Chapter 2. Promoting integrity and preventing corruption in state-owned enterprises: What works and what does not?

This chapter explores obstacles to effective integrity and anti-corruption in the opinion of 347 SOE respondents in 213 companies across 34 countries. It incorporates the perspectives of SOE representatives and state ownership entities regarding challenges and good practices in implementing mechanisms to prevent and detect corruption. The analysis is framed using key elements of integrity, compliance or anti-corruption mechanisms and programmes, as outlined by the OECD and other international standard-setters – from prevention to detection and response.

    

Overview: Promoting integrity and preventing corruption in state-owned enterprises

This section summarises and highlights the main findings from this chapter, which outlines the challenges that SOEs are facing in adopting and effectively implementing internationally-recognised elements of compliance and integrity mechanisms and programmes. It deconstructs SOE responses to the 2017 SOE survey on anti-corruption and integrity, assessing which factors may act as obstacles to effectively promoting integrity and preventing corruption in, or involving, respondents’ companies.

Four out of five SOEs allocated an average of 1.5% of operational budget to detecting and addressing corruption and breaches of integrity in the last year. The majority of SOEs have internal audit, a degree of public disclosure, assessments of anti-corruption and integrity risks as part of risk management and complaints and advice channels for reporting wrongdoing.

There is more work to be done in adopting and implementing integrity mechanisms that are tailored to the company’s risk profile and in increasing their efficacy. Such efforts must be coupled with a culture of integrity to counter pressure and undue influence where corruption is a systemic issue, and opportunistic behaviour by individuals where it is not. The overall findings indicate that certain factors may be pronounced in SOEs.

Participating SOEs’ greatest obstacles to integrity relate to behavioural issues and relations with the state. These obstacles are more pronounced for respondents that report having witnessed corrupt or other irregular practices in the last three years. Overcoming these will require strengthening of the ten key elements of effective integrity and anti-compliance programmes that form the basis of this chapter. In particular, it will require:

  • Making a clearer argument for investing in preventing, detecting and addressing integrity and anti-corruption, changing the perception that it is a burden or cost. SOEs see budget allocation to preventing, detecting and addressing integrity and anti-corruption as more of a burden than private companies (OECD, 2015a). Despite an average 1.5% allocation of operational budget, some respondents still see inadequate resourcing as at least “somewhat of an obstacle” to company integrity.

  • Promoting a culture of integrity within the SOE and at the government level. Respondents ranked “a lack of integrity in the public and political sector” as the primary obstacle for their company. A close second was a “lack of awareness among employees of the need for, or priority placed on, integrity”.

  • Ensuring professional and transparent SOE interactions with the ownership entity and broader public sector. In addition to reporting the risk of non-declaration of conflict of interest, 27% of SOE respondents voiced concerns about relations between the SOE and political officials.

  • Considering opportunistic behaviour and risk-taking in SOEs versus private companies. SOE respondents reported that some of the greatest obstacles to integrity in their company include the opportunistic behaviour of individuals, a pressure to rule-break or to perform and perceptions that (i) the cost of corruption is low, (ii) the return is high, or (iii) they are unlikely to be caught. Comparison with a OECD study on business integrity showed that private sector companies were more likely to have behaved in a risk-averse manner when faced with corruption risks than SOEs of this study (2015a).

  • Strengthening internal controls and equipping internal audit. Nearly all companies have some arrangement of integrity mechanisms – controls, detection and reporting systems – but there are common challenges in their effectiveness. Board members and executive management pointed to a lack of effectiveness in internal controls, audit or risk management as an issue for integrity.

  • Explicitly and regularly treating corruption risks. Almost one in ten companies does not explicitly treat anti-corruption risks as part of risk management. SOEs that conduct risk assessments every two to three years were more likely to witness corruption in their company and to report greater obstacles to effective prevention and detection than companies conducting risk assessments annually.

  • Ensuring due process for enforcement and, where necessary, sanctioning non-compliance, breaches of integrity and corruption. Demonstrating an SOE’s or a state’s willingness to enforce high standards of integrity should increase the opportunity cost of engaging in corrupt or other irregular practices. It may also counteract any perception, if and where it exists, that SOEs or corporate insiders are not likely to be caught. It may also facilitate repatriation of funds in cases of cross-border corruption.

  • Investing in prevention, detection and enforcement helps to safeguard SOEs from self-serving behaviour that may stem from within an SOE, or from undue influence and exploitation by any third parties. The trifecta of corruption prevention, detection and response should remove blind spots to corruption, and reduce the likelihood of financial losses, risk of non-compliance, loss of trust by clients and citizens and reputational damage. Compliance, integrity or anti-corruption programmes can also help an SOE in defence of corporate liability. 1 All of these implications of corruption were voiced as a concern by SOEs in this study.

The analysis of this chapter is primarily framed by key elements of integrity and compliance mechanisms and approaches, promoted in the OECD, United Nations Office on Drugs and Crime (UNODC) and World Bank (2013), Anti-Corruption Ethics and Compliance Handbook for Business. It benefits from internationally agreed upon standards issued by the OECD. Particularly pertinent key instruments for SOEs and for the state as owner are provided in Box 2.1.

Box 2.1. Overview of existing OECD sources on promoting integrity in the public and private spheres 

Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (1997) (Implementing body: Working Group on Bribery in International Business Transactions)

Recommendation of the Council on Improving Ethical Conduct in the Public Service Including Principles for Managing Ethics in the Public Service (1998), (Implementing body: Public Management Committee now called Public Governance Committee)

Recommendation of the Council on OECD Guidelines for Managing Conflict of Interest in the Public Service (2003), (Implementing body: Public Management Committee now called Public Governance Committee)

OECD Principles for Transparency and Integrity in Lobbying (2010) (Implementing body: Corporate Governance Committee)

Recommendation of the Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions (2009, including its Annex II: Good Practice Guidance on Internal Controls, Ethics and Compliance added in 2010) (Implementing body: Working Group on Bribery in International Business Transactions)

Guidelines for Multinational Enterprises (2011) (Implementing body: Investment Committee)

Recommendation on Fighting Bid Rigging in Public Procurement (2012) (Implementing body: Competition Committee)

Recommendation of the Council on Public Procurement (2015) (Implementing body: Public Governance Committee)

G20/OECD Principles of Corporate Governance (2015) (Implementing body: Corporate Governance Committee)

Recommendation of the Council for Development Co-operation Actors on Managing Risks of Corruption (update to the DAC Recommendation on Anti-Corruption Proposals for Bilateral Aid Procurement of 1996) (Implementing bodies: Development Assistance Committee and the Working Group on Bribery in International Business Transactions)

Recommendation of the Council on Integrity in Public Procurement (2016) (Implementing body: Public Governance Committee)

Recommendation of the Council on Public Integrity (2017) (Implementing body: Public Governance Committee)

Tackling obstacles to integrity

The OECD survey of SOEs tracked challenges to improving integrity in their companies. Obstacles to integrity, when aggregated at the country level, are moderately and negatively associated with country scores on the World Justice Project’s Rule of Law Index. In other words, companies in countries that rank higher on the Rule of Law Index (that is, better rule of law) consider the obstacles to integrity facing their company as lower. This suggests that respondents’ assessments of the obstacles to integrity are somewhat influenced by exogenous factors that form the components of the Rule of Law Index, including, but not limited to: the country’s constraints on government powers, absence of corruption, regulatory enforcement and criminal and civil justice. 2 This moderate negative correlation may indicate that SOE assessments of obstacles may be a useful proxy for pinpointing where improvements can be concretely made within SOEs and in their operating environment.

Table 2.1 shows how SOE respondents assess obstacles to integrity in their company. Overall, respondents do not report facing grave obstacles – with respondents rating most obstacles presented to them (Annex 2.A1) as “does not exist”, exists but “not at all an obstacle” or “somewhat an obstacle”. While respondents do not differ in how they rate the severity of obstacles to their company, they do differ in terms of the types of obstacles they consider their company to face.

Table 2.1. Assessments of obstacles to integrity by respondent characteristics
Aggregated responses to: “In your opinion, to what degree does each factor pose as an obstacle to effectively promoting integrity and preventing corruption in, or involving, your company?”

 

% of respondents that say risks of corruption or other irregular practices materialised in the last three years

Type of obstacles to integrity respondent company faces

Overall sample average

42%

1. A lack of a culture of integrity in the political and public sector

2. A lack of awareness among employees of the need for, or priority placed on, integrity

3. Opportunistic behaviour of individuals

Respondent’s position / role in the company

Board member

43%

1. A lack of a culture of integrity in the political and public sector

2. Opportunistic behaviour of individuals

3. A lack of awareness among employees of the need for, or priority placed on, integrity

Executive Management

36%

1. A lack of a culture of integrity in the political and public sector

2. A lack of awareness among employees of the need for, or priority placed on, integrity

3. Opportunistic behaviour of individuals

Heads of the corporate audit, compliance or legal functions

45%

1. A lack of a culture of integrity in the political and public sector

2. A lack of awareness among employees of the need for, or priority placed on, integrity

3. Opportunistic behaviour of individuals

Other

46%

1. A lack of a culture of integrity in the political and public sector

2. A lack of awareness among employees of the need for, or priority placed on, integrity

3. Opportunistic behaviour of individuals

Respondent’s company: sector

Agriculture and Fishing

36%

1. A lack of a culture of integrity in the political and public sector

2. Opportunistic behaviour of individuals

3. Inadequate remuneration/compensation

Banking and related financial services

33%

1. A lack of a culture of integrity in the political and public sector

2. A lack of awareness among employees of the need for, or priority placed on, integrity

3. Inadequate financial or human resources to invest in integrity and prevent corruption

Energy (i.e. electricity generation and supply)

42%

1. A lack of a culture of integrity in the political and public sector

2. A lack of awareness among employees of the need for, or priority placed on, integrity

3. Opportunistic behaviour of individuals

Information and Communication Technology (ICT)

33%

1. A lack of awareness among employees of the need for, or priority placed on, integrity

2. Perceived likelihood of getting caught is low

3. Opportunistic behaviour of individuals

Mining

50%

1. Ineffective channels for whistleblowing / reporting misconduct

2. A lack of a culture of integrity in the political and public sector

3. Inadequate resources

Oil and Gas

63%

1. Overly complex or burdensome legal requirements

2. A lack of awareness among employees of the need for, or priority placed on, integrity

3. Opportunistic behaviour of individuals

Postal

45%

1. A lack of a culture of integrity in the political and public sector

2. Loyalty to company

3. A lack of awareness among employees of the need for, or priority placed on, integrity

Transportation and Logistics

42%

1. A lack of awareness among employees of the need for, or priority placed on, integrity

2. Opportunistic behaviour of individuals

3. Perceived likelihood of getting caught is low

Respondent’s company objectives

Entirely commercial

49%

1. A lack of awareness among employees of the need for, or priority placed on, integrity

2. A lack of awareness of legal requirements

3. Inadequate financial or human resources to invest in integrity and prevent corruption

Mixed objectives (commercial with public policy)

36%

1. A lack of a culture of integrity in the political and public sector

2. A lack of awareness among employees of the need for, or priority placed on, integrity

3. Opportunistic behaviour of individuals

Respondent’s status as a public official

Public official

42%

1. A lack of a culture of integrity in the political and public sector

2. A lack of awareness among employees of the need for, or priority placed on, integrity

3. Opportunistic behaviour of individuals

Not a public official

42%

1. A lack of awareness among employees of the need for, or priority placed on, integrity

2. A lack of a culture of integrity in the political and public sector

3. Opportunistic behaviour of individuals

Note: Ranking of individuals’ responses to “In your opinion, to what degree does each factor pose as an obstacle to effectively promoting integrity and preventing corruption in, or involving, your company?”, ranging from “NA/does not exist in my company” to “very much an obstacle”. The risks listed in column 3 are ranked in terms of their rating, and in some cases were equally rated.

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

Table 2.2. Top obstacles to integrity: Based on previous experiences with corruption and irregular practices

Top five obstacles to integrity in respondents’ companies

Respondents that witnessed corruption or other irregular practices transpire

Respondents that did not witness corruption or other irregular practices transpire

1. A lack of a culture of integrity in the political and public sector

2. A lack of awareness among employees of the need for, or priority to be placed on, integrity

3. Opportunistic behaviour of individuals

4. Perceived likelihood of getting caught is low

5. A lack of awareness of legal requirements

1. A lack of a culture of integrity in the political and public sector

2. A lack of awareness among employees of the need for, or priority placed on, integrity

3. A lack of awareness of legal requirements

4. Opportunistic behaviour of individuals

5. Overly complex or burdensome legal requirements

Note: Ranking of obstacles to integrity by respondents that responded affirmatively and negatively to “in your assessment, did any of the [listed] risks materialise into activities/actions in the last three years in (or involving) your company?” ranked based on an index from 0 to 3, whereby 0 is “NA/does not exist” to 3 is “very much an obstacle”.

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

Respondents also report different obstacles as a threat to integrity if they report to have witnessed corrupt or other irregular practices transpire in their company in the last three years (Table 2.2). Those that perceived witnessing corruption or irregularities in their company saw opportunistic behaviour of individuals as an obstacle to their company’s integrity, as well as the perception that the likelihood of being caught is low. Those who report that they have not witnessed corruption transpire see their biggest challenge as a lack of awareness. This could suggest that reported corruption or irregular practices in companies in the sample may be a result of opportunistic behaviour that circumvents rules, rather than ignorance to the rules.

The SOE Guidelines recommend that SOEs adhere as closely as possible to corporate practices and the best international standards. Table 2.3 shows the top obstacles to integrity for the participating SOEs in column A. For comparison, column B shows internationally recognised key elements of effective compliance and integrity approaches in business. The key elements are rooted in those found across more than ten international instruments, summarised in Annex 2.A1, as captured in the OECD, UNODC, World Bank (2013) Anti-Corruption, Ethics and Compliance Handbook for Integrity. While directed at the private sector, these elements are similar to those required by governments to ensure integrity and mitigate fraud, waste and abuse in the public sector. Elements appear in OECD’s Recommendation for Public Integrity, as well as SOE-specific guidance such as Transparency International’s 2017 “10 Anti-Corruption Principles for State-Owned Enterprises”.

