Corruption risk in the business world: the pillars of effective due diligence

Corruption is still hard to eradicate and even harder to counter with the preventive control measures provided for by the various regulations, by national and international special preventive laws, and by the set of best practices and self-regulation standards that have merged into ISO 37001.

Corruption is such a complex and multifaceted phenomenon that it is pointless to categorise. There are countless corruption-related offences, which today range from traditional direct and indirect corruption to so-called environmental corruption and the “new” corruption between private individuals and the related criminal solicitation (see articles 2635 and 2635a of the Italian Civil Code). The latter offence aligns the Italian system with the main international regulations, based on the now legally undisputed assumption that repression of “public corruption” should also be pursued through repression of “private corruption”, as both equally damage the market and economic and financial stability, and thus the whole public economy.

Specifically, anti-private corruption laws target:

    1. administrators, general managers and executives in charge of drawing up corporate accounting documentation, liquidators and anyone holding managerial functions within the organisational structure of the company or private entity (even non-profits), who, in return for money or other benefits given or promised to themselves or others, perform or omit – even through a third party – acts in breach of the obligations inherent in their role or of their loyalty obligations, with or without harm to the company (Article 2635, paragraph 1 of the Italian Civil Code);
    2. the persons supervised and coordinated by the persons indicated in paragraph 1 (Article 2635, paragraph 2 of the Italian Civil Code);
    3. those who give or promise benefits (so-called “outsiders”) to the persons indicated in the first and second paragraphs in order to persuade the “insiders” (i.e. the parties within the company that omit or perform acts in breach of the obligations inherent in their role) to perform or omit the act from which the harm to the company results. This was (and has remained, as will be discussed below) the only criminally relevant conduct in terms of administrative liability of the entity in whose advantage or interest such conduct was put in place pursuant to Legislative Decree No. 231/2001 (Article 2635, paragraph 3 of the Italian Civil Code, as implemented by Article 25 b of Legislative Decree No. 231/01).

The direct effect of giving anti-private corruption legislation sanctioning power has been the proliferation of internal control procedures and systems to enhance the so-called anti-corruption framework, which is generally part of the broader “prevention of predicate offences that are relevant pursuant to Legislative Decree No. 231/2001” (or “System 231”). This anti-corruption framework consists of a set of organisational rules, procedures and mechanisms aimed at preventing “corruption”, understood in its broadest sense as offering, paying or accepting, directly or indirectly, money or other benefits for the purpose of obtaining or preserving a deal or securing an unfair advantage in relation to one’s business activities.

The diverse regulatory framework of today’s anti-corruption legislation, including Law 190/2012, Legislative Decree No. 33/2013 and Legislative Decree 97/2016 – not to mention other relevant legislation – has been well summarised and adjusted to the purposes of organisational use by private sector companies through the UNI ISO 37001:2016 standard – “Anti-bribery management system”. UNI ISO 37001:2016 specifies the requirements and orientation to define, implement, maintain, update and improve an anti-corruption management system, even if it is already integrated with a general management system (e.g. Model 231).

The self-regulation standard is a useful reference tool to evaluate corporate anti-corruption systems; although it does not provide an exemption from liability, the standard sets two key principles for organisations to assess their corruption risk assessment systems. The first is the need to formalise the corruption risk assessment system, with the purpose of defining, keeping track of, implementing, updating, constantly reviewing and, where needed, improving a system to manage anti-corruption activities, including related procedures and their interconnection, based on preset requirements. The second is the related need to conduct, among other anti-corruption activities, adequate due diligence, also considering that law enforcement investigations cannot be limited by the fact that an organisation has obtained ISO 37001 certification.

The standard provides useful information on the parameters of an organisation to be necessarily assessed when putting anti-corruption policies in place, including:

    1. size, structure and power of attorney system of the organisation,
    2. the geographical area and sectors in which the organisation operates or plans to operate,
    3. nature, extent and complexity of the organisation’s operations and activities,
    4. legal, regulatory, contractual and professional obligations and duties.

The above-mentioned criteria, together with the opportunity to adopt a risk-based approach, better define the scope of due diligence, which is often labelled as a non-homogeneous activity ranging from mere checks on company registers to checks on international databases (so-called watch lists). Such checks are certainly necessary, but they are not enough for counterparty analysis to provide company management with really effective decision-making support.

Counterparty due diligence has to provide decision-makers with operational support through reliable corruption and reputational risk assessment. In this context, a reliable methodology has to involve the evaluation of corruption risk and – in more theoretical terms – reputational risk through the qualitative and quantitative analysis of four main categories (or ‘indices’) of risk:

    1. Country risk, which can be broken down into crime risk (covering organised crime risk, money laundering and terrorism financing risk and, needless to say, corruption risk), political risk (covering security, restrictive measures and sanctions, legal compliance risk) and ethical risk (covering assessments relating to transparency and social development);
    2. Counterparty risk, which can be broken down into risks linked to the composition of corporate structures, the risk arising from the availability of economic and financial information and the risk resulting from criminal proceedings launched by judicial, civil and administrative bodies;
    3. Economic value of contract/supply, i.e. the total amount of the commissioned work or turnover to be developed with the partner/client in the event of a partnership;
    4. Type of relationship, based on the nature of the relationship, be it a mere supply or, as mentioned, a strategic partnership.

Once the risk level has been measured for each of the five areas above, reputational risk will result from the average of the values obtained from the related indices, which can also be expressed – for ease of end user reference – with traffic light indicators corresponding to different risk levels, and in particular:

    1. Low risk (green): the risk associated with the company under assessment is minimal (empirical evidence of low/moderate or almost zero risk), but must in any case be periodically monitored to identify any critical elements that may arise;
    2. Medium risk (yellow): the risk associated with the company under assessment must be taken into due consideration (empirical evidence of significant but not high risk) and should be subject to a formal assessment of any potential critical issues that have emerged (possibly involving senior business development executives);
    3. High risk (red): the risk associated with the company under assessment is severe or, in any case, substantial (empirical evidence of very high or extreme risk) and must be subject to a formal assessment of the potential critical issues that have emerged. The assessment must necessarily involve senior business development executives and, if need be, the company’s control and strategic management and supervision bodies for proper decisions to be made.

In addition to reflecting the criteria of the aforementioned UNI standard, the above-described methodology provides additional and objective value thanks to qualitative and quantitative data analysis that leaves no room for discretion in assessing counterparties.

This tool provides useful support to contain, first, corruption risk in business relations with counterparties inclined to the so-called pactum sceleris (criminal conspiracy) – stigmatised in Roman times and still today resulting in damage and sanctions – and, secondly, reputational risk, which has become increasingly crucial over the last few decades as part of the broader corporate risk management activity, in view of the growing role of brand power in business development strategies.

Romolo Pacifico, Chief Executive Officer of IFI Advisory