5 Essential Elements of Corporate Compliance
A GLOBAL TEMPLATE

Content
Prologue to the 5 Essential Elements
5 Essential Elements of Corporate Compliance
Introduction – Today’s Compliance Environment
Enforcement Around the World
Essential Element 1 – Leadership
Essential Element 2 – Risk Assessment
Essential Element 3 – Standards and Controls
Essential Element 4 – Training and Communication
Essential Element 5 – Oversight: Monitoring, Auditing and Response
The 5 Elements and Key Global Guidance
Foreign Bribery Enforcement Actions by Country/International Organization
Total Domestic and Foreign Bribery Enforcement Actions by Industry
2014: Corruption Perceptions Index

Prologue to the 5 Essential Elements

A strong corporate compliance program is designed to help prevent corporate officers and employees from engaging in illegal practices while also addressing a wide array of other compliance and risk management challenges. In today's global regulatory environment, it is difficult for multinational companies, with extended enterprises, to effectively manage corporate compliance efforts. Although enforcement guidelines around the world vary in length, tone and language, virtually all touch upon a set of key issues that can be boiled down to five essential elements: leadership, risk assessment, standards and controls, training and communication, and oversight.

These five elements serve as the organizing principles for the way Baker & McKenzie counsels our clients in the area of corporate compliance. If a company's compliance program effectively covers these five elements, it will likely meet the wide variety of law enforcement expectations around the world and assist the company in proactively (and successfully) meeting its strategic business initiatives through strong risk management.
This document offers practical guidance for legal counsel and compliance professionals responsible for establishing and maintaining compliance standards within their company and throughout its supply chain. Baker & McKenzie works with companies as a dedicated compliance advisor providing practical, real world advice to assist our clients in ensuring maintenance of a best practices compliance and risk management program. We hope you find the advice contained in these pages to be helpful and informative.

5 Essential Elements of Corporate Compliance

Enforcement authorities across the globe are placing an increased emphasis on the importance of establishing robust and risk-based corporate compliance programs. While the precise formulation and detail of the guidance issued varies, for example, under the US Sentencing Guidelines, the official guidance relating to the UK Bribery Act, or the Good Practice program guidelines endorsed by the Organization for Economic Co-operation and Development, there are key themes that are common to all. Baker & McKenzie has distilled those key themes into the following five color-coded essential elements of corporate compliance:

Leadership
Risk Assessment
Standards and Controls
Training and Communication
Monitoring, Auditing and Response

Introduction – Today’s Compliance Environment

The Challenge
In business, trust is the glue that binds employers to employees, customers to companies, and companies to suppliers, regulators, governments and partners. Yet several years after the financial crisis, efforts to rebuild trust are ongoing. Clients, customers, employees, and stakeholders around the world now demand greater transparency and ethical behavior from businesses with which they are engaged. Companies and regulators alike are seeking to restore trust in industries, products and services, and government.
An effective compliance program is a fundamental tool in a company’s ability to build trust. Maintaining a strong corporate compliance program designed to help prevent corporate officers, employees and third-party agents from engaging in illegal practices such as bribery, collusion, and fraud sounds simple enough. In reality, it’s extremely challenging.

Government authorities around the world are steadily raising expectations with respect to the comprehensiveness of corporate compliance programs, expecting robust policies, procedures, and controls not only for anti-corruption, but also for trade, antitrust, data privacy, and anti-money laundering compliance (among other areas). Furthermore, today’s multinational companies operate in a highly competitive environment in which they have thousands of employees, multiple business partners and extensive operations throughout the world, including in emerging markets where the rules of public and commercial engagement often differ significantly from what they are used to at home.

Global Trends
In China, for example, foreign multinationals do most of their business with state-owned or state-operated companies, which can get them into trouble under the anti-corruption legislation of various countries, including the prohibition in the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act and the Brazil Clean Company Act against making improper payments to foreign officials. In Russia and Nigeria, a foreign company may find it challenging to get its products into the country without bribing customs officials. And in Brazil and Indonesia foreign companies may have difficulty winning public bids without paying someone to shape the request for proposal in their favor.
Companies with headquarters outside the US must also be aware of a significant trend toward enforcement by US, European, and Asia-Pacific enforcement agencies (such as the US Department of Justice, the UK Serious Fraud Office, and the Australian Federal Police) against companies in Eastern Europe, Latin America, Asia, and Africa. In fact, of the 10 largest FCPA settlements, only two involve US companies, with the rest being foreign multinationals, a number of which had no shares or debt registered in the US.

Enforcement & Expectations
Despite the impact of globalization on the business landscape, enforcement officials aren’t giving companies any breaks for improper behavior. In fact, the dramatic increase in global anti-corruption investigations has been accompanied by the rising cost of enforcement actions, an emergence of more aggressive cross-border cooperation in multi-country government investigations, and an increasing risk of prosecution faced by individuals. These days, a Brazilian subsidiary of a US company that comes under investigation by Brazilian authorities will likely also receive a subpoena from the US government. Further, non-US anti-corruption enforcement has seen a noticeable increase in recent years – a trend likely to continue as countries around the world enact robust anti-bribery legislation to meet rising global expectations regarding anti-corruption enforcement.

