Managing Foreign Corrupt Practices Act (FCPA)

Adopt a Proactive Approach to Risk and Compliance Management

Even a cursory look at recent global financial news reveals that a number of companies in diverse industries are facing severe scrutiny by the United States government for potential violations of the Foreign Corrupt Practices Act (FCPA). Healthcare companies, IT companies and pharmaceutical giants are among the numerous organizations that are going through rigorous FCPA enquiries.

As the US Securities and Exchange Commission (SEC) and the US Department of Justice tighten the noose to eradicate corruption and bribery in their entirety, companies often find themselves in situations where they are unaware of practices that may lead to such punishable offences. In many cases, this lack of knowledge or awareness makes it even more difficult for internal departments to identify, track and control malpractices or possible violations of the FCPA.

Understanding FCPA
The Foreign Corrupt Practices Act (FCPA) was signed into United States law in 1977 to end the bribery of foreign officials by American businesses in order to facilitate, acquire or maintain business. The act was amended in 1998 by the International Anti-Bribery Act of 1998, which was designed to implement the anti-bribery conventions of the Organization for Economic Co-operation and Development.

The act prohibits companies from paying bribes to foreign government officials and political figures. Organizations violating this law by paying bribes are subject to criminal and civil actions, resulting in fines, suspension, and exclusion from government procurement contracts. The employees and directors of such organizations can be sentenced to imprisonment.

The Department of Justice is responsible for enforcing the anti-bribery provisions as they pertain to domestic as well as foreign companies. The Securities and Exchange Commission (SEC) is responsible for civil enforcement of the anti-bribery provisions of the FCPA. Both agencies can institute civil actions, while the Department of Justice is authorized to file criminal charges.

The anti-bribery provisions of the FCPA make it unlawful for a US person, and certain foreign issuers of securities, to make a payment to a foreign official for the purpose of obtaining or retaining business for or with, or directing business to, any person. Since 1998, the provisions also apply to foreign firms and persons who take any act in furtherance of such a corrupt payment while in the United States. There is no materiality to this act, making it illegal to offer anything of value as a bribe, including cash or non-cash items. The focus is on the intent of the bribery rather than on the amount.

The accounting provisions in the FCPA require corporations whose securities are listed in the United States to make and keep books and records that accurately and fairly reflect the transactions of the corporation and to devise and maintain an adequate system of internal accounting controls. The act’s provisions also apply to foreign companies and nationals paying bribes to government officials and political figures while doing business in the U.S.

FCPA violations and their implications – Penalties, Tarnished Reputation, Lost Opportunities
The penalties involved in FCPA violations are substantial and run into tens of millions of dollars, demanding the immediate attention of large multinationals and mid-sized as well as small companies alike. Recently, a large healthcare company agreed to pay more than $70 million to settle U.S. and U.K. allegations that it bribed doctors and hospital administrators in several European countries and Iraq.

The SEC settled FCPA charges with 20 defendants in 2010, the highest number since the passage of SOX. Four of these settlements were among the top ten settlements in the second half of 2010. The United States Department of Justice (DOJ) has reported over 140 investigations for FCPA violations in 2009 alone.

The rising FCPA settlement values underline the increasing severity of the act’s enforcement. According to the new list of top ten FCPA settlements of all time, published on the FCPA Blog in April 2011, the settlement amounts range from $70 million to $800 million. Eight of the largest amounts ever paid to settle FCPA charges are from settlements in 2010 and early 2011. The composition of the top ten list itself has changed twice in the first few months of 2011, strengthening the trend of constantly rising amounts of FCPA settlements.

According to the NERA SEC Trends report, the creation of the FCPA Unit within the SEC Division of Enforcement strongly suggests that this will be an important focus area for future enforcement activities.

