Published on February 27, 2014
Whitepaper Adequate Procedures in Anti-Bribery Compliance Scott Lane Executive Chairman of The Red Flag Group
Contents 1. Overview 1.1 Anti-bribery laws 1.2 The concept of “adequate procedures” 1.3 Adequate procedures are not just about “procedures” 2. Adequate procedures 2.1 Establishing a base line – the code of conduct 2.2 Anti-bribery policy 2.3 Giving and receiving gifts 2.4 Hospitality and entertainment 2.5 Company-paid customer travel 2.6 Political contributions 2.7 Charitable donations 2.8 Sponsorships 2.9 Facilitation payments 2.10 Solicitation and extortion 2.11 Payments to state-owned media 2.12 Distributor and reseller commissions 2.13 Payments to agents, consultants and intermediaries 2.14 Channel and customer rebates 2.15 Marketing development funds 2.16 Due diligence 2.17 Channel programme (and other intermediary) risk reduction 2.18 Customer training 2.19 Appointment of subcontractors 3. Adequate tools for adequate procedures 3.1 Approval and work flow technology 3.2 Supporting tools to manage specific adequate procedures 4. Behavioural change 4.1 Tone at the top – leading by example 4.2 Drivers and motivators 4.3 Reward mechanisms 4.4 Disciplinary procedures 4.5 Employee training 4.6 Dealing with issues 5. Monitoring 5.1 Monitoring the adequate procedures 5.2 On-the-ground monitoring 5.3 Conducting surveys
Contents 6. Measurement 6.1 Identifying / building measureable indicators 6.2 Audits 7. Reporting 7.1 Establish criteria and reporting obligations 7.2 Dissemination of reports 7.3 Exception reporting 7.4 External reporting 8. Documentation 8.1 Establish record keeping mechanisms 8.2 Remediation 9. Compliance Checklist
1. Overview 1.1 Anti-bribery laws Every organisation in the world operates in a market that restricts bribery to public officials. Often, there are laws which prohibit commercial bribery. Complying with the written laws of each country in which your company is based or conducts business is paramount for any business. While the laws vary in name across jurisdictions, they are generally all designed to prevent one simple thing: giving something of value to someone (normally a government decision maker) for the purposes of gaining an unfair advantage. The UK Bribery Act 2010 For years, the Foreign Corrupt Practices Act was the main anti-corruption legislation on which companies operating in multiple jurisdictions (even non-US firms) focused because of its extra-territorial provisions. That is no longer the case with the passage of the UK Bribery Act 2010 in April 2010. Section 7 of the Bribery Act creates a new offence for companies who fail to prevent persons associated with them from committing bribery on their behalf. It is a defence however, for companies to show that they have adequate procedures in place to stop corruption from happening. Even more important however, is the Act’s extra-territorial powers. Like the FCPA, the UK Act’s corporate criminal offence will apply not only to commercial organisations in the UK, but also to non-UK companies which have a business presence there. That means an offence can be committed even if a bribe paid is not related to a foreign firm’s UK affiliate company. Moreover, corporate directors and senior management will be personally liable if their organisation participated in bribery with their consent. This liability is extended not only to British nationals, but to any person who is ordinarily resident in the UK, regardless of whether the conduct in question took place in the UK or not. 1.2 The concept of “adequate procedures” The UK Bribery Act refers to ‘’adequate procedures’’. Since it is a defence for a company if they can show that they have adequate bribery prevention procedures in place, it is important to understand what these adequate procedures consists of. The Ministry of Justice have included in their Consultation Paper, a set of six principles for bribery prevention which are intended as a flexible guide in interpreting what procedures a company might need to have in place. UK Ministry of Justice: Six principles for bribery prevention Principle 1: Risk assessment The commercial organisation regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed. Principle 2: Top level committment The top level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery. They establish a culture within the organisation in which bribery is never acceptable. They take steps to ensure that the organisation’s policy to operate without bribery is clearly communicated to all levels of management, the workforce and any relevant external actors. Adequate Procedures in Anti-Bribery Compliance Page 5
Principle 3: Due diligence The commercial organisation has due diligence polices and procedures which cover all parties to a business relationship, including the organisation’s supply chain, agents and intermediaries, all forms of joint venture and similar relationships and all markets in which the commercial organisation does business. Principle 4: Clear, practical and accessible policies and procedures The commercial organisation’s policies and procedures to prevent bribery being committed on its behalf are clear, practical, accessible and enforceable. Policies and procedures take account of the roles of the whole work force from the owners or board of directors to all employees, and all people and entities over which the commercial organisation has control. Principle 5: Effective implementation The commercial organisation effectively implements its anti-bribery policies and procedures and ensures they are embedded throughout the organisation. This process ensures that the development of policies and procedures reflects the practical business issues that an organisation’s management and workforce face when seeking to conduct business without bribery. Principle 6: Monitoring and review The commercial organisation institutes monitoring and review mechanisms to ensure compliance with relevant policies and procedures and identifies any issues as they arise. The organisation implements improvements where appropriate. This paper is focused on providing an overview and a perspective on best practices on building adequate procedures. At a high level, having a successful anti-bribery compliance programme is about ensuring that the risks to the organisation of making illegal payments are managed effectively. Success might be defined as the organisation being able to state that it has: Developed and implemented an anti-bribery compliance programme that adds business value and manages risks appropriately Rolled out ongoing improvements to the anti-bribery compliance programme in a consistent and measurable way across the company, its subsidiaries, joint ventures and third parties Regularly conducted anti-bribery audits and investigations and made on-going improvements to the programme over time Remediated compliance failures in a constructive manner (where appropriate) Escalated higher risk compliance failures with appropriate action being taken 1.3 Adequate procedures are not just about “procedures” The phrase “adequate procedures” should, not be limited to the typical definition of ‘’procedures’’. According to by the New Oxford American dictionary, “procedure” is defined as “an established or official way of doing something”. Adequate procedures, as proposed by the author, include something more than just an official way of doing something. Simply referring to the definition would miss essential parts of a successful anti-bribery programme which relate to the softer elements of compliance. The softer elements include two essential components: “behavioural change” and establishing a “culture of compliance’’. No amount of hard policy and procedure will be able to contribute to these softer elements of compliance. While repetition of “an established way of doing something” may ultimately establish a change in behaviour, this method is time consuming and may not be well-integrated into the business core. Page 6 The Red Flag Group