With the stakes so high, where should companies making compliance a priority look to ensure their compliance programs meet regulators’ expectations? The answer to that question has become increasingly complicated. The gold standard for what types of rules, protocols, communications and oversight a company must have in place in order to meet best practice compliance program requirements used to be contained in the US Sentencing Guidelines’ (USSG) “Seven Elements of an Effective Compliance Program,” originally published in 1991.
Since then, however, those guidelines have been revised numerous times and other country-specific and international standards have been added to the equation.

A major development with respect to compliance program best practices occurred in November 2012, when the US Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC) jointly released their aptly titled A Resource Guide to the U.S. Foreign Corrupt Practices Act. The Resource Guide, a must-read for US and global anti-corruption practitioners and compliance officers, addresses a wide variety of topics related to the US agencies’ enforcement of the FCPA. Significantly, the Resource Guide provides direction on the hallmarks of an effective corporate compliance program and the best practices that the DOJ and the SEC expect companies to deploy when developing and maintaining a compliance program. When assessing a compliance program, the Resource Guide asks three key questions: (1) Is the program well designed? (2) Is it applied in good faith? and (3) Does it work? Importantly, the Resource Guide warns against paper tiger programs, which are often accompanied by assurances of efficacy, but in practice fail to demonstrate program effectiveness.

Similarly, the global compliance landscape has evolved significantly in the past several years. In 2010, the Organization for Economic Co-operation and Development (OECD) released its “Good Practice Guidance on Internal Controls, Ethics, and Compliance.” A year later, the UK Ministry of Justice published six principles for “adequate procedures” following the enactment of the UK Bribery Act. Transparency International, a leading anti-corruption organization, has also established “Nine Business Principles for Countering Bribery,” and the World Economic Forum’s Partnership Against Corruption Initiative has become a leading voice on the global compliance stage.
In light of the recent enactment of the Clean Company Act in Brazil, it is expected that Brazilian authorities will also issue detailed guidelines and expectations for corporate compliance programs.

The Solution
Prosecutors in the US, the UK, and other countries routinely insert compliance program requirements into negotiated resolutions with companies under investigation for corruption. This further adds to the long checklist of what enforcement agencies around the world expect companies to do to detect and prevent misconduct.

The good news is that although these guidelines vary in length, tone and language, they have a lot in common. They all touch upon a set of key issues that can be boiled down to five essential elements: leadership, risk assessment, standards and controls, training and communication, and oversight. If a company’s corporate compliance program effectively covers these five essential elements, it will likely fulfill the wide variety of law enforcement expectations around the world and help prevent costly prosecutions.

In the event of a government investigation, a company with a robust compliance program that encompasses these five elements is much more likely to be granted compliance credit, a reduction in penalties and other forms of leniency that could ultimately minimize damages. Two key factors that prosecutors in the US and other countries consider when deciding whether to file an enforcement action include a company’s level of cooperation and its preexisting compliance program.

To help companies meet the government’s demands for maintaining successful compliance programs, we’ve distilled the various standards to five essential elements based on our extensive experience working on these cases in jurisdictions around the world. For each element, we’ve included specific actions that companies can take to ensure they are fulfilling the requirements of each element.
While our primary focus in this document is in the area of anti-corruption, the five elements framework can be practically and effectively applied in other areas of your compliance program, such as trade, antitrust, data privacy, and anti-money laundering. Our subject matter experts around the globe can provide you with the detailed guidance to apply the five elements to such areas, based on your company’s unique risk profile.

Enforcement Around the World

US
In November 2012, the DOJ and SEC jointly released A Resource Guide to the U.S. Foreign Corrupt Practices Act. This highly anticipated, watershed publication represents a comprehensive overview of the US government’s enforcement positions and expectations for corporate compliance programs. The Resource Guide also includes practical guidelines for companies around the world grappling day-to-day with the challenges of designing, implementing, and enforcing a comprehensive anti-corruption compliance program.

UK
In the wake of the passage of the UK Bribery Act, prosecutors in the UK are pursuing significant, high-profile corruption matters and charging individuals and companies with corruption-related offenses. In August 2013, the Serious Fraud Office brought its first Bribery Act charges and has since formally announced active investigations involving large, multinational corporations. Importantly, beginning in February 2014 with the passage of The Crime and Courts Act, UK prosecutors can now employ deferred prosecution agreements as an additional means of efficiently resolving corruption-related matters.

