Adequate procedures in anti bribery compliance

Adequate Procedures inAnti-Bribery Compliance

Whitepaper

Scott Lane Executive Chairman of The Red Flag Group

Contents1. Overview

1.1 Anti-bribery laws

1.2 The concept of “adequate procedures”

1.3 Adequate procedures are not just about “procedures”

2. Adequate procedures

2.1 Establishing a base line – the code of conduct

2.2 Anti-bribery policy

2.3 Giving and receiving gifts

2.4 Hospitality and entertainment

2.5 Company-paid customer travel

2.6 Political contributions

2.7 Charitable donations

2.8 Sponsorships

2.9 Facilitation payments

2.10 Solicitation and extortion

2.11 Payments to state-owned media

2.12 Distributor and reseller commissions

2.13 Payments to agents, consultants and intermediaries

2.14 Channel and customer rebates

2.15 Marketing development funds

2.16 Due diligence

2.17 Channel programme (and other intermediary) risk reduction

2.18 Customer training

2.19 Appointment of subcontractors

3. Adequate tools for adequate procedures

3.1 Approval and work flow technology

3.2 Supporting tools to manage specific adequate procedures

4. Behavioural change

4.1 Tone at the top – leading by example

4.2 Drivers and motivators

4.3 Reward mechanisms

4.4 Disciplinary procedures

4.5 Employee training

4.6 Dealing with issues

5. Monitoring

5.1 Monitoring the adequate procedures

5.2 On-the-ground monitoring

5.3 Conducting surveys

6. Measurement

6.1 Identifying / building measureable indicators

6.2 Audits

7. Reporting

7.1 Establish criteria and reporting obligations

7.2 Dissemination of reports

7.3 Exception reporting

7.4 External reporting

8. Documentation

8.1 Establish record keeping mechanisms

8.2 Remediation

9. Compliance Checklist

Contents

Page 5

1. Overview

1.1 Anti-bribery laws

Every organisation in the world operates in a market that restricts bribery to public officials. Often, there are

laws which prohibit commercial bribery.

Complying with the written laws of each country in which your company is based or conducts business is

paramount for any business. While the laws vary in name across jurisdictions, they are generally all

designed to prevent one simple thing: giving something of value to someone (normally a government

decision maker) for the purposes of gaining an unfair advantage.

The UK Bribery Act 2010

UK Ministry of Justice: Six principles for bribery prevention

For years, the Foreign Corrupt Practices Act was the main anti-corruption legislation on which companies

operating in multiple jurisdictions (even non-US firms) focused because of its extra-territorial provisions. That

is no longer the case with the passage of the UK Bribery Act 2010 in April 2010. Section 7 of the Bribery Act

creates a new offence for companies who fail to prevent persons associated with them from committing bribery

on their behalf. It is a defence however, for companies to show that they have adequate procedures in place to

stop corruption from happening.

Even more important however, is the Act’s extra-territorial powers. Like the FCPA, the UK Act’s corporate criminal

offence will apply not only to commercial organisations in the UK, but also to non-UK companies which have a

business presence there. That means an offence can be committed even if a bribe paid is not related to a foreign

firm’s UK affiliate company.

Moreover, corporate directors and senior management will be personally liable if their organisation participated

in bribery with their consent. This liability is extended not only to British nationals, but to any person who is

ordinarily resident in the UK, regardless of whether the conduct in question took place in the UK or not.

Principle 1: Risk assessment

The commercial organisation regularly and comprehensively assesses the nature and extent of the risks relating

to bribery to which it is exposed.

Principle 2: Top level committment

The top level management of a commercial organisation (be it a board of directors, the owners or any other

equivalent body or person) are committed to preventing bribery. They establish a culture within the organisation

in which bribery is never acceptable. They take steps to ensure that the organisation’s policy to operate without

bribery is clearly communicated to all levels of management, the workforce and any relevant external actors.

1.2 The concept of “adequate procedures”

The UK Bribery Act refers to ‘’adequate procedures’’. Since it is a defence for a company if they can show

that they have adequate bribery prevention procedures in place, it is important to understand what these

adequate procedures consists of. The Ministry of Justice have included in their Consultation Paper, a set of

six principles for bribery prevention which are intended as a flexible guide in interpreting what procedures a

company might need to have in place.

Adequate Procedures in Anti-Bribery Compliance

Page 6

This paper is focused on providing an overview and a perspective on best practices on building adequate

procedures.

At a high level, having a successful anti-bribery compliance programme is about ensuring that the risks to

the organisation of making illegal payments are managed effectively.

Success might be defined as the organisation being able to state that it has:

Developed and implemented an anti-bribery compliance programme that adds business value and

manages risks appropriately

Rolled out ongoing improvements to the anti-bribery compliance programme in a consistent and

measurable way across the company, its subsidiaries, joint ventures and third parties

Regularly conducted anti-bribery audits and investigations and made on-going improvements to the

programme over time

Remediated compliance failures in a constructive manner (where appropriate)

Escalated higher risk compliance failures with appropriate action being taken

1.3 Adequate procedures are not just about “procedures”

The phrase “adequate procedures” should, not be limited to the typical definition of ‘’procedures’’.

According to by the New Oxford American dictionary, “procedure” is defined as “an established or official

way of doing something”.

Adequate procedures, as proposed by the author, include something more than just an official way of

doing something. Simply referring to the definition would miss essential parts of a successful anti-bribery

programme which relate to the softer elements of compliance.

The softer elements include two essential components: “behavioural change” and establishing a “culture

of compliance’’. No amount of hard policy and procedure will be able to contribute to these softer

elements of compliance. While repetition of “an established way of doing something” may ultimately

establish a change in behaviour, this method is time consuming and may not be well-integrated into the

business core.

Principle 3: Due diligence

The commercial organisation has due diligence polices and procedures which cover all parties to a business

relationship, including the organisation’s supply chain, agents and intermediaries, all forms of joint venture and

similar relationships and all markets in which the commercial organisation does business.

Principle 4: Clear, practical and accessible policies and procedures

The commercial organisation’s policies and procedures to prevent bribery being committed on its behalf are clear,

practical, accessible and enforceable. Policies and procedures take account of the roles of the whole work force

from the owners or board of directors to all employees, and all people and entities over which the commercial

organisation has control.

Principle 5: Effective implementation

The commercial organisation effectively implements its anti-bribery policies and procedures and ensures they are

embedded throughout the organisation. This process ensures that the development of policies and procedures

reflects the practical business issues that an organisation’s management and workforce face when seeking to

conduct business without bribery.

Principle 6: Monitoring and review

The commercial organisation institutes monitoring and review mechanisms to ensure compliance with relevant

policies and procedures and identifies any issues as they arise. The organisation implements improvements

where appropriate.

The Red Flag Group

Page 7

2.Adequate procedures

2.1 Establishing a base line – the code of conduct

Every organisation should have a code of conduct, also known as a code of ethics or a business conduct

guide. These codes are designed to set a high level baseline for conduct within the firm. The code should

weave the firm’s value system into the overall way in which the company conducts itself from an integrity

perspective.

Some companies brand their codes to a unique brand like ‘’the way we work’’ or ‘’doing the right thing’’

which are intended to summarise the firm’s attitude and how it conducts itself.

Essential to any adequate procedure in managing anti-bribery risk is a section in the code on the company’s

tolerance for bribery. Typically, these code sections are reflective of the top ten major risks in the company

and most often include a foreign bribery risk.

While these sections in the code are very high level and do not contain details on the adequate procedures

that the company have adopted, it is useful to have these documents in the public domain as a statement

of your high level position on anti-bribery compliance.

