FCPA Compliance and Ethics Blog

March 21, 2012

OCEG Illustrated Series: Managing Corruption Risks

How do you move off dead center? That was a question posed by my colleague Mary Jones in a recent guest blog post. She gave several concrete steps in answer to her own question. This question was further explored in the January issue of Compliance Week magazine, which began a six-part “Anti-Corruption Illustrated” series by Carol Switzer, President of the Open Compliance and Ethics Group (OCEG). OCEG is an organization which “develops standards and guidance to help organizations achieve Principled Performance”; that is, “the reliable achievement of objectives while addressing uncertainty and acting with integrity.” OCEG’s Illustrated Series is a teaching method developed to visually represent how to set up processes and procedures in various areas and disciplines. This Anti-Corruption Illustrated Series is a very useful tool for the compliance practitioner to use in explaining the components of an effective compliance program.

In the first article of her series, Switzer shares her views on how anti-corruption programs enable business agility. In addition to her own thoughts, Switzer moderated and reported on a roundtable discussion of compliance experts who shared their views on managing corruption risks. These experts included Steven Kuzma, Global Leader in Corporate Compliance at Ernst & Young; Jay Martin, Chief Compliance Officer at Baker Hughes; Mike Rost, Vice President at Thomson Reuters GRC; and Jim Slavin, Senior Director at SAI Global.

  1. Assess the Risk – In this step you identify corruption risk factors that your company may face. These can be based upon several different factors including the nature and location of your company’s business activities; your company’s third party relationships; and your company’s methods for obtaining and retaining business. You should evaluate and then rank these risks based upon your company’s risk appetite and be prepared to respond to internal or external forces that might change this risk assessment.
  2. Develop the Program – You should develop “a comprehensive and balanced anti-corruption program that corresponds to the risks identified in the assessment process.” This should include written policies, procedures and internal controls for all levels within your organization. You will need to obtain Board of Directors and senior management endorsement of your strategies and communication of this support.
  3. Define and Implement Policies – In this step you should consider the written policies which map to the applicable regulations, obligations and business processes that you have created. Ownership of these requirements within the business is critical to their success and there should be communication to key stakeholders including “staff, third parties, auditors and customers.”
  4. Build and Operate Controls – Next you will need to establish “procedures and controls to prevent, detect, correct, and mitigate the risks” which you have identified and ranked. There needs to be ownership established to monitor these controls with regular documentation, continued assessment and testing of these controls.
  5. Train and Educate – You must develop and deliver training to “raise stakeholder awareness and competence regarding anti-corruption goals, policies, procedures and [internal] controls.” This should include identification of “role-specific programs with desired outcomes” with delivery methods to get your message across to the various target audiences.
  6. Monitor and Evaluate – Here OCEG suggests a five-step process to track and assess policies and controls for effectiveness.
    1. Screen – Monitor vendor, partner and customer records against trusted data sources for red flags.
    2. Identify – Establish helplines and other open channels for reporting of issues and asking questions by employees and appropriate third parties.
    3. Investigate – Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
    4. Analyze – Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
    5. Audit – Finally, your company should have regular internal audit reviews and inspections of your company’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.
  7. Review, Realign and Report – This step requires you to “take timely corrective and disciplinary action for violation” of your company’s program. Your program should be regularly evaluated and aligned with any new or additional corruption risks which are found. Both the Board of Directors and senior management must be informed through regular reporting. Finally, there should be a professional external review on no less than a two year basis to determine your program’s overall sufficiency.

Switzer’s article and report on the roundtable discussion are very useful tools for the compliance practitioner. Her article includes a removable copy of the OCEG Illustrated Series on managing corruption risk. I heartily recommend it to you.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

March 13, 2012

Barbara Tuchman and Compliance Programs

One of my favorite historians is Barbara Tuchman. One of the first large volumes of history I read growing up was “The Guns of August”, her Pulitzer Prize-winning book about the outbreak of World War I. The Library of America has recently released two of Tuchman’s works, the aforementioned “The Guns of August” and “The Proud Tower”, which details the pre-World War I era, together with the personalities and events which led to the “war to end all wars.”

This love of history, coupled with my interest in ethics and compliance, was piqued by an article in the Saturday edition of the Wall Street Journal (WSJ), entitled “A Heroine of Popular History”, by Bruce Cole. The article discussed the work of Tuchman as a popular historian and contrasted the books she wrote with those written by historians with a more academic focus. He quoted the historian Catherine Drinker Bowen, who had the following quotation over her desk: “Will the reader turn the page?” I thought this question had particular relevance in the arena of compliance programs, as compliance professionals continually try to get the message of compliance throughout a corporation. So here is some of the wisdom of writing history that Tuchman advocated and how it might help the compliance professional convey the essence of doing business in compliance across a corporation.

Get out in the Field

Tuchman stressed the importance of using primary sources and visiting the sites where “history was made”. She said that it was necessary to keep a historian from “soaring off the ground”. From this advice, I believe that the compliance professional needs to get out of the home office, wherever that is, and visit international locations. This is the best way to find out what is going on in the field. This ties to the second point of using primary sources. In the compliance arena, your primary sources are the employees in your own organization. Cole quoted Tuchman that you “arrive at a theory by way of the evidence, not the other way around”. This advice sounds like the guidance from the Department of Justice (DOJ) that your risk assessment should inform your compliance program, not the reverse.

Study Your Company Culture

In the field of history, Tuchman did not view nations or individuals as “helplessly swept along by forces of history beyond their control.” She viewed history as driven by human “foibles, flaws and occasional heroism, rather than by abstract systems.” This means that a compliance professional needs to understand how the cultures in your organization work and then create a compliance program to fit those needs. It does not mean a company can continue to do business with corrupt intent, but if there is a culture of gift giving in a geographic area, you should determine a way to continue such courtesies within the context of your overall compliance regime.

Write Your Policies for Everyone

This is probably Tuchman’s greatest lesson, for both the historian and for the compliance practitioner. Tuchman never received a post-graduate degree in history, so she never learned to write like a professional historian, beginning with a “footnote-laden dissertation – written strictly to be read by other scholars.” Tuchman wrote for a wider popular reading audience. The same can be said for written compliance policies. In academia, a Professor’s progress is measured by the judgment of his or her scholarship by peers. Unfortunately, those peers are steeped in the same academic training and therefore judge scholarship on the same criteria as that used to judge dissertations. Tuchman believed that by not pursuing a PhD in history, she was a better writer. She was quoted in the Cole article as having said, “It’s what saved me, I think. If I had taken a doctoral degree it would have stifled my writing capacity.”

Many times compliance policies are written by lawyers and can only be read and interpreted by other lawyers. It is really not our fault as we were all trained in law school to “think and write like a lawyer” but out there in the real world, such language does not always work for the intended audience. This point is even memorialized in the UK Ministry of Justice’s Six Principles for Adequate Procedures which reminds compliance practitioners that anti-bribery compliance policies should be written in “plain English.” While many lawyers, particularly outside counsel who have never practiced as in-house counsel, write like lawyers for other lawyers to read, such writing style does not work for most business people. Therefore in-house counsel should work with a business unit representative, or several, to make the language in written compliance programs accessible to people in the field who are trying to read and understand it.

Just as the Library of America celebrates Tuchman in its recent release of two of her greatest works, we in the compliance field should celebrate her for the guidance that she provides in our discipline.
