Post on 13-Dec-2014
Adequate Procedures in Anti-Bribery Compliance
Whitepaper
Scott Lane, Executive Chairman of The Red Flag Group
Contents
1. Overview
1.1 Anti-bribery laws
1.2 The concept of “adequate procedures”
1.3 Adequate procedures are not just about “procedures”
2. Adequate procedures
2.1 Establishing a base line – the code of conduct
2.2 Anti-bribery policy
2.3 Giving and receiving gifts
2.4 Hospitality and entertainment
2.5 Company-paid customer travel
2.6 Political contributions
2.7 Charitable donations
2.8 Sponsorships
2.9 Facilitation payments
2.10 Solicitation and extortion
2.11 Payments to state-owned media
2.12 Distributor and reseller commissions
2.13 Payments to agents, consultants and intermediaries
2.14 Channel and customer rebates
2.15 Marketing development funds
2.16 Due diligence
2.17 Channel programme (and other intermediary) risk reduction
2.18 Customer training
2.19 Appointment of subcontractors
3. Adequate tools for adequate procedures
3.1 Approval and work flow technology
3.2 Supporting tools to manage specific adequate procedures
4. Behavioural change
4.1 Tone at the top – leading by example
4.2 Drivers and motivators
4.3 Reward mechanisms
4.4 Disciplinary procedures
4.5 Employee training
4.6 Dealing with issues
5. Monitoring
5.1 Monitoring the adequate procedures
5.2 On-the-ground monitoring
5.3 Conducting surveys
6. Measurement
6.1 Identifying / building measurable indicators
6.2 Audits
7. Reporting
7.1 Establish criteria and reporting obligations
7.2 Dissemination of reports
7.3 Exception reporting
7.4 External reporting
8. Documentation
8.1 Establish record keeping mechanisms
8.2 Remediation
9. Compliance Checklist
1. Overview
1.1 Anti-bribery laws
Every organisation in the world operates in a market that restricts bribery of public officials. Often, there are
also laws which prohibit commercial bribery.
Complying with the written laws of each country in which your company is based or conducts business is
paramount for any business. While the laws vary in name across jurisdictions, they are generally all
designed to prevent one simple thing: giving something of value to someone (normally a government
decision maker) for the purposes of gaining an unfair advantage.
The UK Bribery Act 2010
For years, the Foreign Corrupt Practices Act (FCPA) was the main anti-corruption legislation on which companies
operating in multiple jurisdictions (even non-US firms) focused because of its extra-territorial provisions. That
is no longer the case with the passage of the UK Bribery Act 2010 in April 2010. Section 7 of the Bribery Act
creates a new offence for companies that fail to prevent persons associated with them from committing bribery
on their behalf. It is a defence, however, for companies to show that they have adequate procedures in place to
stop corruption from happening.
Even more important, however, are the Act’s extra-territorial powers. Like the FCPA, the UK Act’s corporate criminal
offence will apply not only to commercial organisations in the UK, but also to non-UK companies which have a
business presence there. That means an offence can be committed even if a bribe paid is not related to a foreign
firm’s UK affiliate company.
Moreover, corporate directors and senior management will be personally liable if their organisation participated
in bribery with their consent. This liability is extended not only to British nationals, but to any person who is
ordinarily resident in the UK, regardless of whether the conduct in question took place in the UK or not.
UK Ministry of Justice: Six principles for bribery prevention
Principle 1: Risk assessment
The commercial organisation regularly and comprehensively assesses the nature and extent of the risks relating
to bribery to which it is exposed.
Principle 2: Top level commitment
The top level management of a commercial organisation (be it a board of directors, the owners or any other
equivalent body or person) are committed to preventing bribery. They establish a culture within the organisation
in which bribery is never acceptable. They take steps to ensure that the organisation’s policy to operate without
bribery is clearly communicated to all levels of management, the workforce and any relevant external actors.
1.2 The concept of “adequate procedures”
The UK Bribery Act refers to “adequate procedures”. Since it is a defence for a company if it can show
that it has adequate bribery prevention procedures in place, it is important to understand what these
adequate procedures consist of. The Ministry of Justice has included in its Consultation Paper a set of
six principles for bribery prevention, which are intended as a flexible guide in interpreting what procedures a
company might need to have in place.
This paper is focused on providing an overview and a perspective on best practices on building adequate
procedures.
At a high level, having a successful anti-bribery compliance programme is about ensuring that the risks to
the organisation of making illegal payments are managed effectively.
Success might be defined as the organisation being able to state that it has:
- Developed and implemented an anti-bribery compliance programme that adds business value and manages risks appropriately
- Rolled out ongoing improvements to the anti-bribery compliance programme in a consistent and measurable way across the company, its subsidiaries, joint ventures and third parties
- Regularly conducted anti-bribery audits and investigations and made on-going improvements to the programme over time
- Remediated compliance failures in a constructive manner (where appropriate)
- Escalated higher risk compliance failures with appropriate action being taken
1.3 Adequate procedures are not just about “procedures”
The phrase “adequate procedures” should not be limited to the typical definition of “procedures”.
According to the New Oxford American Dictionary, “procedure” is defined as “an established or official
way of doing something”.
Adequate procedures, as proposed by the author, include something more than just an official way of
doing something. Simply referring to the definition would miss essential parts of a successful anti-bribery
programme which relate to the softer elements of compliance.
The softer elements include two essential components: “behavioural change” and establishing a “culture
of compliance”. No amount of hard policy and procedure will be able to contribute to these softer
elements of compliance. While repetition of “an established way of doing something” may ultimately
establish a change in behaviour, this method is time consuming and may not be well-integrated into the
business core.
Principle 3: Due diligence
The commercial organisation has due diligence policies and procedures which cover all parties to a business
relationship, including the organisation’s supply chain, agents and intermediaries, all forms of joint venture and
similar relationships and all markets in which the commercial organisation does business.
Principle 4: Clear, practical and accessible policies and procedures
The commercial organisation’s policies and procedures to prevent bribery being committed on its behalf are clear,
practical, accessible and enforceable. Policies and procedures take account of the roles of the whole work force
from the owners or board of directors to all employees, and all people and entities over which the commercial
organisation has control.
Principle 5: Effective implementation
The commercial organisation effectively implements its anti-bribery policies and procedures and ensures they are
embedded throughout the organisation. This process ensures that the development of policies and procedures
reflects the practical business issues that an organisation’s management and workforce face when seeking to
conduct business without bribery.
Principle 6: Monitoring and review
The commercial organisation institutes monitoring and review mechanisms to ensure compliance with relevant
policies and procedures and identifies any issues as they arise. The organisation implements improvements
where appropriate.
2. Adequate procedures
2.1 Establishing a base line – the code of conduct
Every organisation should have a code of conduct, also known as a code of ethics or a business conduct
guide. These codes are designed to set a high level baseline for conduct within the firm. The code should
weave the firm’s value system into the overall way in which the company conducts itself from an integrity
perspective.
Some companies give their codes a unique brand such as “the way we work” or “doing the right thing”,
which is intended to summarise the firm’s attitude and how it conducts itself.
Essential to any adequate procedure in managing anti-bribery risk is a section in the code on the company’s
tolerance for bribery. Typically, these code sections are reflective of the top ten major risks in the company
and most often include a foreign bribery risk.
While these sections in the code are very high level and do not contain details on the adequate procedures
that the company has adopted, it is useful to have these documents in the public domain as a statement
of your high level position on anti-bribery compliance.
2.2 Anti-bribery policy
A significant aspect of having adequate procedures is to have an anti-bribery policy within your anti-bribery
compliance programme.
