Practical Approaches to Fighting Corruption: Where to Begin

You have heard about the Foreign Corrupt Practices Act (FCPA) and similar laws enacted by other countries.  Perhaps your company sells products or builds projects in other countries.  Whether the company uses local agents in those countries or sends its own staff there, FCPA risk exists.  How do you go about assessing and then managing this risk?

 Let’s suppose the company gave a jump start to FCPA risk management by publishing an anti-corruption policy.  Senior executives then made a point of talking to business development and sales staff about the importance of both legal compliance and protecting the company’s reputation.  Legal and accounting personnel were trained on how to spot corruption “red flags” in contracts and expense reports.

Those are all elements of a best practices program but they are not enough.  Because the company can be punished for “deliberate ignorance” of corrupt behavior occurring in another country, the company must also conduct initial risk assessments for each country where it is does business and focus its anti-corruption program to address what it learns from those assessments.  The more countries the company sells to, the harder it seems to accomplish a serious assessment of risk.  It can be done, and here is how.

First, sort your risks from high to low by creating a simple risk matrix.  Factors you might assess in your matrix are:

·        Country Risk – Transparency International publishes its annual Corruption Perspectives Index (CPI), which is available for free on its website.  The 2013 CPI ranks 177 countries from least to most corrupt, in terms of how each country’s public sector is perceived.  Those rankings would be one rational basis upon which to decide how to prioritize risk assessments.

·        Local Relationship – If the company uses local representatives, risk depends on the nature of that relationship.  A local agent who has authority to enter contracts on the company’s behalf or a distributor that sells company products for its own account impose far greater risks than a consultant with no power to do anything other than refer opportunities to company headquarters.

 

·        Government Role – Consider whether the local government is a customer.  If so, is it the only customer (high risk) or a very small percentage of sales (low risk)?  Another approach is to assess whether government approvals are needed for a project or how government regulations impact a sale.  The more intrusive the government role, the higher the risk.

 By scoring each of the above on a 1-5 scale, the company can determine which countries merit the most urgent due diligence for FCPA compliance. 

 Second, the company needs to create FCPA due diligence records appropriate to the severity of risk.  Begin with the most dangerous countries, as determined from the matrix created in step one, and work down the list.  Use a mix of internal and external sources.  Internal business leaders who own the relationship with the local representative should be able to answer tough questions.  This is an excellent way to audit the effectiveness of the company’s FCPA training.  Have them describe the project, exactly what the representative will do and whether the representative actually lives in the country where the business will be done.  They ought to have a sense of what the typical compensation rates are for the work, and raise concerns if the representative requested that any part of payment be sent to a third party or a bank account in a different country.  They should also be able to tell you whether the representative has:

·        A business or operates as an individual

·        An office located in business space or at home

·        Employees

·        Support infrastructure for company local hiring, banking, visas and other needs

The company should also vet the local representative through external sources.  The representative’s name can be searched in international and local databases of criminal and regulatory enforcement, as well as through common search engines.  The local US Embassy can provide research and references.  If the representative has worked for other foreign companies, those should be contacted for references.  The representative must also respond to a questionnaire regarding whether the representative has:

·        A business that any government agency owns an interest in

·        A position with any government agency or political party

·        Any other business or professional relationship with government or political figures

·        Been employed by the government in past

Once the documentation has been gathered, the third step is to analyze the material.  There are a host of potential red flags that can be found.  Examples include:

·        The particular country has a reputation for bribery and corruption

·        The representative lacks third party business references

·        A foreign government official recommends the representative

·        The representative proposes unusual invoicing, expense reporting or payment methods

If the representative passes the data analysis, the fourth step is to negotiate a written contract with the representative that contains strong protections against corrupt practices.  Must have provisions are:

·        Representations, warranties and covenants of no past or future violations of the FCPA

·        Immediate right to terminate the contract for breach of FCPA compliance promises

·        The power to audit books and records related to expense reimbursements

·        A commitment to abide by the company’s code of business conduct

·        Participation in company anti-corruption training programs

The fifth and final step in the FCPA risk management process proceeds from the recognition that no program, no matter how well constructed, can be left to manage itself.  The FCPA policy must have dedicated internal owners alert to the need for updating their risk analyses based on changes occurring within an industry or a country, or due to the passage of time.   Representatives in high risk countries should be made to recertify their compliance annually, while representatives in countries ranked as low risk in the CPI may go two or three years before recertification. 

As with any other compliance initiative, an anti-corruption policy makes a difference only if it becomes part of the normal operating rhythm of a company.  Initial and ongoing risk assessments are a key aspect of a robust FCPA policy – and great evidence to offer in any government corruption investigation.