Content Material of Anti-Bribery & Anti-Corruption Master Class Presented at 2nd African Mining Security Summit at The Sandton Hilton Hotel, Johannesburg on 17 April 2015.
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
African mining security summit 2015 anti corruption workshop final draft
1. THE ANTI-BRIBERY AND CORRUPTION MASTER CLASS
PresentedbyMyron D. B. Betshanger
Introduction:
The fightagainstcorruptionhas significantlyintensifiedinthe recentdecade andwill continue tobe afocal pointoverthe
foreseeable future.Governmentsfromall regionsare introducing stricterlawsto combat briberyinbusinesstransactions.
Enforcementisonthe rise,withcriminal penaltiesforwrongdoingreachingrecordlevels.The extraterritorialreachof anti-
corruptionlawsalsomeansthatorganizationsdoingbusinessandraisingcapital inmultiplejurisdictionscanbe prosecuted for
acts of briberycommittedanywhere inthe world.Inlightof thisincrease inregulatoryandenforcementactivity,
organizationsare devotingmore andmore resourcestoestablishingpolicies,infrastructure andprocessesaimedatfighting
corruptionwithintheirownbusinessesandthroughouttheirsupplychains.
The purpose of thisworkshopistherefore notonlytoconscientizing attendeesaboutthe riskswhichbriberyandcorruption
posesto theirorganizations,butalsotoprovide guidelinesonpractical solutionswhichtheymayadopt,adaptandimplement
inorder to ensure thattheydonot directlyorindirectlyeitherfall victimtoactsof corruptionor unwittinglyviolate the
plethoraof anti-briberyandanti-corruptionlawsandregulations.
In orderto achieve thisoutcome the workshopisdividedintoFOUR(4) mainparts:
Third party due diligence: compliance red flags and best practice
Establishing effective whistle-blower procedures and responding to allegations
How to detect bribery in your business operations: a thorough look into case studies
Updating your governance, audit and fraud and anti-corruption controls for the new legislative landscape in Africa
2.
3. Part I. Good Practice Guidelines on Conducting Third-Party Due Diligence
Under manylegal frameworks,organizations mayindeedbe heldliableforactsof corruptionbytheirthirdparties,i.e.their
agents,consultants,suppliers,distributors,joint-venture partners,oranyindividual orentitythathassome formof business
relationshipwiththe organization.Therefore,before enteringintorelationshipswiththirdparties,organizationsare taking
active stepstoensure that potential corruptionrisksflowingfromthese relationshipsare responsiblyevaluatedandmanaged.
In fact,conductingrisk-baseddue diligence onthirdpartieshasbecome alegal expectationinmanycountriesthathave
ratifiedthe OECDAnti-BriberyConventionand/orthe UnitedNationsConventionagainstCorruption,andconducting
adequate due diligence mayhelporganizationsdecrease,andunder some lawsevenavoid,the riskof criminal culpabilityfor
corrupt third-partyconduct.
For purposesof thisworkshopwe will be dealinginthe mainwiththe Anti-corruptionlegislationof three jurisdictions,namely
SouthAfrica,the USA and the UnitedKingdom.
What does the law state ?
1. South Africa – The PreventionandCombating of Corrupt ActivitiesAct 12 of 2004.
Section5 – Offencesinrespectof corrupt activitiesrelatingto foreignpublicofficials
(1) “Any person who, directly or indirectlygives or agrees or offers to give any gratification to a foreign public official,
whether for the benefit of that foreign public official or for the benefit of another person, in order to act,
personally or by influencing another person so to act, in a manner –
(a) That amounts to the –
(i) iIleagl, dishonest, unauthorized, incomplete or biased; or
(ii) misuse or selling of information or material acquired in the course of the, exercise, carrying out or
performance of any powers, duties or functions arising out of a constitutional, statutory, contractual
or any other legal obligation;
(b) that amounts to-
(i) the abuse of a position of authority;
(ii) a breach of trust;or
(iii) the violation of a legal duty or a set of rules
(c) designed to achieve an unjustified result;or
(d) that amounts to any other unauthorized or improper inducement to do or not to do anything,
is guilty of the offence of corrupt activities relating to foreign public officials.
(2) “ Without derogating from the generalityof section 2 (4), “to act” in subsection (1) includes
(a) ……………
(b) obtaining or retaining a contract, business or an advantage in the conduct of business of that foreign state or
public international organization.
Section6 – Offencesinrespect ofcorrupt activitiesrelatingto agents
“Any –
(a) agent who, directly or indirectly –
(i) accepts or agrees or offers to accept any gratification from any other person, whether for the benefit of himself
4. or herself or for the benefit of another person; or
(ii) gives or agrees or offers to give any person any gratification, whether for the benefit of that person or
for the benefit of another person; or
(b) person who, directly or indirectly –
(i) accepts or agrees or offers to accept any gratification from an agent, whether for the benefit of himself
or herself or for the benefit of another person; or
(ii) gives or agrees or offers to give any gratification to an agent, whether for the benefit of that agent or
for the benefit of another person,
in order to act, personally or by influencing another person so to act, in a manner –
(aa) that amounts to the –
(aaa) illegal, dishonest, unauttorised, incomplete or biased; or
(bbb) misuse or selling of information or material acquired in the course of the exercise, carrying out or performance of
any powers, duties or functions arising out of a constitutional, statutory, contract or any other legal obligation
(bb) that amounts to –
(aaa) the abuse of a position of authority;
(bbb) a breach of trust; or
(ccc) the violation of a legal duty or a set of rules
(cc) designed to achieve an unjustified result;or
(dd) that amounts to any other unauthorized or improper inducement to do or not to do anything
is guilty of the offence of corrupt activities relating to agents.
