Alison Taylor, Senior Managing Director, Control Risks, in a white paper, “Risk, An Organizational Perspective,” states “the traditional preventative approach to risk management is proving inadequate in the face of regulatory complexity, volatility and an environment of constant change. What should replace it is not yet clear.” Indeed, lately there has been a great deal of writing relating on the subject of risk, specifically corruption risk, including the recent OECD Foreign Bribery Report. The reports include a number of comprehensive surveys, such as the one I commented upon from E&Y. When I read these pieces I always try to remain focused as to what practical use they might have to practitioners and professionals who confront corruption risk on the front lines of business, as well as to those who are tasked with helping them to manage that risk.
Accordingly, with that viewpoint in mind, I strongly recommend a ‘deep read’ of a recently released Control Risks survey “International Business Attitudes To Corruption,” which articulates a key-finding right up front: “Paper compliance is not enough.” As the authors continue, when it comes to compliance, companies fall into two categories “those who mean it, and those who don’t.” So, with respect anti-bribery compliance “what do companies need, and what do they lack?” According to the authors, whose data set includes 638 respondents among legal, audit and compliance executives, those elements include:
- Board level leadership and responsibility.
- A strong and consistent message communicated to staff.
- Penalties for breaches.
- An appreciation that the benefits of a robust and meaningful anti-corruption program go beyond simple compliance (emphasis added).
What about the “those who don’t mean it?” Where and why do they fall afar? One dynamic which the authors elevate, and which I echo from my own perspective, is the ‘remote office’ problem, where there is a “disconnect between what the head offices believe about the adequacy and effectiveness of their anti-corruption program and what actually happens in high-risk markets.” In these cases, compliance runs afoul, sometimes due to “general ignorance; sometimes it is a form of willful blindness,” but as the authors remind us “neither is a credible explanation in the eyes of the regulators.” As the survey addresses in a section called “Failure to follow through,” “these days many companies are good at talking about principles. Not all of them are able to demonstrate that they put them into practice.”
As Alison states in her paper, “numerous research studies have determined that rules and processes do not exist in a vacuum and that organizational culture is a critical explanatory factor of employee behavior.” The survey, in my opinion, provides significant value to the compliance community by going beyond the data to drill into what a more robust compliance program necessitates. In other words, what are the “lessons learned” from failed programs in order to embrace compliance as going beyond a set of rules and procedures that might be viewed as a ‘work around’ at the front lines of international business.
Accordingly, here are the “three key qualities” relative to a “robust and meaningful” compliance program that the survey addresses:
Invest in leadership
The work speaks to the fact that less than half of their respondents had an anti-corruption program at the Board level. Not surprising given the OECD finding that “in 41% of the cases management level employees paid or authorized the bribe, whereas the company CEO was involved in 12% of the cases.” As the survey addresses, when there is a Board level commitment, it cascades down throughout the organization by “providing compliance teams with the support they need.” Indeed, having employees sign anti-bribery representations and watch on-line corruption videos does not exactly demonstrate a firm leadership commitment to anti-bribery compliance. Nor do executive proclamations of “we don’t break the law” when combined with aggressive financial forecasts and lucrative short-term incentive plans in high-risk (low integrity regions). As Alison states in her white paper “if employees do not believe that risk management is an essential component of organizational success, processes will not solve the problem.”
Consistency, Consistency, Consistency
“Having an anti-corruption program is not sufficient in itself,” Accordingly, as the authors state “effective two way communication is essential.” Furthermore, when it comes to third parties, “well-drafted contracts are essential but not sufficient,” as companies need “to be able to demonstrate that they have assessed the potential integrity risks thoroughly and consistently.” Indeed, as I have often shared, companies need to start bringing in their business teams to listen to the risks which they are facing in the field, and the more upset they are by what they hear, the better those conversations are going. You can fix what you know, and corruption risk in the Middle East is very different from corruption risk in Asia.
As Alison states in her white paper “all risks are not created equal, and different risks require fundamentally different responses.” Hearing the specifics of how risk is confronted on a regional or country-by-country basis is an important step in establishing that response. Listening to those who confront risk on the front lines of international business will help organizations to develop practical tools calibrated to the industry and region. In addition, attending to the concerns of field personnel will go a long way in getting front-line buy in as the participants in such discussions will likely takeaway a vision that “management is serious” about supporting risk management. I call that front-line “buy-in.”
As Harvard Business School Professor Paul Healy states in an article Corrupting Silence: Companies Must Speak Up Against Bribes, “It’s harder to rationalize corruption if you are receiving a consistent message that we don’t do this.”
Get ready to resist
Here is where it can get challenging, as “the third requirement is a willingness to resist bribery, even in, or especially in, high risk environments.” According to the authors, “resistance to demands is tough but entirely feasible,” requiring “skill, determination-and vision.” The ‘how to,’ is best elevated by Alison when she states that “companies must therefore make strategic decisions as to whether to enter some markets, accepting a certain level of inherent corruption risk, or stay out of them so they can maintain stated ethical commitments.” But where those markets are entered, if delays, sales targets and growth plans to do reflect the inherent market risks, then those at the front line will at some point take compliance decisions into their own hands as they ponder “what does management really want, compliance or sales?”
As the survey states “often the most realistic approach is to accept a short-term failure to win business, while preparing the ground for greater success in the future.” Indeed, when field personnel see that management understands that to be successful and compliant, short-term sacrifices will be necessary, then an important step will have been reached to embrace a more “robust and meaningful anti-corruption program” as going “beyond simple compliance.”
From my perspective, when those who confront risk in the field see that management has embraced anti-bribery corruption as reflected in business strategy and growth forecasts through making “clear-eyed” strategic decisions, especially in low integrity regions, then the “what we say” will be well balanced and aligned with the “way we do things around here.” This commitment, as Alison states, will then go beyond the traditional “bolt on” compliance model as to “tackle the full scale of the corruption challenge, which cuts across every aspect of a multinationals company’s business.”