Anti-Corruption Illustrated

An e-Book Publication
INSIDE THIS PUBLICATION:
Designing an Anti-Corruption Capability
Performing Third Party Due Diligence
Managing Mergers & Acquisitions
Identifying and Resolving Issues
Conducting Investigations
Using Data Analytics
Anti-Corruption Illustrated
Visualizing an Effective Capability
Brought to you by
COMPLIANCE WEEK
3
In control?
Legal requirements.
Regulatory demands.
It’s hard to keep everything on
track. We can help you embed
compliance and risk management
across your entire organization.
We will work closely with you on
alignment, coordination and cost
sustainable results. That’s how
we make a difference.
See More | Results
© 2012 Ernst & Young LLP. All Rights Reserved. ED: 0113. 1205-1355890.
ey.com
Welcome
A
nti-corruption efforts at the modern global company can be overwhelming and, for
all the talk about effective anti-corruption regimes, sometimes it helps to step back
and visualize the bigger picture—literally.
Hence we welcome you to our first-ever “Anti-Corruption Illustrated” publication.
This e-book is a compendium of anti-corruption articles Compliance Week has published jointly with the Open Compliance & Ethics Group for the last six
months. Here you will find all those articles, plus the roundtable discussions OCEG has run about anti-corruption with chief compliance officers
and other compliance thinkers, plus OCEG’s famed illustrations: doublepage spreads you can print out, stare at, and contemplate as you structure
your own anti-compliance program.
The articles address all the fundamentals of compliance programs: due
diligence on third parties and acquisition targets; sifting through reams
of corporate data effectively to find those few clues that expose possible
misconduct; the role of the modern chief compliance officer as one part
cheerleader for good conduct, one part counselor to business unit leaders, and one part
fraud investigator.
Each article also has an accompanying illustration. We know the images are somewhat
abstract, and have a certain flowchart appeal to them. That’s intentional. Successful anticorruption consists of several basic principles that can apply to all, and myriad small details that apply to your business alone. The illustrations capture those basic principles; the
articles provide context; the details we leave to you, since only you know what compliance
program will work best at your business.
We hope you find our anti-corruption e-book useful as you continue to develop and implement anti-corruption regimes around the world. The cliché is that a picture speaks 1,000
words. Considering the huge and diverse audiences a chief compliance officer must reach
these days, and the complex subject matter, visualization can only help. ■
Matt Kelly, Editor & Publisher
[email protected]
4
e-Book
5
A Compliance Week publication
Anti-Corruption Programs
Enable Business Agility
Inside this e-Book:
Matt Kelly Introductory Letter
3
Anti-Corruption Programs Enable Business Agility
5
Illustration: Managing Corruption Risk
6
Managing Corruption Risk: An OCEG Roundtable
8
Third-Party Corruption Risk: Know What You Should
11
Illustration: Third-Party Anti-Corruption Due Diligence
12
Preventing Corruption Through Third-Party Due Diligence: An OCEG Roundtable
14
A Holistic Approach to Diagnosing Corruption
16
Illustration: Anti-Corruption Issue Management
18
Corruption Issues: An OCEG Roundtable
20
How to Boost Your Merger and Acquisition IQ
23
Illustration: M&A Corruption Due Diligence
24
Buyer Beware of Corruption Risk: An OCEG Roundtable
26
Finding the Corruption Needle in the Haystack
28
Illustration: How to Conduct Corruption Investigations
30
Investigating Corruption: An OCEG Roundtable
32
Brad Pitt: The New Anti-Corruption Compliance Officer
35
Illustration: Data Analytics for Anti-Corruption
36
Anti-Corruption Data Analytics: An OCEG Roundtable
38
Illustration: OCEG: Your Path to Principled Performance
40
Company Descriptions
41
Thank you to our series sponsor
And installment co-sponsors
playing field by reducing the frequency and severity of
corruption in their markets.
Executives who foster this point of view through the
development
of an effective and efficient anti-corrupne of the most frequently asked questions I hear
tion program pursue a similar approach to those emabout managing corruption risk demonstrates
braced by any top-notch CFO, CIO, or business conthe compliance profession’s passion for benchmarking:
tinuity manager. These functional leaders continually
“What do companies with the best anti-corruption prostrive to share leading finance, information technology
grams do differently?”
and business resiliency practices throughout their supThe answer I give does not offer details about proply and demand chains. And they also strive, through
cess or technology, at least not directly; instead, it boils
continual process improvement, to make their “lightsdown to philosophy and vision. Compliance, risk,
on” finance, IT, and disaster recovering capabilities as
internal audit, and other executives leading the most
efficient as possible, so that they can invest more time
effective (and, not coincidentally, the most efficient)
and effort marshaling their resources to support strateanti-corruption programs think of their efforts as an
gic offensive.
integral part of their organization’s offensive capabilThis approach calls to mind the philosophical conity—efforts that enable business agility and business
cept of a paradox; call it the “process paradox:” the
resiliency to flourish.
more leading practitioners focus
This vision does not downon their anti-corruption processes
play the importance of process
and other building blocks of antiExecutives at the helm of and programs, the less time these
efforts ultimately consume. This
corruption capabilities. Indeed,
organizations with leading occurs as anti-corruption beleading practitioners also share a
anti-corruption programs say comes more integrated into strapenchant for crafting comprehensive, dynamic programs—the sort
their intent is twofold: tegic decision making and daily
work throughout the organizaof capabilities that this six-part
to strengthen organizational tion. Additionally, by investing in
“Anti-Corruption Illustrated Seagility and resiliency while a sturdy anti-corruption frameries” will examine in detail. Each
installment conducts this analysis
also bolstering anti-corruption work, leading practitioners create
a foundation from which they can
through diagrams, guidance, and
mindsets and capabilities more easily add lean GRC prinfield insights provided by leading
throughout their business ciples and practices that can help
experts.
While the focus of this seecosystems. achieve continual improvements
over the long haul.
ries centers on process—the
This process work begins with
“how” of anti-corruption proa philosophy; one that envisions
grams—it is valuable for those
anti-corruption as a valuable enabler of business agility
overseeing and managing these programs to also reand business resiliency—qualities whose strategic value
flect on “why” they invest in these programs. The exhas never been higher. ■
ecutives at the helm of organizations with leading anticorruption programs say their intent is twofold: to
strengthen organizational agility and resiliency while
also bolstering anti-corruption mindsets and capabiliCarole Switzer is the president of OCEG, a non-profit think
ties throughout their business ecosystems. This extertank that develops standards and guidance to help organizations
nal reach not only helps customers, suppliers, and other
achieve Principled Performance—the reliable achievement of obbusiness partners and stakeholders strengthen their anjectives while addressing uncertainty and acting with integrity.
ti-corruption programs, but also helps the competitive
www.oceg.org
Carole Switzer
OCEG Pesident
O
OCEG Anti-Corruption Illustrated Series
2
DEVELOP THE PROGRAM
Design a comprehensive and balanced
anti-corruption program that corresponds
to the risks identified during the assessment
process. Establish policies, procedures and
controls in all levels of the business, with
owners for each. Obtain board and management endorsement of strategies, short and
long term expectations, and resources, with
ongoing communication of this support.
Organizations must address global corruption challenges with a comprehensive
and dynamic program. To succeed, the board and management must demonstrate
and demand an anti-corruption culture.
PROGRAM OWNERS
AN ANTI-CORRUPTION PROGRAM
IS GOOD FOR BUSINESS
RISK
AUDIT
START: ASSESS RISKS
Identify corruption risks considering factors
including nature and location of business
activities, third party relationships, methods
for generating business, and applicable
laws. Evaluate and rank risks based on the
organization’s established risk appetite, and
be prepared to respond to internal and
external changes that affect the assessment.
7
IDENTIFICATION
CORRUPTION
Anti-corruption efforts require coordinated
action involving many in the C-suite and
managers of operations that present
corruption risk. A management committee or internal stakeholder group can
ensure that necessary communication
takes place, resources are committed,
and sufficient support for effectiveness of the program exists.
POLICY DESIGN
REVIEW, REALIGN,
AND REPORT
3
PERFORM DUE DILIGENCE
Knowing how and where your vendors, agents and
customers operate, and understanding the activities and
controls of any planned acquisition, as well as the risks
they present, is an essential part of the anti-corruption
program. Due diligence should include analyzing whether
established steps of an effective program are followed.
MONITOR AND EVALUATE
U
YB
KE
SCREENING
SCREEN
monitor internal and external information
and compare vendor, partner and customer
records against trusted data sources for red
flags that indicate issues
THIRD PARTY
RELATIONSHIPS
M&A
Track and assess policies and controls for
effectiveness and performance in various ways:
AUDITING/
TESTING
SIN
P E R AT I O N S / S TA K
EHO
ESS O
LDE
Write policies that map to
regulations, obligations and
business processes. Establish
owners responsible to ensure
continued appropriateness and
effectiveness. Communicate to
key stakeholders including
staff, third parties, auditors,
and customers.
CONTROLS
LOGISTICS/
DISTRIBUTION/
PURCHASING
SALES/
MARKETING
establish hotline and other open channels for
reporting and resolution of questions and issues
DEFINE AND
IMPLEMENT
POLICIES
RS
ACCOUNTING/
FINANCE
IDENTIFY
obtain and assess information about observed or
suspected misconduct, using appropriate qualified
teams, and considering privilege issues
DATA
ANALYZE
PO
ANALYTICS
AUDIT
provide regular internal audit oversight and inspection of the
anti-corruption program; test and assess controls to determine if
additional or modified action is necessary
contact Scott L. Mitchell [email protected] for
comments, reprints or licensing requests
©2012 OCEG
Establish procedures and controls to
prevent,
detect, correct and mitigate
E
OC
the risks. Include process, technology,
PR
human capital and physical controls.
Establish owners to monitor controls to ensure
effective workflow, continued appropriateness of
design, and operation in business units. Regularly
document, assess and test controls.
R
DU
5
t64'PSFJHO$PSSVQU1SBDUJDFT"DU
t6,#SJCFSZ"DU
t64%PEE'SBOLBOE1BUSJPU"DUT
t1VCMJD1SPDVSFNFOU-BXT
and Regulations
t(VJEBODFGSPN0&$%World Bank,
and Non-Governmental Organizations
t0$&((3$4UBOEBSET
t$POUSBDUVBM0CMJHBUJPOT
REINFORCE BRAND AND
CORPORATE REPUTATION
t&OIBODF#SBOE$SFEJCJMJUZ
t4PMJEJGZ4IBSFIPMEFS5SVTU
tø(BJO3FTQFDUJOUIF.BSLFUQMBDF
BUILD AND
OPERATE CONTROLS
HOTLINE
evaluate data to locate concerns and potential problems by
applying analytic techniques, tools and reporting capabilities
FULFILL LEGAL OBLIGATIONS
AND GUIDANCE
4
MANUFACTURING
INVESTIGATIONS
INVESTIGATE
BUSINESS
COMPLIANCE OPERATIONS
AND LEGAL
ESTABLISH PROGRAM
OWNERSHIP AND OVERSIGHT
OBJECTIVES
Take timely corrective and disciplinary action for
violation of the anti-corruption program.
Continually evaluate the program and adjust it
to ensure alignment with changes in risk profile.
Keep management and the board informed of
program outcomes and needs through regular
reporting. Strengthen assurance of program
sufficiency with external review and certification.
6
FINANCE
AND
OTHERS
RISKS
1
Strong anti-corruption programs help
to build a climate of integrity and an
ethical culture across the extended
enterprise that drives desired conduct
and supports compliance overall.
Compliant companies perform better in
the marketplace and have a competitive
advantage. An effective anti-corruption
program enables the company to:
TRAIN AND EDUCATE
Develop and deliver training in various forms to raise stakeholder awareness and
competence regarding anti-corruption goals, policies, procedures and controls.
Identify role-specific programs with desired outcomes and develop content and
delivery methods appropriate for each target audience, taking cultural and
language issues into account. Assess, certify, and track training results.
LIC
IES
ES
ASSURE THE BOTTOM LINE
t1SPUFDU$PSQPSBUF"TTFUT
and Operations
t&OBCMF1VCMJD1SPDVSFNFOU
Lines of Business
t&OBCMF0QFSBUJPOJO
Corruption-Prone Countries
t1SFWFOU3FWFOVF-PTT'SPN
Non-Compliance
t"WPJEPS3FEVDF'JOFT
and Penalties
©2012 Dachis Group
8
e-Book
9
A Compliance Week publication
Managing Corruption Risk: An OCEG Roundtable
SWITZER: There’s a lot of talk about FCPA
enforcement and U.K. Bribery Act requirements, but there is confusion about what to
do. How do you determine how well your
company is managing corruption risk?
and a good set of supporting procedures
enable the implementation of the company’s values and strategies, create the framework for consistent and fair practices across
business units, mitigate risk, and ensure accountability among employees.
MARTIN: A thoughtful and comprehensive
risk assessment is fundamental for any anticorruption program. An adequate risk assessment gives an organization a systematic
view of its compliance risks so that it can
develop detailed policies, procedures, and
controls to effectively manage these risks.
KUZMA: Take a phased approach to validate
whether efforts are sufficient given the risk
assessment. First, ensure that the program
covers all necessary areas for the company’s industry and geographic footprint,
including outside counsel review and consideration of information such as industry
guidelines and programs of other companies. Then, regularly conduct an assessment to determine if there are any unidentified or poorly controlled risks that require
program changes.
SWITZER: We often hear “It is overwhelming;
I don’t know where to start.” What steps do
you recommend to begin the process and
gain some “quick wins”?
MARTIN: A strong anti-corruption policy
KUZMA: Two more quick-win areas are
training and analytics. Train throughout
the company and focus on raising awareness about how bribery and corruption
can occur, including real world examples;
what regions in the company are at most
exposure and why; relevant legal requirements; and details of the company’s anticorruption policy. Then perform analytic
testing to expose expenditures that may
create potential for corruption. Data analytics focusing on accounts payable, travel
and entertainment, and petty cash provide
great insight.
SLAVIN: To avoid becoming overwhelmed,
address highest-risk areas first. Successfully remediating a few high-risk areas
through improved training, a more effective hotline system, or better third-party
due diligence, will create early wins and
help build momentum. A well-conceived,
multi-year plan that considers relative
risks, budgets, and available manpower
will make an overwhelming undertaking
feel much more manageable.
ROST: It’s key to start with the most significant risk, and for many this is the risk presented by vendors and suppliers. Since these
firms may be located where the organization does not have in-country resources, it’s
important to have upfront and ongoing due
diligence that includes assessing risk based
on country of origin; targeted screening of
the organization and key employees; and
enhanced due diligence for high-risk areas
in the form of detailed background reports.
SWITZER: How do you establish oversight
and ownership of each aspect of the anticorruption program to avoid, confusion,
gaps, and unnecessary overlaps?
SLAVIN: Decisions regarding ownership,
oversight, and tactical responsibility differ by company and are impacted by staff
size, budget, and corporate structure. That
being said, high-level central oversight is
critical. Individual components may be
delegated to different people, departments,
or regions as necessary, but someone must
have broad oversight of the entire program
with authority to make executive decisions.
MARTIN: It is important to have a chief compliance officer at the vice president level,
over a centralized compliance group to
provide thought leadership and staff support for essential elements of the program.
