MACC: Minding the gap
According to the annual Deloitte Asia Pacific Regulatory Outlook, the management of risks and behaviours of employees and persons acting on behalf of the organisation has been viewed as a key area of regulatory focus for three consecutive years. Prosecutors and regulators across the region are becoming increasingly active in enforcing anti-bribery and corruption legislation, with the number of enforcement actions and amount of regulatory fines and penalties increasing significantly over the last few years.
MACC Act Section 17A
In Malaysia, the Malaysian Anti-Corruption Commission Act 2009 (“MACC Act”) was amended in 2018 to incorporate Section 17A on corporate liability for corruption. In this regard, any director, controller, officer, partner or manager of a commercial organisation can be personally liable for an offence committed by the organisation unless the individual can prove that the offence was committed without his consent, and that he had exercised the necessary due diligence to prevent the commission of the offence.
In the event a commercial organisation is found liable under Section 17A of the MACC Act, the organisation must prove that adequate procedures were in place to prevent its employee(s) and/or associated persons from undertaking corrupt practices in relation to its business activities. Put simply, a commercial organisation is required to have in place an anti-bribery and corruption (“AB&C”) programme.
Bribery and Corruption Risk Assessment
The foundation of a holistic anti-bribery and corruption (AB&C) programme is a corruption risk assessment, a process to identify, analyse, assess, and prioritise the internal and external corruption risks of the organisation. The AB&C programme should focus on the specific risks of bribery and corruption inherent to the organisation, which derive from the nature, scale and geographies of its operations, and the degree of its business dealings with public officials and third parties. Having understood its risks, the organisation must then set its risk appetite for bribery and corruption, which is the amount of risk it is willing to tolerate in its business operations.
The identification and categorisation of bribery and corruption risks is the first step in the risk assessment framework. This process ensures that all business activities have been considered, with regards to their probability of exposing the organisation to bribery and corruption risk. While there is no universally agreed categorisation of bribery and corruption risk, the UK’s Ministry of Justice Guidance has identified five risk categories in the risk identification process:
A risk evaluation process is typically put into place after identifying the types of bribery and corruption risk, using the “likelihood” and “impact” method. The likelihood of a risk occurring is usually driven by the frequency of a high-risk activity occurring, or the value involved in that activity. The higher the frequency of occurrence or the higher the value involved, the higher the likelihood of the risk occurring. Impact, on the other hand, is measured by the level of effect or consequence arising from the occurrence of the risk event. Some considerations to measure impact include the size of legal fines, the severity of reputational damage, and the repercussions for business profitability.
AB&C Controls and Testing
With a comprehensive understanding of the organisation’s inherent risk rating for bribery and corruption, the next step in the risk assessment process is to identify anti-bribery and corruption controls to manage the risks. In the event a particular inherent risk is not fully mitigated by the existing controls in place (i.e. “residual risk”), a remediation plan must be developed to address the gap(s) and to manage the risk appropriately. The controls in place should also be tested periodically to ensure their effectiveness.
The organisation should also monitor these risks and controls in an organised manner, with regular reports to the Board and senior management. A common monitoring approach is the use of key risk indicators (“KRIs”). These are indicators or metrics used to measure the risks that the organisation is exposed to. KRIs are usually measured against thresholds, which should be set in line with the organisation’s risk appetite as mentioned above.
A bribery and corruption risk assessment should be performed on an annual basis, or at a minimum once every 3 years. This ensures that new risks are identified, in line with the constant change in the business environment and regulatory landscape.
As part of the organisation’s AB&C programme, the risk assessment performed should be independently reviewed and challenged. This ensures that it is comprehensive, accurate, and commensurate with the business nature. This review should be conducted by an independent party who is not involved in performing the risk assessment, such as the internal audit function.
Capitalising on technology
The current era of technological change is dramatically altering the ways in which organisations manage their businesses and risks. Commercial organisations may choose to integrate technology with the existing risk management process, including the AB&C risk assessment. An emerging tool in Malaysia is Deloitte’s Enterprise Risk Assessment tool, a web-based, standardised and automated tool that enables consistent risk assessments across an organisation, covering enterprise-wide risk, regulatory compliance risk, and AB&C risk.
A comprehensive AB&C risk assessment will enable organisations to better understand their risk profile and subsequently improve decision-making and risk management processes. This will help organisations prioritise and focus attention on business activities and relationships which have been identified as more risky. AB&C risk assessments also put commercial organisations on the front foot. If something does go wrong, there is a documented decision-making trail showing that bribery and corruption risk has been managed efficiently and effectively.
The views and opinions expressed in this article are those of Justin Ong, FSI Regulatory Risk Leader of Deloitte Malaysia.