Anti-Corruption Due Diligence – Part 2
Anti-corruption due diligence is proving to be one of the most challenging areas of Bribery Act compliance. In this debate, GoodCorporation led the discussion with an assessment of anti-corruption due diligence practices and the problems businesses are facing in order to demonstrate adequate procedures.
Leo Martin, director of GoodCorporation, introduced the topic by stating that even the most well prepared companies are struggling with due diligence. From the 50 Anti-Bribery and Corruption (ABC) assessments that GoodCorporation has conducted to date for leading international organisations, even some businesses in the top quartile have inadequate due diligence.
This presents a real danger to businesses, despite the lack of prosecutions from the Serious Fraud Office. The behaviour of third parties has been a key aspect of Department of Justice prosecutions (under the FCPA) and the current cases with the Serious Fraud Office (SFO) suggest that this will also be a major issue under the UK Bribery Act.
It was suggested that one reason why this is proving such a problem is in part structural: those responsible for compliance are physically remote from the sales and procurement teams that are appointing and using third parties on the ground. In addition, many companies are falling into one of two traps, either using databases to undertake a large process of ineffectual checks or doing more rigorous checks on too few third parties. Assessing existing as well as new third parties is also a real challenge, particularly as many larger organisations have tens of thousands of suppliers and in some cases these are inherited from a merger or acquisition and are therefore harder to find and check.
Developing a process to ensure that due diligence is manageable and proportionate to risk is clearly vital. Carefully designed decision trees can be invaluable, but few companies are using them effectively. Decision trees help businesses to identify ‘the animals in the park’, what level of due diligence is proportionate and reasonable and what practical tools can be applied to each one.
Key areas for concern:
- Sales agents, joint venture (JV) partners and intermediaries
- Permitting/commercial agents
- Recruitment of employees and contractors
- Managing the recruitment of suppliers
Managing the ‘animals in the park’
Sales agents, JV partners and intermediaries: Most companies know who they are, but care must be taken to ensure that ALL are properly identified and managed. These intermediaries present the greatest risk to companies and should be subject to the maximum due diligence in the form of questionnaires, client references, database checks and policy checks as well as certification and training.
A key area of risk, which is not normally considered as part of ‘due diligence’ is the remuneration structure, this should be realistic, proportionate and sensible. Excessive sales incentives can create risk and many leading businesses are moving away from commission only structures wherever possible. It is essential to ensure that sales agents and intermediaries have the same attitude, integrity and motivation as the company’s regular sales force.
A number of organisations are also consciously reducing the number of sales agents that they are using and bringing sales activities more in-house to control these activities more effectively and to reduce risks.
This extensive due diligence should also be applied to joint ventures, acquisitions and long-term partnerships. GoodCorporation’s experience on the ground is that these types of structures can present the largest one-off ABC risks. Despite this, most organisations are not doing ABC testing in newly set-up structures.
Permitting/commercial agents: This is the hardest area to manage for three key reasons: there can be so many of them, they operate in high and low risk areas and there is no ‘one size fits all’ approach. The following steps are crucial:
- Be sure to know who they all are – a check list of all of the types of permitting and licence-getting activities is invaluable in this regard
- Risk-assess each one to place into high, low and medium risk hoppers (Is it a high-risk activity? Is it a high-risk country? What is the volume and frequency of the activities?)
- Adopt a risk-based response e.g.
- Inform all of policy and ABC stance
- Inform in a contractually binding format e.g. PO or contract (all if possible)
- Ask them to complete an annual self-certification (where higher risks exist)
- Due Diligence Questionnaires and client references (for more extreme cases only)
- Training in extremis
Recruitment of employees and contractors: A checking process is needed to review employees and contractors for conflicts of interest and political connections. This may be more easily managed if channelled through existing HR structures that provide a natural opportunity for checks. The problem that companies most often face with this, is that they can lose sight of why they are carrying out this type of due diligence. The key is to identify the conflicts that exist with the organisations with which the company is trying to do business. It is not necessary to identify every contact with every government employee. This approach can lead to long and irrelevant lists of connections to teachers and doctors and others that are unrelated to the business and its activities.
