All organizations inherently face bribery risks to some degree, whether it is the organization itself or persons related to it that offer a bribe (active bribery) or when the organization or persons related to it receive or act on the expectation of receiving a bribe (passive bribery). In this respect, on December 9, 2003, the United Nations (UN) passed the Convention Against Corruption, and International Anti-Corruption Day is observed annually on that date. In addition, the 2030 Agenda for Sustainable Development was launched in 2015 during a UN summit. Target 16.5 of that agenda aimed at substantially reducing corruption and bribery in all their forms (emphasis mine).[1]
Corruption can be defined as a scheme in which an employee misuses their influence in a business transaction to gain a direct or indirect benefit, violating their duty to the employer.
Bribery is categorized as one of the corruption schemes; it is the act of offering, promising, giving, accepting, or soliciting an undue advantage of any value (monetary or not), directly or indirectly, as an inducement or reward for a person acting or refraining from acting in relation to the performance of that person’s duties.
However, the target of “substantially reducing corruption and bribery in all their forms” set in the 2030 agenda is far from being met. According to the Association of Certified Fraud Examiners 2022 Report to the Nations, the percentage of cases involving corruption is on the rise—from 33% in 2012 to 50% in 2022—while corruption was by far the most common occupational fraud scheme around the globe.[2]
What can organizations do to address this rising risk?
A road trip
The idea hit me while driving my car on a cloudy and cold day on a mountainous road. I had been invited to participate in a panel discussion at the 2023 Conference of the Institute of Internal Auditors of Albania, titled “The Road to Building Trust,” to share my experience related to bribery and corruption. Seeing that the road trip from my hometown to Tirana, Albania, would last approximately six hours, I invited my wife, Sofia, to come along.
During the trip, I rehearsed points I wanted to make at the panel discussion. I was going to present successful practices to fight corruption and the significance of an anti-bribery policy.
It was then that Sofia asked me, “So, does having a well-designed, anti-bribery management system actually limit bribery risk?” It was that question that prompted me to write this article.
What is an anti-bribery management system
Most organizations are active in environments where bribery flourishes. Thus, customers may ask employees to serve them with priority or to obtain preferential pricing; suppliers may attempt to entice managers to prefer their products or services, and so on.
So, what can an organization do against this threat?
Let me recount what an organization I was part of did to respond to this threat. The organization formed a project team, including the internal audit department in a consulting capacity, the compliance department, and other units involved in the organization’s operations.
The team decided not only to design an anti-bribery policy but also to take an additional step: to set up an anti-bribery management system and have it certified against the requirements of ISO 37001.
An anti-bribery management system provides an organization with guidance on implementing anti-bribery measures commensurate to its type and size and the nature and extent of the bribery risk the organization faces. It is a series of policies, procedures, and controls tailored to each organization’s specifics that help it establish, implement, and improve.
An anti-bribery management system is designed to instill an anti-bribery culture within an organization and implement appropriate controls. This will, in turn, increase the chance of preventing, detecting, and responding to bribery risk and complying with anti-bribery laws. The system can be independent of, or integrated into, an overall management system.
Having an anti-bribery management system ensures that the shareholders, board of directors, investors, employees, customers, and other interested parties take the appropriate measures to respond to the risk of bribery.
Components of the system
An anti-bribery management system includes:
-
The anti-bribery policy;
-
Management leadership and commitment;
-
Risk register design and population;
-
Risk and control assessments;
-
Employee training;
-
Due diligence on projects and business associates;
-
Financial, commercial, and contractual controls;
-
Segregation of duties, approval authorities, and workflows;
-
Reporting, monitoring, and review;
-
Continuous improvement.
Setting up the system
After management approved the anti-bribery management system project, we started by preparing a well-thought-out project plan with clear timelines, roles, and actions.
Then we went on to design the anti-bribery policy that:
-
Set the appetite and tolerance of the organization toward bribery risk;
-
Provided the framework for setting, reviewing, and achieving anti-bribery objectives;
-
Encouraged raising bribery concerns in good faith without fear of retaliation, discrimination, or disciplinary action; and
-
Explained the consequences of not complying with the anti-bribery policy.
We made sure that this anti-bribery policy was:
-
Available in a single document;
-
Approved by management;
-
Using appropriate and easy-to-understand language for the target audience; and
-
Published through the organization’s internal and external communication channels so it was easily accessible (e.g., intranet portal, website, social media accounts).
The next step was critical to setting up an effective system. We had to identify the bribery-related risks the organization could face, assess them, and decide which were the most significant to address to effectively prevent, detect, and respond to them.
So, we identified the organization’s activities that make it vulnerable to bribery, the circumstances that could make bribery more likely to occur, and the way in which a bribe can be transferred. Thus, a risk register was created and populated, forming the basis for assessing and prioritizing the identified bribery risks.
Identification of potential risk events can come through a wide range of external and internal resources, such as:
-
Publicly available information;
-
Cases where bribery risk materialized;
-
Interviews and surveys performed with board members, management, and employees;
-
Surveys to suppliers, customers, and other external stakeholders;
-
Internal audit findings and compliance reports;
-
Concerns raised through hotlines; and
-
Risk and control self-assessment exercises.
The next step was to assess the bribery-related risks in the risk register in accordance with the instructions provided by the organization’s risk management policy. The assessment took into consideration two characteristics of the risk events: the probability that a specific risk will materialize and the impact the specific risk event would have on the organization’s objectives.
After that, the organization’s risk responses to the most significant bribery risks were identified and put in the risk register. Then, the design and effectiveness of these responses were evaluated, and we ended up with the residual bribery risks—prioritized based on their probability and possible impact.
For those residual risks outside the appetite set by the organization’s board of directors, the risk owners were asked to develop action plans that would enhance the existing risk responses or develop new ones. In this respect, policies and procedures that clearly define the standards and controls could be developed to ensure the organization’s employees are aware of and can execute their duties and responsibilities in line with these expectations.
The next step was employee training and stakeholder awareness of the anti-bribery management system and its requirements. This was achieved through workshops, emails, postings on the organization’s intranet and website, and inclusion of relevant terms in contracts with customers and suppliers.