2.Adequate procedures 2.1 Establishing a base line – the code of conduct Every organisation should have a code of conduct, also known as a code of ethics or a business conduct guide. These codes are designed to set a high level baseline for conduct within the firm. The code should weave the firm’s value system into the overall way in which the company conducts itself from an integrity perspective. Some companies brand their codes to a unique brand like ‘’the way we work’’ or ‘’doing the right thing’’ which are intended to summarise the firm’s attitude and how it conducts itself. Essential to any adequate procedure in managing anti-bribery risk is a section in the code on the company’s tolerance for bribery. Typically, these code sections are reflective of the top ten major risks in the company and most often include a foreign bribery risk. While these sections in the code are very high level and do not contain details on the adequate procedures that the company have adopted, it is useful to have these documents in the public domain as a statement of your high level position on anti-bribery compliance. 2.2 Anti-bribery policy A significant aspect of having adequate procedures is to have an anti-bribery policy within your anti-bribery compliance programme. In the past, these anti-bribery policies have been drafted by external lawyers and have been a summary of the relevant law and its exceptions, with an overview of the exceptions to the law where certain payments have been permissible. Today, anti-bribery policies are: Shorter Written in plain English Focused less on the law and more on the company’s guidelines and direction on certain relevant risk areas Anti-bribery policies range in the details that it covers. Some are lengthy documents that encompass every potential issue regarding compliance, while others are shorter and point to specific external guidelines for support, resources and training requirements. 2.3 Giving and receiving gifts Past cases have shown that an adequate compliance programme must contain some guidance and procedures on the giving of gifts to government and commercial customers. These guidelines or procedures should ensure that if the company does give gifts that they are of a type, and given in a way that would not fall foul of anti-bribery laws. Adequate procedures with respect to the giving of gifts involve consideration of: What types of gifts are appropriate to be given to government officials (e.g., corporate branded gifts and toys) When those gifts would be acceptable (e.g., at the closing of a deal or at festivals) Whether gifts need to be limited in value (and further, whether those expense limits are universal or country-based) Whether gifts can only be given at a particular time of year (e.g., cultural festivals) Page 7
Whether the gift needs pre-approval and by whom What the expense reimbursement process is and how this is tracked by staff Whether the gift is given to a person, a department or the institution as a whole Whether the gift is linked to a particular transaction What the purpose of giving the gift was and whether it was given for a corrupt purpose Adequate procedures with respect to the receiving of gifts are: Whether there has been reason to believe the gift was given with the purpose of influencing a decision Whether the gift is given to you, your department or the institution at which you work and to whom the gift was presented to When those gifts would be acceptable (e.g., at the closing of a deal or at festivals) Whether the gift exceeds a certain limit (guidance should be given from your employer) An adequate procedure must ensure that: The request, the assessment, the approval and the payment are recorded correctly and that documentary evidence supports such a payment. 2.4 Hospitality and entertainment Similar to gift giving, entertaining customers and business partners is a very common aspect for business. On the face of it, hospitality and entertainment is normal and is an acceptable part of business expenditure. However, some companies push the limits of such hospitality and entertainment too far and have turned simple lunches and “get togethers” into lavish meetings intended only to influence and coerce a decision maker to decide in favour of the overly generous host. Adequate procedures for hospitality and entertainment should contain: A policy which details When providing hospitality of customers is acceptable What that hospitality should consist of How the hospitality should relate to a specific and legitimate business purpose Details on what class of person can receive hospitality and entertainment from the company Whether certain types of entertainment are banned Whether certain locations in entertainment districts are banned Whether the form of entertainment or the location in which such entertainment takes place needs to be directly related to the company’s product Whether there are limits on the annual amount of entertainment given to each individual or institution either by monetary cost or by amount of entertainment and hospitality A procedure that sets out What pre-approvals are required for providing hospitality and entertainment What documentary evidence needs to be maintained for the approval What documentary evidence needs to be maintained for the expense itself The receipt of written authorisation that the recipient in accepting the benefit did not breach any of its own internal rules on the receipt of the benefit An adequate procedure must ensure that: The request, the assessment, the approvals and the payment are recorded correctly and that documentary evidence supports such a payment. Page 8
2.5 Company-paid customer travel Company-paid travel for customers is common for large companies. However, advances in technology has meant that travel has become partly obsolete. Other changes in the industry and the business world have meant that: Companies often have more than one ‘’customer briefing centre’’ (where large expensive products are housed) Use of video conferencing technology has made the convening of meetings much easier Companies typically pay for the travel for a customer in the following circumstances: Demonstration of a product that is only available at another location Attendance at training for a product or service where the cost of such training has been embedded into the cost of the product or service Meeting with senior executives or a board where the travel of such a group is complex or unlikely to happen The adequate procedures for customer paid travel will include a policy, a procedural guideline and perhaps an online approval tool technology (see below for details). The policy would include: An assessment of whether the travel for the customer is paid by the company, or paid by the customer and reimbursed The level of travel provided, the routing, the number of nights and whether the travel is absolutely necessary Details of the agenda for the meeting being attended Travel dates match attendence for the specific event Whether the routing supports side visits or overnight stays in luxury locations Restrictions on the per diem paid to cover expenses Details of such travel including transfers and pickups Details of hotels including what class and any additional costs Details on who will be travelling, the seniority of the person and what benefit they will obtain from the travel An explanation on how the traveller was invited. This includes whether invitation was made directly to the person or entity, and whether or not there is written authorisation that the recipient, in accepting the travel, did not breach any of its own internal rules Whether the travel class can be changed after ticketing and who controls such changes Whether the attendance has conditions of purchase An adequate procedure would: Have forms or an online tool to complete travel requests and provide substantiation of travel Document the travel, the attendance and have documentary evidence substantiating that the travel was necessary and for the purpose in which it was described An adequate procedure must ensure that: The request, the assessment, the approvals and the payment are recorded correctly and that documentary evidence supports such a payment. Page 9
