Anti-Corruption Illustrated
An e-Book Publication

Anti-Corruption Illustrated: Visualizing an Effective Capability

Brought to you by COMPLIANCE WEEK

INSIDE THIS PUBLICATION:
• Designing an Anti-Corruption Capability
• Performing Third Party Due Diligence
• Managing Mergers & Acquisitions
• Identifying and Resolving Issues
• Conducting Investigations
• Using Data Analytics

Welcome

Anti-corruption efforts at the modern global company can be overwhelming and, for all the talk about effective anti-corruption regimes, sometimes it helps to step back and visualize the bigger picture—literally. Hence we welcome you to our first-ever “Anti-Corruption Illustrated” publication.

This e-book is a compendium of anti-corruption articles Compliance Week has published jointly with the Open Compliance & Ethics Group for the last six months. Here you will find all those articles, plus the roundtable discussions OCEG has run about anti-corruption with chief compliance officers and other compliance thinkers, plus OCEG’s famed illustrations: double-page spreads you can print out, stare at, and contemplate as you structure your own anti-compliance program.

The articles address all the fundamentals of compliance programs: due diligence on third parties and acquisition targets; sifting through reams of corporate data effectively to find those few clues that expose possible misconduct; the role of the modern chief compliance officer as one part cheerleader for good conduct, one part counselor to business unit leaders, and one part fraud investigator. Each article also has an accompanying illustration.

We know the images are somewhat abstract, and have a certain flowchart appeal to them. That’s intentional. Successful anti-corruption consists of several basic principles that can apply to all, and myriad small details that apply to your business alone. The illustrations capture those basic principles; the articles provide context; the details we leave to you, since only you know what compliance program will work best at your business.

We hope you find our anti-corruption e-book useful as you continue to develop and implement anti-corruption regimes around the world. The cliché is that a picture speaks 1,000 words. Considering the huge and diverse audiences a chief compliance officer must reach these days, and the complex subject matter, visualization can only help. ■

Matt Kelly, Editor & Publisher
mkelly@complianceweek.com

Inside this e-Book:
• Matt Kelly Introductory Letter
• Anti-Corruption Programs Enable Business Agility
• Illustration: Managing Corruption Risk
• Managing Corruption Risk: An OCEG Roundtable
• Third-Party Corruption Risk: Know What You Should
• Illustration: Third-Party Anti-Corruption Due Diligence
• Preventing Corruption Through Third-Party Due Diligence: An OCEG Roundtable
• A Holistic Approach to Diagnosing Corruption
• Illustration: Anti-Corruption Issue Management
• Corruption Issues: An OCEG Roundtable
• How to Boost Your Merger and Acquisition IQ
• Illustration: M&A Corruption Due Diligence
• Buyer Beware of Corruption Risk: An OCEG Roundtable
• Finding the Corruption Needle in the Haystack
• Illustration: How to Conduct Corruption Investigations
• Investigating Corruption: An OCEG Roundtable
• Brad Pitt: The New Anti-Corruption Compliance Officer
• Illustration: Data Analytics for Anti-Corruption
• Anti-Corruption Data Analytics: An OCEG Roundtable
• Illustration: OCEG: Your Path to Principled Performance
• Company Descriptions

Anti-Corruption Programs Enable Business Agility
Carole Switzer, OCEG President

One of the most frequently asked questions I hear about managing corruption risk demonstrates the compliance profession’s passion for benchmarking: “What do companies with the best anti-corruption programs do differently?”

The answer I give does not offer details about process or technology, at least not directly; instead, it boils down to philosophy and vision. Compliance, risk, internal audit, and other executives leading the most effective (and, not coincidentally, the most efficient) anti-corruption programs think of their efforts as an integral part of their organization’s offensive capability—efforts that enable business agility and business resiliency to flourish.

This vision does not downplay the importance of process and other building blocks of anti-corruption capabilities. Indeed, leading practitioners also share a penchant for crafting comprehensive, dynamic programs—the sort of capabilities that this six-part “Anti-Corruption Illustrated Series” will examine in detail. Each installment conducts this analysis through diagrams, guidance, and field insights provided by leading experts.

While the focus of this series centers on process—the “how” of anti-corruption programs—it is valuable for those overseeing and managing these programs to also reflect on “why” they invest in these programs. The executives at the helm of organizations with leading anti-corruption programs say their intent is twofold: to strengthen organizational agility and resiliency while also bolstering anti-corruption mindsets and capabilities throughout their business ecosystems. This external reach not only helps customers, suppliers, and other business partners and stakeholders strengthen their anti-corruption programs, but also helps the competitive playing field by reducing the frequency and severity of corruption in their markets.

Executives who foster this point of view through the development of an effective and efficient anti-corruption program pursue a similar approach to those embraced by any top-notch CFO, CIO, or business continuity manager. These functional leaders continually strive to share leading finance, information technology and business resiliency practices throughout their supply and demand chains. And they also strive, through continual process improvement, to make their “lights-on” finance, IT, and disaster recovery capabilities as efficient as possible, so that they can invest more time and effort marshaling their resources to support strategic offensive.

This approach calls to mind the philosophical concept of a paradox; call it the “process paradox:” the more leading practitioners focus on their anti-corruption processes and programs, the less time these efforts ultimately consume. This occurs as anti-corruption becomes more integrated into strategic decision making and daily work throughout the organization. Additionally, by investing in a sturdy anti-corruption framework, leading practitioners create a foundation from which they can more easily add lean GRC principles and practices that can help achieve continual improvements over the long haul.

This process work begins with a philosophy; one that envisions anti-corruption as a valuable enabler of business agility and business resiliency—qualities whose strategic value has never been higher. ■

Carole Switzer is the president of OCEG, a non-profit think tank that develops standards and guidance to help organizations achieve Principled Performance—the reliable achievement of objectives while addressing uncertainty and acting with integrity. www.oceg.org

Illustration: Managing Corruption Risk
OCEG Anti-Corruption Illustrated Series

Organizations must address global corruption challenges with a comprehensive and dynamic program. To succeed, the board and management must demonstrate and demand an anti-corruption culture.

START: ASSESS RISKS
Identify corruption risks considering factors including nature and location of business activities, third party relationships, methods for generating business, and applicable laws. Evaluate and rank risks based on the organization’s established risk appetite, and be prepared to respond to internal and external changes that affect the assessment.

DEVELOP THE PROGRAM
Design a comprehensive and balanced anti-corruption program that corresponds to the risks identified during the assessment process. Establish policies, procedures and controls in all levels of the business, with owners for each. Obtain board and management endorsement of strategies, short and long term expectations, and resources, with ongoing communication of this support.

PERFORM DUE DILIGENCE
Knowing how and where your vendors, agents and customers operate, and understanding the activities and controls of any planned acquisition, as well as the risks they present, is an essential part of the anti-corruption program. Due diligence should include analyzing whether established steps of an effective program are followed.

DEFINE AND IMPLEMENT POLICIES
Write policies that map to regulations, obligations and business processes. Establish owners responsible to ensure continued appropriateness and effectiveness. Communicate to key stakeholders including staff, third parties, auditors, and customers.

BUILD AND OPERATE CONTROLS
Establish procedures and controls to prevent, detect, correct and mitigate the risks. Include process, technology, human capital and physical controls. Establish owners to monitor controls to ensure effective workflow, continued appropriateness of design, and operation in business units. Regularly document, assess and test controls.

TRAIN AND EDUCATE
Develop and deliver training in various forms to raise stakeholder awareness and competence regarding anti-corruption goals, policies, procedures and controls. Identify role-specific programs with desired outcomes and develop content and delivery methods appropriate for each target audience, taking cultural and language issues into account. Assess, certify, and track training results.

MONITOR AND EVALUATE
Track and assess policies and controls for effectiveness and performance in various ways:
• SCREENING: monitor internal and external information and compare vendor, partner and customer records against trusted data sources for red flags that indicate issues
• HOTLINE: establish hotline and other open channels for reporting and resolution of questions and issues
• INVESTIGATIONS: obtain and assess information about observed or suspected misconduct, using appropriate qualified teams, and considering privilege issues
• DATA ANALYTICS: evaluate data to locate concerns and potential problems by applying analytic techniques, tools and reporting capabilities
• AUDITING/TESTING: provide regular internal audit oversight and inspection of the anti-corruption program; test and assess controls to determine if additional or modified action is necessary

REVIEW, REALIGN, AND REPORT
Take timely corrective and disciplinary action for violation of the anti-corruption program. Continually evaluate the program and adjust it to ensure alignment with changes in risk profile. Keep management and the board informed of program outcomes and needs through regular reporting. Strengthen assurance of program sufficiency with external review and certification.

ESTABLISH PROGRAM OWNERSHIP AND OVERSIGHT
Anti-corruption efforts require coordinated action involving many in the C-suite and managers of operations that present corruption risk. A management committee or internal stakeholder group can ensure that necessary communication takes place, resources are committed, and sufficient support for effectiveness of the program exists.

PROGRAM OWNERS: Risk; Audit; Business Operations; Compliance and Legal; Finance and Others

KEY BUSINESS OPERATIONS / STAKEHOLDERS: Logistics/Distribution/Purchasing; Sales/Marketing; Accounting/Finance; Manufacturing

Other labels in the diagram: Third Party Relationships; M&A; Policy Design; Objectives; Risks; Controls

AN ANTI-CORRUPTION PROGRAM IS GOOD FOR BUSINESS
Strong anti-corruption programs help to build a climate of integrity and an ethical culture across the extended enterprise that drives desired conduct and supports compliance overall. Compliant companies perform better in the marketplace and have a competitive advantage. An effective anti-corruption program enables the company to:

FULFILL LEGAL OBLIGATIONS AND GUIDANCE
• US Foreign Corrupt Practices Act
• UK Bribery Act
• US Dodd-Frank and Patriot Acts
• Public Procurement Laws and Regulations
• Guidance from OECD, World Bank, and Non-Governmental Organizations
• OCEG GRC Standards
• Contractual Obligations

REINFORCE BRAND AND CORPORATE REPUTATION
• Enhance Brand Credibility
• Solidify Shareholder Trust
• Gain Respect in the Marketplace

ASSURE THE BOTTOM LINE
• Protect Corporate Assets and Operations
• Enable Public Procurement Lines of Business
• Enable Operation in Corruption-Prone Countries
• Prevent Revenue Loss From Non-Compliance
• Avoid or Reduce Fines and Penalties

Contact Scott L. Mitchell smitchell@oceg.org for comments, reprints or licensing requests. ©2012 OCEG. ©2012 Dachis Group

Managing Corruption Risk: An OCEG Roundtable

SWITZER: There’s a lot of talk about FCPA enforcement and U.K. Bribery Act requirements, but there is confusion about what to do. How do you determine how well your company is managing corruption risk?

MARTIN: A thoughtful and comprehensive risk assessment is fundamental for any anti-corruption program. An adequate risk assessment gives an organization a systematic view of its compliance risks so that it can develop detailed policies, procedures, and controls to effectively manage these risks.

KUZMA: Take a phased approach to validate whether efforts are sufficient given the risk assessment. First, ensure that the program covers all necessary areas for the company’s industry and geographic footprint, including outside counsel review and consideration of information such as industry guidelines and programs of other companies. Then, regularly conduct an assessment to determine if there are any unidentified or poorly controlled risks that require program changes.

SWITZER: We often hear “It is overwhelming; I don’t know where to start.” What steps do you recommend to begin the process and gain some “quick wins”?

MARTIN: A strong anti-corruption policy and a good set of supporting procedures enable the implementation of the company’s values and strategies, create the framework for consistent and fair practices across business units, mitigate risk, and ensure accountability among employees.

KUZMA: Two more quick-win areas are training and analytics.
Train throughout the company and focus on raising awareness about how bribery and corruption can occur, including real world examples; what regions in the company are at most exposure and why; relevant legal requirements; and details of the company’s anti-corruption policy. Then perform analytic testing to expose expenditures that may create potential for corruption. Data analytics focusing on accounts payable, travel and entertainment, and petty cash provide great insight.

SLAVIN: To avoid becoming overwhelmed, address highest-risk areas first. Successfully remediating a few high-risk areas through improved training, a more effective hotline system, or better third-party due diligence, will create early wins and help build momentum. A well-conceived, multi-year plan that considers relative risks, budgets, and available manpower will make an overwhelming undertaking feel much more manageable.

