Anti-bribery laws, including the United States’ own Foreign Corrupt Practices Act, seem to be becoming the stuff of Aesop’s Fables, with many asking whether the resounding alarm over bribery-exposure is akin to the cries of “wolf” by the shepherd boy. The alarm is real enough, however. The Securities and Exchange Commission and the Department of Justice have brought an average of 30 cases per year since 2005. These laws impact small and medium-sized companies and their executives, as well. In July 2014, Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit explained that “small and medium-size businesses that want to enter into high-risk markets and expand their international sales” must be compliant with the FCPA.

So, if the wolf is really amongst the flock—or, at least, potentially in the neighborhood—what is one to do? Pull back from China, India, Brazil and Russia? Spend millions of dollars in legal fees with a major New York law firm? Respectfully, no. We recommend five simple steps to ensuring—as best as possible—that you can keep the wolf at bay, at a reasonable cost to your enterprise.

Be Aware of Your Risks. When it comes to corruption risks, there is no one-size fits all approach. Each business must be aware of its own risks. Corruption risks are directly tied to (i) the contacts a business has with the government of any particular country and (ii) the corruption perception of the government of such countries. In a highly-regulated country, in which licenses and permits are required at every turn, the corruption risk may be higher than that in either a less-regulated country or a similarly regulated country that is not perceived to be as corrupt. One of our clients, for example, requires licenses and permits for all of its work—its current project in Turkmenistan (which ranks 168 out of 177 on the Corruption Perception Index), poses risk on both fronts. In such situations, each of the steps below require more emphasis and care. On projects in countries with less regulation or lower corruption-perception levels, on the other hand, some of these steps may be less important.

Have a Compliance Policy. The vigilant shepherd must have a plan before the wolf is amongst the flock. Similarly, companies doing business overseas ought to have an anti-corruption policy in place before learning of a potential problem. According to “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” published by the Department of Justice and the Securities and Exchange Commission (available here at p. 56), an effective compliance program “may influence whether or not charges should be resolved through a deferred prosecution agreement (DPA) or a non-prosecution agreement (NPA) … [and] will often affect the penalty amount and the need for a monitor or self-reporting.” An effective compliance program, “tailored to the company’s specific business and to the risks associated with that business,” can help set the ethical tone in a company, as well as spot and root out potential corruption through strong internal controls, audit practices and documentation policies. With the proliferation of anti-corruption prosecutions, law firms across the country—not just the large coastal firms—have the expertise to cost-effectively draft and tailor such policies.

Train Your Employees. Of course, once the plan is in place, employees must be trained on the plan. At a minimum, senior executives and the board must be trained on the company’s anti-corruption policy—and specifically incentivized to pass their training through the organization. For companies that regularly and consistently engage in the same business throughout the world, such training ought to be provided to the specific employees operating internationally. For companies that act internationally on a project-by-project basis, training ought to be modified and redelivered for each project in order to ensure that the company has identified, quantified, and addressed specific potential threats.  Simply requiring that employees read a handbook that includes an anti-corruption policy is not enough. A company must have taken at least these minimum steps for its policy to be deemed effective.

Monitor Activity in Your Company. Given the ever-shifting sands of business, an effective anti-corruption policy must include a method for monitoring employee activity.  For instance, corruption risks arise in any situation in which corporate employees are entertaining, working with, or seeking business from, government employees.  Effective monitoring could include: (i) an approval process by which significant expenditures are approved in advance by senior-level management; (ii) a documentation policy by which all sales and marketing expenses are recorded, along with backup in the form of receipts, credit card bills, or written proposals that have been approved by a higher level of management; and (iii) a computer program by which expenses can be reported and approved prior to reimbursement. In addition, monitoring must include a method by which members of management—preferably the Compliance Department or their proxies—visit remote projects, business locations, or other outposts, to ensure that formal controls are being followed. Simply floating the policy throughout the company, without more, will not likely convince the Department of Justice or the Securities and Exchange Commission that the policy is a “good faith” effort to prevent corruption.

Require Third Parties to Indemnify for Corruption Risks. Third party vendors also pose a risk of corruption. For instance, a freight forwarder who assists a United States manufacturer in getting its raw materials into Mexico and its finished products back from its Mexican maquiladora could be a corruption risk if it is paying extra money at the border to move goods more efficiently. Or, an agent helping a company obtain contracts that require government approval might pose a corruption risk if he or she is lavishing government officials with gifts to obtain better visibility with those officials. One way to avoid this risk is to consistently monitor third-party activities—perhaps even to have a software system into which the third party vendors are to submit invoices so that the software can track amounts charged against historic prices to spot discrepancies (padded invoices being one place in which reimbursement for bribes are hidden). For many companies, the expense of such a program may outweigh its benefits. An alternative is to require third party vendors to certify—as part of their contracts with your company—that they have an anti-corruption policy that comports with the Foreign Corrupt Practices Act (at a minimum) and that they will certify that their employees comply with that policy. For smaller vendors, this alone may be sufficient. For more significant vendors, a company may wish to perform a moderate amount of due diligence to assure itself that the third party vendor has a robust program in place.  Several companies exist that perform such due diligence—including basic reputational due diligence so your company can assess the risk of partnering with specific third parties—for a reasonable fee.

These five, simple, steps can help you be sure that, if the wolf visits your flock, you will be prepared.