anti-bribery & corruption compliance - navex global · •ensure continuous monitoring of all...

© 2015 NAVEX Global, Inc. All Rights Reserved.

www.navexglobal.com © 2015 NAVEX Global, Inc. All Rights Reserved.


www.navexglobal.com

Anti-Bribery & Corruption Compliance: Where Does the Future Take Us?

Randy Stephens, NAVEX Global & Michael Volkov, Volkov Law Group




www.navexglobal.com

• Why do anti-bribery and corruption (ABC) programs and third party practices matter?

• What current best practices exist for ABC and third party programs?

• What new standards and practices are we likely to see in the next 2-5 years?

• What new ABC challenges are you likely to face in the future?

• How can your compliance program and organization prepare to meet these challenges?

• Questions?

Agenda




www.navexglobal.com

A B C C o m p l i a n c e : W h e r e D o e s t h e F u t u r e T a k e U s ?

WHY DOES IT MATTER?




www.navexglobal.com

Where is Your Company Now?

Q: When it comes to my company’s ABC program, the word or phrase that best describes it is:

1. Best Practice

2. We have a strategic plan and we are executing it over the next 2-5 years

3. More is needed

4. We hire honest people

5. I have the DOJ on speed dial




www.navexglobal.com

• High compliance priority: third parties continue to be the focus of FCPA enforcement actions.

• Third-party violations

• FCPA Guidance emphasizes importance of risk-based due diligence

• Effective due diligence program has to allocate resources and effort in response to risks

• Applies to screening, monitoring, auditing and compliance program awareness

U.S. FCPA & International Enforcement




www.navexglobal.com

DOJ and SEC Guidance issued in 2012 reiterates significant incentives to design and implement “effective” compliance program – amount of fine, declination, DPA or NPA or monitorship.

Importance of Ethics and Compliance

“In appropriate circumstances, DOJ and SEC may decline to pursue charges against a company based on the company’s effective compliance program, or may otherwise seek to reward a company for its program, even when that program did not prevent the particular underlying FCPA violation that gave rise to the investigation.”




www.navexglobal.com

Due Diligence: Foundation of an Effective E&C Program

Due diligence is absolutely essential to an “effective” compliance program:

• Third party agent risk: “implementing an effective compliance program, which includes due diligence of any prospective foreign agents.” (pg. 23)

• Charitable giving: “DOJ approved the proposed grant or donation based on due diligence measures and controls … .” (pg. 19)

• Documentation of due diligence: the SEC brought an administrative action where there was a “lack of documented due diligence” regarding a subsidiary. (pg. 28)

• M&A: “DOJ and SEC encourage companies to conduct pre-acquisition due diligence … .” (pg. 28) and “appropriate due diligence, and implementation of an effective compliance program may decrease the likelihood of an enforcement action … regarding post acquisition conduct… .” (pg. 30)




www.navexglobal.com

The Key to Effective Due Diligence is Risk-Based

• “Effective” compliance programs will reduce the impact of a violation that is discovered.

• “DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.” (DOJ FCPA Guidance, pg. 59)

• Ralph Lauren (NPA – internal identification and self-reporting)

• Morgan Stanley (NPA – compliance program credit)




www.navexglobal.com

Third Parties Add Risk

• Use of third parties is increasing*

• Over 90 percent of FCPA investigations involve payments by third parties

• OECD Foreign Bribery Report (2014) confirmed that intermediaries pose the single greatest bribery risk for companies, concluding that 75 percent of foreign bribery schemes are executed through an agent or other third party

• Liability can attach to the company engaging the third party if they knew, or should have known, that the third party had a history or propensity to bribe

* NAVEX Global’s Third Party Risk in a Global Environment: Key Survey Findings




www.navexglobal.com

Your Company’s Response to Third Party Risk

Q: Which of the following most closely describes the primary method used by your company address third party risk?

1. We require the third parties to have insurance

2. We contract with them through a shell corporation

3. We tell them “not to do anything we wouldn’t do”

4. We use a risk based approach to due diligence

5. We randomly select 10 percent of our third parties to audit

6. We only use third parties recommended by our government partners




www.navexglobal.com


CURRENT BEST PRACTICES




www.navexglobal.com

• Culture of compliance

• Written and communicated ABC policy and procedures addressing:

Gifts, entertainment and travel

Facilitation payments

Accurate recordkeeping

Use of third parties

• Training

Targeted (curriculum map basis)

OLT and live

Scenario-based

• Monitoring and auditing

• Effective due diligence

Elements of an Effective ABC Program




www.navexglobal.com

A Foundation of Due Diligence

• Due diligence should be designed to identify and reduce risk as well as create legal defense against bribery committed by third party

• Not to predict which third party will engage in bribery

• Negate “corrupt intent” and document good faith screening of potential third parties for corruption risks

