
How firms handle ABC risks: a global perspective

Chris Hamblin, Editor, London, 17 March 2017


Anti-bribery and anti-corruption compliance and enforcement continue to march around the globe, despite an unpredictable political environment in the US. Kroll, the spy firm, has compiled a report on the subject.

Recent regulatory developments include an anti-bribery and corruption law in France and new guidance from the International Standards organisations in the form of ISO 37001. Most recently, the US Department of Justice issued DOJ Guidance 2.17, a paper entitled “Evaluation of Corporate Compliance Programmes”, which sets out the expectations—in the form of key questions asked by category—of this powerful and often trend-setting law enforcement agency about the autonomy, independence, and reach of the compliance-related plans of action or ‘programmes’ that the DOJ expects some firms to have in place. Indeed, the report mentions the word ‘programme’ 70 times but does not say what it means by it. In the US, one of the countries in the survey, the phrase “anti-money laundering/BSA programme” has always been a strange way of referring to each firm’s never-ending efforts to combat money laundering and obey the Bank Secrecy Act 1970 in a way that pleases regulators such as FinCEN or the Federal Reserve and this might (or might not) be the meaning here.

The benchmark survey

Perhaps in line with this regulatory trend, or perhaps as a way of dealing with ‘reputational risk,’ firms that responded to a Kroll survey on the subject during the winter said that they were concentrating more than ever on something that Kroll calls “anti-bribery and corruption compliance initiatives.” They also indicated that company-wide involvement in efforts to tackle bribery and corruption was on the increase.

The survey was conducted in the winter months and produced 388 complete and partial responses. Nearly half of respondents (44%) represented publicly listed companies; an additional 43% represented privately held companies, and 13% identified their organisations as a non-profit or other type of organisation. The majority of organisations were headquartered in North America (43%), followed by the United Kingdom (14%), Western Europe (14%), Brazil (8%), and Australia/New Zealand/Pacific Islands (7%). 30% of respondents held the title of compliance and ethics officer or chief compliance officer, followed by director (17%). A wide range of other titles trailed closely behind, all of them related to compliance or anti-corruption activities.

For the whole of this century so far, it has been a commonplace to note that firms with the best corporate governance tend to perform about 15% better than their less-well-ruled counterparts. Kroll has allied itself with the Ethisphere Institute, an ethical business standard-setter, for this project and notes that the publicly traded companies on Ethisphere’s “World’s Most Ethical Companies” list outperformed the Standard & Poor 500 by 9.6% over the last four years.

The majority (57%) of survey respondents expect their organisation’s risks in respect of bribery and corruption or ‘ABC risks’ to persist at the same levels as last year; 35% expect them to rise this year; and 8% expect them to fall. The ones who expect them to rise were worried about more ‘third party’ relationships and an increase in global regulatory enforcement — both factors out of the compliance officer’s control. Those who reported a decrease in risk from last year credited the improvement to the money they had invested in their mysterious ‘programmes.’ Kroll uses the phrase ‘third party’ to mean “any person or entity you partner with in order to do business.”

Key findings from the study

Respondents believe that the top risks to their anti-bribery and corruption programmes will come from “third party violations” (40%), a complex global regulatory environment (14%), and employees making improper payments (12%).

No doubt this risk level is weighing heavily on the minds of compliance officers. Not only do a majority believe their resources to be inadequate for ABC purposes; they are also, as always, worried about their own personal liability, with one-third reporting a greater level of concern in this area than last year. However, there is good news as well; many respondents say that they are drawing invaluable support from their chief financial officers and finance teams. With its organisation-wide view of operations and transactions, ‘finance’ is turning into a formidable line of defence in the fight against corruption.