In the past, these anti-bribery policies have been drafted by external lawyers and have been a summary of
the relevant law and its exceptions, with an overview of the exceptions to the law where certain payments
have been permissible.
Today, anti-bribery policies are:
- Shorter
- Written in plain English
- Focused less on the law and more on the company’s guidelines and direction on certain relevant risk areas
Anti-bribery policies vary in the level of detail they cover. Some are lengthy documents that encompass every
potential issue regarding compliance, while others are shorter and point to specific external guidelines for
support, resources and training requirements.
2.3 Giving and receiving gifts
Past cases have shown that an adequate compliance programme must contain some guidance and
procedures on the giving of gifts to government and commercial customers. These guidelines or
procedures should ensure that if the company does give gifts, they are of a type, and given in a way,
that would not fall foul of anti-bribery laws.
Adequate procedures with respect to the giving of gifts involve consideration of:
- What types of gifts are appropriate to be given to government officials (e.g., corporate branded gifts and toys)
- When those gifts would be acceptable (e.g., at the closing of a deal or at festivals)
- Whether gifts need to be limited in value (and further, whether those expense limits are universal or country-based)
- Whether gifts can only be given at a particular time of year (e.g., cultural festivals)
- Whether the gift needs pre-approval and by whom
- What the expense reimbursement process is and how this is tracked by staff
- Whether the gift is given to a person, a department or the institution as a whole
- Whether the gift is linked to a particular transaction
- What the purpose of giving the gift was and whether it was given for a corrupt purpose
Adequate procedures with respect to the receiving of gifts involve consideration of:
- Whether there has been reason to believe the gift was given with the purpose of influencing a decision
- Whether the gift is given to you, your department or the institution at which you work and to whom the gift was presented
- When those gifts would be acceptable (e.g., at the closing of a deal or at festivals)
- Whether the gift exceeds a certain limit (guidance should be given from your employer)
An adequate procedure must ensure that:
- The request, the assessment, the approval and the payment are recorded correctly and that documentary evidence supports such a payment.
2.4 Hospitality and entertainment
Similar to gift giving, entertaining customers and business partners is a very common aspect of
business. On the face of it, hospitality and entertainment are normal and an acceptable part of business
expenditure.
However, some companies push the limits of such hospitality and entertainment too far and have turned
simple lunches and “get togethers” into lavish meetings intended only to influence and coerce a decision
maker to decide in favour of the overly generous host.
Adequate procedures for hospitality and entertainment should contain:
- A policy which details
  - When providing hospitality to customers is acceptable
  - What that hospitality should consist of
  - How the hospitality should relate to a specific and legitimate business purpose
  - Details on what class of person can receive hospitality and entertainment from the company
  - Whether certain types of entertainment are banned
  - Whether certain locations in entertainment districts are banned
  - Whether the form of entertainment or the location in which such entertainment takes place needs to be directly related to the company’s product
  - Whether there are limits on the annual amount of entertainment given to each individual or institution either by monetary cost or by amount of entertainment and hospitality
- A procedure that sets out
  - What pre-approvals are required for providing hospitality and entertainment
  - What documentary evidence needs to be maintained for the approval
  - What documentary evidence needs to be maintained for the expense itself
  - The receipt of written authorisation that the recipient in accepting the benefit did not breach any of its own internal rules on the receipt of the benefit
An adequate procedure must ensure that:
- The request, the assessment, the approvals and the payment are recorded correctly and that documentary evidence supports such a payment.
2.5 Company-paid customer travel
Company-paid travel for customers is common for large companies. However, advances in technology have
meant that travel has become partly obsolete.
Other changes in the industry and the business world have meant that:
- Companies often have more than one “customer briefing centre” (where large expensive products are housed)
- Use of video conferencing technology has made the convening of meetings much easier
Companies typically pay for the travel for a customer in the following circumstances:
- Demonstration of a product that is only available at another location
- Attendance at training for a product or service where the cost of such training has been embedded into the cost of the product or service
- Meeting with senior executives or a board where the travel of such a group is complex or unlikely to happen
The adequate procedures for customer paid travel will include a policy, a procedural guideline and perhaps
an online approval tool technology (see below for details). The policy would include:
- An assessment of whether the travel for the customer is paid by the company, or paid by the customer and reimbursed
- The level of travel provided, the routing, the number of nights and whether the travel is absolutely necessary
- Details of the agenda for the meeting being attended
- Whether travel dates match attendance for the specific event
- Whether the routing supports side visits or overnight stays in luxury locations
- Restrictions on the per diem paid to cover expenses
- Details of such travel including transfers and pickups
- Details of hotels including what class and any additional costs
- Details on who will be travelling, the seniority of the person and what benefit they will obtain from the travel
- An explanation on how the traveller was invited. This includes whether invitation was made directly to the person or entity, and whether or not there is written authorisation that the recipient, in accepting the travel, did not breach any of its own internal rules
- Whether the travel class can be changed after ticketing and who controls such changes
- Whether the attendance has conditions of purchase
An adequate procedure would:
- Have forms or an online tool to complete travel requests and provide substantiation of travel
- Document the travel, the attendance and have documentary evidence substantiating that the travel was necessary and for the purpose in which it was described
An adequate procedure must ensure that:
- The request, the assessment, the approvals and the payment are recorded correctly and that documentary evidence supports such a payment.
2.6 Political contributions
Contributions by companies to political parties, politicians or political causes will need to be reviewed for
anti-bribery compliance.
Adequate procedures will include policies and procedures which address the following issues:
- Whether the request for donation and support was related to a pending decision by that or a related entity
- Whether it was requested by an outside party, or if it was proposed internally, and for what reason
- The specific purpose of the payment, the circumstances of its request, the benefits of the payment and the details of any special treatment provided by virtue of the payment
- Whether the payee has any impending decisions to make that may directly affect the company
- Whether any government official or party official will personally benefit from the payment even if such personal benefit is not monetary
- Whether payment to one political party is made public and disclosed on the company’s website or on another public space
- How the payment is going to be made, invoiced and receipted
An adequate procedure must ensure that:
- The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment.
2.7 Charitable donations
Contributions by companies to charities will need to be reviewed for anti-bribery compliance.
Adequate procedures will include policies and procedures which address the following issues:
- Whether the request for donation or support was related to a pending decision
- Whether the charity is a legitimate charity, is registered and is recognised by a government as an official charity
- Whether the charity is led by a government official
- Whether the request came from an external party or originated inside the company and for what reason
- The specific purpose of the payment, the circumstances of its request and payment, the benefits of the payment and the details of any special treatment provided by virtue of the payment
- Whether the payee has any impending decisions to make that may directly affect the company
- Whether any government official or party official will personally benefit from the payment, even if such personal benefit is not monetary
- Whether payment to the charity is made public and disclosed on the company’s website or on another public space
- How the payment is going to be made, invoiced and receipted
- What the payment is going to be used for; whether that use is illegal, or is being used to support an individual (either directly or indirectly) and whether that individual is connected to government and the company
An adequate procedure must ensure that:
- The request, the assessment, the approvals and the payment are recorded correctly and that documentary evidence supports such a payment.
2.8 Sponsorships
Companies are often requested to sponsor events, groups, teams and other people in their community.
