In June, Deloitte published One Step Ahead: Obtaining and maintaining the edge, the report of our 2017 survey on Anti-Bribery and Corruption (ABC) in Australia and New Zealand. The survey asked risk leaders across the private, public and non-profit sectors for their perceptions and experiences of bribery and corruption. At a time of greater public scrutiny and political focus – with a number of initiatives taking place across the region that could tighten and heighten corporate ABC responsibilities – some might expect our survey to show a rise in activity since our 2012 and 2015 surveys. But that was not the core theme of our findings. Instead, our findings might indicate a plateauing – even a slowdown – in the development of ABC frameworks. While respondents appreciated the serious reputational implications of a bribery incident, the activity that they reported would not adequately manage that risk. Most senior risk leaders in Australia and New Zealand want to do the right thing, and NEDs play a critical role in guiding them towards that. In this article, and based on our conversations with clients, we unpack five top critical questions that NEDs can ask of the senior executive. 1. How do we know our ABC controls are fit for purpose? One of the survey’s most widely-discussed findings was that amongst respondents for whom the risk of foreign bribery was relevant, only 30% had conducted a bribery risk assessment. Without a comprehensive and regularly-updated risk assessment, an organisation cannot be sure that its ABC countermeasures are proportionate or effective. And further, for organisations operating with the ambit of extraterritorial legislation like the UK’s Bribery Act 2010 – which contains a failure to prevent offence – the absence of meaningful risk assessment could present a problem for an organisation hoping to make use of ‘adequate procedures’-style defences in the event of incidents. The absence of a considered and contextualised risk assessment may explain another finding – that most respondent organisations did not consider bribery to be a ‘top five’ risk. While this might seem reasonable within the vast risk universe in which a modern organisation lives, it is part of a wider family of financial crime and integrity risks that share similar drivers and enablers. That family should be a key concern for all organisations. Risk assessment is not optional – it is the foundation of a responsible organisation’s work to manage any risk, including that of bribery and corruption. 2. Does the senior executive control reputational risk, or does reputational risk control the senior executive? Most respondents considered the greatest consequence of bribery and corruption to be its reputational impact. And yet, the activity they reported to manage that risk did not appear to match that assessment. We found that since 2015, the number of respondents reporting the existence of relevant policies and compliance frameworks had dropped, and that despite a rapidly-changing environment in Australia and the Asia-Pacific region, nearly half of respondents did not plan to update their ABC frameworks in the next five years. A well-functioning ABC control framework can reduce the likelihood of incidents that could materially impact an organisation’s reputation and detect them early, giving the organisation a fighting chance to minimise impact. The quality of the framework marks the difference between reactive and proactive reputational risk management. 3. Is silence golden? One Step Ahead reported that only one in five respondents had detected an incident of corruption in the last five years. At face value, an executive might find a low detection rate encouraging. However, if we take into account the full array of corruption risks covered in our survey (including bribery, unmanaged conflicts of interest and nepotism), then one in five appears less a credible measure of the true scale of the problem, and more indicative of under-detection. This is a common error amongst senior executives. A low detection rate may not, in fact, be indicative of low exposure but symptomatic of low visibility. Corruption, like other financial crime, is a risk whose DNA is to hide. Maintaining our visibility of it requires effort. Consider the coherence, breadth and effectiveness of the detection component of your bribery and corruption control plan. Critical questions might include, does it make use of whistleblowing mechanisms, data analytics and structured proactive review protocols? Are they effective, and how is this validated? Are they embedded in the life of the business, and how does the executive know? Does the organisation’s internal culture help or hinder them? 4. What do you really believe about internal culture? Most of our respondents told us that developing the right culture was a key tool for preventing bribery. As we noted in One Step Ahead, ABC can be a facilitating – even driving – force in helping organisations to define, articulate and develop the cultures they seek. But to what extent does the senior executive truly believe that internal culture can be steered, and how does it evaluate the quality of the organisation’s ABC culture? Appraising culture can be vulnerable to our own cognitive biases, heuristics and errors – and if we think we ‘have the right culture,’ how do we know, and how can we show it? Gathering data to measure the development of culture, aligning ABC cultural development with wider organisational initiatives, and harnessing the power of training and communication to change behaviours are all powerful means to ensure we maintain visibility of this great enabler or disrupter of corruption. After all, even cultures that value compliance with internal controls can contain vulnerabilities. 5. Is the senior executive future-ready, or future-reluctant? There are no signs that the growth in global public scrutiny of corruption is slowing down. In fact, quite the opposite – in Australia, for example, a series of initiatives have the potential to impact upon public and governmental expectations of organisations. These include potential changes to beneficial ownership and whistleblowing legislation, and the introduction of a ‘failure to prevent’ foreign bribery offence along the lines of the UK’s Bribery Act. Aside from the possibility of changes to corporate liability, the scope for the media, activists and other actors to hold organisations to account has never been greater. This is a changing world in which organisations will be – directly or indirectly – increasingly judged by customers, shareholders, regulators and lawyers on the quality of their risk management activity. Senior executives can either prepare to be the kind of organisation that succeeds in that environment – developing and bedding down strong ABC processes – or they can be late adopters, racing to catch up later, weighed down by arms full of potentially materialised risk. This is the key takeaway for readers of One Step Ahead, and demands a fundamental question about the kind of senior executive that yours perceives itself to be. Is it reactive, or proactive? Does it live in the now, or prepare for the future? Is it treading water – or One Step Ahead?