By Michael X. Marinelli and Sandra Gonzalez of Greenberg Traurig
(Sept. 4) – Companies understand that embracing change is integral to remaining competitive. The same holds true for compliance programs. Companies must continually adapt to internal and external business risk by examining and optimizing their anti-corruption compliance programs. As part of an annual risk assessment, companies anticipate changes in their operations and environments, which allows them to allocate resources strategically.
It can be easy for companies to lose sight of the importance of conducting risk assessments and difficult for them to complete their initial risk assessments. Further, companies with mature programs tend to drift toward treating the risk assessment as a “check the box” exercise. However, to effectively protect against current and emerging risks, companies should ensure that their risk assessments are clearly defined and organized, led by the appropriate people, and executed at regular intervals.
As this article explains, an anti-corruption compliance program refers to more than just a policy. This program consists of an anti-corruption policy, procedures implementing that policy, and related anti-corruption financial controls that cover all the topics required for an effective compliance program.
Why do a risk assessment?
The short answer is that for an anti-corruption compliance program to be effective, it must be designed to address the corruption risks the company faces. Moreover, if a program is not geared to those risks, it will be inefficient. Compliance resources are always finite and should be focused on the highest risk aspects of the business.
Additionally, the U.S. government expects companies subject to the U.S. Foreign Corrupt Practices Act to perform periodic risk assessments. The FCPA prohibits persons subject to U.S. jurisdiction from paying bribes to further their business interests. As the history of FCPA enforcement actions has long shown, and as the Department of Justice and Securities and Exchange Commission Resource Guide expressly confirms, an anti-corruption compliance program must be reasonably designed to address and mitigate the specific risk associated with a company’s business operations.
Recently, U.S. Deputy Attorney General Rod Rosenstein emphasized the impact of ever-changing business with respect to compliance. He said, “Compliance is not a one-size-fits-all proposition … as companies grow, risk profiles change.” This is important because for a company with an existing anti-corruption compliance program, it can be challenging to ensure that the company devotes adequate resources to its highest risk areas as business develops and continues to grow.
In October 2016, the International Standards Organization published a requirements standard on anti-bribery (37.001) that includes a risk assessment requirement. Companies can use this standard to implement reasonable and proportionate measures designed to prevent, detect, and respond to bribery. Companies should conduct regular risk assessments with established criteria and retain and use the results to design or improve the company’s anti-corruption compliance program.
What is a risk assessment?
A risk assessment is a disciplined and methodical process for gathering and analyzing information relevant to determining the likelihood and impact on the company of corrupt activity occurring – meaning specifically paying bribes. The mechanisms for gathering the relevant information can vary, and some companies use a combination of techniques. In considering the internal factors that affect risk, these techniques include conducting interviews with employees, having employees complete surveys, reviewing policy and procedural documents and analyzing financial data. Companies may also consult outside resources that can provide insight into the external factors that impact corruption risk, such as the level of economic development and prevalence of corruption in countries of operation.
Given the variety of risks that a company encounters, and the frequent interplay among those risks, corruption risk assessments are often performed in tandem with other regulatory risk assessments, such as environmental compliance or food safety.
The specific factors to consider in an anti-corruption risk assessment include:
• Country, including the political environment – Transparency International’s Corruption Perception Index provides helpful insight on the degree of corruption by country.
• Company profile in that market – This includes internal reports of corrupt activity and the company’s scope and pace of activity and growth.
• Donations and other charitable activity
• Industry sector – Highly regulated industries have a higher corruption risk than non-regulated industries. Some sectors have historically seen a high incidence of corruption.
• Business model – This includes operational issues, such as whether the company sells directly or through distributors or agents.
• Potential business partners – Evaluate whether and to what extent the company uses business partners to interact with the government and, if so, for what functions these partners are used. Examples include hiring lobbyists or using a business partner to obtain licenses or permits.
• Business opportunities – Consider future strategies and projects in addition to current operations.
• Company infrastructure – This covers the type and number of financial systems and whether the company has multiple operating entities or operates in multiple countries.
• Level of involvement with the government, including state-owned entities – This also includes sales to the government, political contributions and gifts, meals, travel and entertainment of government officials.
• Amount of government regulation and oversight, including enforcement environment
• Cross-border movement of goods – Consider the value, volume and frequency of imports into international markets.
• International deployments of employees – Consider the frequency of international deployments requiring visas, work permits or other authorizations.
What types of companies should do a corruption risk assessment?
Companies subject to the FCPA
Given that the U.S. government expects companies subject to the FCPA to perform risk assessments, the next logical question is “Who is subject to the FCPA?” The U.S. government takes an expansive view of its jurisdiction. The FCPA’s anti-bribery provisions apply to any “issuer,” “domestic concern” or “foreign person” in the U.S.
An “issuer” is a corporation that has issued securities registered in the U.S. or is otherwise required to file certain periodic reports with the SEC. Foreign companies, including those with no physical U.S. presence, listed on a national securities exchange, including stock or American Depository Receipts, are “issuers” for purposes of the FCPA.
The term “domestic concern” includes any business that has its principal place of business in the U.S. or is organized under the laws of the U.S. It also includes an individual who is a citizen, national or resident of the U.S.
A “foreign person” may be a foreign individual or foreign company. A foreign person is covered by the FCPA if that person is in the U.S. or causes an act to take place within the U.S. in furtherance of a bribery scheme.