2.2 Anti-bribery policy

A significant aspect of having adequate procedures is to have an anti-bribery policy within your anti-bribery

compliance programme.

In the past, these anti-bribery policies have been drafted by external lawyers and have been a summary of

the relevant law and its exceptions, with an overview of the exceptions to the law where certain payments

have been permissible.

Today, anti-bribery policies are:

Shorter

Written in plain English

Focused less on the law and more on the company’s guidelines and direction on certain relevant risk

areas

Anti-bribery policies range in the details that it covers. Some are lengthy documents that encompass every

potential issue regarding compliance, while others are shorter and point to specific external guidelines for

support, resources and training requirements.

2.3 Giving and receiving gifts

Past cases have shown that an adequate compliance programme must contain some guidance and

procedures on the giving of gifts to government and commercial customers. These guidelines or

procedures should ensure that if the company does give gifts that they are of a type, and given in a way

that would not fall foul of anti-bribery laws.

Adequate procedures with respect to the giving of gifts involve consideration of:

What types of gifts are appropriate to be given to government officials (e.g., corporate branded gifts

and toys)

When those gifts would be acceptable (e.g., at the closing of a deal or at festivals)

Whether gifts need to be limited in value (and further, whether those expense limits are universal or

country-based)

Whether gifts can only be given at a particular time of year (e.g., cultural festivals)


Page 8

Whether the gift needs pre-approval and by whom

What the expense reimbursement process is and how this is tracked by staff

Whether the gift is given to a person, a department or the institution as a whole

Whether the gift is linked to a particular transaction

What the purpose of giving the gift was and whether it was given for a corrupt purpose

Adequate procedures with respect to the receiving of gifts are:

Whether there has been reason to believe the gift was given with the purpose of influencing a decision

Whether the gift is given to you, your department or the institution at which you work and to whom

the gift was presented to

When those gifts would be acceptable (e.g., at the closing of a deal or at festivals)

Whether the gift exceeds a certain limit (guidance should be given from your employer)

An adequate procedure must ensure that:

The request, the assessment, the approval and the payment are recorded correctly and that

documentary evidence supports such a payment.

2.4 Hospitality and entertainment

Similar to gift giving, entertaining customers and business partners is a very common aspect for

business. On the face of it, hospitality and entertainment is normal and is an acceptable part of business

expenditure.

However, some companies push the limits of such hospitality and entertainment too far and have turned

simple lunches and “get togethers” into lavish meetings intended only to influence and coerce a decision

maker to decide in favour of the overly generous host.

Adequate procedures for hospitality and entertainment should contain:

A policy which details

When providing hospitality of customers is acceptable

What that hospitality should consist of

How the hospitality should relate to a specific and legitimate business purpose

Details on what class of person can receive hospitality and entertainment from the company

Whether certain types of entertainment are banned

Whether certain locations in entertainment districts are banned

Whether the form of entertainment or the location in which such entertainment takes place needs

to be directly related to the company’s product

Whether there are limits on the annual amount of entertainment given to each individual or

institution either by monetary cost or by amount of entertainment and hospitality

A procedure that sets out

What pre-approvals are required for providing hospitality and entertainment

What documentary evidence needs to be maintained for the approval

What documentary evidence needs to be maintained for the expense itself

The receipt of written authorisation that the recipient in accepting the benefit did not breach any of

its own internal rules on the receipt of the benefit


The request, the assessment, the approvals and the payment are recorded correctly and that


The Red Flag Group

Page 9

2.5 Company-paid customer travel

Company-paid travel for customers is common for large companies. However, advances in technology has

meant that travel has become partly obsolete.

Other changes in the industry and the business world have meant that:

Companies often have more than one ‘’customer briefing centre’’ (where large expensive products

are housed)

Use of video conferencing technology has made the convening of meetings much easier

Companies typically pay for the travel for a customer in the following circumstances:

Demonstration of a product that is only available at another location

Attendance at training for a product or service where the cost of such training has been embedded

into the cost of the product or service

Meeting with senior executives or a board where the travel of such a group is complex or unlikely to

happen

The adequate procedures for customer paid travel will include a policy, a procedural guideline and perhaps

an online approval tool technology (see below for details). The policy would include:

An assessment of whether the travel for the customer is paid by the company, or paid by the customer

and reimbursed

The level of travel provided, the routing, the number of nights and whether the travel is absolutely

necessary

Details of the agenda for the meeting being attended

Travel dates match attendence for the specific event

Whether the routing supports side visits or overnight stays in luxury locations

Restrictions on the per diem paid to cover expenses

Details of such travel including transfers and pickups

Details of hotels including what class and any additional costs

Details on who will be travelling, the seniority of the person and what benefit they will obtain

from the travel

An explanation on how the traveller was invited. This includes whether invitation was made directly to

the person or entity, and whether or not there is written authorisation that the recipient, in accepting

the travel, did not breach any of its own internal rules

Whether the travel class can be changed after ticketing and who controls such changes

Whether the attendance has conditions of purchase

An adequate procedure would:

Have forms or an online tool to complete travel requests and provide substantiation of travel

Document the travel, the attendance and have documentary evidence substantiating that the travel

was necessary and for the purpose in which it was described





Page 10

2.6 Political contributions

Contributions by companies to political parties, politicians or political causes will need to be reviewed for

anti-bribery compliance.

Adequate procedures will include policies and procedures which address the following issues:

Whether the request for donation and support was related to a pending decision by that or a related

entity

Whether it was requested by an outside party, or if it was proposed internally, and for what reason

The specific purpose of the payment, the circumstances of its request, the benefits of the payment and

the details of any special treatment provided by virtue of the payment

Whether the payee has any impending decisions to make that may directly affect the company

Whether any government official or party official will personally benefit from the payment even if such

personal benefit is not monetary

Whether payment to one political party is made public and disclosed on the company’s website or on

another public space

How the payment is going to be made, invoiced and receipted


The request, assessment, approvals and payment are recorded correctly and that documentary

evidence supports such a payment.

2.7 Charitable donations

Contributions by companies to charities will need to be reviewed for anti-bribery compliance.

Adequate procedures will include policies and procedures which address the following issues:

Whether the request for donation or support was related to a pending decision

Whether the charity is a legitimate charity, is registered and is recognised by a government as an

official charity

Whether the charity is led by a government official

Whether the request came from an external party or originated inside the company and for what reason

The specific purpose of the payment, the circumstances of its request and payment, the benefits of the

payment and the details of any special treatment provided by virtue of the payment


Whether any government official or party official will personally benefit from the payment, even if such


Whether payment to the charity is made public and disclosed on the company’s website or on another

public space


What the payment is going to be used for; whether that use is illegal, or is being used to support an

individual (either directly or indirectly) and whether that individual is connected to government and the

company




The Red Flag Group

Page 11

2.8 Sponsorships

Companies are often requested to sponsor events, groups, teams and other people in their community Adequate

procedures will include policies and procedures which address the following issues:

Whether the request for sponsorship was related to a pending decision by that entity, a related entity or a

person in power who represents the entity

Whether the sponsorship is legitimate

Whether the sponsorship is sought by an organisation that is led by a government official or is connected to

decision making that will benefit the company

Whether the request came from an external party or originated from inside the company, and for what reason

The specific purpose of the payment, the circumstances of its request and payment, the benefits of the

payment and the details of any special treatment provided by virtue of the payment


Whether any government official or party official will personally benefit from the payment even if such


Whether the sponsorship is made public and disclosed on the company’s website or on another public space


What the sponsorship payment is going to be used for; whether that use is illegal, or is being used to support an

individual (either directly or indirectly) and whether that individual is connected to government and the company

What the company receives as a result of the sponsorship payment in the form of branding, advertising,

access, etc.