ROST: It’s key to start with the most significant risk, and for many this is the risk presented by vendors and suppliers. Since these firms may be located where the organization does not have in-country resources, it’s important to have upfront and ongoing due diligence that includes assessing risk based on country of origin; targeted screening of the organization and key employees; and enhanced due diligence for high-risk areas in the form of detailed background reports.

SWITZER: How do you establish oversight and ownership of each aspect of the anti-corruption program to avoid confusion, gaps, and unnecessary overlaps?

SLAVIN: Decisions regarding ownership, oversight, and tactical responsibility differ by company and are impacted by staff size, budget, and corporate structure. That being said, high-level central oversight is critical. Individual components may be delegated to different people, departments, or regions as necessary, but someone must have broad oversight of the entire program with authority to make executive decisions.
MARTIN: It is important to have a chief compliance officer at the vice president level, over a centralized compliance group to provide thought leadership and staff support for essential elements of the program. To succeed and ensure consistency across business units, the program also must be embraced by the employees and business partners.

KUZMA: That’s right, and to establish comprehensive ownership you have to review the program that is in place, determine who is responsible for each element, and identify areas where no one is currently responsible. You also need to make sure that there are effective compliance officers in countries where corruption risks surface, and that the chief compliance officer back at headquarters has strong working relationships with them. A facilitated group discussion can be the starting point to iron out responsibilities to avoid confusion, gaps and duplication of effort.

ROST: Also, an important way of achieving coordinated ownership is by standardizing a common taxonomy of policy, risk, and control with identified owners responsible for the documentation, communication, testing, and monitoring of each. Standardizing common methodologies and systems will enforce the consistency and transparency of information.

ROUNDTABLE PARTICIPANTS
MODERATOR: Carole Switzer, President, OCEG
Steven Kuzma, Global Leader, Corporate Compliance Advisory Services, Ernst & Young LLP
Jay Martin, Vice President, Chief Compliance Officer and Sr. Deputy General Counsel, Baker Hughes Incorporated
Mike Rost, Vice President, Thomson Reuters GRC
Jim Slavin, Senior Director, Advisory Services, Bribery & Corruption Risk Management, SAI Global Compliance

SWITZER: What specific steps should corporate leadership take to establish and drive home the proverbial “tone at the top” to build corporate culture that is intolerant of corruption?

MARTIN: Senior management must consistently demonstrate the correct tone-at-the-top through clear statements on the commitment of a culture of integrity and a zero tolerance approach to corruption. Also, for a compliance program to succeed, line managers at all levels of the organization must be held accountable for the compliance performance of the employees in their organization.

SLAVIN: Employees will quickly discount these messages as hollow rhetoric unless executives not only “talk the talk” but also “walk the walk.” The steps that leadership takes must show employees that they are willing to walk away from deals requiring bribes; that anyone, regardless of their contributions or stature, will be fired for unethical behavior; and that the CEO’s commitment to profitability does not overshadow commitment to ethical behavior. Employees must believe that good-faith reporting of suspected wrongdoing is not only welcome, but expected.

ROST: Senior management should communicate zero tolerance for bribery and corruption, with messages tailored to different audiences. U.K. Ministry of Justice guidance suggests that messages include:
» A commitment to carry out business fairly, honestly, and openly
» Zero tolerance toward bribery
» Consequences of breaching the policy
» Articulation of the business benefits of rejecting bribery
» Reference to bribery prevention procedures the organization has, or is putting in place
» Reference to the organization’s involvement in any collective action against bribery

SWITZER: Today, many companies have a lot of data but not a lot of information because they can’t easily consolidate and analyze what they have. How can technology help?

ROST: Two important technology investments are an enterprise GRC platform and a third-party due diligence solution.
The platform provides a common environment to manage the documentation, testing, communication, workflow, and reporting related to policy, compliance, and risk management and internal audit. It supports a common language for policy, risk, and control that enhances information transparency. Third-party due diligence solutions provide global intelligence on heightened risk individuals and entities, including screening for Politically Exposed Persons, enhanced due diligence reporting, and geopolitical risk solutions that provide the means to address the full spectrum of risk across all markets and industries, no matter what type and size organization.

SLAVIN: Third-party due diligence is a great example. Making consistent and defensible partnership decisions based upon efficiently collected and accurately analyzed data is important for all organizations. Inquiries to legal, audit, HR, or procurement departments may uncover existing technologies that compliance departments can leverage to meet these objectives. For example, many companies utilize litigation case management, GRC, and hotline systems that are suitable for use in the anti-corruption arena. Also, a software tool with features such as e-mail distribution, workflow management, external data integration, a secure & centralized repository, and a business rules engine is essential for large-scale data analysis and risk profiling.

MARTIN: Baker Hughes has successfully employed technology solutions in key areas such as the vetting and certifying of third-party agents, delivery of the worldwide training program, maintenance of a comprehensive case management system, and ongoing delivery of a wide variety of compliance messages.

KUZMA: Data analytics tools and techniques used in regular audits and investigations also can be used proactively to prevent, detect, and monitor against corruption.
These systems test and analyze data by looking at trends and abnormal activity, uncovering exposure in key areas such as petty cash, accounts payable, and travel and expense submissions. Companies are starting to use tools to look at the unstructured data that is resident in the financial systems such as the text within journal entries, a/p disbursement descriptions, entries in the travel system that describe individual submissions, and information that describes how and why petty cash was used. Internal e-mail communication also is often a treasure chest of information. ■

Third-Party Corruption Risk: Know What You Should

Carole Switzer, OCEG President

“The beginning of knowledge is the discovery of something we do not understand.”
—Frank Herbert, novelist

Want to know one of the surest ways to strengthen your organization’s anti-corruption capabilities? Start by discovering what you do not understand about the third parties who help you do business abroad.

The prevailing FCPA and U.K. Bribery Act storylines focus on intensifying enforcement activity, but fail to drive home the fact that third-party agents—suppliers, joint venture partners, service providers, facilitators, and others—are the main characters in the story.

As a recent Bloomberg Law Report indicates, 10 of the 11 corporate FCPA investigations initiated during the first 11 months of 2009 involved payments made by third parties. Not much has changed.

If your company fails to expand its knowledge about the activities of your business partners, the Department of Justice (DoJ) or the U.K. Serious Fraud Office (SFO) may define your “knowledge” for you in stark, legal terms. These results often sound like a cruel twist from a novel: companies find themselves stained with criminal liability, forced to pay hefty fines, and with their reputation in tatters because—unbeknownst to them—a third-party agent bribed an official.

Unfortunately, this isn’t fiction. The reality is that success in today’s global marketplace hinges on acting upon what you know while continually striving to learn what you should know. Failure to do so is “willful ignorance,” a condition that pervades the failed defenses of numerous regulatory and criminal cases inside and outside the realm of corruption. And yet, taking the necessary steps to avoid a finding of willful ignorance and liability is too often neglected.

Just ask companies that have endured disruptive investigations and costly penalties as a result of their lack of third-party agent knowledge. In 2010, more than a half-dozen oil service companies paid more than $230 million combined related to bribes in Nigeria and elsewhere in a group of cases commonly referred to as “CustomsGate.” Many of these bribes stemmed from a third-party logistics firm the oil services companies used, Switzerland-based freight-forwarder Panalpina. Panalpina acknowledged that it bypassed customs, paid bribes, and submitted fake customer documentation from 2002 through 2007 as part of its “culture of corruption.” The well-known global companies that used Panalpina paid tens of millions of dollars in criminal fines as well as SEC-mandated disgorgements because, in some cases, the court found that they should have known what was being done on their behalf, despite their ignorance of their third-party agent’s bribes.

Avoiding CustomsGate situations has grown increasingly difficult as more companies rely on more third parties to operate abroad. The sheer volume of data required to conduct sufficient due diligence on foreign partners can be staggering.

Fortunately, there have never been more tools available to support anti-corruption due diligence. For example, Transparency International’s 2011 Bribe Payers Index (http://bpi.transparency.org/results/), released in November, ranks 28 leading international and regional exporting countries by the likelihood of their companies to bribe abroad. Companies from Russia and China are seen as most likely to pay bribes abroad; those from the Netherlands and Switzerland are least likely to bribe; and U.S.-based organizations figure as the 10th least likely to bribe among the 28 countries.

The index is only one tool. Many consulting, legal, and software firms have developed information solutions for anti-corruption analytics to transform raw data related to third-party agents into actionable information.

By collecting and analyzing such data, following a rigorous risk assessment and third-party selection process, and establishing ongoing third-party controls and monitoring, compliance and risk managers can tame the due diligence data deluge. By doing so, these managers can also help ensure that their companies continually understand what they should know. ■

Illustration: Third-Party Anti-Corruption Due Diligence
OCEG Anti-Corruption Illustrated Series

Global organizations may have thousands of third-party relationships that present corruption risks. An effective worldwide anti-corruption program must include comprehensive and consistent due diligence in the selection of agents, suppliers, and other partners; and methods for monitoring and evaluating compliance once they are on-boarded. This demands a proportionate approach to ensure the right level of process is applied to each.

1. START: DEFINE
• Scope of the third-party due diligence process considering countries of concern, and aspects of operations and business relationships that present significant corruption risks
• Objectives and design of the process: define goals, key roles and responsibilities, information management requirements, policies and procedures
• Key forms and templates for (1) new third-party requests, (2) third-party questionnaires, (3) due diligence level analysis, (4) background checks, and (5) third-party certifications
• Procedures to address “red flags” and require re-review of any party

2. COLLECT INITIAL DATA
• Country review to identify potential high risk
• Real-time check to identify connections of entity and individuals to foreign government-owned or -controlled entity, high-risk business relationships, and history of investigation for criminal or civil violations
• Self-disclosure survey for third-party candidates tailored to the unique local risk analysis and the specific facts relating to each entity or person
• Nature, scope and value of intended relationship and transactions

3. ASSESS
• Define high, moderate and low risk categories for third parties based upon factors researched in initial data review
• Rank each third party based on initial data
• Perform additional due diligence based on level

LOW RISK: Level 1 Due Diligence. Trusted Data Source Search and Risk Screening
• Published convictions, penalties and sanctions
• Politically Exposed Persons (PEPs), heightened risk individuals and organizations, and public watchlists
• Multiple media outlets including local, industry and general business

MODERATE RISK: Level 2 Due Diligence. Enhanced Evaluation
• Level 1 activities plus…
• Additional trusted databases
• In-country public records such as court filings
• Detailed background reports from trusted provider
• Research into corporate relationships and human networks
• Third-party interviews, questionnaires and supporting documents

HIGH RISK: Level 3 Due Diligence. Deep Dive Assessment
• Level 1 and 2 activities plus…
• Audit and review of third-party controls and financial records
• Detailed interviews of references, political associates, business associates
• Investigative background reports leveraging local data sources

4. APPROVE / DENY / APPROVE WITH CONDITIONS
• Establish business rules and automated and process triggers, to facilitate control and monitoring throughout the life of each contract
• Apply more stringent controls and more frequent monitoring to higher-risk level entities, individuals, and contracts

5. TRAIN / CONTROL
• Establish anti-corruption training and controls for each risk level
• Administer training for different third-party audiences, taking cultural issues into consideration and addressing role-specific needs
• Assess and certify third-party awareness and competence in anti-corruption
• Define required contract clauses and audit rights

6. MONITOR / REVIEW
• Establish monitoring and re-approval requirements for each risk level
• Conduct regular ongoing review of third parties through automated or manual screening leveraging trusted data sources
• Act on red flags and changes in risk rankings
• Require re-approval periodically on schedule appropriate for each risk level

WHO IS A THIRD PARTY?
SUPPLY AND SALES CHAIN
• Suppliers/Custom Manufacturers
• Agents/Representatives
• Resellers/Distributors
• Customers
REGULATORY FACILITATORS
• Vehicle licensing agents
• Visa processors
• Customs brokers
• Freight forwarders
PROFESSIONAL SERVICES
• Lobbyists
• Lawyers
• Accountants
• Consultants
• Travel agencies
• Real estate agents

PROGRAM PRINCIPLES
IS YOUR PROGRAM REASONABLE? Don’t interfere with operations or be a burden on the business.
IS YOUR PROGRAM CONSISTENT? Establish standardized processes that apply to all areas of the business everywhere in the world. Incorporate standardized forms and templates to drive consistency.
IS YOUR PROGRAM RESPONSIVE? Support transparent and sound decision making with strong management oversight and robust reporting.
IS YOUR PROGRAM INDEPENDENT? Minimize potential conflicts of interest and ensure decisions are objective.