2.6 Political contributions Contributions by companies to political parties, politicians or political causes will need to be reviewed for anti-bribery compliance. Adequate procedures will include policies and procedures which address the following issues: Whether the request for donation and support was related to a pending decision by that or a related entity Whether it was requested by an outside party, or if it was proposed internally, and for what reason The specific purpose of the payment, the circumstances of its request, the benefits of the payment and the details of any special treatment provided by virtue of the payment Whether the payee has any impending decisions to make that may directly affect the company Whether any government official or party official will personally benefit from the payment even if such personal benefit is not monetary Whether payment to one political party is made public and disclosed on the company’s website or on another public space How the payment is going to be made, invoiced and receipted An adequate procedure must ensure that: The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment. 2.7 Charitable donations Contributions by companies to charities will need to be reviewed for anti-bribery compliance. Adequate procedures will include policies and procedures which address the following issues: Whether the request for donation or support was related to a pending decision Whether the charity is a legitimate charity, is registered and is recognised by a government as an official charity Whether the charity is led by a government official Whether the request came from an external party or originated inside the company and for what reason The specific purpose of the payment, the circumstances of its request and payment, the benefits of the payment and the details of any special treatment provided by virtue of the payment Whether the payee has any impending decisions to make that may directly affect the company Whether any government official or party official will personally benefit from the payment, even if such personal benefit is not monetary Whether payment to the charity is made public and disclosed on the company’s website or on another public space How the payment is going to be made, invoiced and receipted What the payment is going to be used for; whether that use is illegal, or is being used to support an individual (either directly or indirectly) and whether that individual is connected to government and the company An adequate procedure must ensure that: The request, the assessment, the approvals and the payment are recorded correctly and that documentary evidence supports such a payment. Page 10
2.8 Sponsorships Companies are often requested to sponsor events, groups, teams and other people in their community Adequate procedures will include policies and procedures which address the following issues: Whether the request for sponsorship was related to a pending decision by that entity, a related entity or a person in power who represents the entity Whether the sponsorship is legitimate Whether the sponsorship is sought by an organisation that is led by a government official or is connected to decision making that will benefit the company Whether the request came from an external party or originated from inside the company, and for what reason The specific purpose of the payment, the circumstances of its request and payment, the benefits of the payment and the details of any special treatment provided by virtue of the payment Whether the payee has any impending decisions to make that may directly affect the company Whether any government official or party official will personally benefit from the payment even if such personal benefit is not monetary Whether the sponsorship is made public and disclosed on the company’s website or on another public space How the payment is going to be made, invoiced and receipted What the sponsorship payment is going to be used for; whether that use is illegal, or is being used to support an individual (either directly or indirectly) and whether that individual is connected to government and the company What the company receives as a result of the sponsorship payment in the form of branding, advertising, access, etc. An adequate procedure must ensure that: The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment. 2.9 Facilitation payments The UK Bribery Act remains silent as to whether small bribes are allowable for minor inconsequential expenses, therefore making them illegal. For those companies who are prepared to make such payments (known as facilitation payments under the Foreign Corrupt Practices Act), adequate procedures must include a set of policies and procedures that address the inherent challenges with approving them. While such policies might be perceived as having procedures to authorise an illegal act, this is a grey area where your code of conduct and Ethics are vital to guide your staff on the ground. Following these procedures and having a set of rules to apply for such payments, particularly if they are made in emergency situations, is advisable. Define what a facilitation payment is Provide examples of payments that would satisfy the test of being a facilitation payment Have procedures recording how the request for the facilitation payment was made, its cost to the company, and to whom and in what circumstances the request was made. Remember that not correctly recording a facilitation payment can be an offence under the Books and Records section of the FCPA, even if the payment itself is okay Have procedures for the approvals for the payment, how the payment was made and documented Conduct an analysis as to whether the payment would be in breach of local laws and whether that knowledge has raised additional concerns, risks or required additional controls to be inserted to address such issues An adequate procedure must ensure that: The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment. Page 11
2.10 Solicitation and extortion From time to time, companies may be the subject of extortion or solicitation for payments which, if not made, would open the requested person to be harmed physically, emotionally or mentally. Such extortion, black mail and solicitation of funds often happens in situations where ‘’there is no alternative’’ and the personal safety of an individual is at risk if the payment is not made. Adequate procedures would include: Guidelines for knowing when an extortion payment can be made, under what circumstances and how much might be acceptable What documentation is needed to support the payment reimbursement and guidelines for such reimbursements What external reporting is necessary to law enforcement agencies about the payment and in what circumstances is further disclosure to authorities required The timeframe for reporting such a payment after the payment was made An adequate procedure must ensure that: The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment. 2.11 Payments to state-owned media Payments to state-owned media often happens in controlled emerging markets where members of the media request payments in order to: Attend a press conference Write a story Film and report a story or event Adequate procedures for controlling payments to media should include: Evidence that any proposed payment is a genuine reimbursement of limited travel expenses for stateowned media to attend an event That the payment is supported either by an original travel receipt or a payment without a receipt that was determined to be a correct and valid estimate of the un-receipted fare Whether any payments were included in any invoices from public relations firms Whether any invoices that include unclear ‘’service fees’’ represent payments to members of the stateowned media An adequate procedure must ensure that: The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment. 2.12 Distributor and reseller commissions Most companies sell their products through some form of channel, whether through agents, intermediaries, distributors or resellers. For anti-bribery compliance the management of the reseller commissions is essential to manage potential illegal payments on behalf of third-parties, in this case, distributors and resellers. Adequate procedures for the management of variances in distributor and reseller commissions and margins include: A mechanism to be alerted when distributor commissions fall below a particular level An approved methodology that reviews the additional request for a discount or margin and the reasons why it is being sought A set of documentation that supports the reasons given and the justifications for the payment Page 12
