Anti-bribery act guidance: adequate procedures for an anti-corruption programme
Learn what top-level commitment looks like, how to ensure your procedures are adequate and proportionate, optimising your risk process and the benefits of embracing technology.
2020 marked a decade of the Bribery Act, the primary anti-corruption law in the United Kingdom. After it came into force in July 2011, it applied to public and private sector bribery while covering UK citizens, residents and organisations as well as entities conducting business in the country. Now more than ever, both UK and international entities need to ensure that their anti-bribery and corruption (ABC) programmes are up to scratch.
Why companies should pursue an anti-corruption programme
Ethical conduct and the prevention of corruption should be of paramount importance to all companies, regardless of whether they operate in countries with strong anti-bribery laws or not. Organisations of all sizes are realising that corruption and bribery can dent their competitive advantage, increase costs and impede growth. According to Transparency International, companies are now becoming more open about their anti-corruption efforts and anti-bribery standards for five key reasons:
- Transparency is the new normal and is expected by the marketplace
- Anti-bribery and corruption programmes have been consistently seen as measures correlated with good company performances
- Countering corruption and being open can have a positive influence on a business’s bottom line
- Increased transparency is a good means to flag corruption risks
- Transparent reporting on anti-corruption programmes can lead to better overall corporate compliance with regulations
Companies with an effective anti-corruption policy or anti-bribery procedures benefit from risk reduction, cost savings and sustainable growth while helping to level the playing field for all. It also demonstrates a company’s response to the legal obligation and responsibility to reduce the risk of corruption while also representing a commitment to operating a clean business.
What should be included in such a programme? It should typically encompass elements such as a statement of values, risk management measures, internal and external communication policies, training and guidance, internal controls, oversight mechanisms, assurance measures and a code of conduct.
Companies that demonstrate efforts to reduce the risk of bribery and corruption through such measures are increasingly treated favourably under national laws in the United Kingdom and other countries such as the United States and Brazil. Legislation allows for reductions or even the suspension of penalties imposed on companies if they have put strong anti-corruption practices into place.
Cost savings are generated by being up front and transparent about anti-bribery and corruption efforts. The market tends to attach a higher value to companies that are honest with stakeholders such as investors, and this can in turn lead to favourable risk evaluations resulting in better access to capital, lower interest rates for borrowing or a higher stock price valuation. Operational costs can also be reduced through streamlined internal processes that address operational weaknesses.
Anti-corruption programmes and transparency also allow organisations to gain access to preferential treatment such as commercial advantages offered by public institutions or private business partners such as favourable payment terms or lower due-diligence requirements.
UK Bribery Act: a summary
The UK Bribery Act is considered one of the most robust pieces of anti-bribery legislation worldwide. It came into force in July 2011, and it covers four main offenses related to the failure of commercial organisations to prevent bribery and the bribing of a foreign public official. It also grants the UK government extra-territorial jurisdiction which allows corruption offenses committed by individuals with a “close connection” to the UK to be pursued overseas.
In its guidance on the Bribery Act, the Ministry of Justice presented six principles.
Six guiding principles for implementing adequate procedures to prevent
- Top-level commitment
- Risk assessment
- Due diligence
- Monitoring and review
When it comes to penalties for violating the Bribery Act, individuals can receive a prison sentence of up to 10 years along with unlimited fines, depending on the severity of the offences committed. Companies can also receive unlimited fines, confiscation orders, exclusion from bidding in public contracts and long-term sanctions against directors convicted of wrongdoing.
Companies can take a number of steps to manage risks successfully such as refusing to compromise on principles while being ready to refuse what could be a promising deal. The right internal controls and reporting procedures should also be implemented while staff should be properly trained. It is essential to follow UK and local regulations while embracing the Bribery Act’s guiding principles.
Before making any business arrangement with a client, agent or distributor, thorough background checks should be carried out such as ownership, structure and financing as well as industry standing and reputation. The qualifications and accreditations of staff should also be investigated, as should the presence and locations of physical infrastructure. Finally, customer references and case studies should be explored along with third party references – for example banks, accountants and industry bodies.
Anti-bribery: top-level commitment
Board level ethics and compliance expertise as well as Executive Committee support are crucial. It is important to have at least two people on the company board who have a deep understanding of the ethics and compliance landscape with the ability to push the Executive Committee if required. Ultimately, getting the Executive Committee onboard is crucial as they will be the ones providing the resources to execute a robust compliance programme.
Indeed, there are often resource constraints on compliance and ABC programmes that do not necessarily reflect a lack of top-level commitment but simply economic circumstances, something that was readily apparent during the Covid-19 pandemic. Several strategies can be helpful. It is beneficial to have ethics and compliance champions across the business that can be its eyes and ears. It is also useful to try and get others on board with the mission so making friends with the legal team and finance is advised. The latter in particular have an overview of the whole business so they can spot issues and assist in securing extra resources.
It is advised to avoid limiting communication from the CEO on ethics and compliance matters to the annual ‘state of the nation’ address. To increase the effectiveness of the ‘tone from the top’, messages from senior management should be woven into existing communications, ideally at the point of risk such as during gift giving seasons like Christmas or Chinese New Year. That line of messaging will resonate more with employees so it is prudent to make friends with the communication team.
