PROTIVITI FLASH REPORT

U.K. Bribery Act 2010
Ministry of Justice Delays Publication of Updated Guidance, Indicates that Ongoing Review of Regulatory Impact Forced Further Delay

February 11, 2011

In November 2010, the U.K. Ministry of Justice (MoJ) closed the consultation period on the document containing "adequate procedures" guidelines for businesses. The final guidance was expected to be published in January 2011 to allow businesses an adequate familiarization period before the Act commences on April 1, The MoJ currently is still working on the guidance to make it practical and comprehensive for businesses.

On January 31, 2011, the MoJ indicated that it would not be able to meet its self-imposed January deadline to release the updated guidance. The MoJ did, however, confirm that when the guidance is published, it would be followed by a three-month notice period before implementation of the Bribery Act. As a result, it has been widely reported that the Act will not come into force until May 2011 at the earliest.

Despite this delay, Protiviti advises companies against delaying preparations for the Act. While further guidance is expected in a number of areas, in particular in relation to corporate hospitality, the key provisions of the Act are not expected to change. It likely will take companies much longer than they expect to define and implement adequate procedures. Defining policies and preparing guidance is only a small part of a comprehensive program. In our experience, many companies will require significantly more than the three-month notice period to roll out and embed a complete set of guidance on a global basis effectively.

The guidelines as they currently stand are not prescriptive and give only a high-level outline of the procedures that companies should put in place. They follow the general principles that the Serious Fraud Office indicated they would expect companies to have in place when deciding whether a company has an adequate defense to allegations of bribery. The guidance sets out six principles that should be considered when assessing the adequacy of procedures for bribery prevention. These are reproduced below.

Six Principles for Bribery Prevention

- Risk Assessment: The business should know and maintain an up-to-date assessment of the bribery risks that are faced in its sector and market.
- Top-Level Commitment: The business should establish a culture across the organization in which bribery is unacceptable. If the business is small or medium-sized, this may not require much sophistication. It is, however, important to make sure the message is clear, unambiguous and reinforced to staff and business partners on a regular basis.

- Due Diligence: The business should know who it does business with; know why, when and to whom it is releasing funds and seeking reciprocal anti-bribery agreements; and be in a position to feel confident that business relationships are transparent and ethical.
- Clear, Practical and Accessible Policies and Procedures: The business should establish an effective set of policies and procedures. These should be applied to everyone it employs and also to business partners under its effective control. The policies should cover all relevant risks, such as political and charitable contributions, gifts and hospitality, promotional expenses, and responding to demands for facilitation payments or when an allegation of bribery comes to light.
- Effective Implementation: This is about going beyond "paper compliance" to embedding anti-bribery in the organization's internal controls, recruitment and remuneration policies, operations, communications, and training on practical business issues.
- Monitoring and Review: This relates to auditing and financial controls that are sensitive to bribery and are transparent, considering how regularly the organization needs to review its policies and procedures, and whether external verification would help.

The MoJ has provided commentary on these principles but, to date, has offered no specific solutions to the scenarios contained in the document, many of which could typify the situations encountered by businesses, particularly those operating in areas prone to corruption.

The New Offenses

Following is a high-level summary of the four categories of offenses contained in the Bribery Act. Crucial is the new corporate offense which can be committed by a company (or partnership) if an associated person performing services on its behalf bribes another person in order to obtain or retain either business or a business advantage for the company.

1. Bribing another person
It will be an offense to offer, promise or give an advantage to someone:
- With the intention of inducing that person to behave improperly;
- As a reward for that person to behave improperly; and
- Knowing or believing that the recipient's acceptance of the advantage would constitute improper behavior.

2. Being bribed (as the recipient of the bribe)
It will be an offense for a person to receive a bribe if that person requests, agrees to or receives an advantage to act in an improper manner. It does not matter whether the recipient receives or accepts the advantage directly or through a third party or whether it is for the recipient's benefit or that of another. It also does not matter, in most cases, whether the recipient even knows his or her acceptance constitutes a bribe.

