When compliance policies fail: addressing the monitoring deficit
May 2017 | LEGAL & REGULATORY | FRAUD & CORRUPTION
Financier Worldwide Magazine
Many companies are finally ‘getting it’ when it comes to anti-corruption compliance. Nonetheless, whether it is in the due diligence review of a partner or potential acquisition target, conducting internal investigations, or defending organisations in enforcement matters, many companies still operate under the dreaded ‘paper policy’ – a beautifully drafted compliance policy that has been simply rubber stamped by the board of directors and then essentially ignored by management.
It is still happening all too often. The policies and procedures have little to do with the practical realities of the day-to-day business of the company. No risk assessment was conducted prior to development of the measures and there is no documented evidence of their implementation. In the end it seems that management and the board have paid only lip service to the idea that anti-corruption compliance is a priority for the company.
There are a variety of reasons why compliance policies fail. Even if your organisation has conducted an effective risk assessment and established a strong tone from the top for implementation, if you fail to support and nourish your policies and procedures on an ongoing basis you may be left with little more than a paper policy.
The monitoring imperative
A necessary component of any anti-corruption compliance programme structure is monitoring. You can have the most sophisticated controls that are clearly articulated across your organisation with an accessible policy and procedures manual and regular and comprehensive training of employees, but how do you know it is all working?
Some may take comfort from the fact that they have not run into any problems yet. However, the lack of any instances or reports of potential non-compliance, particularly for companies operating in higher risk jurisdictions, is more likely to be a sign of failure than of success in your compliance system. Sometimes no news is bad news.
Anti-corruption enforcement authorities in the US, Canada and other jurisdictions have made it clear that, in order for it to be effective, a compliance programme must include mechanisms for both the monitoring and evaluation of controls. In short, you need to have feedback that the system is working, or alternatively, that it is not working, in which case steps must be taken to fix any deficiencies. Even the most established compliance systems need regular adjustments to respond to constantly evolving risk and business environments – no one will get it exactly right, especially in the early days of implementation, so having mechanisms for reviewing performance and correcting on an ongoing basis is critical.
For example, the US Federal Sentencing Guidelines require an organisation to monitor, audit and periodically evaluate the effectiveness of a compliance programme. Similar expectations from Canadian enforcement have been reflected through the probation order imposed on Niko Resources Ltd since it pled guilty to violating the Corruption of Foreign Public Officials Act.
Internal audit and review
At its heart, the monitoring and audit process should generate answers to basic questions about the functioning of each of the key elements of your anti-corruption compliance programme. Although the following is only one example of how a company focuses its periodic audits and reviews, it is instructive of the kinds of topics and questions that may be addressed in this process ('Anti-Corruption Ethics and Compliance Handbook for Business', OECD, UNODC, World Bank, 2013):
Governance. Assess tone at the top and middle. Are active commitment and visible support given by management? Has there been clear, practical and accessible communication of the compliance programme and standards to employees? Has management established a trust-based organisational culture, adopting the principles of openness and transparency?
Risk assessment. Review management’s engagement in the compliance risk assessment. Are there any new areas of business which should be reflected? Does management engage in any other formal risk-assessment process? If not, how does it assess its risk of fraud, corruption or other legal or regulatory risk?
Due diligence and management of business partners. Have business partners been identified? What processes are in place for the selection and appointment of business partners? Are risk-based background checks in place? Do these extend to joint ventures? Has it been effectively communicated that entities are required to adopt the company’s code of conduct or equivalent standards? How is risk assessed and kept under review?
Education and training. Determine the level of awareness and understanding of the company’s standards, policies and procedures among employees (including casual staff) of over three months’ tenure. Have all relevant employees participated in required training? Has management identified high-risk employees, such as senior executives and business unit leaders? Has tailored training been requested and, if so, provided?
Anti-bribery and corruption controls and procedures. Do HR practices reflect the company’s commitment to the programme? Assess the integrity of employee data: are there any instances of duplicate employees or payments to spouses, associated persons or entities? Assess the business unit’s processes regarding reporting facilitation payments. Assess the business unit’s processes regarding gifts, entertainment, hospitality, lobbying, sponsorship, charitable/political contributions, reimbursement of expenses, commission payments, petty cash and cash advances, among others.
