BHP invited 176 government officials and employees of state-owned enterprises – mainly from Asia and Africa – to the 2008 Olympics at its own expense, and ultimately paid for 60 guests and some spouses and others who joined them.
The SEC said the guests enjoyed three and four-day hospitality packages worth between $12,000 to $16,000, including event tickets, luxury hotel accommodations and sightseeing excursions.
An SEC investigation found that BHP “failed to devise and maintain sufficient internal controls over its global hospitality program connected to the company’s sponsorship of the 2008 Summer Olympic Games in Beijing”
“BHP Billiton footed the bill for foreign government officials to attend the Olympics while they were in a position to help the company with its business or regulatory endeavours,” SEC enforcement director Andrew Ceresney said.
Jean-Michael Ferat, Washington managing director of The Claro Group, which deals with disputes, claims and investigations, noted that the SEC did not charge the Aussie miner and oiler with either a “books and records” violation or an anti-bribery offence, but an internal controls violation alone.
“This case appears to be an outlier,” Ferat, who has 18 years of experience in the specialised fields of forensic accounting and fraud detection, said yesterday.
“A look at SEC enforcement actions over the past five years suggests that BHP may be the only instance in which the SEC did not also allege a books and records violation along with an internal control failure. In other words, in the other cases there was shady accounting.
“But with BHP, the SEC found that the company identified a specific corruption risk, established a control to mitigate the risk, but failed to execute it adequately.
“There was no slush fund, and no fake invoices, fictitious vendors, or circuitous payments to government officials. In other words, there was no shady accounting.”
He noted that, to BHP’s credit, the company’s employees actively identified a new corruption risk and sought to mitigate it.
“Where the company apparently went wrong was by not integrating the newly identified risk into its overall risk management process, and not ensuring that the newly established control was adequate to mitigate the risk,” Ferat said.
“Had BHP included the identified risk into its overall risk management process, it likely would have benefited from:
- Visibility of the perceived risk by various parts of the organization including finance, legal, operations and members of the risk committee of the board, if one existed;
- A clear determination of who within the organisation was responsible for mitigating the risk; and
- A chance for internal audit or another group within the organisation to evaluate whether the established controls were sufficient and operating effectively.
Ferat said that while linking detailed internal controls to identified risks was a “laborious task” – made harder in decentralised and far-flung organisations– it was still a powerful compliance tool.
“Compliance professionals and commentators will eventually know whether the BHP case was part of an emerging pattern of internal controls enforcement or a one off anomaly,” Ferat said.
“That's later. For now, issuers should consider shoring up their risk management and internal control processes before the regulators come knocking.”
