The corporate liability created by section 7 of the Bribery Act means that businesses can commit an offence by failing to prevent persons associated with them from committing bribery on their behalf.
However, it is recognised that no bribery prevention regime will be completely effective at all times. The purpose of the Act is not to criminalise well run businesses, which are the victims of a corrupt associate or employee, and Section 7(2) provides that a company will have a defence if it can prove that it had adequate procedures in place to prevent bribery, even if it failed in the case in question.
The Ministry of Justice has issued guidance on the type of procedures which will be considered adequate and suggests that they should be governed by six principles intended to be flexible rather than prescriptive. These can be viewed as a starting point for a company planning its bribery review regime, but the interpretation and implementation of them will not be the same for all businesses. Broadly, however, the greater the effort made to have good procedures, the better the chance of defending a prosecution.
Procedures should be proportionate to a company’s specific risk of bribery. They should be designed to mitigate risks already identified as well as to prevent deliberate unethical conduct. This principle should always be borne in mind when considering the other principles and when creating an anti-bribery policy, and means that a business with a low exposure to risk of bribery need not have an over-elaborate policy.
It is the responsibility of senior management to prevent bribery. This principle is based on the belief that those at the highest levels of the company are in the best position to create an anti-bribery culture and control key decision making relating to the bribery risk, as well as to communicate this with both internal and external anti bribery commitment statements. It is not enough to create procedures and take no further interest. This will be dealt with further below, but it would be sensible for the workings of the procedures to come up for review at board level at least on an annual basis and on any occasion when an incident has occurred, in order to demonstrate management interest and commitment. In higher risk businesses greater frequency might be required.
A risk assessment is the vital starting point. This can be a specific assessment directed at corruption or form part of a more general risk assessment but it must be carried out in relation to the business in question.
As a business develops, so will the bribery risks it faces. Certain external risks (for example country, sector, transaction, business opportunity or business partnership) and certain internal risks (for example deficiencies in training, bonus culture, rewarding risk taking, lack of clarity in policies or lack of clear financial controls) should trigger specific consideration of the potential for corruption, in order to keep policies and procedures effective.
Whatever the form of the assessment, if it is well informed, documented and regularly reviewed in the light of experience, then this should lead to a fuller understanding of the bribery risks an organisation faces and how effective its efforts to prevent bribery have been.
Risk assessment should lead to the creation of specific procedures based on the risk assessment but these will require implementation and follow up. The level of due diligence required will vary depending on the analysis of the risks arising from each relationship; therefore it should be conducted using a risk based approach, and, like the risk assessment, regularly reviewed and updated in the light of changing conditions and experience. Specific responsibility for monitoring procedures should be assigned to an individual or team but a culture should develop in which everyone is involved.
Effective communication is necessary to ensure that all people associated with the company, including employees, are aware of the bribery prevention policies which the company has in place. Although the board is ultimately responsible, it would be unrealistic to think that senior management fully understand all the issues faced by staff in carrying out their work and it is important to listen to staff experience. Effective communication aimed at stamping out corruption must occur at all levels, and staff should be encouraged to explain the issues openly.
Training is necessary to ensure that the policies in place are understood by staff at all levels to raise awareness of the problem and to understand how to deal with any bribery related issues which may arise during their involvement with the company. Clarity about such issues as facilitation payments and corporate hospitality will help staff to identify good and bad practice.
An important part of internal communication is to establish whistleblowing procedures (ensuring these provide protection for those reporting their concerns), in which staff and associates can have confidence as a means for parties, whether internal or external, to raise concerns about bribery.
External communication is also important, for example, requiring adherence to the company’s anti-corruption policies in contracts with agents and joint venture partners, as well as in employment contracts.
A company should keep its anti-bribery procedures under review and should monitor effectiveness. Bribery risks change so the procedures which mitigate them must change too. We have already suggested an annual review at board level in addition to reviews in the light of particular problems. It would also be worth considering carrying out due diligence exercises on particular business areas, joint venture partners and suppliers, and tightening financial controls on payments as bribery issues emerge from an investigation into other forms of financial misconduct.
To these six principles in the Ministry of Justice guidance, we add an additional two:
The best way of demonstrating adequate procedures and compliance generally is to document the decision making processes, implementation and reviews, and to give someone specific responsibility for maintaining records.
If you have identified a particular risk of corruption, formulate a strategy for handling an incident, whether an allegation is made internally or publicly, so that you can react quickly to an investigation, press allegation or other crisis. If your organisation has a crisis plan, this risk should be added to it. Prompt response and ability to co-operate quickly with investigations are likely to have a positive impact on the outcome and hence limit public embarrassment.