After news broke in late August that the U.S. Department of Justice was investigating Uber’s potential violations of the Foreign Corrupt Practices Act (FCPA), the National Law Review wrote, “In our experience, once DOJ begins learning about a particular industry in such an investigation, the investigation will expand to other players within the industry. It’s called an ‘industry sweep,’ and it’s a thing.”
If tech startups are now under the DOJ microscope, then the case for implementing anti-bribery compliance programs — regardless of an organization’s size — has been strengthened. That can seem counterintuitive, since startups usually launch with a small, very localized footprint, which would seem to negate the need for an FCPA compliance program.
The challenge for startups — and other small-to-medium-sized businesses — is balancing the cost of a compliance program with the level of risk. Uber went from small startup to global disruptor operating in 70 countries in only eight years. And while not every company experiences such a rocket-like growth trajectory, the global nature of supply chains means that companies are more vulnerable to third-party risk exposure.
The risk increases further for companies within regulated industries. As the National Law Review pointed out, “Playing abroad in a regulated industry requires constant interaction with foreign government officials. Each of those interactions creates a risk that some payment, offer, or business hospitality could be considered an FCPA violation.”
For Uber, the allegations involve payments to police to facilitate the licensing of its drivers, but bribery risk could just as easily involve gifts offered by pharma reps to doctors at state-run hospitals.
The ISO 37001 certification standard introduced last October was designed for flexibility, making it appropriate for multinational companies, small and medium-sized enterprises, and public, private, and non-governmental organizations.
Moreover, ISO 37001 is written in straightforward business language — rather than the complex legal jargon that permeates guidance provided by anti-bribery enforcement agencies in the U.S. and UK — making it far more approachable for organizations that don’t have a fleet of lawyers and compliance professionals on the payroll.
The ISO 37001 requirements establish a framework that companies can follow, even if their current risk level is low, to help ensure that as they expand into new geographies — through direct operations or via their supply chain — companies can mitigate bribery risk.
Those requirements include:
1. Implementing a clear, anti-bribery policy
2. Establishing management leadership, commitment, and responsibility
3. Developing personnel controls and training
4. Conducting risk assessments and due diligence on projects, business associates and other third parties
5. Executing financial, commercial, and contractual controls
6. Instituting an ongoing process for reporting, monitoring, investigating, and reviewing
7. Taking corrective action when indicated and focusing on continual process improvement
Whether companies are seeking ISO 37001 certification or not, small to mid-size companies, including young startups, can start the process without breaking the budget.
While risk remains relatively low, beginning with the first three requirements can help to generate awareness. As circumstances change — such as expansion into a new market in a foreign country — companies can implement the rest of the requirements.
Technology, like automated risk screening or due diligence platforms, can further strengthen companies’ anti-bribery compliance programs. The cost of such tools may even be offset by the savings realized through lower human resources demand.
In addition, improved risk awareness helps companies respond quickly when a red flag is spotted, reducing the potential financial and reputational damage caused by corruption allegations. Ultimately, not every company needs ISO 37001 certification, but Uber’s current plight certainly shows that companies need to periodically conduct risk assessments to determine whether a more proactive approach to bribery risk mitigation is needed.
Karen E. Gray is a Senior Entity Due Diligence and Monitoring specialist for LexisNexis. She serves as an expert and central point person for all due diligence and third-party monitoring solutions. She is a resource for Benchmarking, Market Intelligence, Strategic Category Management, and Vendor Selection, and focuses on efforts to improve profitability and cash flow, risk mitigation and operational efficiencies with regard to vendor selection and monitoring.