Chapter 2. Promoting integrity and preventing corruption in state-owned enterprises: What works and what does not?

Resourcing of corruption prevention and detection

Eighty-one percent of participating companies that invest in integrity allocate on average 1.5% of the operational budget to preventing, detecting and addressing corruption and breaches of integrity. Yet “inadequate financial or human resources to invest in integrity and prevent corruption” is considered at least “somewhat of an obstacle” for 40% of SOE respondents. This figure is slightly lower than in private sector companies, as reported by OECD’s Corporate Governance and Business Integrity: A stocktaking of Corporate Practices (2015a), where 26% of respondents felt that they had inadequate financial and human resources to establish an effective integrity policy (OECD, 2015a).

SOEs see allocation of financial and human resources to integrity as more of a burden than the private sector. Overall, 50% of SOE respondents saw such allocation of budget as an investment or asset and 27% saw it as a cost or expense. Corporate Governance and Business Integrity showed that 60% of companies felt such allocation was an investment and only 18% as a cost (OECD, 2015a).

Autonomy of SOE leadership and integrity functions

A distinct difference between SOEs and private companies is the need for board autonomy from the state owner – insulating the board from direction by state representatives that is misaligned with the role of the state as owner as elaborated in the SOE Guidelines. Board autonomy is discussed in Chapter 3.

Figure 2.2. Main activities undertaken by the integrity function

Non-exhaustive list of activities undertaken by SOE units/functions assigned significant responsibility for integrity, according to individual respondents

Note: Based on 347 individual responses. Other was not specified.

Source: OECD 2017 Survey of Anti-Corruption and integrity in SOEs.

Autonomy is also needed for those responsible for integrity to exercise their role objectively and in accordance with the best interests of the company and with international standards. In cases where executive management and those involved in integrity functions, such as the CEO or internal audit, are appointed by the state, this is a direct challenge to the independence and autonomy that the integrity functions and the SOE rely on to mitigate undue influence and to manage conflicts of interest.

The internal audit department is most commonly assigned significant responsibility for promoting and overseeing integrity or integrity policies in participating SOEs (relating to risk, controls, compliance ethics or anti-corruption), but often shares the responsibility with others. Legal departments are the second group most often given this responsibility, followed by internal human resources departments. In most SOEs responsibility for integrity is shared between more than one unit.

In comparison to participating SOEs, private sector companies tend to organise integrity under a specific department, or with the in-house legal department, more often than within the internal audit department. This may suggest a greater reliance on internal audit by SOEs than in private sector. Internal audit in SOEs may also look different than in private sector companies, with the majority of SOEs reporting that their internal audit functions are in line with those of the government or public sector entities rather than in line with other corporations.

One Italian SOE for instance designates both the internal audit department and supervisory body, pursuant to Legislative Decree 231/01, as responsible for promoting and ensuring integrity and anti-corruption through events, training sessions, monitoring activities and issuing internal disciplinary sanctions.

The main activities of SOEs’ integrity functions are provided in Figure 2.2, showing that over 88% of SOE respondents are in companies where the integrity function is responsible for developing and maintaining internal guidelines and controls, undertaking internal audits and also overseeing implementation of internal guidelines and controls. They are also commonly exercising a training or investigative role. Less than 40% of respondents said that their integrity function conducts third-party due diligence.

With regards to internal audit, the OECD SOE Guidelines state that the internal audit function should be monitored by and report directly to the board, and to the audit committee or the equivalent corporate organ. The majority of units responsible for integrity in SOEs report to the CEO or Managing Director, and secondly to the chair of the board or another board member. Good practice holds that companies’ senior corporate officers should have adequate resources. In some cases, the person responsible for the integrity unit sits on the board. Companies with opportunities to report to both have witnessed slightly less corruption or other irregular practices (41%) than companies whose integrity functions report to neither (47%).

Specialised board committees

The SOE Guidelines suggest that “SOE boards should consider setting up specialised committees, composed of independent and qualified members, to support the full board in performing its functions, particularly in respect to audit, risk management and remuneration”.

