Strengthen anti-bribery and anti-corruption measures

In our most recent Global Economic Crime SurveyOpens in a new window, a significant majority of respondents globally and in Canada agreed corruption risks aren’t receding, while enforcement efforts are gathering pace.

Almost three-quarters (73%) of Canadian respondents believe the risks associated with corrupt or improper payments to government officials and/or commercial customers either stayed the same or increased in their industry in the last 12 months. At the same time, 90% of Canadian respondents agree government efforts to enforce anti-corruption laws are staying steady or becoming more robust in the countries where they operate.

Increasing regulatory expectations, heightened anti-corruption enforcement and increasing social demand for responsible business practices globally appear to be catching the attention of Canadian leaders. In many cases, these changes and enhanced understanding are triggering a long-overdue organizational culture shift on compliance.

Here we explore the importance of four key regulatory expectations compliance professionals must incorporate into their organization’s anti-bribery and anti-corruption (ABAC) compliance programs. 

Key regulatory expectations in ABAC compliance

1 - Anti-corruption-specific risk assessments

2 - Third-party risk management

3 - Data analytics

4 - Whistleblower programs

As all compliance professionals know, the starting point for any effective risk management program is to understand your risks. While many Canadian organizations regularly conduct fraud risk assessments, some of which include corruption risk scenarios, many organizations have never completed an anti-corruption-specific risk assessment, or if they have, haven’t refreshed it in a number of years.

Conducting an anti-corruption-specific risk assessment is critical, as the motivations and incentives behind “typical” frauds (e.g. asset misappropriation, cyber) and corruption differ drastically. Typical fraud risks, including cyber, result in the extraction of funds or assets from your organization (losses). As such, the incentives and motivation to prevent these frauds are quite obvious and often shared among internal stakeholders. However, because corruption results in a benefit to the organization (e.g. new sales, avoidance of penalties and/or fines, expedition of services and/or permits), incentives and motivations within the organization to prevent corruption can be grey.

Organizations must design their risk assessments to thoroughly understand the incentives of their employees, third parties, sales agents and distributors (for example, are sales agents commission-based?). They must understand the cultural and political risks associated with doing business in foreign countries, who from their organization is interacting with foreign officials—and how, as well as the extent of autonomy in their foreign operations. These understandings are achieved through consultation with as many stakeholders, business units and regions as possible, not simply with the same individuals and departments as in fraud risk assessments.

Once an organization deeply understands the internal and external incentives and motivations impacting their corruption risk, they can begin to design a program that adequately addresses the risks.

In our survey, we found that while 79% of Canadian leaders are confident their compliance programs can mitigate emerging risks of corruption, a striking 40% either don’t have a third-party risk management (TPRM) program or don’t do any form of risk scoring as part of it. Given that many major incidents of bribery or corruption involve the actions of third parties, corruption-specific risk assessments and third-party due diligence must be part of any ABAC program.

Many organizations still determine their due diligence efforts at the onboarding phase and through ongoing monitoring based on financial metrics, such as the dollar value of contracts. But this method doesn’t adequately address the risk of corruption with the third party, and it’s easily manipulated (e.g. success-fee contracts, split contracts). Organizations should embed anti-corruption risk assessment questions when risk scoring third parties. Examples include: Is the third party liaising with government officials on our behalf? Who referred the third party? Are they using subcontractors? Have we assessed the nature and value of services compared to those in other jurisdictions?

Only 19% of Canadian respondents are regularly conducting ABAC audits of their third parties. Similar to third-party due diligence efforts, third-party ABAC audits should be risk-based. The insights gathered from these audits can be very informative about the real risks behind the scenes, both with the third party under audit and potentially others in the region or practice area.

Most organizations have almost limitless amounts of data, including sophisticated information about vendors, the countries where the organization is operating and transactional data. However, only 21% of Canadian respondents report they leverage data aggregation technology to enable compliance monitoring, and more concerning, 20% don’t use data analytics at all to support their compliance function.

With data analytics tools readily available, inexpensive and, in many cases, already embedded elsewhere in the organization, why aren’t more compliance functions using them? If built and managed properly, analytics can predict high-risk transactions, provide compliance key performance indicators and help manage third-party risks and many other automated tasks, serving as a valuable resource for compliance professionals.

As an additional line of defence, all organizations should have an independent, robust and effective whistleblower program in place that’s well communicated internally and externally, where appropriate. The program must be easily accessible and anonymous, and it should have a consistent incident report intake and triage process. Continuous employee training is crucial to help employees identify the indicators of fraud more easily and understand when to report incidents through the whistleblower program.

In many cases, we’ve seen information from individuals triggering investigations, so organizations must make sure any information received goes to the right people to act immediately.