Adequate procedures will include policies and procedures which address the following issues:
- Whether the request for sponsorship was related to a pending decision by that entity, a related entity or a person in power who represents the entity
- Whether the sponsorship is legitimate
- Whether the sponsorship is sought by an organisation that is led by a government official or is connected to decision making that will benefit the company
- Whether the request came from an external party or originated from inside the company, and for what reason
- The specific purpose of the payment, the circumstances of its request and payment, the benefits of the payment and the details of any special treatment provided by virtue of the payment
- Whether the payee has any impending decisions to make that may directly affect the company
- Whether any government official or party official will personally benefit from the payment even if such personal benefit is not monetary
- Whether the sponsorship is made public and disclosed on the company’s website or on another public space
- How the payment is going to be made, invoiced and receipted
- What the sponsorship payment is going to be used for; whether that use is illegal, or is being used to support an individual (either directly or indirectly) and whether that individual is connected to government and the company
- What the company receives as a result of the sponsorship payment in the form of branding, advertising, access, etc.
An adequate procedure must ensure that:
- The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment.
2.9 Facilitation payments
The UK Bribery Act remains silent as to whether small bribes are allowable for minor inconsequential expenses,
therefore making them illegal. For those companies who are prepared to make such payments (known as
facilitation payments under the Foreign Corrupt Practices Act), adequate procedures must include a set of
policies and procedures that address the inherent challenges with approving them. While such policies might be
perceived as having procedures to authorise an illegal act, this is a grey area where your code of conduct and
ethics are vital to guide your staff on the ground.
Following these procedures and having a set of rules to apply for such payments, particularly if they are made in
emergency situations, is advisable.
- Define what a facilitation payment is
- Provide examples of payments that would satisfy the test of being a facilitation payment
- Have procedures recording how the request for the facilitation payment was made, its cost to the company, and to whom and in what circumstances the request was made. Remember that not correctly recording a facilitation payment can be an offence under the Books and Records section of the FCPA, even if the payment itself is okay
- Have procedures for the approvals for the payment, how the payment was made and documented
- Conduct an analysis as to whether the payment would be in breach of local laws and whether that knowledge has raised additional concerns, risks or required additional controls to be inserted to address such issues
An adequate procedure must ensure that:
- The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment.
2.10 Solicitation and extortion
From time to time, companies may be the subject of extortion or solicitation for payments which, if not
made, would open the requested person to be harmed physically, emotionally or mentally. Such extortion,
blackmail and solicitation of funds often happen in situations where “there is no alternative” and the
personal safety of an individual is at risk if the payment is not made.
Adequate procedures would include:
- Guidelines for knowing when an extortion payment can be made, under what circumstances and how much might be acceptable
- What documentation is needed to support the payment reimbursement and guidelines for such reimbursements
- What external reporting is necessary to law enforcement agencies about the payment and in what circumstances is further disclosure to authorities required
- The timeframe for reporting such a payment after the payment was made
An adequate procedure must ensure that:
- The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment.
2.11 Payments to state-owned media
Payments to state-owned media often happen in controlled emerging markets where members of the
media request payments in order to:
- Attend a press conference
- Write a story
- Film and report a story or event
Adequate procedures for controlling payments to media should include:
- Evidence that any proposed payment is a genuine reimbursement of limited travel expenses for state-owned media to attend an event
- That the payment is supported either by an original travel receipt or a payment without a receipt that was determined to be a correct and valid estimate of the un-receipted fare
- Whether any payments were included in any invoices from public relations firms
- Whether any invoices that include unclear “service fees” represent payments to members of the state-owned media
An adequate procedure must ensure that:
- The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment.
2.12 Distributor and reseller commissions
Most companies sell their products through some form of channel, whether through agents,
intermediaries, distributors or resellers.
For anti-bribery compliance the management of the reseller commissions is essential to manage potential
illegal payments on behalf of third-parties, in this case, distributors and resellers. Adequate procedures for
the management of variances in distributor and reseller commissions and margins include:
- A mechanism to be alerted when distributor commissions fall below a particular level
- An approved methodology that reviews the additional request for a discount or margin and the reasons why it is being sought
- A set of documentation that supports the reasons given and the justifications for the payment
An adequate procedure must ensure that:
- The request, assessment, approvals and discount are recorded correctly and that documentary evidence supports such a discount.
2.13 Payments to agents, consultants and intermediaries
The use of agents, consultants and intermediaries (together here known as “intermediaries”) is a
well-known mechanism to make illegal payments to third parties, including government officials.
Adequate procedures to ensure that such intermediaries are not used for the facilitation of a bribe include:
- The approval of each intermediary before engagement
- Conducting due diligence to understand the circumstances upon which the third party has been engaged and instructed including the background of the third party
- Only engaging the intermediary after having received verification of their level of integrity and transparency
- Having a contract with the intermediary that addresses compliance with bribery laws and appropriate warranties and indemnities
- Paying the intermediary for services rendered that have been properly verified and validated. The payment should reflect the reasonable value which has been attributed to the services under the circumstances
An adequate procedure must ensure that:
- The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment.
2.14 Channel and customer rebates
Channel and customer rebates often occur in international business. Channel rebates are often paid when
a channel partner (e.g., a distributor sales or intermediary) achieves a particular target or sells a product or
service. Channel rebates, and indirectly customer rebates paid directly or indirectly through the channel,
are sometimes in the form of personal products, gifts, incentive trips and entertainment. In many cases they
take the form of personal items.
Adequate procedures should ensure:
- That any request for rebates paid to the channel or through the channel to customers (particularly government ones) is reviewed and approved subject to a documented approval process
- That gifts and other rebates are provided to the company, not to an individual
- That purchase orders and invoices correspond to such payments and that they are accurately recorded
- That rebates are never paid in the form of un-documentable vouchers or items that are of a personal nature
An adequate procedure must ensure that:
- The request, the assessment, the approvals and the payment are recorded correctly and that documentary evidence supports such a payment.
2.15 Marketing development funds
It is common in channel marketing for a vendor to provide some support to a channel partner. In addition
to rebates as shown above, marketing development funds (often referred to as MDF) are payments made
to the channel, by the vendor, for services rendered in the form of some agreed marketing purposes. In
some organisations, these payments are misused and are not genuine reimbursements of joint marketing
expenses. Rather, they are reimbursements for extra costs that the channel partner suffered in a sale and,
in some cases, actually amount to an additional discount that misses the adequate procedures in managing
variances in discounts.
Adequate procedures for managing MDF should ensure:
- That a documented MDF programme exists and that the terms of the fund are approved by legal counsel
- That the request for MDF should be received in writing in accordance with the programme
- That the request is assessed and approved taking into consideration the risk that funding could be misapplied in the form of corrupt payments
- That reimbursement of the share of the funding by the company is only issued after evidence has been shown that the funds were actually spent for the approved marketing purpose in the form which was agreed
An adequate procedure must ensure that:
- The request, assessment, approvals and payment are recorded correctly and that documentary evidence supports such a payment.
2.16 Due diligence
Adequate procedures for anti-bribery compliance include having due diligence (detailed review on the
integrity of channel partners, agents, intermediaries, support partners, suppliers) conducted and maintained
for the term of their relationship.
It is important to remember that due diligence should:
- Be different for different third parties
- Be risk based and show a different focus for different third parties
- Be flexible enough to be changed as risk profiles change
- Be broad enough to cover suppliers, vendors, agents, intermediaries and distributors / resellers
- Not be static and should be revised regularly based on the risk profile and potential liability for breaches
- Be for senior employees and other key hires that are in the business or come into the business
- Cover newly acquired entities and also their intermediaries (e.g., those that are acquired as a result of an acquisition)
- Be documented and be available for review and improvement
Due diligence from a legal perspective should only be a part of an overall due diligence programme. These
statutory risks are only one among many being considered when conducting a due diligence. Other risks
might include counterfeit product risks, forward revenue recognition, product liability, supplier over-pricing
and other contractual risks. It is an effective use of budget and resources to consider all these risks at the
same time rather than simply focus on the due diligence required by the Bribery Act or the FCPA.