• Due diligence system should fairly and objectively pre-screen third parties, and even reject some third parties

• There is no burden of proof (no preponderance, or clear and convincing standard) and program should not define an evidentiary standard

• Applies equally to M&A target third parties – don’t “buy” ABC liabilities




www.navexglobal.com

Add the Filter of Risk-Based Due Diligence

• DOJ, SEC, OECD and UK Bribery Act emphasize the importance of risk-based due diligence

• Assign weighting and apply formula with thresholds for level of scrutiny and remedial steps to reduce risk

Country (e.g. Transparency International CPI Ranking)

Relationship with foreign officials: Former and existing relationship

• Capture connection (once removed, twice-removed, etc.)

Referral from foreign official

Prior history of corruption or allegations of misconduct

Anti-Corruption compliance program

Nature of services or industry

Size and nature of the transaction

Historical relationship with the third-party




www.navexglobal.com

• Third party policies

• Third party automated solutions, e.g. NAVEX Global 3PRM

Document and due diligence management

Dashboards

Continuous monitoring – not “one and done”

• Open source intelligence

Basic information including Internet search and company financial due diligence

Relationship to government and government officials

Media sources, public filings and information on state-owned enterprises

Basic Level Third Party Tools




www.navexglobal.com

• Questionnaire

Ensure party willing to sign written contract with anti-corruption provisions

• Standard contractual provisions: certification of compliance; audit and termination rights (if applicable)

• Internal business sponsor and relationship to third party

Business justification and specific services third party will provide

Basic Level Third Party Tools (cont.)




www.navexglobal.com

Document, Document, Document

• Prepare a due diligence file for each candidate

• Due diligence file = running log of due diligence process

• Build a file which contains every piece of information and every action taken

• File should include, at appropriate points, approval of in-house or external attorneys for action proposed and taken




www.navexglobal.com

What Are Red Flags?

• Circumstances which indicate an increased risk of corruption

• Government will cite each red flag as proof of “willful blindness”

• Due diligence process has to identify and “resolve” or respond to all red flags




www.navexglobal.com

• Allegations or reputation of corruption or misconduct

• Large or unusual compensation arrangements

• Status as existing or former foreign government official

• Close ties to existing or former foreign official

• Lack of transparency of ownership structure

• No track record in industry or no “business purpose”

• Suspicious payment arrangements or cash

• Limited access to information

Common Red Flags




www.navexglobal.com

How to Resolve Red Flags and Risks?

• Additional factual investigation

• Representations and warranties

• Contractual modifications

• Focused investigation

• Advice of Counsel

• Enhanced investigation




www.navexglobal.com


NEW STANDARDS AND GUIDANCE




www.navexglobal.com

DOJ and SEC Expectations

• Sophisticated, due diligence systems, especially for mid-size and large companies

• Due diligence requirements extend into supply chain management

• Greater justifications for reducing amount of due diligence for mid- and lower-risk third parties, and vendors and suppliers

• DOJ and SEC are monitoring market and technology capabilities

• New developments and expectations surrounding monitoring and auditing requirements for third parties

• Best practices and norms are developing around initial screening, renewals and monitoring/auditing practices




www.navexglobal.com

ISO 19600:2014

8.3 – Outsourced Processes

• “The organization should ensure that outsourced processes are controlled and monitored.”

• Key guidance:

Use of third parties does not relieve the organization of its legal responsibilities or compliance obligations

Need to undertake effective due diligence to ensure organizations’ standards are not lowered

Controls need to ensure that the contract is complied with (e.g. third party performance appraisals

Consider compliance risks related to other third party processes… and put controls in place as necessary (e.g. contract provisions)

• Still short on specifics




www.navexglobal.com

• Collect and analyze information to identify third parties and measure risk

• Apply across-the-board standards and procedures at every step of the process

• Weigh business need and justification against risk

• Minimize overall risk to enterprise

Four Universal Principles




www.navexglobal.com

Screening, Monitoring, Mitigation, Renewal & Auditing




www.navexglobal.com

• No longer can the requirement be satisfied solely by acquiring audit rights

• Who do you audit?

• How are they selected?

• What do you do with the audit results?

• How do you take into account risk factors?

• Do you devote sufficient resources to monitor third parties?

• Do you devote sufficient resources to audit third parties?