2. The USA’sForeignCorrupt Practice Act
Under the FCPA,anorganizationorindividual maybe heldliable formakingapaymenttoa thirdparty while knowing
that all or a portionof the paymentwill godirectlyorindirectlytoa foreignofficial.AccordingtoUS Departmentof
Justice guidance issuedonthe FCPA,the term“knowing”includesconsciousdisregard,deliberate ignorance and
willfulblindness.Toavoidbeingheldliable forcorruptthird-partypayments,the USDepartmentof Justice encourages
companies“toexercise due diligenceand to take all necessaryprecautionsto ensure that they have formeda
businessrelationshipwithreputableand qualifiedpartnersandrepresentatives”.
3. The UnitedKingdom(UK’s) Bribery Act 2010
In itsAdequate ProceduresGuidance tothe new UK BriberyAct2010, the UK Ministryof Justice statesthat“a
commercial organizationwill be liable toprosecutionif apersonassociatedwithitbribesanotherpersonintendingto
obtainor retainbusinessoranadvantage inthe conduct of businessforthatorganization”.An “associatedperson”is
definedasanindividualorentitythat“performservicesfororonbehalf”of an organization.Inthe eventof failure to
preventbriberybyanassociatedperson,the UKBriberyActprovidesthatit isa “defense”foranorganization“to
5. prove that [it] hadinplace adequate proceduresdesignedtopreventpersonsassociatedwith[it] fromundertaking
such conduct”.
What the United Nations Convention against Corruption says
Article 21. Briberyin the Private Sector
“Each State Party shall consideradoptingsuchlegislativeandothermeasuresasmaybe necessarytoestablishascriminal
offences,whencommittedintentionallyinthe course of economic,financial orcommercial activities:
a. The promise,offeringorgiving,directlyorindirectly,of anundue advantage toany personwhodirectsorworks,in
any capacity,fora private-sectorentity,forthe personhimself orherself orforanotherperson,inorderthathe or
she,inbreach of hisor her duties,actor refrainfromacting.
b. The solicitationoracceptance,directlyorindirectly,of anundue advantage byanypersonwhodirectsor works,inany
capacity,for a private-sectorentity,forthe personhimselforherself orforanotherperson,inorderthathe or she,in
breachof hisor her duties,actor refrainfromacting.”
From the above itis therefore clearthatthe essential requirementof third-partydue diligence istoknow one’spartner.In
operational terms,thismeansmakingappropriate inquiriesto determinewhetheranorganization’sexistingorprospective
thirdpartiesare honestand can be reasonablyexpectedtorefrainfromcorruption.Effectivethird-partydue diligence should
helporganizationsreachthe followingconclusion:
“Weare confidentthatour agent(s),reseller(s),supplier(s) etc.does not make corrupt payments,and that our business
relationshipisa normal,legitimateone. Wecan thus explainto, andconvinceothers whyour confidenceis justified.”
6. QUESTIONNAIRE
1. Does your company currently operate in countries/ regionswith a high perceptionof corruption?
__________________________________________________________________________________________
__________________________________________________________________________________________
2. Does your company currently make use of third party agentsin these territoriesin order to conduct businessonits
behalf?
___________________________________________________________________________________________
3. What mechanismsdo your company have in place to monitor third party agents acting on its behalf ?
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
4. What existingcontrolsdo your company / organization have inplace to preventand detectthird-party bribe
facilitationpaymentsby agentsacting on itsbehalf?
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
5. In your opinion, do you think that the above stated mechanismsis sufficientinmitigatingthird-party briberyand
corruption risks that agents acting for or on behalfof your company may pose ?
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
7. Basic Attributesof a Third Party Due Diligence Investigation
Third-Party Due Diligence – A Risk-based Approach
The level of scrutinynecessaryforanorganizationtoreachreasonable confidence thatitisengagedinanormal,legitimate
businesstransactionvarieswithcorruptionrisk.The level of corruptionriskdetermineshow much scrutinyisrequiredtobe
able to defendbefore ajudge ora prosecutorthatthe organizationisconfidentitisdealingwithabonafide thirdparty. The
higherthe risk,the broaderand deeperthe third-partydue diligence shouldbe.
Due Diligence
Parameters
Media
Profiling
Watchlist
Database
Politically
Exposed
Persons
Company
Registry
Site Visits
Reference
Checking
Litigation
Records
Character
Testing
8.
9. Risk-basedDue DiligenceProcessMap
1. Scope of Third PartiesUnderstandingthe universeof thirdpartiesandwhichonesshouldbe subjecttodue diligence .
2. Third-PartyRiskAssessmentAssessingthe levelof corruptionriskassociatedwithindividual thirdparties.
3. Due Diligence Conductingrisk-basedanti-corruptiondue diligence.
4. Approval ProcessandPost-Approval RiskMitigationManagingthe approval processandmitigatingidentifiedrisks.
5. Managing ExistingThird-partyRelationships.
1. Scope of Third Parties.
(a) Defining Third Parties
It isimportantthat third-partydue diligenceencompassthirdpartiescontractedinbothsalesandsupplychannels.
While experience showsthatsalesintermediaries(suchasagentsor distributors) maybe more frequentlyabused
than suppliersinordertorelaycorruptpayments,supplierscanlikewise be usedcorruptly.
(b) Initial Screening of Third Parties
To performan initial screeningtodetermine “inscope”thirdparties,organizationsmaystartbyaskingthemselves
the followingquestions:
- Is the thirdparty inan industryor geographiclocationperceivedtohave highercorruptionrisks?
- Will the thirdparty performservicesonbehalf of the organization,orbe authorizedtorepresentthe
organizationvis-à-visotherthirdparties?
- Is itreasonable toexpectthatthe thirdparty will come intocontactwithgovernmentofficialswhen
representingthe organization?
- Will the thirdparty be ina positiontoinfluence decisionsorthe conductof other thirdpartiesforthe benefitof
the organization?
