Skip to content

How to Develop an Ethical Culture

Subsidiaries of Daimler charged with paying bribes to officials in Russia and Croatia have agreed to pay a $93.6 million fine to the U.S. Department of Justice (DOJ) and will also pay $91.4 million to the U.S. Securities and Exchange Commission (SEC). It is just the latest in a series of high-profile corporate bribery and corruption cases in recent years that have drawn attention to the need for companies to develop and implement international corporate anti-corruption programs. 

In the United States, it is the Foreign Corrupt Practices Act (FCPA) that outlaws the practice of companies paying bribes to officials to do business in countries around the world. Many countries have statutes similar to the FCPA. There’s also an international framework under the Organisation for Economic Co-operation and Development’s (OECD) Convention on Combating Bribery of Foreign Public Officials in International Business Transactions that requires the 38 countries that are party to it to put in place laws that criminalize the bribery of foreign public officials.

“What we see is corruption is looked upon as kind of a global threat,” says Helge Kvamme, a partner at PricewaterhouseCoopers in Norway, who specializes in anti-corruption efforts. “It’s a crime, but in addition to a crime, it’s a threat to the society; it challenges so many other areas of life. It [can even play a role in] the increasing difference between rich and poor in some countries.” The same focus has not been placed on other types of economic crime, he notes.

Enforcement Trends

In 2008, German engineering giant Siemens AG settled charges that it violated the FCPA; the charges were brought by the DOJ and SEC. In one of the largest corporate fines issued in connection with the FCPA, the company agreed to pay $1.6 billion to U.S. and German authorities. That action should have served as a wake-up call for companies with global operations. Since then, investigations related to the FCPA— jointly enforced by the DOJ and the SEC—have increased.

 While the precise number of ongoing investigations is not given out, in its proposed 2011 budget, the DOJ’s Criminal Division stated that it had 100 ongoing FCPA investigations from January 2009 to July 20, 2009, a 100 percent increase from the year prior. Mark Mendelsohnwas head of DOJ’s FCPA enforcement when he told attendees at the Global Ethics Summit 2010 in February that his section may grow as much as 50 percent in size in the next year or two (at press time Mendelsohn had left the DOJ for the private sector.)

In August 2009, the SEC announced the creation of specialized teams dedicated to specific enforcement areas, including the FCPA. According to media reports, Cheryl Scarboro, who was selected as the team’s leader, recently said the team’s staff size would be between 25 and 30 and that operations would be located throughout the country, including Fort Worth, Texas; Boston; Los Angeles; San Francisco; and Washington, D.C.

In addition to a steep rise in the number of active investigations, another trend shows that individuals, rather than organizations, are increasingly being targeted. A tally by international law firm Steptoe & Johnson LLP shows that the number of individuals who were prosecuted in 2009 outpaced the number of corporate prosecutions: 28 compared to 18. In 2008, there were nine prosecutions of individuals and 14 of corporations.

“What’s happened in the last couple of years is that the enforcement authorities—both the DOJ and the SEC— have consciously adopted a policy, for deterrence reasons, of targeting individuals, particularly high-level individuals in companies,” says Lucinda Low, a partner at the law firm, who heads the FCPA practice. “They realize, or they believe, that if executives think they might go to jail, they’ll act differently,” she adds.

Early this year, the SEC announced a new cooperation policy that provides incentives for individuals and companies to cooperate with investigations and enforcement actions. The goal, Low says, is to get cooperation from lower-level employees who can assist the SEC in pursuing higher-level executives.

The SEC is also applying some “broader tools that prosecutors have in their toolbox” to focus on the prosecution of individuals, Low notes. For example, the SEC charged two executives last year with control-person liability for a corporation’s FCPA books and records violations even though the authorities did not allege that the executives had personal knowledge of the nefarious payments.

Another new development in corruption investigations is the use of undercover sting operations. In January, 22 business executives and employees were arrested during one such operation for attempting to win a portion of a $15-million contract for military and law enforcement equipment by allegedly bribing overseas officials. During the operation, an FBI investigator posed as a sales agent representing the defense minister of an African country, which was unnamed in the indictment.

