OCEG Illustrated Series: Managing Corruption Risks

How do you move off dead center? That was a question posed by my colleague Mary Jones in a recent guest blog post. She gave several concrete steps in answer to her own question. This question was further explored in the January issue of the Compliance Week magazine which began a six-part "Anti-Corruption Illustrated" series by Carol Switzer, President of the Open Compliance and Ethics Group (OCEG). OCEG is an organization which "develops standards and guidance to help organizations achieve Principled Performance"; that is, "the reliable achievement of objectives while addressing uncertainty and acting with integrity." OCEG's Illustrated Series is a teaching method developed to visually represent how to set up processes and procedures in various areas and disciplines. This Anti-Corruption Illustrated Series is a very useful tool for the compliance practitioner to use in explaining the components of an effective compliance program.

In the first article of her series, Switzer shares her views on how anti-corruption programs enable business agility. In addition to her own thoughts, Switzer moderated and reported on a roundtable discussion of compliance experts who shared their views on managing corruption risks. These experts included Steven Kuzma, Global Leader in Corporate Compliance at Ernst & Young, Jay Martin, Chief Compliance Officer at Baker Hughes, Mike Rost, Vice President at Thompson Reuters GRC and Jim Slavin, Senior Director at SAI Global.

1. Assess the Risk - In this step you identify corruption risk factors that your company may face. These can be based upon several different factors including the nature and location of your company's business activities; your company's third party relationships; and your company's methods for obtaining and retaining business. You should evaluate and then rank these risks based upon your company's risk appetite and be prepared to respond to internal or external forces that might change this risk assessment.
2. Develop the Program - You should develop "a comprehensive and balanced anti-corruption program that corresponds to the risks identified in the assessment process." This should include written policies, procedures and internal controls for all levels within your organization. You will need to obtain Board of Directors and senior management endorsement of your strategies and communication of this support.
3. Define and Implement Policies - In this step you should consider the written policies which map to the applicable regulations, obligations and business processes that you have created. Ownership of these requirements within the business is critical to their success and there should be communication to key stakeholders including "staff, third parties, auditors and customers."
4. Build and Operate Controls - Nest you will need to establish "procedures and controls to prevent, detect, correct, and mitigate the risks" which you have identified and ranked. There needs to be ownership established to monitor these controls with regular documentation, continued assessment and testing of these controls.
5. Train and Educate - You must develop and deliver training to "raise stakeholder awareness and competence regarding anti-corruption goals, policies, procedures and [internal] controls." This should include identification of "role-specific programs with desired outcomes" with delivery methods to get your message across to the various target audiences.
6. Monitor and Evaluate- Here OCEG suggests a five step process to track and assess policies and controls for effectiveness.
   1. Screen - Monitor vendor, partner and customer records against trusted data sources for red flags.
   2. Identify - Establish helplines and other open channels for reporting of issues and asking questions by employees and appropriate third parties.
   3. Investigate - Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
   4. Analyze - Evaluate data to determine "concerns and potential problems" by using data analytics, tools and reporting.
   5. Audit - Finally, your company should have regular internal audit reviews and inspections of your company's anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.
   6. Review, Realign and Report - This step requires you to "take timely corrective and disciplinary action for violation" of your company's program. Your program should be regularly evaluated and aligned with any new or additional corruption risks which are found. Both the Board of Directors and senior management must be informed through regular reporting. Finally, there should be a professional external review on no less than a two year basis to determine your program's overall sufficiency.

Switzer's article and report on the roundtable discussion are very useful tools for the compliance practitioner. Her article includes a removable copy of the OCEG Illustrated Series on managing corruption risk. I heartily recommend it to you.

Visit the FCPA Compliance and Ethics Blog, hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and other forms of risk management for a worldwide energy practice, tax issues faced by multi-national US companies, insurance coverage issues and protection of trade secrets.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

For more information about LexisNexis products and solutions connect with us through our corporate site.