The Bribery Act came into force on 1 July 2011. After a slow start, the Serious Fraud Office (SFO) has started to gain traction with recent high profile prosecutions of Standard Bank and the Sweett Group. The main issue to date has been the lead in time. The Bribery Act does not have retrospective effect. Consequently, where the conduct pre-dates the coming into force of the Act, prosecutions have been pursued under the prior legislation. We are now getting to the point where conduct is being caught by the Act as it occurred after 1 July 2011. The SFO has signalled its intent to be more aggressive in its pursuit of prosecutions under the Act, with the focus as much on corporate wrong doing as it is on individual misconduct. Consequently, at least for the reason we identify in this article, for multi-national corporations, bribery risk exposure will increasingly be an area of concern.
Bribery and the Corporate Offence
Under the Act, it is an offence for a person to bribe or be bribed. A bribe is essentially the offer of a financial or other advantage with the intent that the person receiving it is induced to improperly perform their function.
Section 7 of the Act makes it an offence for a "commercial organisation" to fail to prevent bribery and they are guilty of any offence where an "associated person" bribes another person, intending to obtain or retain business or to obtain or retain an advantage in the conduct of business.
Importantly, it is a defence for the commercial organisation to prove that it had in place adequate procedures designed to prevent a person associated with it from undertaking such conduct. The procedures to be put in place are guided by six non-prescriptive principles laid down by the government:
- Principle 1: Proportionate Procedures
- Principle 2: Top-level commitment
- Principle 3: Risk Assessment
- Principle 4: Due Diligence
- Principle 5: Communication
- Principle 6: Monitoring and review.
In this article, we focus primarily on Risk Assessment, however, it is important first to highlight the extra-jurisdictional reach of the Act as this goes a long way in explaining why risk assessment is such an important aspect
The Extra Jurisdictional Reach of the Act
It is crucial for multi-national businesses to understand that the Act is not just concerned with what happens in the UK. It extends to conduct outside of the UK even where that conduct occurs wholly outside of the UK. Its extra-jurisdictional reach is enshrined in the Act.
- Section 7(5) defines "commercial organisation" as being a UK incorporated body or "any other body corporate (wherever incorporated) which carries on a business, or part of a business, in any part of the UK".
- Section 8 defines "associated person" very widely as being a person who performs services for or on behalf of the "commercial organisation" and it does not matter in what capacity they do so, whether for example as an employee, agent or subsidiary.
- Sections 12(5) and (6) provide that an offence is committed under s.7 irrespective of whether the act or omission which forms part of the office takes place in the UK or elsewhere and further, where no act or omission takes place in the UK, proceedings for the offence may be taken in the UK.
If a corporate carries out business in the UK, it can be prosecuted in the UK under s.7 regardless of where the conduct was carried out. As a result, all corporates who do business in the UK need to be aware of the provisions of the Act and have put in place policies and procedures, including carrying out a risk assessment, to prevent bribery. A failure to do so will leave the corporate exposed to prosecution under s.7.
It is worth noting that there is some debate around what "carries on a business" means. It is not defined in the Act. It clearly denotes more than just a mere physical or legal presence in the UK. Whilst it is obviously inherent that there needs to be some activity, exactly what activity is open to debate. It naturally includes the corporates regular trade or commercial activity but there can be little doubt that the intention was to widely define the activity being carried out. It seems likely that this will be an area for judicial consideration and direction.
All of the six principles laid down by the government are important, however, the need to carry out and periodically review risk assessment processes and procedures is potentially the most challenging area. The fundamental requirement is that the corporate assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment must be periodic, informed and documented. But what does this mean?
What the corporate needs to do is understand where its exposures lie. At a fundamental level, this may appear straight forward. Surely any responsible corporate will know how it does its business, who it deals with and where it does it. As a result, it should know and understand what risks are associated with its business sector, its business partners and the countries in which it operates.
However, getting it right requires a multi-faceted approach. There needs to be:
- Top level management oversight: The government's guidance dictates a trickle down approach so that an anti-bribery culture is embedded in the organisation, driven by top level management. Further, how else can a corporate truly understand its risks other than with the involvement and knowledge of its business leaders?
