ETHIC Intelligence is very pleased to host its third annual international conference on Standards and Guidelines in corruption prevention on September 10, 2018 at the OECD Conference Centre in Paris. Click below to view photos and videos from last year’s event where experts from business, civil society and government exchanged and debated issues related to the fight against corruption.
It is important for three reasons:
The first reason is because compliance is efficient only if it is tailored to the organization’s specific corruption risk.
If corruption risks are not evaluated sufficiently, underestimated or overestimated, a compliance program will not be effective.
If underestimated, corruption risks will not be properly mitigated.
Overestimating corruption risk with a view to implementing a very sophisticated compliance program leads – paradoxically – to the same result: corruption risk will not be properly mitigated. Why? Simply because people who have to follow compliance rules will quickly discover that it is overly bureaucratic, and they will find ways to bypass compliance processes or to apply them only partially.
Mapping corruption risks, without underestimating or overestimating them, is essential for a compliance program which is efficient when it is well implemented. And it will be well implemented only if people find it legitimate. And they will find it legitimate only if it is tailored to the business organization.
The second reason is because compliance needs appropriate resources.
In the same vein, underestimating corruption risks leads to inappropriate resources being devoted to compliance.
Overestimating corruption risk with the hope that it will result in a higher budget from management is equally misguided. Overestimating corruption risk will not convince Top Management as they will challenge the information. It is counterproductive to be perceived as an “arsonist firefighter” as it will impact negatively on the legitimacy of the compliance function.
The third reason is that – as for every support function – the limited resources allocated to compliance should be used in the most efficient way.
For top managers as well as for operations, compliance is first and foremost a cost, even in organizations where everyone agrees that compliance matters.
A well-designed corruption risk mapping ensures that resources are focused where risks are high and balances prevention policies (ex-ante) and detection actions (ex-post). These two dimensions – prevention versus detection – are two considerations that should be taken into account when designing an efficient corruption risk mapping as described below.
An efficient corruption risk mapping exercise should approach corruption from different angles in order to draw different consequences. The four angles listed below will help compliance officers with what is needed to mitigate the risk in an appropriate manner, either at the organizational level or at the business processes level.
It is relatively easy to have a global evaluation of corruption risk. This can be done by disaggregating the turnover of the organization by:
Rating each of these three indicators by high, medium or low corruption risk, will give an indication of the importance of the resources that should be given to mitigate corruption risks.
However, it is not because an organization has a high corruption risk at a global level that the corruption risk will be high in every country or operation.
A global approach is a first step but should be supplemented at the local level and take into account the specificities of business processes. This will facilitate an understanding of where corruption risks really are, and where compliance rules should really be implemented and controlled.
Applying the same compliance rules throughout is often a mistake when the organization is present in many countries, has different types of operations or is active in different business sectors.
Only such a disaggregated approach of both corruption risk and compliance program implementation will guarantee that the overreaching imperative of zero tolerance in corruption will be understood and applied everywhere. When compliance is perceived as an unnecessary burden in some low risk sectors, those operating in high risk sectors will more readily ignore their compliance obligations.
Mapping corruption risk is probably the most important and most useful piece of a compliance program
My experience shows that when local managers i) understand a risk and ii) appreciate the usefulness of preventative tools they adopt them easily and in a business-oriented manner
The difficulty with corruption is that it takes different forms: from a bribe paid directly to the selection of an inappropriate business agent, from an undue invitation of a prospect to the hiring of an employee linked to a client’s family …At the local level, involving all the directors in charge of the entity’s day-to-day management with the risk mapping exercise has proven to be extremely useful. Each department manager will understand his responsibility and role in the implementation of the compliance programme. Such a risk mapping exercise might require an hour of collective training upstream to ensure that everyone has the same understanding of corruption risk.
A risk mapping exercise indicates where corruption risks are high and therefore what kind of preventative actions need to be designed and implemented.
For instance, it helps to identify which type of employees should be trained, or what type of content should be included in the training. It will also help to identify which tools are needed e.g. due diligence questionnaires, who will have to apply them e.g. managers working with sales agents, etc.
But the risk mapping should also help to identify what kind of controls should be implemented to ensure that corruption risks are properly mitigated. In a very decentralized organization, the compliance program will also be naturally decentralized, but this decentralization will require centralized and regular control processes.
A risk mapping exercise will ensure a sound balance between preventative and detection tools whose combination ensures a robust compliance program.
It is noteworthy to remember that the drafting group of the ISO 37001 decided, in its very first meeting, to add a specific requirement on bribery risk mapping in section 4 of the standard.
It should be recalled that section 4 of every ISO related Management System requires the Organisation to describe the context in which it operates: mainly its business operations, the stakeholders’ expectations and the applicable laws and rules.
The ISO 37001 drafting group considered very early that with respect to an Anti-Bribery Management System, Section 4 of the standard should be complemented by a specific section on “bribery risk assessment” (4.5), a section which moreover relies on detailed guidance (Clause A.4).
In other words, the ISO 37001 drafting group experts considered that a solid Anti-Bribery Management System requires a solid corruption risk mapping… and this risk assessment is a constant reference to all requirements throughout the standard to ensure that prevention and detection tools are always adequate to mitigate the identified risks.
To conclude: there is no efficient compliance program without a well-designed corruption risk mapping.
Philippe Montigny is CEO of ETHIC Intelligence and Chairman of its Certification Committee. Philippe has over 20 years of experience in advising companies on strategies to prevent corruption and leverage business integrity.
The compliance community must navigate amidst an ever-changing landscape of laws, recommendations, emerging corruption risks, trends in investigations and the threat of prosecution. The ambition of this blog is to bring this landscape into focus while raising compliance effectiveness from both a business and legal perspective.
Anti-corruption compliance is a major asset to companies; ETHIC Intelligence Certification of compliance programs and Validation of business partner commitments leverage this asset in a concrete way to help business.