CHINA
As discussed throughout this document, anti-corruption enforcement is extremely active in China. Corruption and bribery are historically linked to business and government operations in the country and remain key concerns of the Chinese government and company executives.
In addition to initiating many recent high-profile investigations involving multinational companies, the Chinese government also recently amended its criminal laws to cover foreign bribery, adding a new provision that criminalizes paying bribes to non-PRC government officials and to officials of international public organizations. Potential bribery targets include officials, companies (state-owned enterprises and privately owned companies) and their employees. A September 2014 ruling against GlaxoSmithKline signaled the country’s intent to levy large financial penalties against companies and sentence individuals to prison time for violating its laws.

BRAZIL
Brazil's new anti-bribery law, often referred to as the Clean Company Act, officially took effect in January 2014. The Act applies to business organizations in Brazil (whether incorporated or not), Brazilian foundations or associations, and foreign companies with any presence in Brazil. Under the new law, such entities can be strictly liable for prohibited acts committed in their interest or for their benefit. With this new law, Brazil has created a template with which to maximize the enforcement capabilities of the country’s authorities and simultaneously set the bar for other Latin American countries to follow suit with similarly robust legislation.

RUSSIA
Anti-bribery initiatives in Russia are growing in strength and momentum and there is an increasing focus on enforcement. Over 160 corruption-related cases have been brought against companies in the past three years and the Kremlin launched a robust anti-corruption campaign during the fall of 2012. Furthermore, there is a growing recognition in Russia that compliance is good for business, supported by measures such as a November 2013 regulation issued by the Ministry of Labor outlining recommended anti-corruption compliance guidelines for commercial and non-commercial entities.
INDIA
India is actively increasing its attention to a longstanding culture of bribery and corruption. Traditional anti-corruption laws in India are primarily based upon colonial laws enacted while India was under British control. However, recently proposed legislation, including the Prevention of Corruption (Amendment) Bill 2013 (currently pending before the Indian government) and the Prevention of Bribery of Foreign Public Officials and Officials of Public International Organizations Bill 2011 (currently pending before the Indian government), is expected to significantly enhance the Indian government’s ability to crack down on offenders.

AUSTRALIA
The Australian anti-corruption landscape is experiencing rapid change. The country has active state and federal anti-corruption laws that prohibit bribery of public officials and commercial entities. Penalties are significant – up to A$11 million for corporations and up to A$1.1 million and 10 years of imprisonment for individuals. In addition, recent enforcement matters including the 2012 Securency and Note Printing Australia case have significantly raised the profile of Australia’s anti-corruption regime.

CANADA
In 2013, Canada significantly strengthened its Corruption of Foreign Public Officials Act (CFPOA), including enhanced books and records obligations, broader jurisdiction, elimination of the exception for facilitation payments, and increased penalties. In May 2014, a judge in Ottawa handed down the first prison sentence under the CFPOA since it originally came into force in 1999.

Essential Element 1 – Leadership

Increasingly, boards are finding that trust is on their agenda as a key business enabler – this means trust in the business, its leadership, its stakeholders, and its network of suppliers. Corporate structures and processes are essential, but they must also be fortified with values that include integrity, transparency, and respect for the rule of law.
Likewise, a successful compliance program must be built on a solid foundation of ethics and integrity that is fully endorsed by senior management. Otherwise it's just a hollow set of internal rules and regulations.

But compliance standards require even more than support from the top. Companies must have high-ranking compliance officers with the authority and resources to manage the program on a day-to-day basis. The compliance officers must have the ear of those individuals ultimately responsible for corporate conduct, including members of the Board of Directors.

The US Sentencing Commission reinforced the importance of ensuring that compliance officers have direct access to the Board of Directors when it published amendments to the US Sentencing Guidelines in 2010. To receive a “culpability score reduction” during sentencing under the Guidelines, a company must now show that its compliance officers can promptly report any matter involving criminal conduct directly to the board or appropriate board committee. Compliance officers should also report to the board on the implementation and effectiveness of the company’s compliance program at least once a year.

As a best practice, however, we advise clients to take this component of their programs a step further. We recommend that a company’s chief compliance officer or legal department compliance manager provide quarterly presentations to the board about ongoing internal investigations, general developments in anti-corruption laws and enforcement, compliance challenges the company is facing and what is being done to address those challenges. That way, it is clear that the line of communication between the compliance team and the board is open.

What key global guidance resources say about leadership:
OECD: Support from senior management is strong, explicit and visible. Program is overseen by senior corporate officers with sufficient resources, authority and access to the board.
USSG: Leaders understand and oversee the compliance program to verify its effectiveness; specific individuals have the authority and responsibility to carry out the program. The company denies leadership positions to people who have engaged in misconduct.
UK’s 6 Principles: Top-level commitment.