Anti-bribery – proportionate procedures
The anti-bribery policy and associated procedures should be related to an organisation’s actual business. They should be based on a robust risk assessment that includes understanding past issues and the experiences of the ethics and compliance team in the business. Are there gaps in policies and procedures that need to be addressed? Where possible, they should be made more relevant to employees with concrete examples provided from the business or industry.
A robust policy framework should be introduced. Policies that exist in isolation, with owners across the business and no coordination, lead to policy conflict and employee confusion. A policy framework will ensure that policies are kept up to date and do not conflict or override each other. Many organisations tend to use a Code of Conduct as the overall reference, with it acting as a hub for additional policies.
In order for policies to serve their purpose, they need to be read and understood by employees. Keeping policies engaging is a real skill and they should be short, principle-based and in plain language. Essentially, anybody in the business should be able to access a policy and understand it. Legal jargon should be avoided and particular attention should be paid to translations of policies (where relevant), ensuring they are consistent. If good writers are available within the organisation, they should be involved! Writing policies is not an easy task.
Pursuing an anti-corruption certification standard such as ISO 37001 is an effective strategy for companies striving to demonstrate their commitment to fighting corruption and a desire to comply with any international anti-bribery act. ISO 37001 is a certification standard for anti-bribery management systems; it has been in place since October 2016 and has been endorsed by 37 countries worldwide.
When it comes to compiling a risk assessment, questions that will need to be answered include whether there was a consistent methodology, if all aspects of the business were involved, the scope and why, as well as how often a full risk assessment was undertaken. Essentially, prosecutors try to understand whether the risk assessment was taken seriously and the attempts made to mitigate risk.
It is vital to really understand the business where the right questions are asked and whether they are specific enough to identify previously unearthed risks. This also links to the experience of the team undertaking the risk assessment: do they understand what has happened in other companies and the potential implications for their own organisation? After the desktop research about the business, does the team understand where the real interactions are and where focus is needed?
Ultimately, the business has to see the value in the risk assessment so that the process receives full support and cooperation. If the team understands the business and asks the right questions, they gain respect. Where relevant, findings from the risk assessment can be shared with business units that boost progress – validation is important when it comes to getting risk owners to engage with mitigation steps that need to be taken. For example, it is possible to provide information about the total amount of commissions paid and how this is affecting the margin. For those in the business who are still reluctant to engage, sometimes it simply needs to be said that it is the law and that it has to be done.
When it comes to due diligence, it cannot be emphasised enough that resources should be directed to the highest risk. Compliance teams are often under-resourced, and it is likely that very few of a company’s third parties will actually carry out a significant ABC risk assessment. Therefore, screening all partners using a one-size-fits-all approach is disproportionately time and labour-intensive. The best approach is to tailor due diligence to the ABC risk third parties represent.
Ideally compliance should have the final say when it comes to third parties but this does not mean operating in isolation. It helps to create a two-way street between compliance and the business. Engaging with the business will help educate and forge mutual understanding. In exceptional circumstances, the business may need to work with a third party despite high levels of risk, in which case compliance can work with them to put mitigation measures in place and ensure that these actions are executed.
There are instances when short notice suppliers are required and an emergency approval process is necessary. This should however be rare if compliance is training the business on how to onboard new suppliers and why that is important. At the other end of the spectrum are longstanding partners who have not yet been through the due diligence process. They do not get a pass and the level of urgency of course depends on their risk rating.
Training and communications
Training should reflect the risk assessment and, surprisingly, this is not the case in the majority of companies. When training does not reflect the risk assessment, the real risks specific to the business might not be mitigated, potentially creating a higher level of risk.
Face-to-face training also wins over online. While the latter certainly has its place, in-person training can be more thought-provoking with challenging scenarios that are both interesting and relevant. These can be from daily operations or from the enforcement actions of the industry. When it comes to virtual training, it should not be dry and generic with pictures of a shady businessman handing over a bag of cash.
Effective communication is vital for any speak-up program and its role is to build trust. As well as letting employees know about the channels, they should also be informed about outcomes (while maintaining confidentiality). This shows that the company values people speaking up, takes action and maintains whistleblower confidentiality. The employee survey is also a good opportunity to test staff on when they would be prepared to speak up by adding short scenarios to questions. This provides a better overview of the speak-up culture that really exists in an organisation and the steps that can be taken to improve it.
Monitoring and review
1st and 2nd level tests deliver the most value with the former offering the business real-time feedback. 2nd level testing is a good way to show the business the controls that are in place and how compliance is both supporting and adding value to the business. 3rd level testing which is carried out by internal or external auditing will always be more of a lagging indicator.
As testing can be extremely labour-intensive, it is advised to automate where possible and effective automation of 1st and 2nd level testing is advantageous.
When it comes to dashboards, effort must be proportional to the result. Everyone loves a dashboard but the resources needed to get the right inputs are frequently out of proportion to the value they deliver. Dashboards only make sense when they produce meaningful data and insights that should always tie back to the risks identified. While dashboards are very useful, they should not be a substitute for having proper conversations with business units to identify where risks might be emerging.
