On 4 May 2021, Transparency International published its “Making it count” report on measuring the effectiveness of anti-bribery and corruption (ABC) programmes (the TI Report).
Authorities globally are focused on the practical effectiveness of companies’ ABC programmes. As the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) Resource Guide puts it, authorities’ primary question in relation to a compliance programme is “does it work in practice?” The UK SFO also stresses the importance of a company having a “genuine proactive and effective” programme.
The TI Report is focused on why and how companies can measure effectiveness (and how in doing so they can ensure that they are deploying their resources in the right areas).
Unless a company’s compliance programme is tested, it will:
- Not know if it the programme is working to mitigate ABC risks (because you don’t really know if something works unless you test it); and
- Struggle to demonstrate to authorities that its programme is effective or adequate (the DOJ, for example, suggest that prosecutors should consider how effectiveness is reviewed (see the DOJ’s Evaluation of Corporate Compliance Programs, here)).
- Test whether your training is working: Companies should consider including a knowledge test as part of ABC training. To show that the test was more than a mere memory test, post-training knowledge tests can be conducted a few weeks or months after training. The TI Report also notes that behaviour change can be monitored after training:
- “For example, after whistleblowing training, is there an increase in helpline reporting, views of the whistleblowing policy and/or related intranet webpages?”
- The use of speak-up/whistleblowing lines should be carefully analysed. Companies need to be wary of observation bias, e.g. markedly low levels of whistleblower reports may be interpreted as a sign that the compliance programme is working well. It may instead be a sign of a poor – or poorly communicated – speak up programme, or of a culture in which individuals do not feel able to speak up.
- Analyse G&E data. Gifts and entertainment is an area that lends itself to data analytics, for example comparing recorded/approved expenditure with expensed expenditure, or reviewing financial data to test whether anomalies or unusual patterns were identified by existing controls.
- Employee culture surveys are a useful tool. Tracking the results of culture surveys over time helps to assess whether the company’s stated culture/tone from the top translates on the ground. The TI Report suggests asking questions in employee surveys such as:
- “Do you agree or disagree that leaders believe it is more important to win with integrity rather than just win?”
- “Do you agree or disagree that leaders promote a culture of integrity and doing the right thing?”
- Use internal and external audit. Audits can be an extremely useful tool in assessing the effectiveness of controls (and employees’ understanding of/adherence to policies). The TI Report also notes that external assurance is becoming commonplace:
- “Investors such as Norges Bank Investment Management, are requiring companies to disclose whether they undertake regular, independent external assurance of their anti-corruption programme, and whether the findings of such assurance are communicated to the board.” (see Norges Bank, Anti-corruption: Expectations of companies, here).
- Assess the effectiveness of your third party programme. Given the centrality of third parties to ABC risk, companies should carefully assess the effectiveness of their third party programme, considering, for example transaction testing, analysis of how many third parties are rejected, and review of how controls operated where ABC issues arise in relation to third parties.
- Investigate root causes and control failings. Careful root cause analysis is very important when conducting investigations, i.e. investigating why an issue happened as well as what happened. Although the TI Report rightly notes that “a company may struggle to establish statistically reliable cause and effect patterns” where ABC issues occur infrequently, examples of non-compliance provide a unique window into the operation of the ABC programme.
While measuring effectiveness is extremely important, care needs to be taken that effectiveness reviews are conducted and documented in a way that best protects the interest of the company in the event of issues occurring because an effective compliance programme may be the company’s only defence or mitigation.