Does ABC provide the business case for GRC?

Quantifying business risk is difficult, and persuading senior management to invest in technology to help mitigate it is therefore challenging.  However millions of pounds are paid every year in fines and numerous custodial sentences handed out as a result of corporate fraud and corruption.  This points clearly to the justification of implementing a Governance, Risk and Compliance (GRC) system as an Anti-Bribery and Corruption (ABC) measure.

The Bribery Act 2010 states that adequate procedures (bribery prevention policies and the procedures and controls that implement them) need to be effectively implemented in order that the full corporate defence against bribery by a person associated with the company can be used.  Wide jurisdiction of the Act means this has to be applied globally.

Risk managers need to develop a proportionate response to this.  That is, it must be proportionate to the risk and proportionate to the size of the organisation.

A single GRC system to co-ordinate the implementation and operation of adequate Anti-Bribery and Corruption (ABC) procedures provides a solution for risk managers.  Four key areas where it helps are:- senior management commitment; risk assessment; gifts and hospitality; policies and guidelines management.

Senior management commitment

Investment in a GRC system demonstrates that an organisation is serious about controlling the risks.  As well as providing the documentary evidence of compliance in one place, it will give senior executives a level of Management Information (MI) reporting that enables them to better understand their organisation’s ABC risk exposure. 

Risk assessment

The gathering of periodic risk assessment data performed at a local level to determine the inherent scale of bribery risk present at a particular entity can be automated with a GRC system.  This data can then be collated across the group and be used as input for a full risk profiling and assessment process across the entire company.  This resulting risk profile can be used to determine level of bribery prevention procedures required to ensure they are proportionate with underlying risk.

Gifts and hospitality

Periodic surveys can be used to capture and formally record the giving and receiving of gifts and hospitality.  This data can then be collated and used as input for an overall Gifts and Hospitality Register, which ensures that when these are given and received, they remain within acceptable boundaries as outlined in AB&C policy.

Policies and guidelines

GRC systems can be used to formally record that recipients have read and understood company policies relating to ABC.  This is backed up by policy quiz functionality which is used to ensure that recipients have an adequate level of understanding using pass/fail mark and workflow of results for oversight by line managers.

Once the GRC system is in place for these and other ABC procedures, risk managers can also use it to manage the risks associated with other areas of economic crime such as sanctions, fraud, anti-trust, and money laundering.  By doing so, they will receive an increased return on their GRC investment.

Conclusion: a step in the right direction

Implemented correctly, a GRC system will go a long way towards demonstrating that adequate procedures are in place to reduce the likelihood of bribery and corruption in an organisation. Whilst this may not address all aspects of compliance to the new ABC regulations it is clearly a strong statement of intent from the company’s leadership and will certainly be viewed favourably by the regulators.