"We don't take this data on face value, but look deeper into what it could mean," says Brian Loughman, Americas leader in the EY Fraud and Dispute Services practice. "Some of these people may have heard about these types of practices through the rumor mill, but they may not be in a position to accurately assess the materiality of the activity or the circumstances in which it happens. For example, a business might approach a supplier at the end of the year and say, 'We've spent a lot of money with you this year. How about a deal?' That's a pretty normal request. But if it was looked at in the wrong context, someone might see it as problematic.

"That said," Loughman adds, "even if some of the activities our respondents reported were immaterial or were fairly standard business deals, the prevalence of respondents identifying these practices as happening in their companies shows that you have to be vigilant in terms of compliance. It's a reminder that people may do things, for whatever purposes, that don't necessarily fit your code of conduct or your corporate goals."

Does Compliance Help or Hurt Sales?

The EY study also offers up some compelling data for U.S.-based managers who heed Loughman's call to tighten anti-corruption controls. Thirty-one percent of respondents in businesses whose revenues had increased over the preceding two years rated their organization's ethical standards as very good—while only 18 percent of respondents in businesses that had seen revenues decrease did so. Similarly, 62 percent of respondents from companies with increased revenues are either fairly confident or very confident that their business's operations in different countries meet the same ethical standards. Only 41 percent of respondents from companies with decreased revenues answered this way. (See Figure 3, on page 2.)

Certainly, these results don't establish causality; it's not necessarily true that being more ethical brings a company more income. Perhaps instead the businesses with a higher revenue growth rate can afford to be more ethical, or perhaps they pay well enough that employees feel less pressure to succumb to dishonest practices. Nevertheless, Loughman points out: "This seems to suggest fairly strongly that having a good compliance program is not a barrier to growth.

"It is quite interesting," he adds. "If you're a compliance person for a business operating in frontier or fast-growing markets, you'll often hear, 'The other guys don't have to deal with this stuff. We're not going to be able to win business if we meet all these compliance policies.' This data would suggest that that's not necessarily true. In fact, I'd say this flies in the face of conventional business wisdom that in some of these markets, to get more growth you have to bend the rules a little bit."

How to Prevent Corruption in Payments, and Elsewhere

For treasury, finance, and risk management professionals who are encouraged by these survey results, Loughman suggests that the most important way to prevent corruption in foreign subsidiaries is to develop a deep understanding of the various markets in which the company does business. "Absorb all the external information you can about the market," he suggests. "Look at the types of business you're in, and do a risk assessment around what are likely to be the biggest risks to your operations in each region. Absorb those same types of information from your internal operations teams as well."

The point of the risk assessment is to determine which risks the company needs to focus on within each region and/or business unit, as well as how to cultivate the right kind of ethical environment within the organization. When senior management reaches consensus in these areas, the company is ready to develop a code of conduct around bribery and corruption.

The code of conduct needs to include a clear and unambiguous statement of the company's general approach to bribery and corruption, Loughman says. "It should say something like: 'We don't allow bribery of any kind, for government customers or in commercial business relationships. It's inappropriate,'" he says. "It's also often a good idea to wrap your anti-corruption goals into your overall goals. So if one of your strategic objectives is to have the strongest brand in your market, then you can tie corporate anti-corruption policy in with the damage that is done to a brand if the company is seen as a dirty player."

In addition to these summary-level goals, the company needs an anti-corruption policy that provides basic operational guidance, including the do's and don'ts of allowable activity in high-risk areas, Loughman says. Depending on the risks that the company identifies as most important, the policy might address controls around the retention of third-party consultants who are engaged in discretionary work and who are bringing influence to bear. It might set limits on travel and entertainment spending. And it might define the approvals that an employee needs to get if a customer asks for an unusual favor.

"You have to make sure the legacy internal controls are robust, and clearly define those controls in your ABAC [anti-bribery and corruption] policy," Loughman says. "The best corporate codes of conduct provide a big picture of what activities the company does and does not allow, while also providing more granular information about what is acceptable within the specific context of each geography or each particular line of business. So if you're an employee in Business A in China, you can pull up a page of the code of conduct that addresses the issues you are most likely to face. When it's lunar new year, you want employees to have a stock response if business associates are expecting a red envelope."

Then the compliance and finance teams need to routinely test the controls outlined in the code of conduct to make sure they continue to be operationally effective. For example, Loughman says, consider the controls a company might establish to prevent employees from retaining third-party firms under the guise of a consulting service, while their true goal is just to funnel money out of the business. "Testing these controls requires some straightforward blocking and tackling," he says. "You should look at the vendor setup process, at who has to sign off on new vendors to enter them into the accounts payable system. You also need to look at whether employees are performing any due diligence to be sure everyone understands who a new vendor really is—in other words, to make sure the 'consultant' doesn't have a family member who's a government official.

"As you test for these things, it's relatively straightforward to look at activities and make sure you have the right approval process in place," Loughman adds. "You also need the right thought process around payments. When the company receives an invoice that simply says 'Miscellaneous consulting work, $100,000,' will someone challenge that? Will people try to gather more information about what work was really performed? Is there a separation of duties around that sort of payment?

"The entire program should be structured toward the particular risks you're trying to control for," Loughman adds. "A company would take a slightly different approach if it were looking to regulate cash in the business. It would still need to test its compliance processes, but the code of conduct and the testing of controls would look different."

It All Comes Back to the People

One of the key goals of developing a corporate anti-bribery and corruption policy needs to be making it easy for employees to understand what they're supposed to do, and then to take those actions. To that end, Loughman says, training needs to be useful, and it needs to present real-world examples that employees on the ground in different locales can relate to. ABAC training programs also need to make clear the consequences employees face if they do something inappropriate.

It's also important for employees in different parts of the world to understand exactly where the management team stands with regard to bribery and corruption. "We talk a lot about tone at the top," Loughman says, "but it's also really important to set the right tone at the middle. Compliance isn't just about the 'grand pooh-bah' showing up once in a blue moon and making some pithy statements about appropriate activity. In order for the 'tone at the top' to be meaningful, it has to be present—which means that the managers whom people see day in and day out also need to be promoting the right kinds of behavior." For midlevel leadership roles, including the regional finance, compliance, and legal teams, hiring people you can trust is absolutely crucial.