Bribery is a widespread phenomenon. It raises serious social, moral, economic, and political concerns, undermines good governance, hinders development, and distorts competition. It erodes justice, undermines human rights and is an obstacle to reducing poverty. It also increases the cost of doing business, introduces uncertainties into commercial transactions, increases the cost of goods and services, diminishes the quality of products and services, which can lead to loss of life and property, destroys trust in institutions, and interferes with the fair and efficient operation of markets.
Governments have made progress in addressing bribery through international agreements such as the Organization for Economic Co-operation and Development Convention on Combating Bribery of Foreign Public Officials in International Business Transactions and the United Nations Convention against Corruption and through their national laws. In most jurisdictions, it is an offense for individuals to engage in bribery and there is a growing trend to make organizations, as well as individuals, liable for bribery. However, the law alone is not sufficient to solve this problem. Organizations have a responsibility to proactively contribute to combating bribery.
This can be achieved by implementing a robust Anti-Bribery Management System (ABMS), and through leadership commitment to establishing a culture of integrity, transparency, openness, and compliance. The nature of an organization’s culture is critical to the success or failure of an ABMS. The ABMS and supporting management systems help an organization to avoid or mitigate the costs, risks, and damage of involvement in bribery, to promote trust and confidence in business dealings, and to protect its reputation.
This article reflects good practice and can be used in all jurisdictions. It is applicable to small, medium, and large organizations in all sectors, including public, private, and not-for-profit sectors. The bribery risks an organization can face vary according to factors such as the size of the organization, the locations, and sectors in which the organization operates, and the nature, scale, and complexity of the organization’s activities.
1. Leadership and Tone at the Top
Governance body and board oversight
Any organization with a Governing Body (GB)/Board of Directors (BoD) has the fiduciary responsibility to demonstrate leadership and commitment with respect to the ABMS by:
- Approving the organization’s AB policy
- Ensuring that the organization’s strategy and AB policy are aligned
- At planned intervals, receiving and reviewing information about the content and operation of the organization’s ABMS
- Requiring that adequate and appropriate resources needed for effective operation of the anti-bribery management system are allocated and assigned
- Exercising reasonable oversight over the implementation of the organization’s ABMS by top management and its effectiveness
Thus, a GB/BoD shall be directly liable for any bribery uncovered under their watch. There is no hiding away.
Top management, Exco’s, and Manco’s
The top management, whether it is the Executive Committee (Exco) or Management Committee (Manco) has the following responsibilities, depending on the role:
- Ensuring that the ABMS, including policy and objectives, is established, implemented, maintained, and reviewed to adequately address the organization’s bribery risks
- Ensuring the integration of the ABMS requirements into the organization’s processes
- Deploying adequate and appropriate resources for the effective operation of the ABMS
- Communicating internally and externally regarding the anti-bribery policy
- Communicating internally the importance of an effective ABMS and of conforming to the anti-bribery management system requirements
- Ensuring that the ABMS is appropriately designed to achieve its objectives
- Directing and supporting personnel to contribute to the effectiveness of the ABMS
- Promoting an appropriate AB culture within the organization
- Promoting continual improvement
- Supporting other relevant management roles to demonstrate their leadership in preventing and detecting bribery as it applies to their areas of responsibility
- Encouraging the use of reporting procedures for suspected and actual bribery
- Ensuring that no personnel will suffer retaliation, discrimination, or disciplinary action for reports made in good faith, or on the basis of a reasonable belief of violation or suspected violation of the organization’s AB policy, or for refusing to engage in bribery
The GB/BoD and top management have the obligation to appoint an AB Compliance Function (ABCF). This function is responsible and has the authority for:
- Overseeing the design and implementation of the ABMS by the organization
- Providing advice and guidance to personnel on the ABMS and issues relating to bribery
- Ensuring that the ABMS conforms to the organization’s own requirements, the requirements of the stakeholders, and the global best practices (ISO 37001)
- Reporting on the performance of the ABMS to the GB/BoD and top management and other compliance functions, as appropriate
The ABCF must be adequately resourced and assigned to person(s) who have the appropriate competence, status, authority, and independence. The ABCF must have direct and prompt access to the GB/BoD and top management if any issue or concern needs to be raised in relation to bribery or the ABMS.
The top management can assign some or all of the ABCF to persons external to the organization. If it does, it must ensure that specific personnel have responsibility for, and authority over, those externally assigned parts of the function.
