I have previously written about the Open Compliance and Ethics Group (OCEG) Anti-Corruption Illustrated Series on Managing Corruption Risks and Third Party Anti-Corruption Due Diligence. Today I will review another in the Illustrated Series on Anti-Corruption Issue Management. This installation of the OCEG series is designed to assist companies to implement or refine an investigation process and to avoid some of the common problems that arise in when trying to identify, prioritize, investigate and resolve corruption.
I. Capture and Filter
A company should establish “multiple pathways” which will allow it to receive tips on potentially corrupt activity. Further, a company should monitor high risk activity and relationships based upon “identified factors including country, sales channel and third-party compliance data.” Some of these data sources could include continuous controls monitoring, controls violations which are noted, hotlines and informal intakes, third party or customer reports, audits, both internal and external, interviews, third party due diligence or media reports of other companies, locations, sales models or conduct.
These above mechanisms could raise a number of Red Flags which should be investigated more thoroughly. These Red Flags can include allegations of commercial bribery, customs and offset commitments, out of policy gifts, entertainment and travel, misreported accounting records, cash vendor disbursements and other high risk transactions, charitable giving and commission payments and unusually high or too-frequent facilitation payments.
- Have we categorized types of conduct and areas of operations into threat-level categories as a part of our risk assessment process?
- Do we proactively monitor potential high-threat-level conduct and activities and provide multiple pathways for issue intake?
- Do we have contingency plans to manage issues that arise in each risk category including identified investigation teams, reporting requirements and escalation paths?
If any of your company mechanisms pick up or alert you to a Red Flag, the first thing you need to do is to secure your records to prevent the loss or destruction of any data and to try and preserve the attorney/client privilege to the extent possible. Next you should triage and assess the threat and rank it by risk level. The next step should be to determine your reporting obligations within the company. If you have a pre-existing contingency plan, you should report to those persons listed in the plan for the level of risk assessed. From this step you should execute a defined plan for the identified risk level and then refer the matter to the designated investigation and communication teams.
One thing that OCEG emphasizes is the need for high level oversight, whether that is a corporate Board of Directors or something akin to the Board of Trustees at college or university. Senior management and the Board of Directors need to be informed about potential issues of bribery and corruption early and should be kept abreast of the investigation as it progresses and “take a hands on approach to ensure protection of the organization and resolution of the issue.”
- Do we have policies and procedures to secure evidence, protect privilege and bring in legal teams?
- Who is on our investigation team? From legal, internal audit, security, operations?
- Have we identified an authorized spokesperson and informed everyone about what may and may not be said, and by whom, about issues that have been identified or are being investigated?
Here the OCEG suggests a tri-parte approach. First, a company should investigate by collecting, reviewing and analyzing the evidence. Attention should be paid to issues which cannot be quickly resolved that may require re-assignment and notice to either senior management or the Board of Directors. Second, the company should execute a communications plan for management, employees and external stakeholders. This communications plan should keep the appropriate level of management informed on the change in status of any issue throughout the investigation. Lastly, the company should obtain an independent report and resolve any signals of systemic violations and ensure that any unlawful conduct has been terminated and appropriate disciplinary actions taken. This final step should present senior management with the requisite information to make business decisions about changes in business operations; the discipline/termination of employee/contractors/business partners.
Additionally, the company should define the legal strategy it will pursue if a violation is determined. Under the Foreign Corrupt Practices Act (FCPA) this could include an evaluation of whether the company should self-disclose to the Department of Justice (DOJ) and/or Securities and Exchange Commission (SEC).
- Have all illegal practices been identified, stopped, and had controls revised or added?
- Do we have a communications plan and team that protects our reputation?
- Have we found systemic problems that require correction or deeper investigation?
- Are there potential violations of law that must be, or should be, disclosed and if so how quickly?
- Is the investigation report sufficiently independent and thorough to facilitate cooperation with prosecutors or regulators, and aid in defense of civil or criminal actions?
Finally, the company needs to be prepared to defend its reputation. OCEG suggests that the company identify those who will speak on the company’s behalf and to the extent possible have a consistent, controlled and truthful message.
- Have we adequately briefed senior management and the board about strategic, financial, reputational impact of the case?
- Do the findings indicate gaps in company governance or culture that might require significant leadership changes?
- Do we need to revise business strategy, or terminate lines of business, withdraw from geographic regions or sever third party relationships?
- Will there be significant lost revenue and can we control it? IV. Continuous Improvement
The process should not stop at the conclusion of each issue resolution. OCEG suggests that a company conduct a root-cause analysis “including leadership weaknesses, culture issues and flaws in the performance of management activities and controls.” Patterns both in relationships and the aggregate should be analyzed and reviewed. Continuous controls monitoring should also be implemented.
OCEG continues its excellent illustrated series with this Primer on corruption issue management. It not only provides the compliance practitioner with a road map to follow but provides some very pointed questions that you can ask yourself to give a preliminary assessment of the state of your compliance program to detect and then respond to an issue. With the Dodd-Frank Whistleblower statute in full force, a quick directed response is mandatory to both comply with the law and to protect a company. I once again heartily recommend that you take a look at the OCEG series, as it will be well worth your time.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2012