3. Bribing a foreign public official
It will be an offense to bribe a foreign public official by offering an advantage to the official, which is not permitted or required by the written law applicable to that official, with the intention of obtaining or retaining a business advantage. Unlike the above offenses, there is no requirement that the advantage offered or given was improper.

4. Failure to prevent bribery
A company or partnership will be automatically liable for any bribe offered or given in connection with its business unless it can effectively demonstrate that it has in place adequate procedures designed to prevent such bribery.

Meaning of An Associated Person

The Act does not clarify in detail the concept of an associated person. The definition reported within the Act states that a person is associated with an organization if he/she performs services on its behalf. As it is currently worded, an associated person could be interpreted as an employee, agent, intermediary or even an introducer. It is, again, left to the courts to define the concept of an associated person. As stated in the Act, the courts should take into account all the relevant circumstances and not just the nature of the relationship between the parties.

Jurisdictional Reach

The Bribery Act is far reaching. The new corporate offenses apply to any U.K.-incorporated entity and any overseas entity that carries on a business or part of a business in the United Kingdom. No official interpretation is provided by the U.K. government to define the concept of "part of a business." It will be left to the courts to interpret this concept.

The Bribery Act Reaches Beyond the Scope of the FCPA

U.K. companies that are aware of, or comply with, the U.S. Foreign Corrupt Practices Act (FCPA) should bear in mind that the provisions of the Bribery Act are not the same and the penalties for violation of the latter are more severe. The Bribery Act is significantly broader than the FCPA, and features stricter scrutiny and enhanced criminal penalties.

It is important to note that U.S. companies with U.K. offices will be responsible for complying not only with the FCPA, but also with the Bribery Act. Consequently, U.S. companies will need to revise their FCPA compliance programs to take into account the U.K. Bribery Act provisions.

Following are the key differences between the Bribery Act and the FCPA:

- The FCPA focuses on anti-corruption of foreign governmental officials, whereas the Bribery Act also covers nongovernmental officials (i.e., private citizens). The Bribery Act makes any bribery illegal, not just the bribing of a foreign government official (or the attempt thereof).
- In addition to making illegal the actual or attempted bribery of private individuals and public officials, the Bribery Act also makes the receipt of bribes illegal. The FCPA contains no such provision.
- Unlike the FCPA, the Bribery Act does not have a facilitation payments defense.
- Under the Act, certain types of corporate hospitality are prohibited if they are intended to subvert the duties of good faith or impartiality that the recipient owes his or her employer.
- The FCPA has no strict liability on the company either written directly into the statute or interpreted by judicial review. The Bribery Act creates a new strict liability of corporate offense for the failure of a corporate official to prevent bribery. Under the Bribery Act, a company will be liable if anyone acting under its authority commits a bribery offense, including employees, agents, subsidiaries, joint venture partners and consultants. The only satisfactory defense is where a company has adequate procedures in place to prevent bribery offenses.

- The FCPA has criminal penalties of five years per offense. Companies may be fined up to $2 million per violation, while individuals may be fined up to $100,000 per violation and/or receive up to five years in prison. Fines may be higher under the Alternative Fines Act. Also, it is important to note that companies may not pay fines on behalf of an employee. The Bribery Act has penalties of up to 10 years per offense and unlimited fines for companies accused of bribery that do not have adequate procedures in place.
- The FCPA requires that the company's books and records provide reasonable detail so that transactions and disposition of assets are reflected accurately and fairly. A reasonableness standard, rather than a materiality standard, is applied. This means that if bribes and kickbacks have been made, there ought to be accurate records to reflect this. The Bribery Act has no equivalent provision (except insofar as companies are required to maintain accounts in accordance with the U.K.'s Companies Act 2006).