Technology: Digital compliance and its benefits are new to most organisations
Most companies still rely on general purpose software such as spreadsheets, emails and SharePoint. If they do have specialist software, it is usually only for specific aspects of their compliance programme such as an e-learning tool or policy management software. Very few companies have digitised their programme throughout and use a unified dashboard. However, financial institutions are increasingly using AI/robotic process automation in their transaction monitoring and trader surveillance.
When it comes to using technology to improve employee engagement, it should be about making compliance accessible and user friendly. If policy management is taken as an example, it is standard practice for companies to save all of their policies on an intranet page but this makes it difficult for employees to find the information they need. Policy management technology can help companies categorise policies and make them searchable which makes it far easier to find policy information from the user’s perspective.
Communication and training can be improved through the use of short online training sessions that employees can attend in their own time and at their own pace. Mobile apps can also help with “compliance on the go”, enabling employees to access the latest policy via smartphone and view online training sessions while on the move. Notifications and banners provided by the apps can also help to ‘nudge’ certain behaviours and actions.
Another benefit of technology is that it can act as a deterrent. When actions are being tracked, it makes it more likely that employees violating ethics and compliance rules are identified and prosecuted. Technology also helps to reduce employee temptation to engage in misconduct.
Harnessing data and KPIs
Data and KPIs allow you to track the effectiveness of your compliance programme. As soon as a process is automated, it starts to generate data. These insights allow you to identify trends as well as any gaps or potential blind spots in your programme. To take one example, a whistleblowing system offers a full overview of all reports but if none come in from a particular geographic area, it might be a red flag for the compliance team. It could be that the system has not been well communicated in that region, it might be a cultural issue or a fear of retaliation. The data gives you the anomaly and then you have to dig deeper to interpret the data and rectify the problem.
Getting the buy-in from the business and stakeholders is key to a successful compliance programme. The process of gathering, cleaning and embedding data while establishing analytical processes can also benefit other departments. For example, implementing policy management software requires comprehensive employee data and, if this does not already exist in one place in the right format, the process of building this clean and unified data set is a useful service to HR.
Useful recommendations on working with data and KPIs
When it comes to working with data and KPIs, there are a number of elements that need to be kept in mind:
- Start by working out what risks you want to measure, and then find the relevant data – Doing things in this order is key to ensuring that what you are doing is effective. Think about the risks and what data is required to track and measure the risks. Where is the data, what format is this data in, what stakeholders do I need to engage with and how accessible is the data? Don’t be afraid to look outside your organisation for external data sets to enrich your internal data.
- Gain a comprehensive data overview – Many compliance teams use different vendors and processes for different compliance areas which makes it difficult to get the complete data overview and often leads to time-consuming manual data collection and analysis work. Gain the overview by either switching to one provider with a holistic dashboard or using APIs and an overarching business intelligence tool to create dashboards and analyse the data.
- Start small – Don’t try and solve everything at once. Pick one risk area such as third-party supplier risk and work out what data you will need. This will prove to your organisation the benefits of technology and analytics and this makes it much easier to move onto another risk area. It also gives you useful insights on your team and organisational capability.
- Choose the right data analysis technique for the task – There are many different data analysis techniques for ABC which range in complexity. While there is a lot of hype around AI, the compliance journey begins with less complex techniques such as rules, descriptive tests and risk scoring. Starting with these will give you time to help you to identify and prepare your data, learn your tests and determine what testing is suitable.
- We all love dashboards – They provide a great global overview, look pretty and help compliance teams to spot trends.
- Don’t get caught up in your dashboard charts and KPIs – They may give you a false impression that everything is running smoothly. It’s still important to engage with people and connect with the workforce. There might be risks out there which your dashboard doesn’t measure.
AI will not take over the compliance function any time soon. There are far too many grey areas and ethics-related decisions involved in compliance for AI to take over completely. However, we are seeing more process automation where humans set the rules and robots help streamline and analyse data. This increases efficiency and takes away a lot of the mundane tasks but there are risks.
It is important to know what is under the bonnet. If a compliance programme needs to be explained to a prosecutor, the AI being used has to be understandable, as do limitations and why those limitations are acceptable.
AI can be used to demonstrate continuous compliance improvement to regulators. Indeed, regulators are encouraging greater use of technology and in their DPA language, the US Department of Justice has started asking whether AI and data analytics are being used to monitor risks and test policies and procedures.
Focus on continuous improvement
The feedback loop must not be forgotten. Tests, rules and alerts need to be reviewed so the process is continuously improved. Take the example of financial transaction processing: while machine learning tests generate alerts for suspicious transactions, these tests can generate false positives and there is a real cost to compliance teams when it comes to the review process. Human intervention is essential in reviewing and optimising this alert generation.
Early and continued buy-in from stakeholders should also be ensured because they will be needed on an organisation’s technological compliance journey. These typically include the business, internal audit, analytics, IT and legal.
Key principles of establishing an effective ABC programme