Anti-corruption Due Diligence
The first GoodCorporation Business Ethics Debate of 2013 revealed that for many companies, anti-corruption due diligence is proving to be the most challenging aspect of implementing robust adequate procedures to comply with the UK Bribery Act.
Despite the lack of prosecutions to date, this presents a real problem for businesses. The behaviour of third parties has been a key aspect of Department of Justice prosecutions and the Rolls-Royce case suggests that it will also be a major issue under the UK Bribery Act.
The key problems were broken down into a number of areas:
Implementing a centralised due diligence process across autonomous divisions is a real challenge. Some companies feel they know what to do and have a good process that is working well in some areas, but rolling this out globally in a systematic way is proving problematic.
Culture clash: ABC due diligence is new for many organisations and in some cultures it is a struggle to convince colleagues of the need to do due diligence. This makes it essential to have proportionate systems that direct the due diligence to the third parties where there are genuine risks. It also requires a lot of ‘change management’ to convince colleagues and bring them on-board.
JV challenges: Some reported that while they had successfully completed adequate due diligence on suppliers, such a robust approach was harder to implement with JV partners where trust forms a key part of the relationship. Implementing checks without damaging relationships can be a major challenge.
Financial risk assessment: Some companies are assessing risk and due diligence needs according to the value of the contract – this in itself could be a high-risk approach. Due diligence must be proportionate to the risks identified and some very high-risk activities might be small in terms of value and therefore harder to spot.
Managing red flags: A number of participants commented on the fact that due diligence is not necessarily the hard part of the job. The harder part is applying the judgement needed when red flags are identified, in some markets and sectors red flags are bound to exist. The problem is how to put in place sensible monitoring and remedial action plans to bring the third-party up to scratch so that it can be safely engaged.
Logic checks: Some companies noted that due diligence can be too formulaic and lack any logic check. The important and obvious corruption risks can be missed by a due diligence questionnaire. It is more important to stand back and ask questions such as ‘where is the corruption risk with this activity?’ ‘What is the potential for kick-backs?’ ‘Is the contract structure creating more risks?’ ‘Do we really need to use a third party at all?’
Despite the many challenges that this element of adequate procedures presents, some companies reported that robust anti-corruption due diligence can be developed as a commercial opportunity. More customers will be looking to protect themselves by using suppliers with robust due diligence and ABC controls. A company can enhance its reputation therefore by having a robust process in place.
GoodCorporation confirmed that many organisations are struggling with anti-corruption due diligence. Part of the problem is structural: those responsible for compliance are physically remote from the sales and procurement teams that are appointing and using third parties on the ground. In addition, many companies are falling into one of two traps, either using databases to undertake a large process of ineffectual checks or doing more rigorous checks on too few third parties. Assessing existing as well as new third parties is also a real challenge, particularly as many larger organisations have tens of thousands of suppliers and in some cases these are inherited from merger or acquisitions and are therefore harder to find and check.
Developing a process to get this challenging area of anti-corruption due diligence right is clearly vital. Carefully designed decision trees can be invaluable, but few companies are using them effectively. Decision trees help businesses to identify ‘the animals in the park’, what level of due diligence is proportionate and reasonable and what practical tools can be applied to each one.
Key third parties to check are:
¢ Sales agents and Intermediaries
¢ Joint Venture partners
¢ Permit/commercial agents
¢ New employees and contractors
¢ Recruiters of suppliers
Managing the ‘animals in the park’
Sales agents and intermediaries: Most companies know who they are, but care must be taken to ensure that ALL are properly identified and managed, including sub-agents and non-standard sales agents. These intermediaries present the greatest risk to companies and should be subject to the maximum due diligence in the form of questionnaires, client references, database checks and policy checks as well as certification and training.
A key area of risk, which is not normally considered as part of ‘due diligence’ is the remuneration structure, this should be realistic, proportionate and sensible – avoiding commission only structures wherever possible.
A number of organisations are consciously reducing the number of sales agents that they are using and bringing sales activities more in-house to control these activities more effectively and to reduce risks.
Joint ventures, acquisitions, long term partnerships: These all require the same type of full due diligence activities and GoodCorporation’s experience on the ground is that these types of structures can present the largest one-off ABC risks. Despite this most organisations are not doing ABC testing in newly set-up structures.
Permit/commercial agents: This is the hardest area to manage for three key reasons: there can be so many of them, they operate in high and low risk areas and there is no ‘one size fits all’ approach. The following steps are crucial:
¢ Be sure to know who they all are – a check list of all of the types of permitting and licence-getting activities is invaluable in this regard
¢ Risk-assess each one to place into high, low and medium risk hoppers (is it a high-risk activity? Is it a high-risk country? What is the volume and frequency of the activities?)
¢ Adopt a risk-based response e.g.
· Inform of policy and ABC stance (all)
· Inform in a contractually binding format e.g. PO or contract (all if possible)
· Ask them to complete an annual certification (where higher risks exist)
· Due Diligence Questionnaires and client references (for more extreme cases only)
· Training in extremis
Recruitment of employees and contractors: A checking process is needed to review new employees and contractors for conflicts of interest and political connections. However this should be more easily managed through existing HR structures that provide a natural opportunity for checks. The problem that companies face is that they can get lost and lose sight of why they are carrying out this type of due diligence.
Recruitment of suppliers: Where intermediaries are used to help select suppliers, there are obvious corruption risks of bribes being paid by suppliers to be selected. This passive bribery risk falls outside the adequate procedures defence, but in some sectors can present an important risk.
Finally it was noted that due diligence is the beginning of the process not the end. It will require monitoring and remedial actions to ensure that risks are reduced. Few companies felt that they were doing enough and they are not alone. Despite the difficulty, it is a problem that businesses must solve, as the risk is great and the penalty for failure high. A good programme, however, can have genuine commercial benefits for the company. Companies must identify those who pose the greatest risk, possibly using decisions trees, put anti-corruption procedures in place to mitigate risk and conduct on-going monitoring to ensure continued compliance. It will take time to get right but is vital to any anti-corruption programme.
Published by Sally McGeachie – March 2013