The obstacles in Table 2.3 (column A) may represent weaknesses or blind spots to the SOE that could leave them exposed to corruption or other irregular practices by corporate insiders or outsiders. The sub-sections below propose elements of an overall corporate approach that may be instrumental in overcoming such obstacles, allowing SOEs to meet international standards for effective integrity, compliance and anti-corruption for state owned and non-state owned companies (column B).

Table 2.3. Counteracting perceived obstacles to integrity in state-owned enterprises

A. What are the obstacles to integrity?

B. How can SOEs overcome obstacles to integrity?

A. Top ten obstacles to integrity in SOEs (as rated by 347 SOE respondents)

B. Key elements of effective integrity, anti-corruption or compliance mechanisms or programmes

1. A lack of a culture of integrity in the political and public sector

2. A lack of awareness among employees of the need for, or priority placed on, integrity

3. Opportunistic behaviour of individuals

4. A lack of awareness of legal requirements

5. Perceived likelihood of getting caught is low

6. A lack of a culture of integrity in the company

7. Overly complex or burdensome legal requirements

8. Inadequate financial or human resources to invest in integrity and prevent corruption

9. Ineffective internal control or risk management

10. Ineffective channels for whistleblowing / reporting misconduct

1. A culture of integrity through tone at the top and mechanisms to operationalise it

2. Autonomy and resources for integrity mechanisms

3. Risk Management and assessment

4. Standards of conduct/policies and internal controls

5. Third party management and due diligence

6. Education and training on anti-corruption and integrity

7. Disclosure, monitoring and auditing

8. Detection, advice and complaints channels

9. Incentives for integrity

10. Investigation, response and improvement

Note: The ten obstacles were ranked out of a list of 24 obstacles put forth to SOE respondents, found in the Annex of Chapter 2, and generated based on an index constructed from 0 to 3 (from “does not exist in my company” to “very much an obstacle”)

Source: Column A: OECD 2017 Survey of anti-corruption and integrity in SOEs. Column B: Adapted from sections of, and international principles captured in, OECD, UNODC and World Bank (2013), Anti-Corruption Ethics and Compliance Handbook for Business, www.oecd.org/corruption/anticorruption-ethics-and-compliance-handbook-for-business.htm.

Box 2.2 elaborates on how weaknesses such as those identified by SOE respondents have exposed organisations to fraud, as illustrating the link between obstacles and misconduct. The study in Box 2.2 demonstrates that fraud resulted from not only an absence of appropriate controls or review, but from override of existing controls.

Box 2.2. Primary control weaknesses observed in cases of occupational fraud

A study on victims of occupational fraud found cited the weaknesses below that exposed their organisation to fraud cases – 37.4% of which also overlapped with corruption.

As such, the findings can be instructive for SOEs seeking to mitigate corruption by establishing necessary safeguards and filling in vulnerabilities:

  1. Lack of internal controls (internal controls discussed under “key element 4”)

  2. Override of existing internal controls (internal controls discussed under “key element 4”)

  3. Lack of management review (monitoring is covered under “key element 7”)

  4. Poor tone at the top (“tone at the top” discussed under “key element 1”)

  5. Lack of competent personnel in oversight roles (capacity and resourcing for oversight discussed in section “key element 2”)

  6. Lack of independent checks and audits (monitoring an auditing discussed under “key element 7”)

  7. Lack of employee fraud education (education and training discussed under “key element 6”)

  8. Lack of clear lines of authority (authority and autonomy discussed in “key element 2”)

  9. Lack of reporting mechanisms (detection and advice channels discussed in “key element 8”)

Source: Association of Certified Fraud Examiners (ACFE) (2016), Report to the Nations on Occupational Fraud and Abuse, 2016 Global Fraud Survey, www.acfe.com/rttn2016/docs/2016-report-to-the-nations.pdf

SOEs’ existing approaches to integrity by SOEs are either stratified throughout a company or packaged into a complete integrity, compliance or anti-corruption programme. The particular choice as to whether to create an explicit anti-corruption, compliance or similar “programme” may be delegated through the state-ownership entity’s expectations, outlined in the legal and regulatory framework or up to the discretion of the board of executive management of the SOE. Whether or not they are formalised into an explicit “programme”, SOEs should still strive to implement key elements of a good practice programme taking into account SOE capacity, size, risk profile and risk tolerance levels.

Element 1: A “tone at the top” and a plan for operationalisation

Similar to privately incorporated SOEs, SOE boards and executive management have the job of operationalising the requirements found in the legal framework that support prevention, detection, and response to corruption and other irregular practices. Particularly for SOEs, the state is also instrumental in setting a tone – a “tone from the top” – through the establishment and communication of expectations.

Instilling a culture of integrity is broader than compliance. Compliance can, and is often, treated narrowly as the adherence to relevant rules that exist. A culture of integrity – promoting “doing the right thing” – extends beyond seeking the letter of the law. The state’s encouragement towards integrity should be spelled out clearly in the state’s expectations to avoid additional or ad-hoc burdens on SOEs, or to avoid it being used as a cover for intervention in the operations of SOEs.

SOEs may choose or be required to tailor and implement explicit state expectations regarding anti-corruption and integrity in SOEs that may be more or less stringent than those applying to privately incorporated companies. The SOE Guidelines recommend that SOEs adhere, as closely as possible, to corporate practices and the best international standards. In some countries, anti-corruption and integrity-related mechanisms are implemented in line with requirements for public sector entities. In one UK company, state requirements to adopt relevant codes is placed on all government departments and agencies although each body is free to establish the shape, size, content and method of communication (and associated methods of control). In other cases, SOEs may be limited in their approach to integrity by the state’s requirements, or lack thereof.

A tone from the top and promotion of integrity in SOEs could be improved, as almost half (47%) of SOEs lost annual corporate profits to corruption or other rule-breaking at 3% on average in the last year.3 Results show that 25% of heads of the corporate audit, compliance or legal functions, and 18% of executive management board members reported that “unsupportive leadership from the board and management” is at least “somewhat an obstacle to integrity in their company.” The variance in opinion by respondent position points to a respondent bias. Further, the following obstacles were highlighted amongst the greatest obstacles by SOE respondents:

  • A lack of awareness among employees of the need for, or priority placed on, integrity.

  • Existence of behavioural issues, such as opportunistic behaviour of individuals, a perception that the likelihood of getting caught is low, or perverse incentives such as pressure to perform or to break the rules.

  • A lack of a culture of integrity in the political and public sector. The states’ responsibility in this regard is discussed in Chapter 3. SOE leadership is also responsible for insulating its company from any undue influence – state or otherwise.

SOE leadership can tackle such issues by establishing a clear “tone from the top” – a clearly articulated mission statement or visible corporate policy that explicitly addresses the topic of integrity, ethics or anti-corruption and is integrated into the corporate strategy. Orchestrating a believable approach to combatting corruption and promoting integrity in a company will require bringing leadership onto the same page. Figure 2.1 shows that board members, integrity managers and executive management have different perspectives on the allocation of budget to integrity functions in their company. Fifty-seven percent of board members see it as an asset or investment, higher than integrity managers (52%) and executive management (42%).

A high proportion of companies’ existing approaches to integrity and anti-corruption have been self-driven or voluntarily established by leadership. However, the foremost driver of these mechanisms has been to comply with requirements that have been imposed or requested. A majority were also driven to implement such measures for fear of reputational damage. Forty percent of respondents also pointed to a risk of corruption, and a risk of legal enforcement or divestment as a significant impetus for establishing their current approaches. Private sector companies reported, in the 2015 OECD study on Trust in Business, similar reasons for seeking to prevent and address corporate misconduct (OECD, 2015a).

Figure 2.1. Allocation of operational budget to anti-corruption and integrity: Investment or cost?
Responses to the question: “How would you characterise the allocation of operational budget to preventing, detecting and addressing integrity and anti-corruption?”
picture

Note: Board members included Chairs and other board members; Executive management included Chief Executive Officers/Presidents/Managing Directors, Chief Financial Officer or similar or other “C-suite” executives; the group of heads of the corporate audit, compliance or legal functions also included Chief Risk and Chief Sustainability Officers.

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs

A culture of integrity importantly includes the understanding throughout the ranks of the company that anti-corruption and integrity initiatives are part of the broader strategy towards the achievement of SOE goals. Where they are seen as a drain on the company, there is scope to better link them to strategic objectives and to disseminate the understanding of their importance for achievement of goals and mitigation of reputational damage and losses to waste and abuse.

The tone from the top should include clear instruction on how such anti-corruption and integrity efforts will be operationalised – from prevention, through detection, enforcement and improvement – embodied in codes and standards. The SOE Guidelines state that “boards of SOEs should develop, implement, monitor and communicate internal controls, ethics and compliance programmes or measures, including those which contribute to preventing fraud and corruption. They should be based on country norms, in conformity with international commitments and apply to the SOE and its subsidiaries” (OECD, 2015b). Further, one key step of Enterprise Risk Management is that management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite (the Committee of Sponsoring Organizations of the Treadway Commission [COSO], 2017).

In some countries, a specific anti-corruption, compliance or integrity programme is established, while in others the approach to integrity is captured in a specific code of conduct, or similar, backed by relevant controls. An SOEs’ approach may be dictated or simply recommended by the state ownership entity, or at the full discretion of the board and executive management. Relevant company examples provided in the OECD 2017 survey of anti-corruption and integrity in SOEs include:

  • One Finnish company that has established a “Total Compliance” programme which covers key areas of regulatory compliance and business ethics. It is managed with risk-based prioritisation. Internal Controls are integral part of the Total Compliance and both the Group Compliance Officer and the Head of Internal Controls report to the General Counsel independently of the business. The Code of Conduct and compliance topics and instructions are communicated through internal and external communication channels. Alignment is enforced by top management with their full commitment.

  • An Italian SOE’s board that deliberated in 2016 the adoption of an integrated anti-corruption system that will be composed by the existing Compliance Model according Legislative Decree 231/2001 and an Anti-Corruption Model, to be created after the deliberation of the Anticorruption Policy. The goal is to cover a larger spectrum of illicit practices not considered by specific company legislation.

  • A Norwegian company has a formal compliance programme in place, as required. This is based on a range of international standards, with particular reference being made to the guidelines issued for the UK Bribery Act and the recently approved International Organization for Standardization (ISO) standard on anti-bribery management systems. The programme includes the following key elements: tone from the top; risk assessment; proportionate procedures; due diligence; training and communication; monitoring and review. A corporate compliance unit has been established, and there is a network of compliance resources in all business and staff areas. The programme is regularly reviewed and audited, including by external auditors.

  • A Costa Rican company that is bound by the Manual of Standards of Internal Control for the Public Sector (Standard 2.3.1), on the "Formal Factors of Institutional Ethics", which requires establishment of formal factors to promote and strengthen institutional ethics, including at least those relating to: a) the formal statement of vision, mission, and institutional values; b) a code of ethics or similar; c) indicators that allow for following the institutional ethical culture and the effectiveness of the formal elements for its strengthening and; d) an implementation strategy to formalise commitments, policies and regular programs to evaluate, update, and renew the institution's commitment to ethics.

SOE leadership will also need to demonstrate a commitment to anti-corruption and integrity through support to related processes and through adherence to the highest standards. Naturally, it would follow that leadership should not under any circumstance be involved in corruption or other irregular practices. Yet, as shown in Chapter 1, 25% of respondents witnessed corruption or other irregular practices involving senior management and 16% involving board members.

Leadership should effectively execute its own duties regarding anti-corruption and integrity. In one country, the state ownership entity stressed that boards of directors need to think strategically, while considering risks involved in the planning process that include corruption risks. In spite of the fact that these SOEs are obliged to have a risk matrix as a tool for monitoring this type of risk, boards of directors rarely discuss it. Oversight and monitoring of integrity and anti-corruption programmes or mechanisms in a company is discussed further below.

SOE leadership and state ownership entities can consider assessing the adequacy and effectiveness of their “tone from the top” and their ability to build a culture of integrity in their company. Box 2.3 provides example questions that companies may use to self-assess the adequacy of their tone from the top.

Box 2.3. Key questions to assess effectiveness of companies’ tone from the top regarding anti-corruption and integrity
  • Is active commitment and visible support given by management?

  • Has there been clear, practical and accessible communication of the compliance programme and standards to employees?

  • Has management established a trust-based organisational culture, adopting the principles of openness and transparency?

  • Are appropriate levels of oversight of subsidiary operations established?

  • What structures and processes are in place to enable oversight?

  • What information is required by management in real-time or periodic reporting?

Source: OECD, UNODC and the World Bank, Anti-Corruption Ethics and Compliance Handbook for Business (2013), www.oecd.org/corruption/anti-corruption-ethics-and-compliance-handbook-for-business.htm.

Element 2: Autonomy and resourcing of integrity mechanisms and programmes

Departments with a primary responsibility for integrity should have sufficient autonomy, stature, capacity, and resources to execute accordingly. This section focuses on autonomy of the integrity function, while elaboration on the importance of board autonomy is found in Chapter 3.

Resourcing of corruption prevention and detection

Eighty-one percent of participating companies that invest in integrity allocate on average 1.5% of the operational budget to preventing, detecting and addressing corruption and breaches of integrity. Yet “inadequate financial or human resources to invest in integrity and prevent corruption” is considered at least “somewhat of an obstacle” for 40% of SOE respondents. This figure is slightly lower than in private sector companies, as reported by OECD’s Corporate Governance and Business Integrity: A stocktaking of Corporate Practices (2015a), where 26% of respondents felt that they had inadequate financial and human resources to establish an effective integrity policy (OECD, 2015a).

SOEs see allocation of financial and human resources to integrity as more of a burden than the private sector. Overall, 50% of SOE respondents saw such allocation of budget as an investment or asset and 27% saw it as a cost or expense. Corporate Governance and Business Integrity showed that 60% of companies felt such allocation was an investment and only 18% as a cost (OECD, 2015a).

