The whirlwind of anti-corruption regulations in the past decade is generating profound changes in corporate governance. The aggressive enforcement of the Foreign Corrupt Practices Act in the United States was joined first by the rising enforcement of similar laws in other OECD countries –especially Germany, the United Kingdom, Switzerland and Canada– and, more recently, the establishment of similar measures in Chile (2009), Colombia (2011) and Brazil (2013). If we add to this the legislative debates of similar draft laws in Peru, Mexico and Argentina, we can anticipate an imminent levelling of the playing field among companies in the OECD and Latin American companies. In fact, the regional pervasion of the Petrobras scandal had already begun to accelerate this process.
With minor differences associated with each legal system, the legal standard is now global: a satisfactory compliance programme significantly boosts the chances of negotiating with authorities to defer or terminate an investigation, to lower economic sanctions and to mitigate executives’ criminal liability. A “satisfactory” programme includes actions both inside the firm and in relation to its value chain. Inside the firm, at a minimum internal principles, policies and procedures must be put into place to prevent, detect and remediate prohibited acts; the entire staff must be trained on the specific application of these policies and procedures; and an “internal justice” system –investigation, sanctions and application of corrective measures in the event of violations– must be implemented. With regard to the value chain, the regulations require due diligence in commercial relations with third parties –affiliates, suppliers, agents, contractors, etc.– and measures proportionate to the risk posed by each third party must be taken.
The new laws, supported by a civil society that is increasingly effective in demanding that they be enforced, requires companies to abandon formal compliance and instead to integrate compliance both inside the firm and in their relationships with third parties
In other words, the scenario has changed. The argument that this placed companies at a disadvantage compared to competitors which are subjected to less demanding regulations –which has consciously or unconsciously determined the emphasis in the enforcement of compliance measures in the region– is now a thing of the past. Even though many public servants have not yet noticed the change, the new laws, supported by a civil society that is increasingly effective in demanding that they be enforced, require companies to abandon formal compliance and instead to integrate compliance both inside the firm and in their relationships with third parties.
Integrating compliance into the company
Even though the majority of companies have ethical codes, the “maturity” of the programmes they implement as a result varies considerably according to both the laws which they must abide and how close they have come to a scandal followed by sanctions.
At the lowest level are the companies that still take a haphazard approach. The most common in companies that are the least exposed to international sanctions, this approach is essentially reactive. The purpose of compliance –usually absorbed by the legal or audit departments– remains ad hoc and the processes are not integrated with other functions –finances, procurement, purchasing, sales or marketing–. Usually earmarked minimum resources, the programme is perceived as a formality and administered for purely documentary reasons. Needless to say, it is virtually irrelevant when facing a real crisis.
At the intermediate stage are companies which have partly brought compliance into the hierarchy, either because their competitors do or because their business partners require it. This gives it some visibility which consists of implementing “long-term” processes which aspire to modify some aspects of the corporate culture slowly but surely. In these companies, the purpose of compliance is primarily to define and educate the sales force in the so-called “grey areas” –policies on gifts and hospitality, entertainment, charitable contributions, sponsorships, etc.–. These processes are not yet internalised, and therefore they are not automatic either. Even though the function of compliance here is supported by –or may even involve– senior management, it is not yet a crucial factor in the most important decision-making processes. The majority of companies that operate in Latin America are in this stage. The compliance agenda of subsidiaries of multinationals is dominated by getting more attention from the local CEO and by the “adaptability” of the programme designed in the parent company to the local situation, especially in terms of the need to live with sectors from the informal economy –which the ILO claims accounts for an average of 47% of business in the region– with certain union practices, social organisations and security forces.
Finally, a handful of companies, especially those that have already experienced a crisis and have been subjected to monitoring, have made major efforts –budgetary, human and technological– to integrate the compliance function into all their corporate decisions. This integration is heavily supported by a technological architecture which automates processes that have already been internalised by the organisation. These companies already appreciate the benefits of “not playing around the edges” in certain business deals, and they enjoy the efficiency that comes with organisational trust bolstered by shared values. Many of these companies participate in the global regulatory debates, lead the practices in their industries and focus their marketing on the benefits of ethical business. Oftentimes, they also understand the need to adapt programmes to certain regional specificities and boost the ownership of the local departments.
The risks posed by business partners
Unlike the integration of compliance inside the organisation, administering the risks posed by business partners is more homogeneous in the region: almost all companies are in the early stages.
The responsibility for “indirect bribery” is nothing new. However, the widespread practice of letting local partners –which global regulations do not reach– “do the dirty work”1 led regulators to strengthen the system of attributing responsibility. While in the past, “turning a blind eye” to a bribe paid by a business partner was valid, today “wilful blindness” not only no longer works as a defence but also increasingly acts as the basis for business liability, which is legally defined as a “failure of supervision” or “failure of appropriate procedures” to prevent the crime committed by the third party.
To avoid the responsibility under these systems of blame, companies have to act diligently when they hire third parties. The standard recipe consists of classifying them according to the amount of risk they pose –low, medium and high– and adopting preventative measures on “the riskiest ones”. These measures include introducing auditing rights and contractual rescission clauses in case there are suspicions that the risk will materialise, along with training them and checking their sales record through external sources.
Even though the majority of companies have ethical codes, the “maturity” of the programmes they implement as a result varies considerably
Even though this seems reasonable in the abstract, applying this recipe is not easy. Many global companies are now familiar with the world of their active business partners, and when they manage to identify them, it is hard for them to classify the risks they pose. They usually end up doing so based on stereotypes –the risk of corruption of the home country or the industry in which they operate– without truly examining the risk they specifically pose in their transactions with the company. Just like the compliance programme, monitoring the purpose of the contract to ensure the fit of the third party’s record, the price and the market practice requires efforts to integrate different areas –purchasing, finances, legal, contract management– which are not always prepared or willing to rise to the occasion. This complexity –which is enormous in global companies– is illustrated in a recent survey by Dow Jones, which showed that only 51% of the multinationals surveyed believe that their policies for business partners are effective, and only 5% have a great deal of confidence in these policies. Once again, a haphazard or ad hoc system seems like a simple, economic solution, even if it is ineffective in the middle term.
The relationship between the maturity of the corporate compliance programme and each company’s proximity to a crisis suggests that we cannot expect the private sector to lead the changes needed to prevent corruption if competitiveness is not protected. Today’s regulatory convergence, coupled with the standards that some industries are collectively developing –especially finance, pharmaceuticals and public infrastructures– have the potential to level the playing field to allow the private sector to play a more active role in reducing corruption and thus promoting development in the region.