Implementation. Experts agree that the biggest challenge is implementation. The major failure of many companies is they believe the job is finished after they put the policies in place. “You make a good and solid code of conduct, you tell everybody what’s wrong and what’s right…and you send a clear message out that this is our level of ethical behavior, and then you stop,” Kvamme says.
“I think the toughest challenge is to go from establishing that level of where you want to be to implementing the whole thing,” he says.
Three important aspects of implementation are establishing an effective whistleblower system, training staff, and monitoring the system.
Whistleblower system. Having a channel through which employees can report concerns is increasingly important, Valerian says. The system can be a phone hotline or computer-based, but the best practice is to have it monitored by a third party so that employees feel confident that they will be anonymous. (See related article, page 72.)
When concerns about unethical behavior are reported either anonymously through a whistleblower system or through more normal channels, the company should investigate and take appropriate action when needed. “Everybody should know that they are not only allowed to [report concerns] but it is expected from them that [they will do so] every time they see something suspicious or something that doesn’t look normal,” Kvamme says.
Communication and training. All employees who were identified by the risk assessment as being exposed to corruption risks should be trained on at least an annual basis, Valerian says.
Training should include a discussion of international laws and regulations relating to bribery and corruption. It should also include instruction on what constitutes ethical behavior and how to make ethical choices. For that purpose, PricewaterhouseCoopers has established an ethical decision model, which asks company employees, when faced with a dilemma, to consider questions like the following: Does it go against company or professional standards? Does it feel right? Is it legal? How would it look in the newspapers? Would you be able to sleep at night?
Training should be tailored to the various operational lines of the company and the specific risks to which employees in that section or geographic location are exposed. Training and other communication relating to the program should also be translated into the various languages of operation of the company.
Monitoring. Monitoring compliance can be very difficult as well. “[The FCPA] is the most profoundly extra territorial statute there is because it makes companies responsible for what’s going on in their most remote foreign operation,” Low says. “In a foreign affiliate that may be a separate legal entity operating thousands of miles away, they’re still obliged…to have controls and systems in place to prevent and detect and remediate improper practices. And it can be very hard, especially if you’re a major multinational company with far-flung activities…to know what’s going on in all those foreign operations, much less control them.”
Valerian recommends empowering the chief compliance officer or chief social responsibility officer with monitoring and implementation of the program. According to TI’s guidelines, contract terms should be monitored, accurate written records should be kept, and the program should be reviewed regularly, perhaps as an agenda point on the board or as a business meeting agenda.
Compliance with anti-corruption policies should also be noted on all employees’ annual job performance reviews “so that employees know that they are also measured on their ability to behave,” Valerian explains. “That part is often missed in the corporation.”
Outreach. A well-designed and well-implemented anti-corruption program may not always do the trick, however, says Michael Hershman, president of the Fairfax Group, LLC, and a cofounder of TI. “When you’re dealing with a company that has tens and tens of thousands of employees working around the world, you are going to violate the law somewhere along the line,” he says. “You are going to have a rogue employee or two or more that want to get ahead in the company, want to exploit for their own benefit the systems, and they’re going to get your company in serious trouble.” When that happens, he says, the company must be able to show law enforcement and the regulatory authorities not only that it has checked the boxes but that it has a broader approach to corporate ethics and governance and compliance.
He recommends that companies build good will by going beyond simply complying with the laws; they can do that by being good corporate citizens and engaging in corporate responsibility projects that give back to the local communities in which they operate around the world. “They have to let those people know that, yes, they’re there to make a profit, and hopefully a healthy profit, but they’re willing to give as well as take,” he says.
Hershman was appointed as the independent compliance advisor to the board of Siemens after the disclosure in 2006 that the company may have violated foreign bribery laws. He says he helped Siemens create an outreach program through which it worked with NGOs, governments, and other businesses in a collaborative effort to bring greater transparency and accountability to the company’s international trade activities.
The effort helped the organization mitigate the level of the punishment, Hershman says.
With increased enforcement of anti-corruption laws on the part of numerous authorities comes the need for more awareness and vigilance by companies. Developing and implementing an international corporate anti-corruption program is critical to reducing the risk that bribery laws will be violated. Should a violation occur, an organization’s ability to show a genuine effort to curb bribery, along with evidence of corporate social responsibility, may help to mitigate the harm done to the company’s reputation and bottom line.
Stephanie Berrong is an assistant editor at Security Management.