Recommendations

Ensure board level accountability for the effectiveness of your compliance program.
A key element of successful compliance programs is that responsibility for developing and maintaining a culture of compliance ultimately rests with the Board of Directors. This is also where the trust-building of a company originates, as the Board must endorse ethical values at every level of the company in a manner that will influence behavior across reporting lines and help ensure these values reach all employees. Robust compliance programs require those responsible for the effective operations of the company to ensure that appropriate operational systems and corporate structures are in place to enable the company to operate in a compliant manner. A Board of Directors should therefore oversee implementation of a company’s compliance program, ensure that it is effective in addressing the risks faced by the company, and provide direct supervision of those responsible for the day-to-day management of the program. And the Board should get familiar with the business, know what is happening on the ground, consider how corporate values are being followed, and ensure employees feel they can speak up with any concerns they might have.

Make sure central compliance communicates with those in the field.
One of the biggest impediments to effective compliance leadership is poor communication between a company’s central compliance department and country managers working in the field.
This can be a major oversight considering that country managers are often the employees in the trenches overseeing sales people and third-party agents who are selling and distributing the company’s products and services. Neglecting to provide appropriate compliance training for country managers or keep them in the corporate loop increases the chances that efforts to establish a strong local compliance culture will fail. Management tactics such as incorporating specific compliance requirements into annual evaluation criteria and connecting compensation to performance under these requirements can be effective for guiding employee behavior towards a greater respect for compliance. Local managers are often best situated to set the tone for compliance and to detect and address illegal or unethical practices before they become compliance issues that put the company at risk.

Place compliance officers in high-risk markets.
Another common oversight is failing to have well-trained compliance personnel in a company’s foreign offices. Maintaining a leadership structure that is too centralized will stifle efforts to foster a healthy compliance culture across all geographies and to minimize global risk. Ethical edicts issued from faraway headquarters are often ineffective without buy-in from local managers who have the training and experience to reinforce such rules. The determination of which overseas offices should have the strongest compliance presence should be made on a risk basis. Companies can begin by building an active presence of trained compliance managers in markets with the greatest compliance risk, then expand this presence to other jurisdictions.

Conduct periodic board training and provide reports on hot topics in compliance and risk management.
Corporate board members face the prospect of personal liability for failing to meet their fiduciary responsibilities in overseeing these policies and practices.
With greater awareness of compliance issues from sources such as whistleblowers and bloggers, there comes a greater duty and expectation for board members to act. By providing regular, timely compliance training for board members and keeping them updated on compliance and risk management trends, legal and compliance departments can help directors fulfill their compliance obligations and steer the company away from potential misconduct.

Leverage Internal Audit, Finance, and other risk management functions.
In order for a compliance program to be successful, multiple disciplines within the company must assist the compliance department in leading the way. Internal Audit and Finance are in the best position to understand the company’s financial risks and are often on the front lines of identifying red flags. Leveraging their expertise and internal structure will extend the reach of the compliance program into those functions that are key to a successful compliance program.

Essential Element 2 – Risk Assessment

Although the original 1991 version of the US Sentencing Guidelines did not specifically identify the completion of a formal risk assessment as one of the seven elements of effective corporate compliance, Sarbanes-Oxley directed the Commission to add it to the list. As a result, government officials now routinely emphasize risk assessments as the foundation of an effective program.

What changed? The answer may be globalization. As multinationals have expanded their enterprises and become more dependent on global supply chains, knowing and understanding the nature and extent of business risks has become a critical first step for implementing successful compliance programs. Enforcement authorities around the world increasingly expect multinationals to have formal processes for periodically assessing the compliance risks everywhere they do business, particularly in higher-risk regions, including emerging markets like China, Russia, India and Brazil.
During the risk assessment process, companies must evaluate numerous compliance issues, including the degree to which the company’s employees conduct business with government officials, the company’s use of third-party agents and intermediaries, the regulatory environment of the regions where the company operates, and the effects of any recent business developments such as new joint ventures, corporate affiliations, or expansion into markets that could create additional risk.

What key global guidance resources say about risk assessment:
OECD: Risk assessment should be the basis for effective internal controls and compliance programs.
USSG: Companies must conduct periodic assessments of risk of criminal conduct and take appropriate steps to design, implement or modify each element to reduce risk.
UK’s 6 Principles: Broad categories of risk must be carefully examined, including country, sectoral, transaction, business opportunity and partnerships. Program priorities, resources and controls should be determined based on the results of the risk assessment.

Recommendations

Conduct annual risk assessments.
The purpose of a risk assessment is to gauge where your company’s greatest compliance risks are so you can target resources in those areas and establish policies and protocols to minimize those risks. Yet it’s surprising how many companies do not perform this task. Companies will often wait until something goes wrong before self-assessing. To avoid the inherent risks in the “wait and see” approach, we recommend that you conduct a formal risk assessment every year. Because enforcement trends, such as those involving anti-corruption, trade, antitrust, data privacy, and anti-money laundering laws, evolve rapidly and multinationals tend to go through numerous significant changes within a given fiscal year, we have found this to be an optimal timeframe.

