In this Chapter, we move closer to the field and start with one of the most essential tasks you as ethics and compliance officer have to undertake: understanding and measuring your company’s exposure to corruption and antitrust risks. This is usually done at the behest of the Board of Directors by performing a comprehensive and methodical review of these risks, an exercise otherwise known as an ethics and compliance risk assessment. This Chapter explains the basic steps for performing a risk assessment. The author then draws on his company’s experience to illustrate some key practical aspects you should take into account as you plan and implement your company’s own risk policy.

-

INTRODUCTION

Every company needs to identify, measure, and manage the most significant risks that may affect its business operations and jeopardize its social license to operate. Among these risks, corruption and antitrust require special attention. A single act of corruption or a single antitrust breach may indeed cause devastating legal, financial, and reputational damage for a company, its employees, and its shareholders.

Because illicit practices can appear in virtually any part of an enterprise, an important first step for a company and its Board of Directors is to understand the company’s vulnerability to corruption and antitrust risks. This can be done by conducting a comprehensive and thorough ethics and compliance risk assessment (or risk evaluation), as described in the following pages. This management tool helps identify what could go wrong, the probability of occurrence, and the potential consequences should an incident occur.


THE ROLE OF THE BOARD OF DIRECTORS

Performing systematic reviews of your company’s risks is not a ‘nice to have’ policy but rather an essential part of any proper governance approach. The OECD, in the Principles of Corporate Governance (2004), states that reviewing and guiding the company’s risk policy is one of the key functions of the Board of Directors. This allows Board members to act on a fully informed basis, in good faith, and with due diligence and care, as required by their fiduciary duties.

DO ALL COMPANIES PERFORM AN ANTI-BRIBERY AND CORRUPTION RISK ASSESSMENT?

The answer is: no, not every company does.

The Global Anti-Bribery and Corruption Survey 2011, commissioned by KPMG and conducted with 214 executives of large companies in the United States and the United Kingdom, tells us that a third of the respondents do not perform an anti-bribery and corruption risk assessment.

Another survey conducted by PricewaterhouseCoopers with 144 members of the PwC Fraud Academy in April 2010 leads to a similar conclusion: 70% of respondents stated that ethical risks were identified (in a risk assessment exercise) but only 34% of respondents said that ethical risks were adequately measured and evaluated.

It is therefore a primary responsibility of the Board of Directors to give the initial impetus to the definition of the company’s risk policy. It does so by requesting the company’s management to plan and implement a systematic ethics and compliance risk assessment. Once this has been done, and the results of the assessment have been presented to the Board, it is, again according to the OECD Principles of Corporate Governance (2004), the Board’s duty to define the company’s desired risk profile, specifying the types and degree of risk that the company is, or is not, willing to accept in pursuit of its goals.

By defining the company’s risk profile, the Board of Directors outlines the limits of the company’s risk appetite. It establishes the rules and procedures for evaluating whether any particular industrial, commercial, or financial project (such as moving into a new country, embarking on a new product line, or using a new financial instrument) involves acceptable or unacceptable risks. In a number of companies, the Board of Directors will create a Risk Committee to cover the implementation of the company’s risk policy.

AN ANALOGY

To explain the rationale behind conducting risk assessments, let’s start with an analogy. For a dam project, engineers will focus on the main design to frame its structure and use calculations linked to resistance factors to test its robustness under all conditions. Their purpose is to anticipate and address all issues and risks which could arise during the dam’s life. For these kinds of projects, risks are so huge that no stone should be left unturned in pursuit of safety. Every detail is critical.

The assessment of bribery and corruption risks should be conducted in a comparable way. Risk assessment is a practical tool that enables a company to detect the risks and issues that can arise in business transactions. More detailed risk reviews may sometimes be necessary to fully capture the risks linked to specific activities or to certain types of business partners with whom the company is engaged or plans to engage.

AN ETHICS AND COMPLIANCE RISK ASSESSMENT IS A COMPREHENSIVE AND CONTINUOUS PROCESS FOR:

  • Understanding a company’s exposure to ethics and compliance risks;
  • Identifying the most significant business process risks;
  • Evaluating the extent and adequacy of existing controls or mitigation factors;
  • Modifying controls or mitigation factors to address gaps and areas for improvement, and implementing adequate procedures; and
  • Monitoring controls to ensure that the procedures are effectively performing.

METHODOLOGY FOR CONDUCTING AN ETHICS AND COMPLIANCE RISK ASSESSMENT

There is no ‘one size fits all’ solution for conducting ethics and compliance risk assessments. Each company’s risk assessment approach should be designed in a way that is proportionate to its size, the nature of its business, its organizational structure, and the geographical diversity of its operations.

The ethics and compliance risk assessment of a company can be performed on a stand-alone basis. It is, however, increasingly common to integrate this specific exercise into a broader assessment of all the risks the company faces, as is done in Enterprise Risk Management. By using an integrated approach, an enterprise can avoid inconsistencies between separate risk assessments and ensure that the risk assessment is updated regularly and receives appropriate attention from senior management.

There are three basic steps to conducting an ethics and compliance risk assessment, namely identifying, measuring, and managing risks, as illustrated in the diagram below:

It is essential to identify key risk factors through an overall analysis of the enterprise’s business operations and the key drivers of its commercial successes: its products, its services, its customers, its marketing channels, and its geographical markets.

A whole range of external and internal factors can have a direct impact on the corruption and antitrust risks that a company may face. For example:


EXTERNAL FACTORS

Country risk: Some countries (or regions) have a higher perceived corruption risk stemming from a lack of anti-corruption legislation, a low level of enforcement, weak institutions, or an overall lack of transparency.

Sectoral risk: Some industry sectors are said to be more prone to corruption than others, such as extractive industries. Special attention should also be devoted to large-scale infrastructure projects.

Transaction risk: Special attention should be given to business transactions concluded between companies and governments, government agencies, or government-affiliated enterprises (for example through public tenders); the same applies to projects that involve high-value transactions and to business activities which are subject to licenses or permits issued by public officials.

Business partnership risk: The use of business partnerships, such as joint ventures, consortiums, or agents, intermediaries, contractors, and other third parties, may constitute an additional risk factor.

INTERNAL FACTORS

Size of the organization: Affiliates and other group entities that are not wholly controlled by the company, or that are under shared control, should be given special attention.

Organizational structure: Is the organization centralized or decentralized? Group entities in remote locations or subject to limited reporting obligations may form another risk factor.

Leadership and governance: Entities with non-conventional governance models require special care.

History of claims, litigation, and external inquiries: In the presence of existing or past legal issues, an analysis of their impact and recurrence will be required (with the help of internal and external lawyers).

The method a company decides to adopt to address all its identified risks and to implement mitigation action will also depend on the way it is structured and organized. Based on the assessment for each specific risk, a centralized or decentralized approach may be preferred. Note, in this context, that the ICC Rules on Combating Corruption (2011) recommend that enterprises ensure that their central management has adequate control over third parties and maintains a record of their names, terms of engagement, and payments to them.

ALSTOM’S RISK ASSESSMENT PROCESS

The Alstom Integrity Programme

Like all companies involved in infrastructure projects, Alstom is exposed to numerous risks. These risks may be of a technical, financial, political, or legal nature. They may relate to health, safety, and environmental issues. The company may also face risks relating to fraud, corruption, and infringements of competition law. To help address these risks, Alstom has put integrity at the top of its corporate agenda and seeks to promote a visible culture of ethics and compliance.


To implement such a policy in a global group of nearly 100,000 employees, Alstom has set up the Alstom Integrity Programme, which is built on a Code of Ethics, detailed corporate rules and instructions, and training and communication activities. The Alstom Integrity Programme covers a broad range of ethics and compliance issues and areas relating to business transactions and personal integrity, such as:

  • Prevention of corruption;
  • Competition law;
  • Business advisors, representatives, and resellers;
  • Joint ventures and consortiums;
  • Suppliers and sub-contractors;
  • Engineering and project management;
  • Conflicts of interest;
  • Charitable and political contributions;
  • Gifts and hospitality; and
  • Sponsorships

The Alstom Integrity Programme, which is supported by a dedicated professional team, is continuously enhanced through meetings and exchanges of good practices with industry peers, anti-corruption experts, and specialized law firms. To achieve a best-in-class programme, a regular certification process was put in place in 2009.

The Programme is based on a careful assessment of the specific ethics and compliance risks to which the company is exposed. The Alstom ethics and compliance risk assessment is part of the group’s risk management policy and constitutes a section of the company’s yearly risk assessment review and risk mapping exercise.

Ethics and compliance in the context of Alstom’s Risk Mapping exercise

Since 2006, Alstom has conducted a yearly risk assessment review as part of the preparation of its annual budget and of its three-year planning process. The objective is to update the group’s risk mapping exercise by identifying, analysing, and anticipating significant risks facing the company. The risk assessment review is prepared with the input of the company’s four industrial sectors (Thermal Power, Renewable Power, Grid, and Transport) and of the main corporate functions, including internal control; internal audit; finance; tenders and projects; information systems; human resources; legal; ethics and compliance; and environment, health and safety.

At the Board of Directors level, the Ethics, Compliance, and Sustainable Development Committee is responsible for reviewing the mapping of ethics, compliance, sustainable development, and social responsibility risks and for advising the Board of Directors about identified risks and existing risk prevention procedures. The updated risk mapping and the main elements of the risk management system are presented every year to the company’s Audit Committee and to the Board of Directors.


Through this exercise, Alstom is able to take into account the effect potential events may have on the achievement of its corporate business objectives. Such events are considered from two perspectives, namely ‘likelihood’ and ‘impact’. The ‘likelihood’ element represents the possibility that a given event occurs, while the ‘impact’ element represents the potential operational, financial, and legal consequences such event may have on the company. A combination of qualitative and quantitative criteria is used in making these assessments.

Data from past events are incorporated into risk assessments, as they provide a more objective basis than subjective assessments. Detailed information on the potential impact and likelihood of occurrences is checked and assessed. Potential events are assessed both individually and as part of a sequence or of a combination of events.

A time horizon of three years is used to assess the impact of risk. Accordingly, any proposed mitigation action is also included in the annual budget and the three-year plan. Any major risk assessed as falling outside the three-year period is continuously kept under review. The risk mapping exercise also serves to confirm that appropriate insurance cover has been obtained for insurable risks.

Because it is advisable and useful to document every risk assessment, the Ethics and Compliance Department of Alstom produces a risk sheet every year. This risk sheet contains the following elements:

  • A description of ethics and compliance risks and their causes;
  • An evaluation of potential consequences;
  • An analysis of the (long-term) evolution of risks;
  • Actions already implemented to mitigate identified risks;
  • Actions still to be implemented to mitigate risks; and
  • Indicators for monitoring risks and the effectiveness of the mitigation action.

Alstom’s Ethics and Compliance Risk Assessment

To gather more detailed information on corruption risks and to ensure that all potential risks have been taken into account, the Ethics and Compliance Department of Alstom also conducts its own Ethics and Compliance Risk Assessment.

The Ethics and Compliance Risk Assessment is designed to:

  • Help set key priorities;
  • Share findings with key internal stakeholders;
  • Create the most appropriate ethics and compliance programme for the company;
  • Assess the effectiveness of current tools;
  • Develop new actions to mitigate risks; and
  • Ensure the continuous improvement of the Alstom Integrity Programme.


The Ethics and Compliance Risk Assessment is based on an in-depth analysis of the group’s activities with a focus on the following aspects:

  • Its business model: industry; markets; countries; customers;
  • Its operational processes: tendering (including through the use of intermediaries); sales; engineering; sourcing; procurement; supply chain; project execution (including partnerships and consortiums);
  • Its support functions: strategy (mergers and acquisitions, joint-ventures); legal; human resources; finance;
  • Cross-cutting topics: gifts and hospitality; charitable and political contributions; conflicts of interest; facilitation payments.

A total of 40 items form part of the Ethics and Compliance Risk Assessment. Each item is ranked on a four-step scale from ‘low’ to ‘very high’ risk. For each item, the company identifies mitigation factors, which are either already in place or remain to be implemented.

The analysis of ethics and compliance risks is complemented by external sources of information, including the following documents:

  • The United States Federal Sentencing Guidelines;
  • The United Kingdom Bribery Act (2010) and its Guidance;
  • The OECD Guidelines for Multinational Enterprises (2011);
  • The ICC Rules on Combating Corruption (2011);
  • The Transparency International Business Principles for Countering Bribery (2009); and
  • The Transparency International Corruption Perceptions Index (CPI).

In particular, the company conducts a ‘country risk analysis’ every year, which is prepared on the basis of the CPI and which takes into account the company’s geographical footprint in terms of sales. Countries are ranked according to their risk level in the following way (the thresholds refer to the 0 to 10 scale on which the CPI was scored at the time; since 2012 the index has used a 0 to 100 scale, so the same cut-offs would read 75, 50, and 25):

  • CPI value from 7.5 to 10 = Moderate risk countries;
  • CPI value from 5 to 7.5 = Medium risk countries;
  • CPI value from 2.5 to 5 = High risk countries; and
  • CPI value from 0 to 2.5 = Very high risk countries
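The country risk analysis described above is simple enough to script, and doing so makes two practical points visible that the tiers alone do not: a footprint weighted by sales shows where the money is actually booked, and countries the CPI does not score must be surfaced rather than silently treated as low risk. The following Python is an added example written for this page; it is not Alstom’s tool, and the country names, sales figures and CPI scores in it are constructed. It uses the chapter’s thresholds on the 0 to 10 CPI scale; how a boundary value such as exactly 5.0 is assigned is not stated on the page, and the choice made here (assign it to the lower-risk tier) is an assumption.

```python
"""Country risk analysis of a sales footprint, bucketed by CPI tier.

Added example, not Alstom's tool. Thresholds are the chapter's, on the
0-10 CPI scale used until 2011. All sample data below is constructed.
"""
from collections import defaultdict

# (tier name, lower bound inclusive, upper bound exclusive), worst to best.
# Assumption: a boundary value (e.g. exactly 5.0) goes to the lower-risk tier.
CPI_TIERS = (
    ("Very high", 0.0, 2.5),
    ("High", 2.5, 5.0),
    ("Medium", 5.0, 7.5),
    ("Moderate", 7.5, 10.0),
)
UNSCORED = "Unscored"  # the CPI does not cover every country; flag, do not guess


def country_risk_tier(cpi):
    """Map a CPI score on the 0-10 scale to a tier; None means not scored."""
    if cpi is None:
        return UNSCORED
    if not 0.0 <= cpi <= 10.0:
        raise ValueError(f"CPI score out of range for the 0-10 scale: {cpi}")
    for name, low, high in CPI_TIERS:
        if low <= cpi < high:
            return name
    return "Moderate"  # only cpi == 10.0 reaches here


def footprint_exposure(sales_by_country, cpi_by_country):
    """Aggregate a sales footprint by risk tier.

    Returns {tier: {"sales": total, "share": fraction_of_all_sales,
    "countries": sorted names}} for every tier that has at least one
    country. Countries missing from cpi_by_country land under UNSCORED.
    """
    total = float(sum(sales_by_country.values()))
    if total <= 0:
        raise ValueError("sales footprint must have a positive total")
    buckets = defaultdict(lambda: {"sales": 0.0, "countries": []})
    for country, sales in sales_by_country.items():
        tier = country_risk_tier(cpi_by_country.get(country))
        buckets[tier]["sales"] += sales
        buckets[tier]["countries"].append(country)
    for entry in buckets.values():
        entry["share"] = entry["sales"] / total
        entry["countries"].sort()
    return dict(buckets)


def high_risk_share(exposure):
    """Fraction of sales booked in High and Very high risk countries:
    the single figure that would go on the yearly risk sheet."""
    return sum(exposure.get(t, {"share": 0.0})["share"]
               for t in ("High", "Very high"))


# Constructed sample footprint: fictional countries, sales in millions.
SAMPLE_SALES = {"Nordland": 400.0, "Meridia": 250.0, "Karst": 200.0,
                "Oribel": 100.0, "Tessera": 50.0}
SAMPLE_CPI = {"Nordland": 9.1, "Meridia": 6.0, "Karst": 3.4, "Oribel": 2.1}
# Tessera is deliberately absent from SAMPLE_CPI to exercise the unscored path.

if __name__ == "__main__":
    exposure = footprint_exposure(SAMPLE_SALES, SAMPLE_CPI)
    order = [name for name, _, _ in reversed(CPI_TIERS)] + [UNSCORED]
    for tier in order:
        if tier in exposure:
            e = exposure[tier]
            print(f"{tier:10s} {e['share']:6.1%}  {', '.join(e['countries'])}")
    print(f"High/Very high share of sales: {high_risk_share(exposure):.1%}")
```

Run as a script it prints one line per tier with its share of sales and the countries in it, then the combined High/Very high share. If you apply this to a current CPI release, convert the thresholds to the 0 to 100 scale first, or divide the scores by ten.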

Specific risk reviews of business partners: the example of business advisors

As a further step in the Alstom risk assessment process, the company conducts more detailed risk reviews for certain categories of business partners.

The matrix below combines two criteria: (i) the level of exposure to corruption risk and (ii) the required level of control for each category of business partners the company is dealing with.


At a glance, we see that business advisors, also called agents or sales intermediaries, constitute a type of business partner that represents a high risk. The company therefore applies a high level of control to business advisors.

Alstom has put in place a system designed to ensure it only engages or does business with reputable and qualified business advisors who have an appropriate level of skills, expertise and resources, and who (i) act with integrity, (ii) are compliant with applicable laws and regulations, (iii) enjoy an untarnished reputation, and, (iv) do not create conflicts of interest with Alstom employees, its customers, or any public official.

Before any business advisor is appointed, a thorough due diligence is undertaken to assess the suitability of such appointment. As part of the due diligence process, Alstom checks and compiles information on the business advisor’s company status, financial background, reputation, media exposure, and legal records (for instance by examining any past criminal investigations or fines). In addition, Alstom orders a business intelligence report from an independent firm.

Risks are further mitigated through the introduction of strict anti-corruption clauses in contracts with business advisors, and by running a comprehensive check before any payment is made.

Business advisors working for Alstom are asked to submit an updated ‘business advisor profile’ at least every second year after their initial appointment, but also whenever there is a significant change in circumstances, or at any other time at the request of the company. The company also orders an update of the original business intelligence report.

Due diligence is updated on a regular basis and fully reviewed every second year.


CONCLUSION

Risk assessment generally follows the well-known trilogy: identifying, measuring, and managing risks. This exercise is the cornerstone of any robust ethics and compliance programme. It is a powerful management tool which helps detect the most sensitive areas in a company and allows resources to be allocated where they are most needed. Its findings are documented in regularly produced reports. It also provides a basis for designing appropriate mitigation action and defining the key priorities of a company’s compliance programme.

-

About the author

Jean-Daniel Lainé was Senior Vice-President for Ethics & Compliance at Alstom from January 2006 to June 2013. Jean-Daniel is a mechanical and electrical engineer and graduated in Finance at Sorbonne University. He started his career at Compagnie Electro-Mécanique in France. He joined Alstom in 1983 and held different operational positions in power generation and transportation activities, followed by various functional positions in Strategic Development, International Network, Finance and Human Resources. He was appointed Vice President at the Chairman’s Office in 1999 and then Vice-President, Compliance, for Power sectors in 2004.