What Are Your Monitoring and Auditing Practices?




www.navexglobal.com

Monitoring Third Parties

• Risk rank third parties annually (even twice a year)

• Ensure continuous monitoring of all third parties through management system

• Respond to reports of third party involvement in misconduct

• Assign monitoring tools based on relative risk ranking

• Document monitoring strategy and obtain legal approval

• Tools for Monitoring/Response:

Audit, transaction testing, spot checks, invoice verification, unannounced visits/meetings, annual training, more frequent certifications, refreshed due diligence, additional training, compliance reminders




www.navexglobal.com

Auditing Third Parties

• Annual auditing plan developed using specific risk formula

• Design specific auditing plan for year (or two)

• Modify plan depending on circumstances and new issues

• Obtain advice of counsel regarding audit plans

• Assign audit resources based on relative rankings

Formal financial and compliance audits

Issue spot-checks on specific issues when certain threshold

Transaction testing

Desk-top or phone audits

Formal audits




www.navexglobal.com

Manage All of Your Risks

• You cannot ignore mid- and low-level risks

• Disproportionate allocation of resources to focus solely on high-level risk exposes the company to serious enforcement risks

• Make sure you allocate adequate resources in proportionate fashion based on mid-level and low-level risk samples

• Design monitoring and auditing program to address these risks

• Build in controls to your management system (or make sure vendor does so to address these risks)

• Continuously review and modify this process




www.navexglobal.com

• Use of consistent risk formula and policy is best protection for due diligence system and company

• Objective system versus subjective system

• Objective is based on risk formula, assigning weights to specific factors, depending on the category to get relative ranking

• Subjective is based on gut-check assessment of relevant factors

• DOJ will not second guess risk ranking formula so long as you are consistent, explain the policy and stick to it

Risk Formulas




www.navexglobal.com

• Regularly review third parties (at least annually)

• May lead to a “cleansing” process – clear away deadwood and redundant third parties

• Focuses inquiry on benefits of third parties

• Weigh the benefits against the risks/costs of the third party

• Inquire where compliance and business needs coalesce

Updating Business Justification




www.navexglobal.com


CHALLENGES




www.navexglobal.com

Consider Entire Scope of Relationships

Source: Compliance and Ethics Leadership Council




www.navexglobal.com

Gathering & Coordinating Information Forms the Foundation of Due Diligence Information needs to come from a number of sources:

Internal policies &

procedures

Third party forms

Investigative services

Enhanced Due

Diligence

Ongoing Monitoring

Risk Identification




www.navexglobal.com

• In many ways the compliance field is in the midst of a paradigm shift

• In the “old” days, compliance officers struggled to get enough data to analyze

• In the future, compliance officers will struggle with managing and analyzing large volumes of data.

• Integrated systems platforms will be an indispensable tool

Paradigm Shift




www.navexglobal.com

• Effective risk identification requires gathering and analyzing more and more information

Gathering information is time consuming!

Analyzing information is time consuming!

• The future of effective risk identification lies in the ability to streamline, simplify and document the process.

The New Challenge: Managing Information (aka Big Data)




www.navexglobal.com

• Volumes of information gathered must be managed

• Effective risk management requires identifying and targeting high risk areas

• Automated third party solutions

Risk-Based Due Diligence Requires Targeting Resources




www.navexglobal.com


WHAT CAN YOU DO TO PREPARE FOR THE FUTURE?




www.navexglobal.com

Maximize Proactive Risk Reduction

• Verified invoices and payments

• Monitoring

• Additional training and monitoring

• Require participation in training program (or existence of comparable compliance program and training)

• More than annual certifications

• Additional compliance reminders

• Update and renew due diligence

• Agent and distributor codes of conduct

• Office, country or region-specific compliance program reviews




www.navexglobal.com

Leverage Technology Solutions

• Automate processes to reduce time and money

• Look for administrative efficiencies

• Avoid information silos across the organization (third party, procurement)

• Devote time and effort to creative monitoring and auditing systems

• Use on-line certifications, questionnaires, training, compliance reminders and communications




www.navexglobal.com

• Focus on overall risk

• Allocate resources in response

• Third parties are one of several high risk areas

• EFFECTIVE Risk Identification

Build Enterprise Risk Management Systems




www.navexglobal.com

Q: How Do You Plan to Meet the Third Party Challenge?

1. My company already has an automated third party system

2. My company is evaluating an automated third party system in the next 12- 24 months

3. My company adequately manages its third parties using an in-house system or multiple spreadsheets and processes

4. I plan to follow to the letter the excellent advice I just received

5. I am renewing my passport for a country without an extradition agreement with the U.S.

1. My company has an automated third party system

2. My company is evaluating a third party system

3. My company manages its third parties in-house

4. I plan to follow the advice I just received 5. I am renewing my passport for a new

country




www.navexglobal.com

Questions?




www.navexglobal.com

Thank You

Randy Stephens Vice President, Advisory Services [email protected]

Michael Volkov Owner & CEO, Volkov Law Group [email protected]

mailto:[email protected]

mailto:[email protected]

anti-bribery & corruption compliance - navex global · •ensure continuous monitoring of all...

Documents