Autonomy of SOE leadership and integrity functions

A distinct difference between SOEs and private companies is the need for board autonomy from the state owner – insulating the board from direction by state representatives that is misaligned with the role of the state as owner as elaborated in the SOE Guidelines. Board autonomy is discussed in Chapter 3.

Figure 2.2. Main activities undertaken by the integrity function
Non-exhaustive list of activities undertaken by SOE units/functions assigned significant responsibility for integrity, according to individual respondents
picture

Note: Based on 347 individual responses. Other was not specified.

Source: OECD 2017 Survey of Anti-Corruption and integrity in SOEs.

Autonomy is also needed for those responsible for integrity to exercise their role objectively and in accordance with the best interests of the company and with international standards. In cases where executive management and those involved in integrity functions, such as the CEO or internal audit, are appointed by the state, this is a direct challenge to the independence and autonomy that the integrity functions and the SOE rely on to mitigate undue influence and to manage conflicts of interest.

The internal audit department is most commonly assigned significant responsibility for promoting and overseeing integrity or integrity policies in participating SOEs (relating to risk, controls, compliance ethics or anti-corruption), but often shares the responsibility with others. Legal departments are the second group most often given this responsibility, followed by internal human resources departments. In most SOEs responsibility for integrity is shared between more than one unit.

In comparison to participating SOEs, private sector companies tend to organise integrity under a specific department, or with the in-house legal department, more often than within the internal audit department. This may suggest a greater reliance on internal audit by SOEs than in private sector. Internal audit in SOEs may also look different than in private sector companies, with the majority of SOEs reporting that their internal audit functions are in line with those of the government or public sector entities rather than in line with other corporations.

One Italian SOE for instance designates both the internal audit department and supervisory body, pursuant to Legislative Decree 231/01, as responsible for promoting and ensuring integrity and anti-corruption through events, training sessions, monitoring activities and issuing internal disciplinary sanctions.

The main activities of SOEs’ integrity functions are provided in Figure 2.2, showing that over 88% of SOE respondents are in companies where the integrity function is responsible for developing and maintaining internal guidelines and controls, undertaking internal audits and also overseeing implementation of internal guidelines and controls. They are also commonly exercising a training or investigative role. Less than 40% of respondents said that their integrity function conducts third-party due diligence.

With regards to internal audit, the OECD SOE Guidelines state that the internal audit function should be monitored by and report directly to the board, and to the audit committee or the equivalent corporate organ. The majority of units responsible for integrity in SOEs report to the CEO or Managing Director, and secondly to the chair of the board or another board member. Good practice holds that companies’ senior corporate officers should have adequate resources. In some cases, the person responsible for the integrity unit sits on the board. Companies with opportunities to report to both have witnessed slightly less corruption or other irregular practices (41%) than companies whose integrity functions report to neither (47%).

Specialised board committees

The SOE Guidelines suggest that “SOE boards should consider setting up specialised committees, composed of independent and qualified members, to support the full board in performing its functions, particularly in respect to audit, risk management and remuneration”.

The most common specialised committees are audit committees (84% of respondents report their SOE has one). More than half of respondents’ companies have a risk management committee, and less than half (43%) have a remuneration committee. Less common, yet in roughly one third of companies, are specialised committees for ethics (39%), compliance (34%) or public procurement (28%).

Respondents in companies with specialised committees in audit, risk management, remuneration and public procurement rate the likelihood of corruption as lower than those whose companies do not have the aforementioned committees. Risk management committees on the board are additionally associated with a lower rate of witnessing corruption than those without risk management committees.

Box 2.4. Key questions to assess adequacy of autonomy and resourcing for anti-corruption and integrity

Autonomy – Have the compliance and relevant control functions had direct reporting lines to anyone on the board of directors? How often do they meet with the board of directors? Are members of the senior management present for these meetings? Who reviewed the performance of the compliance function and what was the review process? Who determines the compensation, bonuses, raises, hiring, or termination of compliance officers? Do the compliance and relevant control personnel in the field have reporting lines to headquarters? If not, how has the company ensured their independence?

Empowerment – Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred? How has the company responded to such compliance concerns? Have there been specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns?

Stature – How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions?

Experience and Qualifications – Have the compliance and control personnel had the appropriate experience and qualifications for their roles and responsibilities?

Funding and Resources – How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made?

Outsourced Compliance Functions – Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What access level does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed?

Source: Department of Justice, United States (2017), “Evaluation of Corporate Compliance Programs”, www.justice.gov/criminal-fraud/page/file/937501/download.

In a few cases, specialised committees may exist external to the board, at the executive management level. This is the case in one Norwegian Company, which has compliance and risk committees that are executive management committees, or in one Italian company that has Control and Risk, Compensation and Sustainability and Scenarios Committees external to the board.

Specialised committees should have adequate autonomy and distance from executive management and employees in order to provide adequate oversight. This is particularly challenging when such committees are established at the executive management level.

Of high importance is the adequacy of the capacity and skills set of those responsible for integrity – including those on specialised committees – and the stature and authority of the departments in the company. Box 2.4 provides suggested questions that may be used by the US Department of Justice, particularly pertaining to the adequacy of autonomy and resourcing of those responsible for integrity in face of corruption suspicions. They are not meant to be used as a specific checklist, but as a guide for companies’ self-evaluation and reflection.

Element 3: Risk assessment and management

Good practice as laid out by international standard setters, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2017), promote integration of risk management into strategic and operational processes of the company. Yet too often risks, let alone corruption risks, are treated separately from decision-making processes. Those companies that do explicitly treat corruption risks do so as part of compliance risks, and fewer as strategic, operational or financial risks. In addition to the four categories shown in Table 2.4, corruption risks are treated as completely separate in 3% of companies. Ten percent of companies in the sample do not treat corruption risks explicitly.

Risk assessments aimed specifically at identifying, analysing and prioritising corruption risks are done on an annual basis in 79% of participating companies (Figure 2.3). SOE respondents in companies that never conduct corruption-related risk assessments or that conduct them every two-to-three years reported witnessing corruption and other irregular practices more often than companies that conduct annual risk assessments. They also consider corruption risks as more likely to transpire and that mechanisms for prevention and detection (internal controls, risk management, internal audit and reporting) are more of a challenge to their company’s integrity.

Table 2.4. Categorisation of corruption risks in state-owned enterprises

Risk category

Example business objectives by risk category

Examples of risk factors (“a condition that is associated with a higher probability of risk consequences”)

% SOEs subsuming anti-corruption and integrity risks into each category

Strategic risk factors

Protect the brand from reputational damage

Competitive and economic environment; impact on stakeholder value

18%

Operational risk factors

Enhance likelihood of company success by providing exceptional services

Dependence on strategic partners; management competence; workforce skill and competence

17%

Financial risk factors

Strengthen the probity and accuracy of annual accounts

Susceptibility to fraud; complexity of transactions; recent cash flow trends

6%

Compliance risk factors

Comply with local, domestic and international laws

Extent of regulatory influence on operations; tone at the top by leadership; magnitude of fines or other penalties.

38%

Note: The percentage of companies is based on responses from valid responses of 169 companies in response to “Under which category of risks does your company explicitly categorise integrity or anti-corruption risks, if at all”. Five percent of SOEs report to categories corruption risks in multiple ways, and 3% said they are treated in another way.

Source: Categories adopted from Georgetown University (2017), Impact, Likelihood and Velocity, https://riskmanagement.georgetown.edu/RiskAssessmentMeasures; and OECD 2017 Survey of anti-corruption and integrity in SOEs.

Figure 2.3. Regularity of corruption-related risk assessments in state-owned enterprises
picture

Note: Based on 213 company responses to: “how often does your company generally conduct risk assessments aimed specifically at identifying, analysing and prioritising corruption risks?”

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

Boards should be duly informed about material risks to the company. Table 2.5 shows that boards of participating SOEs are more likely to receive integrity-related findings than are executive management. This is not surprising, but it raises the question as to whether management should be more informed about the risks to the company. As mentioned above, these two groups perceive risks differently from each other and from those who prepare and present the reports or findings.

Table 2.5. To whom are integrity-related recommendations and findings presented?
Of 347 responses to the question “Please select the following integrity-related findings/recommendations/assessments that are brought to the attention of your company’s leadership.”

Type of recommendations, findings or assessments

Percentage of respondents whose companies present such findings to the:

Board

Executive Management

Findings of risk assessments that point to integrity or corruption risks

71

66

Internal audit findings/recommendations

83

71

External audit findings/recommendations

83

66

Recommendations from integrity functions

49

58

Evaluations of internal controls (that may be separate from internal audits)

32

36

Reports or claims of irregular practices or corruption made through reporting channels

59

57

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

SOE boards could use risk assessment results to better insulate the company from the risks identified in this report. Sound risk assessments should underpin internal controls and integrity mechanisms or programmes that are proportionate to risks. They should be used to improve on a continuous basis thereafter.

Some SOEs seek to insulate their companies from identified potential or real corruption risks. Table 2.6 outlines the proportion of SOE and non-SOE companies that have ceased business operations, taken internal remedial action or that have revised business projects in the face of corruption risks. SOEs were less likely to take action than non SOEs in each category.

Table 2.6. Actions taken by state-owned enterprises in face of corruption risks

Action

SOEs

Non SOEs

Respondents said their companies have ceased business operations in a particular jurisdiction because of the integrity or corruption risks involved

12%

39%

Respondents that said their companies have taken internal remedial/disciplinary action following violation of your organisation's integrity or anti-corruption policies.

46%

70%

Respondents said their companies have substantially revised at least one business project because of the corruption and integrity risk(s) involved.

30%

66%

Note: This analysis is done on 261 individual responses – not by company. Broad comparisons made with a survey of non-SOEs where the number of respondents was 57.

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs; OECD (2015), Trust and Business.

Inspiration for risk practices may be drawn from a UK company that has a risk management framework with seven Level 1 Risk Categories, each of which is used by the Board to set its risk appetite (encompassed in the “Risk Appetite Statements”): strategic and business risk, market risk, credit & investment risk, operational risk (including financial crime), information risk, legal & compliance risk and reputational risk. These are cascaded to 27 Level 2 Risk Categories and used to asses and monitor if the company is managing these risks within the risk appetite. This monitoring includes the use of Key Risk Indicators.

Box 2.5 provides example questions that companies may use to self-assess the adequacy of their risk management, as put forth in the OECD, UNODC and World Bank, Anti-Corruption Ethics and Compliance Handbook for Business (2013).

Box 2.5. Key questions for companies to ask about risk assessment
  • Who owns the process, and who are the key stakeholders?

  • How much time will be invested in the process?

  • What type of data should be collected, and how?

  • What internal and external resources are needed?

  • What framework will be used to document, measure, and manage the corruption risk?

Source: OECD, UNODC and the World Bank, Anti-Corruption Ethics and Compliance Handbook for Business (2013), www.oecd.org/corruption/anti-corruption-ethics-and-compliance-handbook-for-business.htm.

Element 4: Standards of conduct and internal controls

The SOE Guidelines (2015b) recommend that boards of SOEs “should develop, implement, monitor and communicate internal controls, ethics and compliance programmes or measures, including those which contribute to preventing fraud and corruption. They should be based on country norms, in conformity with international commitments and apply to the SOE and its subsidiaries.”

Codes and policies

SOEs may be subject to relevant provisions for preventing, detecting and responding to corruption and other irregular practices found in the overarching legal framework. Such requirements are discussed in Chapter 3. SOEs may also be encouraged to adopt soft law instruments or other national or supranational codes that are not formally part of the legal framework. For instance, Codes of Corporate Governance are often applied on a voluntary comply-or-explain basis. While such voluntary codes play an important role in improving corporate governance arrangements, shareholders may be unclear about their status and implementation. Considerations for the state as owner, including to be informed about the existence and implementation of rules and codes, are made in Chapter 3.

Codes of ethics should apply to the SOEs as a whole and to their subsidiaries. They should give clear and detailed guidance as to the expected conduct of all employees and compliance programmes and measures should be established. It is considered good practice for these codes to be developed in a participatory way in order to involve all the employees and stakeholders concerned. These codes should benefit from visible support and commitment by the boards and senior management. SOEs’ compliance with codes of ethics should be periodically monitored by their boards (OECD, 2015b).

The legal framework will determine which codes and rules are voluntary or Codes may be required on the basis of internal control laws. One Latin American company’s Code of Ethics is required by the Ministry of Public Affairs, while the Code of Conduct is required by relevant Banking Law.

SOEs most often aggregate rules in their standards of codes of conduct, ethics, compliance or other. Codes of conduct should be as comprehensive as possible, particularly where they are considered to be the company’s statement on integrity and anti-corruption, as well as integrity-related action plan or programme. In addition, they may cover issues related to human rights and broader corporate social responsibility. Company examples include:

  • A Norwegian company’s policy for Corporate Social Responsibility (CSR), its Integrity Program and its related “Tool Box” are all established on a voluntarily basis, based on COSO. The company has signed the UN Global Compact and reports according to the principles of the Global Reporting Initiative in its annual Sustainability Report.

  • In a Polish SOE, the Code defines the principles to be followed by employees and stakeholders in a comprehensive manner, in particular: transparent HR policy, respect for work and professionalism in carrying out tasks, gifts and invitations, conflicts of interest, environmental performance, fair competition, prevention and the fight against fraud and corruption.

  • An Italian company, in accordance with the principle of “zero tolerance” towards corruption expressed in the Code of Ethics, has had an articulated system of rules and controls to prevent corruption-related crimes since 2009 in accordance with applicable anti-corruption provisions of international conventions (including the United Nations Convention Against Corruption [UNCAC], the Anti-Bribery Convention, the US Foreign Corrupt Practices Act, the UK Bribery Act and Italian Legislative Decree 231/2001).

Internal controls in accordance with state-owned enterprise risk profiles

The SOE Guidelines suggest that boards of SOEs should develop, implement, monitor and communicate internal controls. How the board does so may depend on the level of corporatisation of the company and its functional independence from the state-ownership entity.

International standards hold that effective internal controls should be developed based on results of robust risk assessments. As mentioned above, explicitly treating corruption risks in risk assessments enables SOEs to have a more realistic risk profile and to address them with measured controls.

