SNI ISO 37001:2016 Anti-Bribery Management Systems 11 December 2017 Owen Hawkes Partner, KPMG Forensic


SNI ISO 37001:2016 – Three Concepts

Standard v. certification

— Provides a standard, promotes due diligence efficiency
— Internationally recognized
— Permits certification (unlike the related compliance system standard)

Certification v. effectiveness

— Certification should reflect effectiveness
— Given issues with other certifications, may not provide assurance to third parties
— In the event of an incident, effectiveness likely to be focus of law enforcement agencies

Standard v. checklist

— Like other risk management standards, is risk based
— No simple list of measures
— List of risk assessments


Challenges – Overview

Auditing third parties for compliance

Variations in country requirements – data privacy etc.

Difficulty in conducting due diligence over foreign agents/third parties

Lack of internal resources

Difficulty in identifying & assessing risk

Cultural/language issues

Source: KPMG Global Anti-Bribery and Corruption Survey 2015


Challenges – Risk Assessment

The organization shall undertake regular bribery risk assessment(s), which shall:

a. identify the bribery risks the organization might reasonably anticipate, given the [context of the organization];

b. analyse, assess and prioritise the identified bribery risks;

c. evaluate the suitability and effectiveness of the organization’s existing controls to mitigate the assessed bribery risks.

The organization shall establish criteria for evaluating its level of bribery risk, which shall take into account the organization’s policies and objectives.


Challenges – Risk assessment

WORKSHOPS / POLICY REVIEWS / INTERVIEWS

CURRENT STATE: ABMS

BENCHMARKING

IMPROVEMENT PLAN


Challenges – Risk assessment

[Chart: Rating (scale 0 to 5) by category: Due diligence; Financial controls; Anti-bribery commitments; Gifts, hospitality, donations. Series: Better Practice, Industry, Organization.]


Challenges – Third Party Due Diligence

1) whether the business associate is a legitimate business entity, as demonstrated by indicators such as corporate registration documents, annual filed accounts, tax identification number, listing on a stock exchange;

2) whether the business associate has the qualifications, experience and resources needed to conduct the business for which it is being contracted;

3) whether and to what extent the business associate has an anti-bribery management system;

4) whether the business associate has a reputation for bribery, fraud, dishonesty or similar misconduct, or has been investigated, convicted, sanctioned or debarred for bribery or similar criminal conduct;

5) the identity of the shareholders (including the ultimate beneficial owner(s)) and top management of the business associate, and whether they:

   i) have a reputation for bribery, fraud, dishonesty or similar misconduct;

   ii) have been investigated, convicted, sanctioned or debarred for bribery or similar criminal conduct;

   iii) have any direct or indirect links to the organisation’s customer or client or to a relevant public official which could lead to bribery (this would include persons who are not public officials themselves, but who may be directly or indirectly related to public officials, candidates for public office, etc.);

6) the structure of the transaction and payment arrangements.


Challenges – Third Party Due Diligence

Identification

34% (Asia: 40%) of respondents do not formally identify high-risk third party intermediaries or persons associated with government. 31% (Asia: 31%) do not have formal risk-based onboarding processes for third parties, opening companies to the possibility of corrupt practices.

Communication

Once on board, 60% (Asia: 57%) say their companies distribute their ABC policies to all third parties or selected third parties, still fewer in the local language.

of the 524 respondents with formal ABC compliance programs, 424 have communication and training programs.

of the 424 stated that the development of effective mechanisms for communication and training programs are highly or exceedingly challenging.

424

73

Assessment

Only 69% (Asia: 70%) of all respondents assess third-party risk.

Monitoring

For those that do have a formal ABC risk assessment, only 56% (Asia: 76%) have right-to-audit clauses in contracts.

Only 41% (Asia: 40%) have actually exercised them.


