The DOJ expects the risk-based approach to saturate compliance programs. It calls for risk-based training, risk-based due diligence, risk-tailored resource allocation, and even “risk-based and integrated processes” to deal with onboarded third parties, according to the Evaluation of Corporate Compliance Programs.
That approach makes sense. If a reliable assessment reveals low risk, companies aren’t required to waste resources to unnecessarily boil the ocean. If the assessment shows high risk, they respond by devoting more compliance resources, demonstrating their effort to comply.
Bottom line: Companies should devote “appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction,” the DOJ says.
If a compliance problem happens anyway, Main Justice instructs prosecutors to consider the company’s risk-based efforts. Conversely, when an FCPA defendant can’t demonstrate the presence of those risk-based elements, it is likely to face stiffer consequences. So there’s a strong incentive for companies to do the right thing, and that’s good.
So, what’s the problem? It’s this: Risk isn’t always equal, not even for companies in the same industries and markets and with the same customers and intermediaries. Corruption risk is more variable than we often perceive.
What makes it variable? Well, variables. Here are a few.
Some companies — a growing number of them, I hope — refuse to pay bribes. They take zero-tolerance seriously. They won’t do business with sketchy intermediaries or bribe-demanding rulers or civil servants. They operate transparently and, when needed, make loud exits from markets where it’s not possible to do business cleanly. As a result, their host-country leaders learn not to seek bribes from them.
Other companies have lower expectations. When they’re in a market that’s perceived as risky, they expect problems. For them, compliance problems are part of doing business in certain places. “We don’t like what goes on there, but we can’t stop or control it, no matter what we do.” Wily host-country politicians and bureaucrats can sniff out that attitude. It stimulates their appetite for bribes and puts those companies at more risk from bribe seekers.
The second group might also include companies that harbor cynicism about compliance. Yes, they may display to the outside world appropriate indicators of an intention to comply. But deep down, there’s no real commitment. Corporate leaders can’t help but communicate to subordinates their attitudes toward compliance, and cynicism at the top can spread invisibly and silently through organizations. Any outside assessment of how committed a company like that was to risk-based compliance won’t tell the whole story.
On the flip side, personal relationships between country leaders and corporate bosses can reduce the risk of corruption. If the ruler of an African country, say, and the CEO of a global company were once classmates in an MBA program at Stanford or the London School of Economics and bonded while there, their friendship and mutual respect could help insulate their business dealings from corruption risks.
In a similar way, stable, long-term business relations between a country and a company can promote clean business. From stability comes predictability and familiarity, and those generate mutual trust. Does increased trust lower the pressure on companies and country leaders to engage in corrupt practices? I think it does. Suppose a company has been doing business with the government of Country X for generations. In that case, both sides are more likely to value the relationship and avoid tainting it through bribery or other abhorrent behavior.
Companies with a history of family ownership and leadership are less likely to engage in corruption. There have been 273 corporate FCPA enforcement actions, according to FCPA Blog+. By my count, just eight of those 273 cases involved family-owned or -managed businesses. That’s under three percent of all corporate FCPA defendants. And yet, family-owned companies make up more than a third of the Fortune 500 and dominate most economies.
In other words, family-owned or -managed businesses appear to be at least 20 times less likely to be prosecuted for FCPA offenses than non-family-owned businesses. Why? Compliance becomes a personal priority when a family’s reputation is on the line. Yes, profitability might share the top rung of the priority ladder, but not at the expense of the family’s reputation.
I’m trying to show that not all factors that might increase or decrease risk can be measured. That doesn’t mean they don’t exist and aren’t exerting an influence, sometimes a very powerful influence. But it does mean they won’t register with the DOJ should a problem need explaining. Instead, and by necessity, the DOJ will use conventional tools to measure the company’s risk assessment and response to it.
I said at the start that risk-based compliance makes sense. It incentivizes most companies to be more careful when risks arise. But risk assessments judged from the outside aren’t always accurate or complete. Like much in life, there are forces at work that we can’t see or measure. Traditional risk-assessment tools are blind to some of the most important variables.
That’s not a reason to abandon risk-based compliance. But it is a reason to wonder how we might look deeper into what factors might reduce corruption risks, and how we might nurture those factors, even though they can’t be seen or measured.