Steven Kuzma
Global Leader,
Corporate Compliance
Advisory Services, Ernst
& Young LLP
KUZMA: That’s right, and to establish comprehensive ownership you have to review
the program that is in place, determine who
is responsible for each element, and identify
areas where no one is currently responsible.
You also need to make sure that there are
effective compliance officers in countries
where corruption risks surface, and that
the chief compliance officer back at headquarters has strong working relationships
with them. A facilitated group discussion
can be the starting point to iron out responsibilities to avoid confusion, gaps and
duplication of effort.
ROST: Also, an important way of achieving
coordinated ownership is by standardizing
a common taxonomy of policy, risk, and
control with identified owners responsible
for the documentation, communication,
testing, and monitoring of each. Standardizing common methodologies and systems
will enforce the consistency and transparency of information.
SWITZER: What specific steps should corporate leadership take to establish and drive
home the proverbial “tone at the top” to
build corporate culture that is intolerant of
corruption?
MARTIN: Senior management must consis-
ROUNDTABLE PARTICIPANTS
MODERATOR
Carole Switzer
President,
OCEG
To succeed and ensure consistency across
business units, the program also must be
embraced by the employees and business
partners.
Jay Martin,
Vice President, Chief
Compliance Officer and
Sr. Deputy General
Counsel, Baker Hughes
Incorporated
Mike Rost,
Vice President,
Thomson Reuters GRC
Jim Slavin,
Senior Director,
Advisory Services,
Bribery & Corruption Risk
Management, SAI Global
Compliance
tently demonstrate the correct tone-at-thetop through clear statements on the commitment of a culture of integrity and a zero
tolerance approach to corruption. Also,
for a compliance program to succeed, line
managers at all levels of the organization
must be held accountable for the compliance performance of the employees in their
organization.
SLAVIN: Employees will quickly discount
these messages as hollow rhetoric unless
executives not only “talk the talk” but also
“walk the walk.” The steps that leadership
takes must show employees that they are
willing to walk away from deals requiring bribes; that anyone, regardless of their
contributions or stature, will be fired for
unethical behavior; and that the CEO’s
commitment to profitability does not overshadow commitment to ethical behavior.
Employees must believe that good-faith
reporting of suspected wrongdoing is not
only welcome, but expected.
ROST: Senior management should communicate zero tolerance for bribery and corruption, with messages tailored to different
audiences. U.K. Ministry of Justice guidance suggests that messages include:
»
»
»
»
»
»
A commitment to carry out business
fairly, honestly, and openly
Zero tolerance toward bribery
Consequences of breaching the policy
Articulation of the business benefits
of rejecting bribery
Reference to bribery prevention procedures the organization has, or is
putting in place
Reference to the organization’s involvement in any collective action
against bribery
SWITZER: Today, many companies have a lot
of data but not a lot of information because
they can’t easily consolidate and analyze
what they have. How can technology help?
ROST: Two important technology investments are an enterprise GRC platform
and a third-party due diligence solution.
The platform provides a common environment to manage the documentation,
testing, communication, workflow, and
reporting related to policy, compliance,
and risk management and internal audit.
It supports a common language for policy,
risk, and control that enhances information transparency. Third-party due diligence solutions provide global intelligence
on heightened risk individuals and entities,
including screening for Politically Exposed
Persons, enhanced due diligence reporting,
and geopolitical risk solutions that provide
the means to address the full spectrum of
risk across all markets and industries, no
matter what type and size organization.
SLAVIN: Third-party due diligence is a great
example. Making consistent and defensible partnership decisions based upon efficiently collected and accurately analyzed
data is important for all organizations.
Inquiries to legal, audit, HR, or procurement departments may uncover existing
technologies that compliance departments
can leverage to meet these objectives. For
example, many companies utilize litigation case management, GRC, and hotline
systems that are suitable for use in the anti-corruption arena. Also, a software tool
with features such as e-mail distribution,
workflow management, external data integration, a secure & centralized repository,
and a business rules engine is essential for
large-scale data analysis and risk profiling.
MARTIN: Baker Hughes has successfully
employed technology solutions in key areas such as the vetting and certifying of
third-party agents, delivery of the worldwide training program, maintenance of a
comprehensive case management system,
and ongoing delivery of a wide variety of
compliance messages.
KUZMA:
Data analytics tools and
techniques used in regular audits and investigations also can be used proactively
to prevent, detect, and monitor against
corruption. These systems test and analyze data by looking at trends and abnormal activity, uncovering exposure
in key areas such as petty cash, accounts
payable, and travel and expense submissions. Companies are starting to use tools
to look at the unstructured data that is
resident in the financial systems such as
the text within journal entries, a/p disbursement descriptions, entries in the
travel system that describe individual
submissions, and information that
describes how and why petty cash was
used. Internal e-mail communication also
is often a treasure chest of information. ■
11
Third-Party Corruption Risk:
Know What You Should
$230 million combined related to bribes in Nigeria and
elsewhere in a group of cases commonly referred to as
“CustomsGate.” Many of these bribes stemmed from
a third-party logistics firm the oil services companies
“The beginning of knowledge is the discovery of
used, Switzerland-based freight-forwarder Panalpina.
something we do not understand.”
Panalpina acknowledged that it bypassed customs,
—Frank Herbert, novelist
paid bribes, and submitted fake customer documentation from 2002 through 2007 as part of its “culture of
ant to know one of the surest ways to strengthen
corruption.” The well-known global companies that
your organization’s anti-corruption capabilities?
used Panalpina paid tens of millions of dollars in crimiStart by discovering what you do not understand about
nal fines as well SEC-mandated disgorgements because,
the third parties who help you do business abroad.
in some cases, the court found that they should have
The prevailing FCPA and U.K. Bribery Act stoknown what was being done on their behalf, despite
rylines focus on intensifying enforcement activity, but
their ignorance of their third-parfail to drive home the fact that
third-party
agents—suppliers,
The reality is that success in ty agent’s bribes.
Avoiding CustomsGate situjoint venture partners, service
today’s global marketplace ations has grown increasingly
providers, facilitators, and others—are the main characters in
hinges on acting upon what difficult as more companies rely
the story.
you know while continually on more third parties to operate
abroad. The sheer volume of data
As a recent Bloomberg Law
striving to learn what you required to conduct sufficient due
Report indicates; 10 of the 11 corporate FCPA investigations initishould know. diligence on foreign partners can
be staggering.
ated during the first 11 months of
Fortunately, there have never
2009 involved payments made by
been more tools available to support anti-corruption
third parties. Not much has changed.
due diligence. For example, Transparency InternationIf your company fails to expand its knowledge about
al’s 2011 Bribe Payers Index (http://bpi.transparency.
the activities of your business partners, the Department
org/results/), released in November, ranks 28 leading
of Justice (DoJ) or the U.K. Serious Fraud Office (SFO)
international and regional exporting countries by the
may define your “knowledge” for you in stark, legal
likelihood of their companies to bribe abroad. Comterms. These results often sound like a cruel twist from
panies from Russia and China are seen as most likely
a novel: companies find themselves stained with crimito pay bribes abroad; those from the Netherlands and
nal liability, forced to pay hefty fines, and with their
Switzerland are least likely to bribe; and U.S.-based
reputation in tatters because—unbeknownst to them—
organizations figure as the 10th least likely to bribe
a third-party agent bribed an official.
among the 28 countries.
Unfortunately, this isn’t fiction. The reality is that
The index is only one tool. Many consulting, legal,
success in today’s global marketplace hinges on acting
and software firms have developed information soluupon what you know while continually striving to learn
tions for anti-corruption analytics to transform raw
what you should know. Failure to do so is “willful igdata related to third-party agents into actionable infornorance,” a condition that pervades the failed defenses
mation.
of numerous regulatory and criminal cases inside and
By collecting and analyzing such data, following a
outside the realm of corruption. And yet, taking the
rigorous risk assessment and third-party selection pronecessary steps to avoid a finding of willful ignorance
cess, and establishing ongoing third-party controls and
and liability is too often neglected.
monitoring; compliance and risk managers can tame the
Just ask companies that have endured disruptive
due diligence data deluge. By doing so, these managers
investigations and costly penalties as a result of their
can also help ensure that their companies continually
lack of third-party agent knowledge. In 2010, more
understand what they should know. ■
than a half-dozen oil service companies paid more than
Carole Switzer
OCEG Pesident
You Know
that you have the skills to help any business
achieve Principled Performance®
Let Everyone Else Know!
www.grccertify.org
W
0$&("OUJ$PSSVQUJPO*MMVTUSBUFE4FSJFT
Global organizations may have thousands of third-party relationships that present corruption risks. An effective
worldwide anti-corruption program must include comprehensive and consistent due diligence in the selection
of agents, suppliers, and other partners; and methods for monitoring and evaluating compliance once they are
on-boarded. This demands a proportionate approach to ensure the right level of process is applied to each.
START: DEFINE
OP
1
t4DPQFPGUIFUIJSEQBSUZEVFEJMJHFODF
process considering countries of concern,
and aspects of operations and business
relationships that present significant
corruption risks
t0CKFDUJWFTBOEEFTJHOPGUIFQSPDFTT
define goals, key roles and responsibilities,
JOGPSNBUJPONBOBHFNFOUSFRVJSFNFOUT
policies and procedures
t,FZGPSNTBOEUFNQMBUFTGPS
OFXUIJSEQBSUZSFRVFTUT
UIJSEQBSUZRVFTUJPOOBJSFT
(3) due diligence level analysis,
(4) background checks, and
(5) third-party certifications
t1SPDFEVSFTUPBEESFTTiSFEýBHTw
BOESFRVJSFSFSFWJFXPGBOZQBSUZ
2
ERA
TIO
NS
INITIAL DATA
COLLECTION
DEFINE
SUPPLY AND SALES CHAIN
COLLECT INITIAL DATA
t$PVOUSZSFWJFXUPJEFOUJGZQPUFOUJBMIJHISJTL
t3FBMUJNFDIFDLUPJEFOUJGZDPOOFDUJPOTPGFOUJUZBOEJOEJWJEVBMTUPGPSFJHO
government-owned or -controlled entity, high-risk business relationships, and history of investigation for criminal or civil violations
t4FMGEJTDMPTVSFTVSWFZGPSUIJSEQBSUZDBOEJEBUFTUBJMPSFEUP
UIFVOJRVFMPDBMSJTLBOBMZTJTBOEUIFTQFDJåDGBDUTSFMBUJOH
to each entity or person
t/BUVSFTDPQFBOEWBMVFPGJOUFOEFESFMBUJPOTIJQ
and transactions
3
LOW
MED
HIGH
ASSESS
t4VQQMJFST$VTUPN.BOVGBDUVSFST
t"HFOUT3FQSFTFOUBUJWFT
t3FTFMMFST%JTUSJCVUPST
t$VTUPNFST
REGULATORY FACILITATORS
t7FIJDMFMJDFOTJOHBHFOUT
t7JTBQSPDFTTPST
t$VTUPNTCSPLFST
t'SFJHIUGPSXBSEFST
PROFESSIONAL SERVICES
t-PCCZJTUT
t-BXZFST
t"DDPVOUBOUT
t$POTVMUBOUT
t5SBWFMBHFODJFT
t3FBMFTUBUFBHFOUT
t%FåOFIJHINPEFSBUFBOEMPXSJTLDBUFHPSJFT
for third parties based upon factors researched
in initial data review
t3BOLFBDIUIJSEQBSUZCBTFEPOJOJUJBMEBUB
t1FSGPSNBEEJUJPOBMEVFEJMJHFODFCBTFEPOMFWFM
ASSESS
6
-083*4, -FWFM%VF%JMJHFODF
DATA
MANAGEMENT
MONITOR / REVIEW
t&TUBCMJTINPOJUPSJOHBOE
SFBQQSPWBMSFRVJSFNFOUTGPS
each risk level
t$POEVDUSFHVMBSPOHPJOH
review of third parties through
automated or manual screening
leveraging trusted data sources
t"DUPOSFEýBHTBOEDIBOHFTJO
risk rankings
t3FRVJSFSFBQQSPWBMQFSJPEJDBMMZ
on schedule appropriate for
each risk level
WHO IS A THIRD PARTY?
Trusted Data Source Search and Risk Screening
PROGRAM PRINCIPLES
*4:063130(3".3&"40/"#-&
t1VCMJTIFEDPOWJDUJPOTQFOBMUJFTBOETBODUJPOT
%POUJOUFSGFSFXJUI
operations or be a
burden on the business.
t1PMJUJDBMMZ&YQPTFE1FSTPOT1&1T
IFJHIUFOFESJTL
JOEJWJEVBMTBOEPSHBOJ[BUJPOTBOEQVCMJDXBUDIMJTUT
t.VMUJQMFNFEJBPVUMFUTJODMVEJOHMPDBMJOEVTUSZBOE
HFOFSBMCVTJOFTT
APPROVE
4
MONITOR &
REVIEW
5
RESOLUTION
TRAIN / CONTROL
t&TUBCMJTIBOUJDPSSVQUJPOUSBJOJOH
and controls for each risk level
t"ENJOJTUFSUSBJOJOHGPSEJGGFSFOU
third-party audiences, taking cultural
issues into consideration and addressing
role-specific needs
t"TTFTTBOEDFSUJGZUIJSEQBSUZBXBSFOFTTBOE
competence in anti-corruption
t%FåOFSFRVJSFEDPOUSBDUDMBVTFTBOEBVEJUSJHIUT
CONTROLS
APPROVE / DENY /
APPROVE WITH
CONDITIONS
t&TUBCMJTICVTJOFTTSVMFTBOE
automated and process
triggers, to facilitate control
and monitoring throughout
the life of each contract
t"QQMZNPSFTUSJOHFOUDPOUSPMT
BOENPSFGSFRVFOUNPOJUPSJOH
to higher-risk level entities,
individuals, and contracts
RAISE
OR RISK
OR
LEVEL
DENY
.0%&3"5&3*4, -FWFM%VF%JMJHFODF
Enhanced Evaluation
t-FWFMBDUJWJUJFTQMVTy
t"EEJUJPOBMUSVTUFEEBUBCBTFT
*4:063130(3".$0/4*45&/5
&TUBCMJTITUBOEBSEJ[FEQSPDFTTFT
that apply to all areas of the
business everywhere in the world.
Incorporate standardized forms
and templates to drive consistency.
t*ODPVOUSZQVCMJDSFDPSETTVDIBTDPVSUåMJOHT
t%FUBJMFECBDLHSPVOESFQPSUTGSPNUSVTUFEQSPWJEFS
t3FTFBSDIJOUPDPSQPSBUFSFMBUJPOTIJQT
BOEIVNBOOFUXPSLT
t5IJSEQBSUZJOUFSWJFXTRVFTUJPOOBJSFTBOE
TVQQPSUJOHEPDVNFOUT
)*()3*4, -FWFM%VF%JMJHFODF
*4:063130(3".3&410/4*7&
4VQQPSUUSBOTQBSFOUBOE
sound decision making with
strong management oversight
and robust reporting.
