Sometimes even the gold standard still isn’t enough. Since 1995, company leaders and their corporate counsel have leaned on a single, well-respected measure to gauge vulnerability to bribery and corruption risks around the world. The Corruption Perceptions Index (CPI) is a trusted annual yardstick that ranks the integrity of every country’s public sector, based on the perception of experts and business executives.
Large companies have come to rely heavily on the CPI to guide their decisions on monitoring third-party agents and providers. If a country’s CPI score drops, compliance departments will usually allocate more due diligence resources to third parties in that jurisdiction.
Yet many large and well-resourced compliance programs disproportionately focus their risk rating on the country risk alone.
This strategy brushes a whole country with the same ranking for bribery and corruption risk. Yet the reality is far more nuanced. This leads to major inefficiencies and overlooks risks in corporate compliance programs.
Programs that follow the CPI without due weight being given to other factors end up “boiling the ocean” — spending too much time and too many resources on diligence for low-risk partners in “corrupt” countries while missing red flags on problematic third parties in “clean” countries. This is especially true for companies dealing with thousands of third parties in different capacities.
Even when compliance pros ask more questions of their partners, their reliance on the CPI gold standard can lead to insufficient or half-hearted follow-up. This simplistic approach could increase a firm’s legal vulnerability in the event of a Department of Justice or Securities and Exchange Commission enforcement action under the Foreign Corrupt Practices Act.
For example, a CPI-based assessment would correctly suggest that a customs broker in India presents more risk than a similar partner in Canada. But that reasoning breaks down when applied to different industries. Doesn’t it stand to reason that a Canadian customs broker could be deserving of closer diligence than an Indian provider of office stationery given the inherent vulnerability of customs services to graft?
How to supplement the CPI
The CPI is, and will continue to be, a valuable part of the compliance tool kit. But companies need to factor in a range of more dynamic metrics to create a truly sophisticated and efficient program. That’s because dynamic factors — which change over time and have multiple data points — are just as important to monitor as static factors. Static factors can include the type of relationship with a third party, the party’s size, its industry and the relative size of the contractual relationship.
Screening and monitoring for corruption risks against different databases is one example of a dynamic tool. This enables compliance departments to stay on top of developments, such as major corruption investigation affecting a supplier, and act on them accordingly.
Another is the use of questionnaires, which allow programs to gather information from third parties and create a permanent record for risk management. This enables compliance departments to track their partners’ constantly evolving risk profile and adjust policies accordingly. That high-performing sales agent you partnered with five years ago in China could by now present a totally different risk depending on a change in their ownership structure or strategic decisions they’ve made, such as whether or not they sell to governments.
Monitoring transaction flows with third parties is another important dynamic aspect of strong compliance. A sudden increase in transaction amounts may signal a need for further checks and diligence. High-risk relationships — such as an agent that sells to the government — may need to be singled out for monitoring on a transaction-by-transaction basis.
Dynamic assessments are key to identifying risks in supposedly “clean” countries that would otherwise stay hidden. Take that Canadian customs agent who would appear to be extremely low risk on a CPI basis. A questionnaire-based assessment could reveal that it works in a several high-risk markets, including some with a high corruption risk.
Harnessing internal resources can also be a vital part of getting a more nuanced, up-to-date portrait of risks. When problems surface with third parties, they’ve often been known about or suspected for years by employees who nevertheless didn’t bring the issue to the company’s attention.
So much of the information needed to build a strong compliance program is at companies’ fingertips in this way, and is far more important than how a country is faring in the CPI.