Challenges in the Indonesian context

Organizations make higher use of agents

Without agents, business progress would be severely compromised

Customary governmental interactions (e.g. permits)

Relates to less traditional matters (e.g. identifying the existence of business opportunities)

Tradition of investing in relationships

Counterparties lack internal controls (e.g. entertainment, sponsorship and gifts)

Ease of establishing entities

Lack of requirements to describe business activities

Difficulties in obtaining reliable corporate registry information

Generally, low level of detail in contracts and supporting documentation (e.g. invoices)

Regulations

General business opacity

Third party due diligence


Appendix: Bribery Surveys / Publications


Bribery Surveys / Publications

Anti-Bribery and Corruption: Rising to the challenge in the age of globalization

KPMG – 2015

USA companies / UK companies

| Respondents | US 2011 | Ranking 2011 | US 2015 | Ranking 2015 | UK 2011 | Ranking 2011 | UK 2015 | Ranking 2015 |
|---|---|---|---|---|---|---|---|---|
| Auditing third parties for compliance | 43.0% | 1 | 77.0% | 1 | 32.0% | 1 | 51.0% | 1 |
| Difficulty in performing due diligence over foreign agents/third parties | 42.0% | 2 | 54.0% | 4 | 32.0% | 2 | 48.8% | 2 |
| Variations in country requirements – data privacy etc. | 32.0% | 3 | 60.0% | 3 | 29.0% | 2 | 43.9% | 3 |
| Company’s expansion into high growth economics | 18.0% | 4 | 53.0% | 5 | 21.0% | 3 | 34.2% | 8 |
| Monitoring and evaluating compliance | 11.0% | 5 | 38.0% | 9 | 14.0% | 4 | 29.3% | 10 |

Cultural/language issues 62.0% 2 5 34.2% 5

Lack of internal resources 39.0% 5

Difficulty in identifying & assessing risk 43.9% 3

Source: Global Anti-Bribery and Corruption Survey, KPMG International, 2015 Anti-bribery and corruption, p.5

Ranking of top ABC challenges – All respondents 2015

Auditing third parties for compliance

Variations in country requirements – data privacy etc.

Difficulty in conducting due diligence over foreign agents/third parties

Lack of internal resources

Difficulty in identifying & assessing risk

Cultural/language issues

Source: Global Anti-Bribery and Corruption Survey, KPMG International, 2015 Anti-bribery and corruption, p.7


Bribery Surveys / Publications

KPMG conducted a survey of 659 executives in a range of functions and industries from around the world.

Fifty-four (8 percent) of these work in the ENR sector.

38 work

54 work

Source: Global Anti-Bribery and Corruption Survey, KPMG International, 2015

The growing global challenge, p.2

Only 56% say they have right-to-audit clauses in third party contracts.

41% say they don’t have a risk-based process for onboarding third parties, the same number as says they do have such a process.

69% of ENR respondents say their companies’ ABC risk assessment examines the potential risk posed by third parties.

ENR: Energy and Natural Resource

The growing global challenge, p.5

The growing global challenge, p.6

Source: Global Anti-Bribery and Corruption Survey, KPMG International, 2015

Managing anti-bribery and corruption compliance in energy and natural resources

KPMG – 2015


Bribery Surveys / Publications

• What makes ISO 37001 different from existing guidance?

– The content of the standard draws on existing guidelines, such as those produced by the US and UK authorities, but it is by definition an international standard. It is designed to provide an approach to anti-bribery compliance that can be applied consistently on a global basis and independently assessed.

• How is ISO 37001 certification obtained?

– Certification of compliance with the standard is based on scrutiny of an organization’s anti-bribery management system by an independent third party that has been authorized to provide certifications by an ISO national member body. Maintaining the certification requires periodic external audits of ongoing compliance.

• Will ISO 37001 certification act as a shield against enforcement action?