*4:063130(3".*/%&1&/%&/5
Deep Dive Assessment
TRAINING
t-FWFMBOEBDUJWJUJFTQMVTy
t"VEJUBOESFWJFXPGUIJSEQBSUZDPOUSPMTBOEåOBODJBMSFDPSET
.JOJNJ[FQPUFOUJBMDPOýJDUT
of interest and ensure
EFDJTJPOTBSFPCKFDUJWF
t%FUBJMFEJOUFSWJFXTPGSFGFSFODFTQPMJUJDBMBTTPDJBUFTCVTJOFTTBTTPDJBUFT
DPOUBDU4DPUU-.JUDIFMMTNJUDIFMM!PDFHPSHGPSDPNNFOUTSFQSJOUTPSMJDFOTJOHSFRVFTUT
ª0$&(
t*OWFTUJHBUJWFCBDLHSPVOESFQPSUTMFWFSBHJOHMPDBMEBUBTPVSDFT
©2012 Dachis Group
14
e-Book
15
A Compliance Week publication
Preventing Corruption Through Third-Party
Due Diligence: An OCEG Roundtable
SWITZER: Many companies that operate
globally have thousands of agents, suppliers, and other partners. You can’t do even
minimal due diligence on all of them, or
can you? How do you determine the level
of due diligence for each one?
WALDEN: Filtering the population of vendors and business partners is a critical step
before determining due diligence procedures. We meet with clients to understand
their current efforts, specific challenges
within their industry, geographic areas
of operation, and business strategy. We
then build a filtering model that separates
the third parties into risk-based categories and proceed with different levels of
due diligence: Level 1 is an open source
background check; Level 2 adds an “incountry” focus with respect to local court
records or business filings; and Level 3 is
a deep dive into the company which may
include interviews, site visits, and financial
analysis. Typical risk factors used in the
filtering process include type of relationship with the vendor, industry sector, services provided, geographic location, nature
of the contract, existence of government
links, and response to monitoring controls. By using this approach, only entities
considered high and medium risk undergo
a deeper level of scrutiny, which results in
lower costs and maximized results for the
client.
ROST: Another filtering factor is the criticality of the partner to the continued business operations. For example, high-risk
partners may include those who handle
your intellectual property, have access to
your IT systems or provide unique products or services to your company. After filtering, the next step is to rigorously screen
each business partner commensurate with
the risk category to which each is assigned.
Where screening raises red flags, a more
thorough, detailed, assessment is required,
focusing not only on the company, its owners and its operating and litigation history
but also on management and key decisions
makers. Include an assessment of their
backgrounds, track records, real competencies, potential conflicts of interest, and
political and criminal links. And don’t
forget that a lot can happen in six months,
so adequate procedures require that higher-risk business relationships should be
screened at least twice a year and a full rescreening should be applied annually.
HAUSERMAN: Thousands of third parties is
certainly considered by most compliance
professionals an almost impossible number
to be able to research and risk forecast accurately. But there are significant lessons
in the reaction of financial institutions
over a decade ago, to the then new antimoney laundering regulatory obligations.
At its core, be it AML or third-party due
diligence, poor information management
is the biggest impediment to doing due
diligence right. Today, modern information management technology coupled with
sophisticated analytics to prioritize third
-party risk mitigation activities is available and affordable to solve the problem
the right way. But risk is in the eyes of the
beholder, and the first place a company has
to start is to review its own risk tolerances.
SWITZER: There is a phenomenal amount of
data to be considered in third-party due
diligence, and it is constantly changing.
How can you collect and keep track of it
all and be sure it is fed into your approval
system?
HAUSERMAN: This is actually a quite straightforward information management problem
that has been solved many times. That is
not to say it is easy, but there are plenty of
examples for how information can be captured and maintained in a continuously accurate state. Organizations can make thirdparty due diligence effective by connecting
all the systems and people who have the
necessary information. For instance, thirdparty business sponsors should be required
to monitor and maintain accurate data for
their third parties. Likewise a third-party
primary contact should be accountable for
maintaining the third-party records. But it
takes good information management sys-
tems to make all of this possible.
ROST: Many organizations struggle to cope
with overwhelming levels of data that need
to be screened and rescreened. Some organizations have the resources to hire a large
and competent compliance department.
For others, the answer is to outsource to
experts who can absorb the complexity
of the requirements and deliver results at
a reasonable cost. Dedicated providers leverage professional research teams located
in strategic hotspots around the world and
have the capacity to do on-the-ground
research in local languages, and physically check paperwork and tangible assets.
These teams know what to look for and
how to recognize a potential red flag, perhaps the kind of detail that a less experienced, distantly located, compliance staff
member would overlook. Even a partial
outsourcing of compliance processes can
greatly enhance a program and provide
peace of mind, while keeping costs low.
WALDEN: The role of individual owners of
data sources, who are responsible for monitoring changes, can’t be underestimated.
Data management systems are critical, but
they are only as good as the information
that goes into them, and getting that right
takes some human judgment.
SWITZER: How do you manage change in
WALDEN: Given the constant changes of
MODERATOR
Carole Switzer
President,
OCEG
Bill Hauserman,
SVP, Bribery and
Corruption Risk
Management, SAI Global
Mike Rost,
Vice President,
Thomson Reuters GRC
Vince Walden,
Partner, Fraud Investigation
and Dispute Services,
Ernst & Young
HAUSERMAN: First you have to have a mechanism to monitor for such changes. And realize that your information will never cover everything, so start with obviously risky
items. These are typically monitored by an
external database provider such as WorldCheck, Dow Jones, or RDC, which track
millions of companies and individuals for
sanctions and PEP (“politically exposed
person”) exposure, criminal conduct, and
financial irregularities. Good providers
can actually monitor a third-party continuously for changes that increase risk
and inform you about issues. While this
monitoring is for higher-risk type changes,
these are exactly the ones a regulator would
question how you could possibly miss, given the regulatory requirements.
SWITZER: Even if an entity passes due diligence, corruption can still occur. How can
companies prevent or detect this? And are
there established criteria for the frequency
and extent of ongoing due diligence?
WALDEN: Third-party due diligence is a
partner relationships that may raise concerns (including change in ownership, new
suppliers to your supplier, and new customers to your distributor)?
ROUNDTABLE PARTICIPANTS
appraised of any significant development
on the vendors’ end. Periodic requests for
information, random testing, and independent due diligence reviews are also recommended to test the effectiveness of the
compliance programs.
the business world and mounting pressure
from regulators, compliance programs
need to undergo periodic reviews to make
sure they remain current, effective, and
reasonable. As new information becomes
available, it is important to occasionally
re-run past searches at random to verify
that the information is accurate and up-todate. In addition, compliance officers must
work with their business partners to stay
continuing effort that requires collaboration between the company and its business
partners. To monitor significant changes
on the vendor’s end, establish vendor reporting obligations for any changes in
activities conducted on the company’s
behalf, or to the vendor’s business model
and strategy. This includes any new contracts, entrance in new markets, or the
establishment of links to government
entities or officials. Companies are also
requiring annual certifications and disclosure statements of key vendors or third
parties, some of which require a right to
audit records clause. And this voluntarily
provided information should be complemented with periodic checkpoint reviews
and independent due diligence research
to verify that the information is reliable,
current, and complete.
ROST: Regardless of the strength of controls, those looking to break the rules will
continue to exploit any potential weakness
in a system that they are familiar with. A
reasonably designed and effectively implemented risk-based approach will provide
an appropriate control structure to manage these risks. Simply asking a partner
to fill in a form that includes the question
“are you corrupt” is naive in the extreme.
In today’s environment, it is reasonable
to expect that the partner has a robust
anti-corruption program. However, not all
partners have the resources to construct an
adequate compliance response, so it may
be necessary to assist in the building of expertise in partner organizations. This can
be done through on-site training , e-learning , and by providing professional advice
and resources to support the partner compliance processes. Without this institutional support, partners may overestimate
risk, thus wasting a lot of time and money
during remediation, or even miss the risk
altogether, which can be disastrous for all
involved in the relationship.
HAUSERMAN: Some would say that the
half-life of a successful due diligence that
clears a third party for use is measured in
minutes. That is the speed of economic activity and information flow. The not-sosimple fact is that you have to find a proportionate balance for all third parties to
earn regulator relief. It doesn’t have to be
full-proof and stop all bribery; the regulators don’t expect that. But they do insist
an organization be serious and consistent in applying due diligence around the
globe. The regulatory term is “continuous
due diligence to the balance of probability.” An organization based on budgets
and risk tolerances must define continuous. The one thing that can be assured is
that the regulators will define it more precisely if organizations are too lax. ■
16
e-Book
A Compliance Week publication
A Holistic Approach to Diagnosing Corruption
Carole Switzer
OCEG Pesident
I
n the long-running television drama “House,” the
ornery and unconventional medical genius Dr. Gregory House masterfully diagnoses the sources of mysterious illnesses. The secret to House’s success stems
from his ability to see the big picture, understand how
all of a human body’s various systems interact with
each other, and spot patterns that no one else detects.
The same skills would enable House to thrive in the
complex field of corruption issue intake and management. Conventional wisdom holds that this is a relatively simple, straightforward, and discrete process. But the
conventional wisdom is wrong.
Companies with the most sophisticated anti-corruption capabilities do more than resolve the issue and
identify its direct cause. They also periodically examine their entire portfolio of corruption issues to better understand how they interact and to identify ways
to improve corruption defenses throughout the entire
organizational system. By conducting such “portfolio
examinations” on a periodic basis, these companies
continuously improve their anti-corruption capabilities
in several different ways, including process improvements, efficiency gains and more effective crisis communications, and litigation preparation in the event that
a significant corruption issue arises.
The last point is important. When an instance of
corruption is raised, communications about the event
(and the response) must be quickly disseminated to all
relevant stakeholders while initial review of the issue
takes place. In some cases, a crisis response effort and
litigation preparation activities must also begin right
away. So, even a single investigation involves a tangle
of moving parts.
Consider how complex issue intake and management becomes in an enterprise that operates in dozens
of countries around the world. Each response produces
a body of information related to what went wrong, why
it went wrong, and the steps to be taken to prevent the
issue from arising in the future.
Companies with leading anti-corruption capabili-
ties—those that occupy the third level of the following
maturity scale—leverage this body of information to
their benefit:
Level 1: Response. Almost every company has
achieved this level of maturity (if they have not, the
first bribery issue that arises might put them on life
support). Once an issue occurs, it is assessed, assigned,
investigated, and resolved.
Level 2: Root Cause Analysis. Many organizations
try to operate at this level; as part of resolving a corruption issue, those responsible for the investigation
also attempt to understand why the individual event
occurred in the first place.
Level 3: True Continuous Improvement. Achieving
continuous improvement requires a periodic analysis
of all corruption issues, including a systemic examination that helps expose patterns of problems and other
vulnerabilities. These findings and insights in turn
stimulate the sharing of best practices throughout the
enterprise, as well as the identification of specific process improvements designed to lessen the likelihood of
future occurrences of corruption problems. And when
push comes to shove, in some cases tough decisions
must be made about whether the company should avoid
using specific agents, or even cease operations in some
markets.
The risk of not evolving beyond the second level of
this maturity model can be significant: Without a bigpicture understanding, any individual root cause analysis may be incorrect or incomplete. What looks like
a root cause in isolation may actually turn out to be a
symptom of a more systemic problem.
To ensure a strong prognosis for success in international markets, more anti-corruption managers should
consider diagnosing corruption issues the way Dr.
House would: by taking a big-picture view and tenaciously examining all of the causal factors, and how
they influence each other, until the issues are understood and resolved in a holistic manner. ■
OCEG Anti-Corruption Illustrated Series
SPEED, RIGOR, INDEPENDENCE, IMPROVEMENT – Every organization should have a strong capability to identify, prioritize,
investigate and resolve bribery and other corrupt activities, as well as compliance system weaknesses. While this can be a
daunting task, this illustration can help implement or refine an investigation process and avoid common pitfalls.
CAPTURE AND FILTER
THE TOUGH QUESTIONS
REVIEW
Establish multiple pathways for receiving tips about suspected
or observed corrupt activity and actively monitoring high risk
activities and relationships based on identified factors including
country, sales channel and third-party compliance data. Sort
issues into established risk level categories for action.
Assess Threat
Prevent data loss
or destruction and
preserve privilege.
Confirm veracity
and triage by
risk level.
RED FLAGS
COMMERCIAL
BRIBERY
ARE WE PREPARED?
Secure Records
Determine
Reporting
Comply with any
immediate reporting
requirement in
contingency plan
for risk level.
CUSTOMS
and OFFSET
COMMITMENTS
Execute Plan
Assign Tasks
Apply defined plan for
identified risk level
(immediate communication
and responses in advance
of further investigation).
Refer to designated
investigation and
communication
teams.
TASKS
OUT-of-POLICY
GIFTS and
ENTERTAINMENT
CASH VENDOR
DISBURSEMENTS
and OTHER HIGH
RISK TRANSACTIONS
RESOLUTION
MISREPORTED
ACCOUNTING
RECORDS
HIGH-LEVEL
OVERSIGHT
CHARITABLE GIVING
and COMMISSION
PAYMENTS
HOTLINE &
INFORMAL INTAKE
THIRD-PARTY OR
CUSTOMER REPORT
Do we proactively monitor
potential high-threat-level
conduct and activities and
provide multiple pathways
for issue intake?
PLAN
PROACTIVE
MONITORING
CONTROL
VIOLATIONS
Have we categorized types
of conduct and areas of
operation into threat-level
categories as part of our risk
assessment process?
FACILITATION
PAYMENT
BUSINESS
DECISIONS
Provide senior management with
information needed to make decisions
about changes in business operations,
disciplining or terminating employees/
contactors/ business partners,
management of financial impact,
and leadership changes.
SENIOR
EXECUTIVE
TEAM
Senior management and
the board must be told
about suspected corruption
issues early, stay informed
as investigations progress,
and take a hands on approach
to ensure protection of the
organization and resolution
of the issue and underlying
causes.
AUDITS
Investigate
Collect, review and analyze
evidence. Issues might be resolved
quickly or may progress into
different or multiple issues
that require re-assignment
and notice to senior
management/board.
PR
OG
RE
SS
Communicate
Execute communications
plan for management,
employees and external
stakeholders; keep
management informed of
any changes in issue status
throughout investigation.
Report and Resolve
Obtain thorough, independent
reports; focus on signals of
systemic violations; ensure
unlawful conduct has stopped
and disciplinary action has
been taken.
INTERVIEWS
MEDIA
THIRD-PARTY
DUE DILIGENCE
CONTINUOUS IMPROVEMENT
REPUTATION
LEGAL DEFENSE
Conduct root-cause analysis including leadership weaknesses,
culture issues, and flaws in performance of management
activities and controls. Look for patterns in relationships and
in aggregate. Implement improved compliance controls
including changes in training and frequency of audits.
Identify authorized speakers or
representatives, prepare for rapid
release and response and have
consistent, controlled, truthful
messaging.
Determine legal strategy
including potential disclosure
and cooperation with
regulators and prosecutors.
contact Scott L. Mitchell [email protected] for comments, reprints or licensing requests
©2012 OCEG
Do we have contingency
plans to manage issues that
arise in each risk category
including identified
investigation teams,
reporting requirements
and escalation paths?
Do we have policies and
procedures to secure
evidence, protect privilege
and bring in legal teams?
Have we identified
authorized spokespeople
and informed everyone
about what may and may
not be said, and by whom,
about issues that have
been identified or are
being investigated?
CAN WE DEFEND THE ORGANIZATION?