The most common specialised committees are audit committees (84% of respondents report their SOE has one). More than half of respondents’ companies have a risk management committee, and less than half (43%) have a remuneration committee. Less common, yet in roughly one third of companies, are specialised committees for ethics (39%), compliance (34%) or public procurement (28%).

Respondents in companies with specialised committees in audit, risk management, remuneration and public procurement rate the likelihood of corruption as lower than those whose companies do not have the aforementioned committees. Risk management committees on the board are additionally associated with a lower rate of witnessing corruption than those without risk management committees.

In a few cases, specialised committees may exist external to the board, at the executive management level. This is the case in one Norwegian Company, which has compliance and risk committees that are executive management committees, or in one Italian company that has Control and Risk, Compensation and Sustainability and Scenarios Committees external to the board.

Specialised committees should have adequate autonomy and distance from executive management and employees in order to provide adequate oversight. This is particularly challenging when such committees are established at the executive management level.

Of high importance is the adequacy of the capacity and skills set of those responsible for integrity – including those on specialised committees – and the stature and authority of the departments in the company. Box 2.4 provides suggested questions that may be used by the US Department of Justice, particularly pertaining to the adequacy of autonomy and resourcing of those responsible for integrity in face of corruption suspicions. They are not meant to be used as a specific checklist, but as a guide for companies’ self-evaluation and reflection.

Codes and policies

SOEs may be subject to relevant provisions for preventing, detecting and responding to corruption and other irregular practices found in the overarching legal framework. Such requirements are discussed in Chapter 3. SOEs may also be encouraged to adopt soft law instruments or other national or supranational codes that are not formally part of the legal framework. For instance, Codes of Corporate Governance are often applied on a voluntary comply-or-explain basis. While such voluntary codes play an important role in improving corporate governance arrangements, shareholders may be unclear about their status and implementation. Considerations for the state as owner, including to be informed about the existence and implementation of rules and codes, are made in Chapter 3.

Codes of ethics should apply to the SOEs as a whole and to their subsidiaries. They should give clear and detailed guidance as to the expected conduct of all employees and compliance programmes and measures should be established. It is considered good practice for these codes to be developed in a participatory way in order to involve all the employees and stakeholders concerned. These codes should benefit from visible support and commitment by the boards and senior management. SOEs’ compliance with codes of ethics should be periodically monitored by their boards (OECD, 2015b).

The legal framework will determine which codes and rules are voluntary or Codes may be required on the basis of internal control laws. One Latin American company’s Code of Ethics is required by the Ministry of Public Affairs, while the Code of Conduct is required by relevant Banking Law.

SOEs most often aggregate rules in their standards of codes of conduct, ethics, compliance or other. Codes of conduct should be as comprehensive as possible, particularly where they are considered to be the company’s statement on integrity and anti-corruption, as well as integrity-related action plan or programme. In addition, they may cover issues related to human rights and broader corporate social responsibility. Company examples include:

• A Norwegian company’s policy for Corporate Social Responsibility (CSR), its Integrity Program and its related “Tool Box” are all established on a voluntarily basis, based on COSO. The company has signed the UN Global Compact and reports according to the principles of the Global Reporting Initiative in its annual Sustainability Report.

• In a Polish SOE, the Code defines the principles to be followed by employees and stakeholders in a comprehensive manner, in particular: transparent HR policy, respect for work and professionalism in carrying out tasks, gifts and invitations, conflicts of interest, environmental performance, fair competition, prevention and the fight against fraud and corruption.

• An Italian company, in accordance with the principle of “zero tolerance” towards corruption expressed in the Code of Ethics, has had an articulated system of rules and controls to prevent corruption-related crimes since 2009 in accordance with applicable anti-corruption provisions of international conventions (including the United Nations Convention Against Corruption [UNCAC], the Anti-Bribery Convention, the US Foreign Corrupt Practices Act, the UK Bribery Act and Italian Legislative Decree 231/2001).

Internal controls in accordance with state-owned enterprise risk profiles

The SOE Guidelines suggest that boards of SOEs should develop, implement, monitor and communicate internal controls. How the board does so may depend on the level of corporatisation of the company and its functional independence from the state-ownership entity.

International standards hold that effective internal controls should be developed based on results of robust risk assessments. As mentioned above, explicitly treating corruption risks in risk assessments enables SOEs to have a more realistic risk profile and to address them with measured controls.

The one-third of SOE respondents who reported that ineffective internal controls and risk management is at least “somewhat of an obstacle” to integrity in their company, were more likely to see corruption in their company in the last three years compared to those that do not see controls as ineffective (52% versus 35% respectively).

Controls can be improved. SOEs should align, to the extent possible, its practices with listed companies. Regardless of whether aligned with public or private sector, controls could include, amongst others:

• Accurate books and records that document all financial transactions (Partnering Against Corruption: Principles for Countering Bribery, 2004);

• Prohibition of off the books accounts and transactions, non-existent expenditure, entry of liabilities with incorrect identification of objects, use of false documents, the deliberate destruction of books or house documents earlier than foreseen by law (OECD Anti-Bribery Convention, 1997; UNCAC, 2003);4

• Financial and organisational checks and balances over the enterprises’ accounting and record-keeping practices and other business processes (Transparency International et al. Business Principles for Countering Bribery, 2013);

• Vetting current and future employees with any decision-making authority or in a position to influence business results (World Bank Group’s Integrity Compliance Guidelines, 2010);

• Transparent and multi-step approval and certification processes, including that of decision-making processes, that are appropriate for the value of the transaction and perceived risk of misconduct (World Bank Group’s Integrity Compliance Guidelines, 2010);

• Appropriate contractual obligations for business partners and third parties (World Bank Group’s Integrity Compliance Guidelines, 2010). Third party and vendor management that is in line with the SOEs’ own integrity and anti-corruption policies (discussed below).

Controls should be supported by the human resources department. One control measure proposed in international guidance is to restrict arrangements with former public officials regarding employment or remunerative arrangements. SOEs’ involvement with public officials is more complicated, as many SOE board members or executive management members are themselves considered public officials. The need for merit-based and transparent board nominations procedures are discussed in Chapter 3.

Good practice for listed companies is for internal controls systems to be subject to regular, independent internal and external audits to provide objective assurance and determine the adequacy of controls. The SOE Guidelines also recommend that internal auditors are independent, to ensure an efficient and robust disclosure process and proper internal controls in the broad sense. The data shows that in SOEs with a lack of effectiveness in internal control, there are also greater challenges with effectiveness of internal audit. Improvements to controls and internal audit should thus go hand in hand. Internal audit is discussed further below.

Specific corruption risk areas should be embedded in a company’s codes (of ethics, compliance or conduct) and addressed by associated internal controls. Commonly agreed standards hold that companies should target specifically: bribery, including facilitation payments, conflicts of interest, solicitation and extortion, and special types of expenditures (including gifts, hospitality, travel and entertainment, political contributions, and charitable contributions and sponsorships).

The findings in Chapter 1 on key corruption risks specific to SOEs emphasise the need for SOEs to have additional policies in relation to integrity in public procurement, favouritism (nepotism, cronyism and patronage) and interference in decision-making. SOEs have rules in place for some key high-risk areas, but not all. Respondents report that their SOEs have an average of four out of seven key rules in place, and fewer than ten companies had all of the below in place:

• Eight-three percent have rules for conflict of interest.

• Sixty-six percent have rules for public procurement (as procurer of goods and services).

• Sixty percent have rules for charitable contributions and sponsorships.

• Fifty-four percent have rules for asset/income disclosure.

• Forty-nine percent have rules for public procurement (as bidder).

• Forty-two percent have rules for political party financing or engagement. One company commented that political contributions are simply out of the question and that there was no need to have rules.

• Twenty-three percent have rules for lobbying. One company’s rules regarding lobbying are included in the civil service code, applicable to the SOE.