The reach of the FCPA has also been extended, Low says. One example of this is that authorities are no longer targeting large multinationals to the exclusion of small and medium-sized companies. “It’s not just large-scale corruption,” Low says. “You’re seeing cases that involve payments sometimes as low as $40, and so it’s smaller scale corruption as well that’s subject to enforcement.”

In addition, the FCPA was strengthened in 1998 as part of the United States becoming a party to the OECDs Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. Now U.S. citizens can be subject to the FCPA wherever they are acting in the world, and the conduct does not have to have a connection to the United States. For foreign nationals, U.S. authorities only need to have personal jurisdiction over an offender. For example, a former Alcatel executive wanted on charges that he violated the FCPA was taken into custody by authorities while transiting through the United States on a business trip.

The international anti-corruption regulations in other countries are also being strengthened, notes Kvamme, who points out that companies can be prosecuted under more than one of these statutes for the same offenses. For example, a company operating in Norway could be investigated and fined by Norwegian authorities for violating Norway’s corruption laws while also being prosecuted by U.S. authorities for FCPA violations. In fact, news reports after the recent FCPA case involving Daimler said that the German government might investigate whether it should bring related charges against the company, which is based there.

The United Kingdom passed a new bribery law in April; it will hold organizations accountable for failing to prevent a bribe being paid by those who perform services on its behalf. If the organization has adequate procedures in place to prevent bribery, however, it will not be held liable. The law is to go into effect in October; guidance for implementation is expected in July from the U.K.’s Serious Fraud Office.

Developing a Program

The ideal situation, Kvamme says, is to have a strong anti-corruption program in place so that employees know the company does not endorse such activities, and if an incident occurs, the organization can prove to authorities that it was trying to prevent corruption by employees. “You can never prevent…somebody in your organization, even on the management level, being involved in fraud or corruption,” Kvamme says. “But if you have put resources [in place], and you can prove to the government or to the authorities that you have done as much as possible…you will be much better off and you will be treated much differently than if you have an incident and the authorities come in, and you can’t [provide] any evidence of a proper anti-corruption program.”

While there is not one standard for developing an international corporate anti-corruption program, several organizations publish helpful guides that address the issue, among them are PricewaterhouseCoopers’ Confronting Corruption: The Business Case for an Effective Anti-Corruption Programme and Transparency International’s Business Principles for Countering Bribery. Transparency International (TI), a nonprofit group that tracks corruption, publishes the latter in two editions: one for large companies and one for small and medium-sized enterprises.

Corporate culture. The PricewaterhouseCoopers guide emphasizes the importance of “tone at the top” as the first step to developing a strong program. The CEO, board, and senior executives should provide leadership throughout the development and implementation of the program. “It’s important to communicate to employees that reaching bottom-line objectives is not all that’s important,” says François Valerian, TI’s head of private sector programs.

Documentation. TI’s Business Principles recommends that the anti-corruption program be documented in writing. For a large company with a board of directors, the proposal should be presented to the board and agreed to by resolution. For a small organization, colleagues and partners should document their approval of the goals of an anti-corruption program, and once it is developed, they should formally designate it as policy. Regardless of the company’s size, once the program is developed, written, and approved by senior management, the plan must be promulgated, and its tenets must be implemented and enforced. Actions taken under the plan, such as employee training, should also be documented.

Assessing risks. Experts agree that organizations should complete a thorough risk assessment before trying to develop an anti-corruption program. They can then use the data to develop a program suited to their particular risks. “You don’t want to just put into place some set of policies and procedures that isn’t tailored to your company,” Low says. “Something that doesn’t fit is really worse than having nothing at all, because people are going to ignore it and then you really look venal if you have a problem.”

The risk assessment should consider the corruption level of all the locations worldwide where the company operates, the kind of risks in the business or industry segments in which the company operates, and where the risks are within the organization. TI has created two tools to help corporations with their risk assessments, Valerian says. They are the Bribe Payers Index (BPI), which offers a look at the supply side of corruption, and the Corruption Perception Index (CPI), which examines the demand side. 

