For many corporations, bribery and corruption rank among the most significant risks, and their prominence is increasing. Though virtually no business is completely free of risks associated with bribes and other corrupt payments, the danger is particularly significant for multinationals and those in industries like construction, retail and resource extraction.
According to a recent survey by Transparency International, the Global Corruption Barometer 2013, which asked more than 114,000 people in 107 countries about their views on corruption, one in four people paid bribes “when accessing public services and institutions in the last 12 months.” To most people in Europe and North America, this statistic may seem shocking. However, the reality is that some form of bribery is a normal part of life in many countries.
The vast majority of the bribes are likely small payments to officials made by ordinary people — a sum given to a policeman to expunge a minor infraction, for example. While they are difficult to condone, these practices are a basic part of the economy in many regions. From a corporate perspective they are unlikely to represent a significant risk or concern.
While nowhere near as commonplace, the bribes that are paid through corporations have a very different profile. They are likely to be few in number but involve large amounts and are carefully disguised. Often intended to help secure major contracts, they may be paid to a range of different influential individuals in foreign governments and corporations. Formal policies in most large companies clearly forbid such practices, but this does not mean they don’t occur.
The U.S. Foreign Corrupt Practices Act (FCPA) and the U.K. Bribery Act are just two examples of government legislation that aim to address the problem by levying massive fines against organizations involved in bribery. Some of the steepest fines and settlements include the $1.36 billion paid by Siemens and the $579 million paid by Kellogg, Brown & Root (KBR). The direct impact of financial penalties is not the only problem for business, as the damage to brand and reputation from negative publicity can have a greater and more long-term effect.
Dealing with the problem is not always easy. Payment and receipt of bribes, as well as other forms of facilitation fees and benefits, are a well-established part of business and government culture in many parts of the world. And despite increasing legislation and enforcement, the extent of bribery and corrupt payments is not in decline. PwC’s 2014 Global Economic Crime Survey reported that most organizations have actually seen an increase in the problem.
The reality for many business managers is that it can be extremely difficult to remain competitive and win new business in foreign markets without resorting to some form of inappropriate activity. As a result, despite the implementation of increasingly stringent corporate policies, the temptation to do whatever is necessary to close a deal and then find a way around getting caught is always present.
What can be done to address the risks associated with bribery and corruption?
The C-suite, including the CEO, CFO, chief risk officer and functional area leaders, all have roles to play in addressing the issue. They are ultimately responsible for ensuring that appropriate policies, processes and controls to reduce and manage all forms of risks are in place and working effectively.
While companies are increasingly appointing a CRO, this role usually involves overall coordination of risk management processes and does not have direct responsibility for the policies and controls. The most direct responsibility should rest with the business managers who are accountable for the areas in which the highest potential for bribes exists.
Management may have an expectation for internal audit to alert them if there’s a problem, but this isn’t sufficient. Audit can provide some degree of assurance, but it is management’s responsibility to ensure that corrupt payments are not being made.
Preferably, the risks arising from bribery and corrupt payments are not treated in isolation but as part of an overall process to identify, monitor and manage the range of risks a corporation faces. This means first understanding the practical extent of risk arising from bribery and corruption in terms of factors such as regional location, business functions and applicable legislation, all of which can vary considerably from one company to another.
This approach also allows for the risks from bribery and corruption to be assessed against the organization’s level of risk appetite. It helps provide context for the extent of effort and resources that should be put into managing the risks of bribery.
Once an assessment has been made, the next step is to develop and communicate policies and implement training programs. Specific control procedures are then put in place, typically involving approval and authorization processes for all forms of payments or benefits that could be considered a violation.
The challenge is to monitor the process in order to determine whether or not it is actually effective. While unlikely to be interested in the granular details, how can the CEO, CFO and other leaders be assured that their names are not going to show up in tomorrow’s top news story about a bribery scandal?
Just as in any other essential business area, technology systems play a key role: They provide a means to identify and rank risks across the organization, as well as document policies and controls.
Software is particularly effective in identifying specific indicators of problems and in reporting risk trends so that they can be remediated. Entire populations of payment transactions can be analyzed and tested for a wide range of indicators of potential bribes (some examples of tests from ACL.)
Any suspect transactions can be routed through an exception management system to ensure problems are properly addressed. The Department of Justice has indicated that if a company has performed proactive monitoring of payments, it will take this into account when instances of bribery still occur, and it may reduce penalties accordingly.
Senior management should be able to look at a smartphone, tablet or laptop and see a recent quantified assessment of the effectiveness of anti-bribery controls and, most importantly, any red flags for problems in the organization. There should be a comprehensive system that identifies, assesses and quantifies the risks according to each operating region. The system should also allow the executive to drill down into specifics when necessary.
Some organizations are highly advanced in their approach to managing the risks associated with bribery and corrupt payments. However, given the increasing magnitude of threats posed from failing to comply with anti-bribery and corruption legislation, it’s surprising that there are still so many organizations behind in their efforts to address the problem.
John Verver, CPA, CISA, CMC is a strategic adviser to ACL, where he has also held vice president responsibilities for product strategy, as well as ACL’s professional services organization. ACL is an audit and risk management technology solutions firm.