FCPA Compliance and Ethics Blog

May 28, 2013

Risk Assessments in an Anti-Money Laundering Compliance Program

Today we celebrate that noted British comedian who made his fame in America – Bob Hope.  He had a successful film career largely thanks to the series of seven “Road” movies he made with Bing Crosby and Dorothy Lamour, including Road to Singapore (1940), Road to Morocco (1942), Road to Utopia (1946) and Road to Rio (1947). Hope is also known for his entertainment of US military forces overseas. In 1941, after America’s entrance into World War II, Hope began performing for US troops abroad; he would play shows for more than a million American servicemen by 1953. Some 65 million people watched him perform for troops in Vietnam on Christmas Eve in 1966, in his largest broadcast. Hope also became a legend for his countless TV specials, which he would perform over the course of some five decades. He hosted the Academy Awards ceremony a total of 18 times, more than any other Oscars’ host.

What does Bob Hope have to do with compliance? First he was a comedian and second he reinvented himself several times. The anniversary of his birthday reminded me of an article written by Carole Switzer, the co-founder and President of the Open Compliance and Ethics Group (OCEG), for Compliance Week Magazine entitled “Analyze This: The Value of Business Risk Assessments.” In her article, one in her continuing series of GRC Illustrated articles, Switzer says that anti-money laundering (AML) compliance programs, like therapy, are “difficult to define and relatively easy to avoid.” She quoted Larry David, co-creator of Seinfeld and creator of “Curb Your Enthusiasm” for the following thought on therapy, “I know enough about myself now to know that I really don’t need to know anymore.” Unfortunately, as Switzer notes, many companies have the same problem when it comes to their AML programs.

Switzer discusses a recent report by the UK Financial Services Authority (FSA) which highlighted four general reasons that UK banks failed to have effective AML programs. The same four reasons hold true for non-banking sector US companies in the area of AML.

(a) Denial. The FSA reported that one-third of the banks “failed to review their business-risk assessment program on a regular basis. Additionally, about one-third of the companies scrutinized also failed to alter their risk assessments in response to new developments and insights, such as when allegations of major corruption were levied against a customer or when a country’s risk profile spiked due to regime change.”

(b) Grandiose delusions (imagine a bank with grandiose delusions!). The FSA found that too many “customer-facing “relationship managers” could override customer risk scores produced by the risk-assessment program—without sufficient evidence to support the decision to disregard the score.”

(c) Borderline suspicious. Bank personnel did not understand how the AML risk assessment was generated and indicated that they were “confused” regarding what score indicated that a customer was a high risk.

(d) Avoidance coping. The FSA noted that institutions “inappropriately low risk weightings for high-risk factors, “sometimes overtly”; while “other banks chose to ignore well-known high-risk indicators and other adverse information from a variety of sources, “such as links to certain business activities commonly associated with higher levels of corruption.”

Fortunately Switzer laid out her thoughts on what an effective business risk assessment program should contain. From this risk assessment, you can identify where your company should focus its AML resources, determine how changes might affect your company, and where your program may need enhancement. She is quite clear that without an effective risk assessment, “your AML program will be inefficient as well as ineffective.” She sets out five steps to take.

