This module is a resource for lecturers
Preventing private sector corruption
Stricter and more nuanced regulation requires and incentivizes companies to strengthen compliance with rules, but also to focus on their values and develop an ethical culture. Stakeholders such as employees, customers, shareholders, business partners and civil society expect even higher standards of integrity and ethical business conduct than the imposition of mere rules can enforce. Focusing on rules and regulations alone will often fall short of meeting these higher expectations of ethical business practices. Therefore, an effective ethics and compliance programme, which goes beyond mere compliance and aims to foster a culture of integrity, should include internal, external and collective measures.
From legal to behavioural approaches
The global application of legal anti-corruption norms for companies creates incentives for businesses to adopt ethics and compliance programmes that can detect and prevent corruption in organizations to avoid sanctions and reputational damage. Besides, for companies, engaging in efforts to prevent corruption makes good business sense given the negative impact corruption can have on individual businesses and the market as a whole. This also involves altering both organizational behaviour and corporate culture (Sullivan and others, 2013; UNODC, 2013a).
Legal compliance approaches that merely rely on rules to be enforced by the company itself, with threats of criminal or civil punishment to back them, have historically been the primary mechanism to address corruption in the private sector. Several governments and international organizations have issued guidelines to help companies map their anti-corruption ethics and compliance programmes. UNODC, for example, has published An Anti-Corruption Ethics and Compliance Programme for Business: A Practical Guide and an Anti-Corruption Ethics and Compliance Handbook for Business (in cooperation with OECD and the World Bank). The International Standardization Organization has even approved a standardized anti-bribery management process, the ISO 37001.
However, early compliance programmes were problematic, because companies tended to focus on processes such as enacting codes of conduct and implementing internal rules and procedures without assessing the outcomes of these processes and the impact they had on ethical and behavioural issues within the companies (Hodges and Steinholtz, 2017). Therefore, such processes did not disrupt companies' problematic business models. Compliance programmes were seen as separate from core business operations, and programmes were therefore unable to change the values and working methods of the organization. As a result, corporate cultures of wrongdoing remained largely intact. When large-scale cases of corruption emerged, demonstrating that often corporate wrongdoing was not caused by rogue employees but by a specific corporate culture, the focus began to shift to aligning organizational culture with anti-corruption goals (Torsello, 2018).
Legal approaches to corporate liability addressed this shift through the lens of orthodox economics and rational choice theory (See, e.g., Becker, 1968). In a nutshell, the assumption was that the right mix of detection and sanction was the key to deterring misbehaviour. Relying exclusively on deterrence in practice is, however, too costly and ineffective, both economically and socially (Hodges and Steinholtz, 2017). Psychological and behavioural science research shows that changes in behaviour motivated by incentives and sanctions come at a high cost. These changes require the provision of financial and personnel resources, for example surveillance systems and systems of incentives and related tracking. Moreover, anti-corruption ethics and compliance programmes strongly based on detection and sanctions send a message of distrust within an organization. Surveillance can have a particularly negative impact on corporate culture. In an environment of distrust, employees may be reluctant to voluntarily observe and disclose breaches of internal policies and may feel disengaged and under continual suspicion.
To overcome a corporate culture of wrongdoing, top management needs to make clear that it does not advocate or condone wrongdoing, and that after a proper root cause analysis and investigation, intentional corruption will be punished. In technical jargon, this is often referred to as "tone from the top". Such a policy of zero-tolerance of corruption should be communicated within a framework that couples the stick of punishment with the carrot of a positive message about the type of behaviour that the company expects from its employees.
Conducting root cause analysis and investigations before determining whether punishment is required also contributes towards building a "just culture" where fairness is perceived and where people can learn from their mistakes. In such an environment, it will be possible to determine the true cause of the problem (which might be, e.g., that targets set by senior management are impossible to meet any other way) and to learn from the exercise and fix the underlying problem, rather than just blaming and punishing a scapegoat.
