Enforcement authorities across the globe are placing an increased emphasis on the importance of establishing robust and risk-based corporate compliance programs. While the precise formulation and detail of the guidance issued varies, for example, under the US Sentencing Guidelines, the official guidance relating to the UK Bribery Act, or the Good Practice program guidelines endorsed by the Organization for Economic Co-operation and Development, there are key themes that are common to all. Baker McKenzie has distilled those key themes into the following five essential elements of corporate compliance:
Leadership, Risk Assessment, Standards and Controls, Training and Communication, and Oversight
Introduction – Today’s Compliance Environment
In business, trust is the glue that binds employers to employees, customers to companies, and companies to suppliers, regulators, governments and partners. Yet several years after the financial crisis, efforts to rebuild trust are ongoing. Clients, customers, employees, and stakeholders around the world now demand greater transparency and ethical behavior from businesses with which they are engaged. Companies and regulators alike are seeking to restore trust in industries, products and services, and government. An effective compliance program is a fundamental tool in a company’s ability to build trust. Maintaining a strong corporate compliance program designed to help prevent corporate officers, employees and third-party agents from engaging in illegal practices such as bribery, collusion, and fraud sounds simple enough. In reality, it’s extremely challenging. Government authorities around the world are steadily raising expectations with respect to the comprehensiveness of corporate compliance programs, expecting robust policies, procedures, and controls not only for anti-corruption, but also for trade, antitrust, data privacy, and anti-money laundering compliance (among other areas). Furthermore, today’s multinational companies operate in a highly competitive environment in which they have thousands of employees, multiple business partners and extensive operations throughout the world, including in emerging markets where the rules of public and commercial engagement often differ significantly from what they are used to at home.
In China, for example, foreign multinationals do most of their business with state-owned or state-operated companies, which can get them into trouble under the anti-corruption legislation of various countries, including the prohibition in the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act and the Brazil Clean Company Act against making improper payments to foreign officials. In Russia and Nigeria, a foreign company may find it challenging to get its products into the country without bribing customs officials. And in Brazil and Indonesia foreign companies may have difficulty winning public bids without paying someone to shape the request for proposal in their favor. Companies with headquarters outside the US must also be aware of a significant trend toward enforcement by US, European, and Asia-Pacific enforcement agencies (such as the US Department of Justice, the UK Serious Fraud Office, and the Australian Federal Police) against companies in Eastern Europe, Latin America, Asia, and Africa. In fact, of the 10 largest FCPA settlements, only two involve US companies, with the rest being foreign multinationals, a number of which had no shares or debt registered in the US.
ENFORCEMENT & EXPECTATIONS
Despite the impact of globalization on the business landscape, enforcement officials aren’t giving companies any breaks for improper behavior. In fact, the dramatic increase in global anti-corruption investigations has been accompanied by the rising cost of enforcement actions, an emergence of more aggressive cross-border cooperation in multi-country government investigations, and an increasing risk of prosecution faced by individuals. These days, a Brazilian subsidiary of a US company that comes under investigation by Brazilian authorities will likely also receive a subpoena from the US government. Further, non-US anti-corruption enforcement has seen a noticeable increase in recent years – a trend likely to continue as countries around the world enact robust anti-bribery legislation to meet rising global expectations regarding anti-corruption enforcement. With the stakes so high, where should companies making compliance a priority look to ensure their compliance programs meet regulators’ expectations? The answer to that question has become increasingly complicated. The gold standard for what types of rules, protocols, communications and oversight a company must have in place in order to meet best practice compliance program requirements used to be contained in the US Sentencing Guidelines’ (USSG) “Seven Elements of an Effective Compliance Program,” originally published in 1991. Since then, however, those guidelines have been revised numerous times and other country-specific and international standards have been added to the equation. A major development with respect to compliance program best practices occurred in November 2012, when the US Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC) jointly released their aptly titled A Resource Guide to the U.S. Foreign Corrupt Practices Act.