Adequate procedures for due diligence include:
- Collecting material and background from the third party prior to any engagement
- Reviewing the material by use of an independent compliance-focused background screening organisation that tests the veracity of such information and independently assesses their integrity status in the marketplace
- Having due diligence reviewed and approved prior to engagement
- Having due diligence reviewed at regular intervals and constant monitoring of the parties concerned against watchlists, sanction lists and parties known to have engaged in corruption
Due diligence of third parties is a complex topic that requires a detailed discussion. Another whitepaper has
been drafted on this topic and is available at:
https://www.redflaggroup.com/education-centre/thought-leadership/whitepaper-best-practices-conducting-fcpa-anti-bribery-due-diligence
2.17 Channel programme (and other intermediary) risk reduction
Conducting due diligence on resellers, distributors, and other intermediaries is insufficient to effectively
manage the risk of corruption. A proactive methodology is required to maintain adequate procedures.
Adequate procedures in managing channel partner risks for corruption include:
Identifying channel partners with a sense of integrity
Conducting due diligence on their integrity and transparency
Providing direction to the channel partner by giving advice on policies, procedures and their code of
ethics
The provision of training, compliance tools and direction to the channel partner in the standards
expected of them regarding integrity issues
Conducting health checks and audits on the channel partners at regular intervals
More information can be obtained here:
https://www.redflaggroup.com/education-centre/thought-leadership/whitepaper-building-effective-compliance-programmes-third-parties
2.18 Customer training
Providing customers with product training in luxurious locations has been the subject of several cases
which have fallen foul of anti-bribery laws.
Adequate procedures should ensure:
That company-paid customer training is legitimate and essential for the customer
That the training has an open and accepted curriculum
That the training is provided in a facility which is controlled by the company and in a location that is not
luxurious or inappropriate
That the selected recipients require the training for the purposes of being licensed to own or able to
operate the product
That the other rules associated with company paid travel for the customer to travel to the training are
complied with
That if the training is provided by a third party that the third party adheres to such conditions
An adequate procedure must ensure that:
The request, assessment, approvals and payment of such training are recorded correctly and that
documentary evidence supports such a payment.
2.19 Appointment of subcontractors
It is also common for the selection of subcontractors by a company or its intermediary to be done for
illegal purposes. Often subcontractors are bogus and are selected in order to channel money to a third
party or to the owners of the chosen subcontractor itself who are often in a position of conflict with the
end user.
While the management of this risk is similar to the selection and management of intermediaries,
this group is often much harder to control, as selection happens further down the chain and the decision as to
which subcontractor is selected is often uncontrolled and left up to the business unit.
Adequate procedures to ensure that such subcontractors are not used for the facilitation of bribes include:
The approval of each subcontractor before engagement
Conducting due diligence to understand the circumstances upon which the subcontractor has been
engaged and instructed, including the background of the subcontractor
Only engaging the subcontractors after having received verification of their level of integrity and
transparency
Having a contract with the subcontractors that addresses compliance with bribery laws and
appropriate warranties and indemnities
Paying the subcontractor for services rendered that have been properly verified and validated. The
payment should reflect the reasonable value which has been attributed to the services under the
circumstances
An adequate procedure must ensure that:
The request, assessment, approvals and payment are recorded correctly and that documentary
evidence supports such a payment.
3. Adequate tools for adequate procedures
In today’s society, paper-based compliance will almost always fail, be subject to delays, or simply be
confusing in what could be a very straightforward process.
Adequate procedures that focus solely on policies and procedures are likely to be insufficient to effectively
manage corruption risks. Adequate procedures must include a set of tools and technology mechanisms to
help support and manage the adequate procedures.
The technology and tools aspect of adequate procedures often includes:
Approval and work flow technology
Supporting tools to manage specific adequate procedures tailored for your industry
Reporting mechanisms
3.1 Approval and work flow technology
Having some form of approval and workflow technology solution to manage the adequate procedures
shown above is essential to achieving maximum compliance.
Tip 1
Use a workflow software programme to automate some approvals. Relying on email approvals through a
single point is destined to fail.
Tip 2
Creating tight and restrictive policies and procedures generally means requiring all requests to be approved. Not
having a clear approval process and workflow typically means that the inbox of the lawyer or compliance officer
will be filled with multiple requests.
3.2 Supporting tools to manage specific adequate procedures
Using online tools and technology is essential to manage the adequate procedures. Indeed, some would
say that having such tools and technology in the first place is part of the adequate procedures themselves.
Simply having paper-based procedures and not being able to maintain an audit trail would, in effect, not be
adequate at all.
Examples of tools include:
Policy tools
Tools that support the online storage of policies and the tracking of those policies across an
organisation
Links from policies to further training and certifications
Reporting and tracking of non-complete policy certifications
Gift tools
Tools where a user can request the giving of gifts to government and commercial customers
Are mapped against a policy, so that the tool can auto-approve or route for approval
Allow for requests to be approved online with audit trails of the approvals
Give documentation to support the approval which is stored and trackable
Records the recipient of the gift on a database
Scans the recipient against watchlists to aid in the approval process
Travel tools
Tools where a user can request travel for government or commercial customers
Are mapped against a policy, so that the tool can auto-approve or route for approval based on specific
rules around the type of travel, the reason for the travel, the agenda and the person involved in the travel
Allow for requests to be approved online with audit trails of the approvals
Give documentation to support the approval which is stored and trackable
Scans the recipient against watchlists before they can be approved for travel
Efficiently links the financial systems of the company with the approval
Hospitality approvals
Tools where a user can request hospitality or entertainment for government or commercial customers
in advance of incurring the expense
Are mapped against a policy, so that the tool can auto-approve or route for approval based on specific
rules around the type of hospitality or entertainment
Allow for requests to be approved online with audit trails of the approvals
Give documentation to support the approval which is stored and trackable
Scans the recipient against watchlists before they can be approved for the receipt of any benefit
Efficiently links the financial systems of the company with the approval
Third-party due diligence questionnaires and risk ratings
Allows for input from selected third parties
Are available online and in multiple languages (which supports completion in multiple languages online)
Gives an analysis of such completed questionnaires with the automatic scoring of answers based on a
risk and scoring methodology designed along with the development of the questionnaire
Due diligence management tools
Have the ability to manage the request and delivery of due diligence reports on selected third parties
Have the ability to review, approve and track the reports which are to be facilitated
Conduct ongoing reviews (daily) of due diligence subjects (including their shareholders, directors and
officers) against international watchlists
Conducts ongoing reviews against negative media of due diligence subjects (including their
shareholders, directors and officers)
Online certification tools
Have the ability to obtain certifications from both external and internal people in multiple languages
where the person can certify compliance with anti-corruption controls
Ensures that certifications are tracked, automated and reminders set for on-going compliance
in successive periods
Online training and learning management systems
Are systems that allow for short-focused training to be released which teaches the practical aspects of
anti-bribery compliance to both internal and external parties
The successful completion of each training session is tracked and reported upon as part of an overall
anti-corruption adequate procedures risk management process
Conflicts of interest disclosure tools
Have the ability to obtain conflicts disclosures from both external and internal parties in multiple
languages where the person can disclose any non-conformance with the conflicts of interest policy
Tracks non-conformance and any controls, allowances or waivers against a remediation tool that
supports integrated tracking together with an ongoing analysis
Ensures that disclosures are tracked, automated and reminders set for on-going compliance in
successive periods
Communications management
Where all communications both internally and externally are managed through a tool that documents
the adequate procedures anti-bribery compliance programme
Watchlist scanning tools
A tool that allows for self scanning (in batches if necessary) of third parties against international
watchlists, sanction lists and known or suspected illegal or corrupt parties
4. Behavioural change
Adequate procedures are nothing unless you effect behavioural change. Behavioural change is another
important aspect of building an anti-bribery compliance programme and is often overlooked.