  1. Define the Risk. Switzer says that “At the forefront of any good business risk assessment program is an executive vision. The executive sponsorship must ask themselves difficult, critical questions.” This is largely because, while there are certainly known risks to a business, there are also risks you and your company may not be aware of, so it is important to define what you know but leave it flexible enough to cover the unknown when it becomes known to you. Switzer lists some of the questions that you might begin with, which include: What are the inherent risks in our current business? What controls do we have in place? How much risk, after the business risk assessment process is instituted, remains? Should we close business locations? Should we add additional controls? Should we put spending restrictions in place? Are other industries at the same level of risk?
  2. Gather Intelligence. In this step, after executive sponsorship has set the strategy in motion, you must gather intelligence to truly understand the exposure across the organization’s products, services, and customer base. The AML team should consult local business and compliance leaders to gain key insight. The specific steps include: (1) Develop the business risk assessment questionnaire. (2) Determine what controls are currently in place. (3) Review the external risk. (4) Understand the magnitude of each risk factor. (5) Gather and normalize all data for review.
  3. Review the Findings. Once a full business assessment has been conducted and all the data collected, a full analysis of the data is performed at multiple levels. The overall picture of risk is reported to business line, regional leaders, and enterprise leaders. Switzer’s specific steps include (1) Creation of full evaluation reports of all measured data. (2) Involve AML staff, regulators, and critical business leaders in your review. (3) Utilize external, unbiased consultation to determine product and service risk for remediation.
  4. Decide How to Proceed. Switzer advises that after you come to an understanding of your exposure and risk, your vision has been set, and you have gathered data and reviewed it, you can set a course to move ahead. However, she cautions that “continual review of the plan’s impact on the business, even at this stage, is critical.”
  5. Implement the Plan. At this final step, after your company has defined its strategy, determined, by measurement, the exposure to AML risk, understood and evaluated the areas of potential risk and then “determined a path to accept, resolve and eliminate, it’s time to go to work setting the plan into motion—however, just because you are now implementing doesn’t mean you can relax. Constant scrutiny, learned best practices, and ongoing monitoring are critical.”

Switzer concludes by stating that “Risk assessment programs must evolve quickly as risks and crimes do. Building in a good system of correction and monitoring that can flex with your organization is critical.” So just as Bob Hope reinvented himself as the tastes of society changed, your risk assessment should be a “living, breathing process.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

March 6, 2013

Marine Transportation and Anti-Money Laundering

My recent article on the marine transportation industry and the Foreign Corrupt Practices Act (FCPA) generated some discussion ranging wider than simply the port agent issue regarding interaction with foreign government officials. One of the discussion points was how and where a company should pay the crew. One of the sacrosanct rules that I learned while working at Halliburton was that payments to any third parties had to be made to either (1) the location where the services were delivered or (2) the location where the third party was domiciled. It was called ‘Offshore Payments’ and the legal department was charged with making sure that all contracts specified payments to be delivered into one of the aforementioned locations. The rule was designed to comply with Anti-Money Laundering (AML) rules and regulations. This concept also appears in the FCPA as a red flag if a third party desires to be paid outside either of the locations stated because a corrupt entity or person could use funds already in the banking or financial system to disguise any movement that might reveal the corrupt action, such as a bribe to a foreign governmental official.

Obviously you cannot pay a ship’s crew in the location where the services are delivered if those services are delivered at sea. So that would seem to leave the jurisdiction where a crew member is domiciled. But in addition to the home domicile there are other AML issues, such as the bank into which the payments are wired from the US. The Financial Action Task Force (FATF) Recommendations on the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation set out several in its White Paper released last year. These included due diligence on payees to determine politically exposed persons and specially designated individuals, record keeping, controls regarding payee banks and financial institutions and reporting of suspicious transactions, among others. In other words, there are many concerns about paying third parties; even those third parties a company might not normally consider in their own compliance regime.

Based upon these conversations, I thought a deeper look into AML issues was warranted. Fortunately Carole Switzer, President of the Open Compliance and Ethics Group (OCEG), just penned another piece in her series in Compliance Week on compliance-related issues. This month Switzer has taken a look at AML issues in an article entitled “The Complex Mechanics of Money Laundering,” and accompanying the article is another in the OCEG/Compliance Week GRC Illustrated Series, which reviews, in an illustrated manner, how to build an effective AML program.

Switzer explains that there are several laws which deal with AML compliance. They include “the Intelligence Reform & Terrorism Prevention Act of 2004, which amended the BSA; the Money Laundering and Financial Crimes Strategy Act; and the Money Laundering Suppression Act.” There are numerous regulatory and enforcement agencies with domestic AML oversight. They include “the U.S. Department of the Treasury and its Financial Crimes Enforcement Network (FinCEN), to the Securities and Exchange Commission to the Dodd-Frank Act’s Consumer Financial Protection Bureau (CFPB) to the New York Stock Exchange, IRS, FBI, and a number of federal banking regulators.”

