
Returning to Venezuela: Part 1 – Bribery, Corruption and the Risks You Must Confront Before You Enter

When US energy companies talk about returning to Venezuela, the conversation almost always starts with opportunity. Yet the CEO of Exxon has said Venezuela is ‘uninvestible’. There is another set of problems that every corporate compliance team will face if their company decides to enter the Brazilian market. For the compliance professional, it must start with corruption. Not episodic corruption. Not bad actors at the margins. Systemic, embedded, institutionalized corruption that touches government agencies, state-owned enterprises, procurement systems, and the judiciary. This is not a theoretical risk. It is the operating environment.

The Department of Justice (DOJ) has made clear in the Evaluation of Corporate Compliance Programs (ECCP) that high-risk jurisdictions require tailored, well-resourced, and empowered compliance programs. Venezuela is the textbook example of why. Over the next several blog posts, we will explore key issues every company and CCO will face when considering whether to enter (or re-enter) Venezuela. In Parts 1 and 2, I will consider the top 10 anti-bribery/anti-corruption (ABC) risks a compliance professional will face. (Part 1, risks 1-5; Part 2, risks 6-10). We will then consider AML risk, export control and trade sanctions, security risks, and end with operational risks.

1. Systemic Corruption Is the Baseline Condition

Risk

Venezuela is not a market where corruption appears as an exception. It is the default condition against which all business activity must be measured. For compliance professionals, this means risk assessments cannot ask whether corruption exists. They must assume it does and ask where pressure will arise. Licensing, customs, inspections, labor issues, utilities, and currency all present opportunities for improper advantage. Boards must understand this upfront. Entering Venezuela without acknowledging systemic corruption is not optimism. It is a governance failure.

Compliance Framework Response

Before addressing individual risks, the compliance function must establish baseline principles governing how risk is assessed and managed in Venezuela.

  1. Assume corruption pressure exists. The risk assessment does not ask if corruption will arise, but where and how.
  2. Controls must be operational, not theoretical. Policies without authority, monitoring, and escalation are not controls.
  3. Risk ownership must be explicit. Every risk category has a business owner, a compliance owner, and a board oversight hook.
  4. Boards govern risk; they do not run operations. Oversight is mandatory. Tactical interference is prohibited.

2. PdVSA as a Prominent and Persistent Risk

Risk

Any discussion of bribery risk in Venezuela must begin with Petróleos de Venezuela S.A. (PdVSA), which has been at the center of some of the most significant corruption schemes in modern enforcement history, involving contracts, invoices, intermediaries, and payment routing. Indeed, 10 years ago, I wrote that it would cost a fortune to schedule and confirm a meeting. But companies make the mistake of treating PdVSA as a single risk node. In reality, it is a network risk. Joint ventures, service contracts, maintenance agreements, and procurement relationships all radiate outward, exposing the organization to corruption. If your counterparty touches PdVSA, you have inherited PdVSA risk.

Compliance Framework Response

The starting point is a Venezuela-specific bribery and corruption risk assessment, refreshed whenever business scope, counterparties, or operating conditions change.

This assessment must:

  • Map all government touchpoints;
  • Identify all third parties by function, not just by name;
  • Distinguish systemic risk from transactional risk; and
  • Flag PdVSA exposure explicitly.

Outputs are not static reports. They are control design inputs.

3. Joint Ventures and Service Contracts: Shared Risk, Shared Liability

Risk

Joint ventures are often framed as risk mitigation tools. In Venezuela, they frequently do the opposite. Local partners may be politically connected. Governance structures may be opaque. Control rights may be illusory. Compliance professionals must scrutinize who appoints management, who controls procurement, and who interacts with government officials. Under the ECCP, regulators ask whether compliance has authority commensurate with risk. In a Venezuelan JV, symbolic compliance oversight is not enough.