The one-third of SOE respondents who reported that ineffective internal controls and risk management is at least “somewhat of an obstacle” to integrity in their company, were more likely to see corruption in their company in the last three years compared to those that do not see controls as ineffective (52% versus 35% respectively).

Controls can be improved. SOEs should align, to the extent possible, its practices with listed companies. Regardless of whether aligned with public or private sector, controls could include, amongst others:

  • Accurate books and records that document all financial transactions (Partnering Against Corruption: Principles for Countering Bribery, 2004);

  • Prohibition of off the books accounts and transactions, non-existent expenditure, entry of liabilities with incorrect identification of objects, use of false documents, the deliberate destruction of books or house documents earlier than foreseen by law (OECD Anti-Bribery Convention, 1997; UNCAC, 2003);4

  • Financial and organisational checks and balances over the enterprises’ accounting and record-keeping practices and other business processes (Transparency International et al. Business Principles for Countering Bribery, 2013);

  • Vetting current and future employees with any decision-making authority or in a position to influence business results (World Bank Group’s Integrity Compliance Guidelines, 2010);

  • Transparent and multi-step approval and certification processes, including that of decision-making processes, that are appropriate for the value of the transaction and perceived risk of misconduct (World Bank Group’s Integrity Compliance Guidelines, 2010);

  • Appropriate contractual obligations for business partners and third parties (World Bank Group’s Integrity Compliance Guidelines, 2010). Third party and vendor management that is in line with the SOEs’ own integrity and anti-corruption policies (discussed below).

Controls should be supported by the human resources department. One control measure proposed in international guidance is to restrict arrangements with former public officials regarding employment or remunerative arrangements. SOEs’ involvement with public officials is more complicated, as many SOE board members or executive management members are themselves considered public officials. The need for merit-based and transparent board nominations procedures are discussed in Chapter 3.

Good practice for listed companies is for internal controls systems to be subject to regular, independent internal and external audits to provide objective assurance and determine the adequacy of controls. The SOE Guidelines also recommend that internal auditors are independent, to ensure an efficient and robust disclosure process and proper internal controls in the broad sense. The data shows that in SOEs with a lack of effectiveness in internal control, there are also greater challenges with effectiveness of internal audit. Improvements to controls and internal audit should thus go hand in hand. Internal audit is discussed further below.

Specific corruption risk areas should be embedded in a company’s codes (of ethics, compliance or conduct) and addressed by associated internal controls. Commonly agreed standards hold that companies should target specifically: bribery, including facilitation payments, conflicts of interest, solicitation and extortion, and special types of expenditures (including gifts, hospitality, travel and entertainment, political contributions, and charitable contributions and sponsorships).

The findings in Chapter 1 on key corruption risks specific to SOEs emphasise the need for SOEs to have additional policies in relation to integrity in public procurement, favouritism (nepotism, cronyism and patronage) and interference in decision-making. SOEs have rules in place for some key high-risk areas, but not all. Respondents report that their SOEs have an average of four out of seven key rules in place, and fewer than ten companies had all of the below in place:

  • Eight-three percent have rules for conflict of interest.

  • Sixty-six percent have rules for public procurement (as procurer of goods and services).

  • Sixty percent have rules for charitable contributions and sponsorships.

  • Fifty-four percent have rules for asset/income disclosure.

  • Forty-nine percent have rules for public procurement (as bidder).

  • Forty-two percent have rules for political party financing or engagement. One company commented that political contributions are simply out of the question and that there was no need to have rules.

  • Twenty-three percent have rules for lobbying. One company’s rules regarding lobbying are included in the civil service code, applicable to the SOE.

  • SOEs report additional rules relating to anti-money laundering and counter-terrorist financing, travel and gifts, public official meeting registration, election period rules and community relationships, policies and manuals for Politically Exposed Persons (PEPs),5 related party transactions, anti-fraud and anti-market abuse policy.

Existing codes, rules and controls should be based on international norms and, to the extent possible, be consistent across countries in order for constructive comparisons and consistent audits to be made across SOEs within a country. The international norms most commonly referred to by SOEs participating in this study include: those of the OECD; the Institute of Internal Auditors (IIA), COSO, ISO (particularly ISO 37001); the UK Bribery Act, the Foreign Corrupt Practices Act (FCPA); the Global Compact Programme, and; the United Nations’ Convention Against Corruption, Guiding Principles on Business and Human Rights, Convention on the Rights of the Child and the Convention on the Elimination of all Forms of Discrimination against Women and the Principles for Responsible Investment. Some SOEs draw motivation from international comparisons such as Ethisphere's "World's Most Ethical Companies".6

Box 2.6. Monitoring implementation of compliance programmes: A compliance assessment checklist

The Anti-Corruption Ethics and Compliance Handbook for Business explains how one UK-based international company uses self-assessment as one way to monitor compliance. When the self-assessment tool is applied to the area of conflicts of interest, the unit head seeks to affirm the following:

I understand the issues surrounding actual, perceived or potential conflicts of interest and I confirm that a process has been implemented within my business unit/division to ensure that situations that might give rise to a conflict of interest are disclosed to the company and managed appropriately by an independent person e.g. staff within the human resources or local compliance officer or legal function.

a. My staff are aware that they must disclose to their department head, the human resources, local compliance officer or legal departments if they own, serve on the board of, or have a substantial interest in, a [company] competitor, supplier or contractor; have a significant personal interest or potential gain in any [company] business transaction; hire or supervise a relative who works for [company], or has the opportunity to place company business with a firm owned or controlled by an [company] employee or his or her family.

b. My staff are aware that taking outside employment or freelancing, accepting gifts/entertainment from suppliers, honoraria or other payments from third parties may give rise to an actual, perceived or potential conflict of interest and that if they are in any doubt they must disclose the circumstances to their department head.

c. Management within my business unit have been given appropriate guidance on conflicts of interest and are aware of the issues that must be reported to the local compliance officer or human resources department.

Source: OECD, United Nations Office on Drugs and Crime (UNODC) and the World Bank, Anti-Corruption Ethics and Compliance Handbook for Business (2013), www.oecd.org/corruption/anti-corruption-ethics-and-compliance-handbook-for-business.htm.

Evidence shows that SOEs must go beyond establishing codes, rules and controls to focus also on their effective dissemination, implementation and enforcement. Almost half of SOE respondents identified a “lack of awareness of legal requirements” as at least “somewhat an obstacle” to integrity. Indeed, a high proportion of respondents within the same company – at the highest echelons of the SOE - could not agree on which rules were in place. In addition, the vast majority of SOEs in the survey have conflict of interest rules (83%), yet the risk of nondeclaration is ranked as one of the highest corruption-related risks for companies in terms of the likelihood of occurrence. Box 2.6 provides questions that SOEs may use to assess the effectiveness of their controls. Mechanisms for detection and response are covered in more detail below.

Element 5: Third party management and due diligence

Like private companies, SOEs must “manage” relationships with third parties – taken broadly to refer to those individuals or companies external to the SOE ranging from vendors or suppliers to civil society organisations – in a way that protects the integrity and reputation of the SOE. The SOE Guidelines (OECD, 2015b) stipulate that:

  • When SOEs engage in co-operative projects such as joint ventures and public-private partnerships, the contracting party should ensure that contractual rights are upheld and that disputes are addressed in a timely and objective manner.

  • When SOEs engage in co-operative projects with private partners, care should be taken to uphold the contractual rights of all parties and to ensure effective redress and/or dispute resolution mechanisms. Relevant other OECD recommendations should be observed, in particular the OECD Principles for Public Governance of Public-Private Partnerships as well as, in the relevant sectors, the OECD Principles for Private Sector Participation in Infrastructure.

  • Listed or large SOEs should report on stakeholder relations, including where relevant and feasible with regard to labour, creditors and affected communities.

Other international guidance suggests that third-party management includes the application of anti-corruption measures or programmes to the enterprise’s partners and due diligence in the selection and maintenance of business interaction. The G20 High-Level Principles on Private Sector Transparency and Integrity call for businesses to conduct appropriate due diligence and to ensure that subsidiaries, including affiliates over whom they have effective control, have internal controls and ethics and compliance measures commensurate with the risks they face. Transparency International’s “10 Anti-Corruption Principles for State-Owned Enterprises” calls for SOEs to “manage relationships with third parties to ensure they perform to an anti-corruption standard equivalent to that of the SOE” (TI, 2017).

The following list of tools used to manage third parties are synthesised from the practices of SOEs participating in the study. SOEs may wish to review them for the comprehensiveness of their own company approach:

  • Pre-screening and ex ante risk assessment of third parties and proposals:

    • seeking out fair trade partners when possible, as is done by a company in Poland

    • screening, audits or risk assessments of third parties, as is done in a Norwegian company:

      • analysis of legal, financial and corporate background of contractors

      • cross-checking owners, directors and representatives, and comparing them and affiliates in anti-money laundering and anti-terrorist financing, or bribery, databases

      • sending a questionnaire to new supplier candidates

      • “Know Your Customer” software used in Finnish companies for procurement processes

      • using open sources and dedicated IT tools managed by the security unit, as well due diligence carried out by other business units for specific activities at risk

  • risk assessment of proposals

  • system support and coordination of risk maps between different functions as is done in Sweden

  • independent professional advice may be secured on an as required basis, as is done in New Zealand.

  • “Integrity agreements”, integrity pacts,7 or integrity or anti-corruption clauses built into contracts. Agreement templates contain anti-bribery and corruption provisions in Finland. In Italy, anti-corruption addendums are added to the contracts that third parties have to accept and sign.

  • Code of Conduct attached to supplier agreements or as part of employees' working contracts.

  • Using certifying business coalitions or collective engagement with governments or others (including civil society), as is done in Latvia and Mexico. Collective action through informal compliance roundtables with representatives of external companies. Regular contact with public authorities, in trade compliance matters as is done in Sweden.

  • Compliance and ethics training and discussions to selected important third parties to clearly explain the company’s expectations on ethics and compliance, integrity and anti-corruption.

  • Setting related controls for approvals and payments, including checks and balances, procedures to approve contracts and payments to suppliers based on a system of multiple authorisers and matrix of agents based on double signature; authority limits and delegations rules; establishing thresholds for large procurements, as is done in Latvia, for instance.

  • Systematic review:

    • SOE in Israel: annual review of engagements with third parties

    • SOE in Korea: ex post risk assessment in high-risk sectors such as large development projects covering more than a designated scale

    • Some SOEs in Norway: audits and unannounced inspections; nightly screening of all suppliers and customers

    • SOE inthe United Kingdom: Audit and Risk Committee Review all procurement where there has been a single tender process

Additional controls that companies consider useful for managing third parties include (i) establishment of policies on gifts, bribery, anti-money laundering and the like, discussed above, and (ii) confidential advice and whistleblowing channels, and effective internal audit, that are discussed below.

While participating companies exhibit a range of controls and procedures designed to manage risks of external engagement, there is room for strengthening company approaches in view of the challenges discussed in Chapter 1. Only 39% of companies require the integrity function (usually housed in internal audit or legal departments) to conduct due diligence for third parties.

Exceptions to an otherwise systematic approach to due diligence should be based on sound risk assessments for the project or engagement in question. Some practices and approaches are not systematically applied within companies, while others adopt ongoing monitoring of third and counterparties, regardless of the status and longevity of engagement. One European SOE conducts ex ante assessment of third parties only if the other company is unknown to the SOE. Another European company supplements memoranda for fair and open cooperation for only certain contracts.

The UNCAC calls for state parties to “consider corruption a relevant factor in legal proceedings to annul or rescind a contract, withdraw a concession or other similar instrument or take any other remedial action (34)” (UNCAC, 2003). SOEs too should be encouraged to consider such actions in face of corruption. Yet, SOEs appear less willing or able to sever business relations with partners than do private sector companies (Table  2.7). It could be hypothesised that SOEs are less exposed to potentially corrupt partners than private companies, but this is unlikely. The OECD’s Foreign Bribery Report showed that the highest proportion and highest amount of foreign bribes were offered, promised or given to SOE officials over other public officials. Further, an IMF study showed that the majority of respondents’ attributed corruption in the real sector to the SOE sector (IMF, 2017).

Table 2.7. Severing business relations in face of corruption risks: SOEs versus non-SOEs

Action

SOEs

Non-SOEs

Respondents that said their companies severed a relationship with at least one business partner (e.g. supplier, service provider) because of the risk of exposure to or engaging in corruption.

32%

66%

Note: The SOE data is based on 261 individual responses. The non-SOE data is based on 57 private sector respondents.

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs; OECD (2016), Trust and Business.

Box 2.7. State-owned enterprises and public procurement: rules and regulations

As indicated in Chapter 1, public procurement and contract violations are amongst the top risks for SOEs. Accordingly, public procurement is treated explicitly in the SOE Guidelines: When SOEs engage in public procurement, whether as bidder or procurer, the procedures involved should be competitive, non-discriminatory and be safeguarded by appropriate standards of transparency ( III. G.).

Countries concerned about the participation of SOEs in public procurement processes and in levelling the playing field have increasingly sought to ensure that regulations do not favour any category of bidder. Yet it differs by country whether or not these rules apply to SOEs in a similar manner to other government entities, as does the degree of implementation. Where SOEs fulfil a governmental purpose (have mixed objectives), or to the extent that a particular activity allows an SOE to fulfil such a purpose, the SOE should adopt government procurement guidelines that ensure a level playing field for all competitors (OECD, 2015).

  • Eighty-six percent of respondents whose companies have specific rules for engaging in public procurement as a bidder (i.e. to act as the supplier of goods and services to other parts of the public sector) report to be subject to competitive bidding on an equal footing with other firms. However, respondents pointed most commonly to collusion and bid rigging as risks their companies face in engaging in public procurement.

  • Similarly, 94% of respondents whose companies have specific rules for engaging in procurement as procurer (to procure goods and services) report being subject to government procurement rules. A few respondents reported being subject to additional rules specific to the SOE or to the sector of operation (e.g. energy).

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs; OECD (2015b), OECD Guidelines on Corporate Governance of State-Owned Enterprises, 2015 Edition, OECD Publishing, Paris. http://dx.doi.org/10.1787/9789264244160-en.