The request, assessment, approvals and payment are recorded correctly and that documentary evidence

supports such a payment.

2.9 Facilitation payments

The UK Bribery Act remains silent as to whether small bribes are allowable for minor inconsequential expenses,

therefore making them illegal. For those companies who are prepared to make such payments (known as

facilitation payments under the Foreign Corrupt Practices Act), adequate procedures must include a set of

policies and procedures that address the inherent challenges with approving them. While such policies might be

perceived as having procedures to authorise an illegal act, this is a grey area where your code of conduct and

Ethics are vital to guide your staff on the ground.

Following these procedures and having a set of rules to apply for such payments, particularly if they are made in

emergency situations, is advisable.

Define what a facilitation payment is

Provide examples of payments that would satisfy the test of being a facilitation payment

Have procedures recording how the request for the facilitation payment was made, its cost to the company, and

to whom and in what circumstances the request was made. Remember that not correctly recording a facilitation

payment can be an offence under the Books and Records section of the FCPA, even if the payment itself is okay

Have procedures for the approvals for the payment, how the payment was made and documented

Conduct an analysis as to whether the payment would be in breach of local laws and whether that knowledge

has raised additional concerns, risks or required additional controls to be inserted to address such issues





Page 12

2.10 Solicitation and extortion

From time to time, companies may be the subject of extortion or solicitation for payments which, if not

made, would open the requested person to be harmed physically, emotionally or mentally. Such extortion,

black mail and solicitation of funds often happens in situations where ‘’there is no alternative’’ and the

personal safety of an individual is at risk if the payment is not made.

Adequate procedures would include:

Guidelines for knowing when an extortion payment can be made, under what circumstances and how

much might be acceptable

What documentation is needed to support the payment reimbursement and guidelines for such

reimbursements

What external reporting is necessary to law enforcement agencies about the payment and in what

circumstances is further disclosure to authorities required

The timeframe for reporting such a payment after the payment was made




2.11 Payments to state-owned media

Payments to state-owned media often happens in controlled emerging markets where members of the

media request payments in order to:

Attend a press conference

Write a story

Film and report a story or event

Adequate procedures for controlling payments to media should include:

Evidence that any proposed payment is a genuine reimbursement of limited travel expenses for

stateowned media to attend an event

That the payment is supported either by an original travel receipt or a payment without a receipt that

was determined to be a correct and valid estimate of the un-receipted fare

Whether any payments were included in any invoices from public relations firms

Whether any invoices that include unclear ‘’service fees’’ represent payments to members of the

stateowned media




2.12 Distributor and reseller commissions

Most companies sell their products through some form of channel, whether through agents,

intermediaries, distributors or resellers.

For anti-bribery compliance the management of the reseller commissions is essential to manage potential

illegal payments on behalf of third-parties, in this case, distributors and resellers. Adequate procedures for

the management of variances in distributor and reseller commissions and margins include:

A mechanism to be alerted when distributor commissions fall below a particular level

An approved methodology that reviews the additional request for a discount or margin and the

reasons why it is being sought

A set of documentation that supports the reasons given and the justifications for the payment

The Red Flag Group

Page 13


The request, assessment, approvals and discount are recorded correctly and that documentary

evidence supports such a discount.

2.13 Payments to agents, consultants and intermediaries

The use of agents, consultants and intermediaries (together here known as ‘’intermediaries’’) is a well-

known mechanism to make illegal payments to third parties, including government officials.

Adequate procedures to ensure that such intermediaries are not used for the facilitation of a bribe include:

The approval of each intermediary before engagement

Conducting due diligence to understand the circumstances upon which the third party has been

engaged and instructed including the background of the third party

Only engaging the intermediary after having received verification of their level of integrity and

transparency

Having a contract with the intermediary that addresses compliance with bribery laws and appropriate

warranties and indemnities

Paying the intermediary for services rendered that has been properly verified and validated. The payment

should reflect the reasonable value which has been attributed to the services under the circumstances




2.14 Channel and customer rebates

Channel and customer rebates often occur in international business. Channel rebates are often paid when

a channel partner (e.g., a distributor sales or intermediary) achieve a particular target or sell a product or

service. Channel rebates, and indirectly - customer rebates paid directly or indirectly through the channel

are sometimes in the form of personal products, gifts, incentive trips and entertainment. In many cases they

form personal items.

Adequate procedures should ensure:

That the request for any rebates paid to the channel or through the channel to customers (particularly

government ones) are reviewed and approved subject to a documented approval process

That gifts and other rebates are provided to the company, not to an individual

That purchase orders and invoices correspond to such payments and that they are accurately recorded

That rebates are never paid in the form of un-documentable vouchers or items that are of a personal nature




2.15 Marketing development funds

It is common in channel marketing for a vendor to provide some support to a channel partner. In addition

to rebates as shown above, marketing development funds (often referred to as MDF) are payments made

to the channel, by the vendor, for services rendered in the form of some agreed marketing purposes. In

some organisations, these payments are misused and are not genuine reimbursements of joint marketing

expenses. Rather, they are reimbursements for extra costs that the channel partner suffered in a sale. And

in some cases, actually amount to an additional discount that misses the adequate procedures in managing

variances in discounts.


Page 14

Adequate procedures for managing MDF should ensure:

That a documented MDF program exists and that the terms of the fund are approved by legal counsel

That the request for MDF should be received in writing in accordance with the programme

That the request is assessed and approved taking into consideration the risk that funding could be

misapplied in the form of corrupt payments

That reimbursement of the share of the funding by the company is only issued after evidence has been

shown that the funds were actually spent for the approved marketing purpose in the form which was

agreed




2.16 Due diligence

Adequate procedures for anti-bribery compliance include having due diligence (detailed review on the

integrity of channel partners, agents, intermediaries, support partners, suppliers) conducted and maintained

for the term of their relationship.

It is important to remember that due diligence should:

Be different for different third parties

Be risk based and show a different focus for different third parties

Be flexible enough to be changed as risk profiles change

Be broad enough to cover suppliers, vendors, agents, intermediaries and distributors / resellers

Not be static and should be revised regularly based on the risk profile and potential liability for breaches

Be for senior employees and other key hires that are in the business or come into the business

Cover newly acquired entities and also their intermediaries (e.g., those that are acquired as a result of an

acquisition)

Be documented and be available for review and improvement

Due diligence from a legal perspective should only be a part of an overall due diligence programme. These

statutory risks are only one among many being considered when conducting a due diligence. Other risks

might include counterfeit product risks, forward revenue recognition, product liability, supplier over-pricing

and other contractual risks. It is an effective use of budget and resources to consider all these risks at the

same time rather than simply focus on the due diligence required by the Bribery Act or the FCPA.

Adequate procedures for due diligence includes:

Collecting material and background from the third party prior to any engagement

Reviewing the material by use of an independent compliance-focused background screening organisation

that tests the veracity of such information and independently assesses their integrity status in the

marketplace

Having due diligence reviewed and approved prior to engagement

Having due diligence reviewed at regular intervals and constant monitoring of the parties concerned against

watchlists, sanction lists and parties known to have engaged in corruption

Due diligence of third parties is a complex topic that requires a detailed discussion. Another whitepaper has

been drafted on this topic and is available at:

https://www.redflaggroup.com/education-centre/thought-leadership/whitepaper-best-practices-conducting-

fcpa-anti-bribery-due-diligence

The Red Flag Group

Page 15

2.17 Channel programme (and other intermediary risk reduction)

Conducting due diligence on resellers, distributors, and other intermediaries is insufficient to effectively

manage the risk of corruption. A proactive methodology is required to maintain adequate procedures.

