In the wreckage of a corporate FCPA enforcement action, a company has to answer two important questions.
First, how did the conduct occur without senior executives and the Board learning or suspecting that such conduct was occurring or could occur?
Second, how did the wrongdoers obtain access to the money needed to fund the bribery scheme?
I know these two questions are fairly obvious, but hopefully they will focus the company’s analysis on the right issues.
The focus on the senior executives and the board is akin to the famous Watergate question (I know this shows my age) – what did the senior executive know or not know and when did he know or not know it?
At bottom, this inquiry is focused on how relevant operational information is shared and analyzed in relation to compliance monitoring functions. For example, if the misconduct occurred in a region where employees have not been trained and no monitoring activities (e.g. audits, sampling or other techniques) have occurred, senior executives and the board have to redouble their monitoring and supervision activities and refocus them on the high-risk regions and activities where misconduct can occur.
A chief compliance officer has limited resources, time, and effort that have to be structured to respond to risks in a meaningful manner. To do so, a CCO has to be mindful of the importance of creating information-gathering systems that collect the right information, ensure accurate analysis, and then ensure effective responses. In this process, a CCO is likely to learn about high-risk operations that need to be addressed. Unfortunately, because resources are frequently lacking, a CCO is constrained to respond to risks by triaging them by level of risk.
The second question is an important inquiry that is often ignored by CCOs when reviewing corporate bribery schemes. To pay a bribe requires money (how about that for insight?). A corporate actor is unlikely (but it is possible) to pay for a bribe from his or her own pocket. So the important question is how did the corporate actor (or actors) obtain access to the money required to fund the scheme?
In the aftermath of a bribery scandal, you can bet that the financial controls surrounding the money used by the corporate wrongdoer(s) were weak, typically involving segregation-of-duties conflicts, inadequate monitoring of invoices or receipts, and lapses in other paperwork/documentation requirements.
As I frequently repeat, companies have to take proactive steps to control access to money in high-risk areas. The focus of a compliance program should include coordination with appropriate financial officials to design and implement robust financial controls in high-risk regions and operations. To ignore this fundamental requirement is the same as playing Russian roulette. Bribery is bound to occur in this environment.
In some countries where bribery is rampant (e.g. China and India), a company should take the basic and proactive step of appointing a person to the disbursement function who has little to no local ties, and build in appropriate segregation-of-duties controls to make sure that the disbursement function is operating effectively.
It is no surprise that companies often experience kickback or bribery problems when a local person is put in charge of the disbursement function and inadequate surrounding controls are employed to minimize the risk of unauthorized access to funds. This basic requirement is often ignored, and the failure is subsequently discovered in the wreckage of a bribery or kickback violation.