It is increasingly accepted that, compared to legal compliance approaches, behavioural change approaches premised on value-based programmes lead to higher levels of ethical awareness, more employees seeking advice on ethical issues, and a greater likelihood of employees reporting violations, thus minimizing damage. Value-based programmes are premised on the assumption that employees engage with whichever values are present in the company, pro-social or anti-social, and adopt them as their own. When these values are oriented towards pro-social engagement, employees are more likely to comply with rules, even when they are not monitored. Key elements in value-based programmes are treating employees fairly, rewarding ethical behaviour, remedying unintentional unethical behaviour, and punishing criminal behaviour (Treviño and others, 2006). A step further in this direction is to develop a Values Pledge. This is a collective commitment of organizations to become a truly values-driven organizations and to support the creation of value-based business environment. The UK Values Alliance is a good example of an initiative which brings together individuals and companies aiming to develop a Values Pledge in UK.
Research findings and practical experience suggest that value-based models are not only as or more effective than traditional coercion-based models, but they are also much better at encouraging voluntary compliance with the rules and lessening the difficulties and costs associated with creating and maintaining effective surveillance mechanisms needed for sanction-based models. For a broader discussion on values and value-based programmes for businesses, see Module 11 of the E4J University Module Series on Integrity and Ethics.
The work of Langevoort (2017) is especially helpful to understand how to apply behavioural ethics findings to the implementation of anti-corruption ethics and compliance programmes. Beyond the obvious need to align compensation schemes and promotion practices with ethical values, Langevoort's work shows how widely accepted ideas about what makes a business successful, for example group loyalty, competitiveness and risk appetite, may work as hidden pathways for unethical behaviour.
Effective anti-corruption ethics and compliance programmes
There are different management models for internal measures that ensure business integrity and ethics, but they all share similar characteristics:
- Business leaders and managers actively voice support for doing the right thing, and are personally committed and willing to act on the values they espouse. However, the tone should also come from the middle managers, who are the team leaders and backbone of companies. It can be said that ethics is everyone's responsibility, even though it must start at the top.
- The guiding values and commitments make sense and are clearly communicated at every appropriate opportunity, including in a well-balanced code of ethics and guidelines.
- Internal measures are based on a risk assessment to spend limited resources as effectively as possible.
- The values are integrated into day-to-day business, and practical resources and training are provided to guide employees even in difficult situations and grey areas.
- An internal control system is established and there are various channels for reporting, such as whistle-blowing.
- The anti-corruption ethics and compliance programme is understood as a continuous process of learning, and measures are monitored and reviewed on a regular basis. Freely available resources can be used for continuous education purposes, such as the video-based e-learning tool developed jointly by UNODC and the United Nations Global Compact (which is the focus of the pre-class exercise of this Module).
Having the full support and commitment from all levels of management is essential for creating a culture that is driven by ethical values and implementing an effective anti-corruption ethics and compliance programme (UNODC, 2013b). When developing the programme, consideration needs to be given to oversight mechanisms with internal controls and record-keeping. Effective programmes also have clear, visible and accessible policies prohibiting corruption, mitigating particular corruption risks and addressing violations. They also establish channels for reporting on corruption (UNODC, 2015).
For larger companies, the programme should engage with business partners, subsidiaries and intermediaries. Employee training and the promotion and incentivizing of ethical behaviour and compliance are essential for effective implementation. The programme as a whole should be reviewed and evaluated periodically (OECD, UNODC and World Bank, 2013). The effectiveness of measures in place also needs to be improved from time to time. Larger companies are encouraged to expand measures to third parties and to share good practices, for example by participating in anti-corruption collective action projects, which are discussed further below.
Companies should not only focus on their own culture for ethics but also engage with business partners and their supply chains. Intermediaries are very often the weak link and the public perception does not only focus on the supplier itself but also on the companies that contracted them (UNODC, 2013b). In addition to ensuring compliance with national and international regulations, companies should thus adopt a proactive approach to strengthen business integrity and ethics in their supply chains, regarding their corporate responsibility and sustainable business practices.
Finally, companies can also engage in collective action such as sharing experiences in working groups or joining initiatives such as the United Nations Global Compact. In environments in which unethical practices are prevalent, companies could resort to collective action to try to change the status quo. For example, they could get regulators to intervene or set standards in areas such as supply chains. Such collective action is addressed below in further detail.