The illustrated section following Switzer’s article sets out three basic steps: (1) Define the Risk; (2) Quantify the Risk; and (3) Manage the Risk.

I. Define the Risk

It all begins with a comprehensive organizational analysis so that you can understand how much exposure your organization has and where it originates. A company should keep track of the places it does business and how it does business, either directly or through third parties. A company should determine where threats are hiding in its operations and identify any specific AML issues posed by a particular product or service line. A company should also understand the enhanced risks posed by any specific geographic markets and then identify the risks inherent in different customer types.

II. Quantify the Risks

Under this prong, a company should determine the quantitative impact of defined risks, both from a customer and asset perspective, while understanding how operating locations may affect these identified risks. Next a business should profile and risk rate customers and assets based on risk attributes including customer geography, business structure, sources of funds, business type, products and services utilized and other factors. From these factors a company should then formulate a comprehensive business risk assessment.

III. Manage the Risk

Based on steps one and two a company should then implement an AML program consisting of people, processes, and controls proportional to the quantified risks which can ensure compliance, visibility, and protection. This Step III has four subparts.

  1. Design: A company should define its internal roles and responsibilities. There should be designated risk categories which will inform the appropriate level of due diligence. A company should build and implement both suspicious activity controls and transaction monitoring.
  2. Implement: This step involves the establishment of policies and procedures and the training of employees and relevant third parties on them. To the extent possible, OCEG recommends using technology to monitor, review, escalate, and report suspicious activities using a risk-based and practical approach. Lastly, they recommend that companies exchange knowledge with industry peers and experts.
  3. Test and Analyze: A company should regularly test its controls and monitor personnel and third parties. A company should evaluate the data that it receives. Finally, as with all compliance regimes, there should be a confidential reporting mechanism to report suspicious activities or other violations.
  4. Report: A company should report suspicious activity and any AML controls system weaknesses should be scheduled for analysis. A company should also document and file any suspicious activity for both its own internal use and regulatory reporting requirements.

A company must continually capture and update its understanding of threats and system weaknesses to influence continued evolution of an effective AML program. This should be coupled with the continuous evolution of your AML program because the nature of money laundering is ever-evolving as criminals construct new and “improved” methods to hide the proceeds of crime and funds for financing criminal action, making it ever more difficult to monitor and stop.

So how about the payment issue in the marine transport industry and the ship’s crew? Most US companies no longer own and crew the ships they use to transport product or cargo and will typically use a charter party. The charterer gives orders for the employment of the vessel and payment of the crew. If your company is in such a position I would suggest that it make the following inquiries of your charter party: 1) Does the charter party have an International Organization for Standardization (ISO) program and policy in place for the hiring and paying of employees? 2) Does the charter party vet all employees to include license checks; verify bank address to employee address and obtain background checks thereon? 3) Does your charter party ensure that all banking transactions made to the employees are documented starting with hours worked, signature from masters and payments made to employees’ home country only?

If you are in the marine transport industry and use a third party to pay those working on your behalf you need to review the third party’s AML program. The same is true for any other business which uses a third party company to make payments to others outside the US.

© Thomas R. Fox, 2013

July 18, 2012

FCPA Issue Management: An Illustrated Primer

I have previously written about the Open Compliance and Ethics Group (OCEG) Anti-Corruption Illustrated Series on Managing Corruption Risks and Third Party Anti-Corruption Due Diligence. Today I will review another in the Illustrated Series on Anti-Corruption Issue Management. This installment of the OCEG series is designed to assist companies to implement or refine an investigation process and to avoid some of the common problems that arise when trying to identify, prioritize, investigate and resolve corruption.

I. Capture and Filter

A company should establish “multiple pathways” which will allow it to receive tips on potentially corrupt activity. Further, a company should monitor high risk activity and relationships based upon “identified factors including country, sales channel and third-party compliance data.” Some of these data sources could include continuous controls monitoring, controls violations which are noted, hotlines and informal intakes, third party or customer reports, audits, both internal and external, interviews, third party due diligence or media reports of other companies, locations, sales models or conduct.