Decision-making is critical to implementing an ABMS. The ABCF must obtain the Delegation of Authority (DoA) for the making of decisions in relation to which there is a more-than-low risk of bribery, the organization shall establish and maintain a decision-making process or set of controls which requires that the decision process and the level of authority of the decision-maker are appropriate and free of actual or potential conflicts of interest. A critical part of the DoA is to review and implement continuous improvement strategies to empower the ABCF and the ABMS continuously. This is not a one-time exercise.
2. Understanding the Organizational Context
Understanding the organization and its context
Every organization is different, and one-size-fits-all methodologies do not work in the real world. As part of the continuous improvement strategy and to fully understand the context the organization functions within, issues critical to its purpose and that affect its ability to achieve the objectives of its ABMS must be identified and then assessed.
These issues will include, without limitation, the following factors:
- The size, structure, and delegated decision-making authority of the organization
- The locations and sectors in which the organization operates or anticipates operating
- The nature, scale, and complexity of the organization’s activities and operations
- The organization’s business model
- The entities over which the organization has control and entities which exercise control over the organization
- The organization’s business associates
- The nature and extent of interactions with public officials
- Applicable statutory, regulatory, contractual, and professional obligations and duties
Understanding the needs and expectations of stakeholders
Stakeholders are directly or indirectly part of any organization. One must understand the definition of stakeholders, prior to reading this further. Stakeholders are persons or organizations that can affect, be affected by, or perceive themselves to be affected by a decision or activity (ISO 73).
Every organization implementing an ABMS must determine:
- The stakeholders that are relevant to the ABMS, through a stakeholder analysis process. This shall include the Power/Influence matrix analysis of every stakeholder.
- The relevant requirements of these stakeholders. In identifying the requirements of stakeholders, an organization can distinguish between mandatory requirements and non-mandatory expectations of, and voluntary commitments to stakeholders.
Bribery risk assessment
Anti-Bribery Risk Assessment (ABRA) is the departure point in understanding the risks pertaining to bribery. The ABRA must include the following as a minimum requirement:
- Establish criteria (low, medium, high) for evaluating the level of bribery risk, which shall consider the organization’s policies and objectives
- Identify the bribery risks the organization might reasonably anticipate, given the factors listed in the internal and external context analysis
- Analyze, assess, and prioritize the identified bribery risks
- Evaluate the suitability and effectiveness of the organization’s existing internal controls (IC) to mitigate the assessed bribery risks
- As part of the continuous improvement strategy, these assessments must be reviewed on a regular basis so that changes and new information can be properly assessed based on timing and frequency defined by the organization or in the event of a significant change to the structure or activities of the organization.
It must be understood that the ABRA is an official document and can form part of any criminal, civil, or discipline process, thus, it must be conducted by competent AB specialists. It must also be signed off by the top management and the GB/BoD.
The intention of the ABRA is to enable the organization to form a solid foundation for its ABMS. This assessment identifies the bribery risks that the management system will focus on, the bribery risks deemed by the organization to be a priority for bribery risk mitigation, control implementation, and allocation of anti-bribery compliance personnel, resources, and activities.
3. Creating an Anti-Bribery Organizational Culture
Where the organization’s ABMS has assessed a morethan- low bribery risk in relation to specific categories of transactions, projects, or activities, planned or ongoing relationships with specific categories of business associates, or specific categories of personnel in certain positions, the organization shall assess the nature and extent of the bribery risk in relation to specific transactions, projects, activities, business associates, and personnel falling within those categories.
The ABMS shall include any due diligence necessary to obtain sufficient information to assess the bribery risk. The due diligence shall be updated at a defined frequency, so that changes and new information can be properly taken into account.
The purpose of conducting due diligence on certain transactions, projects, activities, business associates, or personnel is to further evaluate the scope, scale, and nature of the more-than-low bribery risks identified as part of the organization’s risk assessment. It also serves the purpose of acting as an additional, targeted control in the prevention and detection of bribery risk, and informs the organization’s decision on whether to postpone, discontinue, or revise those transactions, projects, or relationships with business associates or personnel.
