Anti-corruption Due Diligence
GoodCorporation began the first Business Ethics Debate of 2013 with an assessment of anti-corruption due diligence and the problems businesses are facing in ensuring compliance with the UK Bribery Act in this area.
Leo Martin, director of GoodCorporation introduced the topic by stating that ensuring adequate due diligence appears to be the most challenging area of work for organisations that are trying to develop adequate procedures. From the work that GoodCorporation has completed in this area, it is clear that even the most well prepared companies are struggling with due diligence, often doing too much or too little.
This presents a real danger to businesses, despite the lack of prosecutions from the Serious Fraud Office. The behaviour of third parties has been a key aspect of Department of Justice prosecutions and the Rolls-Royce case suggests that it will also be a major issue under the UK Bribery Act.
It was said that the reason why this is proving such a problem is in part structural: those responsible for compliance are physically remote from the sales and procurement teams that are appointing and using third parties on the ground. In addition, many companies are falling into one of two traps, either using databases to undertake a large process of ineffectual checks or doing more rigorous checks on too few third parties. Assessing existing as well as new third parties is also a real challenge, particularly as many larger organisations have tens of thousands of suppliers and in some cases these are inherited from merger or acquisitions and are therefore harder to find and check.
Developing a process to get this challenging area of anti-corruption due diligence right is clearly vital. Carefully designed decision trees can be invaluable, but few companies are using them effectively. Decision trees help businesses to identify ‘the animals in the park’, what level of due diligence is proportionate and reasonable and what practical tools can be applied to each one.
Key third parties to check are:
- Sales agents and Intermediaries
- Joint Venture partners
- Permit/commercial agents
- New employees and contractors
- Recruiters of suppliers
Managing the ‘animals in the park’
Sales agents and intermediaries: Most companies know who they are, but care must be taken to ensure that ALL are properly identified and managed, including sub-agents and non-standard sales agents. These intermediaries present the greatest risk to companies and should be subject to the maximum due diligence in the form of questionnaires, client references, database checks and policy checks as well as certification and training.
A key area of risk, which is not normally considered as part of ‘due diligence’ is the remuneration structure, this should be realistic, proportionate and sensible – avoiding commission only structures wherever possible.
A number of organisations are consciously reducing the number of sales agents that they are using and bringing sales activities more in-house to control these activities more effectively and to reduce risks.
Joint ventures, acquisitions, long term partnerships: These all require the same type of full due diligence activities and GoodCorporation’s experience on the ground is that these types of structures can present the largest one-off ABC risks. Despite this most organisations are not doing ABC testing in newly set-up structures.
Permit/commercial agents: This is the hardest area to manage for three key reasons: there can be so many of them, they operate in high and low risk areas and there is no ‘one size fits all’ approach. The following steps are crucial:
¢ Be sure to know who they all are – a check list of all of the types of permitting and licence-getting activities is invaluable in this regard
¢ Risk-assess each one to place into high, low and medium risk hoppers (is it a high-risk activity? Is it a high-risk country? What is the volume and frequency of the activities?)
¢ Adopt a risk-based response e.g.
- Inform of policy and ABC stance (all)
- Inform in a contractually binding format e.g. PO or contract (all if possible)
- Ask them to complete an annual certification (where higher risks exist)
- Due Diligence Questionnaires and client references (for more extreme cases only)
- Training in extremis
Recruitment of employees and contractors: A checking process is needed to review new employees and contractors for conflicts of interest and political connections. However this should be more easily managed through existing HR structures that provide a natural opportunity for checks. The problem that companies face is that they can get lost and lose sight of why they are carrying out this type of due diligence.
Recruitment of suppliers: Where intermediaries are used to help select suppliers, there are obvious corruption risks of bribes being paid by suppliers to be selected. This passive bribery risk falls outside the adequate procedures defence, but in some sectors can present an important risk.
Finally it was noted that due diligence is the beginning of the process not the end. Often due diligence will require monitoring and remedial actions to ensure that risks are reduced.
With the majority of companies present feeling they were not doing enough anti-corruption due diligence, the debate focussed on some of the key problems this process presents.
Implementing a centralised policy across autonomous divisions is a real challenge. Some companies feel they know what to do and have a good process that is working well in some areas, but rolling this out globally in a systematic way is proving problematic. Should a mandatory set of instructions be given to all business units to follow? Or is it more effective to explain the principles and allow each business unit to develop its own tailored approach?
Culture clash: ABC due diligence is new for many organisations and in some cultures it is a struggle to convince colleagues of the need to do due diligence. This makes it essential to have proportionate systems that direct the due diligence to the third parties where there are genuine risks. It also requires a lot of ‘change management’ to convince colleagues and bring them on-board.
JV challenges: Some reported that while they had successfully completed adequate due diligence on suppliers, such a robust approach was harder to implement with JV partners where trust forms a key part of the relationship. Implementing checks without damaging relationships can be a major challenge. Conversely, it was also suggested that no one is above scrutiny; anyone carrying out activities on a company’s behalf should be checked and JV partners and JVs themselves should be subject to a due diligence process.
Financial risk assessment: Some companies are assessing risk and due diligence needs according to the value of the contract – this in itself could be a high-risk approach. The group debated that due diligence must be proportionate to the risks identified, but that some very high-risk activities might be very small in terms of value and therefore harder to spot.
Managing red flags: A number of participants commented on the fact that due diligence is not necessarily the hard part of the job. The harder part is applying the judgement needed when red flags are identified. It is too easy to say ‘red flag – don’t do business’. The reality is that in some markets and sectors red flags are bound to exist. The problem is how to put in place sensible monitoring and remedial action plans to bring the third-party up to scratch so that it can be safely engaged.
Logic checks: Some companies noted that due diligence can be too formulaic and lack any logic check. The important and obvious corruption risks can be missed by a due diligence questionnaire. It is more important to stand back and ask questions such as ‘where is the corruption risk with this activity?’ ‘What is the potential for kick-backs?’ ‘Is the contract structure creating more risks?’ ‘Do we really need to use a third party at all?’
Despite the many challenges that this element of adequate procedures presents, some companies reported that robust anti-corruption due diligence can be developed as a commercial opportunity. More customers will be looking to protect themselves by using suppliers with robust due diligence and ABC controls. A company can enhance its reputation therefore by having a robust process in place.
From the discussion, it is clear that this is a difficult problem to solve. Few companies felt that they were doing enough and they are not alone. Our anti-corruption assessments show that due diligence of third parties is the weakest anti-corruption practice and even the upper quartile companies are generally failing to put in place adequate procedures.
Despite the difficulty, it is a problem that businesses must solve, as the risk is great and the penalty for failure high. Identifying those who pose the greatest risk is an essential first step and decision trees should be used more widely to do this. Anti-corruption procedures must then be put in place to mitigate risk and on-going monitoring carried out to ensure continued compliance. Programmes must be carefully designed so that they are achievable. A good programme could also have genuine commercial benefits for the company.
GoodCorporation Business Ethics Debate February 2013
The digitisation of our personal information has made that data vulnerable: as HMRC found out in 2007 it is relatively easy to lose the records of 25 million individuals when they are contained on a couple of floppy discs –…