Fraud Academy

There have been many different responses to the Bribery Act coming into force in the last year, ranging from local council bans on Christmas gifts to your bin men to increasing market exits from the more notoriously corrupt countries. The development last December of a new British Standard for 'adequate procedures' to prevent bribery may help some organisations deal with process issues but does not move the agenda very far forward in how best to influence an organisation’s ethical culture.

This new specification has a lot to commend it.

• BS 10500 ('the 2011 specification for an anti-bribery management system' to give its full title) was published last December after a period of consultation with experts ranging from the National Audit Office to the City of London Police and a number of commercial organisations. 
• Standards have a long and distinguished pedigree in business improvement and quality management, and can provide a reassuringly clear and stable framework for companies that don't know where to start in addressing complex cross-cutting issues like information security or fraud. 
• The methodical approach of standards can also be helpful in promoting consistency and coordination across project teams and supply chains, a particular issue for many companies given the Bribery Act's focus on overseas corruption and intermediaries. 
• Applied sensibly, BS 10500 can make a positive contribution alongside other standards for ethical sourcing and supply chain resilience. Certified companies still suffer from occasional problems in procurement (e.g. child labour in India, flooding in Thailand) but typically bounce back quicker and are better able to integrate the experience into risk management.

So what's the challenge? 

Firstly, the regulatory agenda is looking for more than just documented systems and process improvements. Public trust in business has rarely been as tentative or as fragile as now. There have been a succession of high-profile corporate scandals where elaborate control systems failed to prevent corporate failures – Enron and Lehman Brothers are just two that spring to mind but there are many others.

In this sceptical environment people may view self-certification as another form of corporate PR, and companies seeking a professional benchmark for their systems may want to consider independent assurance on how they have applied the specification in reality rather than in theory. 

A company that responds to press allegations with 'trust us, we've got a management system' is likely to be met with the question of “how do you know it is really working in practice?”

Secondly, there's a limit to what can be achieved by management systems alone.

• The British Standards Institute notes that "responsible organisations are increasingly seeing bribery prevention on a par with safety and quality control". However, this cuts both ways. Historical lessons from health and safety show that improvements quickly plateau after physical safeguards (e.g. handrails) and process interventions (e.g. a policy of hard hats for everyone on-site), leaving a persistent remainder of accidents due to the slippery 'human factor' (e.g. the foreman being in a hurry to get home to see the football). Our experience tells us that companies who want to move beyond this plateau are now looking to supplement their processes with practical and values-driven decision-making to enable day-to-day implementation of the policies and procedures, to embed compliance into the heart of the corporate culture – the ‘DNA’ of the company - and ‘business as usual’.
• Individual behaviour is one of the hardest risks to address through a traditional process-heavy approach. PwC is helping companies address these often overlooked behavioural risks, seeking to narrow the gap between what is said (“intended behaviour”), what is visible (“expressed behaviour”),and what is done (“actual behaviour”) by defining and embedding ethical values in company strategy and individual decision-making.

Finally, while applying the specification will help demonstrate that a company has established and implemented a suite of anti-bribery procedures, this is not the same thing as demonstrating 'adequate procedures' in compliance with the Bribery Act.

• The specification is heavily caveated and is effectively a checklist of what a company has in place. This can be useful for companies at that early stage of the compliance journey, especially for those struggling to standardise their approach across different corporate functions and territories. However, there are a number of other checklist guides that are already out there for free, such as the Transparency International guidance on best practice in adequate procedures. 
• The new specification has not received any formal endorsement from the UK authorities. 

So, probably best to take the new specification at face value, and accept the limitations of peer-to-peer benchmarking within a wider due diligence process. This specification also offers value for companies seeking another tool for vetting their suppliers and categorising risks - but don’t forget that certification will be one single indicator amongst others – with its limitations.

Those seeking to ensure adequate procedures to prevent bribery should consider taking the time and investment for an independent review of their anti-bribery regime, addressing the hard-to-reach issues of behavioural risk, corporate values and ethical decision-making, as well as the policies and procedures themselves.