The Resource Guide, a must-read for US and global anti-corruption practitioners and compliance officers, addresses a wide variety of topics related to the US agencies’ enforcement of the FCPA. Significantly, the Resource Guide provides direction on the hallmarks of an effective corporate compliance program and the best practices that the DOJ and the SEC expect companies to deploy when developing and maintaining a compliance program. When assessing a compliance program, the Resource Guide asks three key questions: (1) Is the program well designed? (2) Is it applied in good faith? and (3) Does it work? Importantly, the Resource Guide warns against paper tiger programs, which are often accompanied by assurances of efficacy, but in practice fail to demonstrate program effectiveness. Similarly, the global compliance landscape has evolved significantly in the past several years. In 2010, the Organization for Economic Co-operation and Development (OECD) released its “Good Practice Guidance on Internal Controls, Ethics, and Compliance.” A year later, the UK Ministry of Justice published six principles for “adequate procedures” following the enactment of the UK Bribery Act. Transparency International, a leading anti-corruption organization, has also established “Nine Business Principles for Countering Bribery,” and the World Economic Forum’s Partnership Against Corruption Initiative has become a leading voice on the global compliance stage. In light of the recent enactment of the Clean Company Act in Brazil, it is expected that Brazilian authorities will also issue detailed guidelines and expectations for corporate compliance programs.
Prosecutors in the US, the UK, and other countries routinely insert compliance program requirements into negotiated resolutions with companies under investigation for corruption. This further adds to the long checklist of what enforcement agencies around the world expect companies to do to detect and prevent misconduct. The good news is that although these guidelines vary in length, tone and language, they have a lot in common. They all touch upon a set of key issues that can be boiled down to five essential elements: leadership, risk assessment, standards and controls, training and communication, and oversight. If a company’s corporate compliance program effectively covers these five essential elements, it will likely fulfill the wide variety of law enforcement expectations around the world and help prevent costly prosecutions. In the event of a government investigation, a company with a robust compliance program that encompasses these five elements is much more likely to be granted compliance credit, a reduction in penalties and other forms of leniency that could ultimately minimize damages. Two key factors that prosecutors in the US and other countries consider when deciding whether to file an enforcement action include a company’s level of cooperation and its preexisting compliance program. To help companies meet the government’s demands for maintaining successful compliance programs, we’ve distilled the various standards to five essential elements based on our extensive experience working on these cases in jurisdictions around the world. For each element, we’ve included specific actions that companies can take to ensure they are fulfilling the requirements of each element. While our primary focus in this document is in the area of anti-corruption, the five elements framework can be practically and effectively applied in other areas of your compliance program, such as trade, antitrust, data privacy, and anti-money laundering. 
Our subject matter experts around the globe can provide you with the detailed guidance to apply the five elements to such areas, based on your company’s unique risk profile.
1 – Leadership
Increasingly, boards are finding that trust is on their agenda as a key business enabler – this means trust in the business, its leadership, its stakeholders, and its network of suppliers. Corporate structures and processes are essential, but they must also be fortified with values that include integrity, transparency, and respect for the rule of law. Likewise, a successful compliance program must be built on a solid foundation of ethics and integrity that is fully endorsed by senior management. Otherwise it’s just a hollow set of internal rules and regulations. But compliance standards require even more than support from the top. Companies must have high-ranking compliance officers with the authority and resources to manage the program on a day-to-day basis. The compliance officers must have the ear of those individuals ultimately responsible for corporate conduct, including members of the Board of Directors. The US Sentencing Commission reinforced the importance of ensuring that compliance officers have direct access to the Board of Directors when it published amendments to the US Sentencing Guidelines in 2010. To receive a “culpability score reduction” during sentencing under the Guidelines, a company must now show that its compliance officers can promptly report any matter involving criminal conduct directly to the board or appropriate board committee. Compliance officers should also report to the board on the implementation and effectiveness of the company’s compliance program at least once a year. As a best practice, however, we advise clients to take this component of their programs a step further. We recommend that a company’s chief compliance officer or legal department compliance manager provide quarterly presentations to the board about ongoing internal investigations, general developments in anti-corruption laws and enforcement, compliance challenges the company is facing and what is being done to address those challenges. 
That way, it is clear that the line of communication between the compliance team and the board is open.
Ensure board level accountability for the effectiveness of your compliance program.
A key element of successful compliance programs is that responsibility for developing and maintaining a culture of compliance ultimately rests with the Board of Directors. This is also where the trust-building of a company originates, as the Board must endorse ethical values at every level of the company in a manner that will influence behavior across reporting lines and help ensure these values reach all employees. Robust compliance programs require those responsible for the effective operations of the company to ensure that appropriate operational systems and corporate structures are in place to enable the company to operate in a compliant manner. A Board of Directors should therefore oversee implementation of a company’s compliance program, ensure that it is effective in addressing the risks faced by the company, and provide direct supervision of those responsible for the day-to-day management of the program. And the Board should get familiar with the business, know what is happening on the ground, consider how corporate values are being followed, and ensure employees feel they can speak up with any concerns they might have.