Preventing Corruption Through Third-Party Due Diligence: An OCEG Roundtable

SWITZER: Many companies that operate globally have thousands of agents, suppliers, and other partners. You can’t do even minimal due diligence on all of them, or can you? How do you determine the level of due diligence for each one?

WALDEN: Filtering the population of vendors and business partners is a critical step before determining due diligence procedures. We meet with clients to understand their current efforts, specific challenges within their industry, geographic areas of operation, and business strategy. We then build a filtering model that separates the third parties into risk-based categories and proceed with different levels of due diligence: Level 1 is an open source background check; Level 2 adds an “in-country” focus with respect to local court records or business filings; and Level 3 is a deep dive into the company which may include interviews, site visits, and financial analysis. Typical risk factors used in the filtering process include type of relationship with the vendor, industry sector, services provided, geographic location, nature of the contract, existence of government links, and response to monitoring controls. By using this approach, only entities considered high and medium risk undergo a deeper level of scrutiny, which results in lower costs and maximized results for the client.

ROST: Another filtering factor is the criticality of the partner to the continued business operations.
For example, high-risk partners may include those who handle your intellectual property, have access to your IT systems or provide unique products or services to your company. After filtering, the next step is to rigorously screen each business partner commensurate with the risk category to which each is assigned. Where screening raises red flags, a more thorough, detailed assessment is required, focusing not only on the company, its owners and its operating and litigation history but also on management and key decision makers. Include an assessment of their backgrounds, track records, real competencies, potential conflicts of interest, and political and criminal links. And don’t forget that a lot can happen in six months, so adequate procedures require that higher-risk business relationships should be screened at least twice a year and a full rescreening should be applied annually.

HAUSERMAN: Thousands of third parties is certainly considered by most compliance professionals an almost impossible number to be able to research and risk forecast accurately. But there are significant lessons in the reaction of financial institutions over a decade ago, to the then new anti-money laundering regulatory obligations. At its core, be it AML or third-party due diligence, poor information management is the biggest impediment to doing due diligence right. Today, modern information management technology coupled with sophisticated analytics to prioritize third-party risk mitigation activities is available and affordable to solve the problem the right way. But risk is in the eyes of the beholder, and the first place a company has to start is to review its own risk tolerances.

SWITZER: There is a phenomenal amount of data to be considered in third-party due diligence, and it is constantly changing. How can you collect and keep track of it all and be sure it is fed into your approval system?
HAUSERMAN: This is actually a quite straightforward information management problem that has been solved many times. That is not to say it is easy, but there are plenty of examples for how information can be captured and maintained in a continuously accurate state. Organizations can make third-party due diligence effective by connecting all the systems and people who have the necessary information. For instance, third-party business sponsors should be required to monitor and maintain accurate data for their third parties. Likewise a third-party primary contact should be accountable for maintaining the third-party records. But it takes good information management systems to make all of this possible.

ROST: Many organizations struggle to cope with overwhelming levels of data that need to be screened and rescreened. Some organizations have the resources to hire a large and competent compliance department. For others, the answer is to outsource to experts who can absorb the complexity of the requirements and deliver results at a reasonable cost. Dedicated providers leverage professional research teams located in strategic hotspots around the world and have the capacity to do on-the-ground research in local languages, and physically check paperwork and tangible assets. These teams know what to look for and how to recognize a potential red flag, perhaps the kind of detail that a less experienced, distantly located, compliance staff member would overlook. Even a partial outsourcing of compliance processes can greatly enhance a program and provide peace of mind, while keeping costs low.

WALDEN: The role of individual owners of data sources, who are responsible for monitoring changes, can’t be underestimated. Data management systems are critical, but they are only as good as the information that goes into them, and getting that right takes some human judgment.
ROUNDTABLE PARTICIPANTS
MODERATOR: Carole Switzer, President, OCEG
Bill Hauserman, SVP, Bribery and Corruption Risk Management, SAI Global
Mike Rost, Vice President, Thomson Reuters GRC
Vince Walden, Partner, Fraud Investigation and Dispute Services, Ernst & Young

SWITZER: How do you manage change in partner relationships that may raise concerns (including change in ownership, new suppliers to your supplier, and new customers to your distributor)?

WALDEN: Given the constant changes of the business world and mounting pressure from regulators, compliance programs need to undergo periodic reviews to make sure they remain current, effective, and reasonable. As new information becomes available, it is important to occasionally re-run past searches at random to verify that the information is accurate and up-to-date. In addition, compliance officers must work with their business partners to stay apprised of any significant development on the vendors’ end. Periodic requests for information, random testing, and independent due diligence reviews are also recommended to test the effectiveness of the compliance programs.

HAUSERMAN: First you have to have a mechanism to monitor for such changes. And realize that your information will never cover everything, so start with obviously risky items. These are typically monitored by an external database provider such as WorldCheck, Dow Jones, or RDC, which track millions of companies and individuals for sanctions and PEP (“politically exposed person”) exposure, criminal conduct, and financial irregularities. Good providers can actually monitor a third-party continuously for changes that increase risk and inform you about issues. While this monitoring is for higher-risk type changes, these are exactly the ones a regulator would question how you could possibly miss, given the regulatory requirements.

SWITZER: Even if an entity passes due diligence, corruption can still occur. How can companies prevent or detect this? And are there established criteria for the frequency and extent of ongoing due diligence?

WALDEN: Third-party due diligence is a continuing effort that requires collaboration between the company and its business partners. To monitor significant changes on the vendor’s end, establish vendor reporting obligations for any changes in activities conducted on the company’s behalf, or to the vendor’s business model and strategy. This includes any new contracts, entrance in new markets, or the establishment of links to government entities or officials. Companies are also requiring annual certifications and disclosure statements of key vendors or third parties, some of which require a right to audit records clause. And this voluntarily provided information should be complemented with periodic checkpoint reviews and independent due diligence research to verify that the information is reliable, current, and complete.

ROST: Regardless of the strength of controls, those looking to break the rules will continue to exploit any potential weakness in a system that they are familiar with. A reasonably designed and effectively implemented risk-based approach will provide an appropriate control structure to manage these risks. Simply asking a partner to fill in a form that includes the question “are you corrupt” is naive in the extreme. In today’s environment, it is reasonable to expect that the partner has a robust anti-corruption program. However, not all partners have the resources to construct an adequate compliance response, so it may be necessary to assist in the building of expertise in partner organizations. This can be done through on-site training, e-learning, and by providing professional advice and resources to support the partner compliance processes.
Without this institutional support, partners may overestimate risk, thus wasting a lot of time and money during remediation, or even miss the risk altogether, which can be disastrous for all involved in the relationship.

HAUSERMAN: Some would say that the half-life of a successful due diligence that clears a third party for use is measured in minutes. That is the speed of economic activity and information flow. The not-so-simple fact is that you have to find a proportionate balance for all third parties to earn regulator relief. It doesn’t have to be foolproof and stop all bribery; the regulators don’t expect that. But they do insist an organization be serious and consistent in applying due diligence around the globe. The regulatory term is “continuous due diligence to the balance of probability.” An organization based on budgets and risk tolerances must define continuous. The one thing that can be assured is that the regulators will define it more precisely if organizations are too lax. ■

A Holistic Approach to Diagnosing Corruption
Carole Switzer, OCEG President

In the long-running television drama “House,” the ornery and unconventional medical genius Dr. Gregory House masterfully diagnoses the sources of mysterious illnesses. The secret to House’s success stems from his ability to see the big picture, understand how all of a human body’s various systems interact with each other, and spot patterns that no one else detects.

The same skills would enable House to thrive in the complex field of corruption issue intake and management. Conventional wisdom holds that this is a relatively simple, straightforward, and discrete process. But the conventional wisdom is wrong.

Companies with the most sophisticated anti-corruption capabilities do more than resolve the issue and identify its direct cause.
They also periodically examine their entire portfolio of corruption issues to better understand how they interact and to identify ways to improve corruption defenses throughout the entire organizational system. By conducting such “portfolio examinations” on a periodic basis, these companies continuously improve their anti-corruption capabilities in several different ways, including process improvements, efficiency gains and more effective crisis communications, and litigation preparation in the event that a significant corruption issue arises.

The last point is important. When an instance of corruption is raised, communications about the event (and the response) must be quickly disseminated to all relevant stakeholders while initial review of the issue takes place. In some cases, a crisis response effort and litigation preparation activities must also begin right away. So, even a single investigation involves a tangle of moving parts.

Consider how complex issue intake and management becomes in an enterprise that operates in dozens of countries around the world. Each response produces a body of information related to what went wrong, why it went wrong, and the steps to be taken to prevent the issue from arising in the future. Companies with leading anti-corruption capabilities—those that occupy the third level of the following maturity scale—leverage this body of information to their benefit:

Level 1: Response. Almost every company has achieved this level of maturity (if they have not, the first bribery issue that arises might put them on life support). Once an issue occurs, it is assessed, assigned, investigated, and resolved.

Level 2: Root Cause Analysis. Many organizations try to operate at this level; as part of resolving a corruption issue, those responsible for the investigation also attempt to understand why the individual event occurred in the first place.

Level 3: True Continuous Improvement.
Achieving continuous improvement requires a periodic analysis of all corruption issues, including a systemic examination that helps expose patterns of problems and other vulnerabilities. These findings and insights in turn stimulate the sharing of best practices throughout the enterprise, as well as the identification of specific process improvements designed to lessen the likelihood of future occurrences of corruption problems. And when push comes to shove, in some cases tough decisions must be made about whether the company should avoid using specific agents, or even cease operations in some markets.

The risk of not evolving beyond the second level of this maturity model can be significant: Without a big-picture understanding, any individual root cause analysis may be incorrect or incomplete. What looks like a root cause in isolation may actually turn out to be a symptom of a more systemic problem.

To ensure a strong prognosis for success in international markets, more anti-corruption managers should consider diagnosing corruption issues the way Dr. House would: by taking a big-picture view and tenaciously examining all of the causal factors, and how they influence each other, until the issues are understood and resolved in a holistic manner. ■

OCEG Anti-Corruption Illustrated Series

SPEED, RIGOR, INDEPENDENCE, IMPROVEMENT – Every organization should have a strong capability to identify, prioritize, investigate and resolve bribery and other corrupt activities, as well as compliance system weaknesses. While this can be a daunting task, this illustration can help implement or refine an investigation process and avoid common pitfalls.

CAPTURE AND FILTER
Establish multiple pathways for receiving tips about suspected or observed corrupt activity and actively monitoring high risk activities and relationships based on identified factors including country, sales channel and third-party compliance data. Sort issues into established risk level categories for action.

RED FLAGS
• COMMERCIAL BRIBERY
• CUSTOMS and OFFSET COMMITMENTS
• OUT-of-POLICY GIFTS and ENTERTAINMENT
• CASH VENDOR DISBURSEMENTS and OTHER HIGH RISK TRANSACTIONS
• MISREPORTED ACCOUNTING RECORDS
• CHARITABLE GIVING and COMMISSION PAYMENTS
• CONTROL VIOLATIONS
• FACILITATION PAYMENT

Process steps, in the order shown:
• Assess Threat: Confirm veracity and triage by risk level.
• Secure Records: Prevent data loss or destruction and preserve privilege.
• Determine Reporting: Comply with any immediate reporting requirement in contingency plan for risk level.
• Execute Plan: Apply defined plan for identified risk level (immediate communication and responses in advance of further investigation).
• Assign Tasks: Refer to designated investigation and communication teams.
• Investigate: Collect, review and analyze evidence. Issues might be resolved quickly or may progress into different or multiple issues that require re-assignment and notice to senior management/board.
• Communicate: Execute communications plan for management, employees and external stakeholders; keep management informed of any changes in issue status throughout investigation.
• Report and Resolve: Obtain thorough, independent reports; focus on signals of systemic violations; ensure unlawful conduct has stopped and disciplinary action has been taken.

Resolution outcomes:
• CONTINUOUS IMPROVEMENT: Conduct root-cause analysis including leadership weaknesses, culture issues, and flaws in performance of management activities and controls. Look for patterns in relationships and in aggregate. Implement improved compliance controls including changes in training and frequency of audits.
• REPUTATION: Identify authorized speakers or representatives, prepare for rapid release and response and have consistent, controlled, truthful messaging.
• LEGAL DEFENSE: Determine legal strategy including potential disclosure and cooperation with regulators and prosecutors.
• BUSINESS DECISIONS: Provide senior management with information needed to make decisions about changes in business operations, disciplining or terminating employees/contractors/business partners, management of financial impact, and leadership changes.

