This article was written by Justin McDonnell, Jane Menzies and Millie Burnett.
The US Department of Justice (DOJ) has recently published a guide to "Evaluation of Corporation Compliance Programs". It provides a timely reminder of the importance of continuous monitoring and evaluation of a corporation's compliance regime, particularly in the area of anti-bribery and corruption.
Bribery laws at home and abroad
Australia's Criminal Code (Cth) prohibits bribing foreign public officials in international business transactions. Penalties for corporations are at least $18 million and can be up to three times the value of the benefit obtained or 10% of a corporation's annual turnover. The Foreign Corrupt Practices Act 1997 (US) (FCPA) and the Bribery Act 2010 (UK) go beyond prohibiting bribery of foreign government officials. In the UK, it is an offence for a corporation not to have an effective compliance program in place to prevent bribery, while the US laws impose criminal liability on corporations that do not accurately maintain their books and records. Given that the UK and US are held out as bastions in the anti-corruption drive, much can be learned from the US approach to corporate compliance.
What are the key aspects of a best-practice corporate compliance program?
US authorities aggressively pursue criminal allegations of corruption. In a ten-day period last month, six companies settled FCPA-related charges by paying a combined total of $256.5 million to the DOJ and the US Securities and Exchange Commission. Examining a company's compliance program is a standard part of investigating corruption charges. While there is no one-size-fits-all approach to compliance, the DOJ's experience has shown that common issues arise in evaluating compliance programs regardless of the company involved. In addition to a well-designed compliance program, remedial efforts to implement, evaluate and continuously improve the program are crucial.
Compliance from the top down
A compliance program must apply equally to all employees. Senior and middle management must actively discourage misconduct. They must demonstrate a shared commitment to compliance with anti-bribery and corruption laws. A company's compliance function must be given the support it needs to implement compliance programs meaningfully. In this area, the DOJ commonly asks:
- How has senior leadership modelled proper behaviour to subordinates?
- How does the corporation monitor its senior leadership's behaviour?
- What specific actions have senior and middle management taken to demonstrate their commitment to compliance?
Procedures and risk assessments
Policies and procedures prohibiting misconduct must be designed to meet the specific requirements of each company. When designing new policies, business units should be widely consulted, particularly as they will need to implement new procedures day to day. Risk assessment is also crucial to identifying and addressing the particular risks each company faces. However, a static risk assessment is of little use; risks evolve along with the business. Comprehensive corruption risk assessments should be conducted periodically to ensure that the compliance program stays relevant and effective. In evaluating your policies and risk assessments, consider questions asked by the DOJ:
- What is your process for designing and reviewing anti-corruption policies and procedures?
- How do you identify, analyse and address risks?
- What information do you collect to detect misconduct and how does this information inform the compliance program?
- Has the risk assessment effectively addressed risks that have manifested in misconduct?
Training and communication
A good compliance program must be clearly communicated and implemented across all levels of a company. The DOJ suggests asking:
- What training has been provided to employees, particularly to anyone working in a high-risk area?
- How has senior management communicated the corporation's position on misconduct?
- What resources are available to employees to provide guidance on managing corruption risks?
Even the most carefully designed compliance program is ineffective without ongoing evaluation and revision. Anti-corruption measures need to be periodically tested to ensure they robustly respond to changing business circumstances. On this front, consider:
- Have you audited your compliance program by testing controls, analysing relevant data and interviewing employees and third parties on the ground?
- How often have you updated your risk assessments and reviewed your compliance policies and procedures?
- Have you considered whether your policies and procedures are suited to each business segment or company subsidiary?
What do you need to know?
- In managing corruption risks in Australia and abroad, a robust compliance program must meet your particular business risks. While initial design and implementation are important, the DOJ guide to "Evaluation of Corporation Compliance Programs" emphasises continuous evaluation, assessment and improvement.
- Anti-corruption risk assessments and relevant policies and procedures must be living documents that evolve with your business.
What do you need to do?
- Review and evaluate your compliance program using the questions that the DOJ provides.
- If an evaluation of your program identifies potential vulnerabilities, appropriate measures need to be designed, implemented and monitored.