Anti-Corruption Efforts - What Businesses Need To Know

Instituting a vigorous anti-corruption program certainly can appear daunting, but inaction poses the biggest risk of all. In today’s world, poor risk management can be closely correlated with an ineffective program for managing agents and third parties.
Executives at US corporations and private equity firms certainly understand that bribery of foreign officials is illegal under the Foreign Corrupt Practices Act (FCPA), yet a surprising number of these companies still lack rigorous mechanisms to ensure FCPA compliance.
The same executives may be less aware of other recent developments that strengthen the trend towards stricter anti-corruption measures and more consistent enforcement of anti-bribery statutes.
Most significant among these is the anti-bribery legislation introduced in the UK in April 2010, which goes even further than the FCPA in the requirements that it imposes on companies.
The new law exceeds previous standards by criminalizing bribery of both government officials and employees of private entities, by making the failure to prevent bribery a criminal act, and by holding directors responsible for the actions of their companies. Beyond the US and the UK, countries such as Ghana and Nigeria have begun to actively enforce their own long dormant anti-corruption statutes. Therefore it is clear that the will to prosecute corruption is growing around the world, and the need to implement appropriate programs to meet these new regulatory challenges is greater than ever.
The value of proactive engagement
In light of the new, more stringent requirements, executives and board members should consider a comprehensive evaluation of their companies’ approaches to the FCPA. Many companies lack basic review processes and even those that have attempted to address the issue may have procedures that are haphazard or poorly coordinated between business units. Too often, companies only develop a set of world-class best practices after an FCPA investigation. Far rarer is the company that proactively ensures that its procedures and processes are as robust as possible before being forced to do so.
As of late 2009, there were a reported 150 cases under active investigation by the US Department of Justice or the US Securities and Exchange Commission. Facing a DoJ or SEC investigation into alleged bribery is likely to be time-consuming and costly, and could lead to jail time for those involved.
In an effort to spread the Department’s tough-on-crime message, Mark Mendelsohn, the DoJ official responsible for FCPA issues at the time, told a Bar Association panel in September 2008:
“The number of individual prosecutions has risen and that’s not an accident. That is quite intentional on the part of the Department. It is our view that to have a credible deterrent effect, people have to go to jail. People have to be prosecuted where appropriate. This is a federal crime. This is not fun and games.”
Aside from the very real possibility of jail time for executives, companies can face stiff civil penalties, disgorgement of profits, and vast legal bills, as well as reputational harm, downgrading by rating agencies, and the loss of the right to participate in US government or international tenders. The German company Siemens serves as the primary example of the steep costs of violating the FCPA.
In 2006, Siemens became embroiled in a massive corruption scandal stemming from its payment of over $1.4 billion in bribes to secure government contracts in numerous countries and wound up paying over $1.6 billion in fines to settle the case. Siemens also faced a $100 million fine from the World Bank and paid more than $850 million in remediation costs to lawyers, accountants, and other consultants as part of the investigation.
While this represents the high end in terms both of costs and FCPA fines, multi-million dollar penalties are now typical and come with commensurate legal fees.
Following convictions or deferred prosecution agreements, DoJ-appointed monitors - in many cases former prosecutors - often oversee companies’ revamped compliance efforts and can be both costly and intrusive. Monitors can serve for up to three years and have cost companies as much as $50 million.
In addition, companies frequently face civil actions in the wake of FCPA cases. These follow-on cases are likely to take the form of class action suits, may be directed against company directors, and can do direct harm to company interests. In May 2009, Sun Microsystems disclosed via an SEC filing that it was the subject of shareholder lawsuits arising from an FCPA infraction. The lawsuits were filed just as Oracle was trying to close a deal to acquire Sun, and delayed the transaction.
Given the potential burdens on executives’ time, fines, possible jail sentences, the imposition of a monitor, and shareholder lawsuits, the arguments for companies having their anti-corruption house in order are highly compelling. Undertaking a thorough review of company procedures before an FCPA-related tsunami strikes is prudent and could yield large savings.
According to James Parkinson, a partner at Mayer Brown who specializes in FCPA issues: “There is no substitute for knowing your risks. Getting to the point of properly characterizing your company’s risks requires a searching review and a discipline to achieve, but will yield significant rewards as preventative medicine.”