HIGH-LEVEL OVERSIGHT
SENIOR EXECUTIVE TEAM: Senior management and the board must be told about suspected corruption issues early, stay informed as investigations progress, and take a hands-on approach to ensure protection of the organization and resolution of the issue and underlying causes.

Other labels in the illustration: REVIEW; PLAN; TASKS; PROGRESS; RESOLUTION; HOTLINE & INFORMAL INTAKE; THIRD-PARTY OR CUSTOMER REPORT; PROACTIVE MONITORING; AUDITS; INTERVIEWS; MEDIA; THIRD-PARTY DUE DILIGENCE

THE TOUGH QUESTIONS

ARE WE PREPARED?
• Do we proactively monitor potential high-threat-level conduct and activities and provide multiple pathways for issue intake?
• Have we categorized types of conduct and areas of operation into threat-level categories as part of our risk assessment process?
• Do we have contingency plans to manage issues that arise in each risk category including identified investigation teams, reporting requirements and escalation paths?
• Do we have policies and procedures to secure evidence, protect privilege and bring in legal teams?
• Have we identified authorized spokespeople and informed everyone about what may and may not be said, and by whom, about issues that have been identified or are being investigated?

CAN WE DEFEND THE ORGANIZATION?
• Have all illegal practices been identified, stopped, and had controls revised or added?
• Are there potential violations of law that must be, or should be, disclosed and if so, how quickly?
• Do we have a communication plan and team that protects our reputation?
• Is the investigation report sufficiently independent and thorough to facilitate cooperation with prosecutors or regulators, and aid in defense against civil or criminal actions?
• Have we found systemic problems that require correction or deeper investigation?

DO WE KNOW THE BUSINESS IMPACTS?
• Have we adequately briefed senior management and the board about strategic, financial and reputational impact of the case?
• Do the findings indicate gaps in company governance or culture that require significant leadership changes?
• Do we need to revise business strategy, or terminate lines of business, withdraw from geographic regions or sever third party relationships?
• Will there be significant lost revenue and can we control it?

contact Scott L. Mitchell smitchell@oceg.org for comments, reprints or licensing requests ©2012 OCEG
©2012 Dachis Group

Corruption Issues: An OCEG Roundtable

SWITZER: Companies learn of corruption issues through many pathways, including hotlines, comments to supervisors, and unfortunately sometimes only when a government investigation takes place. What are the best ways to drive early notice so that the problem can be addressed quickly?

MEFFORD: Employees are the best eyes and ears of the organization because they see the action from the front lines. I am always amazed at how many employees knew something was going on, but didn’t say anything. The challenge is making employees feel secure enough to say something when they see it. It takes courage to step forward. We have to fight the negative stigma associated with being a “snitch” and help employees understand how speaking up protects the company, coworkers, and themselves. Having an employee tell coworkers “it’s OK to say something; I did and nothing happened to me. In fact, I was thanked for my help,” is powerful and the grapevine will spread that message quicker than any corporate communication program.

CAMPBELL: It’s so true that companies must establish an ethical, “speak-up” culture, and they should make it as convenient as possible for employees and third parties to report issues internally. Provide and advertise multiple points of contact; offer anonymity but encourage personal contact; acknowledge receipt of issues and act promptly; and maintain centralized, accurate records. It’s important to train and remind employees, managers, and third parties about reporting options and responsibilities. And using a sophisticated case management system ensures accurate collection of issues, facilitates workflow, and helps in managing investigations and generating useful reports.

REISMAN: I agree with everything said and can add a few points. First, help employees and others know how to identify corruption risks, and train managers about communicating reports to compliance officers and company lawyers. Second, paradoxically, reduce reliance on employee calls and tips by proactively monitoring known risk areas and capturing data from your compliance processes. For example, periodically assess payments or commissions made to certain third parties, due diligence reports for appointment of agents and distributors, T & E accounts in high-risk countries, and any charitable or political contributions. Also hold periodic face-to-face reviews with sales teams in remote locations. Last but not least, promptly identify and escalate potentially significant issues with a structured and tested process for communication, assessment and assignment of cases, and metrics for cycle time.

SWITZER: Given the number of sources of information and the volume of potential issues, what are the key steps in filtering and ensuring the right level of investigation for each?

REISMAN: Start by getting the issue to a knowledgeable first responder—someone in compliance or legal who can sift through potentially unclear reports, ask follow-up questions, and identify a corrupt practice.
Whether the issue was communicated in person, by telephone, e-mail, or instant message, the first responder should create a record in an electronic case-management system, for routing to those responsible for the second step—mobilizing investigations and assembling global teams. For that step to be effective, global teams should be on standby for quick response in places where a risk assessment indicates that a significant issue is likely to surface. They have to be ready to handle a hot case quickly and comprehensively: secure the evidence; contact the witnesses; conduct interviews; keep employees and management informed; and handle customer and public inquiries. Standard protocols and team rehearsals are important.

CAMPBELL: You definitely have to be ready to deal with the highest-risk issues first, and that is part of what the first responder has to determine. Wasting time, personnel, and money chasing low-priority items while critical issues remain unattended can be the undoing of a compliance program and the organization. Issues can be prioritized based on the risk they carry to your objectives and available resources. And it’s helpful to estimate how successful an investigation might be, measured by the likelihood of issue resolution as well as successful risk mitigation. Companies that have leveraged technology have an advantage in sorting through all this. They can easily filter accumulated data by the risk criteria they deem important such as allegation type, vendor type, or gift recipient and identify the riskiest issues.

MEFFORD: A good first step is discussing what sorts of issues will demand the highest attention. Most companies categorize issues into buckets, which the governance group should rank by priority and impact to the organization. This allows the first responder to make a better initial assessment.
Having the right people involved in the governance group is also important to ensure you are thinking of each issue holistically and assessing it from different points of view. We have a representative from human resources, legal, finance, and internal audit to ensure each issue is viewed from those perspectives. Another factor to consider is the level of individual in the organization against which the claim is made. An organization faces greater liability if a country manager or executive is involved than if it is a low-level employee.

ROUNDTABLE PARTICIPANTS
MODERATOR: Carole Switzer, President, OCEG
Colin Campbell, Global Head of GRC Product Management, SAI Global
Jason Mefford, VP Business Process Assurance, Ventura Foods
Andrew Reisman, Senior Manager, Fraud Investigation & Dispute Services, Ernst & Young

SWITZER: Some issues are so hot they require immediate escalation. What are some triggers for sending issues up the chain quickly, even to the point of informing the board?

CAMPBELL: As a general rule, any report regarding suspected corruption needs to be escalated as soon as possible to the general counsel and the chief compliance officer, or to a specific individual designated by them. Also, there needs to be a single focal point in the organization with the perspective to make connections between reports. Having this kind of process helps organizations identify areas of emerging risk. Escalation up from that point will depend on the nature of the allegation, the type of risk involved, such as reputation or financial, the credibility of the report, and whether the issue has been previously investigated. Given the size and nature of potential penalties and the need to demonstrate integrity in this area, escalation should be prompt once credibility has been established, especially if there has been a history of problems.

REISMAN: Ask yourself a few key questions. First and foremost: Is there evidence to indicate that a crime has been committed, so that the company might need to make a voluntary disclosure to prosecutors and regulators? Is it likely that the claim is true? Is it probable that other people know and might make a disclosure before the company can respond, for example, an employee seeking a bounty under the Dodd-Frank Act’s whistleblower rules? Is there significant legal, operational, financial, or reputational risk to the company?

MEFFORD: This will vary from organization to organization, so it is extremely important to understand your board’s expectations. That is the most important criteria for knowing when to escalate an issue and notify the board. As a general rule, if a high-level employee is involved, if the magnitude of the wrongdoing or potential fines are material, or if there is the chance of a significant reputational risk, you should notify the board sooner than later. One of the worst things that can happen is for the board to read about an incident in the media before they were made aware of the issue.

SWITZER: What are some of the information management and communication needs when an investigator determines criminal investigation or voluntary disclosure to prosecutors may be likely?

CAMPBELL: Information must be readily available in one central location. This is where technology can really help. For example, having all the communication between relevant parties on one centralized platform makes data collection and disclosure more cost-effective and accurate. A centralized platform should include systems for case management, for tracking or registering gifts and entertainment, and for capturing information about third-party due diligence. Clearly, centralized oversight, on-demand reporting, and data storage are real advantages of such a system.

MEFFORD: Once an investigator determines a criminal investigation or voluntary disclosure to prosecutors may be likely, it’s time to check back in with the governance group responsible for investigations.
There should be one procedure for determining if this is necessary and how to notify prosecutors and the board. This is a decision that needs to be made by the right individuals, who are usually represented on the governance group. I think one of the biggest issues is to ensure that any statements made by the company or its employees are factual and consistent. Nothing is more damning, to the public or prosecutors, than an organization changing its story as the events unfold.

REISMAN: Keep in mind one central point: Nothing in today’s world stays secret for long, despite attorney-client legends on documents and admonitions to employees. I have this vision of people tweeting as the investigation team walks down the hall. Employees being interviewed tend to get nervous, and understandably so. That makes planning communications to the people who might be involved critical. Be prepared to describe the issue and the investigation process, and to let employees know whether the company will retain counsel for them. Have a communication plan for local managers who need to answer customer inquiries and questions from employees after the investigation team leaves; and for senior management who will be involved in decisions about legal issues and making changes in business operations. And ensure strong coordination and information flow between the investigation teams and the compliance officer and general counsel, who may need to provide information to the board. ■

How to Boost Your Merger and Acquisition IQ
Carole Switzer, OCEG President

Here’s a quick quiz to test your merger and acquisition (M&A) IQ. The success and value of a proposed deal hinges more on:

A. The “deal-drivers;” or
B. The “organization protectors.”

It’s a trick question. The right answer, and the key to effective M&A corruption due diligence, is:

C. This distinction should not exist.

The team driving the deal is protecting the organization by enhancing its value. The team conducting corruption due diligence is driving the deal and enhancing organizational value by ensuring that the company makes the right acquisition at the best terms. Too often, these teams are pitted against each other in a tug of war that prevents corruption due diligence from taking place in a sufficiently timely and comprehensive fashion.

The need to replace the “deal drivers vs. organizational protectors” mindset with a more effective approach has never been greater. M&A activity is on the rise, particularly in regions and countries with high corruption risks. The rapidly developing economies of Brazil, Russia and India rate relatively poorly on Ernst & Young’s M&A Maturity Index—an analytical tool that evaluates M&A risk and opportunity globally—and corruption risk is a large reason why.

It’s not only a matter of how, but of when to evaluate corruption risks in a proposed deal. The best solution is to use a structured risk assessment approach in due diligence well before the decision to consummate a deal is finalized.

If the parties driving the deal and those tasked with managing corruption risk cooperate, they can help prevent the due diligence process from wilting under the pressure of “deal heat,” a term coined by The Financial Times to describe the pressure to get the deal done that obscures the downside of a deal to management. Companies that treat the experts responsible for M&A corruption due diligence as the “Department of Know” instead of the “Department of No” are better positioned to strengthen decision-making no matter how intense the deal heat becomes.

By participating in the strategic planning meetings that hash out whether it is better to build or buy, what markets a company targets or avoids and other upstream determinations, anti-corruption experts help lower the likelihood of selecting acquisition targets with high corruption risks. By sniffing out top-level corruption threats in the risk assessment phase, the company can identify and resolve corruption issues earlier and at a lower cost than it would incur when scrambling to react to these same issues later in the transaction process.

There are other benefits as well. Knowledge of corruption risk strengthens the acquiring company’s negotiating hand and may result in a more effective deal structure or more favorable purchasing terms. Early detection of corruption risk gives the acquiring company an opportunity to proactively meet with relevant regulators to negotiate resolutions to outstanding issues so that these distractions and potential business interruptions are firmly in the rear-view mirror once the deal is finalized. Planning for post-closing changes can take place as well.

To get these types of returns on their M&A knowledge investments, organizations should deploy corruption due diligence efforts as early as possible. The cost of neglecting this need can be extreme: “Failed M&A can destroy a company’s market value, destabilize its financial position and credit ratings, impair its strategic position, weaken the organization and damage the company’s reputation,” warns the Ernst & Young paper “Increased Oversight of M&A: An Expanding Role for Audit Committees.”