An adequate procedure must ensure that: The request, assessment, approvals and discount are recorded correctly and that documentary evidence supports such a discount. 2.13 Payments to agents, consultants and intermediaries The use of agents, consultants and intermediaries (together here known as ‘’intermediaries’’) is a wellknown mechanism to make illegal payments to third parties, including government officials. Adequate procedures to ensure that such intermediaries are not used for the facilitation of a bribe include: The approval of each intermediary before engagement Conducting due diligence to understand the circumstances upon which the third party has been engaged and instructed including the background of the third party Only engaging the intermediary after having received verification of their level of integrity and transparency Having a contract with the intermediary that addresses compliance with bribery laws and appropriate warranties and indemnities Paying the intermediary for services rendered that has been properly verified and validated. The payment should reflect the reasonable value which has been attributed to the services under the circumstances An adequate procedure must ensure that: The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment. 2.14 Channel and customer rebates Channel and customer rebates often occur in international business. Channel rebates are often paid when a channel partner (e.g., a distributor sales or intermediary) achieve a particular target or sell a product or service. Channel rebates, and indirectly - customer rebates paid directly or indirectly through the channel are sometimes in the form of personal products, gifts, incentive trips and entertainment. In many cases they form personal items. Adequate procedures should ensure: That the request for any rebates paid to the channel or through the channel to customers (particularly government ones) are reviewed and approved subject to a documented approval process That gifts and other rebates are provided to the company, not to an individual That purchase orders and invoices correspond to such payments and that they are accurately recorded That rebates are never paid in the form of un-documentable vouchers or items that are of a personal nature An adequate procedure must ensure that: The request, the assessment, the approvals and the payment are recorded correctly and that documentary evidence supports such a payment. 2.15 Marketing development funds It is common in channel marketing for a vendor to provide some support to a channel partner. In addition to rebates as shown above, marketing development funds (often referred to as MDF) are payments made to the channel, by the vendor, for services rendered in the form of some agreed marketing purposes. In some organisations, these payments are misused and are not genuine reimbursements of joint marketing expenses. Rather, they are reimbursements for extra costs that the channel partner suffered in a sale. And in some cases, actually amount to an additional discount that misses the adequate procedures in managing variances in discounts. Page 13
Adequate procedures for managing MDF should ensure: That a documented MDF program exists and that the terms of the fund are approved by legal counsel That the request for MDF should be received in writing in accordance with the programme That the request is assessed and approved taking into consideration the risk that funding could be misapplied in the form of corrupt payments That reimbursement of the share of the funding by the company is only issued after evidence has been shown that the funds were actually spent for the approved marketing purpose in the form which was agreed An adequate procedure must ensure that: The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment. 2.16 Due diligence Adequate procedures for anti-bribery compliance include having due diligence (detailed review on the integrity of channel partners, agents, intermediaries, support partners, suppliers) conducted and maintained for the term of their relationship. It is important to remember that due diligence should: Be different for different third parties Be risk based and show a different focus for different third parties Be flexible enough to be changed as risk profiles change Be broad enough to cover suppliers, vendors, agents, intermediaries and distributors / resellers Not be static and should be revised regularly based on the risk profile and potential liability for breaches Be for senior employees and other key hires that are in the business or come into the business Cover newly acquired entities and also their intermediaries (e.g., those that are acquired as a result of an acquisition) Be documented and be available for review and improvement Due diligence from a legal perspective should only be a part of an overall due diligence programme. These statutory risks are only one among many being considered when conducting a due diligence. Other risks might include counterfeit product risks, forward revenue recognition, product liability, supplier over-pricing and other contractual risks. It is an effective use of budget and resources to consider all these risks at the same time rather than simply focus on the due diligence required by the Bribery Act or the FCPA. Adequate procedures for due diligence includes: Collecting material and background from the third party prior to any engagement Reviewing the material by use of an independent compliance-focused background screening organisation that tests the veracity of such information and independently assesses their integrity status in the marketplace Having due diligence reviewed and approved prior to engagement Having due diligence reviewed at regular intervals and constant monitoring of the parties concerned against watchlists, sanction lists and parties known to have engaged in corruption Due diligence of third parties is a complex topic that requires a detailed discussion. Another whitepaper has been drafted on this topic and is available at: https://www.redflaggroup.com/education-centre/thought-leadership/whitepaper-best-practices-conductingfcpa-anti-bribery-due-diligence Page 14
2.17 Channel programme (and other intermediary risk reduction) Conducting due diligence on resellers, distributors, and other intermediaries is insufficient to effectively manage the risk of corruption. A proactive methodology is required to maintain adequate procedures. Adequate procedures in managing channel partner risks for corruption include: Identifying channel partners with a sense of integrity Conducting due diligence on their integrity and transparency Providing direction to the channel partner by giving advice on policies, procedures and their code of ethics The provision of training, compliance tools and direction to the channel partner in the standards expected of them regarding integrity issues Conducting health checks and audits on the channel partners at regular intervals More information can be obtained here: https://www.redflaggroup.com/education-centre/thought-leadership/whitepaper-building-effectivecompliance-programmes-third-parties 2.18 Customer training Providing customers with product training in luxurious locations has been the subject of several cases which have fallen foul of anti-bribery laws. Adequate procedures should ensure: That company-paid customer training is legitimate and essential for the customer That the training has an open and accepted curriculum That the training is provided in a facility which is controlled by the company and in a location that is not luxurious or inappropriate That the selected recipients require the training for the purposes of being licensed to own or able to operate the product That the other rules associated with company paid travel for the customer to travel to the training are complied with That if the training is provided by a third party that the third party adheres to such conditions An adequate procedure must ensure that: The request, assessment, approvals and payment is of such training are recorded correctly and that documentary evidence supports such a payment. Page 15
