The U.S. Foreign Corrupt Practices Act (FCPA) and similar
regulations across the globe have been a source of great anxiety for large
publicly traded companies. There is significant risk of unknowingly becoming
ensnared in the framework of rules, particularly as a company becomes more
global. There are resources to help guide companies through these risks, but
many appear focused on resource-rich, large multinational companies. What if
your company is a small or medium-sized entity (SME) making an initial foray
into the global markets?
SMEs do not have the resources or expertise of large
multinationals. So how can they reasonably comply with the regulations and best
practices that may be both literally and figuratively foreign to them?
Fortunately, an effective compliance program can be achieved with the limited
resources of an SME.
Compliance Is Not an Option
SMEs have recently become a focus of regulators. At the 2015
SEC Speaks program, Kara N. Brockmeyer, chief of the Securities and Exchange
Commission’s (SEC) FCPA unit, commented that her group has added a focus on
small and medium-sized companies that venture into international markets. In
2014, Smith & Wesson, Bruker, and Layne Christensen (companies with annual
revenues of $600 million, $1.8 billion, and $800 million, respectively) were
targets of FCPA enforcement actions. With the 2014 Smith & Wesson action,
Brockmeyer said, “When a company makes the strategic decision to sell its
product overseas, it must ensure that the right internal controls are in place
Large penalties accompany violations. Noteworthy recent
penalties include payments by Alcoa ($384 million), Avon ($135 million), Alstom
($772 million), and VimpelCom ($795 million). Siemens recently paid $42 million
(in addition to the $1.2 billion paid in prior settlements related to other
actions) to settle a 14-year-old bribery case. These fines represent only the
penalty component. They don’t include a company’s cost of investigating and
correcting the issues or any effects on reputation.
Although an SME might not find itself charged with a $1.2
billion fine, SMEs and individual employees may still have to dig deeply into
their own smaller pockets to atone for any missteps. For example, Smith &
Wesson settled with the Department of Justice (DOJ) for $2 million for the
payment and concealment of bribes, in the form of guns and illegal cash through
third parties in Pakistan, Indonesia, Turkey, Nepal, and Bangladesh, in an
attempt to win contracts. The SEC said Smith & Wesson failed to “design and
implement a system of internal controls or an appropriate FCPA compliance
program reasonably designed to address the risks of its new business model.”
The price of the investigation added another $2 million to the total cost. To
put the total $4 million in perspective, consider that the alleged bribe was
only valued at $11,000 and yielded $108,000 in contract profits.
It’s not just SME “companies” at risk; it could become very
personal. The DOJ has shifted focus toward individual prosecution, as evidenced
by the September 2015 Individual Accountability for Corporate Wrongdoing
memorandum issued by Sally Quillian Yates, deputy attorney general. Known as
the “Yates Memo,” the memorandum states, “One of the most effective ways to
combat corporate misconduct is by seeking accountability from the individuals
who perpetrated the wrongdoing.” The memo both describes steps the DOJ will
take to ensure the identification of culpable individuals and highlights the
use of civil action as a future deterrent.
Enforcement is becoming more vigorous. The FBI is tripling
resources dedicated to investigating FCPA violations, and it will add three new
squads of special agents devoted to FCPA prosecutions and investigations. The
DOJ recently announced a three-part initiative that could potentially create a
significant increase in the level of FCPA enforcement activity. The DOJ’s FCPA
unit will be bolstered by 10 additional prosecutors, and it will also continue
to strengthen its coordination with foreign counterparts. The DOJ has also
introduced a one-year FCPA enforcement “pilot program” to motivate companies to
self-disclose FCPA-related misconduct.
In addition to mitigating the legal risk from wayward
employee conduct, complying with corruption regulations is just generally
better business. An effective anti-corruption compliance program will help
control a company’s exposure across all its operations and supply chain, and
enhance its reputation as a responsible partner with vendors, customers, and
others. A strong compliance program also makes the company a preferred business
in the event it becomes a potential target for acquisition. Usually an acquiring
company will evaluate the strength of a target’s compliance program to provide
assurances to a host of stakeholders and shareholders.
Guidance for SMEs
The SEC has explicitly stated that SMEs, like their larger
counterparts, are responsible for creating functioning and effective compliance
programs. SMEs do not get a “pass” for being small or for being new to global
markets. However, reasonableness is a key consideration in program development,
and SMEs will not be measured with the same yardstick as their larger counterparts.