The above mechanisms could raise a number of Red Flags which should be investigated more thoroughly. These Red Flags can include allegations of commercial bribery, customs and offset commitments, out of policy gifts, entertainment and travel, misreported accounting records, cash vendor disbursements and other high risk transactions, charitable giving and commission payments and unusually high or too-frequent facilitation payments.

Self-Assessment Questions

  • Have we categorized types of conduct and areas of operations into threat-level categories as a part of our risk assessment process?
  • Do we proactively monitor potential high-threat-level conduct and activities and provide multiple pathways for issue intake?
  • Do we have contingency plans to manage issues that arise in each risk category including identified investigation teams, reporting requirements and escalation paths?

II. Review

If any of your company mechanisms pick up or alert you to a Red Flag, the first thing you need to do is to secure your records to prevent the loss or destruction of any data and to try and preserve the attorney/client privilege to the extent possible. Next you should triage and assess the threat and rank it by risk level. The next step should be to determine your reporting obligations within the company. If you have a pre-existing contingency plan, you should report to those persons listed in the plan for the level of risk assessed. From this step you should execute a defined plan for the identified risk level and then refer the matter to the designated investigation and communication teams.

One thing that OCEG emphasizes is the need for high level oversight, whether that is a corporate Board of Directors or something akin to the Board of Trustees at a college or university. Senior management and the Board of Directors need to be informed about potential issues of bribery and corruption early and should be kept abreast of the investigation as it progresses and “take a hands on approach to ensure protection of the organization and resolution of the issue.”

Self-Assessment Questions

  • Do we have policies and procedures to secure evidence, protect privilege and bring in legal teams?
  • Who is on our investigation team? From legal, internal audit, security, operations?
  • Have we identified an authorized spokesperson and informed everyone about what may and may not be said, and by whom, about issues that have been identified or are being investigated?

III. Resolution

Here the OCEG suggests a tripartite approach. First, a company should investigate by collecting, reviewing and analyzing the evidence. Attention should be paid to issues which cannot be quickly resolved that may require re-assignment and notice to either senior management or the Board of Directors. Second, the company should execute a communications plan for management, employees and external stakeholders. This communications plan should keep the appropriate level of management informed on the change in status of any issue throughout the investigation. Lastly, the company should obtain an independent report and resolve any signals of systemic violations and ensure that any unlawful conduct has been terminated and appropriate disciplinary actions taken. This final step should present senior management with the requisite information to make business decisions about changes in business operations and the discipline/termination of employees/contractors/business partners.

Additionally, the company should define the legal strategy it will pursue if a violation is determined. Under the Foreign Corrupt Practices Act (FCPA) this could include an evaluation of whether the company should self-disclose to the Department of Justice (DOJ) and/or Securities and Exchange Commission (SEC).

Self-Assessment Questions

  • Have all illegal practices been identified, stopped, and had controls revised or added?
  • Do we have a communications plan and team that protects our reputation?
  • Have we found systemic problems that require correction or deeper investigation?
  • Are there potential violations of law that must be, or should be, disclosed and if so how quickly?
  • Is the investigation report sufficiently independent and thorough to facilitate cooperation with prosecutors or regulators, and aid in defense of civil or criminal actions?

Finally, the company needs to be prepared to defend its reputation. OCEG suggests that the company identify those who will speak on the company’s behalf and to the extent possible have a consistent, controlled and truthful message.

Self-Assessment Questions

  • Have we adequately briefed senior management and the board about strategic, financial, reputational impact of the case?
  • Do the findings indicate gaps in company governance or culture that might require significant leadership changes?
  • Do we need to revise business strategy, or terminate lines of business, withdraw from geographic regions or sever third party relationships?
  • Will there be significant lost revenue and can we control it?

