Ten years in compliance. What a difference a decade makes?
While for some of us, 2010 may not feel so long ago, much has happened in the last decade. 2010 was the year Apple released the first iPad and X Factor gave us One Direction. 2010 is also the year the UK Bribery Act was unveiled to much discussion[1].
Thinking back, you may remember the doubt expressed in some quarters about whether the legislation would have a “real” impact, with scepticism apparently driven by uncertainty over how effectively and aggressively the legislation would be enforced. Since then, significant attention has been given to topics including the use of deferred prosecution agreements, the emergence of technology assisted review, and growing cross border cooperation between regulators. While these are all important developments, we thought it would also be appropriate to reflect on whether bribery and corruption compliance has changed over the last 10 years.
A change in focus
One of the most striking developments we have observed is the increasing sophistication of discussions about bribery and corruption compliance programs.
The “Adequate Procedures” guidance released by the UK Ministry of Justice, following the UK Bribery Act, made a significant contribution to moving compliance conversations beyond discussions about policies, procedures, and controls, to broader questions of communication, training and monitoring. The Adequate Procedures guidance also encouraged organisations to consider what compliance measures are reasonable for a particular entity given their resources and risk profile. By 2010, the US Foreign Corrupt Practices Act (FCPA) had been in force over 30 years and, although OECD Good Practice Guidance, released in 2009, already signposted how views on best practice compliance programs were evolving, the change in the tone of Boardroom compliance discussions accelerated following the release of the UK Bribery Act.
After the UK Bribery Act guidance, the FCPA Resource Guide, which was issued by the US Department of Justice and SEC in late 2012, included a section on “Hallmarks of Effective Compliance Programs”, which largely echoed the UK Ministry of Justice Six Principles. Others followed including, for example, SAPIN-II in France, the Clean Company Act in Brazil and ISO 37001, all of which reinforced the emerging consensus around compliance best practice. While there are still differences in approach between countries, a shared view of what some of the key building blocks of good look like has certainly provided a helpful starting point for many organisations. Detailed guidance associated with the different regimes will continue to change, but it is hard to see agreement on the need to build and maintain effective, holistic, risk-based compliance programs changing any time soon.
The net effect has been a greater focus on compliance discussions, with “best practice” expectations being raised and an increasingly familiar view of the key pillars of a robust compliance program. While greater clarity over what good looks like does not guarantee the right result, it’s certainly an important step along the way and we think some credit should go to the UK Bribery Act for encouraging this development.
Embracing technology
Over the last decade the effective use of data as an essential component of risk management has, in our experience, been almost completely accepted. Looking back to when the UK Bribery Act was published, red-flag data analytics and visualisations were still seen as relatively sophisticated and not routinely performed. This was in part due to data as well as technological limitations.
Challenges to data analysis certainly remain, both in managing the various data sources that are a feature of most organisations and in navigating data privacy obligations. Despite these challenges, red-flag analytics are now a core part of many compliance programs and have been incorporated into a host of proactive exercises from compliance audits to third party monitoring.
More generally, the last decade has seen an explosion in the range of technology at the disposal of investigations and compliance teams. Developments in artificial intelligence and machine learning are now being used to support the analysis of increasingly complex and extensive data more efficiently. Over time these new tools have also been embraced by regulators and enforcement agencies and are now seen as a core part of the toolkit.
Improvements in technology have also been used to facilitate decision making. In the past, companies struggled with inconsistent approaches to important processes. Companies today are investing in workflow delegation technology with defined risk thresholds, automated end to end processes and centralised document trails. While there is still a need for human review, technology has come a long way in facilitating a robust and consistent approach.
Persistent challenges
A recent Parliamentary review described the UK Bribery Act as the “international gold standard” of anti-bribery legislation. Unfortunately, despite the developments in technology and approach that we have described above, it is difficult to observe the seemingly relentless stream of enforcement cases and record-breaking penalties across the world and not conclude that fundamental challenges remain. While there is always a lag between misconduct taking place and sanctions being announced, it is hard to argue the corruption problem has been solved.
Given the time, effort and sacrifice that have been spent tackling corruption, this is a disappointing reality to face.
In our experience, organisations continue to face fundamental challenges in dealing with bribery and corruption risk. To take one example, risk arising from third party relationships still causes problems for many. With diverse markets, varying levels of economic development and different political and legal realities, this should not be a surprise. Compliance teams are challenged to establish practical solutions tailored to the unique environments and challenges of their global footprints, not only for third parties but all aspects of bribery and corruption risk. And many must do this with tight budgets and limited resources.
Conclusion
Reflecting on the changes in corporate compliance over the last ten years, we believe many aspects look and feel different. How much of this progress can be directly attributed to the UK Bribery Act is open for debate; but there have certainly been some positive developments.
At the same time as thinking around compliance programs has converged, there has been mounting public pressure on business and government to address the continued scourge of corruption. Across the world this impatience with the status quo has been fuelled by the proliferation of social media and multiple leaks of sensitive data and communications, making it harder for organisations to hide from their misdeeds. However, there remain stark differences in local legislation and, more significantly, enforcement activity, across the world.
This combined social and regulatory pressure will be essential to drive further change over the next decade. We hope that with increasing use of collective action, organisations can continue to influence the political, economic, and enforcement conditions that sustain corruption. It will certainly be interesting to see what the next ten years have in store.
[1] The UK Bribery Act subsequently became effective from July 2011
Michael Zimmern, Partner at Control Risks
Michael leads the investigations and forensic accounting practice for Control Risks in EMEA. As a qualified chartered accountant with more than 15 years' forensics experience, Michael advises clients on regulatory, reputational and financial issues. Michael frequently supports clients on complex, cross-border investigations working alongside Governments, regulators and enforcement agencies to help clients manage and respond to risk. Michael has performed investigations and compliance work in the UK, Europe, the Middle East, Russia, India and Africa (including South Africa, Nigeria, Kenya, Ivory Coast, Ghana, Tanzania, Ethiopia, Cameroon, Zimbabwe, DRC and Angola) and has extensive experience supporting clients with issues in emerging markets.
Lorynn Demetriades, Director at Control Risks
Lorynn Demetriades is a forensic accountant and a Director of Control Risks' forensic investigations practice in Europe & Africa.
Based in London, Lorynn supports clients undergoing complex and international challenges including forensic investigations, compliance advisory projects and forensic M&A due diligence. She often works alongside internal and external counsel, compliance officers and internal investigation teams.
Lorynn has been a consultant to multinationals, legal advisors and global investors for nearly 10 years and has worked on the ground in Africa, the Americas, Asia, Europe and the Middle East. She has particular experience in dealing with regulatory enquiries, including SEC, DOJ and FCA related investigations, and has served a range of sectors including energy, defence, pharmaceuticals and infrastructure.