2.19 Appointment of subcontractors It is also common for the selection of subcontractors by a company or its intermediary to be done for illegal purposes. Often subcontractors are bogus and are selected in order to channel money to a third party or to the owners of the chosen subcontractor itself who are often in a position of conflict with the end user. While the management of this risk is similar to that with the selection and management of intermediaries, this group is often much harder to control as it is done further down the chain and the decisions as to which subcontractor is selected is often uncontrolled and left up to the business unit. Adequate procedures to ensure that such subcontractors are not used for the facilitation of bribes include: The approval of each subcontractor before engagement Conducting due diligence to understand the circumstances upon which the subcontractor has been engaged and instructed, including the background of the subcontractor Only engaging the subcontractors after having received verification of their level of integrity and transparency Having a contract with the subcontractors that addresses compliance with bribery laws and appropriate warranties and indemnities Paying the subcontractor for services rendered that has been properly verified and validated. The payment should reflect the reasonable value which has been attributed to the services under the circumstances An adequate procedure must ensure that: The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment. Page 16
3. Adequate tools for adequate procedures In today’s society, paper-based compliance will almost always fail, be subject to delays, or simply be confusing in what could be a very straight-forward process. Adequate procedures that focus solely on policies and procedures are likely to be insufficient to effectively manage corruption risks. Adequate procedures must include a set of tools and technology mechanisms to help support and manage the adequate procedures. The technology and tools aspect of adequate procedures often include: Approval and work flow technology Supporting tools to manage specific adequate procedures tailored for your industry Reporting mechanisms 3.1 Approval and work flow technology Objectives Having some form of approval and workflow technology solution to manage the adequate procedures shown above is essential to achieving maximum compliance. Tip 1 Use a workflow software programme to automate some approvals. Relying on email approvals through a singlepoint is destined to fail Tip 2 Creating tight and restrictive policies and procedures generally means requiring all requests to be approved. Not having a clear approval process and workflow typically means that the inbox of the lawyer or compliance officer will be filled with multiple requests. 3.2 Supporting tools to manage specific adequate procedures Using online tools and technology is essential to manage the adequate procedures. Indeed, some would say that having such tools and technology in the first place is part of the adequate procedures themselves. Simply having paper-based procedures and not being able to maintain an audit trail would in effect, not be adequate at all. Examples of tools include: Policy tools Tools that support the online storage of policies and the tracking of those policies across an organisation Links from policies to further training and certifications Reporting and tracking of non-complete policy certifications Gift tools Tools where a user can request the giving of gifts to government and commercial customers Are mapped against a policy, so that the tool can auto-approve or route for approval Allow for requests to be approved online with audit trails of the approvals Give documentation to support the approval which is stored and trackable Records the recipient of the gift on a database Scans the recipient against watchlists to aid in the approval process Adequate Procedures in Anti-Bribery Compliance Page 17
Travel tools Tools where a user can request travel for a government or commercial customers Are mapped against a policy, so that the tool can auto-approve or route for approval based on specific rules around the type of travel, the reason for the travel, the agenda and the person involved in the travel Allow for requests to be approved online with audit trails of the approvals Give documentation to support the approval which is stored and trackable Scans the recipient against watchlists before they can be approved for travel Efficiently links the financial systems of the company with the approval Hospitality approvals Tools where a user can request hospitality or entertainment for a government or commercial customers in advance of incurring the expense Are mapped against a policy, so that the tool can auto-approve or route for approval based on specific rules around the type of hospitality or entertainment Allow for requests to be approved online with audit trails of the approvals Give documentation to support the approval which is stored and trackable Scans the recipient against watchlists before they can be approved for the receipt of any benefit Efficiently links the financial systems of the company with the approval Third-party due diligence questionnaires and risk ratings Allows for input from selected third parties Are available online and in multiple languages (which supports completion in multiple languages online) Gives an analysis of such completed questionnaires with the automatic scoring of answers based on a risk and scoring methodology designed along with the development of the questionnaire Due diligence management tools Have the ability to manage the request and delivery of due diligence reports on selected third parties Have the ability to review, approve and track the reports which are to be facilitate Conduct ongoing reviews (daily) of due diligence subjects (including their shareholders, directors and officers) against international watchlists Conducts ongoing reviews against negative media of due diligence subjects (including their shareholders, directors and officers) Online certification tools Have the ability to obtain certifications from both external and internal people in multiple languages where the person can certify compliance with anti-corruption controls Ensures that certifications are tracked, automated and reminders set for on-going compliance insuccessive periods Online training and learning management systems Are systems that allow for short-focused training to be released which teaches the practical aspects of anti-bribery compliance to both internal and external parties The successful completion of each training session is tracked and reported upon as part of an overall anti-corruption adequate procedures risk management process Page 18
Conflicts of interest disclosure tools Have the ability to obtain conflicts disclosures from both external and internal parties in multiple languages where the person can disclose any non-conformance with the conflicts of interest policy Tracks non-conformance and any controls, allowances or waivers against a remediation tool that supports integrated tracking together with an ongoing analysis Ensures that disclosures are tracked, automated and reminders set for on-going compliance in successive periods Communications management Where all communications both internally and externally are managed through a tool that documents the adequate procedures anti-bribery compliance programme Watchlist scanning tools A tool that allows for self scanning (in batches if necessary) of third parties against international watchlists, sanction lists and known or suspected illegal or corrupt parties Page 19
