Governance. The overall responsibility of oversight of bribery and corruption risks posed to the organization lies on the board and senior management. The board shall delegate the oversight and monitoring functions to any of its sub-committee, preferably to the Board Compliance Risk Committee or Board Audit Committee.

Governance: ABC Compliance Program Elements #1

The internal risk assessment report must be presented to the board or its sub-committee for approval after review and recommendations of the compliance risk management committee. The internal risk assessment report recommendations must be action-oriented for developing mitigating controls on bribery and corruption risks, identified on weaknesses of controls observed. It will be the responsibility of the compliance risk committee to monitor the implementation of a time-bound action plan developed to mitigate bribery and corruption risks. 

Governance sets the organization’s tone, reinforcing the importance of and establishing oversight responsibilities for enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity. Governance forms the broadest concept. Typically, this refers to the allocation of roles, authorities, and responsibilities among stakeholders, the board, and management. Some aspects of governance fall outside enterprise risk management (e.g., board member recruiting and evaluation; developing the entity’s mission, vision, and core values).

To achieve an effective governance structure, roles and responsibilities should be allocated as follows: 

Senior Management: 

A member of the firm’s Senior Management should have oversight responsibility for the program, and the firm should allocate sufficient resources to achieve reasonably effective operations. Periodic Programme updates and material issue-reporting should be made to the Executive Board or equivalent body and the Board of Directors or an appropriate board committee. Senior management is responsible for all aspects of an entity, including enterprise risk management. Responsibilities assigned to the various levels of management are outlined here. 

The chief executive officer (CEO) is accountable to the board of directors and is responsible for the overall enterprise risk management culture, capabilities, and practices required to achieve the entity’s strategy and business objectives. (In privately owned and not-for-profit entities, this position may have a different title, but generally, the responsibilities are the same.) More than any other individual, the CEO sets the tone at the top along with the explicit and implicit values, behaviors, and norms that define the culture of the entity.

Program Lead: 

The programme should be led by an independent unit within the organization with the requisite expertise and authority. This unit should be part of a control function such as Compliance, Legal, or Risk. 

Business Functions And Departments: 

The organization’s business person should be responsible for achieving compliance with the established compliance program requirements.

Relevant data is collected to assist the Senior Management in assessing the compliance program’s effectiveness. Reporting should address the status updates on implementing the anti-bribery and corruption compliance program, including key performance indicators and incidents reported. 

The significant deviations from internal policies and procedures by the employees and engagements of intermediaries identified as presenting increased risks must be reported. The relevant legal and regulatory developments and updates on any internal reviews of the compliance program such as internal audits, or compliance reviews and testing with any other significant reported issues, about bribery and corruption committed by the officers or employees while dealing with third-party, must be reported to the Board and Senior Management.

The status of material internal investigations into alleged corruption should also be reported to Senior Management in coordination with the FI’s Legal Department, as appropriate. Moreover, an FI’s Board of Directors or a Board committee should receive periodic updates as to the effectiveness of the Program and any material matters requiring the board’s attention.

The organizations need to perform the reviews and tests of controls to determine whether internal controls are working as desired. The adequacy of the compliance program should therefore be tested and verified by an independent department or function such as internal audit or internal controls that are separate from the compliance program Lead. Consideration may also be given to having the adequacy of the compliance program tested and verified by external organizations such as external auditors or relevant quality control reviewers.

Final Thoughts

The Guidance focuses specifically on bribery, which is commonly defined as the offer, promise, request, acceptance, or transfer of anything of value to or by an individual, either directly or indirectly, in order to improperly induce, influence, or reward the performance of a function or activity.