CHAPTER 8: INVESTIGATING BRIBERY

It is essential that the organisation’s policies relating to investigation and consequences are fully understood before any ISO 37001 implementation is planned.

ISO 37001 requires that there are processes for investigating bribery or any weakness in the ABMS, and that appropriate action is taken if the investigation reveals bribery or any breach or weakness within the ABMS. This is a good starting point for any ABMS and, of course, these processes need to be risk based and proportionate.

Some organisations, particularly smaller ones, may have no formal investigation processes, so some consultancy help may be needed initially. Other organisations prefer to use specialist consultants for all such services. All decision making on the instigation and outcome of investigations needs to come from top management.

It is essential that the organisation’s compliance policies about investigation and consequences are fully understood by all layers of management, and that there is a commitment to consistent application. One true test of an organisation’s commitment to an ABMS is investigating someone who is commercially very important to the organisation. Where bribery is occurring it is likely that the perpetrators are just these individuals, ones who have been bringing in good results for the organisation (through their corrupt activities).

An investigation process that is just used to hasten the exit of staff seen as inefficient brings the legitimacy of the process into disrepute. Inefficiency is an HR or commercial issue. Such misuse would also make real investigations more difficult to conduct. Top management need to lead on this point and try to apply a ‘without fear or favour’ policy when instigating an investigation.

The nuts and bolts

If there isn’t already an agreed process for investigating bribery allegations, Finance may have one relating to counter-fraud investigations. The branch of accountancy involved in identifying vulnerabilities and managing outcomes from fraud is called forensic accountancy, and larger auditing firms have their own team to support clients.

Fraud is a very broad term that covers a number of crimes and other regulatory infringements. Risks of fraud might range from relatively minor abuses of staff travel and entertainment expense accounts, to organised and systematic corporate frauds that could impact the ongoing viability of the organisation. There is a direct link between bribery and fraud, especially where it is alleged that there has been collusion between a customer and/or contractor and a member of staff.

Some fraud falls within a broader definition of cyber crime, and those responsible for identifying vulnerabilities and investigating breaches of information security are often separate from those involved with forensic accountancy, although some organisations ensure there is a crossover.

HR departments usually have processes to investigate allegations of misconduct or other inappropriate behaviour in the workplace. This might include discrimination or bullying, which can have a direct bearing on fraud and bribery, e.g. where a supervisor coerces their direct reports to either cooperate with or keep silent about their own wrongdoing. There could be a direct link if a member of staff alleges that a corrupt line manager is trying to manage them out of the business due to what they know about the manager’s improper activity. This could even be someone at board level.

If these investigative processes aren’t in place, they need to be, because there may be legal consequences for not looking at all these matters, e.g. a greater risk of prosecution under the Bribery Act 2010.

As with all business planning there needs to be a clear goal, or a set of outcomes expected from the investigation process.

These could include:

  • Establishing if there are any local processes and procedures for investigation within the organisation, even if they are not called such. Depending on the size and structure of the organisation, it may be necessary to consult the HR, IT, information security, finance and legal functions on these points. Smaller organisations are likely to take legal advice at an early stage. If necessary, a gap analysis should be done across the organisation to see if there is any duplication or conflict.

  • Deciding who will be responsible for managing investigations. Top management support is vital with bribery and fraud allegations. A very senior manager – possibly the chairman or a non-executive director – will be informed about all such allegations. They will also receive reports on the progress of investigations and personally agree to any external actions, such as hiring external investigators or involving the police.

  • Decision making at top management level is important because there is a distinct possibility that the allegations may involve one or more senior members of staff or, perhaps, a high-profile consultant or subcontractor. Even if more senior individuals are not directly involved in the alleged scheme, they may have knowledge of it, or prefer to cover it up once it is brought to their attention. Without such controls, unsubstantiated allegations could be unfairly disseminated throughout the organisation and, equally, if there are guilty parties, then their allies could destroy evidence or covertly obstruct an investigation. Nobody likes to think of trusted colleagues doing such things but the risk exists.

  • Where the organisation has a compliance manager (as required by ISO 37001), they will often be the point of preliminary investigation. This needs to be supported by top management. They supervise the investigations or delegate to others better qualified. A specialist consultant can be employed, e.g. a security, HR, legal or forensic accountancy specialist, depending on the circumstances, and they would normally report through the compliance manager, unless it were decided that they should report directly to top management or the board.

  • Clear terms of engagement need to be agreed with either internal or external consultants. Investigations are potentially delicate and the investigator must be aware in advance of the approach to be taken and any limitations to their role the organisation wishes to impose. An external investigator needs to demonstrate competence and discretion. The slightest deviation from this standard should lead to termination of the contract.

  • A predetermined policy needs to be agreed by top management about the outcome of investigations where wrongdoing is established. This might involve disciplinary action, dismissal or referral to the police. No matter how senior or valuable an employee may be, appropriate action must be taken.

  • HR management will need to be consulted if there is the potential for disciplinary or other formal action against staff. A predetermined protocol needs to be established.

  • If the findings of any investigations implicate a contractor or a customer, then specialist legal counsel will definitely need to be taken. There is a bigger risk of conspiracy allegations being made by prosecutors against the organisation at a later date, if it is felt a blind eye was turned to any third-party dishonesty.

Investigations are complex and may be new to a client. Yet an ABMS is important if procedures and policies are not in place for investigations.

One approach is always to treat investigations not just as the teeth of the process but as a way to identify new and emerging risks and the opportunity for continual improvement.
