A comparative analysis of key frameworks to promote business integrity around the world 🌍

The French Anti-Corruption Agency published in May 2023 a study comparing various regulatory anti-corruption frameworks from France, the UK and the US (AFA - Presentation of various regulatory frameworks for promoting business integrity across the world - May 2023). As we often struggle ensuring we comply with all these frameworks and their extraterritorial reaches, this presentation provides a nice and easy comparative guidance to manage business integrity risks in our organizations. In today’s mood post, we provide a quick-read, high-level checklist to make sure we have everything covered according to these frameworks.

Why does this matter, again?

Business integrity is a fundamental aspect of corporate governance: it is not only a matter of compliance with regulations but also a means to enhance trust and confidence in the business environment. By setting clear standards and guidelines, regulatory frameworks help prevent corruption, ensure fair competition, and safeguard the interests of stakeholders, in turn creating a better world for all of us. We like them!

Of course, it's not always straightforward for businesses to know and understand which standards they need to follow, comply with, and inspire their programs from. And the truth is, with so many regulations that apply extraterritorially, it is very likely that you need to follow several standards at the same time!

What’s nice about this AFA Guide

What I really like with the French Anti-Corruption Agency publishing this guide (AFA - Presentation of various regulatory frameworks for promoting business integrity across the world - May 2023), is that you will find in one place all the relevant information about the frameworks applicable in France, the US, the UK and supplemented with the framework released by the World Bank.

 “The notion of "framework" is used in the broad sense of the term to mean the set of binding standards and their accompanying measures, such as recommendations, guidelines and practical guides”(AFA - Presentation of various regulatory frameworks for promoting business integrity across the world - May 2023).

Amazing: from page 10 onwards you will find the links to all related resources for a deeper dive in each of them. For example, the Loi Sapin II in France does not make much sense if read without the AFA Guidelines etc. Right at your fingertips, you will find your comprehensive source guide for the future.

And by reading all these frameworks side by side, we are indeed able to take a stance at developing a framework for our organizations that complies with most requirements. I find this specificity of E&C very interesting: the emergence of an inter-national framework composed of a mix of regulations, best practices, enforcement and guidelines. I am a private international law nerd, and I can tell you that this idea is getting me quite excited. 

Let’s use this guide to get going!

Where do I start to create my effective anti-corruption program that will fit most frameworks?

In its guidance, the French Anti-Corruption Agency has summarized the key points necessary across all frameworks and how we can reconcile working with all of them (AFA - Presentation of various regulatory frameworks for promoting business integrity across the world - May 2023). All frameworks do touch upon the following key points:

• A Committed senior management 
• An independent and strong E&C function
• A solid risk assessment
• Key measures to prevent risks
• How we remediate risks

A committed senior management

The involvement of top management in the anti-corruption program is absolutely critical to its effectiveness. And we are not only talking about a clear zero tolerance policy, but true effective commitment. In the French framework, the management body (= the CEO) is actually liable for the non-implementation of the required anti-corruption measures required by the Loi Sapin 2.

So, what we expect from our committed top leadership is:

• Clear commitment to prevent corruption and actual work to create culture;
• Personal communication about the program, towards the whole company preferably, in the code of conduct, at Exec com meetings and so on. The support to the program should be visible and explicit;
• Leadership by example, behaving the right way and ensuring behaviors that are not in line get effectively sanctioned (otherwise it makes the above bullet points sound pretty duplicitous).

An independent and strong Ethics & Compliance function

In order to be able to support the management commitment and coordinate the Ethics & Compliance initiative in the organization, our E&C function needs to be strong and enabled: 

• We need adequate and appropriate resources to be able to prevent and remediate risks.
• We need direct access to the management body and in general, sufficient seniority and independence from senior management as well as the actual authority to implement the program.
• And of course, we need access to the information relevant to our mission!

A solid risk mapping 

To craft good prevention measures, we need to assess, map and understand the corruption risks in all our Business Units. This is the cornerstone of our risk-based approach as, most probably, we do not face the same risk in our Danish entity as in our latest joint venture in Cambodia with a powerful tycoon to distribute our heavily regulated products! It’s also one of the best ways for the E&C function to get to really know our business in depth if we run it well. Below a few key points to remember:

• We need to run the exercise for all our group entities, considering risk factors such as country risk and industry sector. 
• The exercise must enable us to evaluate and prioritize risks and finally come up with an action plan to ensure the prevention of such risks. We could write several books about the specifics of the methodologies. Truth is, in developing our latest Risk Assessment solution at Upright hand in hand with many E&C Teams, we realized that there are as many approaches as there are organizations. Some work with a scale of 1-5 while others 0-3, some 1-5 on likelihood and € amount on impact, some work with net risk only while others calculate a gross risk before calculating a net risk. In running the exercise, the approaches are also extremely varied: some want to enable local businesses to identify their risks, while others want to identify risks centrally. Again, other companies prefer a mix of both approaches. Some want to provide their units with pre-defined mitigation measures to implement and some don’t and so on. In short, if you have a hard time defining the right approach for your organization, have no fear: so long as it makes sense logically, you apply your methodology consistently across your business units and derive mitigation measures that you actually implement consistently, you cannot really get it wrong.
• And of course, our risk assessment exercise needs to be regularly updated, and updated ad hoc when necessary (for example in the case of merger or opening of a new market).