A positive answertoany of these questionsmayleadorganizationstoconsiderthe thirdpartyunderreviewasan
“in scope”thirdparty.In practice,agents,advisersandotherintermediaries,aswell asjoint-venture and
Scope of Third
Parties
Third Party Risk
Assessment
Due Diligence
Approval & Post-
Approval Risk
Mitigation
Managing
ExistingThird-
Party
Relationships
10. consortiumpartners,will likelybe considered“inscope”thirdparties.Contractors,suppliersanda range of other
businesspartnersmayalsofall inthiscategoryif theyare to performservicesonbehalf of the organization.
2. Third-Party Risk Assessment
Once an organization has identifiedwhichofits third parties
are “inscope” for risk-baseddue diligence,the nextstep is
to define the riskand findthe appropriate level of
due diligence foreach entity.The appropriate amount of
due diligence shouldbe guided by the resultsof a risk
assessmentprocess.The ideaistoassessthirdpartiesas
high-,medium- orlow-riskthirdparties.Suchriskassessmentcanbe made foreach individual thirdpartyorfor
groupsof thirdparties.The level of riskwill ultimatelydetermine the amountof due diligencethatneedstobe
performed,withhigh-riskthirdpartiessubjecttoa more detaileddue diligence process.
(a) Key Risk Indicators
(i) Geographiclocation
High-risk factors:
The geographiclocationwhere the thirdpartyresidesand/oroperates(asperthe contract) is:
- A countryperceivedtobe a high-riskcountryforcorruption(see forexampleTransparency
International’s CorruptionPerceptionsIndex1)
- A jurisdictionknowntohave highlevelsof banksecrecyandpresentingahighriskfor facilitatingillicit
financial flows(see forexample the Tax Justice Network’sFinancial SecrecyIndex2)
– A jurisdictionthatencouragesorrequiresorganizationstohire local agentstotransactbusinessforthe
government.
(ii) Industry
High-riskFactors
- The industrywithwhichthe thirdpartyconducts businesstransactionsisperceivedtopresentahigh
riskfor corruption(see forexampleTransparencyInternational’sBribe PayersIndex3).
- - The thirdparty belongstoan industrywithahistoryof anti-corruptionenforcementscrutiny.
(iii) Background and identityof the third party
High-RiskFactors
- Initial Internetsearchesanduse of newsserviceshave revealedglaringproblemsrelatedtothe third
party’sreputationforintegrity.
- The third party,or any of its seniorofficials,haspreviouslybeensubjecttoregulatoryactionorlegal
proceedingsasa resultof allegedbreachesof anti-corruptionlaws.
11. - The third party,or any of its seniorofficials,appearsonadeniedparties/personslistinconsequence
of national orinternationalsanctionsorasa resultof pastmisconduct.
- The third partyhas little orno experience inthe relevantindustrysectorand/orisunknowntothe
organization.
(iv) Connectionwith governmentofficialsorentities (PEPS–PoliticallyExposedPersons).
High Risk Factors
- The third party,inthe course of doingworkfor your organization,will have frequentinteractionwith
governmentofficials(includingcustomsofficials),governmentalagenciesorgovernment-controlled
entities.
- The third partyis whollyorpartly(directlyorindirectly) ownedbyagovernmentofficial/entityorhas
director indirectlinkswithgovernmentofficials/entities.
- The third partyhas previouslyworkedforgovernment,oriscloselyconnectedwith the political elite.
(v) Compensationstructure ofthe proposedarrangement
High-RiskFactors
- The third party’scompensationistobe basedonperformance (i.e.successfees,bonusfeesandother
contingencyfees).
- The third partyrequirespaymentby unusual means(e.g.deviatingfromstandardpractice,tomultiple
accounts,withupfrontpayments,splitintosmallamounts,incashor similar,inacountryor currency
that isdifferentfromthatof the thirdparty’sdomicile orthe countrywhere the workwill be
performed).
- The third party’scompensationistotake the formof a political orcharitable contribution.
(vi) Selectionofthe third party
High-RiskFactors
- The third partywas recommendedbyacustomer.
- The retentionof thisspecificthirdpartywasencouragedorrequiredbya governmentofficial.
(vii) Additional factors relatedto the scope of the servicesto be rendered
High-riskFactors
- The third party’srole isto enhance the organization’schancesof winningcommercial and/or
governmentcontracts.
- The third partyrequestsdiscretionaryauthoritytohandle local mattersalone.
12. (b) The Risk Assessment Process
For eachof the riskindicatorsdetailedabove,anorganizationshouldevaluate whetherthe thirdpartyandthe
businessrelationshipunderreviewpresentahigh,medium, orlow corruptionrisk.These indicatorsor“redflags”
shouldthenbe reviewedtogethersothatjudgmentcanbe appliedonthe basisof an overall riskevaluation(high,
mediumorlow),whichwill triggerthe levelof due diligencetobe applied.
Managementandemployee interviewsare avaluable tool tohelpassessandsubstantiate riskevaluationswhen
conductingthirdpartyrisk assessment.Keyquestionstoconsiderwheninterviewingbusinessmanagersand
employersinclude:
- What are third-partycontractorsusedfor?
- - Whenare theyneeded,andwhencanthe companydo without?
- - What is a relevantthirdparty’snormal expertise?
- - Where and howdo these thirdpartiesnormallyoperate,andwhatare theirnormal deliverables?
- - What istheirnormal compensationscheme?
- - What documentationisnormallykeptwithinthe companyonthird-partytransactions?
- - What part of the relevantbusinessdivision’srevenue dependsonsalesintermediaries?
- - Howoftenare thirdpartiesusuallychanged?
- - What is the usual selectionprocessforthirdparties?
- - Whichthirdpartiesare involvedingovernmentalcontractsandfor whatpurpose?
Managementandemployee interviewscanalsohelpgettothe detailsof specificcorruptionrisksorcontrol
weaknessesinabusinessunitbyaskingquestionssuchas:
- Do youuse non-standardthird-partyagreements?
- Do youpay rates exceedingthe normal fee level?
