“Compliance” has been a buzzword for some time now. Every business knows that it needs to comply with a myriad of rapidly evolving legislation, anti-bribery laws among them.
The first question is – has anything been done about compliance within the organisation?
The second question is – has enough been done?
Has the implementation of an anti-bribery compliance program been a simple “paper exercise”, or is it specific to the organisation and industry, proportionate, risk-based and regularly reviewed?
In its Operational Handbook, the UK Serious Fraud Office sheds some light on the key factors it considers in assessing the effectiveness of an organisation’s compliance program as part of an investigation.
Who is the Serious Fraud Office?
The Serious Fraud Office (SFO) tackles large-scale fraud, bribery and corruption in the UK, acting as both investigator and prosecutor.
The SFO was created and given its powers under the Criminal Justice Act 1987 and was established in 1988. With a strong international focus, the SFO collaborates with overseas jurisdictions to effectively disrupt criminal groups and assists them with their investigations.
Investigators obtain information using a variety of sources and methods including voluntary disclosures and interviews, compelled disclosure of documents or information, witness interviews and, in some cases, suspect interviews.
Why does the SFO assess compliance programs?
Compliance program assessment helps to inform decisions in any case involving an organisation, including determining:
- Is a prosecution in the public interest?
- Is a Deferred Prosecution Agreement (DPA) appropriate?
- Sentencing considerations.
- Does the organisation have a defence of adequate procedures to prevent bribery?
What does an “effective” compliance program look like?
There is no one-size-fits-all approach to developing an effective anti-bribery compliance program. Larger firms may need to establish a dedicated compliance department, whilst smaller companies may only need to have one key person whose role has a significant focus on compliance.
Other considerations include the nature of the business, who it deals with, and in which countries.
How does the SFO conduct assessments?
The SFO looks at time periods relevant to decisions, and is guided by six key principles when conducting assessments.
Time periods considered
- What was the state of the compliance program at the time of offending? For example, if a bribe was committed, did the organisation at that time have “adequate procedures” in place designed to prevent its staff and associates from engaging in such conduct?
- What is the current state of the compliance program? Since the wrongdoing, has the organisation proactively strengthened its compliance program in an effective way? This can influence whether a DPA is deemed appropriate, as well as sentencing considerations.
- How could the compliance program change going forward? Even if the organisation does not yet have a fully effective compliance program, a DPA can include terms that impose further improvements.
The “Six Principles”
In 2011, the UK Ministry of Justice published statutory guidance under the Bribery Act to help organisations understand what procedures they can put in place to prevent bribery committed by their “associates”. Its principles provide the SFO with a general framework for assessing compliance programs.
Principle 1: Proportionate Procedures
A compliance program needs to be proportionate to the bribery risks an organisation faces and to the “nature, scale and complexity of the commercial organisation’s activities.” The first step is therefore conducting a risk assessment to accurately determine the risks.
Principle 2: Top Level Commitment
Is top-level management committed to preventing bribery and fostering a culture of compliance? This includes overseeing the risk assessment, being involved in critical decisions, and the selection and training of senior managers to lead anti-bribery work.
Principle 3: Risk Assessment
As an organisation evolves, so will the bribery risks it faces. Risk assessments therefore need to be “periodic, informed and documented.” Policies and procedures should evolve in line with the ongoing risk assessments.
Evolving risks may be either external or internal, for example:
- External risk: A new business opportunity that involves a country which is high-risk for bribery and corruption.
- Internal risk: The introduction of a new “bonus” system which may encourage risk-taking.
Principle 4: Due diligence
The organisation needs to apply due diligence procedures in respect of anyone who will perform services for or on behalf of the organisation. This includes employees, intermediaries, vendors and other business entities.
Mergers and acquisitions are highlighted as being relationships which carry “particularly important due diligence implications.”
Principle 5: Communication (including training)
Bribery prevention policies and procedures should be embedded and understood throughout the organisation through internal and external communication, including training. This may be extended to third parties such as associates.
Principle 6: Monitoring and Review
Anti-bribery procedures should be monitored and reviewed, with improvements made where necessary. Methods used may include internal and external audits, staff surveys and other measures.
It is more important than ever for companies of all sorts to develop effective anti-bribery programs. Off-the-shelf solutions will not suffice, however. It is essential for each company to develop a tailored program that is specific to its business and operations, and that is regularly reviewed in line with ongoing risk assessments.