Taking a Risk Management Approach to Anti-Corruption
Written by Leslie Benton
As daily headlines attest, a corruption scandal can be devastating for a company. Once caught up in a bribery scandal, a business can be exposed to significant legal risk, including the possibility of multi-million dollar fines and the attendant costs of internal investigations, legal and consulting fees, and other costs necessary to remediate the problem.
It doesn’t stop there—corporate executives can face prison terms, and reputational damage can be equally severe. The demand for good governance comes from a number of fronts, among them, investors, who increasingly call for information about a company’s commitment to corruption prevention. The European Union also recently adopted a directive requiring companies to disclose information on their anti-corruption efforts, among other non-financial data.
As governments around the world intensify their focus on corruption through the adoption and enforcement of laws aimed at corrupt practices, it is incumbent upon companies to step up efforts. It’s not just large multinationals that need to be concerned. Last year, the Securities and Exchange Commission (SEC) settled a case against Smith & Wesson Holding Corporation for violating the Foreign Corrupt Practices Act (FCPA) when employees and representatives of the US-based parent company authorized and made improper payments to foreign officials while trying to win contracts overseas.
“This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales,” said Kara Brockmeyer, Chief of the SEC Enforcement Division’s FCPA Unit, in the settlement announcement. “When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.”
The risks of corruption are clear. The question is: how can a company move from a reactive stance to a proactive, preventative approach to combating it? For many companies, the answer lies in existing Enterprise Risk Management (ERM) programs. ERM, once considered primarily in the context of contingency planning before a risk becomes reality, has evolved to take a more comprehensive and ongoing approach of identifying, assessing, and managing a broad range of risks that could impact a company’s reputation, competitive edge or bottom line.
Identify: What Risks Does the Company Face?
In many companies, the process of identifying risks focuses on issues such as financial stability, compliance requirements, and operational risks such as quality control, health and safety, environmental, and labor issues. However, as the risk of corruption increases, so should a company’s focus on identifying it before a corruption event occurs.
As a first step, ERM calls for looking at the relevant context of the issue in relation to the company’s objectives, business environment, and other factors. For corruption risk, it is useful to further consider:
- Geographic risk: The legal, regulatory, and business environment in which the company operates. Transparency International’s annual Corruption Perceptions Index offers good insights into perceived corruption in markets around the world;
- Industry or sectoral risk: The extent to which the company is heavily regulated, relies on government contracts, or has a history of corruption-related incidents;
- Business or organizational risks posed by the company’s overall structure;
- Transactional risk: Scenarios in which the business holds unique risks, such as charitable or political contributions, licenses or permits, public procurement projects, or the use of intermediaries or agents;
- Third-party risks: A dependence upon business partners to carry out particular activities or functions; and
- Risk management philosophy and tolerance.
Assess: How Serious Are Those Risks?
Once risks have been identified, the next step is to assess them. This includes an evaluation of the probability or likelihood that a risk will be realized, and the relative severity or consequences for the company if it happens. As a starting point, these risks can be ranked as low, medium, or high in probability.
Taking these two steps alone could have helped the case for Goodyear. The company was recently fined $16 million by the SEC for, in part, not conducting effective due diligence on African subsidiaries alleged to have paid more than $3.2 million in bribes from 2007 to 2011.
Manage: What Steps Should You Take to Manage Risks?
Of course, it is vital to identify and assess corruption risks. However, a truly effective anti-corruption program involves putting business processes in place to systematically reduce risks by decreasing the likelihood of an event occurring and the impact if it does occur.
A robust anti-corruption program starts with sound policies, with procedures and record-keeping to back up those policies; involves a team across the organization and with senior-level support; includes systems and training for employees and for managing third parties; features ongoing monitoring; and includes corrective actions and improvements when something goes wrong.
In today’s interconnected marketplace, where companies have operations, employees, and partners spanning the globe, corruption compliance can seem a daunting task. By taking a proactive risk management approach, companies can address corruption risk in a thoughtful and intelligent way.
Author Biography:
Leslie Benton is the Vice President of Advocacy and Stakeholder Engagement of the Center for Responsible Enterprise And Trade (CREATE.org), a non-governmental organization dedicated to helping companies prevent corruption and protect intellectual property. She previously led the anti-corruption and compliance communications practice at Levick Strategic Communications and was the Senior Policy Director for the US chapter of Transparency International.