Have all illegal practices
been identified, stopped,
and had controls revised
or added?
Are there potential
violations of law that must
be, or should be, disclosed
and if so, how quickly?
Do we have a communication plan and team that
protects our reputation?
Is the investigation report
sufficiently independent
and thorough to facilitate
cooperation with
prosecutors or regulators,
and aid in defense
against civil or criminal
actions?
Have we found systemic
problems that require
correction or deeper
investigation?
DO WE KNOW THE BUSINESS IMPACTS?
Have we adequately briefed
senior management and the
board about strategic,
financial and reputational
impact of the case?
Do the findings indicate
gaps in company
governance or culture
that require significant
leadership changes?
Do we need to revise
business strategy, or
terminate lines of business,
withdraw from geographic
regions or sever third party
relationships?
Will there be significant
lost revenue and can we
control it?
©2012 Dachis Group
20
e-Book
21
A Compliance Week publication
Corruption Issues: An OCEG Roundtable
SWITZER: Companies learn of corruption issues through many pathways, including
hotlines, comments to supervisors, and unfortunately sometimes only when a government investigation takes place. What are the
best ways to drive early notice so that the
problem can be addressed quickly?
important to train and remind employees,
managers, and third parties about reporting options and responsibilities. And using
a sophisticated case management system
ensures accurate collection of issues, facilitates workflow, and helps in managing investigations and generating useful reports.
MEFFORD: Employees are the best eyes and
REISMAN: I agree with everything said and
ears of the organization because they see
the action from the front lines. I am always
amazed at how many employees knew
something was going on, but didn’t say anything. The challenge is making employees
feel secure enough to say something when
they see it. It takes courage to step forward.
We have to fight the negative stigma associated with being a “snitch” and help employees understand how speaking up protects
the company, coworkers, and themselves.
Having an employee tell coworkers “it’s
OK to say something; I did and nothing
happened to me. In fact, I was thanked for
my help,” is powerful and the grapevine
will spread that message quicker than any
corporate communication program.
can add a few points. First, help employees
and others know how to identify corruption risks, and train managers about communicating reports to compliance officers
and company lawyers. Second, paradoxically, reduce reliance on employee calls and
tips by proactively monitoring known risk
areas and capturing data from your compliance processes. For example, periodically
assess payments or commissions made to
certain third parties, due diligence reports
for appointment of agents and distributors,
T & E accounts in high-risk countries, and
any charitable or political contributions.
Also hold periodic face-to-face reviews
with sales teams in remote locations. Last
but not least, promptly identify and escalate
potentially significant issues with a structured and tested process for communication, assessment and assignment of cases,
and metrics for cycle time.
C AMPBELL: It’s so true that companies must
establish an ethical, “speak-up” culture, and
they should make it as convenient as possible for employees and third parties to report issues internally. Provide and advertise
multiple points of contact; offer anonymity
but encourage personal contact; acknowledge receipt of issues and act promptly; and
maintain centralized, accurate records. It’s
SWITZER: Given the number of sources of
information and the volume of potential issues, what are the key steps in filtering and
ensuring the right level of investigation for
each?
REISMAN: Start by getting the issue to a
knowledgeable first responder—someone
in compliance or legal who can sift through
potentially unclear reports, ask follow-up
questions, and identify a corrupt practice.
Whether the issue was communicated in
person, by telephone, e-mail, or instant
message, the first responder should create
a record in an electronic case-management
system, for routing to those responsible for
the second step—mobilizing investigations
and assembling global teams. For that step
to be effective, global teams should be on
standby for quick response in places where
a risk assessment indicates that a significant issue is likely to surface. They have to
be ready to handle a hot case quickly and
comprehensively: secure the evidence; contact the witnesses; conduct interviews; keep
employees and management informed; and
handle customer and public inquiries. Standard protocols and team rehearsals are important.
C AMPBELL: You definitely have to be ready to
deal with the highest-risk issues first, and
that is part of what the first responder has
to determine. Wasting time, personnel, and
money chasing low-priority items while
critical issues remain unattended can be
the undoing of a compliance program and
the organization. Issues can be prioritized
based on the risk they carry to your objectives and available resources. And it’s helpful to estimate how successful an investiga-
tion might be, measured by the likelihood
of issue resolution as well as successful risk
mitigation. Companies that have leveraged
technology have an advantage in sorting
through all this. They can easily filter accumulated data by the risk criteria they deem
important such as allegation type, vendor
type, or gift recipient and identify the riskiest issues.
MEFFORD: A good first step is discussing
what sorts of issues will demand the highest attention. Most companies categorize
issues into buckets, which the governance
group should rank by priority and impact
to the organization. This allows the first
responder to make a better initial assessment. Having the right people involved in
the governance group is also important to
ensure you are thinking of each issue holistically and assessing it from different points
of view. We have a representative from human resources, legal, finance, and internal
audit to ensure each issue is viewed from
those perspectives. Another factor to consider is the level of individual in the organization against which the claim is made.
An organization faces greater liability if a
country manager or executive is involved
than if it is a low-level employee.
SWITZER: Some issues are so hot they require
immediate escalation. What are some triggers for sending issues up the chain quickly,
even to the point of informing the board?
sue has been previously investigated. Given
the size and nature of potential penalties
and the need to demonstrate integrity in
this area, escalation should be prompt once
credibility has been established, especially
if there has been a history of problems.
REISMAN: Ask yourself a few key questions.
First and foremost: Is there evidence to indicate that a crime has been committed, so
that the company might need to make a voluntary disclosure to prosecutors and regulators? Is it likely that the claim is true? Is it
probable that other people know and might
make a disclosure before the company can
respond, for example, an employee seeking a bounty under the Dodd-Frank Act’s
whistleblower rules? Is there significant
legal, operational financial, or reputational
risk to the company?
MEFFORD: This will vary from organization
to organization, so it is extremely important to understand your board’s expectations. That is the most important criteria
for knowing when to escalate an issue and
notify the board. As a general rule, if a
high-level employee is involved, if the magnitude of the wrongdoing or potential fines
are material, or if there is the chance of a
significant reputational risk, you should
notify the board sooner than later. One
of the worst things that can happen is for
the board to read about an incident in the
media before they were made aware of the
issue.
C AMPBELL: As a general rule, any report reROUNDTABLE PARTICIPANTS
MODERATOR
Carole Switzer
President, OCEG
Colin Campbell,
Global Head of GRC Product
Management, SAI Global
Jason Mefford,
VP Business Process
Assurance, Ventura Foods
Andrew Reisman,
Senior Manager, Fraud Investigation
& Dispute Services, Ernst & Young
garding suspected corruption needs to be
escalated as soon as possible to the general
counsel and the chief compliance officer, or
to a specific individual designated by them.
Also, there needs to be a single focal point
in the organization with the perspective to
make connections between reports. Having this kind of process helps organizations
identify areas of emerging risk. Escalation
up from that point will depend on the nature of the allegation, the type of risk involved, such as reputation or financial, the
credibility of the report, and whether the is-
SWITZER: What are some of the information
management and communication needs
when an investigator determines criminal
investigation or voluntary disclosure to
prosecutors may be likely?
C AMPBELL: Information must be readily available in one central location. This
is where technology can really help. For
example, having all the communication
between relevant parties on one centralized platform makes data collection and
disclosure more cost-effective and accurate.
A centralized platform should include systems for case management,for tracking or
registering gifts and entertainment, and for
capturing information about third-party
due diligence. Clearly, centralized oversight, on-demand reporting, and data storage are real advantages of such a system.
MEFFORD: Once an investigator determines a
criminal investigation or voluntary disclosure to prosecutors may be likely, it’s time
to check back in with the governance group
responsible for investigations. There should
be one procedure for determining if this is
necessary and how to notify prosecutors
and the board. This is a decision that needs
to be made by the right individuals, who
are usually represented on the governance
group. I think one of the biggest issues is
to ensure that any statements made by the
company or its employees are factual and
consistent. Nothing is more damning, to
the public or prosecutors, than an organization changing its story as the events unfold.
REISMAN: Keep in mind one central point:
Nothing in today’s world stays secret for
long, despite attorney-client legends on
documents and admonitions to employees. I have this vision of people tweeting
as the investigation team walks down the
hall. Employees being interviewed tend to
get nervous, and understandably so. That
makes planning communications to the
people who might be involved critical. Be
prepared to describe the issue and the investigation process, and to let employees
know whether the company will retain
counsel for them. Have a communication
plan for local managers who need to answer
customer inquiries and questions from employees after the investigation team leaves;
and for senior management who will be involved in decisions about legal issues and
making changes in business operations.
And ensure strong coordination and information flow between the investigation
teams and the compliance officer and general counsel, who may need to provide information to the board. ■
23
How to Boost Your Merger and Acquisition IQ
Times to describe the pressure to get the deal done that
obscures the downside of a deal to management. Companies that treat the experts responsible for M&A corruption due diligence as the “Department of Know” inere’s a quick quiz to test your merger and acquisistead of the “Department of No” are better positioned
tion (M&A) IQ. The success and value of a proto strengthen decision-making no matter how intense
posed deal hinges more on:
the deal heat becomes.
By participating in the strategic planning meetings
A. The “deal-drivers;” or
that hash out whether it is better to build or buy, what
B.
The “organization protectors.”
markets a company targets or avoids and other upstream
determinations, anti-corruption experts help lower the
It’s a trick question. The right answer, and the key to
likelihood of selecting acquisition targets with high
effective M&A corruption due diligence, is:
corruption risks. By sniffing out top-level corruption
threats in the risk assessment phase, the company can
C.
This distinction should not exist.
identify and resolve corruption issues earlier and at a
lower cost than it would incur when scrambling to react
The team driving the deal is protecting the organizato these same issues later in the transaction process.
tion by enhancing its value. The team conducting corruption due diligence is driving
There are other benefits as
the deal and enhancing organizawell. Knowledge of corruption
tional value by ensuring that the
Knowledge of corruption risk risk strengthens the acquiring
company makes the right acquisicompany’s negotiating hand and
strengthens the acquiring may result in a more effective deal
tion at the best terms. Too often,
these teams are pitted against each
company’s negotiating hand structure or more favorable purother in a tug of war that prevents
and ultimately may result in a chasing terms. Early detection of
corruption due diligence from
corruption risk gives the acquirmore effective deal structure ing company an opportunity to
taking place in a sufficiently timely and comprehensive fashion.
or more favorable purchasing proactively meet with relevant
The need to replace the “deal
terms. regulators to negotiate resoludrivers vs. organizational protions to outstanding issues so that
tectors” mindset with a more efthese distractions and potential
fective approach has never been
business interruptions are firmly
greater. M&A activity is on the rise, particularly in
in the rear-view mirror once the deal is finalized. Planregions and countries with high corruption risks. The
ning for post-closing changes can take place as well.
rapidly developing economies of Brazil, Russia and
To get these types of returns on their M&A knowlIndia rate relatively poorly on Ernst & Young’s M&A
edge investments, organizations should deploy corrupMaturity Index—an analytical tool that evaluates M&A
tion due diligence efforts as early as possible. The cost
risk and opportunity globally—and corruption risk is a
of neglecting this need can be extreme: “Failed M&A
large reason why.
can destroy a company’s market value, destabilize its
It’s not only a matter of how, but of when to evaluate
financial position and credit ratings, impair its stratecorruption risks in a proposed deal. The best solution
gic position, weaken the organization and damage the
is to use a structured risk assessment approach in due
company’s reputation,” warns the Ernst & Young paper
diligence well before the decision to consummate a deal
“Increased Oversight of M&A: An Expanding Role for
is finalized.
Audit Committees.”