Build this annual risk assessment into your compliance program.
Not only should you conduct annual risk assessments, but you should try to perform them at the same time each year. To pass muster with government regulators, it will be helpful to demonstrate that your risk assessment is a regular, systemic part of your compliance efforts rather than an occasional, ad-hoc exercise cobbled together when convenient. We also recommend designating a specific group, such as your compliance team, internal audit department or enterprise risk management team to spearhead the annual review. This will help demonstrate to the government that your risk assessment is a formal corporate process.

Scrutinize new business partners and third-party agents.
One of the key areas that can get companies into compliance trouble is their lack of internal controls over business partners and third-party intermediaries such as consultants, distributors, contractors and sales agents. The majority of FCPA enforcement actions involve some use of third parties. Compliance standards require companies to conduct due diligence on new business partners and third-party intermediaries. But in the rush to close deals and enter new markets, that doesn’t always happen as thoroughly as it should. Conducting a formal risk assessment each year provides an opportunity to take a closer look at newer business relationships to make sure partners and third parties do not have improper connections to government officials or involvement in unethical, improper, or illegal conduct. Any risk that you uncover should be addressed and remediated.

Update your policies and procedures based on enforcement trends.
Throughout the course of a year, government officials around the world file numerous enforcement actions against companies for all kinds of corporate misconduct. Paying attention to the specific compliance areas that the government is targeting in these enforcement actions will tell you a lot about what your program needs to focus on to stay out of the government’s cross hairs.
If, for example, you notice that the government has been clamping down on gift giving and hospitality in Asia and you conduct considerable business in that region, that should become a focus area for your risk assessment. Then, depending on whether your hospitality policies and procedures in Asia are in line with what the government now expects, you should make necessary changes.

Memorialize your findings in an annual report.
When conducted every year, routine risk assessments should generally take three to four weeks, depending on the size of your company and your compliance resources. Once the assessment is complete, the compliance or audit team should compile its findings and recommendations in a comprehensive report to be presented to the chief compliance officer and Board of Directors for review and consideration of appropriate program enhancements. However, the process should not stop there. An action plan that prioritizes the recommendations from the risk assessment and assigns parties responsible for implementation should then be developed to ensure that the necessary program enhancements are implemented.

Essential Element 3 – Standards and Controls

It would be challenging to find a global company today that doesn’t have a code of business conduct — an easy-to-read summary of corporate do’s and don’ts. But compliance standards require that companies go much further. Besides a flagship code of conduct, corporations should have detailed written policies covering issues such as bribery, corruption, trade, antitrust, data privacy, money laundering and accounting practices, as well as clear procedures and protocols for making sure those policies are followed and enforced.

A code of conduct will usually expressly prohibit bribery.
However, best practices now require additional standards and controls, including detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on paper.

What key global guidance resources say about standards and controls:
OECD: Company policy should clearly and visibly state that bribery is prohibited. Compliance programs should address key risk areas. Companies should conduct due diligence on business partners and implement effective internal controls for accurate books and records. Employees should be able to report violations confidentially without fear of retaliation.
USSG: Companies should have standards and procedures to prevent and detect criminal conduct. They should provide incentives and discipline misconduct.
UK’s 6 Principles: Policies and procedures should be clear, practical and accessible. Companies should have due diligence protocols for screening third-party intermediaries.

Recommendations

Establish stringent protocols for screening business partners and third parties.
In most risk assessments we perform for clients, we find gaps in the company’s third-party due diligence program. Many companies have not yet created an effective platform for screening third-party intermediaries and other business partners for previous misconduct and improper ties to the government. Some companies still give their business partners only a cursory look — a considerable oversight considering how often government investigations involve allegations of impropriety by a company’s third-party agents.
To conduct proper due diligence, companies must require third parties and other business partners to complete background questionnaires detailing, among other things, their financial stability, foreign government ties and any history of investigations. Third parties should also declare their commitment to robust corporate compliance in a signed certification form. To increase accountability, we also recommend using business sponsor forms in which employees who refer or hire third-party agents provide background information about the agents, such as the experience and attributes that qualify the agents for the role they will play as new company partners.

Conduct background checks on important business partners in high-risk markets. Performing background checks on third parties can be an expensive undertaking. But it may be advisable when screening major business partners and third parties in higher-risk markets to make sure they’ve represented themselves accurately in their paperwork. Accordingly, consider hiring trained, local investigators to get an even clearer picture of whether your potential partner could become a compliance liability.

Include strict compliance covenants in your third-party contracts. Today’s best practice compliance standards also require companies to monitor the conduct of third parties and other business partners. We strongly encourage companies to integrate contractual provisions with business partners that facilitate the company’s ability to do so. At a minimum, these compliance covenants should cover three core concerns: adherence to the anti-corruption laws that are of most relevance to the relationship, audit rights, and termination rights.
More specifically, these provisions should require the business partner to agree not to violate relevant anti-corruption laws, to give the company the right to review the partner’s books and records, and to enable the company to terminate the contract if it later determines the partner is engaged in misconduct, unethical behavior or illegal activity.

Establish internal controls to ensure accounting records are accurate. The FCPA and the anti-corruption laws of many other countries require companies to book transactions correctly by securing receipts and accurately recording the date and amount of the payment. To be compliant, companies should reconcile bank accounts with outgoing and incoming payments every month and inquire into any suspicious payments and missing funds that could indicate misappropriation or off-the-books transactions. Companies should pay particular attention to transactions with consultants and business development agents, customs payments, charitable giving arrangements, political contributions and gifts and hospitality involving government officials.

Provide clear guidelines for gift giving and hospitality. Giving clients and business associates gifts, treating them to dinner or taking them to sporting events are common business development practices. But anything too extravagant or lavish could quickly cross the line into bribery. Differences in culture and economic prosperity can make it difficult for companies to establish one-size-fits-all gift-giving and hospitality guidelines for the countries where they conduct business. While paying $150 a head for a business dinner in Australia may not constitute bribery, in poorer countries such as Nigeria or Indonesia it could. That’s why it’s so important to tailor hospitality policies to individual countries.
Companies can do this in any number of ways, including through the use of a thresholds table listing permissible hospitality amounts based on local laws and regulations in each country where they operate, plus advice from experienced local counsel.

Essential Element 4 – Training and Communication

One of the most important elements of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies, and prohibited conduct. In recent years, the rise of technology platforms such as webinars, video conferencing and online self-testing has made training easier and more affordable. But simply conducting some compliance training for employees isn’t enough. Enforcement officials want to be sure management’s compliance message gets through in a meaningful way. Thus, when determining whether a company’s training program meets its expectations for effectiveness, government authorities often scrutinize who a company trains, how the training was conducted and how often training occurs.

What key global guidance resources say about training:

OECD: Training should be periodic, consistent, and documented.

USSG: Companies must communicate the standards and procedures of their compliance program and conduct effective training.

UK’s 6 Principles: Effective implementation of compliance program policies and procedures through adequate training.

Recommendations

Develop an annual, risk-based training plan. Regulators in countries across the globe have come to expect companies to provide training programs. In order to demonstrate a true understanding of the anti-corruption risks unique to your company, regulators will want to see that your training program is adequately comprehensive, for example, by including both computer-based and live components.
Also, government authorities will seek to ensure that employees performing your highest risk activities, and those who are in a position to monitor your highest risk transactions, are regularly trained on policies and procedures designed to help minimize risk, identify red flags, and escalate or remediate compliance-related problems. A training plan should include a schedule for tracking when employees complete required compliance training. Tools for encouraging timely completion can include a reduction in performance scores for staff who do not complete required training and supervisors whose staff are delinquent.

Provide live compliance training for country managers. If resources permit, officers and managers in your foreign offices should receive live, in-person compliance training every year, particularly those working in your highest risk markets. In the compliance world, anti-corruption laws, enforcement trends and government priorities change quickly. Waiting more than a year to conduct periodic compliance training can impede awareness. If lack of resources is an issue, conducting live videoconferences or webinars with question-and-answer sessions is a good alternative.

Train the right people. When providing compliance training, it’s important to prioritize which audience to educate first, particularly when you have limited resources. Besides country managers, it’s important to focus your initial training efforts on high-risk markets and directors, officers, sales employees, and third-party intermediaries who have direct contact with government officials or deal with state-owned entities. Then expand the training around the globe and across your employee spectrum.

Conduct live, annual training in high-risk markets. Enforcement officials have made it clear that live, in-person training is the preferred method in high-risk markets and that this training should be relatively frequent.
Therefore, merely conducting a simple five-question online anti-corruption compliance test in a higher-risk country such as Russia, or performing training in China once every five years, will probably not be sufficient from a regulator’s perspective. Also, one of the many benefits of conducting live, in-person training is that you often receive immediate feedback. During live training, employees are more likely to casually mention a potentially risky practice, giving you the opportunity to address an impropriety before it becomes a larger problem.

Develop your training to address a broad range of global issues. Some companies make the mistake of having a generic script for all compliance training that misses the practical challenges employees routinely face. Training programs typically cover the FCPA, UK Bribery Act, OECD guidelines, Brazil Clean Company Act, and enforcement trends in other countries in Europe, Asia-Pacific, and South America. Additionally, you need to focus on the specific compliance risks in the country where the employees are working. In China, for example, training should address the many corruption risks of dealing with state-owned entities. In Brazil and Nigeria, training should include guidance on how to handle government officials who expect facilitation fees to move business processes along more quickly. Finally, certain functions that are key to effective compliance monitoring should receive function-specific training. For example, accounts payable should receive training on how to identify red flags related to improper payments or otherwise signaling potentially corrupt or fraudulent activity.

