You have heard about the
Foreign Corrupt Practices Act (FCPA) and similar laws enacted by other
countries. Perhaps your company sells
products or builds projects in other countries.
Whether the company uses local agents in those countries or sends its
own staff there, FCPA risk exists. How
do you go about assessing and then managing this risk?
Those are all elements of a
best practices program but they are not enough.
Because the company can be punished for “deliberate ignorance” of
corrupt behavior occurring in another country, the company must also conduct
initial risk assessments for each country where it is does business and focus
its anti-corruption program to address what it learns from those
assessments. The more countries the
company sells to, the harder it seems to accomplish a serious assessment of
risk. It can be done, and here is how.
First, sort your risks from
high to low by creating a simple risk matrix.
Factors you might assess in your matrix are:
·
Country Risk – Transparency International publishes
its annual Corruption Perspectives Index (CPI), which is available for free on
its website. The 2013 CPI ranks 177
countries from least to most corrupt, in terms of how each country’s public
sector is perceived. Those rankings
would be one rational basis upon which to decide how to prioritize risk
assessments.
·
Local Relationship – If the company uses local
representatives, risk depends on the nature of that relationship. A local agent who has authority to enter
contracts on the company’s behalf or a distributor that sells company products
for its own account impose far greater risks than a consultant with no power to
do anything other than refer opportunities to company headquarters.
·
Government Role – Consider whether the local
government is a customer. If so, is it
the only customer (high risk) or a very small percentage of sales (low
risk)? Another approach is to assess
whether government approvals are needed for a project or how government
regulations impact a sale. The more
intrusive the government role, the higher the risk.
·
A business or operates as an individual
·
An office located in business space or at home
·
Employees
·
Support infrastructure for company local hiring,
banking, visas and other needs
The company should also vet
the local representative through external sources. The representative’s name can be searched in
international and local databases of criminal and regulatory enforcement, as
well as through common search engines.
The local US Embassy can provide research and references. If the representative has worked for other
foreign companies, those should be contacted for references. The representative must also respond to a
questionnaire regarding whether the representative has:
·
A business that any government agency owns an
interest in
·
A position with any government agency or
political party
·
Any other business or professional relationship
with government or political figures
·
Been employed by the government in past
Once the documentation has
been gathered, the third step is to analyze the material. There are a host of potential red flags that
can be found. Examples include:
·
The particular country has a reputation for
bribery and corruption
·
The representative lacks third party business
references
·
A foreign government official recommends the
representative
·
The representative proposes unusual invoicing,
expense reporting or payment methods
If the representative passes
the data analysis, the fourth step is to negotiate a written contract with the
representative that contains strong protections against corrupt practices. Must have provisions are:
·
Representations, warranties and covenants of no
past or future violations of the FCPA
·
Immediate right to terminate the contract for
breach of FCPA compliance promises
·
The power to audit books and records related to
expense reimbursements
·
A commitment to abide by the company’s code of
business conduct
·
Participation in company anti-corruption
training programs
The fifth and final step in
the FCPA risk management process proceeds from the recognition that no program,
no matter how well constructed, can be left to manage itself. The FCPA policy must have dedicated internal owners
alert to the need for updating their risk analyses based on changes occurring
within an industry or a country, or due to the passage of time. Representatives in high risk countries
should be made to recertify their compliance annually, while representatives in
countries ranked as low risk in the CPI may go two or three years before
recertification.
As with any other compliance
initiative, an anti-corruption policy makes a difference only if it becomes
part of the normal operating rhythm of a company. Initial and ongoing risk assessments are a
key aspect of a robust FCPA policy – and great evidence to offer in any
government corruption investigation.