Testing ABAC compliance programmes: lessons from recent enforcement actions

It has been ten years since the Bribery Act 2010 entered into force in the UK.  This is an excellent time for organisations to review their ABAC compliance programme, if they have not done so already. 

There are three components to an effective corporate ABAC programme: design, implementation and testing. We see common weaknesses in corporate compliance programmes at each of these stages.

The bedrock of compliance: framework design

An effective ABAC framework should:

• set out key obligations;
• incorporate these in policy and procedure documents; and
• establish controls, which relate to the obligations, as well as risks the organisation is facing.

There should be an appropriate governance structure with clear accountability for ownership of the risks and controls. The governance structure should ensure adequate and independent oversight of the ABAC framework, providing an opportunity for challenge and independent perspective. There should be a separation of business and oversight functions (such as compliance, legal and internal audit).

Recent DPAs show how governance structure can be a weakness for some companies. Following SFO enforcement action, companies have, for example, created a Board Risk Committee to provide risk-related oversight of key contracts, investment and commercial decisions¹ and altered reporting lines so that they are not business-led to ensure scrutiny by an independent compliance function.²  

Other shortcomings in ABAC frameworks that we see include:

• missing key documents from the framework, such as directions for employees on the appropriate steps to take when encountering high-risk situations.
• key documents being overly legalistic and lacking practical context or user friendliness to allow users to understand easily what they should do and why. Policies should not be too long, and should incorporate practical elements, such as a list of business-specific red flags to bring the high-risk scenarios to life for all employees.

Having the right policies, procedures, manuals, contractual clauses and checklists provides a robust foundation for embedding the right behaviours within an organisation.

Implementation relies on training and culture

Effective implementation of a compliance framework heavily depends on training and culture.

Several DPAs have highlighted a lack of training.³ Shortcomings included failing to carry out periodic training, or not training the right people.  

Multiple DPAs have pointed to a culture of disregard for compliance.⁴ Ongoing and visible commitment not only from senior, but also mid-level managers, is needed to ensure the effective implementation and operation of a robust compliance framework. In the absence of the right tone from the top, and modelling behaviours of compliance, even the most well designed compliance and prevention framework becomes redundant.

Testing and monitoring: is it working?

Independent oversight over the effectiveness of the framework helps identify weaknesses and address gaps. Both monitoring and testing are necessary. 

Monitoring should include reviewing the processes in place, and the associated Management Information (MI) reports produced. MI should help management analyse trends, provide a comprehensive view of the current state of effectiveness of processes and controls, as well as provide early warning signs of potential threats due to weaknesses in the compliance programme.

Testing, on the other hand, means a closer look at specific controls and verifying their effectiveness. For ABAC this may, for example, include verifying a sample of the gifts and hospitality register and approval forms and logs, reviewing training records or doing deep dive investigations into individual whistleblowing reports to verify whether policy is being followed.

Effective ABAC frameworks

The strongest ABAC management frameworks have senior management ownership of risks, clear alignment between risks and their respective controls, an assigned day-to-day owner of each control, and periodic testing, creating a feedback loop through effective reporting lines in place. This goes to show that the three components of framework design, implementation and testing are inextricably linked, and all require adequate maintenance.

The appointment of an external party can meaningfully supplement internal reviews of the existing framework, by providing best practice insights and lessons learned from industry. A targeted review of certain documents such as policy and procedure documents, ABAC training programme, or controls testing can help identify areas of improvement, to ensure a framework remains as effective as possible.

The SFO continues to be ambitious in pursuing cases, as are other authorities worldwide. We know from working with clients across a range of sectors that in order to maintain an effective compliance programme, companies need to commit to a continual process, which develops with their changing risk profile. The process requires engagement across all levels of the organisation.

A proactive approach will help mitigate costly shortcomings later down the line. A&O Consulting helps companies understand their obligations and design robust and pragmatic solutions that deliver broader business benefits. We work with A&O lawyers to provide clients with seamless and tailored advice.

¹ G4S

² G4S, Airbus

³ Guralp, Airline Services

⁴ Eg Airbus, Amec Foster Wheeler