Several trends are leading companies to increase the frequency of their internal investigations. Soon, internal investigations will no longer be the exception, but the rule.
The Compliance Officer must be prepared for this development, which has three important consequences for: i) the confidential status of any information collected, ii) the protection of staff and iii) the credibility of the CCO and his or her compliance program.
Many compliance managers have asked me if the fact that their business associates were certified ISO 37001 would relieve them of the responsibility of conducting further due diligence.
It is a relevant question which requires a detailed response.
Every act of corruption involves a conflict of interest. The receiver or corrupted individual acts in his own interest and not in that of the organization he represents.
Is it necessary to conduct due diligence on clients, and if so, how? I have been asked this question frequently over the past few months.
Conducting due diligence on third parties who work for or with the company is manifestly necessary and useful. If the third party represents a corruption risk, the risk can be mitigated with anti-corruption clauses, modifications to working conditions, anti-corruption training, more intensive monitoring or by demanding audit rights and subsequent controls.
Carrying out due diligence on third parties which is not based on a risk assessment is counterproductive for the following reasons:
A whistleblowing system is now an incontrovertible tool for compliance.
But it is not enough to have a whistleblowing system; it must be one that works... one that raises alarms on suspicion of fraud or corruption effectively.
If the whistleblowing system results in very few alerts being raised, the Compliance Officer is faced with a paradox:
Either the compliance program is particularly effective
or – the opposite – the whistleblowing system is ineffective
In other words, is a procedure which raises very few alerts reassuring or...alarming?
Why is mapping corruption risk important?
It is important for three reasons:
The first reason is that compliance is efficient only if it is tailored to the organization’s specific corruption risk.
If corruption risks are not evaluated sufficiently, underestimated or overestimated, a compliance program will not be effective.
If underestimated, corruption risks will not be properly mitigated.
40 years after the publication of the FCPA and 20 years after the signature of the OECD Anti-Bribery Convention, 2017 saw several developments in the fight against corruption.
And if these developments, although relatively isolated for the time being, were to become more commonplace I could, we all could, dream of a world where corruption disappears. My dream for 2018 is that the three following wishes become reality:
The intensification of investigations and criminal prosecutions of executives from large companies as well as of politicians and high level public servants in Brazil this past year is particularly significant.
I remember the satisfaction of the signatory countries’ representatives when, 20 years ago, an agreement was reached at the OECD on Combating Bribery of Foreign Public Officials in International Business Transactions. Finally, there was a legal instrument to combat this insidious practice. Yet the text was only signed by a few states and countries’ willingness to prosecute their companies for acts of corruption committed overseas - acts which resulted in contracts and profits at home - was, except for the United States, largely absent.
When I first started working with companies on corruption prevention 20 years ago, their primary concern was related to the issue of passive corruption: how could they ensure that no staff member would accept a bribe, for example, from a supplier or even a client, in exchange for special treatment? If an employee accepts a bribe from a supplier, it is not to benefit the company; instead, passive bribery impacts negatively on a business’ profitability and hampers its competitiveness, making it one of the organization’s main sources of concern. Which is why companies focused primarily on passive as opposed to active corruption for a time.
Although incidents of passive corruption often originate within the purchasing department, it is not an activity exclusive to this branch. Passive corruption can also occur with employees responsible for product specifications, or managers occasionally needing to use emergency or exceptional purchasing procedures.
For small to medium-sized enterprises that need to implement an anti-corruption compliance policy the ISO 37001 is a useful, easy-to-use and affordable reference.
One of the most common questions I am asked is “to which function should the anti-corruption compliance post be attached?” As previously mentioned, it cannot be connected to an operations role for reasons of conflict of interest.
Mid-sized companies’ structure differs greatly from that of their larger or multinational counterparts. Multinationals, as listed companies, are obliged to have, at the headquarters level, the resources and processes necessary to secure compliance with regulations that apply to listed companies. These companies have been respecting other international requirements for years, so they do not see the addition of an investment in compliance as an excessive burden.
A few months after the publication of the ISO 37001 standard, ETHIC Intelligence was carrying out its first ISO 37001 certification. Later, I received feedback from the Compliance Officer of that certified company. He stated that the ISO 37001 audits had strengthened the organization’s compliance culture thus rendering the compliance program more effective.
This chapter’s title is a little provocative. The role of the Chief Compliance Officer is not to increase profit but to ensure that business is conducted in complete respect of relevant laws.
The question of what budget should be allocated to anti-corruption compliance is a difficult one for any company. For Top Management, compliance has a cost – undoubtedly necessary – whose expenditure cannot be reconciled in a tangible manner or with a physical receipt. The impossibility of defining return on investment often results in the compliance budget being kept to a minimum. The Compliance Officer, on the other hand, is aware of an allegation or act of corruption’s potentially dramatic effects on the company and views a compliance budget as a sort of insurance policy which should cover the company’s identified risks to an appropriate degree.
Compliance Officers have long been preoccupied by their potential exposure to legal liability; worries seemingly justified by recent cases of prosecutions – and convictions – of compliance officers.
The ISO 37001 standard declares: “This document specifies the implementation by the organization of policies and procedures and controls which are reasonable and proportionate”. Two lines later it states, “this document can help the organization implement reasonable and proportionate measures designed to prevent, detect and respond to bribery”.
The publication of the ISO Standard 37001 and its certifiability has caused a debate as to whether the standard offers legal protection or not in the event an act of corruption is discovered at a company. As corruption is an offense that can result in the corporation’s criminal prosecution, companies want to know what kind of legal protection comes with an ISO 37001 certification.
Philippe Montigny is the founder of ETHIC Intelligence, a leading anti-corruption certification agency that has been certifying companies since 2006. He is currently the Chairman of the Technical and Impartiality committees and has over 20 years of experience in anti-corruption compliance, beginning at the Office of the OECD Secretary-General, for which he was involved in the ministerial negotiations that led to the OECD Anti-Bribery Convention in 1997. Philippe Montigny was also a co-drafter of the compliance management system standard (ISO 19600) published in 2014 and of the anti-bribery management system standard (ISO 37001) published in 2016 and served as ISO liaison officer between the two.