At Ethisphere we are fortunate to work with companies around the world to assess and improve anti-corruption programs. As a result, we have a robust data set that tells us where companies have strong controls in place and where improvements should be made.
Although there are some regional differences in maturity of anti-corruption programs, in looking at our data, we see that the scores of Latin American companies are very similar to global averages across the categories that we measure. In fact, we see significant variation within the LATAM region, with large, publicly traded companies more likely to have the most mature programs.
Even Robust Programs Have Gaps
Ethisphere’s anti-corruption assessments cover the seven aspects of an effective program, including:
- Risk assessment
- Policies, procedures, and controls
- Senor leadership and anti-corruption compliance team
- Management of third parties
- Training and communication
- Monitoring and measurement
- Investigations, corrective actions, and improvements
Our data shows that the Policies and Procedures and Anti-Corruption Compliance Teams are the most mature processes within LATAM and globally. Except for a few large and very mature companies, most companies we have worked with have some policy weakness. Most commonly, these are policy gaps or a lack of clarity in company rules on gifts, travel, and entertainment; treatment of government officials (particularly important in a region where public sector work represents a significant amount of economic activity); donations; due diligence; and reporting and non-retaliation.
Companies should have a full set of policies that address specific risks identified through a formal assessment process and all the common ways that bribery can occur. We do not always see this. Companies should also take greater care when drafting policies to ensure they are clear and written in the local language. If policies are too complex, lack key definitions, or are internally inconsistent, employees may not follow them.
Similarly, many companies lack formal, written procedures. Any policy that requires employee action should have a corresponding procedure that is detailed enough for an employee to follow. This is particularly important for employees engaged in higher-risk activities. Where possible, we recommend that new procedures should track existing procedures and be put in place with users in mind.
Mature companies routinely review and revise their policies and procedures and update them when risks change, such as when acquiring a company, entering a new market, or closing a business unit, or when otherwise triggered by a risk assessment or audit.
The Importance of a Cross-Functional Team
While most companies assign responsibility for the anti-corruption program to someone, the role itself is often part time and roles and responsibilities are ill defined. Even when an anti-corruption compliance function or team exists, it is often informal. Having a competent, senior-level “compliance officer” in place to build out a formal cross-functional team is critical to managing corruption risk.
Effectively implementing a program requires company-wide input. Cross-functionality helps the team build awareness among employees, create alignment between the compliance message and actual behaviors, and provide practical support and guidance for employees. Of course, responsibility for anti-corruption compliance should be part of the compliance officer’s formal job description, and he or she should be required to report on program implementation to senior management and the governing body at regular, planned intervals.
Where Programs Fall Short
The least mature processes, both globally and in LATAM, are Management of Third Parties and Monitoring and Measurement.
While most companies perform some level of business-focused due diligence on third parties, half do not perform due diligence specific to anti-corruption, even though third parties present a significant corruption risk. That risk is primarily addressed in contracts, but often not specifically. Companies can improve program maturity and reduce risk by implementing a risk-based due diligence program, communicating with third parties, and monitoring their compliance throughout the life cycle of the relationship. Third party agreements should also be risk based in terms of the type of provisions included and should be approved by the company’s compliance officer or other appropriate representative.
Issues with Monitoring and Training
Most companies do not have a documented system for monitoring anti-corruption compliance internally or in their third parties. Monitoring is a mature activity and usually put in place after other elements of the program are up and running. Monitoring is essential, but there still seems to be some confusion about what monitoring means in practice. Companies should review their program processes on a regular basis to ensure that they are being followed and are effective. This can include analyzing data for trends, testing specific transactions, interviewing and surveying employees and third parties, and other activities designed to uncover control weaknesses. Routine monitoring helps compliance teams continually improve the program, and it sends a message that compliance is important.
There also is room for improvement when it comes to training. Many companies do not routinely train employees after an initial onboarding training, and even fewer give specialized training based on role or function (for example, to managers or specifically to accounting/finance or sales staff). Without ongoing, effective training and communication, a compliance program will likely fail. We recommend that companies replace once-a-year, one-size-fits-all training—still the most common training type—with shorter, more frequent, and more engaging training modules and other communications, as well as training tailored to risks, roles, and responsibilities.
No anti-corruption program is perfect. However, taking a risk-based approach, assessing business processes against leading guidance to identify strengths and weaknesses, and working on continual improvements can go a long way toward mitigating issues and positioning companies for success.
About the Author:
Leslie Benton is a Vice President at Ethisphere, where she engages with global companies on assessing and benchmarking anti-corruption programs and building capabilities across organizations and with third parties. Additionally, she leads the anti-corruption initiatives at the Center for Responsible Enterprise And Trade (CREATe.org); and is one of the ISO 37001 Anti-Bribery Management Systems Standard drafters as a member of the U.S. Technical Advisory Group to the ISO committee developing ISO 37001.
She is a former Senior Vice President of Levick Strategic Communications, where she led the anti-corruption and compliance communications practice. Previously, she was the Senior Policy Director for the U.S. chapter of Transparency International, where she spearheaded the chapter’s outreach to the U.S. Government, international institutions, and the private sector.