The BPI, based on a survey of approximately 2,600 executives in 26 countries and territories, ranks countries as well as industry sectors on the likelihood that companies in these groups will pay a bribe. The CPI, a composite index based on 13 different surveys, measures the perceived level of public sector corruption in 180 countries and territories.

Companies should also consider third parties in their risk assessments. Third parties have always been a high-risk area, Low says, but historically organizations have focused on sales and marketing activities. Low says that recent corruption cases show that companies should be considering a wider range of possible third-party risks, including joint ventures or partners, customs brokers, third-party contractors handling immigration services, regulatory authorities, and security authorities.

“Basically a company has to look at who it’s working with, where it conducts its business, and then how it conducts its business,” Low says. “Anywhere [that a company] may be relying on somebody to interact with some aspect of government on their behalf, especially if there are discretionary actions of government that are involved, there are FCPA risks,” she adds.

 Another important aspect of a risk assessment is to identify the indicators of fraud in an organization, says Kvamme. “As a result of the risk assessment, you can build a kind of red flag system,’” he says. “You can use this red flag system as a very proactive tell your staff, ‘If you ever see anything like these indicators or red flags, use our proactive reporting system and report.’”

Policies and procedures. The risk assessment should have identified the forms a bribe might take in the environments where the company operates. The anti-corruption program must then describe the corporate policy for dealing with those situations. “Some activities are very clear cut, saying you don’t bribe is pretty clear cut;” Low says. “But when do gifts, when does entertainment, when does hiring somebody, when do charitable activities sort of cross the line?”

Among some issues companies may want to address are facilitation payments, gifts and entertainment, and political and charitable contributions.

Facilitation payments. While the FCPA states that it is bribery for a company to pay a government official to help its business, there is an exception provided in the U.S. law for what is called “facilitation payments.” These are payments that expedite certain routine government actions like small amounts paid to facilitate the connection of telephone service, to obtain a visa, or for police protection. However, France, Germany, the United Kingdom, and most other OECD countries do not allow facilitation payments, and the OECD recently called on countries to eliminate the exception.

There is a trend, Low says, for companies to eliminate or limit the facilitation payments that they allow. “It takes a lot of work to apply the U.S. exception,” she says. “You’ve got to be pretty confident that you’re dealing with routine governmental action, and in some countries, it’s hard to figure out what the nature of the governmental action is.”

Gifts and entertainment. Gift giving is a common and accepted practice in many countries and is often used to build relationships. However, it is a practice that is easily abused, and an organization should place limits on gifts given or received. Companies may want to set a monetary-value limit on gifts or provide employees with an idea of what is acceptable by giving examples of small gifts, such as flowers or chocolates, as well as examples of excessive gifts like jewelry or airline tickets. The frequency with which employees should accept gifts may need to be addressed as well.

Entertainment, such as meals or other hosted events, should not be accepted or given if it is extravagant or on a frequent basis. A normal business lunch at a reasonable restaurant is probably fine, Kvamme says.

Political and charitable contributions. Organizations should set up guidelines for political and charitable contributions. Local law should be consulted at the outset to determine whether there are any restrictions and what these are. TI’s guidelines caution that granting paid leave to an employee to support a political group may be regarded as a political contribution made by the business. The timing of contributions should also be regulated. For example, companies should not make contributions to a political party while negotiating a business deal or any other company matter with authorities tied to that political party.

For charitable donations, TI recommends ensuring that a charity is registered with local or national authorities. Organizations should also identify the officials of the charity to prevent a conflict of interest, and companies should make sure that any donation to a charity with which a customer has a connection is not and does not appear to be a quid pro quo for business. The group also recommends creating an approval process for donations so that there are counterchecks for any payments made.

Companies should never give money to an individual and should maintain a written record of all contributions.

Implementation. Experts agree that the biggest challenge is implementation. The major failure of many companies is they believe the job is finished after they put the policies in place. “You make a good and solid code of conduct, you tell everybody what’s wrong and what’s right…and you send a clear message out that this is our level of ethical behavior, and then you stop,” Kvamme says.

