In an interview with Leas Bachatene, CEO at ethiXbase, Richard Bistrong, CEO at Front-Line Anti-Bribery LLC, shares his views on front-line third party risk management in today’s business environment.
LB: Hi Richard, thank you for participating in today’s Q & A. You’ve been very active within the compliance community over the course of the last 18 months, helping to bring value to other individuals, organisations and institutions in their own compliance and anti-bribery initiatives by sharing your uncommon experience and perspective. For the benefit of our readers, perhaps you could share with us what brought you into the field of compliance?
RB: Thank you Leas for the opportunity to engage, once again, with you and your team. I am really looking forward to our webcast this week on “Managing Real-World Risk – The Warning Signs You Don’t See.” As to my journey into compliance, it certainly has been outside of the norm. It started with spending ten years in the field as an International Sales and Marketing Executive in the defence industry. It was my conduct during this period that ultimately concluded with my being targeted by the Justice Department, as the subject of an FCPA investigation. My lawyer received the ‘target’ call from the DOJ mid-2007, and I was given an opportunity to ‘proffer’ (meet with the DOJ under limited immunity), which then led to five years of cooperation with the FBI/DOJ, including cooperation with the City Of London Police and Crown Prosecution Service. The UK cooperation was as part of an Immunity Agreement, which was negotiated in the context of being the target of a UK criminal investigation under UK Trade and Proceeds of Crime Laws. At the end of three years of covert cooperation and another two years of working with prosecutors in trial preparation and testimony, I faced sentencing as part of my own US Plea Agreement in the US, where I ultimately served fourteen and a half months in prison.
LB: So how did that experience lead to what you do today, and how has your message been received?
RB: When I got home (after incarceration) in 2013, I started to ‘deep dive’ into the well-experienced and resourced compliance discussion. What I didn’t see was any reflection as to what it is like on the front lines of international business, where field personnel, in remote and often unsupervised offices, sit at the crossroads of compliance, commerce and corruption. If you look at those who have been convicted of FCPA and anti-bribery offences, you will notice a well-educated and compensated group that didn’t need to take any risk, and certainly not with their own liberty, to succeed. I sometimes think we forget that those on the front-lines are not lawyers, auditors or investigators; they are professionals who have been hired, at some level, to grow the business, even in frontier markets where business opportunity and corruption risk are intertwined. So, at first, I started to write and talk about it: what it was like, what did I do, what I was thinking, etc.
As to how it has been received, I knew what I was doing was illegal when I did it, so I understand and respect when some members of the compliance community reflect, “what can we learn from that?” I also understand that because of my criminal past that my journey might be discarded or dismissed by some. That’s natural. However, the greater reaction and engagement has been from corporate CCO’s, GC’s as well as Board Committees, who share their common challenge of “we think our compliance is robust enough to satisfy the regulators, but what keeps us up at night, is it embraced and understood in the field as part of sustainable business growth and strategy.”
I attended a conference a few weeks ago where the CCO of a Fortune 100 company talked about how “rules, policies and procedures don’t necessarily drive behaviours.” Agreed. That is where the WAH, or ‘what actually happens’ in the field, which you won’t find in a compliance manual, needs to be addressed as a part of a compliance programme. My sharing that experience and perspective, where I ‘pull back the curtain’ on the WAH, has been the most inspiring and resonating part of my work. It is where compliance gets calibrated to reality, and where organisational silos, and/or organisational ‘unspoken’ messages, that might be out of alignment with anti-bribery compliance, get addressed.
I have worked with compliance leaders that appreciate the dynamics of corruption risk, and as you know from your own work, understand that it is not a “one size fits all” risk model, especially when you look at regional risk. Thus, the process of calibrating compliance to the real-world local threats that forward positioned teams face is one that is extremely challenging, and very much a “roll up your sleeves” exercise.
In summary, I find that business leaders are really interested in the WAH, so as to make certain that their compliance programmes are not ignored at the field level to the necessities of business development, but that they are viewed as a strategic asset.
LB: In our recent whitepaper Managing Real World Third Party Risk: The Red Flags You Don’t See, you caution organisations to beware of how they manage third parties deemed ‘low risk’. Could you tell us more about what you mean here and strategies an organisation may employ to manage this?
RB: Leas, I was charged with bribery offenses that involved New York based UN Officials and in another offense, a Dutch Police Officer. We probably don’t think of the US or Holland as a “high risk” regions. In the case of the UN, the commission rate was less than five percent, which is certainly lower than most red-flag thresholds. So while there may be regions and transactions that might be deemed “low risk,” I think that organisations are operating with great peril when they assign such categories as “no risk.” Here, you and I have had some interesting conversations, as to what might be considered the “least common risk denominator” of third party due diligence. In such cases, even in a low risk matrix of region and transaction, there still needs to be a reasonable amount of process and due diligence which addresses the scenario.
LB: It is well known that the US has a well-established regulatory framework under the Foreign Corrupt Practices Act; however, many organisations fall afoul of these principles when conducting business abroad, and especially in emerging markets such as Asia. In your opinion, what do you think firms can improve on, and learn from when it comes to managing third parties and ensuring compliance while considering the challenge that distance and differing business cultures present?
