Last April Transparency International UK released a very interesting report on the quality of corporate anti-bribery compliance programs in the defense industry. (This was the second such report; the first was issued in 2015). The report evaluated the ethics and anti-bribery compliance programs of 163 defense companies along five dimensions (leadership & governance, risk management, policies & codes, training, personnel & helplines) using publicly available information, supplemented with additional internal information from 63 cooperating firms, and assigned each firm a letter grade (A-F). The most eye-catching result, and the one that has gotten the most attention in the press releases and reporting on the report, is how badly the defense industry seems to be doing overall on this issue: Of the 163 firms included in the review, there were 4 As, 23 Bs, 29 Cs, 31 Ds, 19 Es, and 57 Fs. Thus, fewer than 17% of the defense firms examined scored in the A or B range, while close to half (47%) received a failing grade of E or F.
That’s certainly a notable and important (and depressing) finding, but digging a bit deeper, there are a few other interesting features of the report that have gotten a bit less attention, and are worth highlighting.
- First, as the report itself emphasizes, although the overall performance of the defense firms seems discouraging, in fact the trend—when one compares the 2015 report to the 2012 report—is quite positive. Although only 17% of companies scored in the A-B range in the 2015 report, that’s still a significant improvement from 2012, when only 8% of companies scored in that range. And of the 127 companies included in both the 2012 and 2015 reports, 76 of them (60%) showed improvement between 2012 and 2015; 42 of those 76 (33% of the companies covered in both reports) improved significantly enough to improve their letter grade. This improvement is even more notable given that the grading was actually a bit tougher in 2015 than it was in 2012, with more questions and more demanding evaluation criteria. So despite the fact that there’s still obviously a long way to go, the story is at least somewhat encouraging. There appears to be genuine improvement.
- Another interesting (and not terribly surprising) result concerns the regional distribution of the best- and worst-performing firms. Long-story short: firms from the U.S., Canada, and Western Europe tend to do fairly well, while firms from China, Russia, Eastern Europe, the Middle East (other than Israel), and other parts of the developing world tend to do badly. It’s a bit tricky to assess the breakdown from the report itself, which unfortunately looks only at larger regional groupings that lump together very different countries (“Europe & Central Asia”, for example, includes both Western European firms, which tend to do fairly well, and Russian firms, which are almost uniformly awful), so I did a bit of additional sorting. For simplicity, I’ll just categorize firm’s performance as “pass” (grades A-D) or “fail” (grades E-F). In North America (basically the U.S., though I think there’s one Canadian firm in there), 33 of 54 companies (80%) got a pass grade, and in Western Europe, 35 of 45 companies (78%) got a pass grade. By contrast, all 11 Russian firms got a failing grade, as did all 9 firms from other former Soviet republics or formerly communist countries of Eastern Europe, all three firms from China, all five from Middle Eastern countries other than Israel, three of the four Indian firms, and two of the three Turkish firms. (In the case of India and Turkey, the non-failing firms got “Ds”). There are likely many reasons for this big gap in performance, including history, resources, corporate culture, etc., but at least one plausible contributing factor is the legal environment. Those firms that are likely to be subject to jurisdiction of the U.S. FCPA or the U.K. Bribery Act seem to have much better corporate compliance programs, on average, than those that don’t. Another piece of suggestive evidence that the legal environment matters is the fact that, as the report notes, among the Western European firms, the best performers are disproportionately U.K. firms, who may have been responding to the passage of the UKBA.
- The report also seems to corroborate the belief that larger, more sophisticated firms are more likely to have robust compliance programs. The big, famous defense contractors (Bechtel, Lockheed Martin, Raytheon, Northrop Grumman, KBR, United Technologies, Airbus, BAE Systems, Rolls Royce) tend to cluster at the high end of the range. This is not universally true, but in eyeballing the list, it looks like most of the firms (at least in North America and Western Europe) that get lousy grades are smaller, less well-known companies. (This appears less true for Japanese and South Korean firms–even big players like Mitsubishi, Samsung, and Toshiba get Ds–though the sample is much smaller.) There’s also a belief in some quarters that firms that have been the subject of FCPA enforcement actions (or similar proceedings) tend to have better compliance programs as a result, either because they learn from their bad experience to take compliance seriously, or because improvement in the firm’s compliance system is part of the settlement or demanded by a government-imposed monitor. The report seems consistent with that notion, as some of the firms that have been the subject of very high-profile anti-bribery investigations seem to score quite well (Lockheed Marin, KBR, BAE), but there’s not a large enough sample to really know.
- Although the headline grades are the most attention-grabbing feature of the report, the report is perhaps even more useful in drilling down a bit deeper into where companies in the industry are most in need of improvement. Two in particular jumped out at me: due diligence on third-party agents, and whistleblower mechanisms. With respect to the former, although most companies (including almost all companies that get at least a C grade overall) inform their agents of their opposition to bribery and corruption, less than one-third of the companies examined explicitly state (in a publicly accessible source) that they insist on anti-bribery compliance terms in their contracts with these agents, along with mechanisms for monitoring compliance with these terms. Moreover, only about one-third of companies provide some public evidence that they conduct due diligence on third-party agents, and less than 10% (13 out of 163) provide evidence that this due diligence is “refreshed at regular intervals.” If so, this finding is quite troubling, given that third-party agents present some of the most significant bribery risk. It’s possible, of course, that many firms are actually doing quite a bit more to monitor and control third-party agents, but it’s not public. (Oddly, on this topic the report doesn’t compare the general results to the results just for firms that supplied internal information, even though the report does this for other issues. So it’s hard to tell.) As for whistleblower mechanisms, while most companies had whistleblowing mechanisms, only 8 of 163 “actively support and follow-up on their use.” Among the firms that provided internal information, the results were not much better—only 19 of 63 such firms (30%) got a high score on implementation of the whistleblower program; given that the firms that were willing to supply internal information are probably the ones that are most likely to have strong programs, this is a dispiriting result. For both third-party agent monitoring and for whistleblowing, the picture that emerges is of many firms getting the message that they need to have some sort of program in place—a box needs to be ticked—but far fewer firms investing significant resources on an ongoing basis to make sure the program actually works as intended.
There’s a lot more in the report, and it’s worth reading (it’s quite short). I’ll close here with a couple of additional observations.
- First, the report focuses primarily on formal aspects of a firm’s anti-bribery compliance program. Whether these programs are actually implemented effectively is another matter. That’s not a criticism of the report, which is clear about what it does and doesn’t do. Information on the formal program is important. But a good grade on this report care is a necessary but not sufficient condition for an effective compliance program.
- Second, although this report focuses on the defense industry, it seemed to me that the same methods could—and should—be used to assess ethics and anti-bribery compliance programs more generally. True, some of the questions in this report focus on issues specific (though perhaps not unique) to the defense industry, such as the use of “offset contracts” (where the contractor pledges to spend or invest some portion of the contract price in the procuring country). But most of the questions are much more general. It would be great to conduct this same exercise to other industries (e.g., pharmaceutical, extractives), or perhaps just to the Fortune 500 (or Fortune 100, if 500 is too much). As some of our readers may know, some earlier posts (see here, here, and here) have discussed various efforts underway to assess the quality of companies’ compliance programs. The TI-UK report on the defense industry is as good as anything I’ve seen, and certainly much more transparent than many of the black-box assessment techniques used by private firms. I realize that these surveys are resource-intensive, but I think it would be great if TI, other organizations, and—perhaps most importantly—those with the ability to fund such reports push further with these efforts.