Recruitment of suppliers: This tends topresent a passive bribery risk. Where intermediaries are used to help select suppliers, there is the obvious risk of the supplier paying a bribe in order to be selected. Although this passive bribery risk falls outside the adequate procedures defence, in some sectors it can still present a real risk of corruption.
Finally it was noted that proper risk assessment is the crucial first step in making due diligence really work. Once the risks are identified, due diligence itself is often the beginning of a long and complex process involving on-going monitoring and the implementation of remedial actions to ensure that risks are reduced.
With the majority of companies feeling that there was still work to be done, the debate focussed on some of the key problems this process presents.
Time scale: There were few companies that felt they had robust ABC due diligence in place.
Those that did had undertaken the following:
- Ending all contracts and insisting on issuing new ones for all sales agents
- Use of external support to conduct due diligence on third parties being awarded a contract
- Significant reduction in the number of third parties used
- Implementation of a risk matrix for all sales agents
- Use of a strict approval procedure including an approval panel for selecting sales agents
Although confident that this is effective, it is extremely time consuming and it was suggested that this route may not be sustainable or even feasible in a fast-moving industry. And despite this level of due diligence it was admitted that calculated risks were occasionally taken as due diligence should not be about business prevention.
Effectiveness: Concerns were expressed about the value of the information that is sometimes obtained through due diligence. Is it necessarily a red flag if no information can be found at all? Some felt not, as no information can be a good sign as it is often the “bad stuff” that is flagged up and available. Others felt that if nothing could be found, companies should walk away or find an alternative provider.
Companies asked if it would be acceptable to proceed on the basis that due diligence had been conducted even if it had revealed nothing? Without a test case, this is a hard question to answer with confidence and opposing views were expressed. Some felt that the Bribery Act was not designed to restrict trade so if you had looked and found nothing it would be acceptable to go ahead. Others argued strongly that the Act was designed to prevent corruption and that this would not be an adequate defence if corruption subsequently occurred.
Some also warned against box-ticking exercises that produced information that was of little value. These organisations preferred to focus attention and resources on thorough checks but of fewer, high risk third parties.
Informal networks that use information from sources such as journalists were suggested as a way of avoiding box-ticking and ensuring that some information can be obtained. Some welcomed this option, as it could be more effective in parts of the world where people sign anything to win business. Others worried that it could be risky precisely because it was so informal.
Existing suppliers: This was identified as being another challenging problem. Companies that identified issues as a result of retrospective due diligence are then faced with the problem of how to mitigate the risks or end the contract. This can be difficult, depending on the existing contracts, but may be necessary to be fully protected.
Hard Choices: Many businesses are worried that the information revealed by due diligence presents extremely difficult choices. Some asked if it is reasonable to expect a company to mitigate corruption risks, if doing so causes the business to lose money. Is it safe to work with the best of a bad bunch of suppliers? Should we leave high-risk markets altogether? Some companies admitted to having already walked away; others felt this was not an option, particularly for those businesses that had been contracted to provide a service in a particular market.
It was acknowledged that there are certain jurisdictions that pose significant risks for businesses and a number of companies would welcome guidance from governments about whether or not to operate in these areas at all. Some even asked if governments should consider banning their national companies from operating in certain high-risk parts of the world. This would solve the issue of whether or not to trade here while also ensuring that they would not lose out to national competitors.
From the discussion, it is clear that this is a difficult problem to solve. Most companies felt that they had more to do and from the work that GoodCorporation has done in this area we know they are not alone.
Despite the difficulty, it is a problem that businesses must solve, as the risk is great and the penalty for failure high. We are still at the early stages of anti-corruption due diligence, but we do know that more and more businesses are expecting third parties to co-operate. Identifying and mitigating those risks will be the most vital aspect of any successful anti-corruption programme and one that will be essential in demonstrating adequate procedures.
GoodCoroporation Business Ethics Debate April 2013