Adequate procedures in managing channel partner risks for corruption include:

Identifying channel partners with a sense of integrity

Conducting due diligence on their integrity and transparency

Providing direction to the channel partner by giving advice on policies, procedures and their code of

ethics

The provision of training, compliance tools and direction to the channel partner in the standards

expected of them regarding integrity issues

Conducting health checks and audits on the channel partners at regular intervals

More information can be obtained here:

https://www.redflaggroup.com/education-centre/thought-leadership/whitepaper-building-effective-

compliance-programmes-third-parties

2.18 Customer training

Providing customers with product training in luxurious locations has been the subject of several cases

which have fallen foul of anti-bribery laws.

Adequate procedures should ensure:

That company-paid customer training is legitimate and essential for the customer

That the training has an open and accepted curriculum

That the training is provided in a facility which is controlled by the company and in a location that is not

luxurious or inappropriate

That the selected recipients require the training for the purposes of being licensed to own or able to

operate the product

That the other rules associated with company paid travel for the customer to travel to the training are

complied with

That if the training is provided by a third party that the third party adheres to such conditions


The request, assessment, approvals and payment is of such training are recorded correctly and that



Page 16

2.19 Appointment of subcontractors

It is also common for the selection of subcontractors by a company or its intermediary to be done for

illegal purposes. Often subcontractors are bogus and are selected in order to channel money to a third

party or to the owners of the chosen subcontractor itself who are often in a position of conflict with the

end user.

While the management of this risk is similar to that with the selection and management of intermediaries,

this group is often much harder to control as it is done further down the chain and the decisions as to

which subcontractor is selected is often uncontrolled and left up to the business unit.

Adequate procedures to ensure that such subcontractors are not used for the facilitation of bribes include:

The approval of each subcontractor before engagement

Conducting due diligence to understand the circumstances upon which the subcontractor has been

engaged and instructed, including the background of the subcontractor

Only engaging the subcontractors after having received verification of their level of integrity and

transparency

Having a contract with the subcontractors that addresses compliance with bribery laws and

appropriate warranties and indemnities

Paying the subcontractor for services rendered that has been properly verified and validated. The

payment should reflect the reasonable value which has been attributed to the services under the

circumstances




The Red Flag Group

Page 17

3.2 Supporting tools to manage specific adequate procedures

Using online tools and technology is essential to manage the adequate procedures. Indeed, some would

say that having such tools and technology in the first place is part of the adequate procedures themselves.

Simply having paper-based procedures and not being able to maintain an audit trail would in effect, not be

adequate at all.

Examples of tools include:

Policy tools

Tools that support the online storage of policies and the tracking of those policies across an

organisation

Links from policies to further training and certifications

Reporting and tracking of non-complete policy certifications

Gift tools

Tools where a user can request the giving of gifts to government and commercial customers

Are mapped against a policy, so that the tool can auto-approve or route for approval

Allow for requests to be approved online with audit trails of the approvals

Give documentation to support the approval which is stored and trackable

Records the recipient of the gift on a database

Scans the recipient against watchlists to aid in the approval process

3. Adequate tools for adequate procedures

In today’s society, paper-based compliance will almost always fail, be subject to delays, or simply be

confusing in what could be a very straight-forward process.

Adequate procedures that focus solely on policies and procedures are likely to be insufficient to effectively

manage corruption risks. Adequate procedures must include a set of tools and technology mechanisms to

help support and manage the adequate procedures.

The technology and tools aspect of adequate procedures often include:

Approval and work flow technology

Supporting tools to manage specific adequate procedures tailored for your industry

Reporting mechanisms

3.1 Approval and work flow technology

Having some form of approval and workflow technology solution to manage the adequate procedures

shown above is essential to achieving maximum compliance.

Tip 1

Use a workflow software programme to automate some approvals. Relying on email approvals through a

singlepoint is destined to fail

Tip 2

Creating tight and restrictive policies and procedures generally means requiring all requests to be approved. Not

having a clear approval process and workflow typically means that the inbox of the lawyer or compliance officer

will be filled with multiple requests.


Objectives

Page 18

Travel tools

Tools where a user can request travel for a government or commercial customers

Are mapped against a policy, so that the tool can auto-approve or route for approval based on specific

rules around the type of travel, the reason for the travel, the agenda and the person involved in the travel



Scans the recipient against watchlists before they can be approved for travel

Efficiently links the financial systems of the company with the approval

Hospitality approvals

Tools where a user can request hospitality or entertainment for a government or commercial customers

in advance of incurring the expense

Are mapped against a policy, so that the tool can auto-approve or route for approval based on specific

rules around the type of hospitality or entertainment



Scans the recipient against watchlists before they can be approved for the receipt of any benefit

Efficiently links the financial systems of the company with the approval

Third-party due diligence questionnaires and risk ratings

Allows for input from selected third parties

Are available online and in multiple languages (which supports completion in multiple languages online)

Gives an analysis of such completed questionnaires with the automatic scoring of answers based on a

risk and scoring methodology designed along with the development of the questionnaire

Due diligence management tools

Have the ability to manage the request and delivery of due diligence reports on selected third parties

Have the ability to review, approve and track the reports which are to be facilitate

Conduct ongoing reviews (daily) of due diligence subjects (including their shareholders, directors and

officers) against international watchlists

Conducts ongoing reviews against negative media of due diligence subjects (including their

shareholders, directors and officers)

Online certification tools

Have the ability to obtain certifications from both external and internal people in multiple languages

where the person can certify compliance with anti-corruption controls

Ensures that certifications are tracked, automated and reminders set for on-going compliance

insuccessive periods

Online training and learning management systems

Are systems that allow for short-focused training to be released which teaches the practical aspects of

anti-bribery compliance to both internal and external parties

The successful completion of each training session is tracked and reported upon as part of an overall

anti-corruption adequate procedures risk management process

The Red Flag Group

Page 19

Conflicts of interest disclosure tools

Have the ability to obtain conflicts disclosures from both external and internal parties in multiple

languages where the person can disclose any non-conformance with the conflicts of interest policy

Tracks non-conformance and any controls, allowances or waivers against a remediation tool that

supports integrated tracking together with an ongoing analysis

Ensures that disclosures are tracked, automated and reminders set for on-going compliance in

successive periods

Communications management

Where all communications both internally and externally are managed through a tool that documents

the adequate procedures anti-bribery compliance programme

Watchlist scanning tools

A tool that allows for self scanning (in batches if necessary) of third parties against international

watchlists, sanction lists and known or suspected illegal or corrupt parties


Page 20

Adequate procedures are nothing unless you effect behavioural change. Behavioural change is another

important aspect of building an anti-bribery compliance programme and is often overlooked.

Managing adequate procedures in the form of policies and procedures, tools and technology is ineffective

unless the behavioural change of paying illegal payments to win business is addressed.

In many emerging markets there is a long standing practice of giving gifts and hospitality to government

officials. Companies who address this risk by simply putting in place adequate procedures will find the

following results of failure:

No one will follow them up

Everyone claims they are following them up and the activity simply goes underground

They find other ways of making the payment

The big problem here is that the underlying behaviour was never successfully changed.

Behavioural change is extremely difficult to effect in a large organisation. It requires an analysis of why that

behaviour exists and what the reason for the behaviour is.