Make sure central compliance communicates with those in the field.
One of the biggest impediments to effective compliance leadership is poor communication between a company’s central compliance department and country managers working in the field. This can be a major oversight considering that country managers are often the employees in the trenches overseeing sales people and third-party agents who are selling and distributing the company’s products and services. Neglecting to provide appropriate compliance training for country managers or keep them in the corporate loop increases the chances that efforts to establish a strong local compliance culture will fail. Management tactics such as incorporating specific compliance requirements into annual evaluation criteria and connecting compensation to performance under these requirements can be effective for guiding employee behavior towards a greater respect for compliance. Local managers are often best situated to set the tone for compliance and to detect and address illegal or unethical practices before they become compliance issues that put the company at risk.
Place compliance officers in high-risk markets.
Another common oversight is failing to have well-trained compliance personnel in a company’s foreign offices. Maintaining a leadership structure that is too centralized will stifle efforts to foster a healthy compliance culture across all geographies and to minimize global risk. Ethical edicts issued from faraway headquarters are often ineffective without buy-in from local managers who have the training and experience to reinforce such rules. The determination of which overseas offices should have the strongest compliance presence should be made on a risk basis. Companies can begin by building an active presence of trained compliance managers in markets with the greatest compliance risk, then expand this presence to other jurisdictions.
Conduct periodic board training and provide reports on hot topics in compliance and risk management.
Corporate board members face the prospect of personal liability for failing to meet their fiduciary responsibilities in overseeing these policies and practices. With greater awareness of compliance issues from sources such as whistleblowers and bloggers there comes a greater duty and expectation for board members to act. By providing regular, timely compliance training for board members and keeping them updated on compliance and risk management trends, legal and compliance departments can help directors fulfill their compliance obligations and steer the company away from potential misconduct.
Leverage Internal Audit, Finance, and other risk management functions.
In order for a compliance program to be successful, multiple disciplines within the company must assist the compliance department in leading the way. Internal Audit and Finance are in the best position to understand the company’s financial risks and are often on the front lines of identifying red flags. Leveraging their expertise and internal structure will extend the reach of the compliance program into those functions that are key to a successful compliance program.
2 – Risk Assessment
Although the original 1991 version of the US Sentencing Guidelines did not specifically identify the completion of a formal risk assessment as one of the seven elements of effective corporate compliance, Sarbanes-Oxley directed the Commission to add it to the list. As a result, government officials now routinely emphasize risk assessments as the foundation of an effective program. What changed? The answer may be globalization. As multinationals have expanded their enterprises and become more dependent on global supply chains, knowing and understanding the nature and extent of business risks has become a critical first step for implementing successful compliance programs. Enforcement authorities around the world increasingly expect multinationals to have formal processes for periodically assessing the compliance risks everywhere they do business, particularly in higher-risk regions, including emerging markets like China, Russia, India and Brazil. During the risk assessment process, companies must evaluate numerous compliance issues, including the degree to which the company’s employees conduct business with government officials, the company’s use of third-party agents and intermediaries, the regulatory environment of the regions where the company operates, and the effects of any recent business developments such as new joint ventures, corporate affiliations, or expansion into markets that could create additional risk.
Conduct annual risk assessments.
The purpose of a risk assessment is to gauge where your company’s greatest compliance risks are so you can target resources in those areas and establish policies and protocols to minimize those risks. Yet it’s surprising how many companies do not perform this task. Companies will often wait until something goes wrong before self-assessing. To avoid the inherent risks in the “wait and see” approach, we recommend that you conduct a formal risk assessment every year. Because enforcement trends, such as those involving anti-corruption, trade, antitrust, data privacy, and anti-money laundering laws evolve rapidly and multinationals tend to go through numerous significant changes within a given fiscal year, we have found this to be an optimal timeframe.
Build this annual risk assessment into your compliance program.
Not only should you conduct annual risk assessments, but you should try to perform them at the same time each year. To pass muster with government regulators, it will be helpful to demonstrate that your risk assessment is a regular, systemic part of your compliance efforts rather than an occasional, ad-hoc exercise cobbled together when convenient. We also recommend designating a specific group, such as your compliance team, internal audit department or enterprise risk management team to spearhead the annual review. This will help demonstrate to the government that your risk assessment is a formal corporate process.