4. Behavioural change Adequate procedures are nothing unless you effect behavioural change. Behavioural change is another important aspect of building an anti-bribery compliance programme and is often overlooked. Managing adequate procedures in the form of policies and procedures, tools and technology is ineffective unless the behavioural change of paying illegal payments to win business is addressed. In many emerging markets there is a long standing practice of giving gifts and hospitality to government officials. Companies who address this risk by simply putting in place adequate procedures will find the following results of failure: No one will follow them up Everyone claims they are following them up and the activity simply goes underground They find other ways of making the payment The big problem here is that the underlying behaviour was never successfully changed. Behavioural change is extremely difficult to effect in a large organisation. It requires an analysis of why that behaviour exists and what the reason for the behaviour is. Often the behaviour of making bribes or illegal payments is because: The payee is underpaid and needs the bribe for their sustenance and living The payer is under heavy obligations to produce sales results “at any cost” and is pushed to achieve targets The payer is working within a cultural environment where relationships, favours and gift giving is common The payer is working in a company which is known for paying bribes to win business, and as a result, it is expected that they facilitate a payment despite their own personal objections The payer works in a company whose products are inferior or sub-standard and needs to be bribed in order to elevate the production standards The payer works in a company that does not reward staff for turning away from corruption and there is no visible incentive to turn away The payer works in a company that is ignorant of the risks and has no corruption programme in place The study of changing corporate behaviour will be addressed in a separate whitepaper that supports this paper. It is a topic in of itself and is one of the most challenging aspects of an anti-bribery compliance programme. However, it is essential that taking steps towards changing the behaviour is the only way that adequate procedures will actually work and be effective. 4.1 Tone at the top – leading by example Behavioural change is very hard to achieve in a large diverse multi-cultural workplace. However, one common ingredient is that leadership usually dictates how people will react and be a foundation for their behaviour. The CEO’s and senior management’s actions are under scrutiny everyday by staff, and they are being looked at to set the example of integrity and good behaviour. For this reason, it is essential that the tone at the top is solid and supportive of the compliance programme, not just on paper but also in spirit. Example: In anti-bribery compliance programmes, many long-time partners often rely on long-term relationships with the CEO or the country manager as the basis for some form of protection. It is important that the CEO or senior manager really endorses the anti-corruption compliance programme, and shows that pre-existing relationships do not necessarily support any form of amnesty. Page 20
4.2 Drivers and motivators Human nature is often at the centre of most behavioural change. Tip There are only a handful of recognised drivers of human behaviours: Greed Power Status or prestige Success Culture A sales-driven environment is a place where it is common to see compensation plans driving behaviour. Understanding the true motivators of the recipients and stakeholders of a compliance programme is essential to having them change behaviour. Take the time to assess: Each stakeholder in the compliance programme Each person who owes a compliance obligation Decide which category of behavioural driver they are in, and then develop a specific plan for that person or stakeholder to move them along the path towards the preferred behavioural pattern. A good compliance person has a well-trained ability to understand organisational behaviour and how to change it. Understanding the culture of an organisation is essential in making an assessment on how effective any behavioural change will be. In some cases, it is necessary to re-adjust the approach because of a strong overriding cultural reason. Look for the driver and then work out how to motivate them to act Example: In an anti-bribery compliance programme: Distributors are generally motivated by: Margin (the amount of money they make on the buying and selling of your products or services) or the status of their eligibility in a defined partner programme (e.g., a Gold Certified Partner) Their ability to sell to the government as an authorised partner (e.g., GSA schedule) and many would never jeopardise that benefit The possibility of going to an IPO, or raising capital and therefore they would not want to damage their brand in any way Sales people are generally motivated by commission Management is usually motivated by revenue, margin, and success Country management is normally motivated by: Revenue, margin, and success The political requirement to not have their country or region being viewed as problematic and being the subject of endless audits by headquarters for compliance issues (classic face saving activities in Asian cultures) Page 21
You can almost guarantee that there is no stakeholder that you can move along the path towards behavioural change without some form of mentoring and coaching. Tip Good coaching involves good listening skills. Always stop and listen to the concerns of the person whose behaviour you are looking to change. In many cases, they just want to be heard. You need to spend time talking face-to-face with people that you need to coach. Email is not a coaching tool, nor is using power to compel change. 4.3 Reward mechanisms It was the Russian psychologist Ivan Pavlov’s theories that supported the idea that behavioural change and reward worked together like hand and glove. Expecting people to change without any form of incentive is misguided and extremely hopeful. Human mechanisms support the argument that compliance programmes need to have an incentive to change. The Human Resources department is essential in helping push through incentive mechanisms. Linking behaviour to compensation is essential in most business environments, and generally HR control the purse strings on linking business results to compensation. Example: In anti-bribery compliance programmes, reward mechanisms for good compliance might include aspects of the adequate procedures: Employees Payment of additional bonuses for solid compliance Awards and recognitions Partners Continuation of certified status for a partner (e.g., as a “Gold” partner) Extra discounts or market development funds (MDF) for partners Extension of product list or government purchase authority Approval to be a first-tier distributor Referrals of direct deals to the channel Page 22
4.4 Disciplinary procedures Coupled with reward mechanisms, disciplinary procedures are a key piece of any compliance programme. Disciplinary procedures are often the only form of motivator used by companies (people often forget to apply reward mechanisms). They are typically used as a “stick” to get performance and often with mixed results. Example: In an anti-bribery compliance programme, disciplinary procedures are often related to termination of the employee or the reseller and distributor agreement where a partner has been involved in an allegation. However, other options are available, and it should be made clear to the people involved what the potential consequences are for certain infringements. Employees Mandatory training and integrity coaching Reassignment away from government dealings Removal of spending privileges Demotions (e.g., individual contributor) Warnings Partners Audits (including by a third-party) Rebates / Reductions / Return of commissions Withdrawal of privileges (e.g., stocking, government sales) Mandatory training 4.5 Employee training The successful implementation of compliance programme depends on training. The training must include training for: Board members, Executive Committee Employees, contractors Business