Often the behaviour of making bribes or illegal payments is because:

The payee is underpaid and needs the bribe for their sustenance and living

The payer is under heavy obligations to produce sales results “at any cost” and is pushed to achieve targets

The payer is working within a cultural environment where relationships, favours and gift giving is common

The payer is working in a company which is known for paying bribes to win business, and as a result, it

is expected that they facilitate a payment despite their own personal objections

The payer works in a company whose products are inferior or sub-standard and needs to be bribed in

order to elevate the production standards

The payer works in a company that does not reward staff for turning away from corruption and there is

no visible incentive to turn away

The payer works in a company that is ignorant of the risks and has no corruption programme in place

The study of changing corporate behaviour will be addressed in a separate whitepaper that supports this paper.

It is a topic in of itself and is one of the most challenging aspects of an anti-bribery compliance programme.

However, it is essential that taking steps towards changing the behaviour is the only way that adequate

procedures will actually work and be effective.

4.1 Tone at the top – leading by example

Behavioural change is very hard to achieve in a large diverse multi-cultural workplace. However, one

common ingredient is that leadership usually dictates how people will react and be a foundation for their

behaviour. The CEO’s and senior management’s actions are under scrutiny everyday by staff, and they are

being looked at to set the example of integrity and good behaviour.

For this reason, it is essential that the tone at the top is solid and supportive of the compliance programme,

not just on paper but also in spirit.

Example:

In anti-bribery compliance programmes, many long-time partners often rely on long-term relationships with the

CEO or the country manager as the basis for some form of protection. It is important that the CEO or senior

manager really endorses the anti-corruption compliance programme, and shows that pre-existing relationships do

not necessarily support any form of amnesty.

4. Behavioural change

The Red Flag Group

Page 21

A sales-driven environment is a place where it is common to see compensation plans driving behaviour.

Understanding the true motivators of the recipients and stakeholders of a compliance programme is

essential to having them change behaviour.

Take the time to assess:

Each stakeholder in the compliance programme

Each person who owes a compliance obligation

Decide which category of behavioural driver they are in, and then develop a specific plan for that person or

stakeholder to move them along the path towards the preferred behavioural pattern. A good compliance

person has a well-trained ability to understand organisational behaviour and how to change it.

Understanding the culture of an organisation is essential in making an assessment on how effective any

behavioural change will be. In some cases, it is necessary to re-adjust the approach because of a strong

overriding cultural reason.

4.2 Drivers and motivators

Human nature is often at the centre of most behavioural change.

Tip

There are only a handful of recognised drivers of human behaviours:

Greed

Power

Status or prestige

Success

Culture

Look for the driver and then work out how to motivate them to act

Example:

In an anti-bribery compliance programme:

Distributors are generally motivated by:

Margin (the amount of money they make on the buying and selling of your products or services) or the

status of their eligibility in a defined partner programme (e.g., a Gold Certified Partner)

Their ability to sell to the government as an authorised partner (e.g., GSA schedule) and many would

never jeopardise that benefit

The possibility of going to an IPO, or raising capital and therefore they would not want to damage their

brand in any way

Sales people are generally motivated by commission

Management is usually motivated by revenue, margin, and success

Country management is normally motivated by:

Revenue, margin, and success

The political requirement to not have their country or region being viewed as problematic and being the

subject of endless audits by headquarters for compliance issues (classic face saving activities in Asian

cultures)


Page 22

You can almost guarantee that there is no stakeholder that you can move along the path towards

behavioural change without some form of mentoring and coaching.

Tip

Good coaching involves good listening skills. Always stop and listen to the concerns of the person whose behaviour

you are looking to change. In many cases, they just want to be heard. You need to spend time talking face-to-face

with people that you need to coach. Email is not a coaching tool, nor is using power to compel change.

4.3 Reward mechanisms

It was the Russian psychologist Ivan Pavlov’s theories that supported the idea that behavioural change

and reward worked together like hand and glove. Expecting people to change without any form of

incentive is misguided and extremely hopeful. Human mechanisms support the argument that compliance

programmes need to have an incentive to change.

The Human Resources department is essential in helping push through incentive mechanisms. Linking

behaviour to compensation is essential in most business environments, and generally HR control the purse

strings on linking business results to compensation.

Example:

In anti-bribery compliance programmes, reward mechanisms for good compliance might include aspects of the

adequate procedures:

Employees

Payment of additional bonuses for solid compliance

Awards and recognitions

Partners

Continuation of certified status for a partner (e.g., as a “Gold” partner)

Extra discounts or market development funds (MDF) for partners

Extension of product list or government purchase authority

Approval to be a first-tier distributor

Referrals of direct deals to the channel

The Red Flag Group

Page 23

4.5 Employee training

The successful implementation of compliance programme depends on training. The training must include

training for:

Board members, Executive Committee

Employees, contractors

Business partners, agents, suppliers

While each and every one of the above parties should receive training, it is advisable that the training be

customised in style, format and content. This can be done by varying:

Style of the training (detailed, summaries, point form)

Format of the training (e-learning, classroom style, lecture style)

Content of the training (scenario-based, hands-on learning, legal content)

It should also be kept in mind that while all of the audiences above should be considered for training, it

does not mean that all of the people in each audience need to get the training. It is incorrect to suggest that

training should be provided to all audience groups. However, it is correct to say that 100% training should be

provided to those people who have been identified as having a job description or role that crosses with issues

that could be relevant.

For example, training manufacturing plant employees on corruption might be a fruitless exercise. However,

training dock and stevedore workers (who interact with customs and other officials) might be appropriate.

The first step in developing the training program is conducting a needs assessment and risk assessment base

on the job descriptions and job functions.

Example:

In an anti-bribery compliance programme, disciplinary procedures are often related to termination of the employee

or the reseller and distributor agreement where a partner has been involved in an allegation.

However, other options are available, and it should be made clear to the people involved what the potential

consequences are for certain infringements.

Employees

Mandatory training and integrity coaching

Reassignment away from government dealings

Removal of spending privileges

Demotions (e.g., individual contributor)

Warnings

Partners

Audits (including by a third-party)

Rebates / Reductions / Return of commissions

Withdrawal of privileges (e.g., stocking, government sales)

Mandatory training

4.4 Disciplinary procedures

Coupled with reward mechanisms, disciplinary procedures are a key piece of any compliance programme.

Disciplinary procedures are often the only form of motivator used by companies (people often forget to apply

reward mechanisms). They are typically used as a “stick” to get performance and often with mixed results.


Page 24

4.6 Dealing with issues

It is common after training to receive a number of questions about everyday conduct being carried out by

the company and its employees. Certain conduct is often raised for discussion and review. There needs to

be a mechanism for these issues to be raised and to have them discussed and resolved. Often some issues

are resolved after only small changes are made, while certain conduct may need to be stopped altogether.

Mechanisms need to be in place to support issues being raised. This mechanism may include:

Contact information in the policies and procedures where people can go to get help and ask follow-up

questions

A small focus group or workshop of employees in an office that get together to talk regularly about

conduct and whether it raises integrity issues

An online tool that allows for compliance related FAQs to be asked and reviewed

These mechanisms should be relatively informal in order to encourage staff to raise issues and questions.

They should be different to the typical ‘Ethics Hotline’ that is used more to report illegal or suspicious

conduct. A more informal approach would encourage questions about existing conduct and practices in

the company.

Having an online tool for employees to ask questions and be answered by the Compliance or Legal team

is the best way to expand the knowledge to a broader audience. The online tool should be available for all

staff and form part of the corporate intranet or some other forum designed specifically for this purpose.