Update your training regularly. Enforcement trends and anti-corruption laws change quickly, and government officials are increasingly collaborating across borders to conduct large-scale investigations. That’s why it is important to monitor what’s happening around the world and incorporate those developments into your training.
Compliance is a global issue that requires corporate vigilance and constant attention. By providing timely, effective employee training, companies can demonstrate their commitment to cultivating and supporting a strong compliance culture.

Essential Element 5 – Oversight: Monitoring, Auditing and Response

After all the ethical messages have been put in place and communicated to the appropriate audiences, the question remains whether the workforce is actually complying. Two of the seven compliance elements in the US Sentencing Guidelines call for corporations to monitor, audit and respond quickly to allegations of misconduct. These three activities — monitoring, auditing and responding — are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

Many companies fall short on this element, often because of confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance problems in real time, then acting quickly to remediate them. The primary goal is to identify and address gaps in your program on a regular basis. An audit is a more limited review that targets a specific business component, region or market sector during a particular timeframe to uncover or evaluate certain risks. Some companies assume that because they conduct audits or have a dedicated auditing team, they are effectively monitoring. This is usually not the case.

A robust compliance program should include separate monitoring and auditing functions. While unique in protocol, these two program components are often viewed as compliance “cousins” because they work in tandem. If, for example, you notice a trend of suspicious payments in recent monitoring reports from Indonesia, you may decide it’s the appropriate time to conduct an audit of those operations to target and further investigate the issue.
What key global guidance resources say about oversight:

OECD: Individuals at all levels of the company should be responsible for monitoring. Companies should discipline employees for violations of the policy. Companies should regularly review their compliance programs and make necessary revisions.

USSG: Companies should monitor and audit their compliance programs and maintain reporting mechanisms. They should respond quickly to allegations and modify their programs as needed.

UK’s 6 Principles: Companies must monitor and review their compliance programs.

Recommendations

Establish a regular monitoring system to spot problems and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on a continuing basis. Ongoing, real-time monitoring, when effectively managed, will provide valuable insight into who a company’s business partners are and the specific transactions entered into with such business partners. Monitoring complements the risk assessment and audit processes by providing additional context for the nature and scope of high-risk relationships and transactions. It facilitates ongoing visibility into these risks for the period of time between regularly scheduled risk assessments and audits. The result is that compliance personnel have the opportunity to thwart corruption and bribery attempts while in process. This is why your compliance team should be checking in regularly with local finance departments in your foreign offices to ask whether they’ve noticed recent accounting irregularities. Also, as part of their corporate compliance accountability, regional business directors should be required to keep tabs on potentially improper activity in the countries they manage.
Your global compliance committee or enterprise risk group should talk as often as feasible (perhaps every month) to discuss and address issues as they arise. Ongoing efforts like these will show government authorities that you are serious about compliance.

Require country managers to complete regular compliance reports. One of the nine factors that US prosecutors consider when deciding whether to file an enforcement action is whether a company is applying its compliance program in good faith. The program may look good on paper, but the government wants to know: is it really working? One of the most effective ways of answering that question is being able to show prosecutors regular, periodic monitoring and auditing reports prepared by senior executives and managers across your operations.

Pay attention to what employees say during training. Training is a form of monitoring because it can alert you to potential problems based on the types of questions employees ask and their reception to certain concepts. For example, during training employees sometimes ask specific questions about their interactions with government officials or gift-giving practices that can raise red flags, which should be addressed quickly. The information learned from the engagement of employees in this manner will assist the company in taking appropriate actions to initiate program improvements and further enhance corporate values.

Regularly test your compliance program to verify its effectiveness. Regulators expect a well-functioning compliance program to identify program weaknesses and promptly address those weaknesses. While companies typically test their financial controls, they should be mindful of testing the entire anti-corruption program, not just the financial controls system.
One particularly useful method of testing is to track categories of payment methods often used by third-party agents -- such as commissions -- and require compliance to confirm that due diligence screening was successfully completed. Upon implementation of an enhanced in-person training program, periodically review hotline reports and inquiries to determine whether such reports have increased, or whether more compliance-related inquiries have been received from categories of employees who have not previously communicated with the compliance department. Conduct employee surveys to measure the compliance culture and employee knowledge and awareness of compliance practices and procedures.

Establish protocols for internal investigations and disciplinary action. Responding swiftly and effectively to compliance issues will sometimes require your company to conduct an internal investigation. Each company should have procedures already in place to make sure every investigation is thorough and authentic. Those procedures should include document preservation protocols, data privacy policies, and communication systems designed to manage information and get it to the appropriate people quickly. Best practice compliance guidelines also encourage companies to establish disciplinary policies that clearly state how they regulate and discipline employees engaged in misconduct.

