For those doing business internationally, the Foreign Corrupt Practices Act (FCPA) is a critical initiative ensuring no individual acting on behalf of the organization pays, or offers to pay, directly or indirectly, money or anything of value to a foreign official to obtain or retain business. The penalties are significant, ranging from $250,000 to $5 million per violation, 5-20 years’ imprisonment, and potential delisting from the stock exchange. The total settlements are staggering: Siemens for $800 million, KBR for $579 million, BAE Systems for $400 million, Snamprogetti for $365 million, Technip for $338 million, and the list goes on and on. Moreover, FCPA enforcement is ramping up.
Critically, FCPA regulations extend beyond employees, cascading down the supply chain into subsidiaries and any third parties acting on behalf of the organization. Just three years ago, according to the Business Ethics Management Group, 78% of Global 2000 organizations did not include partners/suppliers in their Code of Conduct practices. Now, however, companies are faced with the daunting task of providing proper due diligence. It’s no easy task.
As corporations tackle this regulation, similar regulations are adding to their burden: for example, the newly passed UK Anti-Bribery Act. And companies are finding that each country’s privacy laws present additional challenges, such as segregation of duties on a country-specific basis.
FCPA compliance requires a company to know where it does business, directly or indirectly, because different countries mean viewing compliance through different lenses. Companies must know with whom they do business, as dealing with a foreign government entity, or an entity in which a foreign government entity has an interest, requires higher scrutiny. In addition, a company must know how it is doing business, whether through direct sales or through third parties. This information is often housed in several systems spanning many countries, with limited aggregate visibility.
You should be concerned with:
- Multiple, disparate systems containing supplier information
- Managing a program that spans multiple languages
- Timely reporting on compliance issues
Companies will continue to be exposed to significant risk if they don’t address these basic data elements as part of their supplier master data management.
Lack of Controls
In an interview, Mike Tyson said “Everybody’s got plans… until they get hit.” In his world that statement is more often than not true. In FCPA, however, there is no room for error. The processes, the information collected, who is involved both internally and externally, the escalation procedures, etc., must all be defined and followed. Automation of an FCPA compliance initiative is the only way to ensure everyone understands the standards of doing business and that, if you get hit, your company follows the correct procedures to minimize or eliminate penalties and fines.
You should be concerned with:
- Ability to segregate duties, and the information each party can view, among stakeholders
- Exception handling and reporting to executives
- Insight and control over third parties conducting business on your behalf
Having an automated set of policies and processes is important, but doesn’t ensure all parties will comply completely. Infractions, once discovered, require extensive and detailed investigations that are only further complicated by missing records. As such, strong controls focused on FCPA information collection are needed to ensure that all relevant information is captured and that a complete record exists, both for audit and for cost reduction.
The Federal Sentencing Guidelines state that the board of directors must be knowledgeable about the content and operation of the company’s FCPA compliance program and must “exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.” Is your supplier management solution up to the task? Audit trails and all, you’d better make sure it is.
Lack of Automation
FCPA impacts the way companies can do business abroad, often varying from country to country. Some countries have legal requirements that push against, or increase liability within, FCPA standards. Many countries in the Middle East, for example, require companies to utilize a local agent or representative. Some countries require companies to use in-country businesses to supply goods and services. Other countries have state-owned entities which have a compelled giving component. The network of workflows, surveys, and standards is complex and requires intelligent, flexible systems to streamline the FCPA initiative.
You should be concerned with:
- Ability to automate data collection and processes within a multi-tiered, complex network of third parties
- Resources to manage and monitor the anti-bribery compliance initiative
The old management adage is that “you can’t manage what you don’t measure.” In an environment where data resides on many systems, resources are scrambling to find information, and processes are not automated, management more closely resembles “putting out fires.” Intelligent systems ensure all the needed information is in place, enabling the regular management and supervisory activities necessary to ensure a successful FCPA program.
FCPA program compliance requires a number of key elements including:
- Support for the program from the top
- An ability for the monitoring body to provide timely updates to the board of directors
- Inclusion of employees, suppliers, and all third parties within the program
- A system where employees can report compliance violations, with automated routing and reporting
- Easily accessible reports to monitor the effectiveness of the program
The HICX FCPA/UK Anti-bribery solution gives you the ability to:
- Centralize control of FCPA/Anti-bribery initiatives for the collection of information, including employees, third parties, intermediaries, partners, and subsidiaries
- Track and manage policies and business practices with your third-party contractors, government officials, and transactional partners
- Access a central repository that contains all supplier information, trading partner profiles, contacts, relationships, facilities, and contracts
- Automate and centralize collection of credentials, whether trading partner information (policies, contracts, etc.) or agreed-upon compliance standards
- Automate escalation and notification when compliance standards are not agreed to
- Measure and score risk on compliance, as well as report on high-risk areas and/or operational exposure
- Have full auditability of records, from data change to communication of policies to training
- Integrate into other systems for necessary external information transfer