- Have you usedthirdpartieswithonlypost-office boxesinoffshorejurisdictionsandnophysical
offices?
- Have you usedthirdpartieswhere nobodyeversaw theirrepresentative inperson?
- Is itpossible foranyone totweakmattersinthe course of third-partytransactions(e.g.byinflating
invoices,fabricatingagreements,manipulatingthe selectionprocessetc.) inordertoabuse third
partiestocovertlysiphonoff moneyfromthe companywhich subsequentlymaybe usedtocorrupt
others?
- What are some of the suboptimal ormissingcontrolswhichcouldfacilitate suchtweaks?
13. 3. Due Diligence
Once an organizationhasdecidedwhichthirdpartiesare
“in scope”for due diligence,andwhatlevelof riskthe
third-partybusinessrelationshipposes,the mainprocessof
due diligence begins.The three keyelementstoconducta thorough third-partydue diligence are:
(a) Data collection.
(b) Verificationandvalidationof data.
(c) Evaluationof results,includingidentificationof redflags.
(a) Data Collection:
Data collectiontosupportthird-partydue diligence cangenerallybe accomplishedthroughthe followingtools:
1. Internet,database andmediasearches,includingdenied partieslistsandpoliticallyexposedpersons(PEP)
screening,toobtaininformationaboutthe thirdparty’sintegrityprofileandtoidentifyflagrantproblems
whichmay be of publicknowledge.
2. Aninternal questionnaire,tobe completedbythe businessunitlookingtohire the thirdparty.
3. An external questionnaire,tobe completedbythe candidate thirdparty.
The basic objective of the datacollectionprocessistoassembleanddocumentrelevantinformationaboutthe
structure,ownershipandoperationsof the thirdparty,itsreputationforandcommitmenttointegrity,andits
suitabilityforthe type of businessrelationshipbeingconsidered.
The following5KeyFocus Areasmay be coveredaspart of the data collectionprocessforhigh-riskthirdparties:
(a) Organization and Affiliations
focusareas fordata collectionrelatedtothe thirdparty’sorganizationanditsaffiliationsmayinclude:
- Contact information.
- Ownershipstructure.
- Financial situation.
- Whetherthe thirdparty, or any keyemployee orseniormanagementmember,isrelatedinanywayto a
public official.
- Whetherany shareholderorpartnerof the thirdparty isownedinwhole orinpart by a public official ora
personrelatedinanyway toa publicofficial.
- Whetherpublicofficialsoramemberof a publicofficial’sfamilyhave anyinterestorstandto benefitinany
wayas a resultof the proposedagreement.
14. Compliance Health Check
The aimof conductinga compliance healthcheckistoverifythe
existence,withinthe thirdparty’sinternalorganization,of:
- A code of conduct.
- Internal anti-corruptionpolicies(forexample,awhistleblowerpolicy).
- A compliance function.
- Internal compliance trainings.
- Internal auditsinwhichcompliance featuresasa topic.
(b) Necessityand ProperRetentionof Third Parties
Keyquestionstoaskrelatedtothe necessityforandselectionof the thirdpartymay include:
- Why isthe proposedrelationshipnecessary?
- Why wasthisthirdparty chosen?
- What otherpartieswere consideredascandidates?
- Doesthe third partyplanto use any otherentitiesorindividuals,includingsubsidiaries,affiliates,
partnershipsorjointventures,toperformservicesunderthe proposedagreement?
- Doesthe organizationhave previousorcurrentrelationshipswiththe thirdparty?Isita knownentity?
(c ) Expertise
A keyquestiontoaskrelatingtothe expertise of the thirdpartyis:
- Doesthe third party,or itskeyemployees,possessthe necessaryprofessional degrees,experience,
regulatorylicensesandcertificatestoperformservicesunderthe proposedagreement
(d)Compensation,FeesandMethodof Payment
The feespaidtothe thirdparty shouldbe reasonablycommensurate withthe servicesperformedorgoods
delivered.Thiswillbe the case if the fee complieswithnormal marketpricesorother(e.g.internal)
benchmarks. Some keyquestionstoaskisthe following:
- Doesthe compensationexpectedbythe thirdpartyvarysignificantlyfromwhatisdictatedbylocal
marketpricesor internal benchmarksforsimilarservices?
- Has the third party,or any keyemployeeorseniormanagementmemberof the thirdparty,made
commentstothe effectthatanyparticularpayment,contributionorotheractivityisneededto“get
the business”or“make necessaryarrangements”?
15. - Has anyone,includingthe thirdparty,requestedthatanypaymentbe made outto “cash” or “bearer”,
or that paymentsbe made insome othersimilar form?
(e ) Integrity
Some keyfactorsto consideristhe following:
(i) Legal Proceedings
- Has the thirdparty, or any keyemployee orseniormanagementmemberof the thirdparty,ever
beenconvictedof afelony,misdemeanouroranyothercrime?
- Has the thirdparty made any settlementsoutof courtfor matters relatedtocorruption,
facilitationpaymentsorfraud?
- Is there negative presscoverage orfindingsinpubliclyaccessible registersorfilingsindicating
any regulatoryorlegal proceedingsof thisnature pendingagainstthe third-partyorganization
or any of itskeyemployeesorseniormanagement?
- Doesthe thirdparty, or any of itskeyemployeesorseniormanagement,appearona denied-
parties or -personslist?
(ii) References
- What isthe general reputationof the thirdpartyaccordingto its business/bankreferencesand
the opinionof otherpartiesinterviewed?
(b) Evaluation of Results,includingIdentificationofRedFlags
Once data has been properlyverifiedandvalidated,acertaindegree of judgmentwillbe necessarytodetermine
whetherornot to move forwardwiththe proposedthird-partybusinessrelationship.Tohelpreachsucha
judgment,the informationcollectedshouldbe testedagainsta“redflag”checklist.Redflagsreferto
circumstancessuggestingastrongcorruptionriskthatshouldbe properlyidentifiedandmitigatedthrough
adequate safeguards.