The Red Flag Group

Page 25

5.1 Monitoring the adequate procedures

Monitoring the adequate procedures is a crucial, yet often overlooked, ingredient to the compliance

programme. Often, companies rely simply on anonymous reporting hotlines and internal audit to conduct

monitoring and measurement, but have no real programme to support these claims.

Monitoring the adequate procedures is essential. Putting in place or mandating adequate procedures

without also having a mechanism to manage them is a waste of resources.

Monitoring the adequate procedures is an area that most compliance officers are relatively unfamiliar with.

They tend to focus only on whether training (which is but one adequate procedure) has being completed.

This is because it is easy to assess (as it involves simply an assessment of completed training versus the

overall employee base) and involves minimal cost.

The monitoring of adequate procedures must assess the actual effectiveness of the procedures: whether

they are in place, are known, understood, and working well.

Monitoring the adequate procedures could involve:

Making sure the objectives of the adequate procedures, the overall compliance programme and the

business needs are aligned

Assessing any cultural change brought about by the procedures

Identifying if there is a change in the behaviour of those following the procedures

Determining whether business value has been realised by putting in place the adequate procedures

5. Monitoring

Example:

In anti-bribery compliance programmes, these involve testing whether the business’s overall risk and violations have

decreased over time, and whether the culture of compliance has been improved.

5.2 On-the-ground monitoring

The best form of compliance monitoring is ‘on-the-ground’ monitoring. This means scheduling time

each quarter to get out of the office or headquarters to travel to the outer regions of the business

(usually to the emerging markets where these issues occur more frequently). The purpose of these visits

is to monitor directly the health of the compliance programme. This is best done by talking to people,

setting up meetings to talk about the compliance programme, observe what the experiences are from

the implementation and to generally monitor the ‘noise’ that is in the system. This sort of monitoring is

essential because it is informal and generally produces better results than a formal programme which may

place duress on the people being monitored.

Tip

The sort of monitoring proposed here is simple. It is to visit a country and sit down individually with the Head of

Sales, the Country Manager, and the Finance Director to talk about their experiences with the programme. These

discussions are often best had over dinner or breakfast in an informal and relaxed setting. The key is to ask broad

open–ended questions that support the discussion of the topics. This is a fact-finding discussion not an interview nor

an inquisition, nor an audit. Planning these meetings is a key to ensure that the relevant people are in town for your

visit. There is nothing like getting the real unadulterated data at the coalface.


Page 26

5.3 Conducting surveys

Conducting surveys are a great way to feel the pulse of the whole organisation. The surveys are best

conducted online in a secure environment and distributed by the Business group (as opposed to Legal or

Compliance). These surveys should be targeted to a specific compliance issue (e.g., bribery) rather than

having a general set of compliance questions. The value in the surveys is to ask specific questions that will

induce an answer. For example, the following questions would be relevant:

Do you feel that our anti-bribery compliance programme has been adopted by your management?

Have you experienced situations where you now behave differently given the new focus on

compliance?

Do you feel that management ‘walks the talk’ when it comes to the anti-corruption programme?

Have you changed your approach to certain situations in the field since conducting the training?

Has there been a change in the engagement of third parties and intermediaries since the programme

was enacted?

Have there been any negative effects on the business since implementing the programme?

Do you feel that the programme is consistent with good business practice in the region?

Do you feel that the programme is consistent with our brand and our values?

Tip

An online survey can be easily structured with mandatory questions and options that allow for extra commentary.

The survey can be completed anonymously in order to encourage responses unless participants wish to give their

information for further follow-up. Ideally, the survey link should be sent out by the Business teams rather than

Compliance or Legal. Studies show that the staffs are more likely to complete the survey if it comes from their direct

manager. It is also advisable to run the same survey (with the same set of questions) quarterly for several quarters

following the implementation of the Programme. That way, trending analyses can be built on the answers to the

questions over time.

The Red Flag Group

Page 27

6.1 Identifying / building measureable indicators

Building measurable indicators is quite challenging for certain adequate procedures. Most often, it requires

looking specifically at single indicators of successful compliance.

Common measurements include the following:

Efficacy of the adequate procedures

Number of failures of each adequate procedure

Number of hotline or other reporting issues raised

Number of “near misses”

Training effectiveness results

Business value

Number of deals supported through new measures

Return on investment from the compliance programme

Measurement is all about how well the adequate procedures are working – and presenting evidence to

prove it.

It requires that the objectives of the programme to be assessed and measured.

Targets should have been set in the earlier stages of the programme and agreed with the CEO and the

board on the future success of the programme. All these now need to be measured and reported.

Measurement involves active review of the programme. In most cases, this involves:

Testing the adequate procedures with audits

Conducting interviews and behaviour / culture assessments

6. Measurement

Example:

In anti-bribery compliance programmes, measurements could include:

Number of requests sought for gifts, travel or hospitality through an online system or tool

Volume of requests for charitable donations

Number of due diligence requests for new distributors

Number of customer complaints relating to distributor conduct

Number of audit violations

Volume of revenue adjustments


Page 28

6.2 Audits

Most compliance programmes include some form of audit of each adequate procedure in order to

measure the effectiveness of each procedure.

Example:

A typical audit of the adequate procedure for use of a distributor might look like this:

Draft Reports Templates

Remediation Guidelines

Communication Plans

Excalation Paths

Partner Checklist

Interview Questions

Task Lists

Meeting Schedules

Risk Assessment Templates

Attribute Weightings

Guide to Risk Weightings

Notifications Letters

Internal Communication Matrix

Partner Review Checklist

Document Request List

Business Interview Checklist

Report RiskAssessment

PlanningExecution

The audit should cover all aspects of the adequate procedure, including its actual performance of the

adequate procedure. It is important to audit whether the adequate procedure is working and, if not, find

out why. Are employees aware of their obligations? Do they know what they should and should not do in

a particular situation? Do they know where to go to get help?

The nature of the audit-framework you develop will very much depend on the company and its compliance

background and culture, whether you are at the initial stages of implementing adequate procedures, how

developed your auditing systems are and other such considerations. It is important to make sure that any

audit is realistic in its purpose, maps the objectives and targets of the adequate procedure and provides

useful and insightful results which can be used to ensure on-going improvement.

It is essential to determine who or what is being audited. The audit typically includes:

Awareness of the adequate procedure throughout the organisation

Assessment of whether the adequate procedure has been complied with and to what extent

Assessment of whether the training has been effective

Establishing the frequency of audits or measurements

The frequency of measurement very much depends on the adequate procedure itself, and is often agreed

at the commitment stage for reporting purposes.

Audits can be long and expensive processes.

It is, therefore, important to make sure the frequency of audits and other measurements provided for in

the compliance programme are realistic, aligned with the objectives and targets of the programme and

that they take into account the risks faced by the company.

Another whitepaper has been drafted on this topic and is available at:

https://www.redflaggroup.com/education-centre/thought-leadership/whitepaper-best-practices-auditing-

third-parties-fcpa-anti-bribery-compliance

The Red Flag Group

Page 29

Example:

An anti-bribery audit programme that consists of several adequate procedures might cover the following aspects:

Gifts

Review of expense claims over a specified period

Assessment of whether or not those gifts fall within the gift approval policy, whether they were within the

prescribed gift limits, and whether they were approved properly

Cross-referencing of any gifts given to government officials against deals done at the same time

Review of the number of gifts given per sales person or received per customer over a period of time

Travel

Review of expense claims over a specified period for any person who accompanied government officials on

company-paid travel

Review of expense claims to identify any side trips or lavish entertainment

Charitable donations

Review of charitable donations to ensure compliance with the review and approval process and to identify

whether the charities have associations with any government officials

Third parties

Review of third parties to determine if due diligence has been performed and whether that due diligence

revealed any issues

Comparison of margins received for commissions with the average or standard commissions earned by

third parties

Review of the training records of partners

Use of consultants

Review of consultancy contracts and payments made to consultants

Assessment of due diligence performed on consultants

Review of consultancy contracts, the purpose of each contract, the services provided and the price paid

Comparison of deals around that period to gauge the legitimacy of the particular deal


Page 30

Example:

Adequate procedures in an anti-bribery compliance programme audit typically involve both internal audit and

external audit of third parties.