Scrutinize new business partners and third-party agents.
One of the key areas that can get companies into compliance trouble is their lack of internal controls over business partners and third-party intermediaries such as consultants, distributors, contractors and sales agents. The majority of FCPA enforcement actions involve some use of third parties. Compliance standards require companies to conduct due diligence on new business partners and third-party intermediaries. But in the rush to close deals and enter new markets, that doesn’t always happen as thoroughly as it should. Conducting a formal risk assessment each year provides an opportunity to take a closer look at newer business relationships to make sure partners and third parties do not have improper connections to government officials or involvement in unethical, improper, or illegal conduct. Any risk that you uncover should be addressed and remediated.
Update your policies and procedures based on enforcement trends.
Throughout the course of a year, government officials around the world file numerous enforcement actions against companies for all kinds of corporate misconduct. Paying attention to the specific compliance areas that the government is targeting in these enforcement actions will tell you a lot about what your program needs to focus on to stay out of the government’s cross hairs. If, for example, you notice that the government has been clamping down on gift giving and hospitality in Asia and you conduct considerable business in that region, that should become a focus area for your risk assessment. Then, depending on whether your hospitality policies and procedures in Asia are in line with what the government now expects, you should make necessary changes.
Memorialize your findings in an annual report.
When conducted every year, routine risk assessments should generally take three to four weeks, depending on the size of your company and your compliance resources. Once the assessment is complete, the compliance or audit team should compile its findings and recommendations in a comprehensive report to be presented to the chief compliance officer and Board of Directors for review and consideration of appropriate program enhancements. However, the process should not stop there. An action plan that prioritizes the recommendations from the risk assessment and assigns parties responsible for implementation should then be developed to ensure that the necessary program enhancements are implemented.
3 – Standards and Controls
It would be challenging to find a global company today that doesn’t have a code of business conduct — an easy-to-read summary of corporate do’s and don’ts. But compliance standards require that companies go much further. Besides a flagship code of conduct, corporations should have detailed written policies covering issues such as bribery, corruption, trade, antitrust, data privacy, money laundering and accounting practices, as well as clear procedures and protocols for making sure those policies are followed and enforced. A code of conduct will usually expressly prohibit bribery. However, best practices now require additional standards and controls, including detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on paper.
Establish stringent protocols for screening business partners and third parties.
In most risk assessments we perform for clients, we find gaps in the company’s third-party due diligence program. Many companies have not yet created an effective platform for screening third-party intermediaries and other business partners for previous misconduct and improper ties to the government. Some companies still give their business partners only a cursory look — a considerable oversight considering how often government investigations involve allegations of impropriety by a company’s third-party agents. To conduct proper due diligence, companies must require third parties and other business partners to complete background questionnaires detailing, among other things, their financial stability, foreign government ties and any history of investigations. Third parties should also declare their commitment to robust corporate compliance in a signed certification form. To increase accountability, we also recommend using business sponsor forms in which employees who refer or hire third-party agents provide background information about the agents, such as the experience and attributes that qualify the agents for the role they will play as new company partners.
Conduct background checks on important business partners in high-risk markets.
Performing background checks on third parties can be an expensive undertaking. But it may be advisable when screening major business partners and third parties in higher-risk markets to make sure they’ve represented themselves accurately in their paperwork. Accordingly, consider hiring trained, local investigators to get an even clearer picture of whether your potential partner could become a compliance liability.
Include strict compliance covenants in your third-party contracts.
Today’s best practice compliance standards also require companies to monitor the conduct of third parties and other business partners. We strongly encourage companies to integrate contractual provisions with business partners that facilitate the company’s ability to do so. At a minimum, these compliance covenants should cover three core concerns: adherence to the anti-corruption laws that are of most relevance to the relationship, audit rights, and termination rights. More specifically, these provisions should require the business partner to agree not to violate relevant anti-corruption laws, to give the company the right to review the partner’s books and records, and to enable the company to terminate the contract if it later determines the partner is engaged in misconduct, unethical behavior or illegal activity.
Establish internal controls to ensure accounting records are accurate.
The FCPA and the anti-corruption laws of many other countries require companies to book transactions correctly by securing receipts and accurately recording the date and amount of the payment. To be compliant, companies should reconcile bank accounts with outgoing and incoming payments every month and inquire into any suspicious payments and missing funds that could indicate misappropriation or off-the-books transactions. Companies should pay particular attention to transactions with consultants and business development agents, customs payments, charitable giving arrangements, political contributions and gifts and hospitality involving government officials.