RB: That’s an excellent question and I wish it had an easy answer. First, let us start with the premise that in such emerging or frontier markets, that many third parties don’t take established extra-territorial regulatory and enforcement frameworks seriously. In other words, the WAH is often “it’s not my law, and I need the business, so I will sign whatever you want me to, if that gets me vetted.” Remember, in these frontier countries, third parties are presented with lucrative business opportunities that result from partnerships with brands that can generate significant revenue. Better said, they need your business. Thus, putting some anti-bribery paperwork in between them and getting successfully on-boarded is often met with shrugs of “what do I care, it’s not my law,” or, worse “it’s legal here.” Thus, organisations should not be complacent or under any illusion that third parties signing anti-bribery paperwork is a direct reflection of their business ethics and anti-bribery compliance. To me, those papers should be the ends of a vetting process, as oppose to the means.
Organisations operate at their own peril when they “vet and forget.” I know that monitoring is something ethiXbase takes quite seriously. I have seen, for example, third parties move from performing legitimate services into corruption due to regime change, where newly seated public officials are “on the same team” as the third party. I can think of other triggering events, but I always recommend that organisations hit the ‘pause’ button on transactions in markets of political instability when there is regime change. You are now dealing with a whole new set of public officials. Find out who they are before proceeding.
Ultimately, businesses can operate in most markets ethically with proper compliance programmes, on-going due diligence, and localised third party training. There is also the potential to start by engaging in lower level, lower-risk transactions, as a way of operating in country. This allows organisations to show that business, even small business, can be achieved devoid of corruption. There is nothing wrong with smaller steps, as opposed to large-scale investments, where risk has been baked into the business and strategic model. That’s good business.
LB: At ethiXbase, and through the Ethical Alliance Corporate Anti-Corruption Programme, we stress the importance of ‘tone from the top’ in driving and maintaining a consistent ethical business culture. In your experience, do you see disconnect between the individual and corporate attitude towards corruption and/or compliance and how do you recommend this is addressed?
RB: Leas, tone at the top is essential. It shows leadership commitment. But I often counsel, before looking for the bribe, look for the strategy. In other words, is compliance a part of the discussion when business strategy, forecasts and incentive plans are rolled out, especially in high-risk and low-integrity regions? Are corporations looking for quick returns in frontier markets, or do they have a long-term plan for ethical and sustainable business? From my perspective, where time lines are short in high-risk markets, and incentives are indexed on individual performance, or what we call “eat what you kill” in the sales field, then we have a very dangerous disconnect. In such scenarios, forward positioned personnel and teams will ponder “what does management really want, compliance or sales, as I can’t deliver both.” When you have that zero-sum indexing of anti-bribery compliance with business success, it presents great peril to all. In such environments, compliance decisions get made ‘on the fly,’ and the unspoken organisational message of ‘win above all else’ starts to dilute that tone at the top. I understand those quarterly calls where ‘did you make your numbers’ sounds a lot louder then ‘how are you making your numbers.’ Now compliance is left with the unenviable task of potentially catching falling knives.
LB: In your extensive interaction with the compliance community, what do you view as the biggest challenges and pitfalls when it comes to effective ongoing third party management and due diligence? Would you agree that many organisations do not appreciate the difference between onboarding and ongoing management when it comes to their anti-corruption compliance programme?
RB: Yes, and I look forward to addressing this with real life examples in our webcast. Leas, I know that as a consumer and producer of third party surveys, you appreciate the commonality among reports that organisations are falling dramatically short of third party engagement and monitoring after the on-boarding process. Thinking that having a robust ‘gate keeping’ vetting programme somehow eliminates risk after a third party is ‘through the door,’ presents tremendous risk and danger to an organisation and its front-line teams. This dynamic of “vetting and forgetting” really needs to be addressed. The regulators have certainly shared their thoughts on the importance of monitoring.
LB: And now a light-hearted question to round out this interview, one that I am sure many readers would be keen to know. If ever your journey of crime, cooperation and compliance was to be turned into a movie, which actor would you choose to portray your character and why?
RB: And in a light-hearted response, I will survey my family and come back to you!
LB: Thanks again Richard, any final thoughts that you would like to add?
RB: Yes, Leas. Your efforts really do go beyond a “bolt-on” system of due-diligence, vetting and on-boarding. The event we had in Houston, our whitepapers as well as your Anti-Corruption Programmes and the Ethical Alliance, clearly demonstrate not only your commitment to protecting organisations and people, but also to your understanding and elevating the real-world risks that continue to challenge multinationals and front-line offices. You also clearly embrace and elevate the challenges that we don’t operate in a static environment; that behavioral, third-party and external risks are constantly changing. Thus, a due diligence process needs to be both flexible and calibrated to those changes in risk. I will look forward to hearing more about your views in our webcasts on the 9th and 10th December! Also, I naturally welcome the comments and insights of your community via my website at www.richardbistrong.com or email@example.com.