Before embarking on such a project, it is a good idea to conduct a simple risk assessment on the third parties

themselves to determine which third parties to audit.

To determine the risk profile of the third parties, it is a good idea for your risk assessment to cover both financial

and non-financial risks.

Once completed, a smaller more manageable group of third parties will have been marked for audit and a more

manageable audit programme can be developed.

FinancialAttributes

Amountof Sales

Direct Salesvs

Indirect SalesPrivate

vsPublic

LegalRisk

PreviousIssues

Countryof Concern

ExportControl

Restrictions

ContractType

Time sinceLast Audit

Sub-TierPartners

High % ofGovernment

Business

BusinessPerception

ProductType

Free Goods,Samples &

Returns

MarginAnalysis

StockingLevels

ReturnedGoods

MDFAmounts

Non-Financial

Attributes

Notification to business

Discuss objectives with country managersD-8

D-7

D-2

D

D+2

Assess country risks and marco compliance risks

Collect and review sample data submitted

Report out internally

Report out to partner

Conduct risk assessment with channel

Determine focus partners and country

Request data from partner

On-site assessment at partner

Execution and testing

Interview, review and data analysis

The Red Flag Group

Page 31

7.1 Establish criteria and reporting obligations

For most organisations, some form of reporting on the efficacy of the adequate procedures is expected. At

the very least, there is an expectation to report on the progress of the roll-out of the programme itself.

All too often, companies make the mistake of limiting reporting to simply the roll-out status. Several other

reports that could be produced include:

Actual spend of budget versus target spend of the development and operation of the adequate procedures

Effectiveness of behavioural changes that form part of the adequate procedures

Effectiveness of training relating to the adequate procedures

Results of audits of the adequate procedures

Number of claims lodged from compliance regarding the adequate procedures

Business value added / realised through the adoption of the adequate procedures

Cost savings achieved to-date through the adoption of the adequate procedures

Return on investment from implementing the adequate procedures

When assessing the reporting criteria and obligations, it is also important to consider the following points:

Graphs are more useful to management than raw data. While some management will wishto dig

deeper into the numbers, most reporting managers want to see graphs (however, always structure such

graphs so that a “double-click” can reveal the underlying numbers).

Trending analysis. For most managers, simple numbers are not particularly helpful to the task of assessing

a programme. For example, stating that 122 people have reported issues through a reporting hotline is not

very helpful. It is far more helpful to explain:

How this relates to last year

How this relates to pre- and post-implementation of the programme

How this relates to the overall objectives of the programme

How this relates to industry peers

It is important that you also assess who needs to see the actual reports. While many people will claim they

need to see them, it is important to establish some boundaries regarding who truly needs to receive the

reports, at what point in time, and in what format.

7. Reporting


Page 32

Example:

For anti-bribery based adequate procedures, it is very common to have a set of reporting mechanism. This might be

designed as follows:

What reports should be produced?

Number of gift requests per country or per region

Number of requests for government official hospitality and the average spend trend per request

Number of marketing requests for approval to fix the company logo to marketing merchandise

Number of partners or third parties that are being screened as part of the anti-bribery compliance programme

Number of third parties that have completed a third party questionnaire versus those that have not started

Number of due diligences that have been conducted versus the total number of potential third parties

Time for on-boarding a third party and conducting the necessary checks

Number of issues identified through third party due diligence that required additional feedback and follow-up

Number of times the anti-bribery compliance programme has been accessed online with a country-by-country

breakdown

Number of staff and partners who have undergone anti-bribery policy training

Number of escalations or issues found as a result of audits

Number of audits conducted and the cost of those audits

Who should receive them?

This depends on the company. However, in most programmes the following sections might need to be provided

with some of the reports:

The sales, sales operations and channel teams

Finance and audit, the legal team

Training and HR, the audit committee

How often?

This also depends on the nature of the report itself. If trending analysis is a significant part of the report, then

typically a longer period of time will be needed to show the trending.

The Red Flag Group

Page 33

7.2 Dissemination of reports

There is a need to determine how reports should be disseminated. While this should be self-explanatory,

here are some things to consider:

Consider reporting verbally (for highly sensitive material)

Consider executive summaries and shorter reports for certain people, and longer reports for others

Consider channelling the reporting through legal in order to maintain privilege over the reports

7.3 Exception reporting

Many organisations work on the basis of exception reporting, meaning that if there is an event that

needs to be reported, then there needs to be a separate mechanism to immediately report on that

event, even if other reporting mechanisms are already in place (but which may take longer).

In addition, it is common to report on unusual items that appear to be out of sync with the normal

setting or results expected.

Example:

In anti-bribery compliance programmes, there are some exception reports that might be the subject of reporting:

Unexplained spikes at the end of quarter for gift or hospitality requests

Unexplained requests for customers to receive off-site training

Unexplained requests late in deals to appoint an intermediary

Deals that happen too fast, well below the expected time frame for something of that size or complexity (may

suggest that the deal is not real, that the product is for a different end-user, or that the product is being on-

sold or diverted {potentially raising export control risks})


Page 34

7.4 External reporting

There is also a need to have a policy on self-reporting to external regulators. The procedures for ‘selfreferral’

or ‘self-reporting’ are well documented on the Serious Fraud Office`s website.

It is clear that regulators both in the UK and the US look more favourably towards companies who self-report

breach of anti-corruption legislation. Companies which are deciding whether or not to self-report need

to tread carefully, as it may expose the company to civil actions from shareholders, or obligate to release

information in securities filings and lead to prosecutions that might not otherwise have happened had the

self-reporting not been done.

The procedure on self-reporting should address:

The role of compliance as compared to that of the legal function

To whom the self-report should be made and in what format

Whether the self-report is made in writing or in an initial meeting to gauge the seriousness or interest of

the regulator

Whether the media also needs to be informed at the same time with a holding statement noting that an

investigation is underway

Whether there are other exchanges or bodies that need to be informed (e.g., regulators in different

countries if the suspected bribery happened in a country which is different to your ‘home’ country)

Whether there are contractual issues (e.g., confidentiality clauses) in contracts with customers or third

parties that prohibit the statement being made when it has not be compelled by a law or regulation but

is voluntary only

The extent of the issue, though protections need to be in place to prevent the disclosure of confidential

information or information about specific people whose innocence must be maintained before proven guilty

The status of the investigation

How the investigation is being conducted, by whom, and in what capacity

The likelihood of further follow-up and how that follow-up should be made

The procedure on self-reporting should also delegate the designated spokespersons or those in the company

that have the express authority to speak about the issue and to the regulator or the media. It is advisable to

have a holding statement ready and a procedure to deal with crisis communications should the story develop

into a significant news item.

The Red Flag Group

Page 35

Documenting the adequate procedures and the results of their implementation is often overlooked by

compliance departments. When asked to view the compliance programme, there is no one place where it

is located. It is common to have the programme in various pieces and at various stages of completion, and

stored in various formats and locations.