Channels for questions, concerns and advice. Has management established a culture in which questions will be raised? Do managers regularly communicate the requirement for reporting concerns? Does the business unit have a clearly defined plan for response to such concerns? Are procedures in place to ensure that any issues are communicated to the appropriate group function?
Monitoring and reviewing processes. Ensure that changes in compliance risks are identified and that procedures reflect the current risks. Have local policies and procedures been revised to reflect previous recommendations? Are any changes to the monitoring plan required to reflect issues identified in this review?
There are a number of factors you need to consider for the structure of this process. First, who is going to conduct these reviews and evaluations of your compliance programme? If your organisation is large enough, you may have an internal audit department and compliance programme already established for auditing financial controls with some expertise in auditing procedures. This is a good place to start but you will also need to ensure they have specific anti-corruption expertise. Smaller organisations may not have the internal resources and may look to external audit expertise.
Many companies will use both internal and external resources for this function, depending on the extent and focus of the audit, which may be, for example, a broad cut across all operations or a more focused review of your procedures for screening and monitoring third parties in a certain jurisdiction. However you staff the process, the overriding consideration should be the principle of independence. The auditors, whether internal or external, should be independent of the staff and function they are reviewing. Sometimes internal compliance staff may conduct the audit but if the compliance department or CCO’s performance is being reviewed, that may be best done by external parties.
Second, where should companies focus their audit and monitoring efforts? There is no one-size-fits-all answer to this question. In an ideal world, there would be all the necessary financial and other resources to conduct anti-corruption reviews of all your organisation’s activities in all of its locations around the world. The reality is that resources are limited and you need to prioritise the deployment of those resources to the areas where they are most needed. The risk assessment process will feed into this. The most significant audit and monitoring resources should focus on those areas of your organisation’s highest risk. This will mean more thorough and frequent reviews for your operations in high risk countries, for those parts of the business that have greater government touch points (for example, by virtue of sales to government or state owned enterprises, the negotiation of production sharing agreements, or regulatory permit or licence requirements), or where your organisation has more dealings with third-party agents or business partners (sales in jurisdictions where you do not have an established office, for example).
Third, what tools and techniques are needed to get this done? This too will vary by company and by the intensity of the review or audit being conducted. These can include a formal site visit and comprehensive audit or the circumstances may call for a combination of less resource-intensive processes that may be conducted from head office, such as transaction sampling, electronic surveys and questionnaires and employee interviews. The key here is to ensure that the tools and techniques you are using are aligned with the level of risk exposure for the office, location or function under audit.
Fourth, how should the results be reported? Once the audit or review is complete, there should be an established mechanism in place for documenting and reporting the results, and most importantly, for ensuring appropriate action is taken to address any shortcomings or vulnerabilities identified. Reporting of audit and review results, whether from the CCO or an external resource, should be made directly to the board of directors or its audit committee to ensure independence is maintained in the review process, as well as in any decisions on necessary remedial or mitigation measures.
Finally, it is important that input on the functioning of the compliance programme be obtained from employees and third parties on the ‘front line’. Although you are already gathering information and generating feedback from employees through your internal audit and review process described above, there must be a separate mechanism to allow for the independent and confidential reporting of suspected or actual non-compliance. No compliance structure is complete without such a ‘whistleblowing’ mechanism.
Your first consideration will be whether to set up a whistleblower line internally or use an external provider, of which there are many. Given the internal resources required and the level of sophistication of these mechanisms today (such as multiple languages, 24/7 availability, access for employees and third parties, and multiple channels such as email, web app and phone line), many organisations, especially SMEs, will opt for using an outside party to administer this process and report to the CCO, compliance department or even the chair of the board’s audit or compliance committee. The whistleblowing mechanism must ensure, and be seen to ensure, anonymity and confidentiality in accordance with the employee’s wishes and that the employee will not face retaliation for coming forward and reporting.
John W. Boscariol and Peter Brady are partners at McCarthy Tétrault LLP. Mr Boscariol can be contacted on +1 (416) 601 7835 or by email: firstname.lastname@example.org. Mr Brady can be contacted on +1 (416) 601 8222 or by email: email@example.com.