NB. The identificationofared flagdoes notmean that an organizationcannotgoahead withthe third-party
businessrelationship.
However,noredflagshouldbe leftunaddressedorunresolved,andorganizationsshouldimplementmitigating
measuresthatreflectthe levelof seriousnessof the redflag(s) identified.
16. Examplesof redflags:
- The third partyappearsto lack sufficientcapabilityorstaff qualificationstoprovide the servicesor
goodsfor whichitis beingengaged.
- The third partywants to workwithoutacontract (orwitha vague contract).
- The third partyis hesitanttomake anti-corruptioncompliance certificationsinanagreement.
- The third partyhas familyorbusinesstieswithgovernmentofficials.
- The total amountto be paidfor goodsand servicesappearstobe unreasonablyhighorabove the
customaryor arms-lengthamount.
- Unusual upfrontor excessive paymentshave beenrequestedbythe thirdparty. - Indirectorunusual
paymentor billingproceduresare beingrequested.
4. Approval Process andPost-Approval Risk Mitigation
Once a companyisconfidentithassufficientlyrobustinformationaboutthe proposedthirdpartyandthe specificsof
the businessrelationship,itshouldbe ina positiontodecide whetherornot to go ahead withthe proposed
transaction. Whateverthe decision,the organization shouldclearlydocument its due diligence effortsandexplain
the rationale for its decision. Itshouldalsoidentifyandimplementthe necessarymitigatingmeasurestoaddressany
risksexposedduringthe due diligence process.
(a) Approval Process
Once the risk assessmentanddue diligence processesare complete,the organizationshouldapplyaclearsystem
of approval fordeterminingwhetherornotto move forwardwiththe thirdparty:
- For low-riskthirdparties,itisappropriate forthe managementof the businessunittobe responsible
for approvingthe businessrelationship.
- For medium- tohigh-riskthirdparties,there shouldbe aminimumof twobusinessunitsinvolvedin
the approval process:
17. - the managementof the business unit,and - anotherlevelof managementwhichhasnothingtogain
fromthe selectionof the thirdparty(e.g.the compliance orlegal department).
All documentationrelatingtothe riskassessmentanddue diligence processes,andtothe evaluationof redflags
andshouldbe signedbythe partiesresponsible andretainedbythe organization.
5. Managing Existing Third-party Relationships
Organizationsshouldtake appropriate measurestoensure thattheircurrent third-partyrelationshipsdonotpose
significantcorruptionrisks.Todothis,organizationsmaystartby performingageneral portfolioreviewof their
existingthirdparties,usingalistof keyriskfactorsto identifythose whomaybe high-risk,anddevelopappropriate
mitigatingplansinthe contextof existingcontractual agreements.
External
Due Diligence
Services
Company
Experience
Existing
Contracts
Certifications
&
Training
Past Issues
Allegationsof
Corporate
Malfeasance
18.
19. PART II. ESTABLISH EFFECTIVE WHISTLEBLOWER PROCEDURES
Introduction
An importantaspectof accountabilityandtransparencyisamechanismtoenable all
individualstovoice concernsinternallyinaresponsible andeffective mannerwhentheydiscoverinformationwhich
they believe showsseriousmalpractice. Aneffective whistleblowerprogramshouldprovideamethodof properly
addressing bonafide concernsthatindividualswithinthe firmmighthave,whilealsoofferingwhistleblowersprotection
from victimization,harassment ordisciplinaryproceedings.
However,itisunfortunatelyafactthat eveninthe presentdayhyper-speed
informationenvironmentmanycompaniesandorganization generallystill
adoptand applyan “see no evil,hearnoevil andspeak noevil”approachto
whistleblowing.The mediaare aboundwithexamplesof organizationsand
theircorporate leadershiphaving ignoredthe importanceof havingan
effective internal whistleblowingprogram.The age-oldcorporate “excuse”
that informationwasleakedbya“disgruntledemployee”isfindinglesserandlessersympathyfrominvestors,
shareholders andlawenforcementagenciesandregulatorsalike.Thisisevenmore sowhere there isevidence thatan
organizationorany of its“actors” retaliatedagainstandvictimizedthe whistleblower.
WHAT ARE THE OBJECTIVES OF AN INTERNAL WHISTLEBLOWER PROGRAM ?
The mainobjectivesof aninternal whistleblowingprogramare -
to encourage employeestobringethical and legal violationsthey are aware of to an internal authority so that
action can be taken immediatelytoresolve the problem,
to minimize the organization'sexposure to the damage that can occur when employeescircumventinternal
mechanisms,
to let employeesknowthe organization isseriousabout adherence to codesof conduct.
20. WHAT ARE THE BARRIES TO AN EFFECTIVE INTERNAL WHISTLEBLOWER PROGRAM ?
The barriersto a successful internal whistleblowingprogramare -
A lack oftrust in the internal system
Unwillingnessofemployeestobe "snitches"
Misguidedunionsolidarity
Beliefthat managementis not heldto the same standard
Fear of retaliation
Fear of alienationfrompeers
Althoughcompaniesshouldseektoremove these barriers,itisalsoimportanttoacknowledgethatsome whistleblowers
have less-than-honorable motives.Whatif the whistleblowerisretaliatingagainstasupervisorwithfalseaccusations?
What if the whistleblowerisbringinggenuine problemstothe fore butisalsoa subparemployee?Inthatcase,doesthe
whistleblowergetafree passjustbecause he or she exposedanissue?Whatshouldbe done whenitbecomesclearthat
encouragingemployeestobypassthe properchannelsisunderminingmanagementdecisionmaking?
What if whistleblowersparticipatedinthe veryactionstheyare now exposing,perhapsasameansof escaping the
consequencesof theirparticipation?
What if there isreasonto suspecta whistlebloweristargetingaspecificemployee because of hisorherrace, gender,or
ethnicity?
These are justa fewof the issuestobe consideredincreatingawhistleblowingculture.
21. QUESTIONNAIRE
1. Does your company/organization have an existingwhistleblowerprogram ?
______________________________________________________________________________
2. Do your company’s existingwhistleblowerprogramprovide for multiple meansof communicating concerns?
________________________________________________________________________________________
3. How effective isyour company at communicatingits whistleblowerpoliciesandproceduresto employees?
_________________________________________________________________________________________
_________________________________________________________________________________________
_________________________________________________________________________________________
4. As an employee howmuch confidence do you have in your company’s internal whistleblowerprogram?
__________________________________________________________________________________________
5. Are you fearful of employerretaliationand victimizationforreporting concerns via the company’s whistleblower
processes?
___________________________________________________________________________________________
6. Has your company identifiedall potential stakeholders(users,the accusedand others) inthe whistleblower
process?
___________________________________________________________________________________________
7. Are the needsof stakeholdersinthe whistleblowerprocesssufficientlyunderstoodbythe company?
___________________________________________________________________________________________
8. Does the audit and/or ethics& compliance committee have guidelinesforaddressingcompetingstakeholderneeds
for informationonce a complaint has occurred?
____________________________________________________________________________________________
9. Does the company screenclaimsto determine thatthey have meritand relevance forthe audit committee?
_____________________________________________________________________________________________
10. What assurances do directorsand managementhave that complaints are appropriatelyreportedto themin a timely
manner?
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
22. HOW THAN DOES AN ORGANIZATION ESTABLSH AN EFFECTIVE INTERNAL WHISTLEBLOWER PROGRAM ?
STEPS FOR ESTABLISHING AN EFFECTIVE INTERNAL WHISTLEBLOWING CULTURE
A. Create Policy
A policyaboutreportingillegal orunethical practicesshouldinclude
Formal mechanismsforreportingviolations,such ashotlinesandmailboxes
Clearcommunicationsaboutthe processof voicingconcerns,suchasa specificchainof command,or the
identificationof aspecificpersoninthe organization,suchasan ombudsmanora humanresourcesprofessional
Clearcommunicationsaboutbansonretaliation
In addition,aclearconnectionshouldexistbetweenanorganization'scode of ethicsandperformance measures.For
example,inthe performance review process,employeescanbe heldaccountable notonlyformeeting theirgoalsand
objectivesbutalsofordoingsoinaccordance withthe statedvaluesorbusinessstandardsof the company.
B. Obtain Top ManagementEndorsement
Top management,startingwiththe CEO,shoulddemonstrate astrongcommitmenttoencouraging whistleblowing.
Thismessage mustbe communicatedbyline managersatall levels,whoare trainedcontinuouslyincreatingan
open-doorpolicyregardingemployee complaints.
C. Publicize the Organization’sCommitmentto the Internal WhistleblowerProgram.
To create a culture of opennessandhonesty,itisimportantthat
employeeshearaboutthe policyregularly.Topmanagementshould
make everyefforttotalkaboutthe commitmenttoethical behaviorin
memos,newsletters,andspeechestocompanypersonnel.
Publiclyacknowledgingandrewardingemployeeswhopinpoint
ethical issuesisone waytosendthe message thatmanagementis
seriousaboutaddressingissuesbefore theybecomeendemic.
Create Policy
Obtain Top
Management
Endorsement
Publicize
Organization's
Commitment
Investigate
Compliants &
Folow up
Continued
Assessment of
Internal
Whistleblower
Program
23. D. Investigate Complaints& FollowUp
Managers shouldbe requiredtoinvestigateall allegationspromptlyandthoroughly,andreportthe originsandthe
resultsof the investigationtoahigherauthority.Inactionisthe bestwayto create cynicismaboutthe seriousness
of an organization'sethicspolicy.
E. ContinuousAssessmentofOrganization’sInternal WhistleblowerProgram
Findout employees'opinionsaboutthe organization'sculture vis-à-visitscommitmenttoethicsandvalues.For
example,Searsconductsanannual employee surveyrelatedtoethics.Some questionsare:Doyou believe
unethical issuesare toleratedhere?Doyouknow how to reportan ethical issue?
NB. Internal WhistleblowerProceduresmust“facilitate disclosures,encourage properindividual conductandalert the
Audit Committee / Ethics & Compliance Committee to potential problemsbefore theyhave seriousconsequences.
WHAT ARE THE HALLMARKS OF EFFECTIVE WHISTLEBLOWER PROCEDURES ?
1. WhistleblowerComplaintHandlingRequirements
Requirement Definition
Facilitate disclosures Discover,ina timelymanner,evidence of activitiesthat
may threatenorimpede compliance withlaws,rules,
regulationsandstandardsrelatedtofinancial
statementsandassociateddisclosures,regulatoryfilings
and otherpublicdisclosures.
Encourage properindividualconduct Provide aprocessthat, whenimplementedandproperly
maintained,will assistineffortstoreinforce pre-defined
and acceptable ethical behaviorsrelatedtoaccounting,
internal accountingcontrolsorauditingmattersor,
alternatively,will prevent,ordetectandcorrect,
unacceptable conduct.
Alertthe auditcommittee,orothergoverningbody,to
potential problemsbefore theyhave serious
consequences
Establishan“earlywarningsystem”tobringaccounting,
internal accountingcontrol andauditingmatterstothe
attentionof the auditcommittee intime toprevent,or
detectandcorrect, possible problemsbefore theycause
seriousharmor damage.
24. 2. Identifying& UnderstandingStakeholdersandtheir needs.
A critical firststepto establishingandeffective internal whistlebowerprogramisidentifyingstakeholdersand
understandingtheirdisparate needs.There are three primarysets
of stakeholdersinthe whistleblowerprocess.
1. Users: individualswhofile whistleblowercomplaints,
2. The accused: individuals,groups(e.g.,departments) thatare
the focusof the complaint,and
3. Otherinterestedparties:stakeholderswithavestedinterest
inthe assertedclaim,investigationand/oroutcome.
