Thursday, 23 February 2017

Should I get my anti-bribery program certified? Is it worth it?

It’s been four months since the ISO 37001 Anti-Bribery Management Systems document was published. 

It is not only very new, but also questioned in terms of its value and importance.

It is a fundamental change that we finally have an international standard against which we can certify our anti-bribery program. You ask me why? I tell you that ISO 37001 can help your organisation not only to achieve high standards and stronger compliance, but also to strengthen its reputation.

In short, ISO 37001 certification can support you in:
  • Building a holistic program and accurate documentation that is continually improved at all levels and across all functions of the organisation
  • Becoming first-to-market with certification in your country or industry
  • Creating a strong mitigating factor for an organization in the event of a government action
  • Ensuring that your program meets the Federal Sentencing Guidelines’ requirement of an effective compliance and ethics program


Why is bribery so widely discussed?

Bribery is a widespread phenomenon. It raises serious social, moral, economic and political concerns, undermines good governance, hinders development and distorts competition. It erodes justice, undermines human rights and is an obstacle to the relief of poverty. It also increases the cost of doing business, introduces uncertainties into commercial transactions, increases the cost of goods and services, diminishes the quality of products and services, which can lead to loss of life and property, destroys trust in institutions and interferes with the fair and efficient operation of markets (source: ISO 37001).


What do governments do about it?
Governments have undertaken a number of activities to address bribery through international agreements such as the Organization for Economic Co-operation and Development Convention on Combating Bribery of Foreign Public Officials in International Business Transactions and the United Nations Convention against Corruption. Apart from that, there are a number of national laws that set requirements and obligations on this issue. In most jurisdictions, it is an offence for individuals to engage in bribery and there is a growing trend to make organizations, as well as individuals, liable for bribery.

What can organisations do about bribery?
The law alone is not sufficient to solve this problem. Organizations have a responsibility to proactively contribute to combating bribery. This can be achieved through anti-bribery compliance programs and strong compliance cultures.
ISO 37001 sets the tone for a proper management system to mitigate bribery risks. This document provides guidelines on the structure for establishing a culture of integrity, transparency, openness and compliance. The nature of an organization's culture is critical to the success or failure of an anti-bribery management system. This document reflects international good practice and can be used in all jurisdictions. It is applicable to small, medium and large organizations in all sectors, including public, private and not-for-profit sectors. The bribery risks facing an organization vary according to factors such as the size of the organization, the locations and sectors in which the organization operates, and the nature, scale and complexity of the organization's activities. This document specifies the implementation by the organization of policies, procedures and controls which are reasonable and proportionate according to the bribery risks the organization faces. Conformity with this document cannot provide assurance that no bribery has occurred or will occur in relation to the organization, as it is not possible to completely eliminate the risk of bribery. However, this document can help the organization implement reasonable and proportionate measures designed to prevent, detect and respond to bribery. (based on ISO 37001)

What is the key to being compliant?

A well-managed organization is expected to have a compliance policy supported by appropriate management systems to assist it in complying with its legal obligations and commitment to integrity. An anti-bribery policy is a component of an overall compliance policy. The anti-bribery policy and supporting management system help an organization to avoid or mitigate the costs, risks and damage of involvement in bribery, to promote trust and confidence in business dealings and to enhance its reputation.

Wednesday, 22 February 2017

What is the lesson from HSBC's latest transgression?

What is the best way to strengthen the control environment in your organisation? Many say that the antidote is to set a ‘tone at the top’.

While it is definitely a key and necessary element, it will not cure your organisation. The example of HSBC is vivid.

The Wall Street Journal says in today’s report:

HSBC Holdings PLC is under yet another investigation for failures in its anti-money-laundering compliance program, several high-profile hires apparently haven't changed the bank's culture. HSBC's chief executive said, for his part, that the monitor "has raised certain concerns" but the bank has continued its progress on implementing reforms. "By the end of this year, we are on track to have our anti-money laundering and sanctions policy framework in place and to have introduced major compliance IT systems across the group," he said.

What are the facts? Although HSBC has hired, among others, former top U.S. officials Stuart Levey and Jennifer Shasky Calvery, this has not altered the whole organisation or changed its course. The captain is key to the boat, but it is the crew that really sails it.

What is the lesson from HSBC's latest transgression?  It is not enough to change compliance culture at the hands of a monitor enforcing a legal settlement. It has to be done in a way that conveys substantive change, and not merely to fend off authorities.