By treating their deal-drivers as organizational protectors and vice versa, acquiring companies can ace their due diligence and improve their odds of avoiding a failed deal. ■
Illustration: OCEG Anti-Corruption Illustrated Series

Merger and acquisition activity is on the rise in high corruption risk countries. Too many companies focus on financial due diligence in transactions and have undertaken insufficient pre-acquisition corruption due diligence procedures, even while regulatory demand has increased. This illustration outlines key steps that should be taken.

Panel titles: Start; Advance Risk Assessment; Make Strategic Decisions; Identify Top Level Corruption Threats; Make Tactical Decisions; Look Deeper; Enhanced Due Diligence for Red Flag Issues; Pre-Transaction Activities; Strategic Decisions Redux; Plan; Analyze; Fix Identified Shortcomings; Integrate; Communicate; Post Closing Activities.

TOP TEN RED FLAGS
1. History of corruption in country or industry
2. No anti-bribery certification
3. Ties to government officials or royal family
4. Use of shell companies
5. Excessive use of cash and/or payments made in cash
6. Invoicing discrepancies
7. Excessive gifts, travel, entertainment and contributions
8. Payments or promises to pay governmental officials
9. Inadequate third party selection or control
10. Questionable agents

HOT AGENT ISSUES
• No apparent business purpose for agent
• Claims to be related to government officials
• Asks for improper invoices or payments
• Seeks excessive commissions or discounts
• Objects to being audited
• Refuses to disclose owners, partners or principals
• Lacks accounting transparency

Contact Scott L. Mitchell smitchell@oceg.org for comments, reprints or licensing requests. © OCEG. ©2012 Dachis Group.

Buyer Beware of Corruption Risk: An OCEG Roundtable

SWITZER: Not all mergers or acquisitions are between U.S.-based companies or those that are located where they are likely to have established anti-corruption programs. What are the biggest challenges in completing effective due diligence for corruption concerns when the company is acquiring an entity that operates completely within a high corruption risk country?

WOLSKI: Ironically, the confidential nature of a deal often results in overly restrictive access to the proper people for interviews and the target may be sensitive about providing information without full knowledge or appreciation of the purpose, which creates a significant challenge in gaining access to relevant information. But it’s critical to gain a full understanding of all key business drivers of the target (key customers, sales channels, etc.) so you can determine how the target operates and identify potential areas of risk quickly. And you have to obtain full disclosure of all key business partners and the true business purpose behind each arrangement.

MARTIN: In my experience, the biggest challenge is to complete adequate due diligence on all third-party business partners, with particular emphasis on commercial agents who earn a commission for new business they bring in. This challenge arises because of the poor state of records in many lesser developed countries and the propensity of business partners operating in those countries to incorporate in offshore jurisdictions, where it is difficult or impossible to identify complete ownership of an entity and to confirm the lack of involvement in that entity by any foreign official covered by the strictures of the FCPA. Another challenge is to identify all of the key contracts and related amendments covering business with state-owned entities in the limited period of time one has to conduct due diligence in an acquisition context. The fact that documentation exists in huge volumes in many media, and in many locations around the world, creates a major challenge.

ROST: Gathering the extensive range of information needed for effective due diligence can be an arduous and time-consuming task when you do not have the in-country resources, knowledge, and language skills to perform the proper research and due diligence. Where to get information, how to ask for it, and researching and understanding the complex relationships between legal and government entities requires local expertise, and this is why many organizations rely on trusted information providers to execute on tailored enhanced due diligence activities. Professionally created reports offer detailed background checks on current and proposed individual and organizational business partners, and these professionals also can assist with informed decisions when more information is required.

SWITZER: Too often, those who are responsible for due diligence outside of the pure financial realm are viewed as impediments to getting deals done.
How do you overcome this view and demonstrate that early understanding of corruption risks presented by the target company can protect the bottom line and provide insight that may make for a better deal?

MARTIN: Our company has successfully conducted many acquisitions over the years which have involved some of the target’s activities being in high-risk countries. We have had enough instances where acquisitions were not completed because of significant unresolved compliance issues that the company now readily appreciates the critical role that my compliance team plays in any acquisition to ensure that the company does not take on any hidden material compliance issues which would erode the expected value of the acquisition. We have spent a considerable amount of time educating other members of the company’s due diligence team and senior management on the significant risks that are presented by the ineffective treatment of corruption risk and the material impact that unresolved compliance can have on the value obtained by the acquisition.

ROUNDTABLE PARTICIPANTS
Moderator: Carole Switzer, President, OCEG
Jay Martin, Vice President, Chief Compliance Officer and Sr. Deputy General Counsel, Baker Hughes Incorporated
Mike Rost, Vice President, Thomson Reuters GRC
Gregory Wolski, Partner, Fraud Investigation & Dispute Services, Ernst & Young

WOLSKI: The key is to educate the deal team, preferably even before they identify a potential target, about the range and significance of potential risks which must be identified and assessed as early as possible. They need to know that the deal may give rise to reputational risks that can create difficulty in attracting capital for future investments. There may be personal civil and criminal exposure for directors and executives with oversight responsibilities.
Financial risks could impact the value of the acquired company based on the loss of revenues, customers and suppliers which were generated from or associated with bribery or corruption; not to mention significant expenses associated with conducting internal investigations, responding to regulatory inquiries, and paying fines. There also may be operational risks including delays in closing the contemplated transaction as a result of last-minute identification of potential issues, successor liability arising from pre-acquisition violative activity, difficulty attracting funding for the contemplated transaction, and inability to divest or exit from the investment.

ROST: The easiest way to overcome the view that more extensive M&A due diligence is an impediment to the deal is to provide the data which highlights the risks associated with corruption, business relationships, and the downside to moving forward without the proper research efforts. The best practice M&A due diligence processes we have seen involve the steps of searching and reviewing similar deals that have been done in the recent past, analyzing legal precedent for M&A corruption risks, review of global M&A deal metrics, governing law, jurisdiction, acquirer characteristics, and related parties, and screening and due diligence reports which outline risky business relationships and associations related to sanctions lists and legal action. All of these activities can be easily done by accessing trusted data sources and information providers who offer M&A specific information capabilities.

SWITZER: When issues are identified, typically what can be left to address after the closing and what must be dealt with before the deal is sealed?

ROST: It is a best practice to gather as much information as possible prior to closing.
Vendors and customers should be screened, the relationships and networks of those entities should be analyzed and understood, and high-risk areas should receive enhanced due diligence efforts. If these activities are not executed upon prior to closing and the deal still closes, a comprehensive effort should be made immediately post closing to screen all vendors, customers, and third-party agents and provide as much information as possible as part of the process.

MARTIN: In evaluating whether any compliance issues that are identified in the course of the due diligence effort for an acquisition must be resolved prior to the closing and which issues can be resolved post-closing, great judgment and experience must be applied. For example, if an issue is serious enough to require disclosure to one or more government agencies, most acquiring companies will insist that such issues either be satisfactorily resolved or disclosed by the target company prior to closing. This would also be true for issues that present a significant amount of dollar exposure, such as pending litigation or environmental liability issues. With respect to identified issues that can be pretty accurately priced as to liability, adjustments can be made to the purchase price of the target. As a general matter, compliance issues which do not have to be disclosed and do not present high dollar value exposure can be dealt with on a priority basis following the closing.

WOLSKI: Prior to closing, you should fully determine and assess the risks of bribery and corruption of the target and really understand the target’s existing agent and customer relationships. In connection with closing, include reps and warranties in the deal agreement affirming compliance with FCPA and applicable anti-bribery laws by key target shareholders, executives, and directors. Immediately post closing, be sure to immediately communicate the right tone from the top and fix any shortcomings identified in due diligence.
Implement policies, train employees, and ensure a program is established to monitor compliance.

SWITZER: What is the biggest mistake made when acquiring entities with weak anti-corruption capabilities?

MARTIN: In my experience, the single biggest mistake that companies make when acquiring entities with weak anti-corruption capabilities is the failure to recognize how significant the adverse exposures can be. In today’s world, many companies have global operations in numerous high-risk countries, and many dealings with state-owned entities and foreign officials. If any of the actions taken by the target company to attain or retain business were violative of anti-corruption laws, the acquiring company may be held fully accountable for those liabilities when they are discovered after closing. These exposures can involve significant reputational damage to the acquiring company, high investigative costs, substantial fines and disgorgement, personal liability to individuals, and potential debarment from government contracts. In a worst case, the collective liabilities resulting from hidden problems can be greater than the value of the acquisition itself.

ROST: When the risk is present with a target company with a weak anti-corruption capability, that risk should not be underestimated. Investing in enhanced due diligence, including screening of third party vendors, prior to deal closing will reduce any post close surprises and provide the acquiring company the information to price the deal correctly.

WOLSKI: Some acquirers approach transactions assuming that any issue can always be fixed post closing and take more of a check-the-box approach to anti-corruption due diligence, which may result in failing to appropriately assess corruption risks based on the information that they have been provided.
Just digging a little deeper or talking to the right target employees often results in the identification of information that could have a potentially significant detrimental impact on deal value. ■

Finding the Corruption Needle in the Haystack

Beryl Markham was a 20th century female adventurer and one of the first pilots to fly solo and nonstop across the Atlantic (she did it from east to west against prevailing winds). Markham also knew how to turn a phrase. “The way to find a needle in a haystack,” she once said, “is to sit down.”

When it comes to conducting corruption investigations, we would do well to heed her advice—as a warning.

The investigation of a report of bribery or another alleged corrupt act resembles a search for a needle in the corporate haystack. However, investigators who sit down on the job can be certain that their organizations will endure consequences far more painful, costly and disruptive than a little jab.

If the investigation team simply starts rooting around in the hay without this knowledge, the investigation is going to drag on; worse, it may fail to uncover the full scope of the problem. Violations are rarely isolated. If the investigation team fails to unearth other, related ethical violations (or even a major root cause), disruptive follow-up efforts are necessary and the U.S. Department of Justice may take a keen interest.

“Billions of dollars in fines, penalties, disgorgement of profits, and professional fees signal that we are in a world that has bribery and corruption firmly in the center of any international company’s radar,” asserts a new eBook “Bribery and Corruption: Navigating the Global Risks” from Ernst & Young’s Fraud Investigation & Dispute Services practice.

“The individuals conducting the investigation have to know what the needle looks like before they search,” notes Littler Shareholder Katherine Franklin, who has trained companies on how to conduct effective investigations for more than 20 years. “You need to know what corruption looks like. You need to know what tools and processes to use to make your search as effective and efficient as possible. And you need to know where to look.”

Finding the needle in the haystack marks a difficult-to-develop but crucial capability. When a hotline or a manager receives a report of a violation, a swift and comprehensive investigation is an absolutely necessary response. Anything less can ultimately expose the company to major compliance risks and criminal liability. Yet, conducting a quick, rigorous, and methodical investigation is difficult due to several obstacles including the following:

» Translation Obstacles: Recent research indicates that less than 5 percent of all reports of ethical violations are captured by ethics hotlines. The vast majority of these issues are reported to managers and supervisors—but rarely is the reporting done in a crystal-clear (“I witnessed a $50,000 bribe”) manner. Managers need to understand how to spot certain indicators of problems (“I felt uncomfortable when …”) and then ask more questions to flesh them out.

» Selection Obstacles: Once an investigation is deemed necessary, the question of who should lead the effort arises. Too often, companies get this answer wrong: HR managers are left to investigate fraud and in-house attorneys take the lead in instances where outside counsel would bring much-needed objectivity to the process.

» Breadth and Depth Obstacles: Slow starts can cripple an investigation, but zipping through without looking broadly and deeply enough can blind the investigative team to patterns of unethical behavior or root causes.

By following pre-established steps to triage issues and manage investigations to resolution, your organization can dig the needle out of the haystack before it pricks you in the … ■

Carole Switzer
OCEG President

Illustration: OCEG Anti-Corruption Illustrated Series

Every organization should have a strong anti-corruption program that includes detection systems and processes and a response plan to assess, investigate and resolve issues. This illustration can help you implement or refine an investigation process and focus on important areas.

1 INVESTIGATION TRIGGERS
A culture of compliance that encourages reporting is essential. Corruption concerns are also captured from people, processes and technologies that directly control, monitor and detect potentially inappropriate activity.
Internal and external triggers shown: culture of compliance, whistle blower, hotlines, supervisors, human resources, internal audit, interviews, data analytics, third party due diligence, third party complaints, media, regulators/police.