In some situations, the documentation of the adequate procedures might be simply a printed document.

Again, this is not terribly effective. Adequate procedures are not static. They must always be monitored,

reported and improved upon.

It is rare that adequate procedures can become part of a bound printed document. This is a good sign that

the programme is not a living and breathing instrument.

8.1 Establish record keeping mechanisms

Record keeping mechanisms in the post-2000 era need to be web-based and available online. A document

management system is the most basic form of records system. However, the system typically also needs to

include the following:

The ability to show the actual compliance programme itself

A document repository to show all documents that reflect the programme and its implementation

A dashboard that shows all the necessary reporting mechanisms and the current or up-to-date state of

play of the programme

The ability to record incidents and issues arising from the programme

A mechanism to communicate with stakeholders about the programme in a clearly articulated and

effective way

8.2 Remediation

Remediation efforts are one of the key aspects of any adequate procedure. Recording the remediation

steps for any adequate procedures is essential and must be readily available.

The key aspects of remediation are:

Recording (or linking to) the remediation requirement / obligation for the particular event or incident that

gave rise to the remediation

Naming an owner for the remediation effort

Describing the remediation effort, and showing the steps to complete remediation

Identifying a time for completion of the remediation steps

Identifying any testing to confirm remediation measures are in place and that they have been validated as

effective

8. Documentation


Page 36

Example:

In anti-bribery adequate procedures, remediation steps might include:

Annual confirmation from all sales-facing staff and distributors that they will not make payments to

government officials or engage subcontractors

Declaration of conflicts of interest

Additional audit steps in other countries where it is likely there will be similar integrity issues or violations

More training and scenario-based education

More tools to help approval routing and reporting

More detailed due diligence versus watchlist screening

Better documentation of the programme, and increased awareness through advertising, branding and internal

newsletters

Senior executives “talking the talk” more often

A requirement that your partners conduct their own audits for compliance, and that they make these available

to your company

A requirement that your partners conduct annual assessments of their adoption and culture of compliance

standards, and that these are provided and reported back to your organisation annually

The Red Flag Group

Page 37

This checklist is designed to be a guide for you to evaluate your company’s present and future compliance

activities. The scope of this checklist depends on the size and available resources of each company.

9. Compliance Checklist

Details Start Date

Date Completed

The Programme

Code of Conduct

Does your company have a code of conduct?

How regularly is the code of conduct reviewed?

Due Diligence

Is there a procedure for collecting material and background from all third parties prior to engagement?

Is your company using an independent compliance-focused background screening organisation to independently verify and assess the third parties?

Is the due diligence regularly reviewed and monitored against watchlists and sanctions lists?

Structure

Is there a Compliance Committee?

Is there a Compliance Officer?

How successfully integrated are the roles of the Compli-ance Committee and Compliance Officer into the business structure of the company?

Who from each business group reports to the Compliance Officer?

Is there access to senior management?

Is there a mechanism for whistleblowers to tip anony-mously?

Is there a system for employees to seek guidance about potential violations?

Adequate Procedures

Anti-bribery

Is there an anti-bribery policy?

Does the company have written agreements for every inter-national consultant?

Does the company prohibit the use of subagents without prior approval by the company?

What is the rate of commission paid to international con-sultants?

Are there guidelines or prohibitions on payments to certain countries?

Gifts

Is there a system for requesting, approving and recording down gifts?

Was the gift linked to a particular transaction?

Is there a policy regarding the receiving of gifts?


Page 38

Details Start Date

Date Completed

Hospitality & Entertainment

Is there an approval process for the provision of hospitality and entertainment?

Company-paid travel

Is there an approval process for company travel requests?

Is there a system to collect documentary evidence of the company travel?

Is there an approval process for customer travel requests?

Donations

Is there an approval process for payments made to political parties, politicians or political causes?

Is there an approval process for payments made to chari-ties?

Are payments disclosed publicly?

What is the purpose of the payment?

Sponsorships

Is the sponsorship legitimately for marketing purposes only?

Is the sponsorship made public?

Facilitation payments

Is there an approval process for facilitation payments?

Has there been proper legal analysis of whether the pay-ment would be in breach of local laws?

Solicitation and extortion

Are there guidelines for knowing when an extortion pay-ment can be made?

Is the company required to report to law enforcement agencies about the payment?

Payments to state-owned media

Is there a policy requiring payments made to state-owned media outlets be recorded?

What are the procedures for reimbursing state-owned media to attend a company event?

What if the payments were actually paid via a public rela-tions company?

Distributor and reseller commissions

Are there mechanisms for alerting when a distributor com-mission falls below a particular level?

Agents, consultants and intermediaries

Is there a process to verify that payments correspond to sales activities?

Has due diligence been conducted on the third party to verify their level of integrity?

Does the contract address compliance with anti-bribery laws?

Channel and customer rebates

The Red Flag Group

Page 39

Details Start Date

Date Completed

Is there a verification process ensuring that rebates are properly documented?

Marketing Development Funds (MDF)

Is there a documented MDF program?

Is there an approval process to ensure that reimbursement is only paid after evidence has been shown that the funds were actually spent for the marketing purpose?

Subcontractors

Has due diligence been conducted on the subcontractor?

What is the purpose for employing the subcontractor?

Does the contract address compliance with anti-bribery laws?

Is there a process to verify that payments correspond to the services?

Training

Tone at the top

Does senior management consistently promote the compli-ance programme and culture?

Are there mechanisms to prevent long-time partners from relying on their long-term relationships with senior man-agement as the basis for non-compliance?

Regular training on:

Code of Conduct training

Business practices training for sales, marketing, HR etc

Anti-corruption

Data privacy and confidentiality

Channel partners

Is there a methodology for providing advice to channel partners on policies, procedures and code of ethics?

Customers

Are there measures in place to ensure that company-paid customer training is legitimate and essential for the cus-tomer?

Are there policies against providing training in locations that are overly luxurious or inappropriate?

Disciplinary procedures

Are there both disciplinary procedures in place for when an employee or reseller breach their compliance obligations?

Monitoring

Are there indicators in place that assist in quantifying the performance of the compliance programme?

Does the compliance programme include auditing activities to detect breaches of laws and regulations?

Reporting

Is there a system to report on the efficacy of the pro-gramme itself?


Page 40

Details Start Date

Date Completed

Do the reports contain trending analyses as well?

Is there a procedure for how reports are disseminated?

Is there a known system for exception reporting?

Documentation

Is there a mechanism to keep records digitally on a search-able database?

Is there a way to record incidents and issues?

Is there a process by which to communicate with stakehold-ers about the programme?

Remediation

Is there a process for remediating the issues which arise from the programme?

Is there somebody to whom the remediation effort can be assigned?

The Red Flag Group

Page 41

About The Red Flag GroupThe Red Flag Group is The Compliance Firm™ that helps companies turn compliance into a competitive advantage. We create customised and

integrated compliance solutions that add value to your business.

For more information, go to www.redflaggroup.com

About the authorScott Lane, Executive Chairman of The Red Flag Group, has over 15 years’ experience in legal, compliance, internal audit, export

control, ethics and corporate governance, providing counselling and advice to senior management throughout the world in the

development of legal and compliance practices. Scott has worked as a senior director and general counsel in various multinational

corporations in Australia, the United Kingdom and Hong Kong, and has significant experience in complex compliance issues.


Page 42 The Red Flag Group

The Red Flag Group is a truly global company with offices and research centers in the USA, Europe, Asia, Africa and Latin America.

For more information visit: www.redflaggroup.com