- Appropriate resources devoted to the risk assessment process: Not only in terms of man power but also in their experience and expertise, which is especially important for corporates with diversified interests.
- Proper identification of internal and external information sources that will enable the risk to be assessed and reviewed: The best source of information is quite often the employees whose input can be obtained through workshops, interviews and questionnaires whilst external sources can include canvassing diplomatic services and other governmental organisations, chambers of commerce, trade organisations or via specialist advice from private agencies.
- Adequate and proportionate due diligence of employees and agents: Through H.R processes on recruitment of employees and where agents are engaged, obtaining information on their background, properly defining the services to be provided, taking and following up references, obtaining evidence of the agent’s own anti-bribery policies and being satisfied that their fees are commercial and reasonable.
- Adequate documentary records of assessments carried out and their conclusions: Such that anyone reviewing them is able to understand what the risk is, how it has been assessed, how the decision has been informed, and a clear statement of the outcome.
Getting it right in the first place is only half the story. There needs to be periodic review of the risks associated with the corporate’s business. Risks can and often do change. This can be driven by changes in the business itself or in the sectors or countries in which it operates. Most commonly, corporates will enter new sectors or new territories, possibly both at the same time. In doing so, it needs to assess whether its risk profile has changed. It must recognise the events that give rise to the need to undertake a review of its risk assessment. This may not mean, however, simply carrying out risk assessment on the specific sector or country. It may also require the corporate to consider whether its risk assessment resources are adequate to carry out the risk assessment in their current form. It may also need to consider whether it has access to the right information. In either case, before the corporate can embark on a sector/country risk assessment it may need to enhance its resources to enable it to properly do so.
External factors can also lead to a need to carry out further or enhanced risk assessment processes. Sometimes the need to do so is obvious, for example where social or political turbulence leads to changes in government or civil unrest. It may, however, be much more subtle: Laws may change which affect the way the corporate is able to do business in a particular jurisdiction, countries may exit from or join trade, economic or social alliances. Whatever the change is, the corporate needs the ability to recognise it and react accordingly. It is possible that no actual changes need to be made to processes and procedures as a result, but the corporate needs to consider it.
Failure to identify or address an obvious change in risk profile is going to give rise to a risk of exposure to prosecution under s.7 of the Act in the event that bribery has taken place. It will give rise to concerns about the adequacy of the procedures in place to identify and assess risk, most likely a lack of adequate resource, whether in terms of man power or experience and expertise. It may also lead to a finding that top level management has failed to exercise proper oversight of the process.
Identification of risk will naturally lead to consideration of how the risks are addressed. This may be via enhancement to existing control functions, implementation of new control functions, monitoring remedial actions to ensure they adequately fill any gaps identified and reporting outcomes.
What is important to bear in mind, however, is that corporates are not required to take exhaustive steps to eradicate the very possibility of bribery. Criminal activity is often by its very nature covert and difficult to identify. Adequate risk assessment enables corporates to understand where the risks lie, to put in place those procedures aimed at preventing bribery and to monitor and react to change. The ability to identify and assess risk is an essential part of the procedures that a corporate needs to have in place to enable it to address bribery and to be able to defend itself against exposure to prosecution under s.7 of the Act. Recognising the fact that the Act applies to conduct outside of the UK is an essential element of understanding bribery risk.
In addition to the legal woes that come along with SFO investigations and prosecutions, corporates must also pay close attention to the potential for significant reputational damage. Given that this damage often outlasts the legal process, the importance of understanding and managing reputational risk cannot be overstated.
It is crucial that corporates operating in territories with high corruption risk have plans in place to immediately address any instances or allegations of impropriety. In the midst of a crisis, there is no time to step back and build the internal capacity needed to effectively respond to reputational threats. Developing crisis communications strategies and protocols in advance enables corporates to quickly respond to any issues as they arise, rather than waiting for them to escalate.
These crisis communications plans must take into account both traditional and social media. Many companies have learned the hard way that social media can turn an obscure local story into an international issue overnight. In order to effectively manage their reputations in this new communications landscape, corporates must understand how to effectively monitor and engage through online platforms.
It is increasingly clear that legal and public relations risk management strategies cannot operate in a vacuum. The two must be seamlessly coordinated in order to be as effective as possible.