Assessing internal anti-corruption practices
So where should a company begin? The following five general questions provide a starting point for companies attempting to ensure that they have a sufficiently robust anti-corruption framework. Any company that can answer all five affirmatively has achieved a set of best practices in the anti-corruption arena.
1. Does the company have an ingrained anti-corruption culture?
For example, many companies institute driving rules for employees, such as remaining strictly within speed limits and refraining from cell phone use when driving. Mandating adherence to speed limits is part of the companies’ commitment to safety; company personnel know they must obey speed limits at all times with 100-percent consistency regardless of where they may be in the world. Similarly, getting employees at all levels to understand that there is zero tolerance for corruption is a good first step. At a practical level, employees throughout the company need to be thinking about anti-corruption issues on a day-to-day basis and to be staying alert for “red flags”.
2. Is there a top-driven approach to anti-corruption?
Executives need to lead by example and the correct tone from the top is essential. Messages and signals from above shape employee conduct, and strong and consistent indications that the commitment to anti-corruption is more than a box-checking exercise will significantly improve adherence to company policy. Everyone needs to understand that anti-corruption efforts are designed to protect the overall reputation and well-being of the company. Board-level oversight sends the right message to business units and can be communicated through regular emails, speeches, company newsletters, and incentive programs.
3. Does the anti-corruption effort have a central focal point that drives policy and ensures coordination?
Developing an effective approach to mitigating corruption risk requires practice and expertise. Having a centralized hub allows for consistent standards across the company as well as specialized knowledge that can be readily shared with various business units. Does a single individual vet each relationship which the company enters into or provide clear cross-company guidance? Business development, legal, compliance, human resources, and audit units can all play roles in anti-corruption activities. Given the differing vantage points of each functional area, it is critical that they closely coordinate and that someone in the company sets overall policy.
4. Are anti-corruption standards consistent across the company?
A company’s effort to mitigate corruption risks can only be as strong as its weakest safeguards. As companies transfer decision-making down to individual business units, anti-corruption policies and procedures can diverge and create vulnerability to prosecution. In the event of a problem, strong practices in one division will provide no defense for substandard practices in another.
5. Have existing relationships received the same level of anti-corruption scrutiny as new relationships?
Another dimension of consistency involves subjecting relationships to a uniform level of scrutiny, regardless of when the relationships were formed. Long-standing ties established when anti-corruption statutes were of lesser significance should not be automatically “grandfathered in” and companies should apply the same standards retroactively as well as prospectively in order to identify points of vulnerability.
An Achilles heel
The principles outlined above represent a set of best practices at the very general level. On a day-to-day basis, front-line defense needs to focus on ongoing relationships with agents and third-parties. For companies eager to proactively bolster their defenses in advance of an FCPA investigation, a review of dealings with agents and third parties is almost certainly the best place to start.
The foreign agents and other third parties on which many international companies rely present the most likely source of corruption-related problems. As enforcement efforts have increased, those seeking corrupt payments correspondingly have become more sophisticated, making it incumbent on companies to develop a robust understanding of their third-party relationships.
David Burns, a partner at Gibson, Dunn & Crutcher LLP in Washington, DC who focuses on FCPA investigations and compliance counseling, views a company’s third-party relationships as “without a doubt the single biggest corruption risk for any multinational organization. No matter how strong your own compliance culture and internal controls, if there is anything less than stringent diligence and ongoing monitoring of your business partners, your organization will be at the mercy of the ethics of others”.
Common warning signs
All agent and third-party relationships should flow through a framework that places the prospective relationship into low-, medium-, or high-risk categories. Not all situations will require the same degree of scrutiny and the necessary amount and rigor of due diligence will depend on where the proposed agent or third-party is based and what is expected of them. For example, working with an agent in Sweden who is representing a company selling entirely to private sector customers would obviously be a low-risk activity from an anti-corruption perspective. By comparison, engaging an agent to sell medical devices to the Ministry of Health in Nigeria would rank as a (very) high-risk activity.
The most important single factor in deciding how much due diligence to apply is the agent or third-party’s geographical locale. While corruption certainly happens in developed countries, Transparency International’s Corruption Perception Index is a good indicator of the places where companies need to be especially alert.
As reflected in the Index, Nigeria, Angola, Egypt, Iraq, Russia, Ukraine, China, Indonesia, Vietnam, and Honduras offer particularly perilous operating environments.