Compliance Framework Response

1. Assessment Controls

  • Government interaction mapping by function and frequency
  • Identification of pressure points where discretion exists
  • Historical analysis of delays, denials, or unexplained variability

2. Management Controls

  • Pre-approval requirements for all government-facing interactions
  • Clear prohibitions on facilitation payments
  • Mandatory escalation for any demand tied to speed, access, or discretion

3. Monitoring

  • Trend analysis of approvals and delays
  • Comparison of processing times across regions or projects

4. Board Oversight Questions

  • Where do we face the highest government discretion risk?
  • What interactions cannot proceed without a compliance sign-off?

4. Procurement as the First Corruption Flashpoint

Risk

Procurement is where corruption pressure materializes fastest. Vendors expect to be paid for access. Officials expect influence. Intermediaries promise to “make things happen.” This is even more true in Venezuela. This is where third parties begin to matter and where compliance must be in place before contracts are signed. Retrospective diligence does not cure a corrupted procurement process. Boards should demand visibility into how vendors are selected, not just who they are.

Compliance Framework Response

1. Assessment Controls

  • Explicit identification of direct and indirect PdVSA touchpoints
  • Mapping of PdVSA influence over pricing, approvals, and payments
  • Review of historical enforcement patterns tied to similar structures

2. Management Controls

  • Enhanced due diligence for any counterparty touching PdVSA
  • Compliance approval of all PdVSA-facing contract terms
  • Segregation of duties around invoicing and change orders

3. Monitoring

  • Continuous review of intermediaries interacting with PdVSA
  • Red flag monitoring for unusual invoice timing or routing

4. Board Oversight Questions

  • How are PdVSA’s risks different from those of other SOEs we engage with?
  • What controls exist beyond standard third-party diligence?

5. The Illusion of “Routine” Government Interaction

Risk

Companies often underestimate corruption risk by labeling interactions as routine: inspections, permits, customs clearances, utilities, and labor approvals. And yes, the DOJ has said it will back off on enforcement of small payments, which may be traditionally made, but in Venezuela, routine functions are often monetized. Compliance programs must draw hard lines early and firmly.

Compliance Framework Response

1. Assessment Controls

  • Governance and control-rights analysis
  • Identification of who appoints management and controls procurement
  • Mapping of partner government relationships

2. Management Controls

  • Contractual compliance rights with audit and termination authority
  • Compliance veto power over high-risk activities
  • Mandatory training for JV-appointed personnel

3. Monitoring

  • Periodic compliance audits of JV operations
  • Review of partner interactions with officials

4. Board Oversight Questions

  • Where do we lack real compliance leverage in our JVs?
  • Are control rights aligned with our risk exposure?

Join us tomorrow as we look at ABC risks 6-10, including third parties, extortion, organized crime, currency issues, and a weak rule of law.


Ethical AI Is Built in Procurement, Not Posters

In the ongoing conversation about AI, companies are increasingly highlighting their ethical principles. They publish responsible AI statements, share aspirational values, and post impressive slide decks. However, any experienced compliance professional knows that ethics does not live in posters. It lives in systems. It lives in contracts. It lives in the infrastructure choices that decide who holds power, who can be audited, and who is accountable when things go wrong.

When you pull back the curtain on most modern AI deployments, you find a hard truth. Ethical outcomes depend less on high-level values and more on the mundane details of compute access, data governance, vendor resilience, and transparency. Those details are not glamorous, but they are decisive. They are also exactly where the compliance function must lead. The companies that treat AI as a technical problem will struggle. The companies that understand AI as a governance problem will succeed. Compliance should be at the center of that governance effort.

The Infrastructure Beneath Ethical AI

The most important element of ethical AI is the part no one sees. The infrastructure decisions made today are the ethical outcomes of tomorrow. Consider four core factors that determine the integrity of an AI system long before it begins making predictions.

a. Compute Access

The amount of compute you grant, the regions in which it can be used, and the failover plan for outages are not IT decisions. They are about fairness, safety, and continuity. If only certain business units have access to the most powerful models, you have created inequities inside your own walls. If you cannot maintain operations during a provider outage, you have made a resilience gap that regulators will notice.

b. Data Governance

AI systems amplify the quality and cleanliness of your data practices. Data lineage, retention schedules, classification levels, and access controls determine who can see what, when, and under what safeguards. If the data is flawed, every model output built on it is flawed. Compliance already governs data privacy, confidentiality, and use restrictions. AI raises the stakes.