An SME’s compliance program will be assessed based on the company’s relative
size and resources. Available guidance will give SMEs some helpful insight.
According to U.S. sentencing guidelines, SMEs must
demonstrate the same degree of commitment to ethical conduct and compliance
with the law as large organizations. They can, however, meet these requirements
with “less formality and fewer resources” than larger companies. Reliance on
existing resources or simpler systems than those used by larger organizations
is appropriate. The sentencing guidelines provide four examples of correct
- The governing authority discharges its responsibility for
oversight of the compliance and ethics program by directly managing the
organization’s compliance and ethics efforts (i.e., they don’t have to
outsource its management and instead do it themselves).
- Employees are trained through staff meetings and monitored
via regular “walk-arounds” or continuous observation.
- The company uses available personnel rather than employing
separate staff to carry out the compliance and ethics program.
- The company models its own compliance and ethics program
on existing, well-regarded compliance and ethics programs and best practices of
other similar organizations.
The SEC’s and DOJ’s FCPA guidance also reveals that these
agencies will take into account the differences between compliance programs at
large multinational companies and those at SMEs. Even so, the expectation is
that SMEs will still look to the following “Hallmarks of Effective Compliance
Programs” provided in the SEC’s and DOJ’s FCPA guidance:
- A commitment from senior management and clearly
articulated corporate policy against corruption
- A code of conduct and compliance policies and procedures
addressing the company’s riskiest areas
- Autonomy and resources provided to one or more identified
senior executives vested with responsibility for the oversight and management
of the compliance program
- A risk assessment in order to develop a compliance program
that focuses compliance resources on areas of highest risk
- Training and continuing advice to employees, directors,
officers, and, in appropriate circumstances, agents and partners
- Incentives and disciplinary measures that reinforce the
importance of compliance
- Risk-based, third-party due diligence and monitoring of
third-party payments and relationships
- A mechanism for confidential reporting and a properly
funded efficient process for investigating allegations raised
- Periodic testing and review in order to continuously
improve the compliance program
- Preacquisition due diligence and postacquisition
integration in the context of mergers and acquisitions
The best approach for an SME is to focus on those areas that
correspond to the highest risks within the organization. This should facilitate
the development of an effective compliance program, even with limited
The guidance for SMEs will receive a boost with the imminent
arrival of ISO 37001, the International Organization for Standardization’s
anti-bribery management systems standard. ISO 37001 has been developed with
significant input from business professionals, and is designed to apply to
companies of all sizes. In fact, the draft standard contains multiple
references to small organizations. The draft pays particular attention to
smaller organizations’ limited compliance resources, and recognizes that the
anti-bribery compliance function may be the shared responsibility of an
appropriate individual or carried out by a third party. Once ISO 37001 is
finalized, qualified organizations will have the ability to obtain
certification with the standard, which should provide a distinct compliance
advantage for SMEs.
Where to Begin?
Many “hallmarks” of an effective compliance program are
easily developed with existing resources, though this may require creativity on
the part of the SME. Here are some examples:
- Leverage – Don’t hire a stand-alone compliance person.
Assign an existing senior-level executive with overall responsibility for the
company’s compliance program. A senior-level person in charge sends the correct
message to others within the organization. It establishes a proper tone at the
top for the organization and shows that the company places great importance on
ensuring there is compliance with anti-corruption regulations. Similarly,
leverage local staff to act as compliance “liaisons” throughout your
organization to help disseminate the compliance message and act as dedicated
resources for problem-solving and escalation of issues.
- Tailor – Don’t write a Code of Conduct from scratch. A
Code of Conduct and other policies and procedures can be developed easily by
mirroring the compliance programs of similar organizations. Find something and
tailor it to your organization.
- Communicate – Once developed, the Code of Conduct can be
circulated to the company’s other business partners, vendors, and customers
with little effort.
- Amend – Anti-corruption language can easily be included in
all new company contracts with any third party. Existing important contractual
relationships can be amended.
- Report – Anonymous reporting functions and follow-up on
allegations can be fulfilled by outsourcing an anonymous hotline, using the
company’s existing internal audit function, and generally fostering an
environment that encourages the reporting of suspicious behavior.
- Monitor – Charge internal audit or other existing finance
functions with the responsibility of periodic testing and review of the
existing compliance function.
