Creating a culture of compliance


Ethical Boardroom

By Alexandra Wrage, Founder and President at TRACE International Inc



Implementing a cohesive third-party risk strategy is essential for avoiding financial and reputational damage.

When it comes to anti-bribery compliance in international trade, third-party risk is a given – specifically, that is, the risk that arises when a company retains intermediaries to assist it with business development and operations abroad.

Intermediaries can perform crucial functions for companies seeking to expand their presence worldwide: opening local markets to a company’s products, providing easy access to decision-makers and identifying new opportunities and market trends. At the same time, third-party intermediaries are by definition not under the company’s absolute control. While a company may try to ensure that its intermediaries perform their work honestly and in line with the company’s values, circumstances can easily push in the other direction. Intermediaries often find themselves under extraordinary pressure to ‘do what it takes’ to close a deal or expedite a project, compliance and corporate ethics notwithstanding.

That’s the ever-present danger. What makes it a true corporate risk is the fact that under most anti-bribery laws, including the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act (UKBA), a company on whose behalf an intermediary pays or offers to pay a bribe can itself be held liable for the infraction – whether or not the company authorised the bribe, or even if the company wasn’t aware of it. The fines for such infractions can be enormous, reaching into hundreds of millions of dollars. On top of that prospect, one can add the cost of internal inquiries, cooperation with government investigations and potential harm to the company’s reputation. Not to mention the ethical and societal costs of participating in and tolerating a culture of bribery.

To an extent these risks are unavoidable. No company can completely dictate the behaviour of its own employees, let alone third-party intermediaries. And although precautions can be taken, there are practical limits to the amount of diligence a company can undertake, particularly when dealing with multiple intermediaries in various markets worldwide. But even in the face of such limits, there are steps companies can take to reduce their exposure to financial and reputational damage and to maintain and promote ethical standards. By so doing, companies can have a very real impact on international business norms.  Doing so effectively requires attention to three interrelated considerations – strategy, implementation and cohesiveness.

Addressing third-party risk strategically

Strategy, in this case, is the art of making the most out of limited resources. As every businessperson knows, your company can’t be everywhere at once and it can’t take on every opportunity with the same degree of attention. Risk management is no different. You need to focus your resources and you need to have a reasoned basis for doing so. Without a strategy, you may find yourself dealing with problems reactively and haphazardly. And if improper actions by one of your intermediaries come to the attention of the authorities, you may have difficulty defending yourself against liability.

At TRACE, we recommend a multi-tiered approach, under which intermediaries and potential intermediaries are divided into three to five separate risk-level groups. Each group is subject to a minimum level of scrutiny, but more costly and intrusive forms of due diligence are brought to bear where circumstances indicate a higher likelihood of non-compliant behaviour.

A number of factors should be considered in determining the compliance risk posed by a given intermediary. For example, what is the intermediary being retained to do?  How challenging is the market in which they’ll operate? How much contact will the intermediary have with government officials? How much will the intermediary be paid, and how? Will it be a flat hourly or monthly fee, or will the intermediary be compensated on a purely contingent basis? Is the intermediary an individual, a closely-held company, or a publicly-traded corporation?  If a publicly-traded company, does it trade on a recognised stock exchange? Has the intermediary represented your company in other countries? How much compensation has the intermediary received from you for its work in those countries? If promoting a highly technical product, does the intermediary have the relevant technical training? How much business does the company do in the territory in which the intermediary operates? Does the intermediary have exclusive rights to market the company’s products in that territory? If the company is pursuing a government contract or concession in the intermediary’s territory, what is the value of that contract or concession?

These and other factors can help your company determine the level of risk presented by an intermediary. Depending on that determination, differing degrees of background scrutiny will be appropriate. Even where the risk is determined to be relatively low, there is a significant amount of information that should be obtained and verified, including contact information, the organisational structure and ownership of a corporate intermediary, information about the intermediary’s employees, relevant reputational references, disclosures regarding past or pending investigations and convictions and certifications regarding the intermediary’s financial stability and accounting practices. Where the risk is more pronounced, the level of detail should be more searching as well, with additional information concerning corporate structure and registration, individuals’ biographies, the potential involvement of other third parties and possible conflicts of interest. At the highest levels of risk, the inquiry may extend to in-person interviews, an interview with the relevant embassy, a review of the intermediary’s financial statements and records, and a more comprehensive account of how the intermediary will interact with government officials.

Implementing your risk strategy effectively

A strategy is only as good as its implementation. Regardless of how your company plans to allocate its resources to select and scrutinise third-party intermediaries, it needs to carry out that plan thoroughly, methodically and consistently across your third-party community, with appropriate documentation at every stage. This will allow you not only to be certain you are doing everything you reasonably can to ensure compliance, but also to defend your approach before the enforcement authorities if something goes wrong.