Projects, specific transactions, and activities must be focused upon. The following are factors that the organization may find useful to evaluate:
- Structure, nature, and complexity (e.g., direct or indirect sale, level of discount, contract award, and tender procedures)
- Financing and payment arrangements
- Scope of the organization’s engagement and available resources
- Level of control and visibility
- Business associates and other third parties involved (including public officials)
- Links between any parties in point e. above and public officials
- Competence and qualifications of the parties involved
- Client’s reputation
- Reports in the market or in the press
Business associates are usually a due diligence focus and must include factors which the organization may find useful to evaluate:
- Whether the business associate is a legitimate business entity, as demonstrated by indicators such as corporate registration documents, annual filed accounts, tax identification number, listing on a stock exchange
- Whether the business associate has the qualifications, experience, and resources needed to conduct the business for which it is being contracted
- Whether and to what extent the business associate has an anti-bribery management system in place
- Whether the business associate has a reputation for bribery, fraud, dishonesty, or similar misconduct, or has been investigated, convicted, sanctioned, or debarred for bribery or similar criminal conduct
- The identity of the shareholders (including the ultimate beneficial owner(s)) and top management of the business associate, and whether they have a reputation for bribery, fraud, dishonesty, or similar misconduct
Anti-bribery controls and business associates
In relation to business associates not controlled by the organization for which the bribery risk assessment or due diligence has identified a more-than-low bribery risk, and where anti-bribery controls implemented by the business associates would help mitigate the relevant bribery risk, the organization shall implement procedures as follows:
- The organization shall determine whether the business associate has anti-bribery controls in place which manage the relevant bribery risk.
- Where a business associate does not have anti-bribery controls in place, or it is not possible to verify whether it has them in place:
- Where practicable, the organization shall require the business associate to implement anti-bribery controls in relation to the relevant transaction, project or activity.
- Where it is not practicable to require the business associate to implement anti-bribery controls, this shall be a factor taken into account in evaluating the bribery risk of the relationship with this business associate and the way in which the organization manages such risks.
Gifts, hospitality, donations, and similar benefits
Any organization needs to be aware that gifts, hospitality, donations, and other benefits can be perceived by a third party (e.g., a business competitor, the press, a prosecutor, or judge) to be for the purpose of bribery even if neither the giver nor the receiver intended it to be for this purpose.
A useful control mechanism is to avoid as far as possible any gifts, hospitality, donations, and other benefits which could reasonably be perceived by a third party to be for the purpose of bribery.
The benefits referred to could include, for example:
- Gifts, entertainment, and hospitality
- Political or charitable donations
- Client representative or public official travel
- Promotional expenses
- Community benefits
- Club memberships
- Personal favors
- Confidential and privileged information
A robust gifts and hospitality procedure must be implemented by the organization and be designed to:
- Control the extent and frequency of gifts and hospitality by:
- A total prohibition on all gifts and hospitality; or
- Permitting gifts and hospitality, but limiting them by reference to such factors as:
- A maximum expenditure (which may vary according to the location and the type of gift and hospitality)
- Frequency (relatively small gifts and hospitality can accumulate to a large amount if repeated)
- Timing (e.g., not during or immediately before or after tender negotiations)
- Reasonableness (taking account of the location, sector, and seniority of the giver or receiver)
- Identity of recipient (e.g., those in a position to award contracts or approve permits, certificates, or payments)
- Reciprocity (no one in the organization can receive a gift or hospitality greater than a value which they are permitted to give.)
- The legal and regulatory environment
- Require approval in advance for gifts and hospitality above a defined value or frequency by an appropriate manager
- Require gifts and hospitality above a defined value or frequency to be made openly, effectively documented (e.g., in a register or accounts ledger), and supervised
Raising concerns or implementing a whistleblowers policy is a critical step in changing the culture of any organization on route to ABMS maturity. The organization shall implement procedures which:
- Encourage and enable persons to report in good faith or on the basis of a reasonable belief attempted, suspected, and actual bribery, or any violation of or weakness in the anti-bribery management system, to the anti-bribery compliance function or to appropriate personnel
- Except to the extent required to progress an investigation, require that the organization treats reports confidentially, to protect the identity of the reporter and of others involved or referenced in the report
- Allow anonymous reporting
- Prohibit retaliation, and protect those making reports from retaliation, after they have in good faith, or on the basis of a reasonable belief, raised or reported a concern about attempted, actual, or suspected bribery or violation of the anti-bribery policy or the ABMS
- Enable personnel to receive advice from an appropriate person on what to do if faced with a concern or situation which could involve bribery
Through inductions, training, and awareness programs, the organization shall ensure that all personnel are aware of the reporting procedures and are able to use them, and are aware of their rights and protections under the procedures.
Investigating and dealing with bribery
Appropriate procedures on how to investigate and deal with any issue of bribery, or violation of anti-bribery controls, which is reported, detected, or reasonably suspected, must be developed and implemented. How an organization investigates and deals with a particular issue will depend on the circumstances.
