collected.
Monitoring and tracking compliance is not without cost, but Glapion cautions that skimping on those efforts is a “false economy.” He warns that even those conducting annual assessments of anti-corruption risk (let alone the 16.5 percent who say they never do such an assessment) aren’t going far enough; he recommends quarterly reviews of collected data. That gives a company the opportunity to correct problems within the company’s control or to sever relationships when the problem is outside its control.
The Compliance Week-Kroll Anti-Corruption Benchmarking Survey was drafted by senior Compliance Week editors and Kroll managing directors in January, and then pushed out to an audience of seniorlevel corporate compliance officers worldwide from Feb. 28 through March 22, 2013.
The survey produced 286 responses. Any submission where the respondent’s title was not directly related to corporate activities (“partner” or “administrative assistant,” for example) was excluded from the data analysis. The result was 260 qualified responses from senior-level executives working in ethics, compliance, or anti-corruption somehow. Of those 260 respondents, 31.2 percent held the title of chief ethics & compliance officer, followed by director of FCPA compliance (11.9 percent), and then chief audit executive (9.2 percent). A wide range of other titles then trailed behind, all of them somehow related to compliance or anti-corruption activities.
The survey also went to a wide range of industries. Of the 260 qualified responses, the single largest industry group was financial services (11.2 percent), followed by energy & utilities (10.4 percent), and industrial manufacturing (10 percent). A total of 16 different major industries was represented in the data pool.
Median revenue of the 260 qualified respondents was $3.53 billion, median worldwide employee headcount was 9,630.
This was a self-reported survey from Compliance Week’s audience of ethics & compliance professionals, and Compliance Week did not attempt to verify or audit the data reported by survey-takers.
Q: Have you re-engineered your anti-corruption program to be less country-specific, and more global in scope?
“Our approach is to comply with the most stringent regulation and not piecemeal it by country. A country-by-country approach may create a perception of exceptions to the rules, which some employees may misconstrue.”
—$200 million energy trading business
“Our program has been set with the U.K. Bribery Act as its baseline, and to date no other legislation in countries where we operate has had a higher standard that would require revisions to the program.”
—$2 billion insurer
“Nope. Our hands are full with what we’ve got.”
—$150 million aerospace business
“Not really. Enforcement is weak, takes forever, and nobody goes to jail or is personally financially affected. The company’s clients pay for anything.”
—$250 million financial services business
“As a company with headquarters in the European Union, we are definitely structuring our program to be more global and country-neutral in scope.”
—$5 billion healthcare business
“We are definitely more global, but focus on known high-risk areas, and adding more forensic testing.”
—$13 billion electronics manufacturer
Q: Has the focus of your compliance program changed in the last 12 months?
“Yes. We’ll be performing our first risk assessment in this area.”
—$3 billion telecom equipment company
“The most important guidance to us in the last 12 months was the Morgan Stanley case and the clear value of repeated and documented employee training and communication. We are focusing efforts in that area.”
—$10 billion insurance firm
“We’ve taken a programmatic approach to develop enhanced anti-bribery controls, along with a deliberate effort to socialize the new elements face-to-face with the leadership teams engaged in international business.”
—$10 billion energy business
“We published a global anti-bribery and anti-corruption policy and compliance is included in the internal audit plan.”
—$8 billion manufacturer
“I implemented a compliance program from scratch. None existed prior to that.”
—$200 million healthcare firm
Click to download Kroll's guide: "2013 Anti-Bribery and Corruption Benchmarking Report".