partners, agents, suppliers While each and every one of the above parties should receive training, it is advisable that the training be customised in style, format and content. This can be done by varying: Style of the training (detailed, summaries, point form) Format of the training (e-learning, classroom style, lecture style) Content of the training (scenario-based, hands-on learning, legal content) It should also be kept in mind that while all of the audiences above should be considered for training, it does not mean that all of the people in each audience need to get the training. It is incorrect to suggest that training should be provided to all audience groups. However, it is correct to say that 100% training should be provided to those people who have been identified as having a job description or role that crosses with issues that could be relevant. For example, training manufacturing plant employees on corruption might be a fruitless exercise. However, training dock and stevedore workers (who interact with customs and other officials) might be appropriate. The first step in developing the training program is conducting a needs assessment and risk assessment base on the job descriptions and job functions. Page 23
4.6 Dealing with issues It is common after training to receive a number of questions about everyday conduct being carried out by the company and its employees. Certain conduct is often raised for discussion and review. There needs to be a mechanism for these issues to be raised and to have them discussed and resolved. Often some issues are resolved after only small changes are made, while certain conduct may need to be stopped altogether. Mechanisms need to be in place to support issues being raised. This mechanism may include: Contact information in the policies and procedures where people can go to get help and ask follow-up questions A small focus group or workshop of employees in an office that get together to talk regularly about conduct and whether it raises integrity issues An online tool that allows for compliance related FAQs to be asked and reviewed These mechanisms should be relatively informal in order to encourage staff to raise issues and questions. They should be different to the typical ‘Ethics Hotline’ that is used more to report illegal or suspicious conduct. A more informal approach would encourage questions about existing conduct and practices in the company. Having an online tool for employees to ask questions and be answered by the Compliance or Legal team is the best way to expand the knowledge to a broader audience. The online tool should be available for all staff and form part of the corporate intranet or some other forum designed specifically for this purpose. Page 24
5. Monitoring 5.1 Monitoring the adequate procedures Monitoring the adequate procedures is a crucial, yet often overlooked, ingredient to the compliance programme. Often, companies rely simply on anonymous reporting hotlines and internal audit to conduct monitoring and measurement, but have no real programme to support these claims. Monitoring the adequate procedures is essential. Putting in place or mandating adequate procedures without also having a mechanism to manage them is a waste of resources. Monitoring the adequate procedures is an area that most compliance officers are relatively unfamiliar with. They tend to focus only on whether training (which is but one adequate procedure) has being completed. This is because it is easy to assess (as it involves simply an assessment of completed training versus the overall employee base) and involves minimal cost. The monitoring of adequate procedures must assess the actual effectiveness of the procedures: whether they are in place, are known, understood, and working well. Monitoring the adequate procedures could involve: Making sure the objectives of the adequate procedures, the overall compliance programme and the business needs are aligned Assessing any cultural change brought about by the procedures Identifying if there is a change in the behaviour of those following the procedures Determining whether business value has been realised by putting in place the adequate procedures Example: In anti-bribery compliance programmes, these involve testing whether the business’s overall risk and violations have decreased over time, and whether the culture of compliance has been improved. 5.2 On-the-ground monitoring The best form of compliance monitoring is ‘on-the-ground’ monitoring. This means scheduling time each quarter to get out of the office or headquarters to travel to the outer regions of the business (usually to the emerging markets where these issues occur more frequently). The purpose of these visits is to monitor directly the health of the compliance programme. This is best done by talking to people, setting up meetings to talk about the compliance programme, observe what the experiences are from the implementation and to generally monitor the ‘noise’ that is in the system. This sort of monitoring is essential because it is informal and generally produces better results than a formal programme which may place duress on the people being monitored. Tip The sort of monitoring proposed here is simple. It is to visit a country and sit down individually with the Head of Sales, the Country Manager, and the Finance Director to talk about their experiences with the programme. These discussions are often best had over dinner or breakfast in an informal and relaxed setting. The key is to ask broad open–ended questions that support the discussion of the topics. This is a fact-finding discussion not an interview nor an inquisition, nor an audit. Planning these meetings is a key to ensure that the relevant people are in town for your visit. There is nothing like getting the real unadulterated data at the coalface. Page 25
5.3 Conducting surveys Conducting surveys are a great way to feel the pulse of the whole organisation. The surveys are best conducted online in a secure environment and distributed by the Business group (as opposed to Legal or Compliance). These surveys should be targeted to a specific compliance issue (e.g., bribery) rather than having a general set of compliance questions. The value in the surveys is to ask specific questions that will induce an answer. For example, the following questions would be relevant: Do you feel that our anti-bribery compliance programme has been adopted by your management? Have you experienced situations where you now behave differently given the new focus on compliance? Do you feel that management ‘walks the talk’ when it comes to the anti-corruption programme? Have you changed your approach to certain situations in the field since conducting the training? Has there been a change in the engagement of third parties and intermediaries since the programme was enacted? Have there been any negative effects on the business since implementing the programme? Do you feel that the programme is consistent with good business practice in the region? Do you feel that the programme is consistent with our brand and our values? Tip An online survey can be easily structured with mandatory questions and options that allow for extra commentary. The survey can be completed anonymously in order to encourage responses unless participants wish to give their information for further follow-up. Ideally, the survey link should be sent out by the Business teams rather than Compliance or Legal. Studies show that the staffs are more likely to complete the survey if it comes from their direct manager. It is also advisable to run the same survey (with the same set of questions) quarterly for several quarters following the implementation of the Programme. That way, trending analyses can be built on the answers to the questions over time. Page 26
