BRIBERY AND CORRUPTION
THE ESSENTIAL GUIDE TO MANAGING THE RISKS
CONTENTS
Failing to Manage Bribery and Corruption Risks Can Be Very Expensive…
A Global Risk
What Can Be Done to Address the Risks Associated with Bribery and Corruption?
“The FCPA also requires issuers to maintain accurate books and records and have a system of internal controls sufficient to, among other things, provide
reasonable assurances that transactions are executed and assets are accessed and accounted for in accordance with management’s authorization.
The sanctions for FCPA violations can be significant. The SEC may bring civil enforcement actions against issuers and their officers, directors, employees,
stockholders, and agents for violations of the anti-bribery or accounting provisions of the FCPA. Companies and individuals that have committed
violations of the FCPA may have to disgorge their ill-gotten gains plus pay prejudgment interest and substantial civil penalties.
Companies may also be subject to oversight by an independent consultant.”
The U.S. Securities and Exchange Commission
The U.S. Foreign Corrupt Practices Act (FCPA) and the U.K. Bribery Act are just two
examples of government legislation that aim to address the problem by levying
massive fines and other penalties against organizations and individuals involved in
bribery. The specifics of regulations vary by region and applicable laws.
The FCPA, for example, is only applicable to public companies whose shares are traded on U.S. exchanges and only relates to corrupt payments to government officials. The U.K. Bribery Act is more wide-ranging and also applies to corrupt payments to non-government officials. Other national legislation, such as the Chinese Article 164, the Brazilian Clean Company Act and the Canadian Corruption of Foreign Public Officials Act, among many others, all seek to do essentially the same thing and impose very severe penalties on corporations that resort to bribery.
Despite increasing global legislation and enforcement, the extent of bribery and corrupt payments does not appear to be in decline. PwC’s 2014 Global Economic Crime Survey reported that most organizations have actually seen an increase in the problem. Bribery and corruption, along with other forms of fraud and economic crime, continue to be a major concern for companies of all sizes across all regions and in virtually every sector.
More than 40 countries have adopted the OECD Anti-Bribery Convention, which establishes “legally binding standards to criminalize bribery of foreign public officials in international business transactions.”
8 - Bribery & Corruption: The essential guide to managing the risks
SO WHY IS BRIBERY STILL COMMONPLACE AND SUCH A RISK?
Dealing with the problem of bribery and corrupt payments is not always easy. Formal
policies in most large companies clearly forbid such practices, but this does not mean
they will not occur. Behavioral education and compliance training is simply not
enough to mitigate the risk.
Payment and receipt of bribes, as well as other forms of facilitation and consulting fees, gifts, entertainment, travel and other benefits, are a well-established part of business and government culture in many parts of the world. Until relatively recently, these practices were widely accepted by large, global companies as simply a part of the cost of doing business. The reality for many business managers is that it can be extremely difficult to remain competitive and win new business in foreign markets without resorting to some form of activity that may be illegal or, at best, in a “grey area.”
As a result, in spite of the implementation of increasingly stringent corporate policies, the temptation is to do whatever is necessary to close a deal and then find a way to avoid getting caught. This often means that large payments manage to make their way into the bank accounts of influential individuals in governments or corporations in order to win a contract, but are carefully disguised in a way that makes them difficult to detect through normal control mechanisms.
Chief Compliance Officer: The CCO role owns overall responsibility for protecting the organization from compliance risk and enforcement actions and often directly leads the creation and management of an ABAC program.
General Counsel: General Counsel usually plays an active role in regulatory compliance and establishment of levels of risk appetite around specific activities.
Chief Risk Officer: Many organizations now have a formal role of Chief Risk Officer that focuses on facilitation and coordination of overall enterprise risk management (ERM) processes, ensuring that appropriate procedures are implemented by those with more direct responsibilities for avoiding potentially corrupt payments. The CRO is usually responsible for identifying and prioritizing material risks and discussing them with senior management and the Board.
Chief Financial Officer: The CFO bears responsibility for financial controls, while line and regional executives are directly responsible for the appropriateness of payments that take place within their area of budgetary and business control.
Internal Audit: As with most areas of risk, internal audit needs to consider the risks and controls related to ABAC as they develop and execute their audit plan. Internal audit’s procedures provide assurance that ABAC processes and controls are effective and working as intended. It is of course the job of business management to actually implement and maintain the ABAC processes and controls.
TIP >> As there are various stakeholders in the ABAC Program process, the important thing is that all are aware of their respective roles and how they fit within the process. In order
to achieve this there needs to be an effective central system that can be accessed in order to clearly communicate and share information on the process and its current status.
A FORK IN THE PROCESS ROADMAP:
CHOOSE A STANDALONE OR AN INTEGRATED PROCESS
Although it is preferable that the processes for managing the risks of bribery and corruption are integrated into an overall enterprise risk management “ERM” process, this is not always feasible within some organizations.
The benefits of integration are that a full range of risks can be assessed and compared with a consistent approach and within one system. This allows specific bribery risks to be evaluated within the overall business context of organizational objectives. Appropriate resources can then be allocated for management and mitigation of a range of different risks, based on the organization’s tolerance for different types of risk.
If an integrated ERM approach is not practical, the specific processes for managing an ABAC program remain essentially the same, except without the element of comparison of the relative impact of different risks.
As noted, if a formalized ERM process exists within an organization, then the anti-bribery and anti-corruption (ABAC) risk assessment process should ideally be carried out within the corporate ERM framework. However, in some organizations the overall risk management process is fragmented and the reality is that risks of bribery and corruption are considered in relative isolation.
Whichever approach is taken within an organization, the process of defining the risks should involve individuals with sufficient knowledge of regulations and the ways that the business actually works.
1 IDENTIFY AND ASSESS RISKS
The first thing to do is fully understand the nature of the risks of bribery and corrupt
payments across the organization. The specific risks can vary considerably according
to factors such as:
■ Applicable legislation
■ Types of business carried out
■ Geographical locations in which business takes place
■ Types of customers
TIP >> The use of spreadsheet technology for risk identification and assessment can itself be risky, due to the
inherent problems of maintaining control over the integrity of information recorded, avoiding errors and
accidental changes and being able to share information in an efficient way.
BUILD AN ANTI-BRIBERY & ANTI-CORRUPTION PROGRAM: 5 STEP PROCESS
2 IDENTIFY MITIGATION PROCEDURES TO REDUCE THE RISKS AND THEIR IMPACT
Risks are a normal part of business. Some, such as investing in new products and markets, are very desirable for any healthy, growing, innovative company. Other types of risks, such as those related to bribery and corrupt payments are clearly not generally desirable. The issue is to weigh the negative aspects of risks against the cost of managing the risks. In some cases it may make good business sense to accept that a risk will sometimes turn into a negative event as the cost of managing and reducing the risk is simply too high.
Once the nature of the types of bribery and corruption risk is properly understood, an important part of the risk management process is to identify the ways in which the risks can be monitored, reduced, or eliminated through mitigation efforts.
In the case of ABAC, mitigation efforts could include examples such as:
■ Corporate policies that are documented and expressly prohibit the payment of bribes or other forms of corrupt payments.
■ Compliance training programs for those most likely to be exposed to bribery and corrupt activities, designed to increase awareness and educate on what constitutes illegal or “grey area” activities.
■ Specific controls, such as approval, authorization, and review processes, for payments that take place through systems for vendor payables, purchasing cards, travel & entertainment expenses.
■ Systematic monitoring of payments to look for suspect outliers, unusual patterns and other indicators of potential cases of bribery and corruption.
For each type of mitigation procedure, whether policy, specific control, or program, it is important to consider at a detailed level all the things that could go wrong and make the process or program ineffective.
3 MONITOR
The ABAC risks have been defined, assessed, and ranked and decisions made about
the risk mitigation processes that need to be in place. What’s left to do…?
Quite a lot.
What is Human Analytics?
In its simplest of forms, surveys or questionnaires are forms of human analytics. But the possibilities of solving significant problems and adding strategic value are endless with human analytics.
The single most effective method of monitoring is to examine every payment transaction and every benefit provided by the organization in order to determine if there are signs that non-compliant activities occurred, in spite of the policies and controls that are meant to be in place. This form of detailed testing of transactions and controls, based on data analysis, is used widely by internal auditors in many of their assurance activities.
This approach is even more effective when used by those directly responsible for maintaining effective payment control systems, including the financial, business, and operational managers of an organization, as well as those in specific compliance functions.
Entire populations of payment transactions, across disparate business systems, are examined in detail to look for indicators of problems such as some of the following:
■ Payments made to individuals on the “Politically Exposed Persons (PEP)” database of foreign government officials
■ Expenses in high risk regions described using suspect keywords such as “facilitation”, “consulting”, “donation”, “training”
■ Payments made in high risk regions to one time or new vendors that do not fit the typical vendor profile
■ High value transaction amounts that have not been subject to required approvals
■ Payments made through and to unusual offshore bank accounts
ABAC TECHNOLOGY REQUIREMENTS:
o Links between individual controls and the tests used to examine transactions and other data.
o Ability to perform a wide range of data analysis tests on an automatic basis and link the results back to the description of the control.
o Visual analysis of testing results.
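The indicator tests listed above, sketched as an added example (not from the eBook or from ACL's software): each rule is applied to every payment in the population and the triggered flags become the exceptions. The watch lists, region and country names, approval threshold and payment records are all constructed, and treating a vendor with at most one payment in the data set as “one time or new” is a simplifying assumption.

```python
import re

# Constructed reference data and thresholds (assumptions, not real lists).
PEP_NAMES = {"jane q. minister"}
HIGH_RISK_REGIONS = {"Region-A"}
OFFSHORE_BANK_COUNTRIES = {"Country-X"}
SUSPECT_KEYWORDS = re.compile(r"\b(facilitation|consulting|donation|training)\b", re.I)
APPROVAL_THRESHOLD = 10_000  # amounts at or above this require an approver

FIELDS = ("id", "vendor_id", "payee", "region", "amount",
          "description", "approved_by", "bank_country")
ROWS = [  # constructed sample payments
    ("P1", "V1", "Acme Supplies", "Region-B", 500, "Office supplies", None, "Country-Y"),
    ("P2", "V1", "Acme Supplies", "Region-B", 1200, "Printer toner", None, "Country-Y"),
    ("P3", "V2", "Jane Q.  Minister", "Region-A", 25000, "Facilitation fee for permit", None, "Country-X"),
    ("P4", "V3", "Local Logistics", "Region-A", 15000, "Freight charges", "cfo", "Country-Y"),
    ("P5", "V3", "Local Logistics", "Region-A", 800, "Staff training workshop", None, "Country-Y"),
]
SAMPLE_PAYMENTS = [dict(zip(FIELDS, row)) for row in ROWS]

def normalize(name):
    """Lower-case and collapse whitespace so trivial spelling variants still match."""
    return " ".join(name.lower().split())

def screen(payment, vendor_counts):
    """Return the names of the indicators that this one payment triggers."""
    flags = []
    high_risk = payment["region"] in HIGH_RISK_REGIONS
    if normalize(payment["payee"]) in PEP_NAMES:
        flags.append("pep_match")
    if high_risk and SUSPECT_KEYWORDS.search(payment["description"]):
        flags.append("suspect_keyword")
    if high_risk and vendor_counts.get(payment["vendor_id"], 0) <= 1:
        flags.append("new_or_one_time_vendor")
    if payment["amount"] >= APPROVAL_THRESHOLD and not payment.get("approved_by"):
        flags.append("missing_approval")
    if payment["bank_country"] in OFFSHORE_BANK_COUNTRIES:
        flags.append("offshore_account")
    return flags

def run_tests(payments):
    """Screen the entire population and return {payment id: flags} for exceptions only."""
    vendor_counts = {}
    for p in payments:
        vendor_counts[p["vendor_id"]] = vendor_counts.get(p["vendor_id"], 0) + 1
    results = {p["id"]: screen(p, vendor_counts) for p in payments}
    return {pid: flags for pid, flags in results.items() if flags}

if __name__ == "__main__":
    for pid, flags in run_tests(SAMPLE_PAYMENTS).items():
        print(pid, flags)
```

Tightening or loosening `APPROVAL_THRESHOLD` and the keyword list changes how many exceptions the run produces, which is the volume the exception-management step then has to handle.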
4 MANAGE EXCEPTIONS
The transaction monitoring process can produce a high or low number of exceptions,
depending on the thresholds and parameters used in the data analysis tests. In order
to determine whether the ABAC Program is working effectively, it is important to have
a strong process for dealing with exceptions.
5 REPORTING AND ONGOING ASSESSMENT
Reporting is one of the most important and valuable steps in the ABAC Program process.
This is where risk managers, compliance officers, auditors, C-suite executives, and other
stakeholders can really get visibility into how effectively the ABAC program is working.
Ideally, the reporting system should be able to go from a top level overview of overall risk trends, all the way down to the
detail of specific red flags of potential violations, including the resolution of each issue that was identified. It is a critical
part of the ongoing risk assessment process.
One of the great benefits of using data analysis in the ABAC Program process is that the monitoring and assessment
process can be accurately quantified.
This could mean, just as an example, that a report or visual dashboard shows –
[Figure: process diagram with the labels Risk & Controls Database, Tests, Payment/Benefits Transactions, Manage Exceptions, Respond & Resolve, Report]
The business media regularly reports news showing the increasing magnitude of threats posed from failing to comply with anti-bribery and anti-corruption legislation.
We know that some organizations are well down the path of implementing effective programs to manage these risks, while others still have a very long way to go. Where does your organization fit in this spectrum?
We hope that this eBook has provided you with some helpful information on how to best manage the risks associated with bribery and corrupt payments, using technology including data-centric compliance management as a key driver.
We are here to help.
WE’RE HERE TO HELP
ACL has drawn upon its two decades of experience working with thousands of customers worldwide to develop detailed methodologies and best practices for managing anti-bribery and anti-corruption compliance.
For a free assessment of how your organization can best integrate technology into your compliance program, call 1-888-669-4225 or email info@acl.com
1. IDENTIFY AND ASSESS RISKS
o Ability to record, assess, and rank a range of risks in a structured and consistent way that provides sufficient detailed information for comparison and reference purposes

2. IDENTIFY MITIGATION PROCEDURES TO REDUCE THE RISKS AND THEIR IMPACT
o Ability to clearly identify the relevant mitigation procedures and controls for specific bribery and corruption risks
o Ability to assess the effectiveness of each mitigation procedure or control

o Ability to perform a wide range of data analysis tests on an automatic basis and link the results back to the description of the control
o Visual analysis of testing results

4. MANAGE EXCEPTIONS
o Flexible workflow capabilities that can accommodate a range of alternate actions depending on the nature of exceptions generated
o Comprehensive visual reporting on the status of exception management activities, in summary and at a detailed level
o Ability to collaborate with any stakeholder of the organization – including vendors, partners, contractors, clients and employees and request confirmation or evidence for the validity of a transaction or payment
o “Human analytic” capabilities, meaning the ability to assess and combine responses that individuals provide when following up on exceptions

6. REPORTING AND ONGOING ASSESSMENT
o The ability to quickly and easily get an overview of the status of the entire ABAC process and move down to whatever detailed level is appropriate
o Provide an executive storyboard that shows all material issues identified in the organization, across all risk mitigation programs, as it relates specifically to ABAC
o Multiple levels of access control and security in order to ensure that sensitive data is only available to those who should be involved in a particular part of the process
o Visual reporting capabilities that, where needed, are fully integrated into an overall risk management dashboard
o Reporting that can be accessed from a range of

o Software runs on a range of mobile devices
o Seamless integration across functional capabilities, including data analysis
o Modern, simple design and best practices user interface
ABOUT ACL
ACL delivers technology solutions that are transforming audit,
compliance, and risk management. Through a combination of
software and expert content, ACL enables powerful internal
controls that identify and mitigate risk, protect profits, and
accelerate performance.
Driven by a desire to expand the horizons of audit and risk
management so they can deliver greater strategic business value,
we develop and advocate technology that strengthens results,
ABOUT THE AUTHOR: