Skip to main content

Compliance lacks clarity

Our 2017 survey finds that a significant number of employees misunderstand critical elements of compliance policies and processes, highlighting areas where organizations should work to clarify and raise awareness of what ethical conduct looks like. As a matter of urgency, leaders should make sure that they know the answers to the following questions.

Do employees understand your ABAC policies?

According to our 2017 survey, for the vast majority of organizations, the answer to this question is likely to be: “No.”

A massive 85% of our respondents want to change their organization’s ABAC policy to make it more understandable. Specifically, they think existing policies are too long and use unnecessarily complex language (including legal jargon).


Beyond simplifying and shortening ABAC policies, employees believe understanding would be greatly helped if policies are provided in the local language and explained in terms of real-world, local business examples that clearly demonstrate compliant behavior.

Almost a quarter (24%) of respondents believe their head office does not provide enough budget and decision-making authority to local business management to fight bribery and corruption in their market.

What changes would you make to your company’s ABAC policy?

  • I would shorten the policy to focus on key messages
  • I would simplify the language of the text
  • I would localize all scenarios and language for it to make sense to our local business activities
  • I would change all of the above


Is your code of conduct practical?

A significant minority (39%) of respondents say their code of conduct has little impact on actual employee behavior, perhaps in part because employees either do not understand or do not see the relevance of this element of compliance. Two years ago, a majority of employees told us their code of conduct should be more flexible to accommodate local needs. Our 2017 survey finds little has changed, with 57% of respondents once again agreeing with this point. Some respondents also believe there is a disconnect between directives from head office and the realities of the local market. A worrying 14% of respondents believe that the management team at head office does not understand the local business environment.

Organizations must test their codes of conduct for local understanding and clarify as needed to fit with business practices on the ground.

Do you have a well-articulated gift giving and entertainment policy?

Our 2017 survey finds that many organizations are failing to provide adequate direction around gift giving and entertainment. More than one-third of respondents say their organization either has no gift giving policy at all, or that they have a policy but it is vague and they do not understand it. Interestingly, the majority of employees have strong opinions about what their gift giving policy should be. Almost 60% of respondents want their organization to avoid all ambiguity and provide employees with an exact monetary amount for gift giving and entertainment.



Clear policies and procedures around gift giving are essential, as temptations for bribery and corruption abound. Best practice includes:

  • Communicating a clear policy statement in the local language
  • Setting a ‘no-exceptions’ monetary limit
  • Clarifying the approval process for gifts within this limit
  • Describing what are and what aren’t suitable gifts or entertainment options
  • Explaining in unambiguous terms the potential implications of non-compliance

“Organizations need clear, simple policies that make it easy for front-line employees to politely decline a request for a deviation.”


Emmanuel Vignal, Greater China Leader, Forensic & Integrity Services

Are you tackling the complexities of third-party risk management effectively?

  • Increased organizational reliance on third parties 

    In the two years since our 2015 survey, the ecosystem of third parties has grown more complex, as companies have changed their business models to take out costs and secure growth in new markets. With more outsourced or distributed functions, new players in their supply chains and organizational reliance on third parties has never been greater nor the risk more far reaching.

    Our 2017 survey finds an increase in awareness of third-party risk — 62% up from 55% in 2015. Three in five respondents believe that third parties constitute a “significant risk” to their organization. In relation to the third parties they work with, more than 80% say it is important to understand each organization’s: media coverage of fraud, bribery and corruption; past or current litigation; and its compliance culture.

  • Gaps in third-party risk management

    Our findings suggest that, even though a majority of respondents recognize third-party risk as a concern, a significant number of organizations in APAC are still not proactive enough when it comes to on-boarding and monitoring their business relationships. Nearly a third (32%) of the respondents say their organizations do not conduct any audit reviews of their third parties or are unaware of such activities when managing existing ones. As third parties continue to be the nexus between companies and recent FCPA (Foreign Corrupt Practices Act) enforcement actions, it is critical that relationships are scrutinized with more care and consistency. Faced with limited budgets and growing number of business relationships, companies need to have a risk-based third-party management approach by categorizing each of their third parties into low, medium or high-risk entities and conduct appropriate levels of integrity due diligence to understand the compliance risks associated with new and existing business partners. Business volume, nature of the business relationship, location of operations, government interactions and history of wrongdoings are all factors that can help determine the level of risk and scrutiny required to manage third parties. If deemed high risk or if any red flags were found, a more frequent and comprehensive audit approach should be incorporated throughout the life-cycle of the business relationship. Since the level of risk may increase after on-boarding, companies need to proactively monitor their third parties by identifying changes in ownership structures or new compliance red flags. Our 2017 survey findings suggest that many organizations are neither equipped to detect changes in third-party risk conditions nor able to adapt appropriately.

    As a priority, companies should harness the digitized information now available for third-party risk assessment. Organizations can use forensic data analytics to quickly transform large volumes of transactional and publicly available data into valuable actionable business intelligence. This will enable the appropriate monitoring and review of risk drivers, so that companies’ compliance functions can respond accordingly.

    More than a quarter (26%) of respondents do not know whether their organization is conducting compliance audits, suggesting gaps in communication around third-party risk. Assessing risk exposure requires multiple functions such as procurement, sales, marketing and legal to manage third parties in accordance with firm policy.

“As ethical behavior becomes a market differentiator, senior management should be more involved in conversations around thirdparty risk management. In today’s fast-changing environment, relationships are complex and dynamic, requiring continuous third-party risk monitoring. Companies will need to leverage digital data in the most cost efficient and effective way to address key risks around third parties and their activities.”


Reuben Khoo, ASEAN Leader, Forensic & Integrity Services; APAC Leader, Forensic Technology & Discovery Services

A graph

Q. How significant of a risk do you think each of the following is to your business in relation to bribery and corruption?
Base: Total respondents (1,598), except India.

Back to top