By Peter Viksnins, Director and Core Forensic Services & Anti-Corruption Leader, PwC Malaysia
It’s no surprise that bribery and corruption continues to be on the rise across South East Asia. According to PwC’s Global Economic Crime and Fraud Survey 2018, nearly a quarter of South East Asian organisations (23%) have been asked to pay a bribe in the last two years (vs 14% in 2016). With new technology, comes new risks and complexities to grapple with. Are companies addressing and adapting to these risks fast enough? Are they aware of changing regulations and compliance standards?
The ISO 37001: Anti Bribery Management Systems was recently published globally to combat bribery and promote an ethical business culture. In fact, many of South East Asia’s standard-setting organisations, including in Malaysia, Singapore, Indonesia, and the Philippines, have adopted this standard. Some of the leading companies and government agencies in the region have taken a step further to get certified. So how are companies responding to this standard in the different parts of the region?
In this blog, I will explore three key questions: what is this standard, why is it popular in the region, and what actions should companies consider taking now that it's been published?
What is ISO 37001?
ISO 37001 has variants specific to different countries, but it’s essentially recognised as an Anti-Bribery Management System. Some companies already have existing Anti-Bribery / Anti-Corruption (ABAC) compliance programmes. So, assuming that companies follow existing guidance for developed economies, most of the content of ISO 37001 will be familiar territory.
Guidance on ABAC compliance programmes has been published by a number of governments and non-governmental organisations for years. ISO 37001 definitely stands on the shoulders of their predecessors, including:
For some companies, the only “new” piece of the ISO 37001 standard is the requirement for some level of due diligence on individual employees in risky or sensitive positions. But this sort of requirement can in fact be found in the US Sentencing Guidelines Chapter 8.
Why is ISO 37001 popular in South East Asia?
It can be argued that the popularity of the standard is a result of its global nature – after all, it doesn’t have the force of law, and is an international standard, rather than being advocated only by Western governments like the US FCPA or UK Bribery Act 2010. It is also not restricted to particular groups or international associations (like guidance from the OECD or EU might be perceived to be). Thus, for entities of the Malaysian, Singaporean or other regional governments to suggest the standard doesn’t necessarily mean they have to adopt another government’s legislation.
What can companies do to protect themselves from corruption risk?
I recommend that companies approach certification with caution before embarking on it. This certification carries with it ongoing obligations including audits, training and risk assessments. Some companies may feel that it is more prudent to implement a robust anti-bribery management system consistent with the principles of ISO 37001, rather than committing both time and financial resources to be certified with the standard. As shared, many of those ISO 37001 principles are already encapsulated in numerous other authoritative documents that can be used to set up the framework for such a compliance programme.
I strongly recommend that companies perform a corruption risk assessment as a first step. Only one-third of Asia-Pacific respondents in PwC’s Global Economic Crime and Fraud Survey 2018 indicated that they had performed such an assessment in the past two years – clearly an area for improvement.
Risk assessments do not always need to be significant exercises conducted by external consultants. Very often organisations can perform the sufficient basics of a corruption risk assessment themselves. As with any risk assessment process, the first step is to identify the actual and potential risks, and assess their likelihood and impact. Then existing controls and mitigating factors can be bolstered until the remaining corruption risk is acceptably low. Any risk assessment undertaken should be regular, formal and well documented.
More than a risk assessment alone, what’s needed is a customised compliance programme to prevent and mitigate the risks faced by companies. A well designed compliance programme must have significant top level commitment, and be clearly informed by robust risk assessment and planning. With a strong foundation of clear and concise policies and procedures, third party risk and other high risk areas can effectively be managed. Once implemented, any compliance programme must be combined with a comprehensive communications and training plan, and be subject to ongoing monitoring, review and continuous improvement. This will help companies up their game in detecting, monitoring and preventing future incidences of bribery. Look for fraud in the right places. And you’ve won half the battle in addressing its risks.