As demonstrated by aforementioned company practices, third-party or counterparty management is applied commonly when companies engage in public procurement or other contracting. Box 2.7 details which laws are in place to support competitive neutrality and integrity and efficiency when SOEs engage in public procurement. SOEs may also derive use from the list of “integrity tools” for procurement, provided in Box 2.8. While the tools are directed at public sector entities responsible for the public procurement process, SOEs too could apply them to their own contracting processes.

Box 2.8 provides a checklist of public sector integrity tools applied to the public procurement cycle that can be employed in pursuit of the 2015 OECD Recommendation of the Council on Public Procurement.

Box 2.8. A checklist: public sector integrity tools tailored to public procurement

B.1 Adherents [to the 2015 OECD Recommendation of the Council on Public Procurement] should develop and implement risk assessment and management strategies and tools to safeguard integrity in the different stages of the procurement process. Those strategies and tools can include:

  • needs assessments to ensure that the procurement project is needed in the first place (and not improperly influenced)

  • risk maps to identify the positions, activities, and projects which are vulnerable, assessing probability and potential impact of risks of fraud and corruption

  • red flags, standardised warning signs that stretch over the whole procurement cycle and assist in the detection of wrongdoing

  • integrity plans (that facilitate the development of mitigation strategies)

  • whistleblower programmes (that can mitigate risk-management pitfalls).

B.2 Adherents should develop and implement mechanisms to prevent for misconduct in public procurement. Those mechanisms could be the following:

  • mechanisms that ensure the independent responsibility of at least two persons in the decision-making and control process -- the four-eye principle (double signatures, crosschecking, separation of duties and authorisation, etc.)

  • systems of multiple-level review and approval of procurement process stages (reviews by independent senior officials independent of the procurement and project officials or by a specific contract review committee process)

  • the rotation of officials, involving new responsibilities, as a safeguard for positions that involve long-term commercial connections for instance

  • electronic systems for avoiding direct contact between officials and potential suppliers and for standardising processes

  • adequate security control measures for handling of information (unique user identity codes, well-defined levels of computer access rights and procurement authority, encryption of confidential data)

  • standardisation of bidding documents and procurement documentation,

  • strong internal control and risk management mechanisms

  • direct social controls on government activities through the introduction of social witnesses and social observers (who should ideally be trained in public procurement)

  • other mechanisms such as the two-envelope approach and integrity monitors.

B.3 Adherents should develop and implement mechanisms for the detection and sanctioning of misconduct in public procurement. Those mechanisms could be the following:

  • the systematic recording and tracking of key decisions (e.g. through electronic systems)

  • red flags or other systems that provide warnings of irregularities and potential corruption

  • exchange of information between officials in charge of control and investigation such as public procurers, internal controllers, auditors and competition authorities (e.g. specific joint training, expert assistance to gather evidence of corruption and collusion in public procurement, joint investigations, exchange of staff), and/or

  • specific sanctions for misconduct in public procurement

  • transparency of information to allow for “social control” of procurement activities.

Source: OECD (2016a), Checklist for Supporting the Implementation of the OECD Recommendation of the Council on Public Procurement, www.oecd.org/governance/procurement/toolbox/search/checklist-implementation-oecd-recommendation.pdf.

Element 6: Education and training on anti-corruption and integrity

Disseminating a culture of integrity is a cornerstone of an effective anti-corruption and integrity effort that encourages “doing the right thing”. It helps the company to avoid waste on programmes and controls that are not understood and employed.

Companies in the survey allocate approximately 1.5% of operational budget to promoting integrity and mitigating corruption. Forty-five percent of respondents see this allocation of operational budget to fighting corruption and promoting integrity as an investment, with 25% seeing it as a cost, and the remainder with no or another view. Board members and those in charge of compliance, risk, legal or other saw it as more of an investment than did executive management, but not by a large margin. There is room for improvement in disseminating a tone from the top through executive management and through to all employees of the business benefits and growth and investment opportunities of a good reputation.

Fifty-seven percent of SOE respondents report that their companies provide training for all employees, board members and executive management, yet findings of Chapter 1 point to their ineffectiveness. SOE respondents pointed to both a lack of awareness and priority on integrity, and to perverse incentives that could detract SOE officials from “doing the right thing”.

One of the greatest challenges to integrity in the participating companies was a lack of awareness of related requirements. Companies can increase the value-for-money of their investments in integrity by ensuring that trainings are effective in remedying some of the issues raised in this report. A PwC (2016) survey showed that while 82% of companies reported having an ethics and compliance programme in place, one in five respondents were not aware of it and many were confused about who owns it internally.

Box 2.9. Sample compliance assessment checklist: testing employee awareness, and effectiveness of training and communication

The Anti-Corruption Ethics and Compliance Handbook for Business explains how one UK-based international company uses self-assessment as one way to monitor compliance. When the self-assessment tool is applied testing employee awareness and effectiveness of training and communication, the unit head seeks to affirm the following:

My staff are aware of and understand the group AB&C policy, Code of Conduct and processes regarding gifts, hospitality and entertainment and have completed any required compliance training:

  1. My staff are aware of the identity of their Local Compliance Officer, Divisional Compliance Officer (if different) and the Group Compliance Officer and when and how to contact them for advice or guidance.

  2. My staff are aware of and understand [company]'s policy on facilitation payments and their duty to report such immediately to the Legal Department.

  3. My staff are aware of and understand their duty to report promptly any concerns they may have whether relating to their own actions or the actions of others and how and when to use the group gifts and entertainment register and "whistleblowing" facility.

  4. My staff are aware that there must be no retaliation against good faith "whistleblowers".

Source: OECD, United Nations Office on Drugs and Crime (UNODC) and the World Bank, Anti-Corruption Ethics and Compliance Handbook for Business (2013), www.oecd.org/corruption/anti-corruption-ethics-and-compliance-handbook-for-business.htm.

A focus on improving the effectiveness of education and training would be beneficial. The findings that such programmes are treated as a check-the-box exercises, without being taken seriously, present an opportunity to consider new approaches. Company examples could be used to draw inspiration on innovative ways to promote and cultivate a culture of integrity:

  • A Korean SOE asks all employees including board members and senior management to take a vow of integrity.

  • An Italian SOE invests in continuous training programmes in Italy and abroad that provide guidance on how to recognise and manage red flags.

  • Another Italian company directly provides induction to top management and employees of the company, dedicated internal communications (e.g. newsletters and other), best practice sharing through dissemination of corporate governance tools and guidelines. They are committed to the achievement of compliance certifications (such as ISO 37001) .

  • A German company does a “tone from the middle” survey every two years to assess perceptions at lower levels of the entity.

  • An SOE in Costa Rica uses annual ethics tests of employees to assess their understanding of ethics requirements and to inform improvements in related mechanisms.

Box 2.9 provides a sample compliance assessment checklist to test employee awareness, and effectiveness of training and communication, as provided in the Anti-Corruption Ethics and Compliance Handbook for Business (2013), of the OECD, UNODC and World Bank.

Element 7: Disclosure, monitoring and auditing

The SOE Guidelines (2015b) require state-owned enterprises to “observe high standards of transparency and be subject to the same high quality accounting, disclosure, compliance and auditing standards as listed companies”.

Disclosure

As a baseline, all SOEs should disclose material financial and non-financial information on the enterprise, including areas of significant concern for the state as an owner and the general public. Large and listed SOEs should disclose according to high quality internationally recognised standards.

An SOEs’ disclosure should be dictated by a clear disclosure policy developed by the ownership entity. It should identify what information should be publicly disclosed, the appropriate channels for disclosure and the mechanisms for ensuring quality of information. The practice of embedding anti-corruption and integrity considerations into the state’s disclosure policy is discussed in Chapter 3.

Table 2.8. Level of state-owned enterprise disclosure

Information to be disclosed

Percentage of respondents whose companies disclose each

1. A clear statement to the public of enterprise objectives and their fulfilment (for fully-owned SOEs this would include any mandate elaborated by the state ownership entity);

78%

2. Enterprise financial and operating results, including where relevant the costs and funding arrangements pertaining to public policy objectives;

96%

3. The governance, ownership and voting structure of the enterprise, including the content of any corporate governance code or policy and implementation processes;

81%

4. The remuneration of board members and key executives;

72%

5. Board member qualifications, selection process, including board diversity policies, roles on other company boards and whether they are considered as independent by the SOE board;

52%

6. Any material foreseeable risk factors and measures taken to manage such risks;

34%

7. Any financial assistance, including guarantees, received from the state and commitments made on behalf of the SOE, including contractual commitments and liabilities arising from public-private partnerships;

40%

8. Any material transactions with the state and other related entities;

43%

Note: The elements for disclosure are taken from the SOE Guidelines as examples of what could be disclosed, depending on the size and capacity of the SOE. Based on individual responses of 346 SOE respondents, from across 212 companies in 34 countries.

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

Table 2.8 provides an overview of the degree to which participating SOEs disclose recommended financial and non-financial information. Thirty-four percent of SOEs disclose material foreseeable risk factors and measures taken to manage such risks, recalling that one in ten companies do not explicitly treat corruption risks as part of risk assessments. Red flags may be falling between the cracks.

Almost half of participating SOEs report on their anti-corruption and integrity efforts and policies in the annual report (44%). Fifteen percent of respondents’ companies only report through internal documents and one percent does not report at all (Figure 2.4).

Figure 2.4. Channels for reporting on company integrity policies or anti-corruption efforts
picture

Note: Based on 347 individual responses about their company, to “How, if at all, is information reported on your company’s integrity policies or anti-corruption efforts?”

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

Internal audit

Internal audit is an independent and objective assurance activity evaluating the effectiveness of a company’s risk management, control and governance. It is important to the achievement of a company’s objectives and supportive of integrity in the company. Moreover, internal audit can further support anti-corruption and integrity efforts in a company by making it a specific audit topic – for instance, assessing the effectiveness of specific controls related to bribery, or, for instance, the effectiveness of an anti-corruption programme’s implementation.

Ninety-two percent of participating SOEs report having an internal audit function, and 84% assign it as at least one of the units or departments with significant responsibility for integrity. Yet, 25% found its ineffectiveness poses obstacles to their company’s integrity. This sub-section considers why.

Sixty four percent of SOEs in the sample are required by law to establish internal audit - the majority of which were required to do so in line with other government departments or agencies. Eighteen percent of all companies are aligned with listed company requirements and 7% with privately incorporated companies (Figure 2.5). One quarter of the sample report that internal audit was established voluntarily, not mandatorily. Finally, 4% (eight companies of an eligible 180) do not have internal audit.

Figure 2.5. Requirements for internal audit in state-owned enterprises
picture

Note: Based on aggregated and comparable responses of 180 SOEs to the question “please best describe your company’s internal audit unit/function”.

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

Figure 2.6 compares the incidence of corruption within companies with the more commonly applied internal audit functions. The findings show that respondents in companies that have internal audit requirements in line with listed companies were more likely to see corruption (57%), compared to those in line with government departments or agencies (40%) and those which voluntarily established internal audit without a requirement (25%). It may be recalled that 42% of respondents report to have witnessed corruption or other irregular practices materialise in the last three years in their company.

Figure 2.6. Witnesses to corruption in companies with different internal audit requirements
picture

Note: Based on 230 individual responses that fell into the three categories of each question: “Please best describe your company’s internal audit unit/function” and “in your assessment, did any of the [listed] risks materialise into activities/actions in the last three years in (or involving) your company?”

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

The 25% of SOE respondents rated “ineffective internal audit” as at least “somewhat of an obstacle to integrity” in their company were more likely to be:

  • board members or executive management, as opposed to those in charge of compliance, internal audit, or risk;

  • in companies where internal audit is “required in line with government departments/agencies”;

  • in companies operating with SOE-specific law and with mixed objectives (commercial with public policy).

Of those who rated “ineffective internal audit” as at least “somewhat of an obstacle to integrity”, 44% had witnessed corrupt or other irregular practices in their company in the last three years – slightly higher than the average of all respondents (42%).

On average, companies’ internal audit departments undertake two of the three following audits: financial, compliance and performance (or operational). Most often, companies conduct compliance audits (88% of respondents’ companies), financial audits (82%) followed by performance audits (71%). Performance audits are usually targeted at efficiency, effectiveness and economy of company processes, and may include, for instance, assessments of quality management systems and of information protection and security. IT audits are also common.

A survey on internal auditors’ perceptions – the Institute of Internal Auditors’ Global Internal Audit Common Body of Knowledge Stakeholder Survey (2015) – suggests that the more tools they have at their disposal for the execution of their duties, the more value added. While it is good practice for SOEs’ annual financial statements to be subject to an independent external audit based on high-quality standards (OECD, 2015b: VI.B), SOEs may also wish to systematise performance auditing that looks at the efficiency and effectiveness of integrity mechanisms in the context of broader corporate governance.

Internal audit, and any audit committee, plays an important oversight role in achievement of objectives. Yet internal audit is not synonymous with monitoring or investing in corruption detection. Internal audit units or departments should not be used as a crutch or replacement for the role of the board in monitoring overall performance of the company. The board also has a responsibility in monitoring the performance of the SOE, the achievement of its goals, and the management of risks – corruption and other – that may detract from such achievement. The board however, may rely on internal audits to inform its monitoring process.

External audit

In conjunction with the SOE Guidelines’ recommendation for internal audit, SOEs’ financial statements should be subject to an independent external audit based on high-quality standards. Twenty-four percent of SOE respondents saw “ineffective external audit” as at least “somewhat an obstacle” to effectively promoting integrity and preventing corruption in, or involving, their companies.

Specific state control procedures should not substitute for an independent external audit (OECD, 2015b). In many countries, the SAI provides oversight, insight and foresight on governance within and across SOEs, as well as of the governance arrangements between SOEs and the state ownership entity. The SAI should not attempt to duplicate such financial audits but should rather focus the audits on the performance and efficiency of SOEs, directing recommendations to the state ownership entity. Examples include:

  • a grading of management control environments and financial systems and controls for SOEs, by New Zealand’s Office of the Auditor General

  • the National Audit Office of the UK’s value-for-money audit on the existence and structure of SOEs

  • audit of the sustainability of SOEs by Portugal’s Tribunal de Contas.