IV. Continuous Improvement

The process should not stop at the conclusion of each issue resolution. OCEG suggests that a company conduct a root-cause analysis “including leadership weaknesses, culture issues and flaws in the performance of management activities and controls.” Patterns both in relationships and the aggregate should be analyzed and reviewed. Continuous controls monitoring should also be implemented.

OCEG continues its excellent illustrated series with this Primer on corruption issue management. It not only provides the compliance practitioner with a road map to follow but provides some very pointed questions that you can ask yourself to give a preliminary assessment of the state of your compliance program to detect and then respond to an issue. With the Dodd-Frank Whistleblower statute in full force, a quick directed response is mandatory to both comply with the law and to protect a company. I once again heartily recommend that you take a look at the OCEG series, as it will be well worth your time.

© Thomas R. Fox, 2012

April 5, 2012

OCEG on Third Party Anti-Corruption Due Diligence

My grandfather was a comic book collector. He collected all kinds and types of comics, from super-heroes to the Archie series. One of the series that he collected that I still think about from time-to-time was Classics Illustrated. Classics Illustrated was a comic book series featuring adaptations of literary classics which began publication in 1941 and finished its first run in 1971, producing 169 issues. I won’t divulge how many classic novels that I read in such fashion as a youngster but I will say that that group is the only set of magazines and comics that I collected in the 60s of which I still have a complete set.

There is another illustrated series which may be of more use to the modern day compliance practitioner which can be found in Compliance Week Magazine. In the February 2012 edition OCEG President Carole Switzer continues her series on an illustrated six-part anti-corruption program. In this issue she focuses on third party due diligence. She begins by noting that one of the surest ways to develop and strengthen your anti-corruption compliance program, whether based upon the US Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act is to discover “what you do not understand about the third-parties who help you to do business abroad.” She explains that if your company does not “expand its knowledge of activities of your business partners,” the Department of Justice (DOJ) or UK Serious Fraud Office (SFO) may well do so for you in an enforcement action. Switzer provides a six-step process with a nifty diagram attached to the article.

1. Define

To begin you should define your objectives and then design your process. This should include all forms that you will use including questionnaires, background checks, references and certifications. You should also delineate your process to review and clear any Red Flags which may arise in the process.

2. Collect Initial Data

This step should begin with a country review to make an initial determination of risk of corruption. You can use the Transparency International (TI) Corruption Perceptions Index (CPI) or similar resource. Determine how you can make real-time checks, whether through a third-party software provider such as World Compliance or other mechanism for initial due diligence. You will also need to collect data directly from the proposed third party business partner in the form of a questionnaire or other document. There should also be an initial discussion of the “nature, scope and intended relationship” with the third party.

3. Assess

Under this step, Switzer believes that you should initially set up categories for your third parties of high, moderate and low. Based upon which risk category the third party falls into, you can design specific due diligence. She defined low risk screening as “trusted data source search and risk screening such as the aforementioned World Compliance”; moderate risk screening as “enhanced evaluation to include in-country public records…and research into corporate relationships”; high risk screening is basically a “deep dive assessment” where there is an audit/review of third party controls and financial records, in-country interviews and investigations “leveraging local data sources.”

4. Approve/Deny/Approve with Condition

Under this step you should establish business rules and process triggers to “facilitate control and monitoring throughout the life of each contract.” As the risk level increases you should apply more stringent controls on the third party. This would also include more intense monitoring of the relationship on an ongoing basis.

5. Train/Control

Your company should establish anti-corruption training for each risk level of third party with which you do business. You should administer the training, whether live, computer based or webinar, for different third party audiences “taking cultural issues into consideration and addressing role-specific needs.” You should assess and certify the results of your training or certify third party awareness through its own training program. Lastly the “control” portion of this step relates to compliance terms and conditions, which should be included in any written agreement with your third party.

6. Monitor/Review

Switzer ends her six-point program by noting that you should “establish monitoring and re-approval requirements for each risk level.” There should be continued contact and monitoring by a combination of business unit sponsor and trusted outside professionals. There should be mandatory re-approval at fixed points as well as an action plan to address any red flags which might arise during the relationship.

