The Bribery Act, Governance, Risk and Compliance (GRC)

28th February 2011

The 2010 Bribery Act, passed by the last Government (and supported by the Coalition), is a very significant piece of legislation with wide-ranging implications for UK businesses.  Chief amongst these is the legal requirement for companies to “prevent” bribery. The main defence for a company whose employees or agents are caught violating the new law is that it had adequate procedures in place to prevent bribery. But the implementation of the law has controversially been delayed pending the delivery of government guidance amplifying what kinds of behaviour are unacceptable and what processes should be in place.  Gary Simon, FSN’s managing editor, looks at the role that GRC capability could play in protecting businesses and their directors from prosecution.

The Bribery Act is part of a concerted effort, led by the Organisation for Economic Co-operation and Development (OECD), to rid business of unsavoury practices.  So far, around 38 countries are signatories to the OECD convention on combating bribery and are introducing legislation to curb corporate bribes. However, the UK’s implementation has been delayed as lobby groups and companies fret about whether inviting a customer to a lavish lunch or a cricket match constitutes a bribe. In view of the outcry from businesses, April’s implementation has been postponed pending new guidance from the government.

The signs are that the government does not intend that normal business practice is captured by the legislation.  According to a report in The Telegraph last week, Justice Secretary Ken Clarke is quoted as saying, “Ordinary hospitality to meet customers, network with customers [and] improve relationships is an ordinary part of business and should not be a criminal offence.  I'm hoping to put out very clear guidance to businesses of all sizes to make that clear and save them from fears which have been aroused."

But it is the companies that trade overseas in less regulated environments that are particularly at risk. In certain industries and countries it is common practice for a wide range of inducements to be offered, and, unlike the Foreign Corrupt Practices Act (FCPA) in force in the United States, the UK’s version of the law is seen to be more aggressive. For example, the FCPA contains an exception for small “facilitation” payments that merely expedite routine government action (a customs clearance or a permit that the official is obliged to issue anyway); the UK legislation contains no such exception, so these payments will be illegal.

The UK Act, which covers bribery in both the public and private sectors, creates two general offences: bribing another person (offering, promising or giving an advantage) and being bribed (requesting, agreeing to receive or accepting an advantage).  It also creates a discrete offence of bribery of a foreign public official and, as mentioned above, a new offence of failure by a commercial organisation to prevent a bribe being paid on its behalf.

It is a statutory defence for a company to show that it had adequate procedures in place to prevent bribery, but how does “adequate” translate into practice?

Predictably, the government’s guidance is likely to focus on organisational aspects of the process: the board of directors taking responsibility for establishing a culture in which corruption is not tolerated, the extension of the compliance function, the development of codes of ethical business conduct, employment and due-diligence procedures, and so on. Valuable though these initiatives are, they barely scratch the surface of the preventative and detective controls that an organisation will need in order to have a realistic chance of recognising and eliminating bribery.

The truth is that the scale and reach of multinational operations is so vast that questionable transactions are likely to be lost in terabytes of data. So what can an organisation reasonably be expected to do?

The first thing to bear in mind is that the Bribery Act is one of a number of parallel compliance requirements. It is also just one of the many risks in the spectrum of risks that organisations face.  It therefore makes sense to take a holistic approach to managing risks, bringing them together in one risk management environment.  This is where GRC (Governance, Risk and Compliance) plays a vital role.  GRC combines policies, governance structures, processes and systems in one overall environment which, together with controls and transaction monitoring, can provide boards and other stakeholders with the assurance that measures have been taken to contain the risks they face.
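To make the detective side of “controls and transaction monitoring” concrete, here is an added example, not part of the original article and not the code of any GRC product, of three simple controls run over a payment ledger. The ledger is constructed sample data; the high-risk country list, the facilitation keywords and the £10,000 approval threshold are assumed parameters that a real programme would take from policy, and the rules deliberately leave ordinary hospitality (the client lunch) unflagged, in line with the guidance quoted above.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample payment ledger (illustrative data, not taken from any real system).
LEDGER_CSV = """\
date,payee,payee_type,country,amount,memo
2011-01-10,Acme Logistics,vendor,GB,12450.00,Q4 freight invoice 4471
2011-01-12,R. Okoro,intermediary,NG,4900.00,customs expediting fee
2011-01-13,R. Okoro,intermediary,NG,4900.00,customs expediting fee
2011-01-14,R. Okoro,intermediary,NG,4900.00,customs expediting fee
2011-01-20,Port Authority Lagos,public_official,NG,500.00,facilitation payment
2011-02-02,City Hotel,vendor,GB,840.00,client lunch
2011-02-05,Consult Global SA,intermediary,VE,25000.00,consulting retainer
2011-02-06,HM Revenue & Customs,government_body,GB,3200.00,VAT
"""

# Assumed parameters for the controls; a real programme would take these from policy.
HIGH_RISK_COUNTRIES = {"NG", "VE"}           # assumed high-risk jurisdictions
FACILITATION_TERMS = ("facilitation", "expedit", "grease", "speed money")
APPROVAL_THRESHOLD = 10000.00                # assumed single-payment sign-off limit
SPLIT_WINDOW = timedelta(days=7)             # window for detecting split payments
SENSITIVE_PAYEE_TYPES = {"public_official", "intermediary"}


def load_ledger(text):
    """Parse the CSV ledger into dicts with typed date and amount fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["date"] = datetime.strptime(r["date"], "%Y-%m-%d")
        r["amount"] = float(r["amount"])
        rows.append(r)
    return rows


def rule_facilitation_memo(rows):
    """Flag memos that describe a facilitation payment, which the UK Act treats as a bribe."""
    return [
        {"rule": "facilitation_memo", "payee": r["payee"], "amount": r["amount"],
         "detail": r["memo"]}
        for r in rows
        if any(term in r["memo"].lower() for term in FACILITATION_TERMS)
    ]


def rule_sensitive_payee_high_risk(rows):
    """Flag any payment to a public official or intermediary in a high-risk jurisdiction."""
    return [
        {"rule": "sensitive_payee_high_risk", "payee": r["payee"], "amount": r["amount"],
         "detail": f"{r['payee_type']} in {r['country']}"}
        for r in rows
        if r["payee_type"] in SENSITIVE_PAYEE_TYPES and r["country"] in HIGH_RISK_COUNTRIES
    ]


def rule_split_payments(rows):
    """Flag a payee receiving several sub-threshold payments inside SPLIT_WINDOW that
    together exceed the approval threshold (structuring to dodge sign-off)."""
    by_payee = defaultdict(list)
    for r in rows:
        if r["amount"] < APPROVAL_THRESHOLD:
            by_payee[r["payee"]].append(r)
    findings = []
    for payee, prs in by_payee.items():
        prs.sort(key=lambda r: r["date"])
        for i, first in enumerate(prs):
            window = [r for r in prs[i:] if r["date"] - first["date"] <= SPLIT_WINDOW]
            total = sum(r["amount"] for r in window)
            if len(window) >= 2 and total >= APPROVAL_THRESHOLD:
                findings.append({"rule": "split_payments", "payee": payee, "amount": total,
                                 "detail": f"{len(window)} payments from {first['date']:%Y-%m-%d}"})
                break  # one finding per payee is enough to trigger a review
    return findings


def run_controls(text=LEDGER_CSV):
    """Run every detective control over the ledger and return the combined findings."""
    rows = load_ledger(text)
    return (rule_facilitation_memo(rows)
            + rule_sensitive_payee_high_risk(rows)
            + rule_split_payments(rows))


def flagged_payees(findings):
    """The set of payees that at least one control has flagged for review."""
    return {f["payee"] for f in findings}


if __name__ == "__main__":
    for f in run_controls():
        print(f"{f['rule']:26} {f['payee']:22} {f['amount']:>10.2f}  {f['detail']}")
```

Run stand-alone, the script flags R. Okoro on all three rules (the three £4,900 payments in three days total £14,700, just the kind of pattern that slips past a single-payment approval limit), the port authority on the facilitation and high-risk rules, and the Venezuelan consultancy on the high-risk rule alone; Acme Logistics, the hotel lunch and HMRC are left alone. The point is not the specific rules but that each finding is traceable to a written control, which is the evidence an “adequate procedures” defence depends on.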

GRC and the role that it can play are not yet widely understood, but systems from the major players such as Oracle and SAP are beginning to make inroads and can be readily cost-justified in the right circumstances, for example in susceptible organisations and industries.  However, there are many obstacles to GRC being accepted, most notably management inertia and an “it couldn’t happen here” attitude.

The coalition government, though it has delayed implementation, says it is committed to introducing the Bribery Act, and contrary to some opinions it is unlikely to be watered down. The penalties for violation, both financial and reputational, are severe. Furthermore, there will be a clamour for an early ‘scalp’ to parade publicly as a deterrent.  Organisations ignore the Bribery Act and the contribution of GRC at their peril.