Buyers after an acquisition or merger
Buyers that are already subject to the FCPA should perform a risk assessment of the newly acquired or merged entity, regardless of whether the new entity was previously subject to the FCPA. Similarly, buyers not subject to the FCPA should also perform a risk assessment when the newly acquired or merged entity is subject to the FCPA. The appropriate time to perform the risk assessment is after closing. The Resource Guide makes clear that a “company assumes the predecessor company’s liabilities” when it merges with or acquires another company.
It is important to distinguish between conducting anti-corruption due diligence prior to the corporate transaction and the post-acquisition or merger risk assessment. In the case of a newly-acquired company, at a minimum the risk assessment should address the new company’s international footprint, the volume of government contracts and the government regulations to which it is subject. In the case of a merger, the risk assessment should also address current policies, procedures and strategies related to efficient implementation and effective training and communication. Many of these factors may have been discussed during the pre-acquisition diligence process, but the purpose of those discussions is to consider the effect on the purchase price. During a risk assessment, these risks are assessed in depth to identify key areas where the company should implement processes and controls to mitigate its newly acquired corruption risks.
Think of it like the purchase of a home. Prospective homeowners use the inspection report to negotiate the price. But after the purchase and during the move-in process, the homeowner will assess what exists and what is missing to determine next steps. This might include setting up the utilities, arranging furniture and appliances to identify items to be purchased and repairing issues identified during inspection.
Pre-acquisition anti-corruption due diligence and a post-acquisition risk assessment should be handled the same way. One cannot be completed in lieu of the other if the goal is to mitigate the anti-corruption risks and implement an effective anti-corruption program that fits the newly-formed company.
Who performs risk assessments?
Once the company has established that an anti-corruption risk assessment must be conducted – whether to create a new program, to reassess a current anti-corruption program or as part of a post-acquisition plan – it should determine the appropriate individual or team to conduct the assessment. Generally, companies will look to their ethics, compliance or legal teams to lead the risk assessment. For the most part, those teams are capable of properly executing a general risk assessment. But a company first must decide whether its internal teams have the knowledge and resources to execute an anti-corruption specific risk assessment. An effective anti-corruption risk assessment requires in-depth analysis of processes and transactions defined by a detailed scope that addresses the spectrum of corruption risks determined by the company’s risk profile.
While it may be common for a company to use in-house resources to conduct its anti-corruption risk assessments, hiring outside resources can provide a fresh look at the program. Another reason why a company may consider using outside resources to conduct its anti-corruption risk assessment is when the company is under investigation or conducting its own internal investigation. According to Rosenstein, having an outside resource simultaneously performing a risk assessment demonstrates the company’s interest in identifying “the underlying cause of the problem,” which is something prosecutors would consider under the FCPA Policy. The review by outside resources in these scenarios would provide the company a completely independent and objective analysis and related recommendations.
How do you conduct a risk assessment?
A company should start with defining the scope of the anti-corruption risk assessment. This includes identifying key players in its various operations in each of its locations. These individuals can provide specific information on factors to consider, such as the company’s profile in that particular jurisdiction and the level of involvement with the government, which is essential in the company’s ability to accurately identify its corruption risks. For this reason, the individuals selected to participate in the risk assessment should not be limited to only corporate-level stakeholders. Rather, individuals selected should be those who have firsthand knowledge of the day-to-day operations of the company.
The company will also need to determine the resources available to complete the assessment. There is often a tension between using the most effective techniques and budgetary constraints, which is why companies will use more than one method of gathering information. While there may not be a “right” answer, the Resource Guide recommends not dedicating too many resources “to low risk markets and transactions to the detriment of high-risk areas” as the best course of action. Operations in highly corrupt environments with multiple government contracts making up the majority of the operation’s revenue would likely warrant in-person interviews versus operations in highly corrupt environments with little to no government touch points. In the latter scenario, the company may consider a more extensive document review and telephone interviews or surveys to ensure it has sufficiently covered the potential risk points.
In addition to interviews of key stakeholders, companies should review current policies, procedures and specific financial transactions. These documents should be reviewed regardless of whether it is a brand new anti-corruption program or a well-established one. Think of it like the new home analogy, except now you have lived in the new home for a few years. Naturally, furniture has been acquired, systems installed and maybe an additional member or two has arrived. Like an ever-growing household, companies grow and change based on current circumstances. If circumstances change, then established policies and procedures need to shift to ensure the company continues to mitigate the risks it faces under the new circumstances.
The analysis of the company’s transactions is equally important because it allows the company to identify gaps in its financial controls. Further, the results of a transactional analysis can corroborate or contradict information provided during interviews of key stakeholders or certain global or local policies and procedures. The intention of the risk assessment is not to identify any wrongdoing but rather to identify where existing mitigating processes are not working or are not being followed in the local market.
The completion of a risk assessment sets the stage for the implementation of an effective anti-corruption program. It can also strengthen an existing anti-corruption program if it is conducted on a regular basis. How often will depend on the company profile, including the size of the company, the corruption environment in the countries in which it operates, its total revenue and how much of it comes from contracts with the government. This could mean that a company is completing an anti-corruption risk assessment annually or perhaps every other year. Either way, once the frequency of the anti-corruption risk assessment is established, it is important that the company complies with its own standard. The only exceptions to the standard established should be when a significant corporate change triggers a risk assessment, such as a merger or acquisition.
Conclusion
While it may sound simple, the most important aspects of a risk assessment are that a company performs it and then uses it to create or refine its compliance program.
Michael X. Marinelli and Sandra Gonzalez are shareholders in Greenberg Traurig’s Austin office. Adelaida Vasquez, who also contributed to this article, is of counsel in the firm’s Houston office.