Provide clear guidelines for gift giving and hospitality.
Giving clients and business associates gifts, treating them to dinner or taking them to sporting events are common business development practices. But anything too extravagant or lavish could quickly cross the line into bribery. Differences in culture and economic prosperity can make it difficult for companies to establish one-size-fits-all gift-giving and hospitality guidelines for the countries where they conduct business. While paying $150 a head for a business dinner in Australia may not constitute bribery, in poorer countries such as Nigeria or Indonesia it could. That’s why it’s so important to tailor hospitality policies to individual countries. Companies can do this in any number of ways, including through the use of a thresholds table listing permissible hospitality amounts based on local laws and regulations in each country where they operate, plus advice from experienced local counsel.
4 – Training
One of the most important elements of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies, and prohibited conduct. In recent years, the rise of technology platforms such as webinars, video conferencing and online self-testing has made training easier and more affordable. But simply conducting some compliance training for employees isn’t enough. Enforcement officials want to be sure management’s compliance message gets through in a meaningful way. Thus, when determining whether a company’s training program meets its expectations for effectiveness, government authorities often scrutinize who a company trains, how the training was conducted and how often training occurs.
Develop an annual, risk-based, training plan.
Regulators in countries across the globe have come to expect companies to provide training programs. In order to demonstrate a true understanding of the anti-corruption risks unique to your company, regulators will want to see that your training program is adequately comprehensive, for example, by including both computer-based and live components. Also, government authorities will seek to ensure that employees performing your highest risk activities, and those who are in a position to monitor your highest risk transactions, are regularly trained on policies and procedures designed to help minimize risk, identify red flags, and escalate or remediate compliance-related problems. A training plan should include a schedule for tracking when employees complete required compliance training. Tools for encouraging timely completion can include a reduction in performance scores for staff who do not complete required training and supervisors whose staff are delinquent.
Provide live compliance training for country managers.
If resources permit, officers and managers in your foreign offices should receive live, in-person compliance training every year, particularly those working in your highest risk markets. In the compliance world, anti-corruption laws, enforcement trends and government priorities change quickly. Waiting more than a year to conduct periodic compliance training can impede awareness. If lack of resources is an issue, conducting live videoconferences or webinars with question-and-answer sessions is a good alternative.
Train the right people.
When providing compliance training, it’s important to prioritize which audience to educate first, particularly when you have limited resources. Besides country managers, it’s important to focus your initial training efforts on high-risk markets and directors, officers, sales employees, and third-party intermediaries who have direct contact with government officials or deal with state-owned entities. Then expand the training around the globe and across your employee spectrum.
Conduct live, annual training in high-risk markets.
Enforcement officials have made it clear that live, in-person training is the preferred method in high-risk markets and that this training should be relatively frequent. Therefore, merely conducting a simple five-question online anti-corruption compliance test in a higher-risk country such as Russia, or performing training in China once every five years, will probably not be sufficient from a regulator’s perspective. Also, one of the many benefits of conducting live, in-person training is that you often receive immediate feedback. During live training, employees are more likely to casually mention a potentially risky practice, giving you the opportunity to address an impropriety before it becomes a larger problem.
Develop your training to address a broad range of global issues.
Some companies make the mistake of having a generic script for all compliance training that misses the practical challenges employees routinely face. Training programs typically cover the FCPA, UK Bribery Act, OECD guidelines, Brazil Clean Company Act, and enforcement trends in other countries in Europe, Asia-Pacific, and South America. Additionally, you need to focus on the specific compliance risks in the country where the employees are working. In China, for example, training should address the many corruption risks of dealing with state-owned entities. In Brazil and Nigeria, training should include guidance on how to handle government officials who expect facilitation fees to move business processes along more quickly. Finally, certain functions that are key to effective compliance monitoring should receive function-specific training. For example, accounts payable should receive training on how to identify red flags related to improper payments or otherwise signaling potentially corrupt or fraudulent activity.
Update your training regularly.