I find the OCEG Anti-Corruption Illustrated series to be a very useful tool to help visualize the compliance process. While not in the same league as Classics Illustrated they certainly are a useful tool for the compliance practitioner. I would urge you to visit the OCEG website for their series and many other useful tools.

© Thomas R. Fox, 2012

March 21, 2012

OCEG Illustrated Series: Managing Corruption Risks

How do you move off dead center? That was a question posed by my colleague Mary Jones in a recent guest blog post. She gave several concrete steps in answer to her own question. This question was further explored in the January issue of the Compliance Week magazine which began a six-part “Anti-Corruption Illustrated” series by Carole Switzer, President of the Open Compliance and Ethics Group (OCEG). OCEG is an organization which “develops standards and guidance to help organizations achieve Principled Performance”; that is, “the reliable achievement of objectives while addressing uncertainty and acting with integrity.” OCEG’s Illustrated Series is a teaching method developed to visually represent how to set up processes and procedures in various areas and disciplines. This Anti-Corruption Illustrated Series is a very useful tool for the compliance practitioner to use in explaining the components of an effective compliance program.

In the first article of her series, Switzer shares her views on how anti-corruption programs enable business agility. In addition to her own thoughts, Switzer moderated and reported on a roundtable discussion of compliance experts who shared their views on managing corruption risks. These experts included Steven Kuzma, Global Leader in Corporate Compliance at Ernst & Young; Jay Martin, Chief Compliance Officer at Baker Hughes; Mike Rost, Vice President at Thomson Reuters GRC; and Jim Slavin, Senior Director at SAI Global.

  1. Assess the Risk – In this step you identify corruption risk factors that your company may face. These can be based upon several different factors including the nature and location of your company’s business activities; your company’s third party relationships; and your company’s methods for obtaining and retaining business. You should evaluate and then rank these risks based upon your company’s risk appetite and be prepared to respond to internal or external forces that might change this risk assessment.
  2. Develop the Program – You should develop “a comprehensive and balanced anti-corruption program that corresponds to the risks identified in the assessment process.” This should include written policies, procedures and internal controls for all levels within your organization. You will need to obtain Board of Directors and senior management endorsement of your strategies and communication of this support.
  3. Define and Implement Policies – In this step you should consider the written policies which map to the applicable regulations, obligations and business processes that you have created. Ownership of these requirements within the business is critical to their success and there should be communication to key stakeholders including “staff, third parties, auditors and customers.”
  4. Build and Operate Controls – Next you will need to establish “procedures and controls to prevent, detect, correct, and mitigate the risks” which you have identified and ranked. There needs to be ownership established to monitor these controls with regular documentation, continued assessment and testing of these controls.
  5. Train and Educate – You must develop and deliver training to “raise stakeholder awareness and competence regarding anti-corruption goals, policies, procedures and [internal] controls.” This should include identification of “role-specific programs with desired outcomes” with delivery methods to get your message across to the various target audiences.
  6. Monitor and Evaluate – Here OCEG suggests a five-step process to track and assess policies and controls for effectiveness.
    1. Screen – Monitor vendor, partner and customer records against trusted data sources for red flags.
    2. Identify – Establish helplines and other open channels for reporting of issues and asking questions by employees and appropriate third parties.
    3. Investigate – Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
    4. Analyze – Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
    5. Audit – Finally, your company should have regular internal audit reviews and inspections of your company’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.
  7. Review, Realign and Report – This step requires you to “take timely corrective and disciplinary action for violation” of your company’s program. Your program should be regularly evaluated and aligned with any new or additional corruption risks which are found. Both the Board of Directors and senior management must be informed through regular reporting. Finally, there should be a professional external review on no less than a two-year basis to determine your program’s overall sufficiency.

Switzer’s article and report on the roundtable discussion are very useful tools for the compliance practitioner. Her article includes a removable copy of the OCEG Illustrated Series on managing corruption risk. I heartily recommend it to you.