Frequently Asked Questions About the Bribery Act

Is my company at risk if I offer corporate hospitality to clients and prospective clients?

The Act is not designed to criminalize routine corporate hospitality. The Act states that if a person is induced to act improperly as a result of a reward, this will constitute an offense. Companies will need to take care going forward to ensure that any corporate hospitality can be justified. Consideration should be given not only to the cost when compared to other clients or competitors, but also the timing. In the case of foreign public officials, the element of impropriety does not have to be established and great care should be exercised. It may not be appropriate to offer entertainment to a procurement panel member ahead of a tender award where, as a result of such entertainment, the panel member might exhibit conduct that falls short of a reasonable person's expectation of good faith, impartiality or trust.

What types of benefits might be considered a bribe?

Under the Act, a bribe is any benefit offered, promised or given as a reward for that person to behave improperly, knowing or believing that the recipient's acceptance of the advantage would constitute improper behavior. A number of areas have been identified during the consultation as areas that companies should look at carefully. These include:

- Corporate hospitality: Offers of hospitality to prospects, targets or clients
- Gifts: Gifts paid to employees of a third-party organization in recognition of the business that it has provided you
- Facilitation payments: Payments made to an individual to encourage a transaction to be given preferential treatment or to be fast tracked
- Commission: Payment of commission to brokers that are expected to act independently and in the interests of their customers
- Reward schemes: Rewards offered to sales representatives to encourage them to favor one product over another product
- Offset arrangements: Provision of additional services (outside of the contract) as an incentive to win the contract

Particular care should be taken when a benefit is offered to an individual rather than to a company or organization. It is not unusual for companies to offer benefits to individuals as a means of thanking them for directing business to you. There is a risk associated with hospitality, gifts, commissions and other reward schemes as these are typically directed to an individual and not the organization that provided you with the work. By comparison, a volume discount built into your standard terms is a means of rewarding a company for directing you a large amount of work.

The standard applied by the courts would be based on the improper performance test. As such, consideration would be given to whether the act represents conduct falling short of a reasonable person's expectation of good faith, impartiality or trust. It should be noted that this is the standard of a reasonable person in the United Kingdom (to avoid confusion with what someone working in the industry or in a less-regulated environment overseas might expect). Local practices or customs should not be taken into account unless permitted by written local law.

What if I do nothing (this is not a compliance requirement)?

The Act applies to everyone including business entities of all types. Adequate procedures are not prescriptive and Transparency International has already stated that a company's anti-bribery programme is more likely to be regarded as constituting adequate procedures if it is based on good practice rather than an approach that solely uses compliance with laws to determine the structure of the programme. Any company is at risk if it becomes subject to an allegation of bribery and does not have appropriate measures in place to prevent bribery.

How will prosecutors determine whether they will take action against those involved in bribery?

There are a number of factors that will determine whether a case is prosecuted in the criminal courts, but in general the key factors will be based on a reasonable prospect of securing a criminal conviction and whether it is in the public interest to pursue a prosecution. A company that does not have adequate procedures in place is more likely to face prosecution if an incident of bribery is identified within the business or through a third party acting on its behalf.

Our controls are FCPA compliant. Is this enough?

No. The Bribery Act has a far greater reach than the FCPA, and FCPA compliance does not go far enough to provide a defense for offenses created under the Bribery Act. FCPA compliance may provide a foundation on which to build the additional controls needed to fulfill the Bribery Act's adequate procedures guidelines, but it will be necessary to enhance and improve many aspects of controls to reduce the additional risks.

Have industry representatives expressed any concerns about the Act and adequate procedures guidelines during the consultation process?