FCPA penalties for entities:

  • Anti-bribery provisions
    • Civil penalty up to $10,000
    • Criminal fine up to $2 million
  • Accounting provisions
    • Civil penalty up to $500,000
    • Criminal fine up to $25 million or twice the gain or loss caused by the violation [2]

FCPA violations cost the companies in question much more than the large monetary losses in the form of penalties. They bring negative publicity that can spread like wildfire and harm a reputation the company has earned over years. This in turn may result in an instant fall in stock prices and exclusion from government procurement contracts or a diminished ability to do business with the government of the country where the recipient of the corrupt practice operates, not to mention the possibility of the business relationship going sour for longer periods. These losses are harder to recover and are sometimes even irreparable.

Proactive approach to Managing FCPA - Profitable and Smarter Option
In the wake of the increasing stringency and rising level of enforcement of the FCPA, many companies from various industry verticals are looking at managing FCPA compliance efficiently. The emerging trends are a proactive approach and investment in technology solutions that allow companies to stay on top of FCPA requirements and ensure the mandates are followed consistently throughout the enterprise. Considering the stakes, high penalties and other severe repercussions that FCPA violations can expose businesses to, adopting a proactive approach and investing in FCPA control is proving to be an extremely cost-effective and sustainable option to prevent violations.

Detection methods for Economic Crimes
Corruption can be detected in cash payments, travel and entertainment expenses, off-the-book funds, use of intermediaries (distributors, agents, vendors), illegitimate payments characterized as legitimate (consulting, legal, accounting fees), charitable donations, and non-cash considerations (employment, use of the corporate jet, other benefits).

In 2009, PwC conducted a survey on global economic crime. The respondents of the survey had experienced economic crimes in the last 12 months in 2009 and in the years 2005 and 2007.

The 2009 PwC global economic crime survey classifies detection methods into three categories:

  • Corporate controls, which comprise internal audit, fraud risk management, suspicious transaction reporting, corporate security and rotation of personnel.
  • Controls related to corporate culture, which include external and internal tip-off and whistleblowing systems.
  • Controls beyond the influence of management, where economic crimes are detected by accident, by law enforcement, or by other detection methods.

The survey results indicate that the internal audit function was the most successful control in detecting economic crimes. Whistle-blowers may become more prevalent given the new incentives under the Dodd-Frank Act. This increases witness cooperation and hence the SEC’s available resources to unearth corruption more effectively.

FCPA Risk Indicators
Some of the risk indicators for FCPA compliance are:

  • Operations or business in high risk countries
  • Business with state-owned or controlled entities
  • Payment of excessive commissions
  • Unusual compensation arrangements
  • Use of mandated third parties (such as agents, distributors)
  • Cash payments required to entities or individuals
  • Re-directed payments
  • Required gifts and donations
  • Non-cash consideration

Major Components of Effective FCPA Compliance
A vast range of FCPA stipulations and their implications for organizations are related to many aspects of business and operations that need close control and monitoring.

Educating the staff
As part of its anti-bribery provisions, the FCPA places certain restrictions on employee conduct in a number of situations involving government clients and stakeholders. If staff members are not aware of these provisions and restrictions, they are likely to violate them out of ignorance. Therefore, training employees on the complete spectrum of FCPA violations, with examples and scenarios related to their work profile, and creating awareness is the first step towards FCPA compliance.

Tracking the expense reports
As a preventive measure, companies need to track the expense reports of their employees and detect any extraordinarily large expenses or transactions. These expenses must be treated as signals and handled appropriately internally to prevent any incident of corruption and bribery before it occurs. Relevant executives and other personnel must be informed about such reports immediately and necessary corrective action must be taken.

Monitoring the business with partners in foreign countries
All transactions conducted through partners, resellers and representatives in foreign countries must be monitored meticulously at every step. Miscellaneous expenses, invoices, and other transactions need to be scrutinized for large inexplicable sums and relevant personnel must be alerted at once. Expenses that involve costly gifts, business lunches or dinners at expensive places must be examined in detail by executives and managers.

Managing the violation scrutiny
In case the signals are overlooked and an FCPA violation does occur, organizations need to be prepared and have a robust system in place to handle the investigation, follow a defined process accordingly and take the right decisions.