2 TRIAGE
Use a standard process to review and filter allegations to develop initial response plan.
Factors shown: complexity, severity, subject matter, urgency, credibility.
Questions shown:
• Are high-level employees involved?
• Are there complex areas of law and jurisdiction involved?
• Is safety around products, employees or witnesses a concern? Should we call the police?
• How wide and deep is the scope?
• Is the source known and considered reliable? Can any facts easily be verified?
• Who’s involved outside our company? Third party agents?

3 PLAN AND ASSIGN
Based on the analysis of each issue, establish the investigation team, determine any need for outside counsel, and take necessary steps to discover and preserve evidence. Ensure appropriate oversight and disclosure as the process continues.
• Determine Investigation Team. Potential members include: experts, forensic accountants, compliance officer, internal auditor, lawyers.
• Address Technical and Logistical Issues. Engage experts to navigate foreign language documents, distant witnesses and evidence, cultural issues, and different data formats.
• Identify Key Stakeholders for Oversight. Could include: general counsel, audit committee, special committee, chief compliance officer.
• Potential Initial Disclosures: audit committee, senior management, outside auditors, regulators.

4 INVESTIGATION
Each investigation is unique. The facts and circumstances will dictate how specific procedures should be performed.
• Identify and Preserve Evidence. Find locations of key data and preserve it, identify key witnesses, involve counsel to trigger privilege, decide if a litigation hold is necessary, and determine if you can get third party interviews and evidence.
• Conduct Data Analytics and Document Review. Look for other transactions with similar attributes that should also be part of the investigation. A forensic accounting review is critical to understanding how transactions are captured in the accounting system, the flow of funds and the internal control environment. Email and document review helps better understand troubling transactions.
• Conduct Interviews. Be prepared: what info do you want from your interviews? Are you seeking new or corroborating evidence, are they friendly or hostile? Know as much as possible about the witnesses, know which evidence to ask about. Have a plan to encourage cooperation and to address non-cooperation.
• Start to Develop Fact Pattern. Determine who is involved. Tell the story of who, what, when, where, and how. Third party agents, consultants, suppliers, distributors, contractors are often involved. Consider necessary disclosures as facts develop.
• Understand Fact Pattern. Have you confirmed the allegations? Have you discovered other possible problems? Who else do you need to speak with? What additional evidence needs to be reviewed? Execute additional investigative steps as needed.
• Draw Conclusions and Make Recommendations. Develop fact pattern and prepare report of recommendations on disclosures, program improvement and discipline.
• Inform Appropriate Parties. Determine what to disclose to any or all of the following: government/regulators, auditors, the board, audit committee, employees, shareholders, suppliers, customers.

What to look for (situations):
• Joint venture partners
• Government interaction (taxes, permits, licenses, etc.)
• Government customers (SOEs)
• Gifts, donations and political/charitable contributions
• Acquired entities and relationships
• Meals, travel, entertainment (employee expenses)
• Freight forwarders and customs agents
• Disbursements (including petty cash)
• Third parties (agents, brokers, consultants, etc.)
• Sales generation process
• Related parties
• International transactions

5 REMEDIATION
Address discipline of those involved and terminate problematic third party relationships. Report findings and recommend changes to personnel, prevention and detection processes, policies, training, data analytics and other program elements.
• Discipline and Corrective Action: criminal complaint, legal action, reassignment, demotion, termination.
• Program Improvement Recommendations and Follow up.

COMMON PITFALLS
• The First 72 Hours. Mistakes in the first 72 hours can cause an investigation to fail. Evidence can be lost, poor documentation (of investigations) can send you down the wrong track.
• Overlooking the Scheme. Do not overlook smaller transactions or assume many similar transactions are reasonable when they are actually part of a much bigger issue.
• Trampling on Evidence. Inexperienced investigators or others in the organization can inadvertently destroy, corrupt or fail to adequately secure critical evidence.
• Accepting Face Value. The investigation needs to confirm the business purpose of transactions in question. Any problematic underlying motives need to be revealed even if transactions appear reasonable with relevant supporting documentation.
• Culture Clash. If you don’t understand the culture you may miss what they’re trying to tell you or not get the info you need from witnesses.
• Retaliation. Retaliation against whistleblowers or witnesses opens you up to additional legal risk and erodes the needed culture of compliance that encourages internal reporting.
• Parallel Investigation. Avoid contaminating parallel investigations being run by the government, your parent company or auditors by establishing which has priority.

©2012 OCEG. Visit www.oceg.org for other installments in the Anti-Corruption Illustrated Series.

Investigating Corruption: An OCEG Roundtable

SWITZER: Let’s start at the beginning: when there is a report or suspicion of corrupt activity, what are the very first steps you need to take?

THOMAS: First, you have to assess the credibility and seriousness of the event to ensure that the level of response is appropriate and proportionate. Evaluate the qualitative aspects of the allegation rather than focusing on the quantitative aspects, because the notion of “materiality” should not affect the decision to investigate further. Then develop an investigative workplan tailored to the specific facts and circumstances, and revise it as new facts come to light.

MARTIN: You need a good intake and case management system overseen by an experienced attorney; and you have to preserve all potentially relevant evidence. Cycle times should be monitored so that remedial actions are prompt and followed up to ensure any harm has been stopped.

SICILIANO: The initial risk analysis considers the matter’s scope, urgency, complexity, and severity. Ask if the issue involves a single individual or multiple people, business units, and physical locations. Are there obligations to disclose to the government or key stakeholders? Is it urgent to intervene quickly to limit exposure? Does the matter involve complex areas of law or technical facts? Do the allegations relate to the reliability of the company’s financial reporting? Do they involve high-level employees? Is there a potential public relations consequence? Will regulators and your auditors care?

SWITZER: In the United States, immediately establishing attorney client privilege for an investigation into alleged corruption is considered essential, but is that the case—and is it even possible—when the investigation involves activity in other countries?

SICILIANO: Privilege typically is not as strong outside the United States. In some jurisdictions, privilege exists for outside counsel, but not for in-house counsel. When conducting a cross-border investigation, I always try to protect the privilege here in the United States by making sure there is a licensed U.S. attorney present during interviews and limiting non-lawyer involvement. But in a country like Japan, in-house legal departments often have no licensed lawyers. This fact, combined with cultural inclinations to report everything through set communication channels to a broad range of parties, can create tension in trying to preserve the privilege.

MARTIN: Preservation of privilege in a multi-jurisdiction investigation is very challenging because of widely varying rules.
Nevertheless, it is very important because now there is an unprecedented level of cooperation and sharing of information among prosecutors across borders. There is no protection for a company against double jeopardy for the same offense in different jurisdictions, and if the attorney-client privilege is non-existent or waived in one jurisdiction, it may be waived in others.

THOMAS: Given the risks, you really need to make sure the investigation team knows how to identify and address local privilege and data privacy issues when determining how to collect, store, and analyze the relevant documents and data for the investigation.

SWITZER: Corruption can range from an individual salesperson’s decision to bribe a government official to a concerted conspiracy that establishes an ongoing kickback scheme. What steps do you take to determine if this is a single bad act versus an ongoing scheme with multiple participants?

THOMAS: Determining whether a transaction is an isolated act or part of a pervasive or systemic issue is essential. Indicators from e-mails, interviews, or other sources should be investigated further, and it is important to focus on the attributes of the problematic transactions and how they are recorded in the company’s books. For example, if an employee admits to paying a bribe through an excess commission to an agent, analysis of payments to that agent may identify numerous similar transactions. There may be other indicators in the general ledger metadata that could identify problematic transactions and experienced investigative teams can apply data analytics to identify other non-standard transactions.

ROUNDTABLE PARTICIPANTS
Moderator: Carole Switzer, President, OCEG
Jay Martin, Vice President, Chief Compliance Officer and Sr. Deputy General Counsel, Baker Hughes Inc.
Brad Siciliano, Shareholder, Littler Mendelson
Richard Thomas, Partner, Fraud Investigation & Dispute Services, Ernst & Young

SICILIANO: That really is the purpose of the investigation.
You may have allegations about a discrete event, but your investigation is going to assess whether there was similar wrongdoing by that individual over a period of time. With data mining tools this process has become much simpler and more efficient. Even if you don’t find evidence of additional misconduct, the fact that the wrongful conduct did occur is reflective of a potential weakness in your control process and you should evaluate whether others in the organization have exploited that weakness. If you have an internal audit function that is regularly checking control processes, point them in the direction of the potential weakness and have them test it for you. When these discrete incidents of misconduct arise, an organization needs to use them as an opportunity to see if they are part of a larger problem.

SWITZER: What sort of policies, procedures, and controls around information management and document retention are necessary to ensure that evidence remains available to the investigators?

SICILIANO: While most investigators would prefer that evidence stay around forever, that’s neither practical nor advisable in today’s business world. Instead, a business should implement document retention policies and procedures that are tailored to how the company is structured and goes to market. Rather than use generic descriptions, the policy should clearly explain how to handle and retain specific types of documents, identified by the terms used by the business. Companies have gotten into trouble recently for what courts have found to be unreasonably short e-mail retention policies, so at a minimum companies need to make sure that their policies are reasonably related to business needs and don’t appear to be designed to hide information. It’s also helpful to have an IT infrastructure which makes ESI accessible and gives you the ability to segregate relevant users’ content from the rest of the population.
Companies also need to have strict controls in place that establish who has authority to delete data. The worst scenario is inadvertent deletion because a court may treat it as deliberate destruction of evidence. A key element of maintaining the necessary controls is a cooperative working relationship between the legal, HR, and IT departments and a process in place for securing approval for the destruction of data.

THOMAS: Most companies perform regular backups of important data and have established formal document retention policies that allow the company to comply with its legal and local tax requirements. It is important to understand these different policies and procedures to ensure that data is not inadvertently lost or destroyed. This is often addressed by issuing a document preservation notice or legal hold notice that is provided in local languages, is broadly distributed, and clearly defines what is to be retained. The investigative team should immediately consider acquiring forensically sound images of the data on employees’ laptops and of the company’s servers in order to preserve what may turn out to be very relevant metadata. The preservation of other electronic data, such as information on smartphones and thumb drives or other external media, should also be considered. The decision of what data to review and how to review it can often be taken at a later time, but it will at least remain available to the investigative team if it is preserved. The investigative team should also contact IT to ensure that relevant backup tapes are not being overwritten and contact any off-site storage facility to ensure that hard copy documents are not being routinely destroyed.

SWITZER: How do you decide if, and when, to inform external stakeholders, including legal authorities, about an ongoing internal investigation?

MARTIN: First take into account whether reporting is mandated by law such as required disclosures for public companies in the U.S.
Then you have to consider how significant the discovered violation is; whether disclosure is required by an agreement such as a DPA; how likely it is that disclosure will be made by someone else such as a whistleblower or disgruntled employee; the impact of the Dodd-Frank Act’s whistleblower rules; what the rules are for disclosure in various jurisdictions; whether the rewards of disclosure outweigh the risks; and who needs to be involved in the disclosure decision. Remember, once you disclose you lose control of the matter.

SICILIANO: After considering legal reporting obligations and the seriousness of the event, I consider what I have actually learned in my investigation. External stakeholders such as auditors typically take the view that your first duty is to report to them no matter what. I think, however, you first need to know what you’re reporting. I’ve experienced too many situations where a stunning allegation turns out to be a simple misunderstanding. Also, you don’t want to report on something that you don’t fully understand because, when your report contains mistakes, you potentially lose credibility with the third-party stakeholder.

THOMAS: You don’t always get to decide. In some cases, the investigation has been triggered by an inquiry from the government and discussions with the regulators are ongoing throughout the investigation. And, whether disclosed to regulators or not, companies are still subject to audit and have reporting obligations in respect of their public filings. In other cases, once the investigative team has developed enough facts to corroborate bribery or corruption issues, the company may seek to self-disclose issues in return for leniency, in which case what you disclose may be as important as when. For example, you may include a summary of progress to date, highlighting the remediation steps that the company is taking to punish those involved and prevent future recurrences.
■

Brad Pitt: The New Anti-Corruption Compliance Officer
Carole Switzer, OCEG President

Anti-corruption compliance efforts are rarely, if ever, as easy as a-b-c. However, these endeavors would be much easier and more effective if more companies understood—and deployed—their ABCs.