• SOEs report additional rules relating to anti-money laundering and counter-terrorist financing, travel and gifts, public official meeting registration, election period rules and community relationships, policies and manuals for Politically Exposed Persons (PEPs),5 related party transactions, anti-fraud and anti-market abuse policy.

Existing codes, rules and controls should be based on international norms and, to the extent possible, be consistent across countries in order for constructive comparisons and consistent audits to be made across SOEs within a country. The international norms most commonly referred to by SOEs participating in this study include: those of the OECD; the Institute of Internal Auditors (IIA), COSO, ISO (particularly ISO 37001); the UK Bribery Act, the Foreign Corrupt Practices Act (FCPA); the Global Compact Programme, and; the United Nations’ Convention Against Corruption, Guiding Principles on Business and Human Rights, Convention on the Rights of the Child and the Convention on the Elimination of all Forms of Discrimination against Women and the Principles for Responsible Investment. Some SOEs draw motivation from international comparisons such as Ethisphere's "World's Most Ethical Companies".6

Evidence shows that SOEs must go beyond establishing codes, rules and controls to focus also on their effective dissemination, implementation and enforcement. Almost half of SOE respondents identified a “lack of awareness of legal requirements” as at least “somewhat an obstacle” to integrity. Indeed, a high proportion of respondents within the same company – at the highest echelons of the SOE - could not agree on which rules were in place. In addition, the vast majority of SOEs in the survey have conflict of interest rules (83%), yet the risk of nondeclaration is ranked as one of the highest corruption-related risks for companies in terms of the likelihood of occurrence. Box 2.6 provides questions that SOEs may use to assess the effectiveness of their controls. Mechanisms for detection and response are covered in more detail below.

Disclosure

As a baseline, all SOEs should disclose material financial and non-financial information on the enterprise, including areas of significant concern for the state as an owner and the general public. Large and listed SOEs should disclose according to high quality internationally recognised standards.

An SOEs’ disclosure should be dictated by a clear disclosure policy developed by the ownership entity. It should identify what information should be publicly disclosed, the appropriate channels for disclosure and the mechanisms for ensuring quality of information. The practice of embedding anti-corruption and integrity considerations into the state’s disclosure policy is discussed in Chapter 3.

Table 2.8 provides an overview of the degree to which participating SOEs disclose recommended financial and non-financial information. Thirty-four percent of SOEs disclose material foreseeable risk factors and measures taken to manage such risks, recalling that one in ten companies do not explicitly treat corruption risks as part of risk assessments. Red flags may be falling between the cracks.

Almost half of participating SOEs report on their anti-corruption and integrity efforts and policies in the annual report (44%). Fifteen percent of respondents’ companies only report through internal documents and one percent does not report at all (Figure 2.4).

Figure 2.4. Channels for reporting on company integrity policies or anti-corruption efforts

Note: Based on 347 individual responses about their company, to “How, if at all, is information reported on your company’s integrity policies or anti-corruption efforts?”

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

Internal audit

Internal audit is an independent and objective assurance activity evaluating the effectiveness of a company’s risk management, control and governance. It is important to the achievement of a company’s objectives and supportive of integrity in the company. Moreover, internal audit can further support anti-corruption and integrity efforts in a company by making it a specific audit topic – for instance, assessing the effectiveness of specific controls related to bribery, or, for instance, the effectiveness of an anti-corruption programme’s implementation.

Ninety-two percent of participating SOEs report having an internal audit function, and 84% assign it as at least one of the units or departments with significant responsibility for integrity. Yet, 25% found its ineffectiveness poses obstacles to their company’s integrity. This sub-section considers why.

Sixty four percent of SOEs in the sample are required by law to establish internal audit - the majority of which were required to do so in line with other government departments or agencies. Eighteen percent of all companies are aligned with listed company requirements and 7% with privately incorporated companies (Figure 2.5). One quarter of the sample report that internal audit was established voluntarily, not mandatorily. Finally, 4% (eight companies of an eligible 180) do not have internal audit.

Figure 2.5. Requirements for internal audit in state-owned enterprises

Note: Based on aggregated and comparable responses of 180 SOEs to the question “please best describe your company’s internal audit unit/function”.

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

Figure 2.6 compares the incidence of corruption within companies with the more commonly applied internal audit functions. The findings show that respondents in companies that have internal audit requirements in line with listed companies were more likely to see corruption (57%), compared to those in line with government departments or agencies (40%) and those which voluntarily established internal audit without a requirement (25%). It may be recalled that 42% of respondents report to have witnessed corruption or other irregular practices materialise in the last three years in their company.

Figure 2.6. Witnesses to corruption in companies with different internal audit requirements

Note: Based on 230 individual responses that fell into the three categories of each question: “Please best describe your company’s internal audit unit/function” and “in your assessment, did any of the [listed] risks materialise into activities/actions in the last three years in (or involving) your company?”

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

The 25% of SOE respondents rated “ineffective internal audit” as at least “somewhat of an obstacle to integrity” in their company were more likely to be:

• board members or executive management, as opposed to those in charge of compliance, internal audit, or risk;

• in companies where internal audit is “required in line with government departments/agencies”;

• in companies operating with SOE-specific law and with mixed objectives (commercial with public policy).

Of those who rated “ineffective internal audit” as at least “somewhat of an obstacle to integrity”, 44% had witnessed corrupt or other irregular practices in their company in the last three years – slightly higher than the average of all respondents (42%).

On average, companies’ internal audit departments undertake two of the three following audits: financial, compliance and performance (or operational). Most often, companies conduct compliance audits (88% of respondents’ companies), financial audits (82%) followed by performance audits (71%). Performance audits are usually targeted at efficiency, effectiveness and economy of company processes, and may include, for instance, assessments of quality management systems and of information protection and security. IT audits are also common.

A survey on internal auditors’ perceptions – the Institute of Internal Auditors’ Global Internal Audit Common Body of Knowledge Stakeholder Survey (2015) – suggests that the more tools they have at their disposal for the execution of their duties, the more value added. While it is good practice for SOEs’ annual financial statements to be subject to an independent external audit based on high-quality standards (OECD, 2015b: VI.B), SOEs may also wish to systematise performance auditing that looks at the efficiency and effectiveness of integrity mechanisms in the context of broader corporate governance.

Internal audit, and any audit committee, plays an important oversight role in achievement of objectives. Yet internal audit is not synonymous with monitoring or investing in corruption detection. Internal audit units or departments should not be used as a crutch or replacement for the role of the board in monitoring overall performance of the company. The board also has a responsibility in monitoring the performance of the SOE, the achievement of its goals, and the management of risks – corruption and other – that may detract from such achievement. The board however, may rely on internal audits to inform its monitoring process.

External audit

In conjunction with the SOE Guidelines’ recommendation for internal audit, SOEs’ financial statements should be subject to an independent external audit based on high-quality standards. Twenty-four percent of SOE respondents saw “ineffective external audit” as at least “somewhat an obstacle” to effectively promoting integrity and preventing corruption in, or involving, their companies.

Specific state control procedures should not substitute for an independent external audit (OECD, 2015b). In many countries, the SAI provides oversight, insight and foresight on governance within and across SOEs, as well as of the governance arrangements between SOEs and the state ownership entity. The SAI should not attempt to duplicate such financial audits but should rather focus the audits on the performance and efficiency of SOEs, directing recommendations to the state ownership entity. Examples include:

• a grading of management control environments and financial systems and controls for SOEs, by New Zealand’s Office of the Auditor General

• the National Audit Office of the UK’s value-for-money audit on the existence and structure of SOEs

• audit of the sustainability of SOEs by Portugal’s Tribunal de Contas.

In many countries, notably in Latin America, SOEs are not fully corporatised, or are operated in close proximity to the public administration and are thus often subject to more direct state financial control. The relationship between state auditors and SOEs depends in large part on the institutional arrangements for state ownership and the degree of corporatisation of the SOE sector.  