Corruption Risk Prevention

Once we have established a committed leadership, a functional E&C team and a solid risk mapping, we need to work on developing a strong corruption prevention framework.

The Code of Conduct is the key pillar: it needs to be clear and concise, lay out clearly the behaviors that are desired or prohibited. The Code needs to be reviewed regularly and remain accessible to employees and third parties in relevant languages. This Code of Conduct is typically complemented with frameworks that address specific corruption risks and areas (with respect to gifts & hospitalities, conflicts of interest, facilitation payments, sponsorship & donations and so on). Needless to say, our Code of Conduct needs to be effectively implemented: a simple code that is known, understood and followed is much better than a super complex framework of 25 documents that is not really implemented in practice.

Awareness & training enable effective operationalization: we need to follow a risk-based approach here again, raise the general awareness for all employees and create a dedicated program and training for at-risk employees, as well as control functions and gatekeepers so that they help us identify risks. Training should be appropriate, understandable, and content should be tailored to the audience. Also consider sensitizing your business partners on your Code of Conduct while you run due diligence on them.

Proper due diligence on third parties: of course, third parties may put us at risk and we want to have solid risk-based due diligence procedures that enable us to assess our third parties and document all of that. This enables us to avoid dealing with business partners known or reasonably suspected to have engaged in misconduct. Of course, this should take place before entering into business with a third party and regularly during the relationship. 

Mergers & Acquisition of businesses also brings a huge risk with successor liabilities. We need to beware of what we inherit when we purchase or absorb! We need to have an approriate and thorough E&C due diligence ahead of the transaction and be included in the acquisition process and data-room early on. I recommend having a framework in place already that governs how you set-up your M&A teams, manages the need for enhanced confidentiality for the project and so on. And of course, we need to work after the acquisition to integrate the target's compliance programs & controls into our existing framework.

Whistleblowing system: they are key to prevent risks from materializing. We need to enable trust in the system for people to report, which in turn creates incentives for everyone to behave well. Our systems need to be accessible and enable reporting or raising concerns (beware depending on the jurisdiction as to the type of personal data that can be collected in these systems), including anonymously, in a confidential manner. People who report should be protected from retaliation. We need a good pre-existing and transparent process in place on how we manage reports and what happens then. And we want and will need to learn from cases that have been reported: how can we improve our processes to make sure this does not happen again? On this topic, don't forget to check out my latest article on whistleblowers' rewards: 279 millions or the price to blow the whistle.

Internal investigations: this means the review of the potential violation of regulations and frameworks. We want to investigate and control high risk situations in order to make learnings and improve our programs. Our Investigations should be properly scoped, conducted by qualified personnel, timely, and of course the findings should be remediated.

Accounting Controls: these are key, and the goal is to ensure that books and records are not used to conceal corruption. Dedicated anti-corruption controls will reinforce existing accounting controls in place. Work with your accounting department to effectively implement these control points. Check out the neat guide published by the Agence Francaise Anti-Corruption on Accounting Controls to know where to start (AFA - Corporate anti-corruption accounting controls - April 2022).

Monitoring & Evaluation: having an internal program in place aimed at checking the effectiveness of your anti-corruption measures is not an option. We should periodically review the procedures, an appropriate execution level, control plans, audit plans, all of this duly formalized. The goal of monitoring is to check all levels of our program, from design to implementation, in order to improve it. 

The last key step of our program is of course to remediate properly when misconducts happen.

Corruption remedial actions

Corrective measures: whenever we audit, investigate or identify a shortcoming, get alerted on a gap, or face a new situation that may create risks, we need to adjust and correct, systematically. Our improvement plans should be followed from the lower levels of the organization all the way up to top management.

Discipline: we also need to have a very clear disciplinary system in place, applicable to all staff, and applied consistently across the group. We should not forget about the supervisory impact of a misconduct: what actions are we taking towards the supervisor? Check out here my blog-post on how to navigate discipline, incentives and rewards in today’s world (Sticks & Carrots for Ethics & Compliance: navigating incentives and rewards for today's humans).

In conclusion

This study from the French Anti-Corruption Agency should help all of us focus on the key points we need to ensure to be aligned with the requirements coming from the important frameworks developed by the US, UK and France (AFA - Presentation of various regulatory frameworks for promoting business integrity across the world - May 2023), as summarized by the French Anti-Corruption Agency:

“It is therefore possible to consider that the French anti-corruption framework offers companies that apply it significant guarantees of protection against the criminal risk of corruption, but also of compliance with the anti-corruption rules and recommendations of foreign countries where they are likely to develop their activities“ (AFA - Presentation of various regulatory frameworks for promoting business integrity across the world - May 2023).

I hope these few points are helpful to quick-check and enhance your anti-corruption program. Follow Upright Solutions on Linkedin for more inspiration for your Ethics & Compliance Program!

 Love from Copenhagen 💜

/risk-assessments/