The process begins with the initial selection. You need to make sure that there is an adequate business justification for the choice of a particular intermediary and that the reasoning behind that decision is documented. Were alternative candidates considered? Are there employees in-country who could fulfil the same role? Does the proposed intermediary possess the requisite expertise and resources to carry out the task? Considering and memorialising these factors at the outset will go a long way towards ensuring not only that you’re making the right decision from a business perspective, but that your expectations are clear that the intermediary’s role is a legitimate one.

When a potential intermediary has been identified, it is time to implement your risk-based strategy for vetting that intermediary. The level of apparent risk needs to be determined and the relevant information needs to be gathered. Depending on the risk level, that information can be verified and other information reviewed at various levels of intensity. References should be consulted about the intermediary’s effectiveness, reputation, government relations and business ethics. A media search should be undertaken to determine whether the proposed intermediary has been involved in any high-profile investigations or charges. Government databases should be reviewed to ensure that neither the intermediary nor any of its owners, partners or key employees has been flagged for violation of any relevant laws or regulations. These types of investigation can be conducted at varying depths, and it is appropriate to tailor your investigation to the determined level of risk for a given intermediary in a given situation. Where your initial investigation uncovers something of concern, the level of risk increases, and additional inquiry will be required.

Your implementation efforts won’t end once the intermediary has been selected and vetted. To the extent you have retained the intermediary to assist your company in a new territory or market, you will probably not be in a position to provide day-to-day oversight of the intermediary’s activities.

Nevertheless, you will want to make sure that adequate structures are in place within your organisation to ensure a proper measure of accountability. To whom does the intermediary report? Is that person aware of the bribery risks that may exist in the territory in which the intermediary is operating and the particular pressures the intermediary might face in connection with a given project? Does that person have the incentive and the ability within the organisation to sound the alert when it appears that the intermediary may be acting improperly? Does your company’s compliance team have sufficient independence and authority to follow up on reports of possibly improper activity? Do your intermediaries and those who oversee their work receive regular training concerning applicable anti-bribery laws and your company’s anti-bribery policies and expectations? Your initial risk assessment can help you determine the appropriate level of ongoing instruction and oversight, but it is critical that you and your company be attuned to the risks inherent in third-party activity, and that your internal compliance mechanisms are calibrated accordingly.

The cohesiveness of your strategy

In one sense, the idea of cohesiveness represents an internal aspect of your risk-management strategy. You want that strategy and its implementation to have a principled basis – one that you can articulate and that you have documented. If compliance issues do arise with a third-party intermediary, you want to know, and to be able to demonstrate, that you have acted proactively and reasonably to guard against such an occurrence, and you want to be able to defend your course of action before governmental authorities.

In another sense, though, to say that your strategy is cohesive is to say that it coheres with and is an expression of your company’s values and ethics. Although we discussed the idea of risk in terms of potential corporate liability, a truly cohesive third-party risk strategy isn’t designed merely to guard against financial exposure. All of the vetting and training your company can provide will be of limited use if there isn’t a clear message from the top of the organisation, through middle management and out to the field that corruption is unacceptable and will not be tolerated. Your company must make it clear that you will walk away from business rather than engage in bribery directly or through third parties.  Both your company and its intermediaries need to understand that those who are retained to further the company’s work abroad are not just opening up business opportunities, but are also representing to the world what the company stands for.

Cohesiveness also requires consistency

A clearly defined and consistently implemented strategy, functioning in and arising out of a culture of compliance, not only reduces the likelihood of non-compliant activity, but also serves as a clear signal of what your company will and will not accept. That signal reaches not only government regulators at home and abroad, but also the intermediaries themselves, who are more likely to understand your expectations and to accept the inconveniences inherent in the vetting process. In addition, the consistency of that signal can make it easier for your intermediaries to stand firm in the face of foreign officials’ solicitations, knowing that they will have the company’s full support, both in spirit and in practice. Ultimately, through its implementation of a cohesive third-party risk strategy, your company’s expansion efforts can contribute to the long-term goal of fostering a global culture of compliance.

About the Author:

Alexandra Wrage is the president of TRACE, a business association established to advance commercial transparency worldwide by supporting the compliance efforts of multinational companies and their third-party intermediaries. A lawyer, she is the author of Bribery and Extortion: Undermining Business, Governments and Security, co-editor of How to Pay a Bribe: Thinking Like a Criminal to Thwart Bribery Schemes and the host of the training video Toxic Transactions: Bribery, Extortion and the High Price of Bad Business produced by NBC.

Ms. Wrage served on FIFA’s Independent Governance Committee for two years before resigning from that body.  She has participated in anti-bribery working groups with the OECD and the UN Global Compact. She was named one of the “Canadians Changing the World” by the Toronto Globe & Mail and received the 2014 Women in Compliance “Lifetime Achievement Award for Service to the Compliance Industry.”  A Canadian, Ms. Wrage read law at King’s College, Cambridge.