Remediate problems quickly. A key concept behind the oversight element of effective corporate compliance is the idea that if companies are policing themselves for compliance-related issues, the government won’t have to do it for them. That is why remediation is such an important component of oversight. If it’s clear that your sales people in Thailand are doing something potentially improper partly because they never received adequate compliance training, remediate the deficiency by scheduling that training immediately.
In the end, it’s not enough to just gather information and identify compliance problems. To fulfill this essential element of compliance, you also have to fix them.

The 5 Elements and Key Global Guidance

USSG’s 7 Elements of an Effective Compliance Program
1. Standards and procedures to prevent and detect criminal conduct
2. Leaders understand / oversee the compliance program to verify effectiveness and adequacy of support; specific individuals vested with implementation authority / responsibility
3. Deny leadership positions to people who have engaged in misconduct
4. Communicate standards and procedures of compliance program, and conduct effective training
5. Monitor and audit; maintain reporting mechanism
6. Provide incentives; discipline misconduct
7. Respond quickly to allegations and modify program
NOTE: A general provision requires periodic assessment of risk of criminal conduct and appropriate steps to design, implement, or modify each element to reduce risk

DOJ/SEC FCPA Resource Guide Hallmarks of Effective Compliance Programs
1. Commitment from Senior Management and Clearly Articulated Policy
2. Code of Conduct and Compliance Policies and Procedures
3. Oversight, Autonomy and Resources
4. Risk Assessment
5. Training and Continuing Advice
6. Incentives and Disciplinary Measures
7. Third-Party Due Diligence and Payments
8. Continuous Improvement: Periodic Testing and Review
9. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration

OECD’s Good Practice Guidance on Internal Controls, Ethics, and Compliance
1. Risk assessment as basis for effective internal controls and compliance program
2. Policy that clearly and visibly states bribery is prohibited
3. Training – periodic, documented
4. Responsibility – individuals at all levels should be responsible for monitoring
5. Support from senior management – strong, explicit and visible
6. Oversight by senior corporate officers with sufficient resources, authority, and access to Board
7. Specific risk areas – promulgation and implementation programs to address key issues
8. Business partners due diligence
9. Accounting – effective internal controls for accurate books and records
10. Guidance – provision of advice to ensure compliance
11. Reporting violations confidentially with no retaliation
12. Discipline for violations of policy
13. Re-assessment – regular review and necessary revisions

UK’s 6 Principles for “Adequate Procedures”
1. Proportionate procedures
2. Top level commitment
3. Risk assessment
4. Due diligence
5. Communication
6. Monitoring and review

Foreign Bribery Enforcement Actions by Country/International Organization 1977-2013 (N = 515)

Twenty-six countries and three public international organizations (the United Nations, European Bank for Reconstruction and Development (“EBRD”) and the World Bank) pursued 515 foreign bribery enforcement actions (which includes ongoing investigations) from 1977 through 2013. The US maintained the strongest enforcement record during this period, undertaking over 61% of all foreign bribery enforcement actions. The enactment of the FCPA in 1977 gave the US a considerable head start on foreign bribery enforcement compared to other countries. The US has accumulated nearly seven times as many foreign bribery enforcement actions as the country with the next highest total (the UK). Many countries have not pursued a single foreign bribery enforcement action in the 36-year period covered by the Global Enforcement Report.

Source: ©

Total Domestic and Foreign Bribery Enforcement Actions by Industry 1977 – 2013 (N=701)

This shows the industries that have experienced the most domestic and foreign bribery enforcement activity from 1977 through 2013.
As in 2012, the extractive industries again represent the highest number of domestic and foreign bribery enforcement actions, although the manufacturer/service provider sector has nearly as many domestic and foreign bribery enforcement actions. These two sectors account for approximately 35% of known domestic and foreign bribery enforcement activity, and are followed by the aerospace, defense and security sector and the health care industry. These four industries had the largest number of domestic and foreign bribery enforcement actions from 2010 through 2013, and numerous companies in these industries are currently being investigated.

Source: ©

Corruption Perceptions Index 2014

175 COUNTRIES. 175 SCORES. HOW DOES YOUR COUNTRY MEASURE UP? The perceived levels of public sector corruption in 175 countries/territories around the world.

Source:

Contacts

If you have any questions about this document or would like more information about our Global Corporate Compliance Practice, please contact:

Mini vandePol
Chair, Global Corporate Compliance
+1 852 2846 2562
email@example.com

© 2015 Baker & McKenzie. All rights reserved. Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

www.bakermckenzie.com

Baker & McKenzie has been global since inception. Being global is part of our DNA. Our difference is the way we think, work and behave – we combine an instinctively global perspective with a genuinely multicultural approach, enabled by collaborative relationships and yielding practical, innovative advice.
Serving our clients with more than 4,200 lawyers in more than 45 countries, we have a deep understanding of the culture of business the world over and are able to bring the talent and experience needed to navigate complexity across practices and borders with ease.