12th Global Fraud Survey Growing Beyond: a place for integrity
Preparing to meet new challenges
Inconsistent level of recognition of the risks of investing in new markets
Q: To what extent do you agree or disagree with the statement “planned investment by my company in new markets will open us up to new risks”?
Base: All respondents (1,758)
Only 59% of respondents report using an approved supplier database.
As companies expand their businesses in rapid-growth markets, they are confronted by a wide range of risks that must be actively managed.
A majority of our respondents have taken the important first step by acknowledging the challenges. Nevertheless, a significant global minority of one in five respondents do not recognize that new markets bring new risks.
Managing the risks arising from third parties
When entering new markets, the need for local contacts and procedural knowledge leads many companies to engage the support of third-party agents or business partners. Such relationships can expose companies to significant ABAC compliance risks.
There have been many publicized enforcement actions by regulators which highlight the significant costs to companies of breaches by their third parties. In fact, more than 90% of reported FCPA cases involved third-party intermediaries.
Of these cases, one of the most significant was the Panalpina case of 2010. Among other charges levelled at the company by the US Department of Justice (DoJ) and the US Securities and Exchange Commission (SEC), Panalpina was alleged to have made payments on its customers' behalf to local officials to speed up import procedures across a number of countries.
The case served as a wake-up call for many companies, and provided a further example of how the DoJ was willing to consider enforcement against companies whose third parties had paid bribes on their behalf.
Yet, despite the significant risks and specified demands of regulators, our survey suggests that the corporate response to mitigating third-party risks is still inadequate. Many companies are failing to adopt even the most basic controls to manage their third-party relationships.
Only 59% of respondents report using an approved supplier database — a worryingly low uptake for a simple mechanism which helps ensure that only legitimate and bona fide third parties provide the company with services.
The apparent lack of knowledge held by companies about the third parties they deal with is a real problem.
Effective third-party due diligence and compliance audits
Third-party due diligence is increasingly expected by multiple regulators. US regulators, through both the US Federal Sentencing Guidelines and FCPA settlement agreements, have made it clear that third-party due diligence and monitoring are important aspects of an FCPA compliance program.
Guidance issued by the UK authorities on the UK Bribery Act also specifically addresses the need for an effective third-party due diligence process.
An effective anti-corruption regime requires consistent processes and a risk-based approach. The importance of taking a risk-based approach is highlighted by both the Organisation for Economic Co-operation and Development (OECD) anti bribery guidelines and the UK Bribery Act guidance.
To implement a risk-based approach, companies need to consider a number of key questions, including:
- Have all third parties been identified and are there processes in place to ensure that they continue to be identified on an ongoing basis?
- What criteria should be used in risk assessment? Consideration should be given to matters including country corruption risk, the nature of the activity performed by the third party, the ownership of the third party, the likelihood of interaction with government officials, the volume of business done with the third party and whether the third party is a regulated entity.
- How can companies ensure that the process is independent and consistent? Companies should weigh the benefits of checks being performed centrally with more independence and at a lower cost or within the business unit with better on-site local knowledge.
- Does the company have the resources to implement the process? There may be a large volume of information to be processed. Can the company produce a robust audit trail that is defensible when subjected to regulatory scrutiny?
- Is the process sustainable once established?
A significant amount of enforcement activity continues to relate to acquired entities. In 2011 alone, there were three FCPA settlements that related to prior violations by recently acquired subsidiaries. Through these and other settlements, the DoJ has reinforced the importance of pre-acquisition and post-acquisition due diligence.
It is not just a matter of whether ABAC due diligence is performed but also when. It is essential that ABAC due diligence starts early. The earlier issues are identified, the sooner an acquirer can understand the corruption risks of a deal, discuss any issues with the relevant regulators or walk away should that prove necessary.
This can avoid significant expenditure on a transaction that ultimately falls through because of compliance concerns identified late in the process. It can also prevent an acquirer experiencing reduced profits because certain revenue streams were dependent on corrupt payments or from subsequent regulatory fines.
It is essential that the acquirer moves quickly after the purchase to flush out any historic or ongoing corruption issues or control gaps in the acquired business. It may prove impossible to make all of the changes required at once; therefore, key risk areas should be identified for initial remediation.