Stakeholdersin the whistleblowercomplaint-handlingprocess
STAKEHOLDER INTERNAL EXTERNAL
Users (whistleblowers) Employees
Management
Directors/Officers
Customers
Vendors/Suppliers
Investors
Accusedparties Employees
Management
Directors/Officers
Customers
Vendors/Suppliers
Investors or Brokers
Otherinterestedparties General legal counsel
Internal Audit
Riskmanagement
InformationTechnology
Human Resources
Publicandinvestorrelations
Outside legal counsel
Bankers
Insurance companies
Government/regulators
Ratingagencies
Shareholders
External auditors
Creditors
Debtors
25. (a) Internal StakeholderComplaints
Internallygeneratedwhistleblowerclaims maybe submittedinwritingorprovidedorally.Ingeneral,internal sources
will wantthe followingfromtheircompany’sinternalwhistleblowerproceduresandprocesses:
(i) Choice of reportingvenues:
(ii) Confidentialityandanonymity:
(iii) Ease of use:
(iv) Informationonprogressof complaint:
(b) External Users
External usersare whistleblowersoutsidethe organization,suchasvendors,customersandsuppliers.While itisnot
mandatoryfor claimsfromexternal sourcestobe keptanonymous,externalsourceshave the same needasinsiders
do forready accessto an appropriate venue tolodge complaints.Thismeansthatthe auditcommittee shouldhave
establishedpoliciestoreceive suchcomplaintsandthatcompany representativesmustbe trainedand
knowledgeable aboutthe procedurestoaccept,reportand processan outsider’scomplaint.
(c ) The Accused
Partieswhobecome targetsof a whistleblowerclaimalsoneedtobe considered.Confidentialityisespecially
importantbecause anindividual accusedof wrongdoingmustbe affordeddue processandprotectionfrom
unmeritedpersonal andprofessional harm.Unlesssuchsituationsare handledverycarefully,individualswhohave
beenwrongly accusedcanexperience seriousdamage totheirreputation,possiblyjeopardizingtheirlivelihood.
The organization therefore needstodevelopasetof policiesforhandlingthe special needsof the accused.
(d ) Other InterestedParties
Onthe otherside of the table fromthe accusedare stakeholderswhowill be impactedbythe investigation.Their
needsare generallyquite simple:theywantasmuchinformationaspossible.Insidethe company,management,
employees,the auditcommitteeandotherdirectorswill have aneedforinformation.Inmostcases,general
counsel, internal auditpersonnel,riskmanagementprofessionals,informationtechnologistsandhumanresources
personnel will be askedtoassistthe auditcommitteebygatheringintelligencethroughresearchandinterviews.
Investor, marketingandpublicrelationsspecialists,whowillhave responsibilityforproperlyinformingcompany
26. personnel and the publicaboutthe matter,alsohave a stake. Outside the company,otherswill be atriskandhave a
pressingneed forinformationandaccesstoinsiders.Thisiswhymanycompaniesstruggle withdisclosure issues
afterwhistleblowercomplaintshave beenfiled.Shareholderswanttobe assuredtheirinvestmentissafe,bankers
may wantto reassess lendingrisk,insurerswillwanttodetermine if the claimiscovered,andratingagenciesmust
measure the effecton creditworthiness.
The external auditorwill wanttoknow if the companyhas assessedthe impactonthe financial statements.Also,
anxiousregulatorsandclassactionlawyerswill be quicktorespond.Tocomplicate matters,asthe
complaintmovesthroughthe system,the nature of these stakeholdersmaychange.
HANDLING WHISTLEBLOWER COMPLAINTS – WHAT ARE THE MOST EFFECTIVE WAY ?
One of the surestwaysfor an organizationtodraw unwantedmediaandregulatory
attentiontoitself istoignore internal complaintsaboutpossiblewrongdoing.
Adoptinga“ a “head-in-the-sand”approachhadproventobe far more damagingtoan
organization than facingand dealingwithwhistleblowercomplaintshead-on.The mediaisalways
on the lookout forthe nextcorporate scandal and ignoringcomplaintsraisedthrough
internal reportingstructures,includingthe internalwhistleblowerprogramissurelya
wayto cause oftenincalculable damage toorganizational reputation.
Similarlywill retaliationandvictimizationof whistleblowersbymanagersand
Executivesonlyresultinevengreaterriskof enforcementandregulatory
actionand mediahype thanwhatwouldotherwise have beenthe case.
Giventhese clearrisks,whatare than the mosteffective waysindealingwith
internal whistleblowercomplaints?The Internal WhistleblowerComplaints
ManagementProcessbasicallyinvolvesthe followingsix (steps).
27. The Internal Whistleblower Complaints Management Process
An effective WhisteblowerComplaintsManagementProcessthusconsistsof six basicsteps:
• Receive the complaint;
• Analyze the complaint;
• Investigate the complaint;
• Resolve the complaint;
• Reportthe resolutionof the complaint;and
• Retainthe necessarydocumentation.
Step 1. Receive
The act of receivingacomplaintmightappearsimple andintuitivebut,infact,itrequiresconsiderableplanningto
ensure thatitis structuredappropriately.Specifically,itneedstoaddressthe:
• methodfordocumenting andhousing claims,includingappropriate trainingforthose responsible forclaimintake
• processfor screeningclaimsand determiningif theyneedtobe passedonto the auditcommittee.
(a) Acceptingincomingcomplaints
Each whistleblowerclaim,whetheroral or written,shouldbe loggedinandassignedaunique claimnumberfor
trackingand control purposes. A ClaimsLogis usedtocapture basicinformationinastandardformat as soonas it
isreceived.Italsoservesasa control at the endof the processto ensure all reportedclaimsare handled.