“I think the toughest challenge is to go from establishing that level of where you want to be to implementing the whole thing,” he says.

Three important aspects of implementation are establishing an effective whistleblower system, training staff, and monitoring the system.

Whistleblower system. Having a channel through which employees can report concerns is increasingly important, Valerian says. The system can be a phone hotline or computer-based, but the best practice is to have it monitored by a third party so that employees feel confident that they will be anonymous. (See related article, page 72.)

When concerns about unethical behavior are reported either anonymously through a whistleblower system or through more normal channels, the company should investigate and take appropriate action when needed. “Everybody should know that they are not only allowed to [report concerns] but it is expected from them that [they will do so] every time they see something suspicious or something that doesn’t look normal,” Kvamme says. 

Communication and training. All employees who were identified by the risk assessment as being exposed to corruption risks should be trained on at least an annual basis, Valerian says.

Training should include a discussion of international laws and regulations relating to bribery and corruption. It should also include instruction on what constitutes ethical behavior and how to make ethical choices. For that purpose, PricewaterhouseCoopers has established an ethical decision model, which asks company employees, when faced with a dilemma, to consider questions like the following: Does it go against company or professional standards? Does it feel right? Is it legal? How would it look in the newspapers? Would you be able to sleep at night?

Training should be tailored to the various operational lines of the company and the specific risks to which employees in that section or geographic location are exposed. Training and other communication relating to the program should also be translated into the various languages of operation of the company.

Monitoring. Monitoring compliance can be very difficult as well. “[The FCPA] is the most profoundly extra territorial statute there is because it makes companies responsible for what’s going on in their most remote foreign operation,” Low says. “In a foreign affiliate that may be a separate legal entity operating thousands of miles away, they’re still obliged…to have controls and systems in place to prevent and detect and remediate improper practices. And it can be very hard, especially if you’re a major multinational company with far-flung activities…to know what’s going on in all those foreign operations, much less control them.”

Valerian recommends empowering the chief compliance officer or chief social responsibility officer with monitoring and implementation of the program. According to TI’s guidelines, contract terms should be monitored, accurate written records should be kept, and the program should be reviewed regularly, perhaps as an agenda point on the board or as a business meeting agenda.

Compliance with anti-corruption policies should also be noted on all employees’ annual job performance reviews “so that employees know that they are also measured on their ability to behave,” Valerian explains. “That part is often missed in the corporation.”

Outreach. A well-designed and well-implemented anti-corruption program may not always do the trick, however, says Michael Hershman, president of the Fairfax Group, LLC, and a cofounder of TI. “When you’re dealing with a company that has tens and tens of thousands of employees working around the world, you are going to violate the law somewhere along the line,” he says. “You are going to have a rogue employee or two or more that want to get ahead in the company, want to exploit for their own benefit the systems, and they’re going to get your company in serious trouble.” When that happens, he says, the company must be able to show law enforcement and the regulatory authorities not only that it has checked the boxes but that it has a broader approach to corporate ethics and governance and compliance.

He recommends that companies build good will by going beyond simply complying with the laws; they can do that by being good corporate citizens and engaging in corporate responsibility projects that give back to the local communities in which they operate around the world. “They have to let those people know that, yes, they’re there to make a profit, and hopefully a healthy profit, but they’re willing to give as well as take,” he says.

Hershman was appointed as the independent compliance advisor to the board of Siemens after the disclosure in 2006 that the company may have violated foreign bribery laws. He says he helped Siemens create an outreach program through which it worked with NGOs, governments, and other businesses in a collaborative effort to bring greater transparency and accountability to the company’s international trade activities.

The effort helped the organization mitigate the level of the punishment, Hershman says.

With increased enforcement of anti-corruption laws on the part of numerous authorities comes the need for more awareness and vigilance by companies. Developing and implementing an international corporate anti-corruption program is critical to reducing the risk that bribery laws will be violated. Should a violation occur, an organization’s ability to show a genuine effort to curb bribery, along with evidence of corporate social responsibility, may help to mitigate the harm done to the company’s reputation and bottom line.

Stephanie Berrong is an assistant editor at Security Management.