Managing adequate procedures in the form of policies and procedures, tools and technology is ineffective
unless the behaviour of making illegal payments to win business is addressed.
In many emerging markets there is a long-standing practice of giving gifts and hospitality to government
officials. Companies who address this risk by simply putting in place adequate procedures will find the
following results of failure:
No one will follow them up
Everyone claims they are following them up and the activity simply goes underground
They find other ways of making the payment
The big problem here is that the underlying behaviour was never successfully changed.
Behavioural change is extremely difficult to effect in a large organisation. It requires an analysis of why that
behaviour exists and what the reason for the behaviour is.
Often the behaviour of making bribes or illegal payments is because:
The payee is underpaid and needs the bribe for their sustenance and living
The payer is under heavy obligations to produce sales results “at any cost” and is pushed to achieve targets
The payer is working within a cultural environment where relationships, favours and gift giving are common
The payer is working in a company which is known for paying bribes to win business, and as a result, it
is expected that they facilitate a payment despite their own personal objections
The payer works in a company whose products are inferior or sub-standard and needs to be bribed in
order to elevate the production standards
The payer works in a company that does not reward staff for turning away from corruption and there is
no visible incentive to turn away
The payer works in a company that is ignorant of the risks and has no corruption programme in place
The study of changing corporate behaviour will be addressed in a separate whitepaper that supports this paper.
It is a topic in and of itself and is one of the most challenging aspects of an anti-bribery compliance programme.
However, taking steps towards changing the behaviour is essential: it is the only way that adequate
procedures will actually work and be effective.
4.1 Tone at the top – leading by example
Behavioural change is very hard to achieve in a large diverse multi-cultural workplace. However, one
common ingredient is that leadership usually dictates how people will react and is a foundation for their
behaviour. The CEO’s and senior management’s actions are under scrutiny every day by staff, and they are
being looked at to set the example of integrity and good behaviour.
For this reason, it is essential that the tone at the top is solid and supportive of the compliance programme,
not just on paper but also in spirit.
Example:
In anti-bribery compliance programmes, many long-time partners often rely on long-term relationships with the
CEO or the country manager as the basis for some form of protection. It is important that the CEO or senior
manager really endorses the anti-corruption compliance programme, and shows that pre-existing relationships do
not necessarily support any form of amnesty.
A sales-driven environment is a place where it is common to see compensation plans driving behaviour.
Understanding the true motivators of the recipients and stakeholders of a compliance programme is
essential to having them change behaviour.
Take the time to assess:
Each stakeholder in the compliance programme
Each person who owes a compliance obligation
Decide which category of behavioural driver they are in, and then develop a specific plan for that person or
stakeholder to move them along the path towards the preferred behavioural pattern. A good compliance
person has a well-trained ability to understand organisational behaviour and how to change it.
Understanding the culture of an organisation is essential in making an assessment on how effective any
behavioural change will be. In some cases, it is necessary to re-adjust the approach because of a strong
overriding cultural reason.
4.2 Drivers and motivators
Human nature is often at the centre of most behavioural change.
Tip
There are only a handful of recognised drivers of human behaviours:
Greed
Power
Status or prestige
Success
Culture
Look for the driver and then work out how to motivate them to act
Example:
In an anti-bribery compliance programme:
Distributors are generally motivated by:
Margin (the amount of money they make on the buying and selling of your products or services) or the
status of their eligibility in a defined partner programme (e.g., a Gold Certified Partner)
Their ability to sell to the government as an authorised partner (e.g., GSA schedule) and many would
never jeopardise that benefit
The possibility of going to an IPO, or raising capital and therefore they would not want to damage their
brand in any way
Sales people are generally motivated by commission
Management is usually motivated by revenue, margin, and success
Country management is normally motivated by:
Revenue, margin, and success
The political requirement to not have their country or region being viewed as problematic and being the
subject of endless audits by headquarters for compliance issues (classic face saving activities in Asian
cultures)
You can almost guarantee that there is no stakeholder that you can move along the path towards
behavioural change without some form of mentoring and coaching.
Tip
Good coaching involves good listening skills. Always stop and listen to the concerns of the person whose behaviour
you are looking to change. In many cases, they just want to be heard. You need to spend time talking face-to-face
with people that you need to coach. Email is not a coaching tool, nor is using power to compel change.
4.3 Reward mechanisms
It was the Russian psychologist Ivan Pavlov’s theories that supported the idea that behavioural change
and reward worked together like hand and glove. Expecting people to change without any form of
incentive is misguided and extremely hopeful. Human mechanisms support the argument that compliance
programmes need to have an incentive to change.
The Human Resources department is essential in helping push through incentive mechanisms. Linking
behaviour to compensation is essential in most business environments, and generally HR control the purse
strings on linking business results to compensation.
Example:
In anti-bribery compliance programmes, reward mechanisms for good compliance might include aspects of the
adequate procedures:
Employees
Payment of additional bonuses for solid compliance
Awards and recognitions
Partners
Continuation of certified status for a partner (e.g., as a “Gold” partner)
Extra discounts or market development funds (MDF) for partners
Extension of product list or government purchase authority
Approval to be a first-tier distributor
Referrals of direct deals to the channel
4.4 Disciplinary procedures
Coupled with reward mechanisms, disciplinary procedures are a key piece of any compliance programme.
Disciplinary procedures are often the only form of motivator used by companies (people often forget to apply
reward mechanisms). They are typically used as a “stick” to get performance and often with mixed results.
Example:
In an anti-bribery compliance programme, disciplinary procedures are often related to termination of the employee
or the reseller and distributor agreement where a partner has been involved in an allegation.
However, other options are available, and it should be made clear to the people involved what the potential
consequences are for certain infringements.
Employees
Mandatory training and integrity coaching
Reassignment away from government dealings
Removal of spending privileges
Demotions (e.g., individual contributor)
Warnings
Partners
Audits (including by a third-party)
Rebates / Reductions / Return of commissions
Withdrawal of privileges (e.g., stocking, government sales)
Mandatory training
4.5 Employee training
The successful implementation of a compliance programme depends on training. The training must include
training for:
Board members, Executive Committee
Employees, contractors
Business partners, agents, suppliers
While each and every one of the above parties should receive training, it is advisable that the training be
customised in style, format and content. This can be done by varying:
Style of the training (detailed, summaries, point form)
Format of the training (e-learning, classroom style, lecture style)
Content of the training (scenario-based, hands-on learning, legal content)
It should also be kept in mind that while all of the audiences above should be considered for training, it
does not mean that all of the people in each audience need to get the training. It is incorrect to suggest that
training should be provided to all audience groups. However, it is correct to say that 100% training should be
provided to those people who have been identified as having a job description or role that crosses with issues
that could be relevant.
For example, training manufacturing plant employees on corruption might be a fruitless exercise. However,
training dock and stevedore workers (who interact with customs and other officials) might be appropriate.
The first step in developing the training program is conducting a needs assessment and risk assessment based
on the job descriptions and job functions.
4.6 Dealing with issues
It is common after training to receive a number of questions about everyday conduct being carried out by
the company and its employees. Certain conduct is often raised for discussion and review. There needs to
be a mechanism for these issues to be raised and to have them discussed and resolved. Often some issues
are resolved after only small changes are made, while certain conduct may need to be stopped altogether.