Monitoring after the ‘onboarding’ of third parties

Regulators around the globe—from the UK to the US to Brazil—have repeatedly said that companies are expected to know the third parties with whom they are transacting business and what services those third parties are performing for them. The new ISO 37001 standards on Anti-Bribery Management Systems – which so far lack regulatory backing – say the same. Simultaneously, however, increasingly complex third party networks have become the norm. 40% of respondents do business with more than 1,000 third parties in a given year (excluding customers), and nearly one-third (29%) of respondents manage more than 5,000 third party relationships.

Despite efforts to evaluate third parties during the selection and ‘onboarding’ phase, the majority of respondents (55%) experienced problems after the initial screening process. They attribute this to a wide variety of reasons, including misconduct that arose subsequent to the time of onboarding, non-compliant behaviour that was concealed or not disclosed by third parties at some stage, and ‘red flags’ that the original screening passed by. The results show that the most common way in which firms identify these problems is through continuous monitoring. Mergers and acquisitions continue to bedevil compliance officers from an anti-bribery and anti-corruption perspective.

Reputational risk in more detail

The issue of reputational risk surfaced in all aspects of this year’s research—from interviews with Kroll’s subject matter experts, to Ethisphere’s analysis of data it obtained when compiling its list of ethical companies, to the results of the survey. All uncovered a marked increase in boardroom discussions about the exposure of firms to bribery and corruption. Among the leading companies on Ethisphere’s list, 14% more are performing anti-bribery and anti-corruption exercises when they take on new directors this year than last. Similarly, there was a 20% increase in the number of firms on the list that now look at problems regarding bribery and corruption during their “ethics and compliance programme updates” that involve their boards. Directors, in the words of one of Ethisphere’s analysts, want to know how they can help. Fifty-one percent of respondents state that senior leadership at their organisations is “highly engaged” with anti-bribery and corruption efforts, reflecting a 4 percentage point increase over the previous year. At the end of the report Kroll explains why with some words of wisdom: “While we may live in a time of regulatory uncertainty, the court of public opinion is stronger than ever.”

Kroll and Ethisphere asked companies the question: “What Do You Perceive to Be the Top Risk to Your Anti-Corruption Programme in 2017?” Their answers, broken down into percentages, were as follows.

  • 40.4% - third-party violations
  • 14.2% - the complex global regulatory landscape
  • 12.4% - employees making improper payments
  • 10.2% - lack of resources or proper controls
  • 8.4% - risks related to joint venture or M&A activity
  • 7.1% - lack of sufficient automation and/or monitoring
  • 5.3% - lack of support for the compliance programme from internal leadership
  • 1.8% - other

The survey asked companies the question: “Do You Believe You Have Enough Resources to Support Your Organisation's Anti-Corruption Efforts?” 51% said yes (down from 53% in 2016) and 47% said no (down from 49% in 2016).

Personal risks

People who manage anti-bribery and anti-corruption programmes run personal risks. One-third of respondent companies are expressing more concern about personal liability in this area than in last year’s survey, which itself betrayed greater concern than in previous years. Kroll thinks that this may be related to the cumulative effect of the UK’s Senior Managers Regime, the Yates Memo in the US, the increasing use of deferred prosecution agreements (DPAs) around the world, and tough new legislation such as the French Loi Sapin 2 (Law n° 2016-1691). Together, these developments present directors with the potential for higher fines and prison sentences. Even though DPAs typically do not pave the way for personal prison sentences, Kroll thinks that there is a “very real possibility” that governments in future will offer favourable DPAs to organisations that “deliver over...a culpable individual.”

Finance teams providing new lines of defence

The survey asked respondents: “Does Your Chief Financial Officer (CFO) Maintain an Active or Supporting Role in Developing Your Anti-Bribery and Corruption Programme?” The results were as follows.

  • 'Ownership role' - 8%
  • Active role - 37%
  • Supporting or passive role - 36%
  • Not involved - 14%
  • Don't know - 6%

Zoë Newman, the managing director at Kroll, says in the report: “No matter how many compliance controls and procedures you have in play, the finance function and ultimately the CFO will always be the third line of defence.

