A couple of months ago, guest-blogger Scott Moritz talked about risk-based compliance. His post, we now see, was prophetic. Why? Because just last week, when Aon settled an enforcement action with the U.K.’s Financial Services Authority, the real star of the show was . . . risk-based compliance.
The FSA’s Final Notice described how both U.K.-based Aon Ltd and its U.S. parent, Aon Corporation, have improved the way they’ll deal with intermediaries — the group apparently responsible for Aon’s problems in a number of countries. The Aon companies, the Final Notice said, have “designed and implemented a new global anti-corruption programme that includes a policy limiting the use of third parties. Aon Ltd has also implemented robust risk-based procedures that control and restrict the circumstances in which staff may make payments to Overseas Third Parties, particularly in high risk jurisdictions.”
Aon’s new compliance policy, according to the Final Notice, generally . . .
. . . prohibits the use of third parties whose only service to Aon is to assist in the obtaining and retaining of business solely through client introductions in countries where the risk of corrupt practices is anything other than low. These jurisdictions are defined by reference to an internationally accepted corruption perceptions index. Any use of third parties not prohibited by the policy must be reviewed and approved in accordance with global anti-corruption protocols. . . . In addition, Aon Ltd has implemented an enhanced comprehensive risk-based training regime for its staff.
How does risk-based compliance work? Guest-blogger Moritz said the concept is simple: certain customers, vendors, and intermediaries represent a higher compliance risk than others. Geography, nexus to government officials, business type, method of payment, dollar volume — all are risk indicators. And he said the key to any risk-based approach is the strategic use of information technology — tracking and sorting the critical elements, including risk-ranking, as well as enhanced due diligence and ongoing monitoring of high-risk parties proportionate to their risk profiles.
The benefits of risk-based compliance are clear. In places where risks are very low, compliance burdens can be reduced. Where risks are anything but low, compliance is stepped up one or more notches, to make sure nothing slips through. As we’ve often said, when there are more red flags around, the proper response is more compliance, not less. And that’s what risk-based compliance is all about.
And one more thing . . .
Take a look at Don Lee’s amazing story from the January 12th edition of the LA Times about Avery Dennison’s FCPA compliance problems in China. Shanghai bureau chief Lee seems to have gotten everyone to talk on the record. This is one of the best articles we’ve read in the mainstream press or anywhere else about the Foreign Corrupt Practices Act at ground level.