In low-risk environments, media reviews and basic reference checks are sensible safeguards. In medium-risk environments, companies should have a process in place for checking regulatory filings, legal records, and local language media to gain insight into the background and trustworthiness of local agents.
In high-risk environments such as China or Nigeria, however, a higher level of vetting is necessary. As one anti-corruption expert once noted, China offers 1 billion opportunities to violate the FCPA every day.
In this high-risk category, companies need to have in place a special set of procedures. Generally, only those companies that have already been through the maelstrom of an FCPA investigation deploy the truly rigorous approaches that are necessary. Siemens now employs some 500 in-house compliance staff to monitor the company’s anti-corruption efforts and third-party relationships. Others operate on a far leaner, and perhaps more effective, footing. In high-risk instances, best-in-class companies engage accounting or risk advisory firms with sophisticated capabilities to vet agents and third parties.
Following Ronald Reagan’s old adage “trust but verify” is a good rule-of-thumb. In places such as Angola, Iraq, or Vietnam, weak public record systems may not reveal much of value from an anti-corruption perspective. Relying on media can also be dangerous in high-risk jurisdictions, since press coverage may be limited or journalists may be unwilling to report negatively on well-connected local figures. In such instances, independently-sourced information is probably a company’s best line of defense.
Looking across the three levels of due diligence on agents and third parties, companies should aim to have a thorough file for each relationship. Best-in-breed companies require someone within the company to take ownership of the relationship and to shepherd the prospective agent through the company’s vetting process.
Explaining to each prospective agent or third party that the company engages in rigorous due diligence across the board should minimize prospective agents’ offense at all the questions they will be required to answer. Ultimately, only those with something to hide will be unwilling to respond to a questionnaire or to participate in the due diligence process.
Once the vetting process is complete, each relationship should have a contract with appropriate representations and warranties. However, simply obtaining a signature on a contract may not be good enough should a problem arise. The DoJ and FSA will likely want to see what proactive steps a company took to verify the information provided. When faced with an inquiry, a company may find itself on much stronger ground if it had a solid process in place.
Providing anti-corruption efforts with sufficient resources
In many companies, compliance teams have limited budgets or depend on business units to fund due diligence costs. For example, one major defense contractor’s FCPA compliance team recently bemoaned the fact that a basic background check carried out by the Foreign Commercial Service (FCS) of the US Department of Commerce costs $900 per check.
Compared to the costs associated with an FCPA violation, the fact that the compliance team viewed this as a significant expense is very telling about the company’s priorities.
Furthermore, in low- and medium-risk countries, an FCS check run from a US Embassy can be a helpful component of the due diligence process and represents good value for money, although quality may vary from embassy to embassy. In high-risk situations, however, companies would be prudent to request an independent assessment from a risk management firm.
A solid agent vetting report that makes use of human source-based information is likely to cost in the region of $15,000 to $20,000 and a detailed due diligence report on a potential acquisition can cost twice as much, but such sums are minuscule compared to the costs of an FCPA case. Companies that are serious about anti-corruption due diligence will view such costs in the proper context and provide their compliance teams with adequate and independent budgets that allow for proper professional due diligence using both in-house and independent resources.
Vetting established relationships
While taking on board new agents and third parties will require a realistic budget, companies also need to revisit and monitor established relationships. This is a daunting but feasible task that requires discipline and may benefit from specialized assistance. For example, one large industrial company categorized its more than 7,000 third-party relationships according to a risk matrix and engaged an independent provider to carry out due diligence on those in the high-risk category - thereby contributing to a complete database of its existing relationships - and to assess all future relationships.
Bringing due diligence files up-to-date in such a manner can be costly and time-consuming but provides companies with a high measure of confidence and ensures a consistent approach to the management of external relationships. Subjecting all established relationships to periodic reviews every two years or following any major change is also a prudent practice.
Conclusion
The vast majority of companies that run afoul of FCPA and related laws get in trouble because they lack a set of procedures to identify the corrupt individuals within their ranks. Their procedures are not sufficient to see the warning signs that typically are noticeable. Adequate procedures likely would have raised the alarm for Siemens and possibly could have prevented the severe financial penalties that followed.
Instituting a vigorous anti-corruption program certainly can appear daunting, but inaction poses the biggest risk of all. In today’s world, poor risk management can be closely correlated with an ineffective program for managing agents and third parties. The first steps are to acknowledge the need for such a program and then to break down a company’s activities into a risk matrix.