In terms of global anti-bribery compliance, the concept of proportionate policies and procedures must always be kept in mind in designing a compliance program and in implementing internal controls. Both the UK Bribery Act and the related guidance for commercial organizations places considerable emphasis on the proportionality of policies and procedures. The FCPA Resource Guide also focuses on the proportionality of policies and procedures, particularly as they may relate to risk.
Regardless of the nature of an entity or what activities in which it may be engaged, its resources are not unlimited. Any entity must allocate and apportion its resources among competing demands. In the context of anti-bribery compliance, the guidance is consistent in requiring that greater attention and resources be devoted to higher-risk situations. An entity is not expected to apply the same level of attention and resources to all situations, especially where there are substantial differences in the level of risk. However, an entity operating in a number of high-risk situations will need to devote much more in the way of resources than an entity subject to fewer situations in which the risk is high.
Implicit in the guidance is a general recognition that the compliance program of a smaller entity need not have the same level of formality and resources as that of a larger entity. As is noted in the U.S. Sentencing Guidelines, “[i]n appropriate circumstances, reliance on existing resources and simple systems can demonstrate a degree of commitment that, for a large organization, would only be demonstrated through more formally planned and implemented systems.”
Considerations of proportionally always need to be kept in mind. Too often, smaller entities are overwhelmed by the prospect of implementing a compliance program. There is a mistaken impression that they are required to implement a compliance program like those of much larger entities or those of smaller entities subject to far more high-risk situations. The result is that many smaller entities are reluctant to even take the first step. In so doing, they put themselves at risk in simply hoping that a problem does not arise.