Another hallmark of an effective compliance program is that it is
developed using a risk-based approach. Look at your business and where and how
it may be exposed to corruption. This risk assessment is the cornerstone, and
essential first step, in building an effective program. If your company does
not have the appropriate expertise to do this, it may justify outsourcing this
risk assessment to a consulting firm with these capabilities. These firms can
assist SMEs in identifying their unique risks and developing a reasonable yet
effective program to mitigate those risks.
Regardless of who performs this work, a risk assessment will
identify and prioritize a company’s corruption risks by looking at the
company’s operations, business with government entities, geographic locations,
size, industry, go-to-market strategy, and regulatory environment. Specifically
with an SME, it will be important to understand what is “new” to better
understand the risks. If a company has recently expanded into new global
markets, what is the operating environment and what are the risks associated
with those markets? Are there new government customers? Has the company added
new distributors or intermediaries to its sales process? All of these changes
could be indicative of new risks within the company that need to be identified
and addressed as part of an effective compliance program. We’ve provided some
examples below of common situations and associated risks, as well as how
elements of an effective compliance program might mitigate the risks. This is
meant to provide some concrete examples, though it is not a comprehensive list.
My company has begun to use licensed distributors for
overseas sales – This is a common situation as sales in other countries often
require the use of a local intermediary. Using a distributor, or any
third-party intermediary, can pose additional corruption risks. For example,
it’s not uncommon for a distributor to unlawfully incentivize customers to
generate sales. These incentives could be in the form of kickbacks, gifts, or
free goods and services. The company is still responsible for the action of its
distributors, so this potential risk requires assessment and prioritization
with other potential risks. An effective compliance program designed to
mitigate this particular risk might include things such as ensuring that the
contract with the distributor contains appropriate anti-corruption language and
audit rights; performing due diligence on the distributor, either through
public records searches or site visits to better understand the distributor’s
business reputation; and conducting periodic monitoring or communication with
the distributor. The company should also watch out for preferential pricing
arrangements by analyzing profit margins associated with the ultimate sell-through
of product to the end customer. Unusual profit margins could be a source of
funds used for kickbacks, bribes, or other nefarious purposes.
My company now sells directly to government entities
overseas – Any type of sale to government entities or government-controlled
entities poses an increased risk of corruption because you now have company
personnel or their agents potentially interacting directly with government
officials. There is a risk that interactions could result in improper behavior
and activity, including inappropriate gifts, bribes, kickbacks, or other offers
designed to influence the decision-making of government officials, including
offers of employment for family members of government officials. In this
circumstance, an effective compliance program would focus its attention on
those employees who have the most interaction with the government customers. A
compliance program would provide appropriate training for these individuals and
make sure appropriate policies are in place to specifically deal with the
treatment of gifts, entertainment, travel, and other things of value being
presented to government officials. The company might also want to maintain a
log of any meals, entertainment, or gifts involving a government official.
My company acquired a company that has operations overseas –
Any violation of anti-corruption regulations by an acquired company – past or
present – can become the responsibility of the acquiring company. Although your
company may have commissioned due diligence prior to making the acquisition,
chances are high that any anti-corruption due diligence has not been
particularly extensive due to limited access. If this new acquisition resides
in a location known for corruption or within a higher-risk regulated industry,
it may make sense to perform an onsite post-acquisition corruption risk
assessment to identify any risks or issues that might exist. For an SME that is
newly engaged in a foreign market, it may make sense to outsource this work to
a firm with local resources that can perform the bulk of this work on your
behalf or assist you with developing a workplan that your own personnel can
For resource-constrained SMEs, it’s important to identify
the biggest corruption risks that exist within your organization, document
those risks, and build a compliance structure to address those risks. Then,
periodically monitor and test the compliance structure you have built. When
this risk-based approach is employed in conjunction with the creative use of
resources to develop sound policies and the other hallmarks of an effective
program, you will likely have a successful system. It may not look like the
compliance program of a multinational corporation, but it will nonetheless be
an effective program that matches your company’s size, operations, and risk
profile while being more likely to pass regulatory scrutiny.
Steven G. Blum, CPA, CFE, CFF, is a partner with Control
Risks Group in Washington, D.C., and a member of the Pennsylvania CPA Journal
Editorial Board. He can be reached at firstname.lastname@example.org.
Benjamin A. Cohen, CPA, CFE, CFF, is a principal with
Control Risks Group in Washington, D.C. He can be reached at email@example.com.