“ABC” refers to anti-bribery and corruption analytics, which are statistical techniques that comb through massive amounts of data and sniff out unusual patterns, questionable transactions, and compliance risks buried deeply within organizational information systems. These analytics mine vast amounts of data via clustering, variance-detection, linguistic searches, and other techniques. When potential problems are detected, analytical tools issue automatic alerts calling for further investigation.

If that sounds complicated, it should. After all, companies of all sizes now rely on a complex tangle of information systems, located on internal servers as well as in the cloud. These systems process ever-increasing amounts of data measured in gigabytes, terabytes, and petabytes.

That being said, the process of using analytics does not require an advanced degree in IT. Once the tools are in place, leveraging information they produce is as easy as 1-2-3, to which any finance director, human resources department, sales and marketing team, professional sports manager, or amateur fantasy sports enthusiast can attest. Best Buy has used analytics to discover that slight boosts in employee engagement scores correlate to significant increases in annual operating income. Financial planning and analysis functions routinely employ analytics to forecast, with eerie accuracy, fluctuations in revenue several quarters into the future. And perhaps most famously, Oakland A’s General Manager Billy Beane, who is played by Brad Pitt in the film version of author Michael Lewis’ “Moneyball,” rose to prominence by employing analytics to sniff out up-and-coming baseball talent that conventional talent-scouting either neglected or dismissed.

Spotting talent, it turns out, often is just as difficult as identifying evidence of bribery and other forms of corruption within organizations. Success in either endeavor requires the following approaches:

» Think Differently: As Lewis writes in his book, baseball “managers tend to pick a strategy that is the least likely to fail, rather than to pick a strategy that is most efficient … The pain of looking bad is worse than the gain of making the best move.” A similar dynamic holds sway in business and in compliance. Traditional, rules-based tests of data samples remain widely used—in part because they are so widely used. Despite their popularity, rules-based tests have several limitations: They are slow, require a lot of manual work, and examine a relatively small set of data. Besides, outwitting those who break rules requires a continual dose of fresh thinking: ABC analytics provide fresh insights derived from an untraditional source (organizational data).

» Strike a Balance: The use of ABC analytics does not negate the value of traditional modes of anti-corruption and bribery vigilance; instead, these tools should augment existing capabilities. In the movie version of “Moneyball,” Beane angrily fires his scouting director, Grady Fuson, because Fuson refused to adapt his from-the-gut approach to finding talent to Beane’s new, analytical approach. In reality, however, Fuson left the team, quietly, of his own accord and was later re-hired by Beane. The two have confirmed that the team’s current talent-scouting approach balances qualitative and quantitative techniques.

» Tailor Your Tools: ABC analytics should be customized to reflect the unique risks an organization faces. These tools and methodologies should also be sufficiently flexible so that they can incorporate insights and observations from previous investigations.

Once these analytical tools are in place and tailored to your organization’s risk environment, you too can be more like Brad Pitt. OK, you won’t become richer, better looking, or world famous; but you can be a star (at least within your company) by using analytics to get a quicker, deeper, and more efficient view of corruption and bribery risks. ■

Copyright © 2012 Tableau Software. All rights reserved.

OCEG Anti-Corruption Illustrated Series
[Illustration: text of the double-page spread on ABC analytics]

Companies face significant economic hurdles as margins shrink and profit expectations grow. Implementing and monitoring a strong anti-corruption compliance program under these conditions can be daunting. Forensic data analytics—known as Anti-Bribery and Corruption analytics, or ABC analytics—can help companies cost effectively and efficiently use data discovery to enhance their anti-corruption efforts.

WHY DATA ANALYTICS
You can use data analytics proactively and reactively to dig deep and find both opportunities for and instances of corruption.
Uses labeled in the illustration (proactive and reactive): control monitoring; mature compliance; investigations; incident response; internal assurance; settlement requirement; acquisition due diligence; risk assessment input; post-acquisition assessment; risk assessment follow-through.

GOALS & PLANNING (drivers, relationships, expectations)
The success of the project will ultimately be measured by different expectations of various stakeholders. Define these expectations and how they affect the approach you will take before the project begins.

DEFINE/SCOPE
Determine the key insights needed and the core tests to address the corruption risk areas for your company and industry. Build teams of people with the right skills and knowledge to define data needs and locations; determine key words and patterns that indicate risk.

IDENTIFY THE DATA / SOURCE DATA
No single data source holds all the answers to your questions. Organizations collect data in numerous places, some more structured than others. Find and collect data from a wide range of sources.
Sources labeled in the illustration: e-mail; sales rep call notes; CRMs; ERPs; trading systems.

PREPARE FOR ANALYSIS
Extract data kept in different forms in different systems, and then normalize and cleanse it so that meaningful analysis can take place.

EXPLORE THE DATA: INTERACTIVE FORENSIC ANALYSIS
Interactive exploration includes data mining and modeling techniques that drill down, slice and dice, pivot to analyze words/numbers and risk rank transactions, employees, and third parties.
Techniques labeled in the illustration: outliers; clustering; trends; patterning; linguistics; anomaly detection; mining; searches.

INFORMATION SHARING: DATA VISUALIZATION
Present data in role-based dashboards, geographic maps, and custom search reports to clearly communicate insights, anomalies, and changes in a timely, repeatable way.

VIEW, ANALYZE, ACT
Analyze and communicate findings to the investigative/compliance field team for use in determining field testing. Inform management as appropriate. Consider final results to continuously improve the anti-corruption program.
Document lessons learned during all phases of analysis and take action to address identified issues and feed information back into the models to improve future iterations. ABC analytic systems should continually evolve to become faster, better, and cheaper over time.

POTENTIAL CHALLENGES
LIMITED RESOURCES: With companies trimming resources in support functions, it is often difficult to get involvement from the people you need. Success requires commitment of compliance, audit, legal, IT, and other resources before the project begins.
AVAILABILITY: Access to data can be limited by factors such as data owner resistance, lack of awareness of relevance, and unknown locations. Work with communication team members to encourage sharing of information and access.
DISPARATE DATA SYSTEMS: With organizations getting larger through global expansion and acquisition, it is rare to find globally integrated data management and accounting systems. The data preparation process must be flexible enough to tie together varied systems into one platform for analysis.
GLOBAL OPERATIONS: A “one size fits all” approach to data analytics is rarely successful. Consider cultural differences that drive legal requirements and individual behavior in countries of operation. Include people with relevant language skills and cultural knowledge on teams to analyze data and communicate results.
LARGE COMPLEX DATA SETS: The size of the data to be collected and analyzed must be carefully considered. Both the depth and breadth of the information to be collected are important factors to be balanced. Determine what is really essential and limit scope to avoid getting lost in the data.
FALSE POSITIVES: Data analysis will always create some false positives that must be reviewed. Integrate a risk scoring methodology that objectively prioritizes the highest-risk transactions and reduces the overall risk of false positives.

KEY ADVANTAGES OF A SUCCESSFUL MODEL
ABC analytics offer a powerful tool for anti-corruption compliance monitoring by focusing on high-risk areas where traditional rules-based anti-fraud tests have limited detection capacity. Well-designed ABC analytics have these distinctive features that reduce false positives and increase overall detection.
DIAGNOSTIC: Identifies high-risk areas that warrant a deep dive analysis of transactions and source documentation
INTEGRATIVE: Integrates statistical and text-mining techniques to spot patterns and anomalies, and continuously improves the analytical ability of the system
VISUAL: Intuitive, highly visual, and simple to navigate with minimal training
COLLABORATIVE: Allows secure global sharing with compliance and investigative team members as well as key business stakeholders
COST EFFECTIVE: Saves time and money with quicker, more accurate fact finding in ongoing compliance monitoring and during investigations

Contact Carole S. Switzer (cswitzer@oceg.org) for comments, reprints or licensing requests. ©2012 OCEG. Visit www.oceg.org for other installments in the Anti-Corruption Illustrated Series. ©2012 Dachis Group

Anti-Corruption Data Analytics: An OCEG Roundtable

SWITZER: The very idea of data analytics can be intimidating to many compliance officers. Can you share how a forensic analysis approach can help them to find instances or patterns of bribery, or potential for corruption to occur? Tell us why this approach is so important, and give us some idea of how it actually works.

WALDEN: Imagine looking through your company’s accounts payable activity from your Russia operations and you come across a sizeable cash payment to a vendor that is described in the journal entry comments field as, “Goodwill fee as incentive payment for business relations.” Further, the vendor under review is a state-owned entity. While nobody is going to book it as a “bribe expense,” people come up with creative ways to describe inappropriate payments. By looking at these “free text” payment descriptions, a new light is shed on the data which makes it much easier to identify. This is the core of integrating anti-bribery and corruption analytics into your monitoring program.

CRAFTON: Here are some of the concrete steps you can take to find corrupt activity by analyzing your data. There are five main areas to analyze when looking for corruption. First is knowing who is involved by analyzing vendors and agents. You might stratify agent payments by time period and currency amount, or by contract or project code. Also, look for payments to vendors that are not on the vendor master list or large round sum payments to agents.
This may include commissions, recurring commissions, and cash payments in large round dollars or unusual currencies. Second, consider corrupt intent behind a payment and analyze the free text field general ledger entries for items such as cash disbursements, travel & entertainment, marketing, and charitable expenditures. As Vincent mentioned, this is a key component for looking for improper payments. Third, look deeper into cash disbursements and evaluate things such as duplicative payments and suspicious vendors; petty cash account use in selected countries; and payments made without a P.O. or not in the vendor master. People will get creative when looking for ways to extract cash from a company to pay bribes so you have to be creative as well. Fourth, look for suspicious recipients, considering customer segmentation by country, Transparency International’s CPI index, sale price and margin analysis across customers and vendors, among other factors. And last but not least, apply a business purpose test analyzing revenue in different ways such as trending analysis of revenue by country and by customer, or calculation of effective commission rates paid to agents. Any of these can point you to suspicious patterns and help you to uncover corrupt activity.

SWITZER: What can you get from a forensic analytics system that you can’t get by using spreadsheets and collaborative information sharing software?

AJENSTAT: The human visual system is a great system for finding patterns and outliers. In the case of fraud, where you may not have specific questions but are looking for something unusual, this is even more true. You need to see your data before you know what you’re looking for. Once you see something unusual, you want an interactive visualization so you can drill down, filter, apply sorts and highlights and other contextual information to determine whether what you’re seeing may be an indicator of fraudulent activity.
When you’re in a spreadsheet, you are looking at rows and columns of data, and it’s really hard to see trends or spot an outlier. Or you can go through a chart-wizard process, but again you need to have an idea of what you’re looking for first. An interactive and visual environment is excellent for identifying patterns that are amiss.

WALDEN: I agree. The value in finding patterns and outliers is a key factor. In the current regulatory environment, many companies are modifying their internal audit and/or compliance monitoring functions to specifically incorporate risks around bribery and corruption/FCPA. As with any audit program, analytics—not just looking at policies and procedures—should be integrated into the work program. However, analytics around bribery and corruption are fundamentally different than traditional internal audit or “accounting” tests that primarily rely on spreadsheets or “rules-based tests” to evaluate the numbers in accordance with accounting standards, not FCPA. In my view, the key difference is data visualization and text. What employees are putting in the free-text fields of journal entries, accounts payable, sales data, or travel & entertainment explanations can go a long way in identifying “corrupt intent” into a potentially improper payment or transaction. Traditional auditing tools are simply not designed to pick up kickbacks and corrupt payments; hence, their detection rate is limited and their false positive rates are high.

ROUNDTABLE PARTICIPANTS
MODERATOR: Carole Switzer, President, OCEG
Francois Ajenstat, Director, Product Management, Tableau Software
Jared Crafton, Senior Manager, Assurance Services, Fraud Investigation and Dispute Services, Ernst & Young
Vince Walden, Partner, Fraud Investigation and Dispute Services, Ernst & Young

SWITZER: Does the system find and define the corruption for you, or do you still have to investigate to determine what schemes are going on?
WALDEN: No. These analytics won’t confirm that any fraudulent or corrupt payment has taken place, only a court of law can do that; however, they will tell you where to look. Significant cost and time savings can be achieved by incorporating these analytics on a “pre-field work” basis to identify high-risk countries and business operations. Drilling in deeper, these pre-field work anti-corruption analytics “arm” the investigator with high-risk vendors, employees, transactions, or expenses before they hit the ground so that they can make the best use of their time in country. In one example, we helped make the business case for using these anti-bribery and corruption analytics for a large, global Fortune 500 company by reducing their number of site visits from 20 locations to around eight and reducing the time in country from four weeks to two weeks, saving over $500,000 and providing a more thorough audit by testing 100 percent of the payment data for all 20 counties.