Businesses may require different approaches to create an effective ethical culture owing to their characteristics, for example, in terms of size, legal status and/or complexity. There is no one-size-fits-all model, but the underlying principles apply to both large and small companies, including start-ups (OECD, UNODC and World Bank, 2013). For example, in a large business, one manifestation of the tone from the top may be a video statement on the website or a postcard with a quote from a management representative sent to the employees, since it is not possible for the CEO to meet in person all employees. In an owner-led smaller business, one-on-one talks with the employees raising the importance of integrity as a core value of the company would be appropriate.
While a small company or start-up may not need to draft an elaborate code of ethics (although that will change as the business grows), a multinational may need to consider the best way to express its values in different contexts and pay attention to different country regulations to which its staff will be held accountable. The multinational will also need to assess the risks of unethical behaviour in the different environments in which it operates to select the appropriate controls that it needs to institute. A multinational corporation is also often faced with the problem of cultural or regional relevance. Should there be one code that applies throughout all the countries where it operates, or should there be a multiplicity of codes to make provision for different contexts? The most elegant solution is to have a global code that provides high-level guidance on the values of the company, supported by country guidelines that provide a level of flexibility, but never in contradiction with the global values or applicable law, which may be that of another jurisdiction, such as the UK Bribery Act or the US FCPA, since a multinational company may be subject to those statutes wherever it does business.
UNODC's An Anti-Corruption Ethics and Compliance Programme for Business: A Practical Guide provides advice to businesses on how to put enhanced integrity standards into practice. This Guide focuses on basic common elements that businesses should address, with a particular emphasis on the challenges and opportunities for small and medium-sized enterprises. It draws on the United Nations Convention against Corruption as well as other international and regional instruments that provide businesses with guidance on how to uphold enhanced integrity standards and be good corporate citizens.
Additional international initiatives that provide business ethics guidance include the World Economic Forum's Partnering Against Corruption Initiative (PACI), the United Nations Global Compact, the Alliance for Integrity, Transparency International's Business Principles on Countering Bribery, G20/OECD Principles of Corporate Governance, G20's Business 20 (B20) and the OECD CleanGovBiz Initiative.
Many organizations have developed guidelines to help facilitate good practice . For instance, Mexicanos contra la Corrupción y la Impunidad (Mexicans against Corruption and Impunity), a Mexican non-profit that focuses on protecting the rule of law and denouncing, punishing and eradicating systemic corruption and impunity in both the public and private sectors, has published its code of conduct. This code serves as a standard and source of guidance for businesses that are drafting and implementing their own codes of conduct (Mexicanos contra la Corrupción y la Impunidad, 2019). For more discussion on codes of conduct and codes of ethics in business, see Module 11 and Module 14 of the E4J University Module Series on Integrity and Ethics.
Risk management approaches to fighting corruption in the private sector
Even when they adopt anti-corruption measures, all organizations are still subject to corruption risks. Ethics and compliance programmes should therefore include procedures for the identification and treatment of corruption-related risks that could affect the performance of the organization (COSO, 2016). Risk management approaches have become an essential part of the corporate compliance field. Overall, the corruption risk management is seen as a process of identifying and prioritizing (assessing) the risks, in order to design a meaningful plan to address them, and then to implement the plan, while monitoring the changing environment and being ready to have a flexible response to new challenges.
Corruption risks vary. While there are external risk factors related, for example, to the country, industry sector and type of operation, there are also internal risks that are organization-specific, such as insufficient reporting channels, conflicting incentives, and a lack of policies and procedures. Corruption risks differ from company to company according to their distinctive characteristics, such as size, structure, geographical factors, business model or internal operations. The size of the company matters particularly as it dictates how measures and strategies can be applied. Size is correlated to resources, such as staff, time and money, that influence what kinds of anti-corruption ethics and compliance programmes can be implemented (Sullivan and others, 2013). The limited availability of resources, for example, makes risk assessments particularly difficult for small and medium-sized enterprises (SMEs), which must strike a balance between cost-effectiveness and efficiently reducing corruption risks. However, a lack of resources should not be a barrier to developing an ethical culture.