Ross Delston, a Washington, D.C.-based independent anti-money-laundering expert, says: "That's been the tendency of multinational banks of late: Wait out the monitor or the [timing] of the enforcement action, and then go back to what they were doing before."

Tuesday, 14 February 2017

Do you still think compliance is expensive?

It is not easy to provide training on anti-bribery and competition law. You probably also say how important it is to be compliant and that investment in a strong and solid compliance program is needed.

You are quite right! However, you need a hook to attract the attention of your audience. There are a lot of dramatic stories of companies losing money or reputation, or of people being fired because of misconduct. Use them! Your speech will be far more tangible! Below is the most recent one.



“Rolls earnings hit by bribery charges. Rolls-Royce Holdings PLC on Tuesday said it swung to a full-year net loss of £4.03 billion ($5.05 billion), stung by a settlement over corruption charges, the fall in the British pound and setbacks on high-profile aircraft engine programs, the WSJ reports. Rolls-Royce, best known for making engines for Boeing Co. and Airbus SE’s long-range planes, reported a £83 million profit the year before.” WSJ, Risk & Compliance Journal, 14 February 2017.



Just a reminder…

What is bribery?
•    Bribery is defined as giving someone a financial or other advantage to encourage that person to perform their functions or activities improperly or to reward them.
•    Bribery can take many forms
•    Bribery can be direct or indirect (bribery paid on your behalf)
•    But there is a full defense if we can show we had adequate procedures in place to prevent bribery.

The relevant legislation
Bribery Act 2010 (UK)
•    Bribing a foreign public official or bribing a UK official, commercial bribes, requesting/receiving bribes
•    A company’s failure to prevent bribery also constitutes a criminal offence, a defence to which is available if the company can demonstrate that it has adopted "adequate procedures" to combat bribery and corruption risks
•    Facilitation payments are included within the definition of a bribe and prohibited
•    Corporate hospitality could be bribery; however, ‘reasonable and proportionate hospitality which seeks to improve the image of the company’ is not penalised
Foreign Corrupt Practices Act (FCPA) 1977 (US)
•    Prohibits payments to foreign government officials to obtain or retain business
•    Includes dealings with individuals who belong to administrative functions in government, state owned enterprises, political candidates and parties and public international organisations
•    Significant prosecution success
•    For non-US-listed companies, the trigger is whether any conduct took place in the US (a conference call with a US subsidiary is sufficient)
Spanish Criminal Code 2010 (Spain)
•    Bribing a foreign public official or bribing a Spanish official, commercial bribes, requesting/receiving bribes and corporate failure to prevent bribery are all specific offences

Monday, 13 February 2017

465 days to GDPR

From May 2018 a new data protection law, the General Data Protection Regulation (GDPR), will apply throughout the EU. The GDPR introduces a number of significant changes, including a step change in sanctions with fines of up to 4% of annual worldwide turnover. There is more than a year remaining before the GDPR is implemented, and the changes needed to comply with it are significant.



Consider the steps below to get your organisation ready for this!

Steering Group
Organise a Readiness Steering Group that will lead the organisation and all its functions in implementing the GDPR. It should be chaired by the General Counsel and include attendees from group companies and/or all functions. Consider engaging data protection specialists from a law firm to help develop a compliance plan.

Workshops and detailed gap analysis
Plan a series of workshops during the first half of the year to obtain input from each of the functions about their current data collection, processing and compliance processes. The workshops, along with other information submitted by each function (such as existing procedures), will be used to complete the findings of a detailed gap analysis by end of June. Remind your colleagues that each function will remain responsible throughout for the allocation of appropriate resources to prepare for GDPR compliance based on its gap analysis.

Implementation Plan
The Steering Group will further work with each function to finalise an implementation plan by end of the year, taking into account the operational and cost implications of the options available for becoming GDPR compliant. The implementation plan and the work to deliver it should be monitored and reported on by the Steering Group.

Approach to be taken

While the primary objective of the project is to enable compliance with the GDPR, the Steering Group should be conscious of the need to take proper account of commercial objectives and, where possible, should also use this as an opportunity to deliver synergies and improvements by taking a consistent approach across your organisation!

Remember business is first!

Read more on GDPR http://www.eugdpr.org/


Sunday, 12 February 2017

Let it grow...