In many countries, notably in Latin America, SOEs are not fully corporatised, or are operated in close proximity to the public administration and are thus often subject to more direct state financial control. The relationship between state auditors and SOEs depends in large part on the institutional arrangements for state ownership and the degree of corporatisation of the SOE sector.  

Some SAIs may have a broader role than in performance audits of individual or a group of SOEs. In Italy some cases8 defined by Law No. 259/1958, a representative from Italy’s SAI - the “Corte dei Conti” - will take part in the meetings of the board of statutory auditors on the board of directors. In Chile, the Contraloria Generale de la Republica undertakes ex ante approval of particular contracts over the threshold amount for the public administration.

Effective monitoring by the board

The board is responsible for monitoring management. Performance monitoring should integrate board expectations for responsible business conduct – an important component of which is anti-corruption and integrity (OECD, 2015b: VI). Section 2.2.3 showed that boards are more informed than executive management on most audit findings and integrity-related assessments.

Boards must be well informed in order to adequately monitor the performance of management, including with respect to integrity and anti-corruption. Boards, to a certain degree rely on the determination of management as to what is materially significant and thus should be shared with the board.

The presence of specific audit, risk or compliance committees may facilitate more regular discussion on the topics. The presence of specialised board committees is associated with fewer reported instances of corrupt or other irregular practices in a company.

The findings in this report may also motivate the board to integrate anti-corruption and integrity performance into board assessments of management. With regards to anti-corruption mechanisms or programmes, boards should have appropriate assurance of the performance of integrity mechanisms and related controls. In 86% of companies, the department assigned significant responsibility for integrity is also responsible for overseeing implementation of internal guidelines or codes.

Key findings that may be useful for monitoring are not always shared with boards (see Table 2.9). A broader range of integrity related outputs are shared with them than with executive management, except in two areas: recommendations from integrity functions and evaluations of internal controls (that may be separate from internal audits). It is possible that boards are missing the complete picture. Indeed, the findings in Chapter 1 demonstrated that board members and executive management have different perspectives on corruption risk in the company, and that these are not aligned with the real incidence of corruption.

Table 2.9. Which assessments and audit findings are presented to state-owned enterprise leadership?

List of recommendations/ findings

% of respondents whose companies present such findings to the:

Board

Executive Management

Findings of risk assessments that point to integrity or corruption risks

71

66

Internal audit findings/recommendations

83

71

External audit findings/recommendations

83

66

Recommendations from integrity functions

49

58

Evaluations of internal controls (that may be separate from internal audits)

32

36

Reports or claims of irregular practices or corruption made through reporting channels

59

57

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

There is scope for integrating anti-corruption efforts into company targets and performance appraisal, with associated indicators for measurement. For instance, one Korean SOE has linked integrity into its long-term strategies and goals. The company is meant to (i) constitute the “highest degree” integrity culture, (ii) strengthen control and prevention of corruption, and (iii) establish human rights management. The company has established associated indicators that are internally and externally verified to track their success:

  • the external assessment includes evaluations of: (a) integrity, (b) corruption-prevention policies, and (c) of the Korea Business Ethic Index: Sustainable management (KoBEX-SM)

  • the internal assessment includes evaluations of (a) integrity, (b) risk assessment of executive members, and (c) the ethical management index, and a “red-face test”.

Box 2.10 highlights suggested elements of a checklist, prepared by Transparency International UK (2012), for monitoring and evaluation of anti-bribery programmes, that may be applicable and informative for other integrity-related mechanisms and programmes that go beyond the scope of bribery.

Box 2.10. Transparency International UK’s checklist: Monitoring and review of anti-bribery programmes
  • Continuing and/or discrete evaluations are performed supporting the continuous improvement of the programme.

  • The company use key performance indicators to encourage and measure progress in improvement of the programme and its implementation. Discussions are held with stakeholders especially suppliers and contractors to obtain their views on the programme

  • The company benchmarks its programme internally between business units The company benchmarks its programme externally

  • There is a procedure for ensuring that there is an adequate audit trail to support all recorded transactions.

  • There is a procedure to discuss the results of internal audits of the Programme with relevant operational personnel.

  • There is a procedure to address weaknesses identified through internal audits with a documented corrective action plan and a timetable for action.

  • External consultants are used to monitor and advise on the programme.

  • The company participates in anti-corruption initiatives and business sector groups to learn best practices to improve its programme.

  • Self-evaluations are carried out and the results applied to improve the programme.

  • There is a procedure to ensure that the internal control systems, in particular the accounting and record keeping practices, are subject to regular internal audits to provide assurance that they are effective in countering bribery.

  • There is a procedure for senior management to monitor the programme and periodically review its suitability, adequacy and effectiveness and implement improvements as appropriate.

  • There is there a procedure for senior management to periodically report the results of programme reviews to the audit committee, governance committee, board or equivalent body.

  • There is a procedure for prompt reporting of any issues or concerns to senior management and the board.

  • There is a procedure for the audit committee, governance committee, the board or equivalent body to make an independent assessment of the adequacy of the Programme.

  • There is a procedure for the audit committee, to report regularly to the board on its independent assessment of the adequacy of the programme.

  • There is a procedure to use the experience from incidents to improve the programme.

  • The company has a procedure for self-reporting bribery incidents as appropriate to the authorities.

  • The board or equivalent body has considered whether to commission external verification or assurance of the programme.

  • An external verification or assurance has been conducted.

  • The verification or assurance opinion has been published publicly.

  • The company publishes publicly a description of the scope and frequency of feedback mechanisms and other internal processes supporting the continuous improvement of the programme.

  • The company publishes publicly a description of the company’s procedure for investigation and resolution of incidents.

  • The company publishes publicly details of public legal cases of bribery involving the company.

Source: Wilkinson, Peter, and Transparency International UK (2012), The 2010 UK Bribery Act, Adequate Procedures Checklist, Guidance on good practice procedures for corporate anti-bribery programmes, Transparency International UK, 2010, London, www.transparency.org.uk/wp-content/plugins/download-attachments/includes/download.php?id=986.

Element 8: Detection, advice and complaint channels

Detection

Detection makes use of the mechanisms discussed above, including internal audit, external audit, internal controls and complaints channels. International studies on corruption and fraud, corporate misconduct or other irregular practices in the public and private sectors, consistently show internal audit and reporting channels as the most effective means of detection (Table 2.10). This holds for detection of general irregular practices as well as with specific forms of it including foreign bribery and fraud.

Table 2.10. What are the most effective detection and assurance mechanisms?

Category

General

Specific to foreign bribery

Specific to fraud

Effectiveness of business ethics and compliance programmes

Report

Control Risks’ International Business Attitudes to Compliance (2017)

OECD’s Detection of Foreign Bribery (2017)

The Association of Certified Fraud Examiners’ 2017 Global Fraud Survey

PwC’s Global Economic Crime Survey (2016)

Findings

Anonymous whistleblower line or reporting mechanism (64%),

A known person or team within the organisation responsible for responding (59%),

Anti-corruption compliance audits (41%),

Data analytics to monitor transactions in real time (34%),

Post-acquisition assessments (20%)

Surprise fraud audits (18%) (Control Risks, 2017)

22% of foreign bribery cases were brought to the attention of law enforcement authorities through companies’ self-reporting.

These self-reporting entities became aware of foreign bribery in their business operations predominantly through internal audit (22%), internal controls/investigations (7%), mergers and acquisitions due diligence (7%) and whistleblowing (5%).

Tips (predominantly through telephone but also through email and through online or web-based forms) (39.1%),

Internal audit (16.5%)

Management review (13.4%)

76% internal audit,

54% management reporting,

42% monitoring whistleblowing hotline reports,

40% external audit,

6% other internal monitoring,

2% other external monitoring,

4% other

Note: The table does not allow for comparisons between studies, as they use different methodologies, but is instructive in demonstrating how internal audit features across studies.

Source: ACFE (2017), Report to the Nations on Occupational Fraud and Abuse, Global Fraud Survey, www.acfe.com/rttn2016/docs/2016-report-to-the-nations.pdf; Control Risks (2017), International Business Attitudes to Compliance, Report 2017, https://www.controlrisks.com/our-thinking/insights/reports/international-business-attitudes-to-compliance; OECD (2017b), The Detection of Foreign Bribery, www.oecd.org/corruption/the-detection-of-foreign-bribery.htm; OECD (2014), Foreign Bribery Report, http://dx.doi.org/10.1787/9789264226616-en; PwC (2016), Adjusting the Lens on Economic Crime, Global Economic Crime Survey, www.pwc.com/gx/en/economic-crime-survey/pdf/GlobalEconomicCrimeSurvey2016.pdf

Respondents that reported ineffective detection mechanisms (internal audit, whistleblowing, controls and external audit) reported in greater numbers to have witnessed corruption in their company in the last three years. Interestingly, their perception of the effectiveness of detection mechanisms did not change the overall perception of risk likelihood. This confirms that companies with weak detection do not rate present risks in line with perceptions that risks actually occurred in the past.

Forty-three percent of SOE respondents feel that their company’s integrity is at least somewhat challenged by the general perception that the likelihood of being caught for misconduct is low. These companies, in which there is a perception that the likelihood of being caught is low, were more likely to report seeing corruption.

Confidential complaint and advice channels

In pursuit of the SOE Guidelines, ownership entities should ensure that SOEs are responsible for effectively establishing safe-harbours for complaints for employees, either personally or through their representative bodies, or for others outside the SOE. SOE boards could grant employees or their representatives a confidential direct access to someone independent on the board, or to an ombudsman within the enterprise (OECD, 2015b: V.C).

Such channels should be in place for those who wish to report violations of integrity policies or of corruption and other irregular practices, as well as for those who wish to not commit violations and who seek advice. This could include of those who are under pressure to violate rules from superiors (World Bank Group, 2010). Advice and complaint channels should provide a systematic mechanism to assess effectiveness of integrity mechanisms and to manage red flags in particular projects, or business areas.

The following reporting practices emerge from the companies of the 347 respondents:

  • Most complaints channels are formalised as a whistleblower mechanism, with 60% of respondents reporting this to be the case. Almost half have online internal and external sites, and just less than half have another in-person option for lodging complaints to report suspected instances of corruption or irregular practices involving the company.

  • On average, claims channels are usually open to, or claims are sent to, two individuals or positions within a company: most commonly to those in charge of legal, compliance, risk or audit. Thirty-eight respondent companies channel the information to the CEO or President, and 33% to a member of the board. Companies report that employees and officials are offered the choice of who to go to and how.

  • Participating SOEs estimated that almost half, 48%, of all claims made through such channels in the last 12 months pertained to corruption or other related irregular practices.

  • Some companies send such reports to specific units -- such as a high level whistleblowing committee; an ethics committee that is separate from the board as in one Italian company; a working group consisting of heads of HR, quality, security and of the management board as does one company in Latvia; an Ethics and Conflict of Interest Prevention Committee and Internal Oversight Department; or to a Chief Governance Officer in a Corporate Governance Office such as in the Philippines; or the quality department, the Ombudsman office, or an Investigation Department as is done in one company in Turkey.

  • SOEs in the survey predominantly classify claims as confidential (60%). One third classifies them as anonymous, and the remainder are attributed to the individual making the claim or report (Figure 2.7).

Figure 2.7. Classification of claims: confidential, anonymous or attributed.
picture

Note: Based on the 128 companies that knew how claims were categorised, or that could agree upon the classification (in companies with multiple respondents) in response to: “How are internal and external reports/claims about corruption or other irregular practices categorised/classified when coming through your company’s reporting mechanism”?

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

Three quarters of SOEs offer legal protection from discriminatory or disciplinary action for those who disclose wrongdoing in good faith on reasonable grounds, yet 21% do not. Those that do so are either required by law (45%) or have done so voluntarily (30%).

Of the 42% of respondents that have seen corruption or other irregular practices in their company in the last three years, 92% said they had reported it. One chief compliance officer from a European SOE admitted that he did not report what he saw as the anti-corruption programme had not yet been in place. Of the vast majority of respondents that reported witnessing corrupt or irregular activity, only two reported experiencing retaliation for doing so, which is a much lower rate than those found in another comparable international study (ECI, 2016).

Thirty-seven percent of SOE board members and executive management report that ineffectiveness of reporting channels and whistleblowing mechanisms as an obstacle to integrity in their company. This ranks it amongst the top ten obstacles to integrity of the participating SOEs. Companies should focus not only on the channels but the action undertaken by the reports. As mentioned above, SOEs appear less likely to take strict action (cancelling projects and taking remedial action, for instance) compared to other private companies.

A common concern is that those witnessing corruption will not report for fear of retaliation or discrimination, but only two who saw and reported corruption or other irregular practices experienced retaliation as a result. For one respondent, retaliation came in the form of increased time delays, administrative costs and friction in relationships. Retaliation for "doing the right thing" was generally ranked as a low likelihood of occurrence on average across participating countries.

The general finding that the vast majority were not retaliated against may signal that mechanisms for protecting whistleblowers are effective. Figure 2.8 shows that 70% of respondents report that their company has legal protection for those who disclose wrongdoing, 45% of which do so as required by law. An OECD survey on business integrity and corporate governance showed that over one third of companies surveyed did not have a written policy for protecting whistleblowers from reprisal (OECD, 2015a). OECD’s Committing to Effective Whistleblower Protection, showed that while much progress has been made in whistleblower protection in the public sector that the private sector lagged behind (OECD, 2016b).

Figure 2.8. Protection for those disclosing or reporting wrong-doing in good faith
picture

Note: Based on 129 companies that responded to the question and could agree (where multiple respondents) on the answer to the question “Does your company have legal protection from discriminatory or disciplinary action for those who disclose wrongdoing in good faith, to competent authorities, on reasonable grounds?”

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

Another study by the Ethics and Compliance Initiative (2016) showed that of the 34% of respondents in the public sector had observed misconduct, and 32% in the private sector; The majority report the misconduct (59%, both categories), but at least one third (36%) experience retaliation for reporting (private sector 33% and public 41%).