Every situation is different, and the organization’s response should be reasonable and proportionate to the circumstances. A report of a major issue of suspected bribery would require a far more urgent, significant, and detailed action than a minor violation of anti-bribery controls. The suggestions below are for guidance only and should not be taken as prescriptive.
The ABCF should preferably be the recipient of any reports of suspected or actual bribery or violation of anti-bribery controls. If the reports go in the first instance to another person, the organization’s procedures should require that the report is passed on to the compliance function as soon as possible. In some cases, the compliance function will itself identify a suspicion or violation.
The procedure should determine who has responsibility for deciding how the issue is investigated and dealt with. When any issue is identified, top management or the compliance function (as appropriate) should assess the known facts and potential severity of the issue. If they do not already have sufficient facts on which to decide, they should start an investigation.
The investigation should be carried out by a person who was not involved in the issue. It could be the compliance function, internal audit, another appropriate manager, or an appropriate third party. The person investigating should be given appropriate authority, resources, and access by top management to enable the investigation to be effectively carried out. The person investigating should preferably have had training or prior experience in investigating. The investigation should promptly establish the facts and collect all necessary evidence by, for example:
- Making inquiries to establish the facts
- Collecting all relevant documents and other evidence
- Obtaining witness evidence
- Where possible and reasonable, requesting reports on the issue to be made in writing and signed by the individuals making them
Once the investigation is completed, and/or has sufficient information to be able to make a decision, the organization should implement appropriate follow-up actions. Depending on the circumstances and the severity of the issue, these could include one or more of the following:
- Terminating, withdrawing from, or modifying the organization’s involvement in, a project, transaction, or contract
- Repaying or reclaiming any improper benefit obtained
- Disciplining responsible personnel (which, depending on the severity of the issue, could range from a warning for a minor offense to dismissal for a serious offense)
- Reporting the matter to the authorities
- If bribery has occurred, taking action to avoid or deal with any possible consequent legal offenses
4. Anti-Bribery Maturity Assessments
The Anti-Bribery Maturity Model (ABMM) outlines Key Anti-Bribery Indicators (KABI) and activities that comprise a sustainable, repeatable, and mature anti-bribery management system program.
ABMM is not a generic maturity model which one can obtain from the internet, if available. It is a specifically designed model to address the Key Anti-Bribery Indicators (KABI) as required by the organization and its unique environment it operates in.
Taking the unique designed ABMM maturity assessment, organizations benchmark how in line their current anti-bribery management practices are with the KABI.
This provides a clear and understandable road map, with milestones and performance indicators to the organization to be used for the duration of the implementation period. This is in short, the GPS directions of achieving the objectives.
Without the ABMM, most organizations run around, waste time, implement unnecessary structures and processes, and over complicate the ABMS.
As experts in this field, Crest Advisory Africa (CAA) has implemented various ABMSs across the globe due to our speed of implementation and the outcome of years of building and understanding these models.
The following are some recommendations on how to create a culture of compliance and have a robust compliance program:
- Contact the experts to conduct an ABMM assessment to determine where you are and where you need to be
- Develop the road map to implement and grow in maturity
- Create the strategy you need to follow to achieve the culture change and to build a robust ABMS
- Build and implement an open, transparent, and integrated training and awareness program to improve the competencies across the organization
- Empower the AB compliance function to conduct a comprehensive AB Risk Assessment
- Take control of a zero tolerance approach regarding gifts, hospitality, donations, and any other benefits. This means to conduct a physical walk through every office and collect, record, and remove all the gifts and any brands from business associates from all the offices.
- Conduct due diligence pertaining to every company found to provide gifts to any person of your company
- Develop and implement a robust whistleblowers policy
- Implement a hotline for anyone to report anonymously, addressing all modes of reporting
- Appoint AB champions in the organization to identify and recognize anything which could raise concerns
- Make the implementation of an ABMS a requirement to all the top 10-20 vendors or at-risk vendors identified during the AB Risk Assessment
- Enforce compliance and be consistent
Bribery, whether direct or indirect, is a global phenomenon. Any organization that wants to conduct business globally, must make a deliberate, intentional, and conscious decision to continuously improve their global standing.
Through the implementation of a robust ABMS, companies can compete and grow without fear of reputational risk. The benefits outweigh the decision of not implementing an ABMS. Not implementing an ABMS is also a deliberate, intentional, and conscious decision.