Mechanisms need to be in place to support issues being raised. This mechanism may include:
Contact information in the policies and procedures where people can go to get help and ask follow-up
questions
A small focus group or workshop of employees in an office that get together to talk regularly about
conduct and whether it raises integrity issues
An online tool that allows for compliance related FAQs to be asked and reviewed
These mechanisms should be relatively informal in order to encourage staff to raise issues and questions.
They should be different to the typical ‘Ethics Hotline’ that is used more to report illegal or suspicious
conduct. A more informal approach would encourage questions about existing conduct and practices in
the company.
Having an online tool for employees to ask questions and be answered by the Compliance or Legal team
is the best way to expand the knowledge to a broader audience. The online tool should be available for all
staff and form part of the corporate intranet or some other forum designed specifically for this purpose.
5. Monitoring
5.1 Monitoring the adequate procedures
Monitoring the adequate procedures is a crucial, yet often overlooked, ingredient to the compliance
programme. Often, companies rely simply on anonymous reporting hotlines and internal audit to conduct
monitoring and measurement, but have no real programme to support these claims.
Monitoring the adequate procedures is essential. Putting in place or mandating adequate procedures
without also having a mechanism to manage them is a waste of resources.
Monitoring the adequate procedures is an area that most compliance officers are relatively unfamiliar with.
They tend to focus only on whether training (which is but one adequate procedure) has been completed.
This is because it is easy to assess (as it involves simply an assessment of completed training versus the
overall employee base) and involves minimal cost.
The monitoring of adequate procedures must assess the actual effectiveness of the procedures: whether
they are in place, are known, understood, and working well.
Monitoring the adequate procedures could involve:
Making sure the objectives of the adequate procedures, the overall compliance programme and the
business needs are aligned
Assessing any cultural change brought about by the procedures
Identifying if there is a change in the behaviour of those following the procedures
Determining whether business value has been realised by putting in place the adequate procedures
Example:
In anti-bribery compliance programmes, these involve testing whether the business’s overall risk and violations have
decreased over time, and whether the culture of compliance has been improved.
5.2 On-the-ground monitoring
The best form of compliance monitoring is ‘on-the-ground’ monitoring. This means scheduling time
each quarter to get out of the office or headquarters to travel to the outer regions of the business
(usually to the emerging markets where these issues occur more frequently). The purpose of these visits
is to monitor directly the health of the compliance programme. This is best done by talking to people,
setting up meetings to talk about the compliance programme, observe what the experiences are from
the implementation and to generally monitor the ‘noise’ that is in the system. This sort of monitoring is
essential because it is informal and generally produces better results than a formal programme which may
place duress on the people being monitored.
Tip
The sort of monitoring proposed here is simple. It is to visit a country and sit down individually with the Head of
Sales, the Country Manager, and the Finance Director to talk about their experiences with the programme. These
discussions are often best had over dinner or breakfast in an informal and relaxed setting. The key is to ask broad
open–ended questions that support the discussion of the topics. This is a fact-finding discussion not an interview nor
an inquisition, nor an audit. Planning these meetings is a key to ensure that the relevant people are in town for your
visit. There is nothing like getting the real unadulterated data at the coalface.
5.3 Conducting surveys
Conducting surveys is a great way to feel the pulse of the whole organisation. The surveys are best
conducted online in a secure environment and distributed by the Business group (as opposed to Legal or
Compliance). These surveys should be targeted to a specific compliance issue (e.g., bribery) rather than
having a general set of compliance questions. The value in the surveys is to ask specific questions that will
induce an answer. For example, the following questions would be relevant:
Do you feel that our anti-bribery compliance programme has been adopted by your management?
Have you experienced situations where you now behave differently given the new focus on
compliance?
Do you feel that management ‘walks the talk’ when it comes to the anti-corruption programme?
Have you changed your approach to certain situations in the field since conducting the training?
Has there been a change in the engagement of third parties and intermediaries since the programme
was enacted?
Have there been any negative effects on the business since implementing the programme?
Do you feel that the programme is consistent with good business practice in the region?
Do you feel that the programme is consistent with our brand and our values?
Tip
An online survey can be easily structured with mandatory questions and options that allow for extra commentary.
The survey can be completed anonymously in order to encourage responses unless participants wish to give their
information for further follow-up. Ideally, the survey link should be sent out by the Business teams rather than
Compliance or Legal. Studies show that staff are more likely to complete the survey if it comes from their direct
manager. It is also advisable to run the same survey (with the same set of questions) quarterly for several quarters
following the implementation of the Programme. That way, trending analyses can be built on the answers to the
questions over time.
6. Measurement
Measurement is all about how well the adequate procedures are working – and presenting evidence to
prove it.
It requires the objectives of the programme to be assessed and measured.
Targets should have been set in the earlier stages of the programme and agreed with the CEO and the
board on the future success of the programme. All these now need to be measured and reported.
Measurement involves active review of the programme. In most cases, this involves:
Testing the adequate procedures with audits
Conducting interviews and behaviour / culture assessments
6.1 Identifying / building measurable indicators
Building measurable indicators is quite challenging for certain adequate procedures. Most often, it requires
looking specifically at single indicators of successful compliance.
Common measurements include the following:
Efficacy of the adequate procedures
Number of failures of each adequate procedure
Number of hotline or other reporting issues raised
Number of “near misses”
Training effectiveness results
Business value
Number of deals supported through new measures
Return on investment from the compliance programme
Example:
In anti-bribery compliance programmes, measurements could include:
Number of requests sought for gifts, travel or hospitality through an online system or tool
Volume of requests for charitable donations
Number of due diligence requests for new distributors
Number of customer complaints relating to distributor conduct
Number of audit violations
Volume of revenue adjustments
6.2 Audits
Most compliance programmes include some form of audit of each adequate procedure in order to
measure the effectiveness of each procedure.
Example:
A typical audit of the adequate procedure for use of a distributor might look like this:
[Figure: audit workflow with phases labelled Planning, Risk Assessment, Execution and Report, and the supporting materials: draft report templates, remediation guidelines, communication plans, escalation paths, partner checklist, interview questions, task lists, meeting schedules, risk assessment templates, attribute weightings, guide to risk weightings, notification letters, internal communication matrix, partner review checklist, document request list, business interview checklist.]
The audit should cover all aspects of the adequate procedure, including the actual performance of the
adequate procedure. It is important to audit whether the adequate procedure is working and, if not, find
out why. Are employees aware of their obligations? Do they know what they should and should not do in
a particular situation? Do they know where to go to get help?
The nature of the audit-framework you develop will very much depend on the company and its compliance
background and culture, whether you are at the initial stages of implementing adequate procedures, how
developed your auditing systems are and other such considerations. It is important to make sure that any
audit is realistic in its purpose, maps the objectives and targets of the adequate procedure and provides
useful and insightful results which can be used to ensure on-going improvement.
It is essential to determine who or what is being audited. The audit typically includes:
Awareness of the adequate procedure throughout the organisation
Assessment of whether the adequate procedure has been complied with and to what extent
Assessment of whether the training has been effective
Establishing the frequency of audits or measurements
The frequency of measurement very much depends on the adequate procedure itself, and is often agreed
at the commitment stage for reporting purposes.
Audits can be long and expensive processes.
It is, therefore, important to make sure the frequency of audits and other measurements provided for in
the compliance programme are realistic, aligned with the objectives and targets of the programme and
that they take into account the risks faced by the company.