Table 2.11. Mechanisms for ensuring legal protection for those who disclose wrongdoing in good faith

Ways to ensure legal protection

Reported company examples for legal protection of those reporting

Reliance on robustness of mechanisms for reporting/whistleblowing

Person reporting remains anonymous/confidential, training for all officials, encouraging a culture of reporting, “Whistleblower protection system”

Explicit references in company Codes or whistleblowing codes

Reference in national legislation, internal regulation, Code of Conduct/ethics, Policy for Workplace Harassment, Compliance Investigation Manual, etc.

Punitive measures for those retaliating or discriminating

Grounds for discipline (including retaliation),

Note: Based on the question “Does your company have legal protection from discriminatory or disciplinary action for those who disclose wrongdoing in good faith, to competent authorities, on reasonable grounds?” The Table is not meant to be comprehensive but to provide examples of different company approaches.

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

Table 2.11 outlines the ways in which companies do ensure such legal protection in practice. One company provides protection from retaliation on a more subjective basis: if the person reporting is well intentioned and their claims are true. A few report that while protection through law exists that it is only partially guaranteed or it has not been applied. One company “guarantees discretion and confidentiality during the entire disclosure management process, from the time the disclosure is received to the preliminary investigation and conclusion phase”.

Box 2.11 provides example questions that companies may use to self-assess the systems in place for reporting, as put forth in the OECD, UNODC and World Bank, Anti-Corruption Ethics and Compliance Handbook for Business (2013).

Box 2.11. Key questions to assess companies’ systems for reporting and investigation
  • Has management established a culture in which questions will be raised?

  • Does management regularly communicate the requirement for reporting concerns?

  • Does the business unit have a clearly defined plan for response to such concerns?

  • Are procedures in place to ensure that any issues are communicated to the appropriate group function?

Source: OECD, UNODC and the World Bank, Anti-Corruption Ethics and Compliance Handbook for Business (2013), www.oecd.org/corruption/anti-corruption-ethics-and-compliance-handbook-for-business.htm.

Element 9: Incentives for integrity

OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance asks companies to consider “appropriate measures to encourage and provide positive support for the observance of ethics and compliance programmes or measures against all foreign bribery [and corruption], at all levels of the company” (OECD, 2010). Company officials should be reassured that they will not suffer retaliation from refusing to engage in, or reporting on, corruption and other irregular practices, as discussed above in the section on detection and advice channels.

SOEs, and state ownership entities, should communicate the benefits of integrity and hindrance of corruption, raising awareness to the threat, causes and gravity of corruption. This approach is promoted by the UNCAC (2003). Positive reinforcement and awareness-raising is covered further in the section above on education and training.

SOEs should also seek to manage perverse incentives for corrupt behaviour that puts personal interest of themselves or another ahead of the best interest of the company and, importantly for the case of SOEs, ahead of society as an ultimate shareholder.

Incentives management should be incorporated into the risk management system. This means identifying and managing perverse incentives to misbehave, rule-break, or engage in corruption that may be exacerbated by an SOEs’ governance structure, goals or objectives.

OECD’s Behavioural Insights for Public Integrity – Harnessing the Human Factor to Counter Corruption (2018) provides insight into what public administrations, as well as SOEs and private sectors alike, can do about perverse incentives that may give rise to corruption. Table 2.12 outlines the Australian Government’s “Values Alignment” framework to describe three types of persons based on their likelihood to engage in corruption and what can be done about it (ACLEI, 2017; OECD, 2017b; OECD, 2018). OECD’s forthcoming work on behavioural insights for public sector integrity emphasise the potential in tapping into and focusing efforts on group B of Table 2.12 – where a culture of company integrity and awareness and education can help to negate existing perverse incentives.

Table 2.12. When values are aligned, or misaligned with the company’s, and what can be done about it

Classification

Characteristics

What can be done?

Group A

Represents people who are unlikely to act corruptly regardless of circumstances, perhaps as a result of internal values or identity

Recruit for values that resist corruption

Group B

Represents people whose decision to act corruptly is dependent on circumstance. In ideal conditions, this group is unlikely to act corruptly. However, the opposite is true if personal or environmental circumstances were conducive

Provide a work environment for staff in which high professional standards are valued, opportunities for corrupt conduct are minimised and compliance with integrity measures is made easy

Group C

Represents a small group of people who are likely to act corruptly whenever they can get away with it. This group is driven by self-interest and tend to respond only to effective deterrence

Be prepared for the existence of the purely self-interested, by putting in place effective detection and deterrence measures

Source: Australian Commission for Law Enforcement Integrity, www.aclei.gov.au/corruption-prevention/key-concepts/values-alignment; OECD (2017c), OECD Integrity Review of Colombia: Investing in Integrity for Peace and Prosperity, OECD Publishing, Paris, http://dx.doi.org/10.1787/9789264278325-en; OECD (2018): Behavioural Insights for Public Integrity – Harnessing the Human Factor to Counter Corruption. OECD Public Governance Reviews, OECD Publishing, Paris, http://dx.doi.org/10.1787/9789264297067-en.

The 347 survey respondents (SOE board members and senior management) confirmed that behavioural considerations can challenge the efficacy of SOEs’ corruption prevention. The following challenges were rated as “somewhat an obstacle”, “an obstacle” or “very much an obstacle” to effectively promoting integrity and preventing corruption in, or involving, their company:

  • opportunistic behaviour of individuals (51%)

  • a perception that the likelihood of getting caught is low (43%)

  • a perception that the cost of corruption is low and/or return is high (38%).

Respondents that see these behavioural issues as obstacles to SOE integrity have also seen more corruption and other irregular practices in the last three years, and rate the likelihood and impact of future risks transpiring as higher.

Liability regimes may affect the behaviour of SOE representatives with respect to corruption and other irregular practices. The above factors are considered greater obstacles in SOEs that operate under a criminal liability regime in which the entity is liable only when senior management (in the "directing mind" and will of the company) committed the crime (sometimes known as the identification doctrine or theory) (OECD, 2016c). In these companies, those in “the directing mind” of the company may put pressure on lower ranks to break rules. Indeed, non-management employees and mid-level managers are considered by respondents to be most often involved in corruption. On the contrary, SOEs operating under “strict” or “adjusted” liability regimes, where the entire company is liable for criminal wrong-doing, see the above factors as less of an obstacle to their company’s effective prevention and detection of corruption.

The “fraud triangle” described in PwC (2011) outlines three common factors that are in place when fraud occurs that may be applicable to corrupt or irregular practices:

  • Opportunistic behaviour: PwC’s 2016 Global Economic Crime Survey found that economic crime was primarily a result of the opportunity or ability to commit the crime (69%), compared to incentives or pressure to perform (14%) (PwC, 2016a).

  • Pressure or incentive to engage in misconduct: A report by the Financial Stability Board (FSB, 2017), identifies the root causes of misconduct in the financial sector. Findings show that misconduct follows a trail that begins with some form of pressure, thereby affecting decisions by leadership or tone from the top and ultimately contributing to an organisational culture that undervalues safety and ethical values. The report also finds that a lack of appropriate governance arrangements may provide incentives to engage in misconduct, including but not limited to unclear roles and responsibilities and insufficient controls.

  • Justification or rationalisation of the behaviour: A global survey by Ernst and Young (EY, 2016) finds that executive management, notably chief financial officers, can justify misconduct when under financial pressure. The PwC Global Economic Crime survey found that 11% of perpetrators of economic crime used rationalisations to justify their behaviour (PwC, 2016a).

These three common denominators of fraud are applied in this report to corrupt and other irregular practices in SOEs. A blatant form of pressure is the direct pressure to break rules, or to compromise integrity standards. One study (ECI, 2016) found that pressure to compromise standards was higher in:

  • multinationals (25%) as opposed to solely domestic companies (18%)9

  • companies that are suppliers have more pressure to compromise standards than those that are not (26% versus 18%)10

  • companies undergoing numerous and recent organisational changes.

SOEs should monitor red flags for individuals’ behaviour as part of the overall risk management system of the enterprise. A study conducted biennially by the ACFE has, since 2008, consistently found six top red flags that may help to identify those who commit occupational fraud: (i) living beyond their means, (ii) financial difficulties, (iii) unusually close association with vendors or customers, (iv) “wheeler-dealer” attitudes, (v) control issues or unwillingness to share duties, and (vi) personal or family issues. In almost 80% of the cases of occupational fraud that were studied, perpetrators exhibited at least one of these six flags. While the findings focus on occupational fraud, the study also found that 37.4% of all cases were an overlap of fraud and corruption and/or asset mismanagement (ACFE, 2016).

It should be clear to corporate insiders that engagement in corrupt or other irregular practices has implications that extend beyond the financial. SOEs in this study have indeed suffered financial losses to corruption or other irregular practices. In 47% of companies, at least one representative reported that the company lost operational budget due to corruption and other irregular practices. They estimate the losses to be at 1.4% of annual corporate profits. In some cases, this figure included cost estimates relating to compliance with enforcement actions or sanctions that have been paid.

Box 2.12. Countering perverse incentives: A maturity framework for developing a positive culture

Fundamental

  • Officials understand and agree the need and value of effective risk management.

  • Senior executives and line managers demonstrate the importance the entity places on managing risk in line with the entity’s framework and systems.

Developed

  • The entity’s risk management framework is integral to its operating model.

  • Lessons learnt are communicated to staff.

  • There is a common understanding of the meaning of good risk management and as a result a consistent use of language and understanding of risk related concepts.

Systematic

  • Surveys and external reviews undertaken (such as the annual state of the service report or capability reviews) are analysed to provide insights into the risk culture of the entity.

  • The entity analyses loss incidents and identifies areas for improvement. This includes acknowledging good risk management practice and speaking with staff regularly about opportunities to better manage risk.

Integrated

  • Senior executives are held accountable through their performance agreements for managing risk including responsibility for strengthening the risk culture of their teams.

  • The entity’s risk culture is formally and regularly assessed with recommendations identified for improvement.

  • The entity has a risk management framework that is integrated with its overarching governance framework so that the task of managing risk is not regarded as an additional responsibility or burden.

Advanced

  • Officials are comfortable raising concerns with senior managers and those being challenged respond positively.

  • There is a sponsor at the senior executive level of the entity that leads and promotes the management of risk across the entity.

  • The entity learns from negative and positive situations so that policy and procedural changes are made to improve the management of risk in the future.

Optimal

  • The culture of the entity is one that demonstrates and promotes an open and proactive approach to managing risk that considers both threat and opportunity.

  • Examples of good risk management practice are communicated by senior executives and individuals that excel in demonstrating good risk management practice in their day to day responsibilities are rewarded.

Source: Government of Australia, Department of Finance (2017), Benchmarking Survey 2017 – Risk Management Maturity Capability Levels (2017), www.finance.gov.au/sites/default/files/rm-capability-maturity-levels-2017.pdf.

The greatest casualty of economic crime is employee morale, according to another international study (PwC, 2016a). SOEs should pay attention to low employee morale and the working environment this creates because, as mentioned above, individual actions may be dependent on the conduciveness of an environment to promoting positive incentives for integrity. Employee morale as a casualty of corruption may only serve to deepen the issue.

SOEs do not operate in a vacuum. SOEs in this study are also concerned with reputational damage, and subsequent loss of trust and client base. SOEs should give due consideration and care to the economic, social and environmental externalities of their actions, not least to their involvement in corrupt or other irregular practices.

Box 2.12 elaborates a maturity model for developing a positive culture within an entity. While applied to improving the culture of risk management in an entity, it can be used as inspiration and tailored to improving a culture of integrity more broadly in response to the above behavioural risks. The “optimal” practice includes a situation where “examples of good risk management practice are communicated by senior executives and individuals that excel in demonstrating good risk management practice in their day to day responsibilities are rewarded” (Australian Government Department of Finance, 2017). It can be useful, in particular, for targeting “Group B” in Table 2.11, for whom a positive environment can effectively persuade people to “do the right thing”.

Element 10: Investigation, response and improvement: what happens when things go wrong?

In case of suspected wrong-doing, SOEs would benefit from having techniques to manage efficiently, effectively and economically. International good practice suggests that companies have in place (i) appropriate disciplinary measures and procedures to address corruption and other irregular practices (OECD’s Good Practice Guidance); (ii) the ability to apply appropriate sanctions for violations of integrity mechanisms or programmes internally (Principles for Countering Bribery); (iii) investigative procedures (Integrity Compliance Guidelines); (iv) openness to cooperate appropriately with relevant authorities in connection with investigations and prosecutions (Business Principles for Countering Bribery).

SOEs in this study usually assign internal audit units, legal departments and HR departments with primary responsibility for internal investigations and for remedial or disciplinary action for violation of integrity policies. These units are additionally responsible for overseeing implementation of internal guidelines or codes in 65% of respondents companies.

Where red flags are detected, or in cases of suspected corruption or other irregular practices, SOEs generally take a first step of launching an internal investigation before, if needed, appealing to external authorities for further investigation.

In a case in Colombia, it was the board of directors that noticed a series of inconsistencies in its financial and operational results of the company and later decided to conduct an in-depth restructuring process and commanded a forensic external audit, which later confirmed their concerns. In the Netherlands, an external investigation was requested by the board and the Ministry of Finance in its capacity as shareholder, to carry out a thorough analysis of the effectiveness of the existing internal procedures, risk management, compliance and checks within an SOE involved in corruption, and all its subsidiaries. The SOE took on additional measures based on the external report to refine internal procedures and checks and it has drawn up an action plan preventing bribery and corruption in the future. Upon suspicion of one case of corruption in Argentina, the national internal audit agency in Argentina (SIGEN) was the one to raise the case with authorities and communicated the facts to the Anti-Corruption Agency, which took the case to the Courts.

Suspected and real corruption and other irregular practices should be accompanied or followed by an internal review and, if necessary, revision of existing integrity mechanisms – including a root-cause analysis of what went wrong. It may also warrant an external review. Such activities should complement the aforementioned, regular and robust monitoring of the integrity mechanisms or programme by the designated party, as well as overall performance monitoring of management by the board.