If the parties driving the deal and those tasked with
By treating their deal-drivers as organizational promanaging corruption risk cooperate, they can help pretectors and vice versa, acquiring companies can ace
vent the due diligence process from wilting under the
their due diligence and improve their odds of avoiding
pressure of “deal heat,” a term coined by The Financial
a failed deal. ■
Carole Switzer
OCEG Pesident
H
CONNECTED
GOVERNANCE, RISK
& COMPLIANCE
© REUTERS/TOM CHONG
Our solutions dynamically connect business transactions, strategy, and
operations to the ever changing regulatory environment. Thomson Reuters Accelus™
is a comprehensive suite of information and software solutions for:
ȕ
GLOBAL REGULATORY INTELLIGENCE
ȕ
E-LEARNING
ȕ
FINANCIAL CRIME
ȕ
RISK MANAGEMENT
ȕ
ANTI-BRIBERY AND CORRUPTION
ȕ
POLICY MANAGEMENT
ȕ
COMPLIANCE MANAGEMENT
ȕ
BOARD PORTAL
ȕ
INTERNAL AUDIT
ȕ
DISCLOSURE SERVICES
accelus.thomsonreuters.com
0$&("OUJ$PSSVQUJPO*MMVTUSBUFE4FSJFT
.FSHFSBOEBDRVJTJUJPOBDUJWJUZJTPOUIFSJTFJOIJHIDPSSVQUJPOSJTLDPVOUSJFT5PPNBOZDPNQBOJFTGPDVTPOåOBODJBM
EVFEJMJHFODFJOUSBOTBDUJPOTBOEIBWFVOEFSUBLFOJOTVGåDJFOUQSFBDRVJTJUJPODPSSVQUJPOEVFEJMJHFODFQSPDFEVSFT
FWFOXIJMFSFHVMBUPSZEFNBOEIBTJODSFBTFE5IJTJMMVTUSBUJPOPVUMJOFTLFZTUFQTUIBUTIPVMECFUBLFO
3FNPWF
UBSHFUGSPN
DPOTJEFSBUJPO
TOP TEN RED FLAGS
1. )JTUPSZPGDPSSVQUJPOJODPVOUSZPSJOEVTUSZ
PLAN
5&$)/0-0(:
2. /PBOUJCSJCFSZDFSUJåDBUJPO
1SPDFFEBT
QMBOOFE
3. 5JFTUPHPWFSONFOUPGåDJBMTPSSPZBMGBNJMZ
4. 6TFPGTIFMMDPNQBOJFT
5. &YDFTTJWFVTFPGDBTIBOEPSQBZNFOUTNBEFJODBTI
NE
ST
5
6
ANALYZE
t%FUFSNJOFSJTLTGPSPOHPJOHCVTJOFTT
t1SJPSJUJ[FPOHPJOHDPNQMJBODFOFFET
t&WBMVBUFBOUJDPSSVQUJPOUSBJOJOH
t&WBMVBUFBDDPVOUJOHQSPDFTTQPMJDJFT
BOEQSPDFEVSFT
EP
S
6. *OWPJDJOHEJTDSFQBODJFT
FIX IDENTIFIED
SHORTCOMINGS
7
t5POFBU5PQ
t$PEFPG$POEVDU
t5IJSE1BSUZ0WFSTJHIUBOE5SBJOJOH
t1PMJDJFTBOE1SPDFEVSFT
t5IJSE1BSUZ%VF%JMJHFODF
t-PDBM/FFET
t5SBJOJOH
Determine & Inspect
8
INTEGRATE
t&TUBCMJTIDPSQPSBUFDVMUVSF
t*NQMFNFOUFOUJUZXJEFQPMJDJFT
t1SPWJEFVOJGPSNUSBJOJOH
t&TUBCMJTIVOJGPSNBDDPVOUJOH
t$POTJEFSVOJGPSNUFDIOPMPHZ
COMMUNICATE
7. &YDFTTJWFHJGUTUSBWFMFOUFSUBJONFOUBOEDPOUSJCVUJPOT
t.BOBHFDIBOHFXJUIFNQMPZFFT
BOETUBLFIPMEFST
t*OGPSNNBOBHFNFOUCPBSEBOE
SFHVMBUPSTBTSFRVJSFEPSEFFNFE
BQQSPQSJBUF
PGJTTVFTJEFOUJåFE
ASSESS
'03&/4*$
"$$06/5*/(
RISKS
XT
$IBOHF
USBOTBDUJPO
UZQFPSUFSNT
03
SFRVJSF
QSFDMPTJOH
åYFTPS
EJTDMPTVSFT
POST CLOSING ACTIVITIES
8. 1BZNFOUTPSQSPNJTFTUPQBZHPWFSONFOUBMPGåDJBMT
9. *OBEFRVBUFUIJSEQBSUZTFMFDUJPOPSDPOUSPM
10. QUESTIONABLE AGENTS
4"-&4"/%
01&3"5*0/4
OBJECTIVES
-&("-
Strategic
Decisions
Redux
PRE-TRANSACTION ACTIVITIES
Transaction Testing
t4BMFTBOECVTJOFTTFYQFOEJUVSFT
%FDJEFOFYUTUFQT
t1BZNFOUTUPBHFOUTDPOTVMUBOUT
DPOUJOVFPSOFHPUJBUF
PUIFSUIJSEQBSUZJOUFSNFEJBSJFT
MJBCJMJUZBOEFOGPSDFNFOU
t1BZNFOUTUPUIJSEQBSUZSFQSFTFOUBUJWFT
PVUDPNFTQSFDMPTJOH
t3FMBUFEQBSUZUSBOTBDUJPOT
t4VDDFTTPSMJBCJMJUZ
t5SBWFMBOEFOUFSUBJONFOUFYQFOEJUVSFT
tø6OTVTUBJOBCMF
t$IBSJUBCMFEPOBUJPOTBOETQPOTPSTIJQT
#VTJOFTT.PEFM
t(JGUTBOEQPMJUJDBMDPOUSJCVUJPOT
tø$PTUPG3FNFEJBUJPO
t1FUUZDBTI
t*OUFSWJFXFYFDVUJWFUFBNQFSTPOOFM
t#BDLHSPVOEDIFDLUIFUBSHFUPXOFST
LFZQFSTPOOFMBOEUIJSEQBSUJFT
t0CUBJOGVSUIFSEPDVNFOUBUJPO
t"OBMZ[FBOEEJTDVTTJEFOUJåFE
JTTVFTXJUINBOBHFNFOU
t*OUFSWJFXLFZMPDBMQFSTPOOFM
BOEUIJSEQBSUJFT
Determine
t1PMJDJFTBOEQSPDFEVSFTGPS
SFDPSEJOHBOEBQQSPWJOH
FOUFSUBJONFOUIPTQJUBMJUZ
FYQFOTFTBQQSPWJOHHJGUTBOE
NPOJUPSJOHBOESFRVJSJOH
TVQQPSUJOHEPDVNFOUBUJPOGPS
DBTIBEWBODFTUPFNQMPZFFT
& Inspect
Assess
t-PDBUFIBSEDPQZ t-FWFMPGLOPXMFEHFPG
EPDVNFOUBUJPO
BOUJDPSSVQUJPOMBXT
JODMVEJOH
t"OUJDPSSVQUJPOUSBJOJOH
BDDPVOUJOHSFDPSET BOEVOEFSTUBOEJOH
BOEDPOUSBDUT
t/BUVSFPGHPWFSONFOUEFBMJOHT
t6UJMJ[FBDDPVOUJOH t1PMJDJFTQSPDFEVSFTBOE
TZTUFNT
EPDVNFOUBUJPOPGQBZNFOUT
t4FMFDUJPOBOEPWFSTJHIUPGBHFOUT
NE
ST
HOT AGENT ISSUES
tø/PBQQBSFOUCVTJOFTTQVSQPTFGPSBHFOU
Establish Team
tø$MBJNTUPCFSFMBUFEUPHPWFSONFOUPGåDJBMT
tø"TLTGPSJNQSPQFSJOWPJDFTPSQBZNFOUT
tø4FFLTFYDFTTJWFDPNNJTTJPOTPSEJTDPVOUT
4FOE
UISPVHI
NPSFEVF
EJMJHFODF
tø0CKFDUTUPCFJOHBVEJUFE
tø3FGVTFTUPEJTDMPTFPXOFSTQBSUOFSTPSQSJODJQBMT
tø-BDLTBDDPVOUJOHUSBOTQBSFODZ
ENHANCED DUE DILIGENCE
FOR RED FLAG ISSUES
EP
S
START
XT
#30"%&3
*/5&37*&84
MAKE STRATEGIC DECISIONS
t%PXFBWPJETPNFNBSLFUTBMUPHFUIFS
t%PXFCVJMEJOTUFBEPGCVZ
t%PXFMJNJUUPUBMOVNCFSPGCVZT
UPMJNJUSJTL
2
IDENTIFY TOP LEVEL CORRUPTION THREATS
t0QFSBUJPOJOIJHISJTLDPVOUSJFTPSJOEVTUSJFT t%JSFDUTBMFTUPHPWFSONFOUTPSTUBUF
t)JHISJTLBHFOUTTVQQMJFSTPSDVTUPNFST
SVODPNQBOJFT
t5BSHFUFNQMPZFFPSBHFOUUJFTUPHPWFSONFOU t)JTUPSZPGQBZNFOUTGPSUSBWFMPS
PGåDJBMTSPZBMGBNJMZPSLFZDVTUPNFST
FOUFSUBJONFOUPGHPWFSONFOUPGåDJBMT
tø.PWFNFOUPGHPPET
t)JTUPSZPGDPSSVQUJPOCZDPNQBOZPS
LFZJOEJWJEVBMT
t#BDLHSPVOEDIFDLUIFUBSHFUJUTPXOFST
contact Scott L. Mitchell [email protected] for comments, reprints or licensing requests
LFZQFSTPOOFMBOEUIJSEQBSUJFT
ª0$&(
%"5"
"/"-:5*$4
%&5"*-&%%&&1
%*7&3&1035
4*5&
7*4*54
3FNPWF
UBSHFUGSPN
DPOTJEFSBUJPO
ADVANCE RISK ASSESSMENT
1
"6%*5
LOOK DEEPER
4
Dig Even Deeper
$0.1-*"/$&
3
MAKE TACTICAL
DECISIONS
Analyze findings for
each target location
4FMFDU
EJGGFSFOU
USBOTBDUJPO
TUSVDUVSF
'03&/4*$
"$$06/5*/(
"/"-:4*4
"%%*5*0/"7&/%03
"(&/5
$6450.&3
4$3&&/*/(
©2012 Dachis Group
&-&$530/*$
%0$6.&/5
"/%&."*3&7*&8
26
e-Book
27
A Compliance Week publication
Buyer Beware of Corruption Risk: An OCEG Roundtable
SWITZER: Not all mergers or acquisitions are
between U.S. based companies or those
that are located where they are likely to
have established anti-corruption programs.
What are the biggest challenges in completing effective due diligence for corruption
concerns when the company is acquiring
an entity that operates completely within a
high corruption risk country?
WOLSKI: Ironically, the confidential nature
of a deal often results in overly restrictive
access to the proper people for interviews
and the target may be sensitive about providing information without full knowledge
or appreciation of the purpose, which creates a significant challenge in gaining access
to relevant information. But it’s critical to
gain a full understanding of all key business drivers of the target (key customers,
sales channels, etc.) so you can determine
how the target operates and identify potential areas of risk quickly. And you have
to obtain full disclosure of all key business
partners and the true business purpose behind each arrangement.
MARTIN: In my experience, the biggest challenge is to complete adequate due diligence
on all third-party business partners, with
particular emphasis on commercial agents
who earn a commission for new business
they bring in. This challenge arises because
of the poor state of records in many lesser
developed countries and the propensity of
business partners operating in those coun-
tries to incorporate in offshore jurisdictions, where it is difficult or impossible to
identify complete ownership of an entity
and to confirm the lack of involvement in
that entity by any foreign official covered
by the strictures of the FCPA. Another
challenge is to identify all of the key contracts and related amendments covering
business with state-owned entities in the
limited period of time one has to conduct
due diligence in an acquisition context. The
fact that documentation exists in huge volumes in many media, and in many locations
around the world, creates a major challenge.
ROST: Gathering the extensive range of information needed for effective due diligence
can be an arduous and time consuming task
when you do not have the in country resources, knowledge, and language skills to
perform the proper research and due diligence. Where to get information, how to
ask for it, and researching and understanding the complex relationships between legal
and government entities requires local expertise, and this is why many organizations
rely on trusted information providers to
execute on tailored enhanced due diligence
activities. Professionally created reports offer detailed background checks on current
and proposed individual and organizational business partners, and these professionals also can assist with informed decisions
when more information is required.
SWITZER: Too often, those who are responsible
for due diligence outside of the pure financial
realm are viewed as impediments to getting
deals done. How do you overcome this view
and demonstrate that early understanding of
corruption risks presented by the target company can protect the bottom line and provide
insight that may make for a better deal?
MARTIN: Our company has successfully
conducted many acquisitions over the years
which have involved some of the target’s
activities being in high-risk countries. We
have had enough instances where acquisitions were not completed because of significant unresolved compliance issues that
the company now readily appreciates the
critical role that my compliance team plays
in any acquisition to ensure that the company does not take on any hidden material
compliance issues which would erode the
expected value of the acquisition. We have
spent a considerable amount of time educating other members of the company’s due
diligence team and senior management on
the significant risks that are presented by
the ineffective treatment of corruption risk
and the material impact that unresolved
compliance can have on the value obtained
by the acquisition.
WOLSKI: The key is to educate the deal
team, preferably even before they identify
a potential target, about the range and significance of potential risks which must be
identifed and assessed as early as possible.
They need to know that the deal may give
ROUNDTABLE PARTICIPANTS
MODERATOR
Carole Switzer
President, OCEG
Jay Martin,
Vice President, Chief Compliance
Officer and Sr. Deputy General Counsel, Baker Hughes Incorporated
Mike Rost,
Vice President,
Thomson Reuters GRC
Gregory Wolski ,
Partner, Fraud Investigation &
Dispute Services,
Ernst & Young
rise to reputational risks that can create
difficulty in attracting capital for future
investments. There may be personal civil
and criminal exposure for directors and executives with oversight responsibilities. Financial risks could impact the value of the
acquired company based on the loss of revenues, customers and suppliers which were
generated from or associated with bribery
or corruption; not to mention significant
expenses associated with conducting internal investigations, responding to regulatory inquiries, and paying fines. There also
may be operational risks including delays
in closing the contemplated transaction
as a result of last-minute identification of
potential issues, successor liability arising
from pre-acquisition violative activity, difficulty attracting funding for the contemplated transaction, and inability to divest
or exit from the investment.
ROST: The easiest way to overcome the view
that more extensive M&A due diligence is
an impediment to the deal is to provide the
data which highlights the risks associated
with corruption, business relationships,
and the downside to moving forward without the proper research efforts . The best
practice M&A due diligence processes we
have seen involves the steps of searching and
reviewing similar deals that have been done
in the recent past, analyzing legal precedent
for M&A corruption risks, review of global
M&A deal metrics, governing law, jurisdiction, acquirer characteristics, and related
parties, and screening and due diligence reports which outline risky business relationships and associations related to sanctions
lists and legal action. All of these activities
can be easily done by accessing trusted data
sources and information providers who offer M&A specific information capabilities.
SWITZER: When issues are identified, typically what can be left to address after the
closing and what must be dealt with before
the deal is sealed?
ROST: It is a best practice to gather as much
information as possible prior to closing.
Vendors and customers should be screened,
the relationships and networks of those entities should be analyzed and understood,
and high-risk areas should receive enhanced due diligence efforts. If these activities are not executed upon prior to closing
and the deal still closes, a comprehensive
effort be made immediately post closing to
screen all vendors, customers, and thirdparty agents and provide as much information as possible as part of the process.
MARTIN: In evaluating whether any compliance issues that are identified in the course
of the due diligence effort for an acquisition must be resolved prior to the closing
and which issues can be resolved post-closing, great judgment and experience must
be applied. For example, if an issue is serious enough to require disclosure to one or
more government agencies, most acquiring
companies will insist that such issues either
be satisfactorily resolved or disclosed by
the target company prior to closing. This
would also be true for issues that present a
significant amount of dollar exposure, such
as pending litigation or environmental liability issues. With respect to identified
issues, that can be pretty accurately priced
as to liability, adjustments can be made to
the purchase price of the target. As a general matter, compliance issues which do not
have to be disclosed and do not present high
dollar value exposure, can be dealt with on
a priority basis following the closing
WOLSKI: Prior to closing, you should fully
determine and assess the risks of bribery
and corruption of the target and really
understand the target’s existing agent and
customer relationships. In connection with
closing, include reps and warranties in the
deal agreement affirming compliance with
FCPA and applicable anti-bribery laws by
key target shareholders, executives, and directors. Immediately post closing, be sure
to immediately communicate the right
tone from the top and fix any shortcomings
identified in due diligence. Implement policies, train employees, and ensure a program
is established to monitor compliance.
SWITZER: What is the biggest mistake made
when acquiring entities with weak anticorruption capabilities?
MARTIN: In my experience, the single biggest mistake that companies make when
acquiring entities with weak anti-corruption capabilities is the failure to recognize
how significant the adverse exposures can
be. In today’s world, many companies have
global operations in numerous high-risk
countries, and many dealings with stateowned entities and foreign officials. If any
of the actions taken by the target company
to attain or retain business were violative
of anti-corruption laws, the acquiring
company may be held fully accountable for
those liabilities when they are discovered
after closing. These exposures can involve
significant reputational damage to the acquiring company, high investigative costs,
substantial fines and disgorgement, personal liability to individuals, and potential
debarment from government contracts. In
a worst case, the collective liabilities resulting from hidden problems can be greater
than the value of the acquisition itself.
ROST: When the risk is present with a target company with a weak anti-corruption
capability, that risk should not be underestimated. Investing in enhanced due diligence, including screening of third party
vendors, prior to deal closing will reduce
any post close surprises and provide the acquiring company the information to price
the deal correctly.
WOLSKI: Some acquirers approach transactions assuming that any issue can always be fixed post closing and take
more of a check the box approach to
anti-corruption due diligence, which may
result in failing to appropriately assess
corruption risks based on the information
that they have been provided. Just digging
a little deeper or talking to the right target
employees often results in the identification of information that could have a potentially significant detrimental impact on
deal value. ■
28
e-Book
A Compliance Week publication
Finding the Corruption Needle in the Haystack
fective and efficient as possible. And you need to know
where to look.”
Finding the needle in the haystack marks a difficultto-develop but crucial capability. When a hotline or
eryl Markham was a 20th century female advena manager receives a report of a violation, a swift and
turer and one of the first pilots to fly solo and noncomprehensive investigation is an absolutely necessary
stop across the Atlantic (she did it from east to west
response. Anything less can ultimately expose the comagainst prevailing winds). Markham also knew how to
pany to major compliance risks
turn a phrase. “The way to find
and criminal liability. Yet, cona needle in a haystack,” she once
said, “is to sit down.”