6. Measurement Measurement is all about how well the adequate procedures are working – and presenting evidence to prove it. It requires that the objectives of the programme to be assessed and measured. Targets should have been set in the earlier stages of the programme and agreed with the CEO and the board on the future success of the programme. All these now need to be measured and reported. Measurement involves active review of the programme. In most cases, this involves: Testing the adequate procedures with audits Conducting interviews and behaviour / culture assessments Example: In anti-bribery compliance programmes, measurements could include: Number of requests sought for gifts, travel or hospitality through an online system or tool Volume of requests for charitable donations Number of due diligence requests for new distributors Number of customer complaints relating to distributor conduct Number of audit violations Volume of revenue adjustments 6.1 Identifying / building measureable indicators Building measurable indicators is quite challenging for certain adequate procedures. Most often, it requires looking specifically at single indicators of successful compliance. Common measurements include the following: Efficacy of the adequate procedures Number of failures of each adequate procedure Number of hotline or other reporting issues raised Number of “near misses” Training effectiveness results Business value Number of deals supported through new measures Return on investment from the compliance programme Page 27
6.2 Audits Most compliance programmes include some form of audit of each adequate procedure in order to measure the effectiveness of each procedure. Example: A typical audit of the adequate procedure for use of a distributor might look like this: Draft Reports Templates Risk Assessment Templates Remediation Guidelines Attribute Weightings Communication Plans Guide to Risk Weightings Excalation Paths Report Partner Checklist Risk Assessment Execution Planning Notifications Letters Interview Questions Internal Communication Matrix Task Lists Partner Review Checklist Meeting Schedules Document Request List Business Interview Checklist The audit should cover all aspects of the adequate procedure, including its actual performance of the adequate procedure. It is important to audit whether the adequate procedure is working and, if not, find out why. Are employees aware of their obligations? Do they know what they should and should not do in a particular situation? Do they know where to go to get help? The nature of the audit-framework you develop will very much depend on the company and its compliance background and culture, whether you are at the initial stages of implementing adequate procedures, how developed your auditing systems are and other such considerations. It is important to make sure that any audit is realistic in its purpose, maps the objectives and targets of the adequate procedure and provides useful and insightful results which can be used to ensure on-going improvement. It is essential to determine who or what is being audited. The audit typically includes: Awareness of the adequate procedure throughout the organisation Assessment of whether the adequate procedure has been complied with and to what extent Assessment of whether the training has been effective Establishing the frequency of audits or measurements The frequency of measurement very much depends on the adequate procedure itself, and is often agreed at the commitment stage for reporting purposes. Audits can be long and expensive processes. It is, therefore, important to make sure the frequency of audits and other measurements provided for in the compliance programme are realistic, aligned with the objectives and targets of the programme and that they take into account the risks faced by the company. Another whitepaper has been drafted on this topic and is available at: https://www.redflaggroup.com/education-centre/thought-leadership/whitepaper-best-practices-auditingthird-parties-fcpa-anti-bribery-compliance Page 28
Example: An anti-bribery audit programme that consists of several adequate procedures might cover the following aspects: Gifts Review of expense claims over a specified period Assessment of whether or not those gifts fall within the gift approval policy, whether they were within the prescribed gift limits, and whether they were approved properly Cross-referencing of any gifts given to government officials against deals done at the same time Review of the number of gifts given per sales person or received per customer over a period of time Travel Review of expense claims over a specified period for any person who accompanied government officials on company-paid travel Review of expense claims to identify any side trips or lavish entertainment Charitable donations Review of charitable donations to ensure compliance with the review and approval process and to identify whether the charities have associations with any government officials Third parties Review of third parties to determine if due diligence has been performed and whether that due diligence revealed any issues Comparison of margins received for commissions with the average or standard commissions earned by third parties Review of the training records of partners Use of consultants Review of consultancy contracts and payments made to consultants Assessment of due diligence performed on consultants Review of consultancy contracts, the purpose of each contract, the services provided and the price paid Comparison of deals around that period to gauge the legitimacy of the particular deal Page 29
Example: Adequate procedures in an anti-bribery compliance programme audit typically involve both internal audit and external audit of third parties. Before embarking on such a project, it is a good idea to conduct a simple risk assessment on the third parties themselves to determine which third parties to audit. To determine the risk profile of the third parties, it is a good idea for your risk assessment to cover both financial and non-financial risks. Amount of Sales Direct Sales vs Indirect Sales Free Goods, Samples & Returns Stocking Levels Financial Attributes MDF Amounts Margin Analysis Returned Goods Product Type Legal Risk Previous Issues Time since Last Audit Contract Type NonFinancial Attributes Private vs Public Country of Concern Export Business Control Perception Restrictions High % of Sub-Tier Government Partners Business Once completed, a smaller more manageable group of third parties will have been marked for audit and a more manageable audit programme can be developed. D-8 D-7 D-2 D D+2 Page 30 Notification to business Discuss objectives with country managers Conduct risk assessment with channel Determine focus partners and country Request data from partner Assess country risks and marco compliance risks Collect and review sample data submitted On-site assessment at partner Execution and testing Interview, review and data analysis Report out internally Report out to partner
7. Reporting 7.1 Establish criteria and reporting obligations For most organisations, some form of reporting on the efficacy of the adequate procedures is expected. At the very least, there is an expectation to rep
Regulatory Compliance / Bribery Act; The Bribery Act & DocRead. ... Define anti-bribery adequate procedures.
What Are Adequate Procedures? ... review their anti-bribery and corruption compliance programs to determine ... has adequate procedures is matter ...
The UK Bribery Act and Adequate Procedures The UK Bri B ery Ac T A nd Adeq UAT e Proced U res SAI Global has developed a range of products and services ...
BRIBERY ACT. 2010. Guidance. about procedures which relevant commercial . organisations can put into place to prevent ... not have adequate procedures.
UK Bribery Act Is your house in order? ... compliance with anti-bribery legislation. ... Adequate Procedures and Anti-Bribery and .
on what constitutes bribery and what they need to do to show that they have adequate procedures in ... compliance with anti-bribery legislation and what to ...
Employing Adequate Procedures for a Compliant Anti-Bribery & Anti-Corruption Culture The far-reaching impact of the UK Bribery Act combined with
The UK Bribery Act 1 ... Conducting anti-corruption compliance and ... The defense available to an organization is one of having “adequate procedures ...
Großbritannien hat eines der schärfsten Anti ... den drakonischen Strafen des UK Bribery ... "Mit der Veröffentlichung der 'Adequate Procedures ...