How MetricStream can help
Continuous monitoring and tracking of various related processes and ensuring awareness among all employees are some of the critical requirements in managing FCPA. MetricStream provides a comprehensive framework and accompanying workflows to help enterprises streamline, automate and monitor important aspects of FCPA compliance while combining best-in-class technology with relevant regulatory content. Built on a single platform, the solution enables FCPA compliance management at multiple levels.

The solution, via its detailed workflows and complete integration, helps chief ethics and compliance officers to set the right tone from the top of the organization, which percolates to all levels and creates a culture of FCPA awareness and compliance. The MetricStream solution approaches FCPA management in a holistic way, covering all aspects needed to deal with incidents of non-compliance efficiently:

  • Identifying and assessing FCPA risks
  • Defining and managing risk controls
  • Creating and organizing relevant training programs for employees
  • Conducting regular audits based on previously identified risk areas
  • Managing issues and putting in place a corrective action plan

Policy Management
The MetricStream solution offers an efficient way of creating, publishing and distributing policies as well as performing policy awareness assessment for continued assurance. Through this solution, organizations can ensure accurate knowledge across the enterprise of policies related to business conduct with overseas stakeholders. It is critical to the management of FCPA requirements that all employees are aware of these policies and have agreed to follow them.

An automated workflow for certifications and self-assessments allows employees to receive notifications and updates and to read and accept policies. The governance team can measure the success of FCPA-related policy awareness and the maturity and preparedness of the organization in this area.

Policy exceptions can be tracked through a comprehensive issue management mechanism. Being a central repository of policies, the solution is a storehouse of the latest versions of documents, policies, procedures, regulations and standards prescribed by the FCPA. The availability of standard information contributes to increased employee awareness.

Some examples of policies related to FCPA that organizations must have in place, and which can be managed efficiently within the MetricStream solution, are:

  • Non-US Commercial Sales Representatives Commission Payment Approval and Expense Reimbursement Review Policy
  • Offshore Payments to Non-US Commercial Sales Representatives
  • Guidelines for Travel and Entertainment, Gift Giving, Charitable Donations of a Non-US Government Official
  • Petty Cash Funds Policy
  • Real Estate Transactions in Selected Countries Policy

MetricStream’s Value Proposition

The MetricStream solution provides a common compliance structure to manage not only FCPA, but a diverse range of regulations and multiple compliance requirements using a single framework.

It prevents a fragmented approach towards different aspects of compliance management and introduces an integrated methodology for complete compliance.

The solution enables effective management of related policies, procedures, training programs, risks, internal controls, audits, issues and corrective action, integrating the different components together.

The MetricStream solution provides a single, centralized view of the status of the organization’s compliance program.

The solution includes a built-in ability to track minute changes in the regulatory landscape by receiving regulatory alerts and updates from reliable external sources.

The MetricStream solution can be configured to adapt itself to the changing business processes and requirements of businesses, without deviating focus from the business goals of the organization.

The solution allows the top management to set the tone of regulatory accountability across the organization.

The MetricStream solution is scalable and can be easily aligned with the organization’s growth path.

Risk Management
FCPA non-compliance can lead to financial risks in the form of penalties and impact on stock prices, risk of lost business opportunities as well as the risk of loss of reputation.

MetricStream provides an integrated and flexible risk management framework for documenting and assessing risks related to FCPA, defining controls, managing audits, identifying issues and implementing recommendations and remediation plans. The risk management solution includes tools for risk analysis and monitoring such as configurable risk calculators and risk heat maps.

The solution supports risk assessment based on typical scenarios specific to the organization’s industry, which means organizations can assess their risk based on not only their own operations, but also the operations of their peers and competitors. The qualitative and quantitative impact of the risk can be evaluated and controls are implemented based on various assessments. The performance of these controls can be closely monitored and assessed to ensure their effectiveness in mitigating the risk.

