Recent corruption investigations in Brazil, China and Mexico have highlighted the risks confronted by multinational companies operating in a global enforcement environment. Governments throughout the world are demanding that companies have effective compliance programs that prevent, detect and respond appropriately to potential corruption.
While standards of compliance are often expressed differently among jurisdictions — such as the guidance issued under the U.S. Federal Sentencing Guidelines and the U.K. Bribery Act — the conduct that governments expect is increasingly uniform and consistent across the world. To satisfy these converging expectations, companies must design and implement programs that can be applied anywhere to manage risk. The place to start is to thoroughly understand the risk environment. Because all companies face limitations to the resources they can devote to the task, they must instill an overall culture of compliance but focus on the areas of greatest operational risk. Some industries by nature have governments as customers and face significant corruption risks associated with direct commercial dealings with those customers. Other industries are subject to heavy government regulation, and individual government officials have significant influence on the company’s ability to conduct business. Finally, as a practical matter, virtually all companies conduct business in multiple countries and confront daily issues of moving goods across borders and obtaining permits and other approvals. All of these are touch points where corrupt acts can and often do arise.
Accordingly, effective compliance policies — and the controls and approvals associated with those policies — are critically dependent on a risk assessment whereby the company analyzes the nature of the industry and the areas of the world in which it operates, and considers what compliance infrastructure it needs to manage those risks. For example, companies in heavily regulated industries such as pharmaceuticals or health care may need more extensive reviews and process-oriented controls of their government interactions, whereas other industries that have limited government interactions, such as less-regulated consumer products, may rely on training and education to convey expectations and more general rules regarding employee conduct.
Once a company has identified its risk environment and considers the way in which it operates its business, including through subsidiaries or third parties like distributors, key decisions can be made about whether its policies and procedures can inform employees and related third parties about acceptable conduct in dealing with governments and government officials. Some aspects of programs will apply worldwide, subject to local laws and regulations and concerns about local risks.
Once appropriate rules and policies have been developed, the challenge is to communicate those standards to employees and third parties while at the same time requiring, where needed, business process changes to ensure that the company can meet these challenges.
Effective training allows employees to understand not only the written standards, but also how to apply them in particular circumstances. Written policies are often less important than the way in which employees assimilate them in their daily work. Guiding employees through practical case studies of government interactions is essential. Merely requiring an employee to read policies and procedures is usually not enough.
Typically, the development of an adequate compliance infrastructure will require employees to conduct business differently than in the past. The challenges should not be underestimated — this is the most important aspect of refining a compliance program, the core of how a company implements its standards. Any significant change to enhance controls to meet government expectations can take a year or more to achieve.
The global standard for effective compliance also requires appropriate oversight of both employee and third-party conduct. Without this oversight, a company will have no idea how well its employees are performing, how effectively its rules have been implemented, and how it can determine what changes may be needed to encourage compliance.
Oversight, just like other essential elements of a globally effective compliance program, must be risk-based. What should a company’s compliance function and the business look for to ensure that rules in the anticorruption area are being followed? Are transactions or interactions that are subject to prior approval being approved as required? Are the financial payments that may result from government interactions consistent with the prior compliance review and approval?
Given the rapid development and increasing sophistication of many global companies’ financial control systems, the coordination and integration of compliance with financial controls is another challenge that should not be underestimated. Unless the finance function coordinates well with compliance controls, there can be no assurance that improper payments will be prevented.
The global standard for controlling anticorruption risks also requires an effective response when misconduct might have occurred. Appropriate investigation of incidents, corrective action, employee discipline or termination, or program redesign are all part of an effective and responsive compliance effort.
An effective anticorruption compliance program therefore contains relatively straightforward elements. It must be risk-based, with controls designed to address the risks a company is likely to confront. It must include clear standards of conduct to prevent, detect and respond to those risks. It must communicate both expectations and rules of conduct and enable businesses to incorporate them in their daily activities. And it must watch to ensure that employees and third parties follow these rules, and respond appropriately when there is risk that they do not.
Implementing and sustaining a compliance policy for a company operating in multiple time zones in different cultures and with different management teams is no easy task. No compliance program can be static: Companies must periodically reassess their programs using the evolving enforcement environment as a guide for program enhancements.
There are several key structural lessons to be learned from the evolution of global anticorruption programs. Perhaps the most important is that the business function in the company must “own” the compliance process and answer for its successes and failures. When the business owns compliance, it becomes an everyday activity that is inherently local and more effectively implemented.
At the same time, centralized oversight is necessary to ensure that the program is working well across the board. Senior management must not only approve an appropriate and effective compliance framework, but must also understand that framework and address problems as they arise. While many decentralized companies have historically relied on remote decision-making, that is no longer sufficient in itself from a global compliance perspective.
Another key lesson is that business leadership must embrace a compliance culture, both in what management says and in how it acts on a day-to-day basis. Without active and vocal support from the top, no program is sustainable. Employees immediately perceive any wavering in senior management’s commitment to compliance.
Just as important is the burden of controls. Who will provide the compliance review and what resources will be needed? Without resources, controls can be established on paper but implementation often fails.
Relationships with third parties who act on a company’s behalf must be a high priority. Companies increasingly use third parties, including agents and distributors, to outsource key activities and expand their businesses. To the extent these involve interactions with governments on behalf of the company, major corruption risks can arise quickly. Indeed, many of the reported enforcement cases involve third-party misconduct that is attributed to the retaining company. Accordingly, third parties need to be controlled in ways that advance the company’s compliance goals. Third-party management, including diligence, oversight and periodic review, is a hallmark of any compliance program that will meet today’s global compliance standard.
Regardless of how individual governments express their expectations on compliance, it is clear that global companies, regardless of nationality, sector or countries of operation, must use the approach outlined above to manage risks and to prevent and deter misconduct. A company that designs, implements and refines a compliance program guided by these processes will be in a position to operate a truly global program designed to meet the expectations of governments worldwide.
Keith Korenchuk is a partner and Samuel Witten and Christopher Yukins are counsel in the Washington office of Arnold & Porter. Yukins is also a professor of public procurement law at George Washington University Law School.