In some parts of the world, bribing government officials is still considered a normal cost of doing business. Elsewhere there has been a growing trend over the past 40 years to make it illegal for a corporation to pay bribes. In the United States, Congress passed the Foreign Corrupt Practices Act (FCPA) in 1977 in the wake of a succession of revelations of companies paying off government officials to secure arms deals or favorable tax treatment. More recently other governments have implemented anticorruption statutes. The U.K., for instance, enacted the strict Bribery Act in 2010 to replace increasingly ineffective statutes dating back to 1879. The purpose of these actions is to enable ethical and law-abiding companies to compete on a level playing field with those that are neither. A cynic might wonder about the real, functional difference between, say, Wal-Mart’s recent payments to officials in Mexico to accelerate approval of building permits and the practice in New York City of having to engage expediters to ensure timely sign-offs on construction approval documents. No matter – the latter is legal (it’s a domestic issue, after all) while the former is not.
Moreover, the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have increased their oversight of bribery. At the beginning of 2013 they jointly issued the Resource Guide to the U.S. Foreign Corrupt Practices Act. For its part, the SEC has stepped up enforcement using its own resources. Recently, it charged a group of bond traders with enabling a Venezuelan finance official to embezzle millions of dollars by disguising the money as fees paid to the broker/dealer to handle apparently legitimate transactions. Tellingly, though, there was another relatively recent bribery issue that involved Morgan Stanley where the SEC declined to include that company in an enforcement action because it had demonstrated diligence to prevent it.
Before anticorruption laws, it was expedient for corporations to pay government officials to close business, get preferred status or prevent punishment. Once the laws were established, that stopped being the case. However, from a management standpoint, compliance with the law became complicated because of the dual nature of the corporation, which is both an entity and a group of individuals. In the case of the latter, when an individual breaks the law, is that person at fault, is the corporation or are both? Regardless of how a case is decided, there can be severe reputational damage to a company found violating the law, and that will have repercussions for corporate boards and executives.
This question leads to the agency dilemma, an important consideration in enterprise risk management. Economists long ago recognized the agency dilemma when the modern corporation separated the roles of its principals (that is, the shareholders) from its management. The agency issue exists where the best interests of the principals are either not aligned or in conflict with the interests of the agents (the professional managers running the corporation). But agency issues also extend to the company’s executives and may be rife in any large-scale business. Within the management group, authority to act independently is delegated down through the hierarchy, and the interests of the lower-level managers may be in conflict with those of senior executives, the board of directors and shareholders. For example, suppose that a local manager believes his performance evaluation, compensation and prospects for promotion hinge on the timely opening of a new facility. Confronted with a culture of payoffs for permits, that manager may try to find a way to pay officials for expedited consideration, especially if he is local to the area. From that individual’s perspective, corrupt activity may be the norm, and he may believe himself to be clever enough to violate company policy without detection.
It was once acceptable for a company to claim that it had a stated policy prohibiting bribery and that executives were ignorant of an employee’s actions. Absent proof to the contrary, that often was enough. However, the FCPA changed this norm, imposing the need for diligence and affirmative actions on the part of companies to prevent employees from breaking the law as well as to detect and report any such violations that do occur (which is how the Wal-Mart situation came to light). Public standards, too, have changed since the 1970s. Despite its self-disclosure after the fact and the steps it took to address the corrupt behavior, Wal-Mart suffered severe reputational damage. Yet even with the likelihood potential consequences, our benchmark research reveals that just 6 percent of companies have effective controls for managing reputational risk.
We assert that the most effective control is to prevent illegal activity from taking place at all. Short of that, companies that can demonstrate that they have taken all reasonable steps to prevent a violation of the law are in a better position to claim that the individual, not the company, is at fault.
An organization should have clearly articulated and documented antibribery and corruption policies and procedures, institute mandatory training of and signed acknowledgements of having taken it by executives and managers, and put in place incentives and disciplinary measures. However, these required measures are increasingly insufficient to demonstrate diligence in preventing corrupt activities. Companies also must have a software-supported internal control system that flags suspicious activity immediately and triggers a rigorous remediation process that analyzes, investigates and documents the disposition of each incident. Incidents that are detected long after their commission are more difficult to cope with and pose much higher legal, financial and reputational risk.
Software is available that helps detect activities that violate anticorruption laws and regulations as they occur or shortly thereafter; this is far more effective than waiting for internal audits or (worse still) whistleblowers to uncover malfeasance. To prevent violations of the FCPA and other antibribery statues, corporations must be able to monitor their financial and other systems for warning signs. These applications take advantage of operational intelligence, a class of analytical capabilities built on event-focused information-gathering that can uncover suspicious actions as they occur. Our research on innovating with operational intelligence shows that companies use an array of systems (led by IT systems management and major enterprise applications such as ERP and CRM) to track events, analyze them, report results and create alerts when conditions warrant them, as detailed in the related chart. The research also shows that about half (53%) use 11 or more information sources in implementing their operational intelligence efforts. In the future, effective FCPA software increasingly will need to look at a wider range of internal data as well as information from external sources and social media to determine, for example, whether a consulting company that just received a finder’s fee is run by or employs a relative of a government official. Today, companies can utilize software from large vendors such as IBM, Oracle and SAP, as well as vendors with FCPA-specific software such as Compliancy and Oversight Systems.
Bribery and corruption are unlikely to disappear entirely. Regardless of anyone’s best intentions, corporate boards and executives can find themselves enmeshed in a scandal not of their own devising. The best defense in such cases is plain evidence that the organization has done everything reasonable to prevent its occurrence and has discovered and dealt with it promptly if it does. Policies and training are vital components, but software can be the extra component necessary to improve the effectiveness of monitoring and auditing to support anticorruption efforts.
Robert Kugel – SVP Research