Anti-Bribery & Corruption (ABAC) Risk in the Extended Enterprise: A Quick Guide

An increasingly global third-party ecosystem and a growing number of bribery and corruption laws mean your organization must continuously assess its vendor relationships for ABAC risks.
Michael Rasmussen
GRC Analyst & Pundit, GRC 20/20 Research
May 11, 2021

In my previous post, A Quick Guide to ESG and Risk Management in the Extended Enterprise, I outlined what environmental, social and governance (ESG) is and how it impacts third-party risk management. This post expands on a specific aspect of governance in ESG: anti-bribery and corruption (ABAC).

ABAC Risk and Compliance

Organizations today face a tremendous amount of anti-bribery and corruption risk – especially as they conduct business globally. Anti-bribery and corruption laws govern business transactions and prohibit exchanges of value that illegally influence the actions of either party in a transaction. There is a range of laws meant to enforce ABAC measures – from the U.S. Foreign Corrupt Practices Act (FCPA, passed in 1977), to more recent legislation such as the U.K. Bribery Act (2010) and France's Sapin II (2016). In fact, 46 different countries have bribery and corruption laws. These laws address bribery in business transactions, often focusing on the actions of foreign government officials.

Enforcement of ABAC laws is expanding. For instance, 2019 was once a high-water mark for FCPA violations, with the U.S. Department of Justice (DoJ) and Securities and Exchange Commission (SEC) collecting $2.65 billion in penalties. COVID-19 did not slow down law enforcement, with 2020 seeing $2.78 billion in FCPA penalties. In the United Kingdom, the Serious Fraud Office (SFO) is also expanding its enforcement activities. And the European Union’s Directive on Mandatory Human Rights, Environmental, and Good Governance Due Diligence will require significant due diligence for organizations operating in EU countries, with ABAC falling under the Good Governance section.

Anti-Bribery and Corruption Risks in 2021

Bribery and corruption risk has increased because of COVID-19, and risk exposure will likely continue to climb as the pandemic continues to play out in 2021. With constrained supply chains, limited government contracts and permits, and backlogs in customs for import/export, organizations are facing a greater risk of bribery and corruption. For instance, we may see increasing numbers of employees and agents of third parties offer bribes to secure contracts and permits, or to expedite and prioritize shipping and customs. This increased risk exposure requires attentive due diligence of transactions and third-party relationships to ensure that the organization is not implicated in bribery or corruption charges.

Bribery & Corruption Risks in Third-Party Relationships

Third-party relationships are one of the most significant bribery and corruption risk exposures to organizations. When unpacking FCPA bribery and corruption enforcement actions, Stanford Law School discovered that over 90% of incidents involve a third-party intermediary. All third parties who act as agents of a company – such as distributors, sales representatives, brokers, consultants, freight forwarders, lobbyists – can expose the organization to liability for bribery and corruption. In fact, a company can be held liable for the actions of its third parties, even if the company claims to have no knowledge of an incident. Often, all that is needed for an indictment is a "high probability" of bribery or evidence that a company was "willfully blind" to a third party’s corruption on their behalf.


5 Key Requirements for a Third-Party ABAC Program

An effective governance program can help your organization address its third-party bribery and corruption risks. Key elements include:

  1. Relationship documentation: Start with a clear business case and rationale for why a third party is needed, as these relationships are sometimes used to hide illicit payments.
  2. Ongoing risk-based due diligence: Flag relationships that expose the organization to bribery and corruption risk, and regularly conduct due diligence – from onboarding to termination. Due diligence should include comprehensive vendor risk assessments, as well as continuous monitoring of databases for listings of agents on watch lists, sanction lists, and politically exposed person lists.
  3. Policy communication and attestation: Clearly communicate policies to address bribery and corruption and require third parties to acknowledge/attest that they understand and conform to your organization's policies.
  4. Transaction monitoring: Closely monitor third-party transactions for red flags that signal potential illicit payments, including gifts and entertainment, political contributions, hospitality, and facilitated payments.
  5. System of record: Have a robust system of record or audit trail of interactions, transactions, assessments, and communications with third parties. The goal is to provide evidence that demonstrates that your organization has a compliance program that can detect misconduct.

The complexity and risk exposure inherent to an extended enterprise of third-party relationships require a structured process to ensure that tasks are completed, that risk is evaluated, and that nothing slips through the cracks. Organizations face increased risk exposure if they rely on manual processes encumbered by spreadsheets and emails to manage this process. One way to minimize bribery and corruption risk in third-party relationships and develop a defensible compliance program is to implement a third-party risk management solution that can automate, manage and audit the entire ABAC assessment and monitoring process.

Michael Rasmussen
GRC Analyst & Pundit, GRC 20/20 Research

Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 28+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile.