CRAFTON: As Vincent mentioned, no suite of analytical tools will be able to define corruption for you. However, they can point you in the right direction. An effective anti-fraud and corruption analytics methodology is designed to get smarter over time. Each iteration of analysis will bring new tests, procedures, and review techniques to light. Knowledge gained in one country or one business unit can be applied in future analytics. Beyond the analytics, the people reviewing the results must have experience in these areas. Even with as much decision support as can be built into reports, there is no replacement for investigative experience. We use a library of over 3,000 terms in over a dozen languages developed by our investigators around the globe to help us identify issues.

SWITZER: People have trouble justifying budgets these days, so tell me, is the use of a sophisticated data analytic approach really only for large companies?
AJENSTAT: Sophisticated data analytics does not need to be a heavy, expensive implementation. In fact, instead of large monolithic systems that need developers to change the output, what you want in forensics is a more agile approach. There are tools that are highly visual—that should be one of your criteria. Another criterion should be a self-service approach. Your forensics analysts need to be able to quickly hypothesize, test, disprove—and start again. And in general, you should be suspicious of any system that requires a massive deployment before it proves itself. Look for something that can grow as your needs grow.

WALDEN: Recognizing that large, global companies doing business in the emerging market countries are at a very high risk for bribery and corruption, all companies doing business in emerging market countries should be considering anti-bribery and corruption analytics into their monitoring and compliance programs. Taking a risk-based, focused approach will help companies target where to focus these analytics—as these analytics are not intended to be run across the entire enterprise.

SWITZER: Let’s close with one example of an actual data analytics. Jared, can you share something?

CRAFTON: Sure. We had a situation where the Department of Justice had required our client to analyze nearly a million transactions for suspected bribery payments. We reviewed a sample of 2,000 transactions in detail with supporting documentation such as vouchers, invoices, and approvals which led us to identify 400 suspicious and 1,600 non-suspicious entries. Based on what we learned, we created a predictive model to identify potentially improper payments and applied it to the remaining 948,000 additional transactions, which resulted in identification of 14,000 more potentially improper payments totaling more than $8 million.
The methodology had over 95k percent confidence level and DoJ accepted this approach, which not only saved potentially thousands of hours, but also allowed for deep, timely analysis of the data. Not surprisingly, the key variable in the high-risk population of 400 payments was when the word “volume contract facilitation” or “release expense” was in the free text payment description. That is the power of a data analytic approach supported by text mining and statistical software developed for this purpose. ■

OCEG Anti-Corruption Illustrated Series

OCEG is ready to help you address the challenges that you face today. Join the thousands of individuals in the OCEG community and stay on the path to Principled Performance™.

Principled Performance™ is a management discipline that enables an organization to clearly define its principles and goals, determine how it will address risks and uncertainties, and grow and protect value. Achieving Principled Performance™ demands the clear articulation of objectives and the methods by which you will establish and stay within mandatory and voluntary boundaries of conduct while driving toward those objectives.

OPTIMIZE YOUR:
Governance: Ensure that sound governance structures are in place “below the board” so that the right information about the right issues is available at the right time.
Risk: Integrate risk management with strategic planning and maintain a view of organizational risks and effectively allocate resources to address them.
Ethics & Compliance: Establish practices and a culture to prevent misconduct, inspire desired conduct, detect problems and improve outcomes.
Finance: Reduce costs and optimize how you allocate capital to governance, risk, and compliance processes so that GRC is better aligned with the business.
Technology: Address IT compliance issues and the alignment of information technology to general GRC needs in the rest of the business.
Audit: Go beyond financial processes and assess the design and operation of controls for governance, risk management, compliance, and ethics efforts throughout the enterprise.
Legal: Identify and establish sound practices to address your legal risks and improve your ability to detect and correct issues; while improving your ability to defend the organization.
Core Processes: Embed sound GRC practices in all lines of business and core processes so that business owners and operators are accountable for GRC success.

EXECUTIVE SUPPORT AND SOLUTIONS
• Bring your management team together in the OCEG Strategy Lab with OCEG experts who can help you integrate GRC with business strategy
• Learn how to implement the OCEG Framework in your organization by working with OCEG staff and partners

RESOURCES AND TOOLS
Thousands of resources developed, collected, and organized by OCEG and shared within the OCEG Community:
• Guides and handbooks
• The GRC Illustrated Series pictorial explanations of key GRC processes
• GRC Surveys research and benchmarking reports
• Topical white papers and articles
• OCEG’s magazine presenting critical perspectives on governance, risk, compliance, and culture
• Links to key government and organizational guidance documents

EVENTS AND NETWORKING
• Opportunities to work together with peers to address GRC challenges from every angle
• Live and archived Webinars
• Exchange viewpoints and ideas

FRAMEWORKS & GUIDANCE
• Comprehensive GRC Capability Model developed and vetted by hundreds of experts and reviewed by thousands
• Searchable database of laws, regulations, standards, and guidance from many sources
• Searchable library of sound practices you can apply to address governance, risk, and compliance requirements at your organization
• Select the information you need and use it the way that works best for you through OCEG’s custom report feature

PROGRAM CERTIFICATION
• Provide assurance to the board and senior management that GRC processes are sound
• Gain external recognition of excellence

ASSESSMENTS, MEASUREMENTS, & BENCHMARKS
• Tools to evaluate your GRC processes and benchmark with peers
• Benchmarking studies and polls
• Assessment tools and processes

TECHNOLOGY COUNCIL
This group develops strategic and technical resources to help IT and business professionals improve the application of technology to GRC. Projects include:
• GRC Taxonomy™
• GRC Blueprint™
• GRC XML™
• GRC IT Roadmap™

OUR APPROACH AND CAPABILITIES ARE DISTINCT
Multiple Professions come together in ONE PLACE. YOU AND YOUR ORGANIZATION are at the center of everything that we do.

OCEG can assist you on the path to Principled Performance™ with tools and resources you can use to:
• Design and measure your GRC efforts against a business process model developed by hundreds of business, financial, legal and technology experts, and publicly vetted by thousands.
• Establish an integrated organization-wide approach to GRC ensuring the flow of consistent information.
• Benchmark your organization’s performance against peers, and participate in targeted industry research and resource development.
• Join forces with peers who are managing governance, risk, and compliance challenges from every angle.
• Do your job better, faster and more economically with the right tools.

Take back tools you can use to help your organization and your career. Learn more at www.oceg.org

PEOPLE, PROCESSES, TECHNOLOGY
OCEG is the only non-profit organization that brings you an expert executive team with backgrounds in business, legal, finance, audit, technology, research and compliance, and ethics management. Our hands-on experience provides the background and understanding to help you put principles into practice in your organization.
A collaborative, open process to develop publicly vetted standards and guidance addressing the full scope of governance, risk, compliance, and ethics management and measurement. An interactive online content portal with cross-referenced and linked resources including full-text search and custom reporting. Get what you want, how you want, and when you want it. ©2008 OCEG®

OCEG is a nonprofit think tank dedicated to helping organizations reliably achieve their objectives, while addressing uncertainty and acting with integrity. This is what OCEG calls Principled Performance, and it is a goal that every organization can achieve by integrating and aligning their approaches to the governance, assurance and management of performance, risk and compliance. Processes for achieving that integrated approach, commonly called GRC, are supported by the open source standards set out in OCEG’s Red Book GRC Capability Model. The companion set of agreed upon procedures set out in OCEG’s GRC Assessment Tools (the Burgundy Book) provides an opportunity for self-assessment and OCEG certification of the design and operation of an organization’s entire GRC capability or aspects of it as they are matured over time. OCEG offers hundreds of resources, online and live training opportunities, and a community within which individuals can continually build their skills and organizations can collaborate. Learn more at www.oceg.org.

Dealing with complex issues of fraud, regulatory compliance and business disputes can detract from efforts to achieve your company’s potential. Better management of fraud risk and compliance exposure is a critical business priority – no matter the industry sector. Our more than 1,000 fraud investigation and dispute professionals around the world bring the analytical and technical skills needed to quickly and effectively conduct financial investigations, quantify economic damages, and gather and analyze electronic evidence.
Working closely with you and your legal advisors, we assemble the right multidisciplinary and culturally aligned team, and bring an objective approach and fresh perspective to these sensitive and contentious situations – wherever you are in the world. And because we understand that, to achieve your potential, you need a tailored service as much as consistent methodologies, we work to give you the benefit of our broad sector experience, our deep subject matter knowledge and the latest insights from our work worldwide. It’s how Ernst & Young makes a difference. Learn more at www.ey.com/FIDS.

With over 900 attorneys and 56 offices, Littler Mendelson is the largest U.S.-based law firm exclusively devoted to representing management in employment and labor law matters. A centerpiece of Littler’s practice is our ability to help employers take preventive measures to avoid costly litigation and administrative penalties, while improving productivity and helping to build a workplace of mutual respect. These efforts not only make good business sense, they come at a time when companies are under intense scrutiny, coping with added responsibilities and new workplace requirements, which are being vigorously enforced. The culture of a workplace is an important source of value for every organization. At Littler, we believe that each time an employee makes a decision for the organization, that decision should be made according to the employer’s values, principles, and strategic objectives. Littler’s corporate compliance attorneys have the experience to assist clients in developing corporate compliance and ethics programs that build and protect value, engage employees, and help avoid costly legal expenses.
Our Corporate Compliance and Ethics Group provides a number of services that fall into the following areas: creating programs, analyzing risk, program evaluation and assessment, policy and procedure development, training and education, investigations, and employment law compliance auditing. Learn more at www.littler.com.
For more than 25 years, SAI Global Compliance has provided hundreds of organizations with a wide range of governance, risk and compliance (GRC) products, services and technology that help build organizational integrity and effectively manage compliance risk. We are the only GRC company in the world that understands the complexity of building compliance effectiveness and delivers: (1) highly customizable learning and communication courses and tools on a leading LMS, (2) third party risk management including automated third party due diligence questionnaires, automated risk scoring and analytics, and training and certification, and (3) the integration of multiple GRC functions including hotline, ethics reporting, policy management, gifts and entertainment registers, conflicts disclosures, surveys and assessments, and audit management – all with dashboard reporting to trigger needed activity, and supported by an in-house advisory services team for Code of Conduct design and development, benchmarking, risk assessments, program effectiveness reviews, and policy advice. Our SaaS-based Compliance 360® GRC Software Suite received the highest scores for customer satisfaction among all vendors included in the 2011 “The Forrester Wave™: Enterprise Governance, Risk and Compliance Platforms, Q4 2011,” published by Forrester Research, Inc. Learn more at www.saiglobal.com.
The Thomson Reuters Governance, Risk & Compliance business delivers the most comprehensive suite of solutions designed to empower audit, risk and compliance professionals, business leaders, and the Boards they serve.
Our business provides intelligent information, premium software, and world class professional services that enable organizations to reliably achieve business objectives while addressing uncertainty and acting with integrity. Through the Thomson Reuters Accelus suite, the GRC business brings together Thomson Reuters market-leading solutions for global regulatory intelligence; financial crime; anti-bribery and corruption; enhanced due diligence; compliance management; internal audit; e-learning; risk management; and filing, board of director and disclosure services. Thomson Reuters Accelus is the combination of proven, best-in-class technologies and services with the common goal of managing business risk and driving business value. As a comprehensive suite of solutions built to address the GRC challenges of legal, compliance, audit, and risk management professionals, Thomson Reuters Accelus connects the capabilities of the heritage businesses of Complinet, World-Check, Paisley, Oden, Westlaw Compliance Advisor, and EDGARfilings. This powerful, connected suite of solutions addresses the goal of integrated GRC by delivering proactive insight into legal and regulatory changes, dynamically connecting intelligent information with business experts, and empowering informed choices by providing greater visibility and transparency into business risk. Learn more at www.accelus.thomsonreauters.com.
Tableau Software helps people see and understand data. Tableau’s award-winning software delivers fast analytics, visualization and rapid-fire business intelligence on data of any size, format, or subject. The result? Anyone can get answers from data quickly, with no programming required. From executive dashboards to ad-hoc reports, Tableau lets you share mobile and browser-based, interactive analytics in a few clicks. More than 7,000 organizations, including some of the world’s largest enterprises, rely on Tableau Software.
See how Tableau can help you by downloading the free trial at www.tableausoftware.com/abc-analytics.