– It is not expected that compliance with the standard will be treated by the competent authorities as proof positive that an organization has taken adequate measures to prevent bribery, providing it with an automatic defence or entitlement to leniency should a breach occur. However, an organization that operated to the standard can expect to be in a position of strength in justifying its actions to the competent authorities in case a breach does occur. As past experience shows, the authorities will consider a range of factors, including the existence of an effective compliance program, when determining appropriate enforcement action.

• What other benefits can an organization expect from ISO 37001 certification?

– For organizations subjected to complex and time-consuming due diligence or monitoring from business partners, proof of ISO 37001 certification may provide sufficient assurance for business partners to reduce the amount of due diligence necessary, providing a source of competitive advantage in winning business.

• Can an organization benefit from ISO 37001 without obtaining certification?

– Organizations that do not seek certification themselves may find the standard valuable as a basis for evaluating and improving their existing anti-bribery management system or for evaluating the anti-bribery management systems of current and potential business partners.

ISO standard on anti-bribery management systems

KPMG – 2016


Bribery Surveys / Publications

Today’s reality

Forensic Focus, p.1

Circumventing compliance: corruption reaches top firms in the oil and gas industry

— Unaoil went from a little-known entity to one of the most commented upon corporations in the compliance community today due to an elaborate bribery scheme.

— Implicated companies should consider taking action to determine what, if anything, illegal was done on their behalf.

— Compliance practices applied to ordinary third parties are often not enough to prevent corruption in the riskiest countries. Companies that enter those countries should place anti-bribery and corruption at the center of their business strategy.

— True “tone at the top” requires more than just a good code of conduct. It requires the commitment of resources toward follow-through at every phase of third-party risk management.

— Robust up-front reputational and integrity due diligence is essential, but companies operating in these countries should strongly consider regular compliance audits and business structures that give them full visibility into how third-party intermediaries spend funds on their behalf.

Forensic Focus: Circumventing compliance: Corruption reaches top firms in the oil and gas industry

KPMG – 2016


Appendix: Certification


Certification – Process

CHECK THE RELEVANT SNI

SEND RELEVANT DOCUMENTS

EVALUATION

CHECK THE LSPro

APPLICATION REVIEWED

EVALUATION REVIEW

CERTIFICATION

01 02 03 04 05 06 07

Source: http://bsn.go.id


Certification – Timeline

[Timeline chart: activities plotted against months 1 to 7]

Review & Implement

  • Preparation of documentation
  • System implementation/integration
  • Review & rectification

Evaluation

  • Identify the relevant certification body
  • Evaluation & review

Certification

  • Certification


Appendix: About KPMG Forensic


Global network of forensic professionals

KPMG Forensic has a global network of over 3,600 Forensic professionals supported by the specialist skills of over 189,000 KPMG people across more than 152 country locations. KPMG Forensic offices are shown below. KPMG Forensic in Singapore comprises experienced investigators with strong IT, regulatory and law enforcement backgrounds. Over 90 full-time professionals, including forensic technology professionals, are based across Singapore and Indonesia.

North and South America: approximately 880 forensic professionals

Asia Pacific: approximately 340 forensic professionals

Europe, the Middle East and Africa: approximately 2,390 forensic professionals


KPMG in Singapore and Indonesia

Singapore

Jakarta

Singapore office established in 1941 and integrated with the Indonesian office in 2014

5 forensic partners

Over 90 forensic professionals

Offices in Singapore and Jakarta

CORE SERVICES OFFERED

Anti-Bribery and Corruption Compliance

Investigations

Forensic Technology

Forensic Data Analytics

Expert Witness and Dispute Advisory Services

Anti-Money Laundering and Trade Sanctions Services

Fraud Risk Management

Corporate Intelligence


Document Classification: KPMG Confidential

© 2017, PT KPMG Siddharta Advisory, an Indonesian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.

The KPMG name, logo are registered trademarks or trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

kpmg.com/socialmedia kpmg.com/app

Contacts

Owen Hawkes, Partner, Forensic, KPMG Singapore
T: +65 6213 2280
E: [email protected]