c. Vendor Resilience

The more an organization invests in a single AI provider, the more dependent it becomes on that provider’s risk posture. Multi-cloud strategies, vendor exit rights, and enforceable SLAs are not operational niceties. They are governance tools to prevent concentration risk. Compliance has long experience managing third-party risk; AI vendors are simply the newest category.

d. Model Operations

Model versioning, approval workflows, rollback procedures, and audit trails determine how quickly an organization can detect harm and correct it. These operational controls map almost perfectly onto compliance best practices. They reflect the same principles that underpin any effective risk management program: evidence, traceability, and documented decision-making.

Where Compliance Must Lead

Most organizations underestimate the extent to which AI governance requires the same discipline found in mature compliance programs. The compliance function knows how to operationalize policies, create audit trails, and embed accountability. These strengths translate directly into AI. Below are the areas where compliance should play the lead role.

1. Embedding Ethical Standards Into Procurement

Ethical AI begins with ethical procurement. RFPs should require model documentation, bias testing, data ownership guarantees, audit logs, content filtering, and evidence of secure development practices. A vendor that cannot demonstrate its internal controls will not protect your ethical commitments. Compliance is uniquely positioned to identify those red flags.

2. Contracting for Power, Not Promises

Every compliance professional knows that a vendor promise without contractual force is aspiration, not assurance. AI contracts must include termination for harm, financially meaningful remedies, data portability, and clear assignment of responsibilities. Regulators will expect companies to demonstrate that they negotiated governance into their agreements.

3. Designing for Resilience

AI systems break in unfamiliar and sometimes spectacular ways. Multi-region deployment, validated failover paths, and regular stress testing are mandatory. Resilience is an ethical value because it protects customers, employees, and stakeholders from foreseeable harm. Compliance should insist on documented resilience planning as part of deployment approval.

4. Governing the Data Layer

Data minimization, differential access, immutable lineage, and standard retention schedules must be embedded across AI use cases. AI does not excuse a company from its privacy or data-governance obligations. It heightens them. Compliance should ensure that every AI initiative begins with a data governance review before a single line of code is written.

5. Operationalizing Oversight

AI oversight is not a once-a-year assessment. It is a living discipline. Compliance should push for model risk reviews, red-team exercises, change-control approvals, and clearly defined escalation pathways. When issues arise, there must be a time-boxed rollback plan in place. Clearly assigned control owners must be accountable for results.

6. Measuring What Matters

Without metrics, oversight is performance art. Companies should measure false positives and false negatives for each AI use case, especially across protected classes. They should track incident rates, drift detection outcomes, model approval times, and vendor SLA performance. These indicators form a dashboard that demonstrates whether AI governance is real or merely decorative.

7. Funding Ethics as an Operational Requirement

Ethical AI is not free. It requires a budget for monitoring, red teaming, data curation, and external verification. Compliance should push for these resources and make the case that ethics is a form of operational continuity. A company that cannot demonstrate that it has funded its governance model will struggle in any regulatory examination.

8. Building Exit Capability

Most companies underestimate how difficult it is to transition away from an AI vendor. Compliance should require that every material AI system have an exit plan that includes timelines, data-migration standards, and a documented process to ensure continuity. Only an exit tested under realistic conditions qualifies as a real control.

9. Clarifying Accountability

AI governance fails when accountability is diffuse. Every operational risk must have an owner. Compliance should map each AI risk to a responsible executive and require quarterly reviews. Regulators do not want to know who wrote the policy. They want to know who owns the risk.

10. Training the Front Line

AI governance is not the exclusive domain of data scientists. Product teams, procurement staff, and engineers must understand their responsibilities. Compliance should provide scenario-based training and reward early escalation. Culture determines how quickly issues surface, and AI issues must surface fast.

Closing Thoughts

Ethical AI is not an aspirational project. It is a systems problem, a contracting problem, a data problem, and an accountability problem. Compliance has the experience and discipline to lead the organization through these challenges. When procurement, contracts, and architecture embody the company’s values, ethical outcomes follow. When they do not, no principle statement on a website will save you.