Phasing-In Your Company's New Anti-Corruption Compliance Program
With all the hysteria surrounding anti-corruption compliance programs, companies try to react quickly, adopt a compliance program and then implement it. If done too quickly, it is certain to “fail.”
An anti-corruption program needs to be phased in, while assuring adequate buy-in, modification and monitoring. With a phased-in and continuous monitoring approach, a compliance program will be securely established and in the end, more successful. It is too easy and even unrealistic for companies to roll out a program, expect buy in, and then sit back and watch it work. The reality is far different.
Starting with a plan, the company needs to set out a realistic and appropriate timeline,which reflects available resources, current risks and business needs. Trade offs are inevitable — compliance cannot be the one and only corporate goal, although it is certainly an important one.
In most cases, companies need to map out, at a minimum, a three-year plan, or at a minimum three phases. Of course, two of the phases can be collapsed but you need to be realistic. As always, we need to assume that the process is continuous and modifications are made as the program continues.
Year One
In Year One, the company should complete an individualized risk assessment which will require significant time and resources. Based on the risk assessment a more appropriate timeline can be developed but assuming that the risk assessment is fairly straightforward, and depending on existing controls and procedures, the company should then move to drafting and adopting a statement by senior leadership of corporate commitment to corporate policy against violations of anti-corruption laws and the adoption and release of of a compliance code and policy.
Year One should also include the appointment of an anti-corruption compliance officer and creation of direct reporting relationship to Board or appropriate Board committee (audit or compliance).
The company will also need to draft written policies and procedures for gifts; hospitality, entertainment, and expenses; customer travel; political contributions; charitable donations and sponsorships; facilitation payments; and solicitation and extortion. As always, these can be tweaked and modified as time goes on but something needs top be put into place fairly soon after the risk assessment is completed.
Finally, as part of Year One, the company should begin to craft due diligence policies and procedures for the hiring, retention and oversight of all third parties, including agents, representatives, distributors, consultants or other third party relationships. As part of this process, the company will first need to identify all existing third-party relationships and agreements.
Year Two
In Year Two, much of the effort will be devoted to rounding out the third-party due diligence procedure, expanding it to include joint venture partners and mergers and acquisitions, and most importantly, the process of training the Board, officers and employees of the new policies and procedures, as well as basic anti-corruption requirements.
With respect to the due diligence procedures and third parties, the triage process will lead to increased scrutiny, termination and modification of existing relationships. More controls and reviews will be put into place, including new requirements for written agreements, annual certifications, anti-corruption provisions and expansion of training programs to include third-party agents.
Year Three
In Year Three, the finer points of a compliance program will be implemented. These include:
— Establishment of internal guidance and advice procedures, and a system for internal and confidential reporting by directors, officers, employees, and agents and business partners who wish to report violations of law, compliance policies or other misconduct.
— Implementation of a revised discipline program to ensure that directors, officers, employees and third party agents are disciplined for any violations of the company’s anti-corruption compliance programs and policies.
— Ongoing monitoring and auditing of the compliance policies and procedures to ensure that they are effective at preventing and detecting foreign bribery.
— Periodic review and testing of anti-corruption compliance code, standards, and procedures, including internal controls, ethics, and compliance programs.
— Review and revision of financial and accounting internal controls specifically designed to keep accurate books and records and protect against bribery.
I am sure everybody on the verge to design and implement a compliance program wishes to have a timeline described in this article. But in most cases the stakeholders are not so laid back to wait three years to receive the message, the compliance program is up and running. It is important, that someone like Michael is stressing this point, that such an implementation needs time to be effective. Just rushing through the process does not create a sustainable compliance and ethics program.