Impact, response and improvement

Penalties and their severity for corruption or other irregular practices will vary, and may include the following, based on real cases presented by SOEs and state ownership entities participating in this study:

  • civil or criminal fines or sanctions

  • imprisonment

  • debarment

  • dissolution

  • organisational restructuring and/or removal of officials or board members

  • increased monitoring

  • requirements to improve or overhaul integrity measures and/or to or implement compliance or anti-corruption programmes.

Following a corruption investigation in a Dutch SOE, the board chairman, under whose responsibility irregularities took place, left the company. There were additional criminal procedures against some former directors. The SOE’s board of directors was expanded to include a portfolio of Governance, Risk and Compliance. Internal procedures and codes of conduct for procurement (and compliance with them) have been tightened.

In one corruption case, individuals in a Colombian SOE were handed seven prison sentences. Executives in the third-party company with whom the bribery occurred received fines, and the third-party company was debarred and subject to increased monitoring through the SOEs’ compliance division.

The OECD’s Foreign Bribery Report (2014) found that the majority of the 427 foreign bribery cases concluded between 1999 and 2014 resulted predominantly in civil or criminal fines (261). Other types of punishment included confiscation (82), imprisonment (80), compliance programmes (70), injunction (67), suspended prison sentence (38), compensation (12), debarment (2) and dissolution (1). Of the cases for which data was available, 46% had a sanction that was less than 50% of the proceeds obtained by the defendant as a result of bribery foreign public officials. In 13% of cases, the sanction was 50-100% of the profits, in 19% of cases it was 100-200% and in 22% cases it was greater than 200% of the proceeds of the bribe.

SOEs have suffered financial losses and penalties, but are also fearful of reputational damage. Forty-seven percent of surveyed SOEs report financial losses as a result of corruption and other irregular practices, amounting to an average loss of 1.4% of annual corporate profits (including cost estimates relating to compliance with enforcement actions or sanctions that have been paid). Moreover, in establishing prevention and detection mechanisms, SOEs were more motivated by a fear of reputational damage, enforcement or divestment by broader investors (non-state), than by risk of legal or enforcement actions by shareholders. For SOEs that are not listed, and have a larger share of SOE ownership, attention may be paid to the “too public to fail” mentality, where SOEs feel insulated from legal or enforcement action.

SOEs could consult the US’ Department of Justice (DoJ) “Evaluation of Corporate Compliance Programs” (2017) which is a valuable tool for reflecting on the strength of the SOEs’ integrity mechanisms in face of suspected misconduct. As an indication of the types of questions that are asked in evaluations by the DoJ, it is not meant to be a check-the-box list of items. It too should be tailored to an individual company. It can effectively enable SOEs to reverse engineer their integrity and anti-corruption programmes. Examples of these questions that can be used to assess the strength of a company’s response and improvement in face of corruption allegations are provided in Box 2.13.

Box 2.13. Key questions to assess companies’ capacity for adequate response, prevention and improvement in cases of non-compliance

Evolving Updates – How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?

Remediation – What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future? What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis?

Root Cause Analysis – What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?

Prior Indications – Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?

Source: United States’ Government, Department of Justice (2017), “Evaluation of Corporate Compliance Programs”, www.justice.gov/criminal-fraud/page/file/937501/download.

References

ACLEI (2017), Australian Commission for Law Enforcement Integrity, www.aclei.gov.au/corruption-prevention/key-concepts/values-alignment.

ACFE (2016), Report to the Nations on Occupational Fraud and Abuse, 2016 Global Fraud Survey, Association of Certified Fraud Examiners, www.acfe.com/rttn2016/docs/2016-report-to-the-nations.pdf.

Australian Government Department of Finance (2017), Benchmarking Survey 2017 – Risk Management Maturity Capability Levels, www.finance.gov.au/sites/default/files/rm-capability-maturity-levels-2017.pdf

Control Risks (2017), International Business Attitudes to Compliance, Report 2017, https://www.controlrisks.com/our-thinking/insights/reports/international-business-attitudes-to-compliance.

COSO (2017), Enterprise Risk Management: integrating with strategy and performance, Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org/Pages/default.asp.

Department of Justice, United States (2017), “Evaluation of Corporate Compliance Programs”, www.justice.gov/criminal-fraud/page/file/937501/download.

Deloitte (2014), Director 360: Growth from all directions, www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/gx-ccg-director-360-growth-from-all-directions-third-edition.pdf.

ECI (2016), Measuring Risk and Promoting Workplace Integrity, Global Business Ethics Survey, Ethics and Compliance Initiative, 2016, www.ethics.org/ecihome/research/gbes/gbes-form.

EY (2016), Corporate misconduct – individual consequences: Global enforcement focuses the spotlight on executive integrity, Ernst & Young, www.ey.com/Publication/vwLUAssets/EY-corporate-misconduct-individual-consequences/USDFILE/EY-corporate-misconduct-individual-consequences.pdf.

FATF (2013), FATF Guidance: Politically Exposed Persons (Recommendations 12 and 22), Financial Action Task Force, www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-PEP-Rec12-22.pdf.

FSB (2017), Stocktake of efforts to strengthen governance frameworks to mitigate misconduct risks, Financial Stability Board, www.fsb.org/2017/05/stocktake-of-efforts-to-strengthen-governance-frameworks-to-mitigate-misconduct-risks/.

G20 (2015), G20 High-Level Principles on Private Sector Transparency and Integrity, http://g20.org.tr/wp-content/uploads/2015/11/G20-High-Level-Principles-on-Private-Sector-Transparency-and-Integrity.pdf.

Georgetown University (2017), Impact, Likelihood and Velocity, https://riskmanagement.georgetown.edu/RiskAssessmentMeasures.

IMF, (2017), The Role of the Fund in Governance Issues - Review of the Guidance Note - Preliminary Considerations - Background Notes, Policy Papers, International Monetary Fund, www.imf.org/en/Publications/Policy-Papers/Issues/2017/08/01/pp080217-background-notes-the-role-of-the-fund-in-governance-issues-review-of-the-guidance-note

ISO 37001 (2016), “Anti-bribery management systems -- Requirements with guidance for use”, International Organization for Standardization, www.iso.org/standard/65034.html

OECD (2018), Behavioural Insights for Public Integrity: Harnessing the Human Factor to Counter Corruption, OECD Public Governance Reviews, OECD Publishing, Paris, www.oecd.org/gov/ethics/behavioural-insights-for-public-integrity-9789264297067-en.htm.

OECD (2017a), The Detection of Foreign Bribery, OECD Publishing, Paris, www.oecd.org/corruption/the-detection-of-foreign-bribery.htm.

OECD (2017b), OECD Integrity Review of Colombia: Investing in Integrity for Peace and Prosperity, OECD Publishing, Paris, http://dx.doi.org/10.1787/9789264278325-en.

OECD (2016a), Checklist for Supporting the Implementation of the OECD Recommendation of the Council on Public Procurement, www.oecd.org/governance/procurement/toolbox/search/checklist-implementation-oecd-recommendation.pdf.

OECD (2016b), Committing to Effective Whistleblower Protection, OECD Publishing, Paris, www.oecd.org/corporate/committing-to-effective-whistleblower-protection-9789264252639-en.htm.

OECD (2016c), Liability of Legal Persons for Foreign Bribery: A Stocktaking Report, OECD Publishing, www.oecd.org/corruption/liability-of-legal-persons-for-foreign-bribery-stocktaking-report.htm

OECD (2015a), Corporate Governance and Business Integrity: A stocktaking of Corporate Practices, www.oecd.org/corruption/corporate-governance-business-integrity-stocktaking-corporate-practices.htm.

OECD (2015b), OECD Guidelines on Corporate Governance of State-Owned Enterprises, 2015 Edition, OECD Publishing, Paris, www.oecd.org/corporate/guidelines-corporate-governance-soes.htm.

OECD (2014), OECD Foreign Bribery Report: An Analysis of the Crime of Bribery of Foreign Public Officials, OECD Publishing, Paris, www.oecd.org/corruption/oecd-foreign-bribery-report-9789264226616-en.htm.

OECD (2010), Good Practice Guidance on Internal Controls, Ethics, and Compliance, www.oecd.org/daf/anti-bribery/44884389.pdf.

OECD (2013), OECD/UNODC/World Bank, Anti-Corruption Ethics and Compliance Handbook for Business, www.oecd.org/corruption/anti-corruption-ethics-and-compliance-handbook-for-business.htm.

PwC (2016a), Adjusting the Lens on Economic Crime: Preparation brings opportunity back into focus, Global Economic Crime Survey 2016, Price Waterhouse Coopers, www.pwc.com/gx/en/economic-crime-survey/pdf/GlobalEconomicCrimeSurvey2016.pdf.

PwC (2011), Fighting Fraud in the Public Sector, www.pwc.com/gx/en/psrc/pdf/fighting_fraud_in_the_public_sector_june2011.pdf

TI (2017), 10 Anti-Corruption Principles for State-Owned Enterprises, Transparency International, www.transparency.org/whatwedo/tools/10_anti_corruption_principles/0.

Transparency International et al. (2013), Business Principles for Countering Bribery, www.transparency.org/whatwedo/tools/business_principles_for_countering_bribery/1.

Transparency International UK (2012), The 2010 UK Bribery Act Adequate Procedures Checklist, Transparency International UK, London, 2010, www.transparency.org.uk/publications/adequate-procedures-checklist-pdf/#.W0Yf-tIzbcs.

UN (2005), United Nations Convention Against Corruption, United Nations, New York, 2004, www.unodc.org/unodc/en/treaties/CAC/.

US Department of Justice (2017) “Evaluation of Corporate Compliance Programs”, www.justice.gov/criminal-fraud/page/file/937501/download.

World Bank Group (2010), Integrity Compliance Guidelines, World Bank, Washington DC, http://siteresources.worldbank.org/INTDOII/Resources/Integrity_Compliance_Guidelines.pdf.

World Economic Forum (2016), Partnering Against Corruption Initiative: Principles for Countering Bribery, Multinational Task Force, www3.weforum.org/docs/WEF_PACI_Global_Principles_for_Countering_Corruption.pdf.

WJP (2017), World Justice Project Rule of Law Index 2017-2018, World Justice Project, worldjusticeproject.org/our-work/wjp-rule-law-index/wjp-rule-law-index-2017%E2%80%932018.

Annex 2.A. List of obstacles in the OECD state-owned enterprise survey
Table 2.A1.1. Obstacles to integrity: Question options from the state-owned enterprise survey
Response options for the following question: in your opinion, to what degree does each factor pose as an obstacle to effectively promoting integrity and preventing corruption in, or involving, your company?

List of obstacles put forth to SOE respondents to rank each: very much an obstacle, an obstacle, somewhat an obstacle, not at all an obstacle, NA/does not exist

Obstacles regarding relations with government

A lack of a culture of integrity in the political and public sector

Overly complex or burdensome legal requirements

Relations between your company, or the board, and political officials

Obstacles regarding company culture

A lack of a culture of integrity in your company

A lack of awareness among employees of the need for, or priority placed on, integrity

A lack of awareness of legal requirements

Conflicting corporate objectives

Inadequate financial or human resources to invest in integrity and anti-corruption

Inadequate remuneration/compensation

Loyalty to company

Loyalty to customers or third parties

Unsupportive leadership from the Board or management

Penalisation of whistleblowers/reporting

Pressure to perform or meet targets

Pressure to rule-break

Obstacles regarding controls and accountability

Ineffective channels for whistleblowing / reporting misconduct

Ineffective internal audit

Ineffective external audit

Ineffective internal control or risk management

Unclear or ineffective reporting lines between integrity units and Board

Unclear or ineffective reporting lines between Board and others

Obstacles regarding behaviour

Perceived cost of corruption is low and/or return is high

Perceived likelihood of getting caught is low

Opportunistic behaviour of individuals

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs

Notes

← 1. For more information, please see page 90 of OECD (2015a), Corporate Governance and Business Integrity: A Stocktaking of Corporate Practices, www.oecd.org/daf/ca/Corporate-Governance-Business-Integrity-2015.pdf

← 2. The correlation included 27 of the countries participating in the SOE survey. Data was not available for Iceland, Israel, Latvia, Lithuania, Pakistan, Slovakia or Switzerland.

← 3. Out of the 197 valid company responses available for this question, 104 companies reported not losing a share of annual corporate profits to rule-breaking and corruption (including cost estimates relating to compliance with enforcement actions or sanctions that have been paid). The remaining 93 companies (47%) had at least one respondent within the company estimate losing profits.

← 4. Article 8 of the 2009 Anti-Bribery Recommendation, section X (accounting, external audit, internal controls, ethics and compliance) and Annex II, Good Practice Guidance, sub-section 7.

← 5. The Financial Action Task Force provides Guidance on Politically Exposed Persons, www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-PEP-Rec12-22.pdf.

← 6. Ethisphere’s “World’s Most Ethical Companies Honoree List” compiles companies recognized for their critical role to drive positive change in their business committee and around the world. In 2018, 135 companies from 23 countries and 57 industries are featured on the list, available here: www.worldsmostethicalcompanies.com/honorees.

← 7. See OECD’s “Preventing Corruption in Public Procurement” for examples of utilisation of “integrity pacts”, www.oecd.org/gov/ethics/Corruption-in-Public-Procurement-Brochure.pdf.

← 8. This may occur in instances where there is a state warranty on defined liabilities of SOEs or contributions collected by means of taxation for special activities run by the enterprise.

← 9. MNEs observed more misconduct in the previous 12 months (36%) compared to domestic companies (29%) but were slightly less likely to report it at 59% versus reporting of domestic companies at 60%. In both types of companies, those reporting misconduct experienced retaliation – 35% in domestic and 32% in MNEs. Rate of misconduct is higher in companies that operate in more than one country (ECI, 2016).

← 10. Thirty-eight percent of respondents of companies that are suppliers personally observed misconduct in the previous 12 months, versus 27% who did not. Sixty-six percent of suppliers reported observing misconduct, while 54% of non-suppliers did not. Companies that are suppliers were also more likely to experience retaliation for reporting misconduct (39%) versus non-suppliers (27%) (ECI, 2016).