Some SAIs may have a broader role than in performance audits of individual or a group of SOEs. In Italy some cases8 defined by Law No. 259/1958, a representative from Italy’s SAI - the “Corte dei Conti” - will take part in the meetings of the board of statutory auditors on the board of directors. In Chile, the Contraloria Generale de la Republica undertakes ex ante approval of particular contracts over the threshold amount for the public administration.

Effective monitoring by the board

The board is responsible for monitoring management. Performance monitoring should integrate board expectations for responsible business conduct – an important component of which is anti-corruption and integrity (OECD, 2015b: VI). Section 2.2.3 showed that boards are more informed than executive management on most audit findings and integrity-related assessments.

Boards must be well informed in order to adequately monitor the performance of management, including with respect to integrity and anti-corruption. Boards, to a certain degree rely on the determination of management as to what is materially significant and thus should be shared with the board.

The presence of specific audit, risk or compliance committees may facilitate more regular discussion on the topics. The presence of specialised board committees is associated with fewer reported instances of corrupt or other irregular practices in a company.

The findings in this report may also motivate the board to integrate anti-corruption and integrity performance into board assessments of management. With regards to anti-corruption mechanisms or programmes, boards should have appropriate assurance of the performance of integrity mechanisms and related controls. In 86% of companies, the department assigned significant responsibility for integrity is also responsible for overseeing implementation of internal guidelines or codes.

Key findings that may be useful for monitoring are not always shared with boards (see Table 2.9). A broader range of integrity related outputs are shared with them than with executive management, except in two areas: recommendations from integrity functions and evaluations of internal controls (that may be separate from internal audits). It is possible that boards are missing the complete picture. Indeed, the findings in Chapter 1 demonstrated that board members and executive management have different perspectives on corruption risk in the company, and that these are not aligned with the real incidence of corruption.

There is scope for integrating anti-corruption efforts into company targets and performance appraisal, with associated indicators for measurement. For instance, one Korean SOE has linked integrity into its long-term strategies and goals. The company is meant to (i) constitute the “highest degree” integrity culture, (ii) strengthen control and prevention of corruption, and (iii) establish human rights management. The company has established associated indicators that are internally and externally verified to track their success:

• the external assessment includes evaluations of: (a) integrity, (b) corruption-prevention policies, and (c) of the Korea Business Ethic Index: Sustainable management (KoBEX-SM)

• the internal assessment includes evaluations of (a) integrity, (b) risk assessment of executive members, and (c) the ethical management index, and a “red-face test”.

Box 2.10 highlights suggested elements of a checklist, prepared by Transparency International UK (2012), for monitoring and evaluation of anti-bribery programmes, that may be applicable and informative for other integrity-related mechanisms and programmes that go beyond the scope of bribery.

Detection

Detection makes use of the mechanisms discussed above, including internal audit, external audit, internal controls and complaints channels. International studies on corruption and fraud, corporate misconduct or other irregular practices in the public and private sectors, consistently show internal audit and reporting channels as the most effective means of detection (Table 2.10). This holds for detection of general irregular practices as well as with specific forms of it including foreign bribery and fraud.

Respondents that reported ineffective detection mechanisms (internal audit, whistleblowing, controls and external audit) reported in greater numbers to have witnessed corruption in their company in the last three years. Interestingly, their perception of the effectiveness of detection mechanisms did not change the overall perception of risk likelihood. This confirms that companies with weak detection do not rate present risks in line with perceptions that risks actually occurred in the past.

Forty-three percent of SOE respondents feel that their company’s integrity is at least somewhat challenged by the general perception that the likelihood of being caught for misconduct is low. These companies, in which there is a perception that the likelihood of being caught is low, were more likely to report seeing corruption.

Confidential complaint and advice channels

In pursuit of the SOE Guidelines, ownership entities should ensure that SOEs are responsible for effectively establishing safe-harbours for complaints for employees, either personally or through their representative bodies, or for others outside the SOE. SOE boards could grant employees or their representatives a confidential direct access to someone independent on the board, or to an ombudsman within the enterprise (OECD, 2015b: V.C).