Another whitepaper has been drafted on this topic and is available at:
https://www.redflaggroup.com/education-centre/thought-leadership/whitepaper-best-practices-auditing-third-parties-fcpa-anti-bribery-compliance
Example:
An anti-bribery audit programme that consists of several adequate procedures might cover the following aspects:
Gifts
Review of expense claims over a specified period
Assessment of whether or not those gifts fall within the gift approval policy, whether they were within the
prescribed gift limits, and whether they were approved properly
Cross-referencing of any gifts given to government officials against deals done at the same time
Review of the number of gifts given per sales person or received per customer over a period of time
Travel
Review of expense claims over a specified period for any person who accompanied government officials on
company-paid travel
Review of expense claims to identify any side trips or lavish entertainment
Charitable donations
Review of charitable donations to ensure compliance with the review and approval process and to identify
whether the charities have associations with any government officials
Third parties
Review of third parties to determine if due diligence has been performed and whether that due diligence
revealed any issues
Comparison of margins received for commissions with the average or standard commissions earned by
third parties
Review of the training records of partners
Use of consultants
Review of consultancy contracts and payments made to consultants
Assessment of due diligence performed on consultants
Review of consultancy contracts, the purpose of each contract, the services provided and the price paid
Comparison of deals around that period to gauge the legitimacy of the particular deal
Example:
Adequate procedures in an anti-bribery compliance programme audit typically involve both internal audit and
external audit of third parties.
Before embarking on such a project, it is a good idea to conduct a simple risk assessment on the third parties
themselves to determine which third parties to audit.
To determine the risk profile of the third parties, it is a good idea for your risk assessment to cover both financial
and non-financial risks.
Once completed, a smaller more manageable group of third parties will have been marked for audit and a more
manageable audit programme can be developed.
[Figure: third-party risk assessment attributes, grouped as Financial Attributes and Non-Financial Attributes. Labels shown: Amount of Sales; Direct Sales vs Indirect Sales; Private vs Public; Legal Risk; Previous Issues; Country of Concern; Export Control Restrictions; Contract Type; Time since Last Audit; Sub-Tier Partners; High % of Government Business; Business Perception; Product Type; Free Goods, Samples & Returns; Margin Analysis; Stocking Levels; Returned Goods; MDF Amounts.]
[Figure: third-party audit timeline with milestones D-8, D-7, D-2, D and D+2. Steps shown: Notification to business; Discuss objectives with country managers; Assess country risks and macro compliance risks; Collect and review sample data submitted; Report out internally; Report out to partner; Conduct risk assessment with channel; Determine focus partners and country; Request data from partner; On-site assessment at partner; Execution and testing; Interview, review and data analysis.]
7.1 Establish criteria and reporting obligations
For most organisations, some form of reporting on the efficacy of the adequate procedures is expected. At
the very least, there is an expectation to report on the progress of the roll-out of the programme itself.
All too often, companies make the mistake of limiting reporting to simply the roll-out status. Several other
reports that could be produced include:
Actual spend of budget versus target spend of the development and operation of the adequate procedures
Effectiveness of behavioural changes that form part of the adequate procedures
Effectiveness of training relating to the adequate procedures
Results of audits of the adequate procedures
Number of claims lodged from compliance regarding the adequate procedures
Business value added / realised through the adoption of the adequate procedures
Cost savings achieved to-date through the adoption of the adequate procedures
Return on investment from implementing the adequate procedures
When assessing the reporting criteria and obligations, it is also important to consider the following points:
Graphs are more useful to management than raw data. While some management will wish to dig
deeper into the numbers, most reporting managers want to see graphs (however, always structure such
graphs so that a “double-click” can reveal the underlying numbers).
Trending analysis. For most managers, simple numbers are not particularly helpful to the task of assessing
a programme. For example, stating that 122 people have reported issues through a reporting hotline is not
very helpful. It is far more helpful to explain:
How this relates to last year
How this relates to pre- and post-implementation of the programme
How this relates to the overall objectives of the programme
How this relates to industry peers
It is important that you also assess who needs to see the actual reports. While many people will claim they
need to see them, it is important to establish some boundaries regarding who truly needs to receive the
reports, at what point in time, and in what format.
7. Reporting
Example:
For anti-bribery based adequate procedures, it is very common to have a set of reporting mechanisms. This might be
designed as follows:
What reports should be produced?
Number of gift requests per country or per region
Number of requests for government official hospitality and the average spend trend per request
Number of marketing requests for approval to fix the company logo to marketing merchandise
Number of partners or third parties that are being screened as part of the anti-bribery compliance programme
Number of third parties that have completed a third party questionnaire versus those that have not started
Number of due diligences that have been conducted versus the total number of potential third parties
Time for on-boarding a third party and conducting the necessary checks
Number of issues identified through third party due diligence that required additional feedback and follow-up
Number of times the anti-bribery compliance programme has been accessed online with a country-by-country
breakdown
Number of staff and partners who have undergone anti-bribery policy training
Number of escalations or issues found as a result of audits
Number of audits conducted and the cost of those audits
Who should receive them?
This depends on the company. However, in most programmes the following sections might need to be provided
with some of the reports:
The sales, sales operations and channel teams
Finance and audit
The legal team
Training and HR
The audit committee
How often?
This also depends on the nature of the report itself. If trending analysis is a significant part of the report, then
typically a longer period of time will be needed to show the trending.
7.2 Dissemination of reports
There is a need to determine how reports should be disseminated. While this should be self-explanatory,
here are some things to consider:
Consider reporting verbally (for highly sensitive material)
Consider executive summaries and shorter reports for certain people, and longer reports for others
Consider channelling the reporting through legal in order to maintain privilege over the reports
7.3 Exception reporting
Many organisations work on the basis of exception reporting, meaning that if there is an event that
needs to be reported, then there needs to be a separate mechanism to immediately report on that
event, even if other reporting mechanisms are already in place (but which may take longer).
In addition, it is common to report on unusual items that appear to be out of sync with the normal
setting or results expected.
Example:
In anti-bribery compliance programmes, there are some exception reports that might be the subject of reporting:
Unexplained spikes at the end of quarter for gift or hospitality requests
Unexplained requests for customers to receive off-site training
Unexplained requests late in deals to appoint an intermediary
Deals that happen too fast, well below the expected time frame for something of that size or complexity (may
suggest that the deal is not real, that the product is for a different end-user, or that the product is being
on-sold or diverted {potentially raising export control risks})
7.4 External reporting
There is also a need to have a policy on self-reporting to external regulators. The procedures for ‘self-referral’
or ‘self-reporting’ are well documented on the Serious Fraud Office’s website.
It is clear that regulators both in the UK and the US look more favourably on companies that self-report
breaches of anti-corruption legislation. Companies which are deciding whether or not to self-report need
to tread carefully, as it may expose the company to civil actions from shareholders, or obligate it to release
information in securities filings and lead to prosecutions that might not otherwise have happened had the
self-reporting not been done.
The procedure on self-reporting should address:
The role of compliance as compared to that of the legal function
To whom the self-report should be made and in what format
Whether the self-report is made in writing or in an initial meeting to gauge the seriousness or interest of
the regulator
Whether the media also needs to be informed at the same time with a holding statement noting that an
investigation is underway
Whether there are other exchanges or bodies that need to be informed (e.g., regulators in different
countries if the suspected bribery happened in a country which is different to your ‘home’ country)
Whether there are contractual issues (e.g., confidentiality clauses) in contracts with customers or third
parties that prohibit the statement being made when it has not been compelled by a law or regulation but
is voluntary only
The extent of the issue, though protections need to be in place to prevent the disclosure of confidential
information or information about specific people whose innocence must be maintained before proven guilty
The status of the investigation
How the investigation is being conducted, by whom, and in what capacity
The likelihood of further follow-up and how that follow-up should be made
The procedure on self-reporting should also delegate the designated spokespersons or those in the company
that have the express authority to speak about the issue and to the regulator or the media. It is advisable to
have a holding statement ready and a procedure to deal with crisis communications should the story develop
into a significant news item.