Yes. Some of the key comments include:

- Concerns over the lack of clarity as to what constitutes acceptable levels of corporate hospitality and corporate gifts.
- Concerns over lack of clarity on whether the Bribery Act applies equally to government bodies operating in the United Kingdom and overseas.
- Concerns that failure to include the impropriety element when dealing with foreign public officials could criminalize legitimate business activities, such as promotional expenditure and proportionate use of corporate hospitality.
- Concerns over the conflict between the FCPA, which allows facilitation payments under certain conditions, and the Bribery Act, which does not.
- Concerns that the term "associated persons" is too broad and has not been defined properly. As it stands, businesses could face criminal liability from the actions of many associated persons over which they have no effective control.

- Concerns as to whether a U.K. company can be expected to change behavior of employees in a country where local customs differ significantly from the United Kingdom.

It has been suggested that the adequate procedures guidelines should be updated to provide greater clarity regarding risk-based approaches. Commentators believe this is important to allow a company's response to the Bribery Act to be reasonable and proportionate to the bribery and corruption risks it faces.

How do I implement adequate procedures?

There is no official guidance on how to implement adequate procedures. The guidance issued by the MoJ provides a general overview of what procedures companies should adopt but does not state in detail the process that they need to follow. Below is a roadmap to compliance suggested by Protiviti, followed by a detailed review of each step.

1. Perform a Risk Assessment
2. Review Internal Policies and Procedures and Define Key Actions
3. Define Compliance and Education/Awareness Programs
4. Establish Ongoing Monitoring and Response Process

A risk assessment needs to be performed at two levels:

Level 1: Determine the countries, processes, transactions, partners to be reviewed and analyzed:
- In which countries do we operate? Are any markets deemed high risk?
- Which business transactions could be deemed at risk?
- Where do we rely heavily on business partners? Where are they located? What background checks or due diligence have been performed?

While completing the Level 1 assessment, key stakeholders with knowledge of the higher risk areas will be identified to participate in the Level 2 risk assessment.

Level 2: Establish a comprehensive risk register for high-risk areas identified in the Level 1 risk assessment. Any risks identified should be ranked to assess significance and likelihood.

The risk assessment should be revisited on a regular basis to identify new or emerging areas of risk.

A detailed review of the existing internal policies and existing controls should be performed for higher-risk areas identified when conducting the Level 1 and Level 2 risk assessments. The primary objective is to assess the adequacy of the existing controls to reduce the risk to an acceptable level. For high-risk areas, it may be necessary to document key processes to ensure that the risks identified in the Level 2 risk assessment are complete. Consideration should be given to existing controls and assurance work performed by Internal Audit. Key questions that will need to be addressed include:
- Are the processes and key risk areas fully understood?
- Have policies been adequately defined? Do clear guidelines exist?
- Are there controls in place to reduce the risk to an acceptable level?
- Are the existing policies effectively communicated?

Upon completion of this activity, a defined set of remedial actions will be agreed upon.

Once the necessary remedial action has been taken and the necessary statement of commitment, policies and guidelines prepared, a communication, training and awareness campaign will need to be established. This will communicate the key requirements to all employees as well as business partners (where applicable). When implementing an awareness program, senior management should consider the following (at a minimum):
- Who is the target audience?
- What are the key messages that need to be communicated?
- Who will be responsible to roll out the training and awareness program?
- Can a single set of messages be sent out to all key individuals or does the approach adopted need to be tailored to different audiences?
- Can the communication program be conducted in a single corporate language or does communication need to be in a local language to be effective?
- How does the business ensure that the target audience has received the necessary communications?

Communication of policies will not be sufficient to reduce risk to an acceptable level. The business will need to establish an appropriate framework of controls to prevent and/or detect inappropriate behavior. A program will need to be established to ensure that the necessary controls are designed and are operating effectively. Where possible, reliance should be placed on existing assurance programs. Where instances of potential bribery are detected or reported, the company should consider the following:

1. Identify root cause of the problem
- Were the individuals involved aware of the company policies?
- Could the inappropriate transaction have been prevented?
- Does this represent an isolated case or is this an indicator of a wider problem?

