Recent enforcement activities in Canada under its Corruption of Foreign Public Officials Act (CFPOA), including the conviction of Niko Resources Ltd. (Niko) in June of last year and ongoing high-profile Royal Canadian Mounted Police (RCMP) investigations of other Canadian companies, has caught the attention of boards and executives across the country.1 Additional prosecutions or settlements are expected in the near future, as it is understood that the RCMP has over 30 foreign corruption investigations ongoing at this time.
This note highlights the importance of conducting a thorough risk assessment before designing and implementing compliance processes and procedures.
Anti-Corruption Risk Abroad Canadian companies operating abroad can face particularly high anti-corruption risk exposure depending on the countries in which they operate and their interactions with foreign government officials, whether directly or through agents, consultants or other third parties.
Canadian companies are now beginning to understand the risks and costs of non-compliance with the CFPOA and other anti-bribery regimes that may apply to them, including the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act 2010 (Bribery Act), and the very substantial impact of compliance failure on their directors, executives and employees, share price, the inherent value of their company, as well as their attractiveness to others as a business partner or acquisition target. Many are now looking to take the next step: the implementation of processes and procedures to ensure effective compliance is achieved. A quick search of the Internet can easily locate many examples of anti-corruption compliance programs and employee and executive training modules. These plans may cover all the right bases, namely implementing written processes and procedures and appropriate internal accounting controls, appointing responsible compliance officers, demonstrating strong senior management support, periodic training and certification, internal auditing, internal reporting and voluntary disclosure, disciplinary procedures for non-compliance, agent and third party due diligence, and contract review. It is, however, critical that companies ensure they have first conducted a thorough risk assessment before developing, adopting and implementing these compliance mechanisms. Without undertaking an effective risk assessment exercise and then properly tailoring your compliance measures to your company’s specific circumstances, the compliance program will be of little assistance, and in some cases can be harmful to the company.
Undertaking Risk Assessment
The internal controls and policies specified in the Probation Order agreed to by Niko and approved by the Court handling their guilty plea are particularly instructive as a list of CFPOA compliance measures expected to be implemented by Canadian companies. The importance of conducting a risk assessment was highlighted in the Probation Order as follows:
The company will develop these compliance standards and procedures, including internal controls, ethics and compliance programs, on the basis of a risk assessment addressing the individual circumstances of the company, in particular foreign bribery risks facing the company, including, but not limited to, its geographical organization, interactions with various types and levels of government officials, industrial sectors of operation, involvement in joint venture agreements, importance of licenses and permits in the company’s operations, degree of governmental oversight and inspection, and volume and importance of goods and personnel clearing through customs and immigration.2
This exercise is a significant one. In providing guidance on its Bribery Act, the U.K. government lists risk assessment as one of six fundamental principles for preventing bribery and identifies both external and internal risks to be considered.3 External risks are categorized into five groups: country risk, sectoral risk, transaction risk, business opportunity risk and business partnership risk, while common internal factors include deficiencies in employee training and skills, a culture that rewards excessive risk taking, a lack of clarity in the company’s policies, a lack of clear financial controls and a lack of a clear anti-bribery message from senior management.
Some Questions to Consider
Although the length of this note does not permit an exhaustive listing, some key questions and considerations Canadian companies should be addressing include:
- Where we do stand now? What current controls, due diligence and training programs do we have in place? Are they being taken seriously? Do our employees follow these procedures? What is the level of engagement of our senior management and executives? What is our history of compliance in this area?
- Where are our operations located? How are those countries ranked on indices, such as Transparency International’s Corruption Perceptions Index? What is the level of political stability and democracy in these locations? Are we vulnerable to risk of regime change? In addition to the CFPOA, how do other potentially aggressive anti-bribery regimes, such as those of the United States, the United Kingdom or the host country apply to our activities?
- Where and how do we interact with government officials? What are our government "touchpoints" through all stages of our business operations? What permits and licenses do we require? Do we also deal with government-owned or -controlled entities? How and with whom are our concession or royalty agreements negotiated? Do we need to import goods, equipment and heavy machinery for our operations and how do we deal with customs authorities in that process?
- Which positions within the company are most exposed? Which executives or employees have responsibilities for dealing with government officials or authorizing related expenditures? How are they compensated? What financial incentives may exist for individuals within the company to engage in bribery of government officials?
- How do we use third parties in our business operations? What kind of agents and consultants do we retain to assist us in developing and doing business in third countries? Do they interact with government officials on our behalf? How about lawyers, customs brokers and joint venture partners? How do we screen, approve, retain, pay and then monitor these third parties?
With this and other information flowing from their initial risk assessments in hand, companies should be well-positioned to develop anti-corruption compliance processes and procedures on a targeted and cost-effective basis.