“Local country operations are often the most at risk in terms of bribery and corruption. They’re often small, acquired, and isolated from the head office. As a result, the practicalities of implementing head office compliance controls locally are more complex and fraught with risk, particularly when dealing with an autocratic country head. In these situations, the finance function plays an even more important role. Even if they report directly to the country head, it is critical that there is sufficient oversight by the CFO, and that the local function is empowered to question transactions, ensuring that they are carefully reviewed before being signed off and authorised by finance.”

In fact, those respondents who said that their CFOs played an active role in their organisations’ programmes were almost four times as likely to feel “extremely prepared” to manage the risks that their firms were running in relation to bribery and corruption. Meanwhile, 70% of those who did not have an actively involved CFO felt that they did not have enough resources to manage such risks (as opposed to the overall rate of 49%).

Third-party problems

Recent regulatory guidance, such as the British Bribery Act’s call for “continued and regular monitoring,” is drawing attention to the need for firms to monitor ‘third party’ (i.e. external) service providers long after they have screened them at the beginning of their relationships with them. We have already seen how firms are having to deal with problems long after they have ‘onboarded’ their third parties.

Kroll points out: “With hundreds, if not thousands, of third-party relationships around the world, having a robust compliance programme that incorporates some level of automation is going to be key for helping organisations effectively manage these relationships, both initially at onboarding and later through ongoing monitoring.”

To the question “If You Experienced Issues With Third Parties Post Onboarding, Why Do You Think This Issue Occurred?” respondents replied:

  • 40% - issues or risks did not exist at the time of onboarding.
  • 35.4% - due diligence assessment did not return risk-relevant information.
  • 33.1% - third party concealed issues upfront.
  • 26.2% - issues identified at the time of onboarding were not adequately addressed.
  • 15.4% - initial risk categorisation or risk scoring of the third party was incorrect (and therefore an improper due diligence scope was selected).
  • 10.8% - other.

As part of their efforts to comply with ethical and legal standards, nearly four out of every five respondents report that their organisations engage in ‘ongoing monitoring’ of third parties, and nearly half say that they also conduct in-depth audits. Furthermore, 30% monitor all third parties, regardless of their risk profiles.

Roughly half of Ethisphere’s ideal companies divide their intermediaries into tiers – low, medium and high – for the purpose of monitoring and auditing. Ethisphere recommends “enhanced due diligence” to those that fall into the high-risk category.

These are the factors that led to legal, ethical or regulatory problems relating to third parties coming to light.

  • Disclosure by the third party itself - 17.9%
  • Audit of the third party - 30.6%
  • Regulatory enforcement - 26.9%
  • ‘Ongoing monitoring’ - 50.0%
  • ‘Ad-hoc due diligence’ - 45.5%

David Liu, Kroll’s head of compliance for the Asia Pacific region, thought that regulators in his area were forcing firms to make individuals more accountable for their transgressions and encouraging firms to report their problems to the authorities more than ever before. He also detected an upsurge in the speed of regulators’ responses to problems and the penalties they levied on recalcitrant firms. Liu added: “Recent AML regulations focus on tightening internal controls, with new disclosure requirements, enhancement of suspicious transactions reporting, and heightening of reputational risks associated with sanctions.”

Robert Huff of Kroll added: “With vague regulatory guidance, optimal frequency [of monitoring checks] is subject to interpretation. Firms need to find a level of monitoring where they are able to appropriately react, in a timely manner, to any changes in a third party’s risk profile.”

Nearly 80% of those respondents who monitor all third parties, regardless of their risk profiles, believe that they are either extremely or ‘appropriately’ prepared to handle global risks that pertain to bribery and corruption. Complacency about preparation drops as the level of continual monitoring goes down: 69% of respondents who monitor only the most risky of third parties feel extremely or appropriately prepared, while just 29% of respondents who do not monitor third parties have the same confidence.