2. Consider actions to be taken internally
- Review and, if necessary, update current risk assessment.
- Review and update anti-bribery policies and procedures.
- Refresh communication and awareness program.

1. Perform a Risk Assessment

The objective of the risk assessment is to understand the key risk drivers. This will enable the business to focus its efforts on the areas of highest risk to the organization. Key factors that will need to be considered during the risk assessment include: nature of the transactions, rewards and remuneration, geography, cultural norms and common practices, third-party relationships, and perceived level of control.

A company would typically perform this risk assessment at two levels. The initial risk assessment would typically be a relatively high-level assessment to analyze the business, considering the factors outlined above, to identify the business activities that are most susceptible to bribery. A more in-depth analysis would then be performed of the highest-risk areas to determine the specific risk events that the business needs to control to reduce the risk of bribery to an acceptable level. The definition of "acceptable level of risk" varies from company to company and reflects the risk appetite of the organization.

2. Review Internal Policies and Procedures/Define Key Actions

The second stage in the roadmap to compliance is the review of internal policies and procedures. The objective of this stage is to assess how significant risk events are being managed within the current internal control framework. This process will also enable the company to validate assumptions made when conducting the risk assessment.

This review process would be targeted at the highest-risk areas identified in phase one. A review would typically consider internal processes, guidelines, policies and procedures, and will determine if the company is effectively managing the key risks identified by the risk assessment.

Our approach utilizes Protiviti's six elements of infrastructure. These are the key attributes that we believe a business needs to establish to effectively manage risk. In particular, the business will need to consider:

- Business Policies: Are the necessary business policies in place? Are these policies communicated to all appropriate parties?
- Business Processes: Have the necessary processes been put in place to reinforce the company's policies? Are these policies consistently followed across the organization and does this extend to third-party business partners?
- People & Organization: Do all individuals understand their role in these business processes? Have key individuals been provided with the necessary training to enable them to fulfill their roles effectively?
- Management Reports: Does management receive the necessary information to enable it to ascertain whether these processes are operating effectively and to enable it to respond effectively at the right time when action is required?
- Methodologies: Has the company adopted appropriate methods to identify high-risk transactions for investigation?
- Systems and Data: Does the company use systems effectively to support the processes? Is the data provided reliable?

3. Define Compliance and Education/Awareness Programs

One of the most critical steps that will ultimately determine the success or failure of the project is the communication and awareness program. The awareness program aims to improve awareness among employees of the key policies and create an environment in which these policies are respected. When establishing an effective awareness program, senior management should consider the following:

- Singular honed message that speaks directly to the employees
- Creative design of all print materials, which will serve as an image to ensure that the message is correctly perceived by the employees
- Strategic placement of all pieces to ensure the broadest visibility for employees (and where applicable key partners), regardless of location
- Reinforcement of the message through regular training
- Repetition of themes, ideas and structure in order to drive cultural change

The message and its content must be relevant to the audience with whom the company is trying to communicate.

4. Establish Ongoing Monitoring and Response Process

Defining policies and ensuring effective communication of these policies will not be sufficient to reduce risk to an acceptable level. The business will also place reliance on controls embedded into critical business processes to reduce the risk of potential bribery events. Furthermore, the business will need to establish processes to detect possible bribery and to take action.

Key risks, events and controls identified via the risk assessment should be captured in a risk control matrix (RCM). Risks and controls that are already covered by other compliance and/or assurance programs should be cross-referenced to the relevant RCMs (if already in place) to avoid duplication of effort.

It is not sufficient simply to document the controls. Management also needs to put in place procedures to ensure that the controls are operating as documented. For each key control captured in the RCM, an assurance strategy needs to be defined to assess the operating effectiveness of the key anti-bribery controls. Where possible, any testing performed should be integrated with existing assurance work performed by Internal Audit. This will also help to avoid any duplication of effort.

An incident response plan will also need to be prepared that defines how the business will respond if evidence of potential bribery is detected.

When should I start to ensure adherence with adequate procedures?