The investigation of a report ducting a quick, rigorous, and methodical investigation is difficult
When it comes to conductof bribery or another alleged due to several obstacles including
ing corruption investigations, we
corrupt act resembles a the following:
would do well to heed her advice—as a warning.
search for a needle in the
The investigation of a report of
»
Translation Obstacles: Recorporate haystack. cent research indicates that less
bribery or another alleged corrupt
act resembles a search for a needle
than 5 percent of all reports of
in the corporate haystack. Howethical violations are captured by
ever, investigators who sit down on the job can be cerethics hotlines. The vast majority of these issues
tain that their organizations will endure consequences
are reported to managers and supervisors—but
far more painful, costly and disruptive than a little jab.
rarely is the reporting done in a crystal-clear (“I
witnessed a $50,000 bribe”) manner. Managers
If the investigation team simply starts rooting
need to understand how to spot certain indicators
around in the hay without this knowledge, the inof problems (“I felt uncomfortable when …”) and
vestigation is going to drag on; worse, it may fail to
then ask more questions to flesh them out.
uncover the full scope of the problem. Violations are
rarely isolated. If the investigation team fails to unearth other, related ethical violations (or even a major
»
Selection Obstacles: Once an investigation is deemed
root cause), disruptive follow-up efforts are necessary
necessary, the question of who should lead the effort
and the U.S. Department of Justice may take a keen
arises. Too often, companies get this answer wrong:
interest.
HR managers are left to investigate fraud and inhouse attorneys take the lead in instances where out“Billions of dollars in fines , penalties, disgorgement
side counsel would bring much-needed objectivity to
of profits, and professional fees signal that we are in
the process.
a world that has bribery and corruption firmly in the
center of any international company’s radar,” asserts a
new eBook “Bribery and Corruption: Navigating the
»
Breadth and Depth Obstacles: Slow starts can
Global Risks” from Ernst &Young’s Fraud Investigacripple an investigation, but zipping through withtion & Dispute Services practice.
out looking broadly and deeply enough can blind
“The individuals conducting the investigation have
the investigative team to patterns of unethical beto know what the needle looks like before they search,”
havior or root causes.
notes Littler Shareholder Katherine Franklin, who has
trained companies on how to conduct effective invesBy following pre-established steps to triage issues
tigations for more than 20 years. “You need to know
and manage investigations to resolution, your organiwhat corruption looks like. You need to know what
zation, can dig the needle out the haystack before it
tools and processes to use to make your search as efpricks you in the … ■
Carole Switzer
OCEG Pesident
B
Tangled up in new laws?
Don’t lose momentum. Contact Littler today.
Because risk begins in the work place, compliance begins at Littler.
For more information on Littler’s Corporate Compliance and
Ethics Practice Group please visit littler.com.
OCEG Anti-Corruption Illustrated Series
COMPLEXITY
Every organization should have a strong anti-corruption program that includes detection systems
and processes and a response plan to assess, investigate and resolve issues. This illustration can
help you implement or refine an investigation process and focus on important areas.
1 INVESTIGATION
THIRD PARTY
DUE DILIGENCE
DATA
ANALYTICS
TRIGGERS
WHISTLE
BLOWER
A culture of compliance that encourages reporting
is essential. Corruption concerns are also captured
from people, processes and technologies that
directly control, monitor and detect
potentially inappropriate activity.
2 TRIAGE
Use a standard
process to review
and filter allegations
to develop initial
response plan.
SEVERITY
Are high-level
employees involved?
Are there complex
areas of law and
jurisdiction involved?
Based on the analysis of each issue, establish the investigation team, determine
any need for outside counsel, and take necessary steps to discover and preserve
evidence. Ensure appropriate oversight and disclosure as the process continues.
Determine Investigation Team
Potential members include: SUBJECT MATTER
How widespread is
the alleged
Address Technical and
Logistical Issues
Engage experts to navigate foreign
language documents, distant
witnesses and evidence,
cultural issues, and
different data formats.
SUPERVISORS
HUMAN
RESOURCES
Is safety around products,
employees or witnesses a
concern? Should we call
the police?
REGULATORS/
POLICE
CREDIBILITY
THIRD PARTY
COMPLAINTS
INTERVIEWS
3 PLAN AND ASSIGN
EXPERTS, FORENSIC ACCOUNTANTS, COMPLIANCE
OFFICER, INTERNAL AUDITOR, LAWYERS
URGENCY
INTERNAL
AUDIT
How wide and
deep is the scope?
HOTLINES
MEDIA
INTERNAL TRIGGERS
CULTURE OF
COMPLIANCE
WHISTLE
BLOWER
EXTERNAL TRIGGERS
Is the source known and
considered reliable? Can
any facts easily be verified?
Who’s involved
outside our company?
Third party agents?
HR
Identify Key
Stakeholders
for Oversight
Could include:
TECHNOLOGY
GENERAL COUNSEL
AUDIT COMMITTEE
SPECIAL COMMITTEE
CHIEF COMPLIANCE OFFICER
Program Improvement
Recommendations
and Follow up
SECURITY
Potential
Initial Disclosures
AUDIT COMMITTEE
SENIOR MANAGEMENT
OUTSIDE AUDITORS
REGULATORS
PEOPLE
Joint venture partners
Government interaction (taxes, permits, licenses, etc.)
Government customers (SOEs)
Gifts, donations and political/charitable contributions
Acquired entities and relationships
Meals, travel, entertainment (employee expenses)
Freight forwarders and customs agents
Disbursements (including petty cash)
Third parties (agents, brokers, consultants, etc.)
Sales generation process
Related parties
International transactions
4
INVESTIGATION
VES
Each invest
investigation
i
t
is unique.
The facts
fact
fa
ctss and
an circumstances
will d
dictate
icta
ic
tate
te how specific
procedures
edures should be
performed.
ormed.
Follow
the
Money
Inform Appropriate
Parties
Determine what
to disclose to
any or all of
the following:
GOVERNMENT /
REGULATORS
AUDITORS
THE BOARD
AUDIT COMMITTEE
EMPLOYEES
SHAREHOLDERS
SUPPLIERS
CUSTOMERS
UMENTS
DOCUMENTS
CRIMINAL COMPLAINT
LEGAL ACTION
REASSIGNMENT
DEMOTION
TERMINATION
5 REMEDIATION
Address discipline of those involved and terminate problematic
third party relationships. Report findings and recommend
changes to personnel, prevention and detection processes,
policies, training, data analytics and other program elements.
contact Scott L. Mitchell [email protected] for comments, reprints or licensing requests
©2012 OCEG visit www.oceg.org for other installments in the Anti-Corruption Illustrated Series
Draw Conclusions and
Make Recommendations
Develop fact pattern
and prepare report of
recommendations on
disclosures, program
improvement and
discipline.
Identify
and Preserve
Evidence
Find locations of
key data and
preserve it, identify
key witnesses, involve
counsel to trigger privilege,
decide if a litigation hold is
Necessary, and determine if you can
get third party interviews and evidence.
Conduct Data Analytics And Document Review
Look for other transactions with similar attributes that
should also be part of the investigation. A forensic accounting
review is critical to understanding how transactions are captured
in the accounting system, the flow of funds and the internal
control environment. Email and document review helps better
understand troubling transactions.
FACT PATTERN
FACT PATTERN
Discipline and
Corrective Action
THE FIRST
72 HOURS
Mistakes in the first 72 hours can cause an
investigation to fail. Evidence can be lost,
poor documentation (of investigations) can
send you down the wrong track.
OVERLOOKING
THE SCHEME
Do not overlook smaller transactions or assume
many similar transactions are reasonable when
they are actually part of a much bigger issue.
FINANCE
WHAT TO LOOK FOR
SITUATIONS
COMMON PITFALLS
Understand Fact Pattern
Have you confirmed the
allegations? Have you discovered
other possible problems? Who else
do you need to speak with? What
additional evidence needs to be
reviewed? Execute additional
investigative steps as needed.
FACT PATTERN
FACT PATTERN
WITNESSES
I’m the company’s
lawyer, not yours.
Start to Develop Fact Pattern
Determine who is involved. Tell the
story of who, what , when, where,
and how. Third party agents,
consultants, suppliers, distributors,
contractors are often involved.
Consider necessary disclosures as
facts develop.
Conduct Interviews
Be prepared: what info do you
want from your interviews? Are
you seeking new or corroborating
evidence, are they friendly or
hostile? Know as much as possible
about the witnesses, know which
evidence to ask about. Have a
plan to encourage cooperation
and to address non-cooperation.
TRAMPLING
ON EVIDENCE
Inexperienced investigators or others in
the organization can inadvertently
destroy, corrupt or fail to adequately
secure critical evidence.
ACCEPTING
FACE VALUE
The investigation needs to confirm the
business purpose of transactions in question.
Any problematic underlying motives need to
be revealed even if transactions appear
reasonable with relevant supporting
documentation.
CULTURE CLASH
If you don’t understand the culture you may
miss what they’re trying to tell you or not get
the info you need from witnesses.
RETALIATION
Retaliation against whistleblowers or witnesses
opens you up to additional legal risk and
erodes the needed culture of compliance that
encourages internal reporting.
PARALLEL
INVESTIGATION
Avoid contaminating parallel investigations
being run by the government, your parent
company or auditors by establishing which
has priority.
©2012 Dachis Group
32
e-Book
33
A Compliance Week publication
Investigating Corruption: An OCEG Roundtable
SWITZER: Let’s start at the beginning, when
there is a report or suspicion of corrupt activity what are the very first steps you need
to take?
the allegations relate to the reliability of the
company’s financial reporting? Do they involve high-level employees? Is there a potential public relations consequence? Will
regulators and your auditors care?
THOMAS: First, you have to assess the credibility and seriousness of the event to
ensure that the level of response is appropriate and proportionate. Evaluate the qualitative aspects of the
allegation rather than focusing on the
quantitative aspects, because the notion of “materiality” should not affect the decision to investigate further.
Then develop an investigative workplan
tailored to the specific facts and
circumstances, and revise it as new facts
come to light.
MARTIN: You need a good intake and case
management system overseen by an experienced attorney; and you have to preserve all
potentially relevant evidence. Cycle times
should be monitored so that remedial actions are prompt and followed up to ensure
any harm has been stopped.
SICILIANO: The initial risk analysis considers
the matter’s scope, urgency, complexity, and
severity. Ask if the issue involves a single individual or multiple people, business units,
and physical locations. Are there obligations
to disclose to the government or key stakeholders? Is it urgent to intervene quickly
to limit exposure? Does the matter involve
complex areas of law or technical facts? Do
SWITZER: In the United States, immediately
establishing attorney client privilege for
an investigation into alleged corruption is
considered essential, but is that the case—
and is it even possible—when the investigation involves activity in other countries?
SICILIANO: Privilege typically is not as strong
outside the United States. In some jurisdictions, privilege exists for outside counsel, but not for in-house counsel. When
conducting a cross-border investigation, I
always try to protect the privilege here in
the United States by making sure there is
a licensed U.S. attorney present during interviews and limiting non-lawyer involvement. But in a country like Japan, in-house
legal departments often have no licensed
lawyers. This fact, combined with cultural
inclinations to report everything through
set communication channels to a broad
range of parties, can create tension in trying to preserve the privilege.
MARTIN: Preservation of privilege in a multi-jurisdiction investigation is very challenging because of widely varying rules.
Nevertheless, it is very important because
now there is an unprecedented level of
cooperation and sharing of information
among prosecutors across borders. There is
no protection for a company against double jeopardy for the same offense in different jurisdictions, and if the attorney-client
privilege is non-existent or waived in one
jurisdiction, it may be waived in others.
THOMAS: Given the risks, you really need to
make sure the investigation team knows how
to identify and address local privilege and
data privacy issues when determining how
to collect, store, and analyze the relevant
documents and data for the investigation.
SWITZER: Corruption can range from an
individual salesperson’s decision to bribe
a government official to a concerted conspiracy that establishes an ongoing kickback scheme. What steps do you take to determine if this is a single bad act versus an
ongoing scheme with multiple participants?
THOMAS: Determining whether a transaction is an isolated act or part of pervasive or
systemic issue is essential. Indicators from
e-mails, interviews, or other sources should
be investigated further, and it is important
to focus on the attributes of the problematic transactions and how they are recorded
in the company’s books. For example if an
employee admits to paying a bribe through
an excess commission to an agent, analysis of payments to that agent may identify
numerous similar transactions. There may
be other indicators in the general ledger
meta data that could identify problematic
ROUNDTABLE PARTICIPANTS
MODERATOR
Carole Switzer
President,
OCEG
Jay Martin,
Vice President, Chief Compliance
Officer and Sr. Deputy General
Counsel, Baker Hughes Inc.
Brad Siciliano,
Shareholder,
Littler Mendelson
Richard Thomas,
Partner, Fraud Investigation &
Dispute Services,
Ernst & Young
transactions and experienced investigative
teams can apply data analytics to identify
other non-standard transactions.
SICILIANO: That really is the purpose of the
investigation. You may have allegations
about a discrete event, but your investigation is going to assess whether there was
similar wrongdoing by that individual over
a period of time. With data mining tools this
process has become much simpler and more
efficient. Even if you don’t find evidence
of additional misconduct, the fact that the
wrongful conduct did occur is reflective
of a potential weakness in your control
process and you should evaluate whether
others in the organization have exploited
that weakness. If you have an internal audit
function that is regularly checking control
processes, point them in the direction of
the potential weakness and have them test
it for you. When these discrete incidents of
misconduct arise, an organization needs to
use them as an opportunity to see if they are
part of a larger problem.
SWITZER: What sort of policies, procedures,
and controls around information management and document retention are necessary
to ensure that evidence remains available to
the investigators?
SICILIANO: While most investigators would
prefer that evidence stay around forever,
that’s neither practical nor advisable in
today’s business world. Instead, a business should implement document retention
policies and procedures that are tailored to
how the company is structured and goes to
market. Rather than use generic descriptions, the policy should clearly explain
how to handle and retain specific types of
documents, identified by the terms used by
the business. Companies have gotten into
trouble recently for what courts have found
to be unreasonably short e-mail retention
policies, so at a minimum companies need
to make sure that their policies are reasonably related to business needs and don’t
appear to be designed to hide information.
It’s also helpful to have an IT infrastructure
which makes ESI accessible and gives you
the ability to segregate relevant users’ content from the rest of the population. Companies also need to have strict controls in
place that establish who has authority to
delete data. The worst scenario is inadvertent deletion because a court may treat it as
deliberate destruction of evidence.A key
element of maintaining the necessary controls is a cooperative working relationship
between the legal, HR, and IT departments
and a process in place for securing approval
for the destruction of data.
THOMAS: Most companies perform regular
backups of important data and have established formal document retention policies
that allow the company to comply with its
legal and local tax requirements. It is important to understand these different policies and procedures to ensure that data is
not inadvertently lost or destroyed. This
is often addressed by issuing a document
preservation notice or legal hold notice that
is provided in local languages, is broadly
distributed, and clearly defines what is to
be retained. The investigative team should
immediately consider acquiring forensically sound images of the data on employees’ laptops and of the company’s servers in
order to preserve what may turn out to be
very relevant metadata. The preservation of
other electronic data, such as information
on smartphones and thumb drives or other
external media, should also be considered.