Enforcement trends and anti-corruption laws change quickly, and government officials are increasingly collaborating across borders to conduct large-scale investigations. That’s why it is important to monitor what’s happening around the world and incorporate those developments into your training. Compliance is a global issue that requires corporate vigilance and constant attention. By providing timely, effective employee training, companies can demonstrate their commitment to cultivating and supporting a strong compliance should include document preservation protocols, data privacy policies, and communication systems designed to manage information and get it to the appropriate people quickly. Best practice compliance guidelines also encourage companies to establish disciplinary policies that clearly state how they regulate and discipline employees engaged in misconduct.
5 – Oversight
After all the ethical messages have been put in place and communicated to the appropriate audiences, the question remains whether the workforce is actually complying. Two of the seven compliance elements in the US Sentencing Guidelines call for corporations to monitor, audit and respond quickly to allegations of misconduct. These three activities — monitoring, auditing and responding — are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs. Many companies fall short on this element, often because of confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance problems in real time, then acting quickly to remediate them. The primary goal is to identify and address gaps in your program on a regular basis. An audit is a more limited review that targets a specific business component, region or market sector during a particular timeframe to uncover or evaluate certain risks. Some companies assume that because they conduct audits or have a dedicated auditing team, they are effectively monitoring. This is usually not the case. A robust compliance program should include separate monitoring and auditing functions. While unique in protocol, these two program components are often viewed as compliance “cousins” because they work in tandem. If, for example, you notice a trend of suspicious payments in recent monitoring reports from Indonesia, you may decide it’s the appropriate time to conduct an audit of those operations to target and further investigate the issue.
Establish a regular monitoring system to spot problems and address them.
Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on a continuing basis. Ongoing, real-time monitoring, when effectively managed, will provide valuable insight into who a company’s business partners are and the specific transactions entered into with such business partners. Monitoring compliments the risk assessment and audit processes by providing additional context for the nature and scope of high-risk relationships and transactions. It facilitates ongoing visibility into these risks for the period of time between regularly-scheduled risk assessments and audits. The result is that compliance personnel have the opportunity to thwart corruption and bribery attempts while in process. This is why your compliance team should be checking in regularly with local finance departments in your foreign offices to ask whether they’ve noticed recent accounting irregularities. Also, as part of their corporate compliance accountability, regional business directors should be required to keep tabs on potentially improper activity in the countries they manage. Your global compliance committee or enterprise risk group should talk as often as feasible (perhaps every month) to discuss and address issues as they arise. Ongoing efforts like these will show government authorities that you are serious about compliance.
Require country managers to complete regular compliance reports.
One of the nine factors that US prosecutors consider when deciding whether to file an enforcement action is whether a company is applying its compliance program in good faith. The program may look good on paper but the government wants to know, is it really working? One of the most effective ways of answering that question is being able to show prosecutors regular, periodic monitoring and auditing reports prepared by senior executives and managers across your operations.
Pay attention to what employees say during training.
Training is a form of monitoring because it can alert you to potential problems based on the types of questions employees ask and their reception to certain concepts. For example, during training employees sometimes ask specific questions about their interactions with government officials or gift-giving practices that can raise red flags, which should be addressed quickly. The information learned from the engagement of employees in this manner will assist the company in taking appropriate actions to initiate program improvements and further enhance corporate values.
Regularly test your compliance program to verify its effectiveness.
Regulators expect a well-functioning compliance program to identify program weaknesses and promptly address those weaknesses. While companies typically test their financial controls they should be mindful of testing the entire anti-corruption program, not just the financial controls system. One particularly useful method of testing is to track categories of payment methods often used by third-party agents — such as commissions — and require compliance to confirm that due diligence screening was successfully completed. Upon implementation of an enhanced in-person training program, periodically review hotline reports and inquiries to determine whether such reports have increased, or whether more compliance-related inquiries have been received from categories of employees who have not previously communicated with the compliance department. Conduct employee surveys to measure the compliance culture and employee knowledge and awareness of compliance practices and procedures.
Establish protocols for internal investigations and disciplinary action.
Responding swiftly and effectively to compliance issues will sometimes require your company to conduct an internal investigation. Each company should have procedures already in place to make sure every investigation is thorough and authentic. Those procedures
Remediate problems quickly.
A key concept behind the oversight element of effective corporate compliance is the idea that if companies are policing themselves for compliance-related issues, the government won’t have to do it for them. That is why remediation is such an important component of oversight. If it’s clear that your salespeople in Thailand are doing something potentially improper partly because they never received adequate compliance training, remediate the deficiency by scheduling that training immediately. In the end, it’s not enough to just gather information and identify compliance problems. To fulfill this essential element of compliance, you also have to fix them.