Documenting the adequate procedures and the results of their implementation is often overlooked by
compliance departments. When asked to view the compliance programme, there is no one place where it
is located. It is common to have the programme in various pieces and at various stages of completion, and
stored in various formats and locations.
In some situations, the documentation of the adequate procedures might be simply a printed document.
Again, this is not terribly effective. Adequate procedures are not static. They must always be monitored,
reported and improved upon.
It is rare that adequate procedures can become part of a bound printed document. This is a good sign that
the programme is not a living and breathing instrument.
8.1 Establish record keeping mechanisms
Record keeping mechanisms in the post-2000 era need to be web-based and available online. A document
management system is the most basic form of records system. However, the system typically also needs to
include the following:
The ability to show the actual compliance programme itself
A document repository to show all documents that reflect the programme and its implementation
A dashboard that shows all the necessary reporting mechanisms and the current or up-to-date state of
play of the programme
The ability to record incidents and issues arising from the programme
A mechanism to communicate with stakeholders about the programme in a clearly articulated and
effective way
8.2 Remediation
Remediation efforts are one of the key aspects of any adequate procedure. Recording the remediation
steps for any adequate procedures is essential and must be readily available.
The key aspects of remediation are:
Recording (or linking to) the remediation requirement / obligation for the particular event or incident that
gave rise to the remediation
Naming an owner for the remediation effort
Describing the remediation effort, and showing the steps to complete remediation
Identifying a time for completion of the remediation steps
Identifying any testing to confirm remediation measures are in place and that they have been validated as
effective
8. Documentation
Example:
In anti-bribery adequate procedures, remediation steps might include:
Annual confirmation from all sales-facing staff and distributors that they will not make payments to
government officials or engage subcontractors
Declaration of conflicts of interest
Additional audit steps in other countries where it is likely there will be similar integrity issues or violations
More training and scenario-based education
More tools to help approval routing and reporting
More detailed due diligence versus watchlist screening
Better documentation of the programme, and increased awareness through advertising, branding and internal
newsletters
Senior executives “talking the talk” more often
A requirement that your partners conduct their own audits for compliance, and that they make these available
to your company
A requirement that your partners conduct annual assessments of their adoption and culture of compliance
standards, and that these are provided and reported back to your organisation annually
9. Compliance Checklist
This checklist is designed to be a guide for you to evaluate your company’s present and future compliance
activities. The scope of this checklist depends on the size and available resources of each company.
Details | Start Date | Date Completed
The Programme
Code of Conduct
Does your company have a code of conduct?
How regularly is the code of conduct reviewed?
Due Diligence
Is there a procedure for collecting material and background from all third parties prior to engagement?
Is your company using an independent compliance-focused background screening organisation to independently verify and assess the third parties?
Is the due diligence regularly reviewed and monitored against watchlists and sanctions lists?
Structure
Is there a Compliance Committee?
Is there a Compliance Officer?
How successfully integrated are the roles of the Compliance Committee and Compliance Officer into the business structure of the company?
Who from each business group reports to the Compliance Officer?
Is there access to senior management?
Is there a mechanism for whistleblowers to tip anonymously?
Is there a system for employees to seek guidance about potential violations?
Adequate Procedures
Anti-bribery
Is there an anti-bribery policy?
Does the company have written agreements for every international consultant?
Does the company prohibit the use of subagents without prior approval by the company?
What is the rate of commission paid to international consultants?
Are there guidelines or prohibitions on payments to certain countries?
Gifts
Is there a system for requesting, approving and recording gifts?
Was the gift linked to a particular transaction?
Is there a policy regarding the receiving of gifts?
Hospitality & Entertainment
Is there an approval process for the provision of hospitality and entertainment?
Company-paid travel
Is there an approval process for company travel requests?
Is there a system to collect documentary evidence of the company travel?
Is there an approval process for customer travel requests?
Donations
Is there an approval process for payments made to political parties, politicians or political causes?
Is there an approval process for payments made to charities?
Are payments disclosed publicly?
What is the purpose of the payment?
Sponsorships
Is the sponsorship legitimately for marketing purposes only?
Is the sponsorship made public?
Facilitation payments
Is there an approval process for facilitation payments?
Has there been proper legal analysis of whether the payment would be in breach of local laws?
Solicitation and extortion
Are there guidelines for knowing when an extortion payment can be made?
Is the company required to report to law enforcement agencies about the payment?
Payments to state-owned media
Is there a policy requiring payments made to state-owned media outlets be recorded?
What are the procedures for reimbursing state-owned media to attend a company event?
What if the payments were actually paid via a public relations company?
Distributor and reseller commissions
Are there mechanisms for alerting when a distributor commission falls below a particular level?
Agents, consultants and intermediaries
Is there a process to verify that payments correspond to sales activities?
Has due diligence been conducted on the third party to verify their level of integrity?
Does the contract address compliance with anti-bribery laws?
Channel and customer rebates
Is there a verification process ensuring that rebates are properly documented?
Marketing Development Funds (MDF)
Is there a documented MDF program?
Is there an approval process to ensure that reimbursement is only paid after evidence has been shown that the funds were actually spent for the marketing purpose?
Subcontractors
Has due diligence been conducted on the subcontractor?
What is the purpose for employing the subcontractor?
Does the contract address compliance with anti-bribery laws?
Is there a process to verify that payments correspond to the services?
Training
Tone at the top
Does senior management consistently promote the compliance programme and culture?
Are there mechanisms to prevent long-time partners from relying on their long-term relationships with senior management as the basis for non-compliance?
Regular training on:
Code of Conduct training
Business practices training for sales, marketing, HR etc
Anti-corruption
Data privacy and confidentiality
Channel partners
Is there a methodology for providing advice to channel partners on policies, procedures and code of ethics?
Customers
Are there measures in place to ensure that company-paid customer training is legitimate and essential for the customer?
Are there policies against providing training in locations that are overly luxurious or inappropriate?
Disciplinary procedures
Are there disciplinary procedures in place for when either an employee or a reseller breaches their compliance obligations?
Monitoring
Are there indicators in place that assist in quantifying the performance of the compliance programme?
Does the compliance programme include auditing activities to detect breaches of laws and regulations?
Reporting
Is there a system to report on the efficacy of the programme itself?
Do the reports contain trending analyses as well?
Is there a procedure for how reports are disseminated?
Is there a known system for exception reporting?
Documentation
Is there a mechanism to keep records digitally on a searchable database?
Is there a way to record incidents and issues?
Is there a process by which to communicate with stakeholders about the programme?
Remediation
Is there a process for remediating the issues which arise from the programme?
Is there somebody to whom the remediation effort can be assigned?
About The Red Flag Group
The Red Flag Group is The Compliance Firm™ that helps companies turn compliance into a competitive advantage. We create customised and
integrated compliance solutions that add value to your business.
For more information, go to www.redflaggroup.com
About the author
Scott Lane, Executive Chairman of The Red Flag Group, has over 15 years’ experience in legal, compliance, internal audit, export
control, ethics and corporate governance, providing counselling and advice to senior management throughout the world in the
development of legal and compliance practices. Scott has worked as a senior director and general counsel in various multinational
corporations in Australia, the United Kingdom and Hong Kong, and has significant experience in complex compliance issues.
The Red Flag Group is a truly global company with offices and research centers in the USA, Europe, Asia, Africa and Latin America.
For more information visit: www.redflaggroup.com