The decision of what data to review and how
to review it can often be taken at a later time,
but it will at least remain available to the investigative team if it is preserved. The investigative team should also contact IT to ensure that relevant backup tapes are not being
overwritten and contact any off-site storage
facility to ensure that hard copy documents
are not being routinely destroyed.
SWITZER: How do you decide if, and when,
to inform external stakeholders, including
legal authorities, about an ongoing internal
investigation?
MARTIN: First take into account whether
reporting is mandated by law such as required disclosures for public companies
in U.S. Then you have to consider how
significant the discovered violation is;
whether disclosure is required by an agreement such as a DPA; how likely it is that
disclosure will be made by someone else
such as a whistleblower or disgruntled employee; the impact of the Dodd-Frank Act’s
whistleblower rules; what the rules are for
disclosure in various jurisdictions; whether
the rewards of disclosure outweigh the
risks; and who needs to be involved in the
disclosure decision. Remember, once you
disclose you lose control of the matter.
SICILIANO: After considering legal reporting
obligations and the seriousness of the event,
I consider what I have actually learned in
my investigation. External stakeholders
such as auditors typically take the view that
your first duty is to report to them no matter what. I think, however, you first need
to know what you’re reporting. I’ve experienced too many situations where a stunning
allegation turns out to be a simple misunderstanding. Also, you don’t want to report
on something that you don’t fully understand because, when your report contains
mistakes, you potentially lose credibility
with the third-party stakeholder.
THOMAS: You don’t always get to decide.
In some cases, the investigation has been
triggered by an inquiry from the government and discussions with the regulators
are ongoing throughout the investigation.
And, whether disclosed to regulators or
not, companies are still subject to audit
and have reporting obligations in respect of
their public filings. In other cases, once the
investigative team has developed enough
facts to corroborate bribery or corruption
issues, the company may seek to self-disclose issues in return for leniency, in which
case what you disclose may be as important
as when. For example, you may include a
summary of progress to date, highlighting
the remediation steps that the company is
taking to punish those involved and prevent future recurrences. ■
35
Brad Pitt: The New Anti-Corruption
Compliance Officer
Carole Switzer
OCEG Pesident
»
Think Differently. As Lewis writes in his book,
baseball “managers tend to pick a strategy that is
the least likely to fail, rather than to pick a strategy
that is most efficient … The pain of looking bad
is worse than the gain of making the best move.”
A similar dynamic holds sway in business and in
compliance. Traditional, rules-based tests of data
samples remain widely used—in part because they
are so widely used. Despite their popularity, rulesbased tests have several limitations: They are slow,
require a lot of manual work, and examine a relatively small set of data. Besides, outwitting those
who break rules requires a continual dose of fresh
thinking: ABC analytics provide fresh insights derived from an untraditional source (organizational
data).
»
Strike a Balance: The use of ABC analytics does
not negate the value of traditional modes of
anti-corruption and bribery vigilance; instead,
these tools should augment existing capabilities.
In the movie version of “Moneyball,” Beane angrily fires his scouting director, Grady Fuson
because Fuson refused to adapt his from-thegut approach to finding talent to Beane’s new,
analytical approach. In reality, however, Fuson
left the team, quietly, on his own accord and
was later re-hired by Beane. The two have confirmed that the team’s current talent-scouting
approach balances qualitative and quantitative
techniques.
»
Tailor Your Tools: ABC analytics should be customized to reflect the unique risks an organization
faces. These tools and methodologies should also
be sufficiently flexible so that they can incorporate
insights and observations from previous investigations.
A
nti-corruption compliance efforts are rarely, if
ever, as easy as a-b-c. However, these endeavors
would be much easier and more effective if more companies understood—and deployed—their ABCs.
“ABC” refers to anti-bribery and corruption analytics, which are statistical techniques that comb through
massive amounts of data and sniff out unusual patterns,
questionable transactions, and compliance risks buried deeply within organizational information systems.
These analytics mine vast amounts of data via clustering, variance-detection, linguistic searches, and other
techniques. When potential problems are detected, analytical tools issue automatic alerts calling for further
investigation.
If that sounds complicated, it should. After all, companies of all sizes now rely on a complex tangle of information systems, located on internal servers as well
as in the cloud. These systems process ever-increasing
amounts of data measured in gigabytes, terabytes, and
petabytes.
That being said, the process of using analytics does
not require an advanced degree in IT. Once the tools are
in place, leveraging information they produce is as easy
as 1-2-3, to which any finance director, human resources department, sales and marketing team, professional
sports manager, or amateur fantasy sports enthusiast
can attest.
Best Buy has used analytics to discover that slight
boosts in employee engagement scores correlate to significant increases in annual operating income. Financial planning and analysis functions routinely employ
analytics to forecast, with eerie accuracy, fluctuations
in revenue several quarters into the future. And perhaps
most famously, Oakland A’s General Manager Billy
Beane, who is played by Brad Pitt in the film version
of author Michael Lewis’ “Moneyball,” rose to prominence by employing analytics to sniff out up-and-coming baseball talent that conventional talent-scouting
either neglected or dismissed.
Spotting talent, it turns out, often is just as difficult
as identifying evidence of bribery and other forms of
corruption within organizations. Success in either endeavor requires the following approaches:
Copyright © 2012 Tableau Software. All rights reserved.
Once these analytical tools are in place and tailored
to your organization’s risk environment, you too can
be more like Brad Pitt. OK, you won’t become richer,
better looking, or world famous; but you can be a star
(at least within your company) by using analytics to get
a quicker, deeper, and more efficient view of corruption
and bribery risks. ■
OCEG Anti-Corruption Illustrated Series
Companies face significant economic hurdles as margins shrink and profit expectations grow.
Implementing and monitoring a strong anti-corruption compliance program under these
conditions can be daunting. Forensic data analytics—known as Anti-Bribery and Corruption
E-MAIL
analytics, or ABC analytics—can help companies cost effectively and efficiently use data
SALES REP
CALL NOTES
discovery to enhance their anti-corruption efforts.
WHY DATA ANALYTICS
GOALS & PLANNING
CONTROL
MONITORING
MATURE
COMPLIANCE
REACTIVE
INVESTIGATIONS
CRMs
ERPs
INCIDENT
RESPONSE
DRIVERS
RELATIONSHIPS
EXPECTATIONS
No single data source holds all the
answers to your questions. Organizations
collect data in numerous places, some
more structured than others. Find and
collect data from a wide range of sources.
The success of the project will ultimately be measured
by different expectations of various stakeholders. Define
these expectations and how they affect the approach
you will take before the project begins.
LIMITED RESOURCES
PREPARE FOR ANALYSIS
With companies trimming resources in support
functions, it is often difficult to get involvement from
the people you need. Success requires commitment of
compliance, audit, legal, IT, and other resources before
the project begins.
Extract data kept in different forms in
different systems, and then normalize and
cleanse it so that meaningful analysis can
take place.
DEFINE/SCOPE
Determine the key insights
needed and the core tests
to address the corruption
risk areas for your company
and industry. Build teams of
people with the right skills
and knowledge to define
data needs and locations;
determine key words and
patterns that indicate risk.
POTENTIAL CHALLENGES
IDENTIFY THE DATA
SOURCE
DATA
You can use data analytics proactively
and reactively to dig deep and find
both opportunities for and instances
of corruption.
PROACTIVE
TRADING
SYSTEMS
AVAILABILITY
Access to data can be limited by factors such as data owner
resistance, lack of awareness of relevance, and unknown
locations. Work with communication team members to
encourage sharing of information and access.
EXPLORE THE DATA
VIEW, ANALYZE, ACT Document lessons learned
during all phases of analysis and take action to
address identified issues and feed information back
into the models to improver future iterations. ABC
analytic systems should continually evolve to
become faster, better, and cheaper over time.
DISPARATE DATA SYSTEMS
With organizations getting larger through global
expansion and acquisition, it is rare to find globally
integrated data management and accounting systems.
The data preparation process must be flexible enough to
tie together varied systems into one platform for analysis.
OUTLIERS
CLUSTERING
TRENDS
PATTERNING
GLOBAL OPERATIONS
A “one size fits all” approach to data analytics is rarely
successful. Consider cultural differences that drive legal
requirements and individual behavior in countries of
operation. Include people with relevant language skills
and cultural knowledge on teams to analyze data and
communicate results.
LINGUISTICS
ANOMALY
DETECTION
INTERNAL
ASSURANCE
SETTLEMENT
REQUIREMENT
?
ACQUISITION
DUE DILIGENCE
RISK ASSESSMENT
INPUT
POST-ACQUISITION
ASSESSMENT
RISK ASSESSMENT
FOLLOW-THROUGH
KEY ADVANTAGES OF
A SUCCESSFUL MODEL
MINING
SEARCHES
INTERACTIVE
FORENSIC ANALYSIS
Interactive exploration includes
data mining and modeling
techniques that drill down, slice
and dice, pivot to analyze
words/numbers and risk rank
transactions, employees, and
third parties.
DIAGNOSTIC
ABC analytics offer a powerful tool for
anti-corruption compliance monitoring by
focusing on high-risk areas where traditional
rules-based anti-fraud tests have limited
detection capacity. Well-designed ABC analytics
have these distinctive features that reduce false
positives and increase overall detection.
contact Carole S. Switzer [email protected] for comments, reprints or licensing requests
©2012 OCEG visit www.oceg.org for other installments in the Anti-Corruption Illustrated Series
INFORMATION SHARING
DATA VISUALIZATION
Present data in role-based dashboards,
geographic maps, and custom search reports
to clearly communicate insights, anomolies,
and changes in a timely, repeatable way.
Intuitive, highly
visual, and simple
to navigate with
minimal training
the information to be collected are important factors to
be balanced. Determine what is really essential and limit
scope to avoid getting lost in the data.
Analyze and communicate findings to the
investigative/compliance field team for use in
determining field testing. Inform management as
appropriate. Consider final results to continuously
improve the anti-corruption program.
INTEGRATIVE
VISUAL
Identifies high-risk
areas that warrant a
deep dive analysis
of transactions and
source documentation
0 LARGE COMPLEX DATA SETS
10
00
01
11
01
1 The size of the data to be collected and analyzed must
1
10
10
00
10
be carefully considered. Both the depth and breadth of
0
10
1 11
FALSE POSITIVES
Data analysis will always create some false positives that
must be reviewed. Integrate a risk scoring methodology that
objectively prioritizes the highest-risk transactions and
reduces the overall risk of false positives.
COLLABORATIVE
Integrates statistical
and text-mining
techniques to spot
patterns and
anomolies, and
continuously improves
the analytical ability
of the system
COST EFFECTIVE
Allows secure
global sharing with
compliance and
investigative team
members as well
as key business
stakeholders
Saves time and money
with quicker, more
accurate fact finding
in ongoing
compliance
monitoring and
during investigations
©2012 Dachis Group
38
e-Book
39
A Compliance Week publication
Anti-Corruption Data Analytics: An OCEG Roundtable
SWITZER: The very idea of data analytics can
be intimidating to many compliance officers. Can you share how a forensic analysis
approach can help them to find instances
or patterns of bribery, or potential for
corruption to occur? Tell us why this approach is so important, and give us some
idea of how it actually works.
WALDEN: Imagine looking through your
company’s accounts payable activity from
your Russia operations and you come
across a sizeable cash payment to a vendor
that is described in the journal entry comments field as, “Goodwill fee as incentive
payment for business relations.” Further,
the vendor under review is a state-owned
entity. While nobody is going to book it
as a “bribe expense,” people come up with
creative ways to describe inappropriate
payments. By looking at these “free text”
payment descriptions, a new light is shed
on the data which makes it much easier
to identify. This is the core of integrating
anti-bribery and corruption analytics into
your monitoring program.
CRAFTON: Here are some of the concrete
steps you can take to find corrupt activity
by analyzing your data. There are five main
areas to analyze when looking for corruption. First is knowing who is involved by
analyzing vendors and agents. You might
stratify agent payments by time period and
currency amount, or by contract or project
code. Also, look for payments to vendors
that are not on the vendor master list or
large round sum payments to agents. This
may include commissions, recurring commissions, and cash payments in large round
dollars or unusual currencies. Second, consider corrupt intent behind a payment and
analyze the free text field general ledger entries for items such as cash disbursements,
travel & entertainment, marketing, and
charitable expenditures. As Vincent mentioned, this is a key component for looking
for improper payments.
Third, look deeper into cash disbursements and evaluate things such as duplicative payments and suspicious vendors; petty cash account use in selected countries;
and payments made without a P.O. or not
in the vendor master. People will get creative when looking for ways to extract cash
from a company to pay bribes so you have
to be creative as well. Fourth, look for suspicious recipients, considering customer
segmentation by country, Transparency
International’s CPI index, sale price and
margin analysis across customers and vendors, among other factors.
And last but not least, apply a business
purpose test analyzing revenue in different
ways such as trending analysis of revenue
by country and by customer, or calculation of effective commission rates paid to
agents. Any of these can point you to sus-
picious patterns and help you to uncover
corrupt activity.
SWITZER: What can you get from a forensic
analytics system that you can’t get by using
spreadsheets and collaborative information
sharing software?
A JENSTAT: The human visual system is a
great system for finding patterns and outliers. In the case of fraud, where you may
not have specific questions but are looking
for something unusual, this is even more
true. You need to see your data before
you know what you’re looking for. Once
you see something unusual, you want an
interactive visualization so you can drill
down, filter, apply sorts and highlights and
other contextual information to determine
whether what you’re seeing may be an indicator of fraudulent activity.
When you’re in a spreadsheet, you are
looking at rows and columns of data, and
it’s really hard to see trends or spot an outlier. Or you can go through a chart-wizard
process, but again you need to have an idea
of what you’re looking for first. An interactive and visual environment is excellent
for identifying patterns that are amiss.
WALDEN: I agree. The value in finding patterns and outliers is a key factor. In the
current regulatory environment, many
companies are modifying their inter-
ROUNDTABLE PARTICIPANTS
MODERATOR
Carole Switzer
President,
OCEG
Francois Ajenstat,
Director,
Product Management,
Tableau Software
Jared Crafton,
Senior Manager, Assurance
Services, Fraud Investigation and Dispute Services,
Ernst & Young
Vince Walden,
Partner, Fraud Investigation
and Dispute Services,
Ernst & Young
nal audit and or compliance monitoring functions to specifically incorporate
risks around bribery and corruption/
FCPA. As with any audit program, analytics—not just looking at policies and
procedures—should be integrated into
the work program. However, analytics around bribery and corruption are
fundamentally different than traditional
internal audit or “accounting” tests that
primarily rely on spreadsheets or “rulesbased tests” to evaluate the numbers in
accordance with accounting standards,
not FCPA.
In my view, the key difference is data visualization and text. What employees are
putting in the free-text fields of journal entries, accounts payable, sales data, or travel
& entertainment explanations can go a
long way in identifying “corrupt intent”
into a potentially improper payment or
transaction. Traditional auditing tools are
simply not designed to pick up kickbacks
and corrupt payments; hence, their detection rate is limited and their false positive
rates are high.