Such channels should be in place for those who wish to report violations of integrity policies or of corruption and other irregular practices, as well as for those who wish to not commit violations and who seek advice. This could include of those who are under pressure to violate rules from superiors (World Bank Group, 2010). Advice and complaint channels should provide a systematic mechanism to assess effectiveness of integrity mechanisms and to manage red flags in particular projects, or business areas.

The following reporting practices emerge from the companies of the 347 respondents:

• Most complaints channels are formalised as a whistleblower mechanism, with 60% of respondents reporting this to be the case. Almost half have online internal and external sites, and just less than half have another in-person option for lodging complaints to report suspected instances of corruption or irregular practices involving the company.

• On average, claims channels are usually open to, or claims are sent to, two individuals or positions within a company: most commonly to those in charge of legal, compliance, risk or audit. Thirty-eight respondent companies channel the information to the CEO or President, and 33% to a member of the board. Companies report that employees and officials are offered the choice of who to go to and how.

• Participating SOEs estimated that almost half, 48%, of all claims made through such channels in the last 12 months pertained to corruption or other related irregular practices.

• Some companies send such reports to specific units -- such as a high level whistleblowing committee; an ethics committee that is separate from the board as in one Italian company; a working group consisting of heads of HR, quality, security and of the management board as does one company in Latvia; an Ethics and Conflict of Interest Prevention Committee and Internal Oversight Department; or to a Chief Governance Officer in a Corporate Governance Office such as in the Philippines; or the quality department, the Ombudsman office, or an Investigation Department as is done in one company in Turkey.

• SOEs in the survey predominantly classify claims as confidential (60%). One third classifies them as anonymous, and the remainder are attributed to the individual making the claim or report (Figure 2.7).

Figure 2.7. Classification of claims: confidential, anonymous or attributed.

Note: Based on the 128 companies that knew how claims were categorised, or that could agree upon the classification (in companies with multiple respondents) in response to: “How are internal and external reports/claims about corruption or other irregular practices categorised/classified when coming through your company’s reporting mechanism”?

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

Three quarters of SOEs offer legal protection from discriminatory or disciplinary action for those who disclose wrongdoing in good faith on reasonable grounds, yet 21% do not. Those that do so are either required by law (45%) or have done so voluntarily (30%).

Of the 42% of respondents that have seen corruption or other irregular practices in their company in the last three years, 92% said they had reported it. One chief compliance officer from a European SOE admitted that he did not report what he saw as the anti-corruption programme had not yet been in place. Of the vast majority of respondents that reported witnessing corrupt or irregular activity, only two reported experiencing retaliation for doing so, which is a much lower rate than those found in another comparable international study (ECI, 2016).

Thirty-seven percent of SOE board members and executive management report that ineffectiveness of reporting channels and whistleblowing mechanisms as an obstacle to integrity in their company. This ranks it amongst the top ten obstacles to integrity of the participating SOEs. Companies should focus not only on the channels but the action undertaken by the reports. As mentioned above, SOEs appear less likely to take strict action (cancelling projects and taking remedial action, for instance) compared to other private companies.

A common concern is that those witnessing corruption will not report for fear of retaliation or discrimination, but only two who saw and reported corruption or other irregular practices experienced retaliation as a result. For one respondent, retaliation came in the form of increased time delays, administrative costs and friction in relationships. Retaliation for "doing the right thing" was generally ranked as a low likelihood of occurrence on average across participating countries.

The general finding that the vast majority were not retaliated against may signal that mechanisms for protecting whistleblowers are effective. Figure 2.8 shows that 70% of respondents report that their company has legal protection for those who disclose wrongdoing, 45% of which do so as required by law. An OECD survey on business integrity and corporate governance showed that over one third of companies surveyed did not have a written policy for protecting whistleblowers from reprisal (OECD, 2015a). OECD’s Committing to Effective Whistleblower Protection, showed that while much progress has been made in whistleblower protection in the public sector that the private sector lagged behind (OECD, 2016b).