In his great book, Antifragile: Things That Gain from Disorder, Nassim Nicholas Taleb warns us against doing things too fast. He says that, just as Mother Nature needs time to grow a tree, we need to be patient and let things grow.
If you think that has nothing to do with the compliance job, think about the effective implementation of compliance programs. The nature of business is fast, ever-changing and very dynamic. You need to react proactively and very rapidly in order to satisfy your management board with the appropriate program.
On the other hand, you need time … to learn all the laws and regulations, to validate and assess all risks and related possible disorders, and finally … you need to prepare a good program and all the ‘marketing’ around it.

This is what you need to achieve your goals:

Step 1. Appoint a reliable compliance program owner – you need a person with the right attitude and knowledge, so that he/she can act independently once the program is in force

Step 2. Form a working group – don’t even think of acting alone! You need buy-in from the business, process owners, colleagues from the Law or Audit Departments, etc.

Step 3. Identify “core elements” – draft a plan, be ready to present how you want to accomplish your goal and how the business will benefit from this. You don’t need to be very specific yet. It is time to frame your thoughts and prepare others for changes.

Step 4. Create a compliance program document – now it’s time to work with the whole group on the complete and holistic program. Think about program objectives, list all related risks and how you plan to mitigate them, plan all actions, ideally think of an annual plan as well as 3-year goals. List all the resources you need and never forget to complete your program with a governance framework. You need to know at the very beginning what governance bodies you need, how issues will be escalated and who will take care of what. This will take you some time, but it’s ok; remember that a flower does not grow faster just because someone sets it an unrealistic deadline… A flower, like a tree, needs time, and you need time as well to be ready for the next step.

Step 5. Roll out the program – Mother Nature teaches us not only that plants need time to grow; she also teaches us that to stay alive they need to be cared for. Your program will need that care as well. You need to stay focused on your objective, monitor how you progress, regularly train people, alter your plans if there is a need, and report back your progress.


Step 6. Keep it rolling – once your program is in place, don’t think that your job is done. It is time to celebrate the achievement, for a while … and get back to work, which is even more complicated. From now on you will no longer have that managerial focus on the program itself. It will require very organised and systematic work to constantly develop policies, stay up-to-date on regulatory changes and refresh the compliance program and its measurements. It might be that after a while you will need to change the whole thing completely and replace it with something new. This is again Mother Nature’s approach. Once the time comes, a tree or flower fades away, and there is a place for a new plant.

Saturday, 4 February 2017

Get it right from the start

We often hear from top management that what they want is to build a ‘good’ corporate culture. What does it mean though? What would you advise them to do to bring ‘good’ corporate culture into your organisation?

Hard to say… Corporate culture is very individual. It is basically the whole collection of things, behaviors, plans and ways of interacting with business partners that determines how the business model is run.


It is a truism that corporate culture should support making ‘good’ business decisions. Again, the question is how, and which decisions?

If your goal is to earn big money in a short time, you need to take fast actions, take on risky projects and stretch your resources. Your culture will be based on the values of hazard, speed, and greed. If you concentrate your objectives only on money, you will look for easy ways of making it. It can bring you benefits in the form of € in your bank account; however, what really happens in a culture of speed and rush is STRESS.

“When stress is the basic state of mind, even good things stress us out. We have to learn to let go.”
― Sakyong Mipham, Running with the Mind of Meditation: Lessons for Training Body and Mind
To build a ‘good’ culture we should first understand what is not good for our organisation. Isn’t it too much to take lessons from a Tibetan lama? I truly believe it is not too much. Taking lessons from people who have achieved balance and wisdom can only benefit you as a person and your organisation.

Why is that? First of all because they do concentrate on values: love, hope, care, sagacity. Second of all, because they do not focus on ‘me’ but on others.
“The wise are balanced, and the foolish are extreme.”
― Sakyong Mipham, Running with the Mind of Meditation: Lessons for Training Body and Mind

If you want to create a ‘good’ corporate culture, it is essential that you concentrate all your efforts and your resources on the act of creation. It will never work if you only engage partially.
“In the modern culture of speed, we seem to not do anything fully. We are half watching television and half using the computer; we are driving while talking on the phone; we have a hard time having even one conversation; when we sit down to eat, we are reading a newspaper and watching television, and even when we watch television, we are flipping through channels. This quality of speed gives life a superficial feeling: we never experience anything fully. We engage ourselves in these activities in order to live a full life, but being speedy”
― Sakyong Mipham, Running with the Mind of Meditation: Lessons for Training Body and Mind

Good and solid corporate culture is about promoting good and solid activities and achievements. It is all about MAKING GOOD THINGS INSTINCTIVELY.

Bear in mind 3 key elements and promote them.
Keep the ball rolling, and cultivate values in whatever you do. Others will follow you.