Corruption risk assessments are essential to ensure that resources are being applied where they most matter and to reinforce transparency, build trust and reduce corruption. To prevent and fight corruption effectively, the company needs to know how and where the crime happens. Such knowledge enables the targeting of real and not just perceived problems within a given organization's processes and structures and, eventually, the identification and application of relevant measures aimed at resolving these problems. Corruption risk assessments can be crucial because, while managers might acknowledge the risk of corruption on a more general level, they might not know or realize the exact mechanisms through which their company is exposed to corruption.
In recent years, several international organizations have developed tools and mechanisms to support the private sector's need to identify and respond to corruption risks. Such risk assessment tools have been developed, for example, by the United Nations Global Compact, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Regional Anti-Corruption Initiative (RAI) and Transparency International.
While the above-mentioned guides differ in some aspects, such as terminology, steps of the process and techniques for collecting and analysing data, most of them follow the standardized framework for designing, implementing, and maintaining corruption risk management systems offered by the International Standards Organization (ISO) in its ISO 31000 - Risk Management - Principles and Guidelines . This framework suggests a standard approach to risk management, consisting of three main phases: risk identification; risk analysis; and risk evaluation (ISO 31000, 2018). This approach is illustrated in the PowerPoint slides available in the Additional teaching tools section of this Module.
Corruption risk assessments in companies should focus on both internal and external risks, including organizational culture risk. Once specific corruption pathways are identified, it then becomes possible to put in place additional controls and checks to prevent these acts from being perpetrated. To ensure an effective and affordable compliance system, risk assessments must be conducted on a regular basis, as well as when there is a significant change in the business of the company.
Business partner's due diligence
To externalize business risks and for other reasons, companies sometimes outsource operations to third parties such as agents, consultants, distributors, subcontractors, re-sellers, foreign subsidiaries, business partners in joint ventures and, in general, anyone with the capacity to act on behalf of the company or whose conduct can end up benefiting the company. However, working with third parties presents significant corruption risks. For example, research from the OECD (2014) indicated that 75 per cent of all transnational bribery enforcement actions conducted between 1999 and 2014 involved payments through intermediaries. The practice of using intermediaries to channel bribes is so extensive that the international community responded by tightening company responsibility by requiring due diligence to be performed when dealing with third parties.
The duty to supervise the behaviour of third parties emerges from the principle that anyone who creates a situation of risk or danger is obliged to adopt appropriate precautionary measures to serve as protection against the occurrence of the harm. To address third party risks, companies first need to map their third parties globally and understand the purpose of each commercial relationship. This information allows companies to classify their third parties into a risk matrix and adopt appropriately proportioned measures to mitigate the identified risks. In many cases, due diligence processes result in a reduction in the number of business partners and in the rationalization of operations, often to the benefit of the corporation.
Risk mitigation measures range from getting the business partners' acknowledgment and commitment to abide by the law and by the company's code of conduct to establishing contractual safeguards, including audit and termination rights, and carrying out third parties' anti-bribery training. Part of the due diligence process involves checking the reputation of potential business partners against different databases, for example those containing sanctioned persons, blacklisted persons, politically exposed persons (PEPs), and adverse media reports in local language. If the third party shows up in these lists, then the company can undertake a more thorough investigation. For a discussion of the evolution of third party due diligence, see Transparency International UK (2016).
As with employees, measures aimed at mitigating third party risks can take different shapes. Companies may concentrate on avoiding working with business partners suspected of corruption. An approach based on surveillance and sanctions will focus on the selection process of business partners and on legal measures to protect the company if the third party subsequently violates the rules. By contrast, a value-based approach aims at working with partners who share common values and at helping them to create the right corporate culture to avoid corruption. This distinction is especially important in contexts of systemic corruption, where local business partners are hired for a specific process, such as customs clearance, and obtaining licences or permits, and may have little choice but to pay bribes to deliver the goods and services to their clients. In a more coercive compliance relationship with large companies, local agents might be inclined to hide their activities. In a more open relationship, local agents can engage with large companies in a collective strategy to reduce corruption in that specific business process.