The Bribery Act 2010 was due to come into force on April 1, Given the recent delay in the release of the updated guidance and the statement by the MoJ that when the guidance is published it will be followed by a three-month notice period before implementation of the Bribery Act, it is now anticipated that the Act will not come into force until May 2011 at the earliest.

Protiviti would, however, advise companies against delaying preparations for the Act. While further guidance is expected in a number of areas, in particular in relation to corporate hospitality, the key provisions of the Act are not expected to change. It takes companies much longer than they expect to define and implement adequate procedures. Defining policies and preparing guidance is only a small part of a comprehensive program. In our experience, many companies will require significantly more than three months' notice to effectively roll out and embed a complete set of guidance on a global basis. Companies should now be evaluating their existing policies, controls and training requirements and undertaking a risk assessment to determine where their key risks are likely to occur.

How Can Protiviti Assist?

1. Perform Risk Assessment
2. Review Internal Policies and Procedures and Define Key Actions
3. Define Compliance and Education/Awareness Programs
4. Establish Ongoing Monitoring and Response Process

The role that Protiviti plays in this process can vary significantly from client to client. Protiviti would typically perform the following activities:
- Define a structured approach to performing the risk assessment and review with management and other stakeholders (e.g., the board).
- Develop tools to facilitate the risk assessment process (including frameworks to help focus participants in a risk workshop or survey).
- Facilitate risk workshop and/or manage survey (using technology such as voting software or survey tools to drive greater efficiency and to ensure full participation).
- Analyze results and capture key findings in the risk register.

The role that Protiviti plays in this process can vary significantly from client to client. Protiviti would typically perform all or some of the following activities:
- Define the approach to be adopted for the review of policies and procedures.
- Develop tools to facilitate the review process (including providing access to tools that have been developed by Protiviti by way of an example).
- Draw on the results of the risk assessment to help the business determine the key processes and/or policies requiring review.
- Support the business in performing the review of business processes, working in partnership with Internal Audit.
- Assist the business in analyzing gaps identified and providing guidance on possible approaches being adopted by other organizations to reduce risk.
- Capture the key issues in an issues list ("gap tracker") and obtain buy-in from the assigned owners.
- Manage the closure of the key risks, preparing regular reports on status of remedial work being performed.
- Assist with the closure of gaps identified (including preparation of policies and guidelines, drawing on our library of best practice policies and procedures in our knowledge management system (ishare)).

Protiviti can help clients define a communication and awareness program that seeks to remind employees constantly of their responsibilities and enable the business to achieve its desired objectives. An awareness program would include:
- Highly visible location-based print communication materials (posters, banners, calendars).
- Job aids that assist employees in their particular functions while concurrently conveying a specific message (handbooks and reference guides, tip cards).
- Collateral that is distributed directly to employees in the form of orientation brochures, payslip stuffers, newsletters, wallet cards or quiz cards.
- Electronic awareness in the form of reminders and banner ads on an intranet site can also be helpful for desk-based employees.

Illustrations accompanied by different languages help keep the global message intact. Wallet cards can keep information on bribery and fraud prevention and reporting options at employees' fingertips. Strategic placement of multilingual artwork ensures inclusion and consistency of messaging.

The role that Protiviti plays in this phase of the project is typically dependent on the role adopted by Internal Audit. Protiviti would typically work in partnership with Internal Audit and/or another internal controls team to perform the following activities:
- Prepare risk and control matrices.
- Develop test plans.
- Assist with the testing of key controls (often targeted at overseas locations where Internal Audit may not have resources).
- Provide incident response support when issues are identified.

About Protiviti

Protiviti is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. The firm helps solve problems in finance and transactions, operations, technology, litigation, governance, risk, and compliance. Protiviti's highly trained, results-oriented professionals provide a unique perspective on a wide range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East.

Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

Protiviti Inc. An Equal Opportunity Employer. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.