By Sundar N
Director, Forensic Services
SKP Business Consulting LLP
Companies are increasingly considering anti-corruption assessments to evaluate adherence to existing policies or to benchmark their policies against established best practices. With ISO 37001, greater interest has developed in anti-corruption compliance preparedness for companies; however, the extent to which companies adapt to ISO standards is to be seen in the coming years.
Anti-corruption assessments are often construed to be a policy assessment and not a holistic assessment. A holistic assessment is an assessment of the compliance standards, statements, and measures to test the efficacy and efficiency of the program in practice. Companies may choose to do an anti-corruption compliance assessment as a management assurance effort or to assess the gaps in the existing mechanism. A traditional approach covers aspects of policies, due diligence, training and books and records as a measure to evaluate compliance.
However, traditional assessments do not extensively cover aspects such as the following:
- Non-verbal references of the leaders and their perceived market focus over compliance could send an inconsistent signal to the employees on compliance.
- Standard due diligence that gives a false assurance on compliance, due to a lack of verifiable information on the targeted third party/individual.
- Lack of budgets and resources for the compliance function to drive and measure compliance progress.
- Limited involvement of stakeholders in compliance. For instance, finance teams not being involved in reviewing payments to offshore bank accounts.
- Incentive mechanisms associated with performance expectations, and the compliance risks triggered by the expected performance.
- Inconsistency in treatment and disciplinary action for employees in different bands, on violations/deviations from acceptable practices as part of incident management.
A holistic assessment is expected to cover eight key pillars:
- Management Commitment: The degree and level of leadership commitment to anti-corruption compliance, time, resources and priorities established by the organization. Measuring management commitment shall extend to pre-existing or purpose-structured surveys of key people within the organization. These may include understanding the perceptions and treatment of compliance by the leader and the extent of compliance consideration in the leader’s decisions.
- Clarity and Communication: The level of clarity on policy, processes and compliance expectations within the organization and associated communications via training and awareness assessment programs. Clarity is sometimes misunderstood to be communication. A clarified policy on the intranet is easily accessible to the employees, but communication extends beyond that perspective.
- Risk Acceptance and Incentives: The level of risk that is considered acceptable to the business, the method of treatment of acceptable risk to stay compliant and the incentives associated with risk acceptance levels. An increase in risk acceptance brings a proportional increase in incentives and a possible increase in compliance challenges. Hence it is necessary to focus on risk acceptance by the organization rather than on risk assessment at an overall level.
- Expectation and Measurement: The levels of expectations on compliance, measures to monitor alignment to those expectations and the effectiveness of such monitoring measures. Setting the expectations through policies, procedures, workflows, goals and performance metrics is key, along with possible measurable parameters on adherence on a periodic basis. The monitoring mechanism has to avoid accepting that policies, procedures and workflows are sacrosanct.
- Stakeholder Involvement: The level of stakeholder involvement or stakeholder influence in enabling/progressing the compliance objective towards maturity. The role of stakeholders in the process also defines the maturity of the compliance mechanism. For instance, making stakeholders also responsible for adhering to, monitoring and measuring compliance is an approach to building the first and second lines of defense within the system, allowing the compliance officer to have effective oversight of the effectiveness of the compliance mechanism.
- Budget and Resources: The proportion of budget and resources committed to achieving the success of anti-corruption compliance. Inadequate or partial resources limit the potential to be adequately diligent in driving the compliance mechanism. While corporations may have resource constraints in specific geographies, considering the business size or operations, it is essential to assess this aspect as a best practice.
- Governance and Reporting: The levels of governance around facets of compliance, reporting protocols, communication channels and action measures for deviations. Board involvement, management information and compliance leadership reporting across channels on key compliance expectations and actions are an essential part of the governance and reporting measure.
- Incident Management and Action: The maturity of the process for incident management and actions against violations. Action on deviations, and consistency therein, is an imperative measure in the holistic assessment of the compliance mechanism.
These pillars help companies measure their stage of compliance maturity and allow them to focus on critical action at an overall level. Many of the above factors define the culture of compliance of the organization at a given point in time. These help companies differentiate themselves in demonstrating the extent to which compliance was part of a way of life within the organization when placed in front of a regulator.