Figure 2.8. Protection for those disclosing or reporting wrong-doing in good faith

Note: Based on 129 companies that responded to the question and could agree (where multiple respondents) on the answer to the question “Does your company have legal protection from discriminatory or disciplinary action for those who disclose wrongdoing in good faith, to competent authorities, on reasonable grounds?”

Source: OECD 2017 Survey of anti-corruption and integrity in SOEs.

Another study by the Ethics and Compliance Initiative (2016) showed that of the 34% of respondents in the public sector had observed misconduct, and 32% in the private sector; The majority report the misconduct (59%, both categories), but at least one third (36%) experience retaliation for reporting (private sector 33% and public 41%).

Table 2.11 outlines the ways in which companies do ensure such legal protection in practice. One company provides protection from retaliation on a more subjective basis: if the person reporting is well intentioned and their claims are true. A few report that while protection through law exists that it is only partially guaranteed or it has not been applied. One company “guarantees discretion and confidentiality during the entire disclosure management process, from the time the disclosure is received to the preliminary investigation and conclusion phase”.

Box 2.11 provides example questions that companies may use to self-assess the systems in place for reporting, as put forth in the OECD, UNODC and World Bank, Anti-Corruption Ethics and Compliance Handbook for Business (2013).

Impact, response and improvement

Penalties and their severity for corruption or other irregular practices will vary, and may include the following, based on real cases presented by SOEs and state ownership entities participating in this study:

• civil or criminal fines or sanctions

• imprisonment

• debarment

• dissolution

• organisational restructuring and/or removal of officials or board members

• increased monitoring

• requirements to improve or overhaul integrity measures and/or to or implement compliance or anti-corruption programmes.

Following a corruption investigation in a Dutch SOE, the board chairman, under whose responsibility irregularities took place, left the company. There were additional criminal procedures against some former directors. The SOE’s board of directors was expanded to include a portfolio of Governance, Risk and Compliance. Internal procedures and codes of conduct for procurement (and compliance with them) have been tightened.

In one corruption case, individuals in a Colombian SOE were handed seven prison sentences. Executives in the third-party company with whom the bribery occurred received fines, and the third-party company was debarred and subject to increased monitoring through the SOEs’ compliance division.

The OECD’s Foreign Bribery Report (2014) found that the majority of the 427 foreign bribery cases concluded between 1999 and 2014 resulted predominantly in civil or criminal fines (261). Other types of punishment included confiscation (82), imprisonment (80), compliance programmes (70), injunction (67), suspended prison sentence (38), compensation (12), debarment (2) and dissolution (1). Of the cases for which data was available, 46% had a sanction that was less than 50% of the proceeds obtained by the defendant as a result of bribery foreign public officials. In 13% of cases, the sanction was 50-100% of the profits, in 19% of cases it was 100-200% and in 22% cases it was greater than 200% of the proceeds of the bribe.

SOEs have suffered financial losses and penalties, but are also fearful of reputational damage. Forty-seven percent of surveyed SOEs report financial losses as a result of corruption and other irregular practices, amounting to an average loss of 1.4% of annual corporate profits (including cost estimates relating to compliance with enforcement actions or sanctions that have been paid). Moreover, in establishing prevention and detection mechanisms, SOEs were more motivated by a fear of reputational damage, enforcement or divestment by broader investors (non-state), than by risk of legal or enforcement actions by shareholders. For SOEs that are not listed, and have a larger share of SOE ownership, attention may be paid to the “too public to fail” mentality, where SOEs feel insulated from legal or enforcement action.

SOEs could consult the US’ Department of Justice (DoJ) “Evaluation of Corporate Compliance Programs” (2017) which is a valuable tool for reflecting on the strength of the SOEs’ integrity mechanisms in face of suspected misconduct. As an indication of the types of questions that are asked in evaluations by the DoJ, it is not meant to be a check-the-box list of items. It too should be tailored to an individual company. It can effectively enable SOEs to reverse engineer their integrity and anti-corruption programmes. Examples of these questions that can be used to assess the strength of a company’s response and improvement in face of corruption allegations are provided in Box 2.13.