SWITZER: Does the system find and define
the corruption for you, or do you still have
to investigate to determine what schemes
are going on?
ness case for using these anti-bribery and
corruption analytics for a large, global
Fortune 500 company by reducing their
number of site visits from 20 locations
to around eight and reducing the time in
country from four weeks to two weeks,
saving over $500,000 and providing a more
through audit by testing 100 percent of the
payment data for all 20 counties.
CRAFTON: As Vincent mentioned, no suite of
analytical tools will be able to define corruption for you. However, they can point
you in the right direction. An effective anti-fraud and corruption analytics methodology is designed to get smarter over time.
Each iteration of analysis will bring new
tests, procedures, and review techniques to
light. Knowledge gained in one country or
one business unit can be applied in future
analytics.
Beyond the analytics, the people reviewing
the results must have experience in these
areas. Even with as much decision support
as can be built into reports, there is no replacement for investigative experience. We
use a library of over 3,000 terms in over a
dozen languages developed by our investigators around the globe to help us identify
issues.
SWITZER: People have trouble justifying
WALDEN: No. These analytics won’t confirm that any fraudulent or corrupt payment has taken place, only a court of law
can do that; however, they will tell you
where to look.
Significant cost and time savings can be
achieved by incorporating these analytics on a “pre-field work” basis to identify
high-risk countries and business operations. Drilling in deeper, these pre-field
work anti-corruption analytics “arm” the
investigator with high-risk vendors, employees, transactions, or expenses before
they hit the ground so that they can make
the best use of their time in country.
In one example, we helped make the busi-
budgets these days, so tell me, is the use of
a sophisticated data analytic approach really only for large companies?
A JENSTAT: Sophisticated data analytics
does not need to be a heavy, expensive
implementation. In fact, instead of large
monolithic systems that need developers
to change the output, what you want in
forensics is a more agile approach. There
are tools that are highly visual—that
should be one of your criteria. Another
criteria should be a self-service approach.
Your forensics analysts need to be able to
quickly hypothesize, test, disprove—and
start again. And in general, you should be
suspicious of any system that requires a
massive deployment before it proves itself.
Look for something that can grow as your
needs grow.
WALDEN: Recognizing that large, global
companies doing business in the emerging
market countries are at a very high risk for
bribery and corruption, all companies doing business in emerging market countries
should be considering anti-bribery and
corruption analytics into their monitoring
and compliance programs. Taking a riskbased, focused approach will help companies target where to focus these analytics—as these analytics are not intended to
be run across the entire enterprise.
SWITZER: Let’s close with one example of an
actual data analytics. Jared, can you share
something?
CRAFTON: Sure. We had a situation where
the Department of Justice had required our
client to analyze nearly a million transactions for suspected bribery payments. We
reviewed a sample of 2,000 transactions
in detail with supporting documentation
such as vouchers, invoices, and approvals
which led us to identify 400 suspicious and
1,600 non-suspicious entries.
Based on what we learned, we created a
predictive model to identify potentially
improper payments and applied it to the
remaining 948,000 additional transactions,
which resulted in identification of 14,000
more potentially improper payments totaling more than $8 million. The methodology had over 95k percent confidence level
and DoJ accepted this approach, which not
only saved potentially thousands of hours,
but also allowed for deep, timely analysis
of the data.
Not surprisingly, the key variable in the
high-risk population of 400 payments was
when the word “volume contract facilitation” or “release expense” was in the free
text payment description. That is the power of a data analytic approach supported by
text mining and statistical software developed for this purpose. ■
OCEG Anti-Corruption Illustrated Series
OCEG is ready to help you address the challenges that you
face today. Join the thousands of individuals in the OCEG
community and stay on the path to 1rincipled 1erformance™
Principled Performance™ is a management discipline that enables an organization to clearly define its principles and goals,
determine how it will address risks and uncertainties, and grow and protect value. Achieving Principled Performance™
demands the clear articulation of objectives and the methods by which you will establish and stay within mandatory and
voluntary boundaries of conduct while driving toward those objectives.
OPTIMIZE YOUR:
Governance
Ensure that sound governance
structures are in place “below
the board” so that the right
information about the right
issues is available at the right
time.
Risk
*OUFHSBUFSJTLNBOBHFNFOU
with strategic planning and
NBJOUBJOB¡ view of
organizational risks and
effectively allocate resources
to address them.
Ethics & Compliance
Establish practices and a
culture to prevent misconduct,
inspire desired conduct, detect
problems and improve
outcomes.
'JOBODF
Reduce costs and optimize
how you allocate capital to
governance, risk, and
compliance processes so that
GRC is better aligned with
the business.
Technology
"EESFTT*5DPNQMJBODFJTTVFT
and the alignment of
information technology to
general GRC needs in the
rest of the business.
Audit
Go beyond financial processes
and assess the design and
operation of controls for
governance, risk management,
compliance, and ethics efforts
throughout the enterprise.
-FHBM
*EFOUJGZBOEFTUBCMJTITPVOE
practices to address your legal
risks and improve your ability
to detect and correct issues;
while improving your ability
to defend the organization.
EXECUTIVE SUPPORT AND SOLUTIONS
t#SJOHZPVSNBOBHFNFOUUFBNUPHFUIFSJOUIF
0$&(4USBUFHZ-BCXJUI0$&(FYQFSUTXIPDBO
help you integrate GRC with business strategy
RESOURCES AND TOOLS
Thousands of resources developed, collected, and organized
by OCEG and shared within the OCEG Community:
t(VJEFTBOEIBOECPPLT
t-FBSOIPXUPJNQMFNFOUUIF0$&('SBNFXPSL
in your organization by working with OCEG
staff and partners
t5IF(3$*MMVTUSBUFE4FSJFT‰QJDUPSJBM
explanations of key GRC processes
t(3$4VSWFZTSFTFBSDIBOE
benchmarking reports
EVENTS AND NETWORKING
t5PQJDBMXIJUFQBQFSTBOEBSUJDMFT
t(3$¡0$&(TNBHB[JOF
presenting critical
perspectives on governance,
risk, compliance, and
culture
t-JOLTUPLFZHPWFSONFOUBOE
organizational guidance
documents
-EARN MORE AT
Coaching
t0QQPSUVOJUJFTUPXPSLUPHFUIFSXJUIQFFST
to address GRC challenges from every angle
Webinars
Strategy
-BCT
t-JWFBOEBSDIJWFE8FCJOBST
t&YDIBOHFWJFXQPJOUTBOEJEFBT
Events
FRAMEWORKS & GUIDANCE
PROGRAM CERTIFICATION
t Comprehensive GRC Capability
Model developed and vetted by
hundreds of experts and reviewed
by thousands
t1SPWJEFBTTVSBODFUPUIFCPBSE
and senior management that
GRC processes are sound
t(BJOFYUFSOBMSFDPHOJUJPOPG
excellence
t Searchable database of laws,
regulations, standards, and
guidance from many sources
t Searchable library of sound
practices you can apply to
address governance, risk,
and compliance
requirements at your
organization
t4FMFDUUIFJOGPSNBUJPOZPV
need and use it the way
that works best for you
through OCEG’s custom
report feature
Resources
1SPEVDUBOE
1SPHSBN
Certification
Conversations
Take back tools you
can use to help your
organization and
your career
(3$¡
This group develops strategic
and technical resources to help
*5BOECVTJOFTTQSPGFTTJPOBMT
improve the application of
technology to GRC.
1SPKFDUTJODMVEF
t GRC Taxonomy™
t GRC Blueprint™
t (3$9.-™
t (3$*53PBENBQ™
$PSF1SPDFTTFT
Embed sound GRC practices in
all lines of business and core
processes so that business
owners and operators are
accountable for GRC success.
Ad
dr
ess
PO
RT
AL
Technology
Create
Value
PEOP
LE
s
ie
r
nd
u
Bo
PROCE
hin LOGY
t
i
W
O
HN
Stay
C
TE
ASSESSMENTS,
MEASUREMENTS,
& BENCHMARKS
t Tools to evaluate your GRC
processes and benchmark
with peers
t Benchmarking studies and polls
t Assessment tools and processes
SSES
OUR APPROACH AND
CAPABILITIES ARE DISTINCT
Multiple Professions come
together in ONE PLACE
OCEG can assist you on
UIFQBUIUP1SJODJQMFE
1FSGPNBODF™ with tools
and resources you can
use to:
t%FTJHOBOENFBTVSFZPVS
GRC efforts against a
business process model
developed by hundreds of
business, financial, legal
and technology experts,
and publicly vetted by
thousands.
Benchmarks
Assessments
Council
Un
cert
ainty
OUTCOMES
t&TUBCMJTIBOJOUFHSBUFE
organization-wide
approach to GRC ensuring
the flow of consistent
information.
YOU
AND YOUR
ORGANIZATION
are at the center
of everything
that we do
GRC
*MMVTUSBUFE4FSJFT
TECHNOLOGY COUNCIL
www.oceg.org
t#FODINBSLZPVS
organization’s performance
against peers, and
participate in targeted
industry research and
resource development.
t+PJOGPSDFTXJUIQFFSTXIP
are managing governance,
risk, and compliance
challenges from every
angle.
t%PZPVSKPCCFUUFSGBTUFS
and more economically
with the right tools.
PEOPLE
PROCESSES
TECHNOLOGY
OCEG is the only non-profit organization that brings you
an expert executive team with backgrounds in business,
legal, finance, audit, technology, research and compliance,
and ethics management. Our hands-on experience
provides the background and understanding to help you
put principles into practice in your organization.
A collaborative, open process to
develop publicly vetted standards
and guidance addressing the full
scope of governance, risk,
compliance, and ethics
management and measurement.
An interactive online content
portal with cross-referenced and
linked resources including full-text
search and custom reporting.
Get what you want, how you
want, and when you want it.
©2008 OCEG®
42
e-Book
43
A Compliance Week publication
OCEG is a nonprofit think tank dedicated to helping organizations reliably achieve their objectives, while addressing uncertainty and acting with integrity. This is what OCEG calls Principled Performance, and it is a goal that every organization
can achieve by integrating and aligning their approaches to the governance, assurance and management of performance, risk
and compliance. Processes for achieving that integrated approach, commonly called GRC, is supported by the open source
standards set out in OCEG’s Red Book GRC Capability Model. The companion set of agreed upon procedures set out in
OCEG’s GRC Assessment Tools (the Burgundy Book) provide an opportunity for self-assessment and OCEG certification
of the design and operation of an organization’s entire GRC capability or aspects of it as they are matured over time. OCEG
offers hundreds of resources, online and live training opportunities, and a community within which individuals can continually build their skills and organizations can collaborate. Learn more at www.oceg.org.
Dealing with complex issues of fraud, regulatory compliance and business disputes can detract from efforts to achieve your
company’s potential. Better management of fraud risk and compliance exposure is a critical business priority – no matter the
industry sector. Our more than 1,000 fraud investigation and dispute professionals around the world bring the analytical and
technical skills needed to quickly and effectively conduct financial investigations, quantify economic damages, and gather
and analyze electronic evidence. Working closely with you and your legal advisors, we assemble the right multidisciplinary
and culturally aligned team, and bring an objective approach and fresh perspective to these sensitive and contentious situations – wherever you are in the world. And because we understand that, to achieve your potential, you need a tailored service
as much as consistent methodologies, we work to give you the benefit of our broad sector experience, our deep subject matter
knowledge and the latest insights from our work worldwide. It’s how Ernst & Young makes a difference. Learn more at www.
ey.com/FIDS.
With over 900 attorneys and 56 offices, Littler Mendelson is the largest U.S.-based law firm exclusively devoted to representing management in employment and labor law matters. A centerpiece of Littler’s practice is our ability to help employers
take preventive measures to avoid costly litigation and administrative penalties, while improving productivity and helping to
build a workplace of mutual respect. These efforts not only make good business sense, they come at a time when companies
are under intense scrutiny, coping with added responsibilities and new workplace requirements, which are being vigorously
enforced. The culture of a workplace is an important source of value for every organization. At Littler, we believe that each
time an employee makes a decision for the organization, that decision should be made according to the employer’s values,
principles, and strategic objectives. Littler’s corporate compliance attorneys have the experience to assist clients in developing
corporate compliance and ethics programs that build and protect value, engage employees, and help avoid costly legal expenses. Our Corporate Compliance and Ethics Group provides a number of services that fall into the following areas: creating
programs, analyzing risk, program evaluation and assessment, policy and procedure development, training and education,
investigations, and employment law compliance auditing. Learn more at www.littler.com.
For more than 25 years, SAI Global Compliance has provided hundreds of organizations with a wide range of governance,
risk and compliance (GRC) products, services and technology that help build organizational integrity and effectively manage compliance risk. We are the only GRC company in the world who understands the complexity of building compliance effectiveness and delivers: (1) highly customizable learning and communication courses and tools on a leading LMS
(2) third party risk management including automated third party due diligence questionnaires, automated risk scoring
and analytics, and training and certification and (3) the integration of multiple GRC functions including hotline, ethics
reporting, policy management, gifts and entertainment registers, conflicts disclosures, surveys and assessments, and audit
management – all with dashboard reporting to trigger needed activity, and supported by an in-house advisory services
team for Code of Conduct design and development, benchmarking, risk assessments, program effectiveness reviews, and
policy advice. Our SaaS-based Compliance 360® GRC Software Suite received the highest scores for customer satisfaction
among all vendors included in the 2011 “The Forrester Wave™: Enterprise Governance, Risk and Compliance Platforms,
Q4 2011,” published by Forrester Research, Inc. Learn more at www.saiglobal.com.
The Thomson Reuters Governance, Risk & Compliance business delivers the most comprehensive suite of solutions designed to empower audit, risk and compliance professionals, business leaders, and the Board’s they serve. Our business
provides intelligent information, premium software, and world class professional services that enable organizations to
reliably achieve business objectives while addressing uncertainty and acting with integrity. Through the Thomson Reuters Accelus suite, the GRC business brings together Thomson Reuters market-leading solutions for global regulatory
intelligence; financial crime; anti-bribery and corruption; enhanced due diligence, compliance management; internal audit;
e-learning; risk management; and, filing, board of director and disclosure services. Thomson Reuters Accelus is the combination of proven, best-in-class technologies and services with the common goal of managing business risk and driving business value. As a comprehensive suite of solutions built to address the GRC challenges of legal, compliance, audit, and risk
management professionals, Thomson Reuters Accelus connects the capabilities of the heritage businesses of Complinet,
World-Check, Paisley, Oden, Westlaw Compliance Advisor, and EDGARfilings. This powerful, connected suite of solutions addresses the goal of integrated GRC by delivering proactive insight into legal and regulatory changes, dynamically
connecting intelligent information with business experts, and empowering informed choices by providing greater visibility
and transparency into business risk. Learn more at www.accelus.thomsonreauters.com.
Tableau Software helps people see and understand data. Tableau’s award-winning software delivers fast analytics, visualization and rapid-fire business intelligence on data of any size, format, or subject. The result? Anyone can get answers from
data quickly, with no programming required. From executive dashboards to ad-hoc reports, Tableau lets you share mobile
and browser-based, interactive analytics in a few clicks. More than 7,000 organizations, including some of the world’s
largest enterprises, rely on Tableau Software. See how Tableau can help you by downloading the free trial at www.tableausoftware.com/abc-analytics.
®
Your source
for GRC resources and education
DRIVING PRINCIPLED PERFORMANCE ®
Learn more and
join today at
www.oceg.org/signup