The solution allows organizations to tailor their FCPA compliance risk profile based on the following risk factors:

  • Industry-specific risks
  • Company size
  • Corporate structure and affiliates
  • Management structure (centralized against decentralized)
  • Location of business units and other types of operations
  • Key products and services
  • Key markets and changes to markets
  • Key customers
  • Reliance upon third parties in various contexts
  • Transactions and project based risks

Controls Management
Risk controls can be established in accordance with the risk profile of the company. These preventive controls need to be reflected in the company’s operations to ensure that they are followed. For example, to monitor the risk involved in large transactions, signatory authorities are established as a control for contracts of a certain nature or amount. To ensure that this control is indeed in place, proof in the form of a signatory review or sign-off must be provided to the contract management team. Similarly, if a control in the form of a third-party investigation process has been established to manage vendor risk, the vendor relationship needs to be terminated in case of integrity concerns.

MetricStream’s integrated solution, backed by detailed workflows, enables organizations to define, assess and realign preventive controls. The solution supports tracking of controls to ensure that processes are followed and that proof is submitted to relevant personnel to confirm the effectiveness of the control.

Training Management
The MetricStream solution enables effective management of the FCPA training process by maintaining the course offerings and course descriptions for easy review by employees and managers, scheduling training sessions, providing feedback on instructors and course material effectiveness, maintaining training records and conducting gap analysis to ensure complete FCPA compliance.

The powerful analytics and reporting capability, with graphical dashboards to monitor training programs and their effectiveness, gives managers complete real-time visibility into the organization's FCPA training management system, including tests and scoring and the FCPA awareness and preparedness quotient.

The scope of training can include a basic level of FCPA awareness for all employees, third-party FCPA training for suppliers and vendors, as well as specialized and in-depth training for employees at risk.

Case Management
The MetricStream solution supports identification of issues such as FCPA non-conformance, exceptions, loss events and process deviations, and initiation of cases across departments from different sources including other systems and applications.

The solution enables organizations to establish and follow consistent procedures for capturing issues, tracking loss events, managing tasks, and reporting issue status. The solution supports evaluation of issues as well as case investigation and tracking leading to an elaborate remediation or corrective action process. The analytics, tracking and reporting capabilities with graphical dashboards give managers complete real-time visibility into FCPA compliance and provide critical information for reducing the risk of non-compliance.

Continuous Evaluation and Audit Management
Organizations need to evaluate their FCPA compliance on an ongoing basis to eliminate issues and risks. Auditing the existing compliance management processes rigorously can bring forth issues in time for the compliance team to prevent them from leading to FCPA enquiries.

MetricStream provides a comprehensive audit system designed to help companies manage a wide range of audit-related activities, data and processes. The audit management software has the flexibility to support all types of audits including internal audits, supplier audits and operational audits for FCPA compliance. The solution provides end-to-end functionality for managing the complete audit lifecycle: audit planning and scheduling, development of standard audit plans and checklists, field data collection, development of audit reports and recommendations, review of audit recommendations by audit entities and management, and implementation of audit recommendations and remediation for a closed-loop FCPA compliance process.

Tone from the Top
For FCPA compliance to be foolproof, organizations need to create a culture of FCPA accountability which is initiated by thought leaders. The MetricStream solution provides organizations the flexibility to link management objectives regarding FCPA with compliance processes, policies, risks, controls, incidents and corrective action plans. The solution maps complex organization hierarchies and provides role-based access, portal views, reports and dashboards with drill-down and roll-up capability for continuous compliance program monitoring.

About MetricStream
MetricStream is a market leader in Enterprise-wide Governance, Risk, Compliance (GRC) and Quality Management Solutions for global corporations. MetricStream solutions are used by leading corporations such as UBS, P&G, Constellation Energy, Pfizer, Philips, BAE Systems, Twitter, SanDisk, Cummins and Sonic Automotive in diverse industries such as Financial Services, Healthcare, Life Sciences, Energy and Utilities, Food, Retail, CPG, Government, Hi-tech and Manufacturing to manage their risk management, quality processes, regulatory and industry-mandated compliance and corporate governance initiatives, as well as several million compliance professionals worldwide via the www.ComplianceOnline.com portal. MetricStream is headquartered in Palo Alto, California and can be reached at www.metricstream.com.

1 http://www.foreigncorruptpracticesact.co.uk/

2 http://www.worldcompliance.com/fcpa-penalties.html