A ClaimsLogwill include the followinginformation:
• Claimnumber
• Date of claim
• Basicclaiminformationsuchas: – Source of complaint(i.e.,internal,suchasanemployee,vs.external,suchas
a customer) – Suspectedparty,grouporcompany
• Outside source contactinformation(note:internal sourcesmustbe keptconfidential andanonymousatthis
point)
• ActionbasedonrecommendationfromClaimsScreeningCommittee (seenextsection)7: – Dismissed(as
irrelevantorunmerited) –Referredtothe auditcommittee –Referredtoanotherresponsibleparty
(suchas HR for a personnel issue orcustomerservice foraclientservice matter).
Whistleblower
Complaint
Receipt of
Complaint
Analyse Investigate Resolve Report Retain
28. (b) Screeningcomplaints
Anyclaimthat has the potential tomateriallyimpactthe organizationshouldbe referredtoa ClaimsScreening
Committee.Membersof thisgroup are appointedandoverseenbythe Auditand/orEthics and Compliance
Committee andmay include:
• Auditcommittee memberorappropriate designee;
• Legal counsel (eitherinternal orexternal);
• Internal audit(IA;)
• Humanresources(HR) and/or
• Internal riskmanagement
One of the biggestchallengesinscreeningcomplaintsisdeterminingwhetherornotto pursue a specificmatter
basedon the available facts.Frivolouscomplaintsmaybe common,anddisgruntledemployeesmaysimplywant
a vehicle forventingtheirfrustrations.Moreover,complaintsmaynotbe indicativeof fraudulentactivity,ormay
be unrelatedtoaccountingandauditingmatters.Hence,aprimarypurpose of the ClaimsScreeningCommitteeis
to examine eachwhistleblowerclaimanddetermine whetherithas:
• Merit(i.e.,itiscredible,validandnotfrivolousorunsubstantiated),inwhichcase itwill be referredtothe
appropriate governingbodyforfurtheranalysisandinvestigation.Anyclaimthathasmeritmustbe
referredforinvestigation.
• Relevance toaccounting,internal accountingcontrols,auditingand/orcompliance matters,inwhichcase itwill
be referredtothe relevantcommittee orsub-committeeforfurtheranalysisandinvestigation.
(c ) Documenting complaints
For anycomplaintthatis consideredtohave merit,aseparate ClaimsReportshouldbe preparedindependently
fromthe Claims Log. A segregationof dutiesbetweenthe preparersof the ClaimsLogandthe ClaimsReportwill
add anotherlayerof internal control overclaimshandling.
A ClaimsReportincludesdetailsof the complaintincluding,butnotlimitedto:
• Type of violation(i.e.,legal,accounting,ethical,employment)
• Descriptionof claim
• Identificationof parties/departmentsinvolved
• Internal reportinghierarchy(e.g.,managers,supervisors)
29. • Identificationof otherswhomighthave knowledgeaboutthe claim
• Whistleblowerauthorizationfordisclosure (i.e.,waiverof anonymity)
• Claimstatus(whichwill change asthe claimmovesthroughthe handlingprocess,e.g., PendingAction,No
Action,UnderInvestigation,Withdrawn,Resolved,Dismissed)
• Commentsectionsforstatusupdatesasthe claimmovesthroughthe process
Step 2. Analyze
Aftera whistleblowercomplainthasbeenreferredtoitby
the ClaimsScreeningCommittee,assistedbylegal
counsel,compliance andinternalauditshouldthenperforma
more in-depthanalysistodeterminethe bestcourse of
action.An ideal waytomake this assessmentistoemployastandardforclassifyingcomplaints.The primary
objective inclassifyingcomplaintsistodetermine whichadvisorswill be requiredduringthe investigationphase.
Consistentlyclassifyingwhistleblowercomplaintsalsospeedsupandimprovesdecisionmaking.
Whistleblowercomplaintscanbe dividedintoclassesbasedontwobroadsetsof factors,namely:
(a) Sensitivity:those factorsthat,if disclosed,maycause significantharmtothe company.Theymightinclude the
allegedinvolvementof seniorofficersordirectors,potentialviolationsof lawsandassertedbreachesof fiduciary
duties,amongothers.
(b) Materiality:those factorsthathave the potential tosignificantlyimpactfinancial statements,regulatoryfilings,
restrictive covenantsorincentive compensation,toname a few.
Step 3. Investigate
How a whistleblowercomplaintisinvestigatedis
directlydependentonhowitisclassifiedduring
the analysis phase.Specifically,the attributesof the complaint
will determinewhich groupswithinandoutside the organizationmayneedtobe involvedinthe investigation.
30. (i) Appointingthe investigationteam
Dependingonthe nature of the whistleblower’scomplaintthe AuditCommitteeand/orthe Ethicsand
Compliance Committeeisresponsible forinvestigatingthe claimsreferredtoit,butitwill wanttobring
othersinas advisors,whenappropriate.If acomplaintisfoundtobe neithersensitive normaterial tothe
financial statements,the investigationcanbe assignedbythe auditcommittee to
uninvolved/disinterestedmanagementpersonnel andemployeesof the organization.
Groups whichmaybe involvedinthe investigationphase of awhistleblowercomplaintare:
NS/NM NS/M S/NM S/M
Management * *
Human Resources
Internal Audit * *
Ethics& Compliance
Legal (internal orexternal) * *
InvestorandPublicRelations
RiskManagement *
InformationTechnology
External Auditor8
NS = Not Sensitive :NM= Not Material : S= Sensitive:M= Material
Recommended
* InvolvedbasedonAudit/Ethics& Compliance Recommendation
(ii) Conductingthe investigation
The investigationshouldconsistof all necessaryproceduresand
actionsto provide forthe discovery, locationandprocurementof
sufficientfactstoreachaccurate conclusions.Thiswill often
require the use of specializedskillstolocate,analyzeandpreserve
evidence.Inaddition,counterclaimsbysuspectsare expected,and
the companyshouldprepare forthis.Throughoutthisphase,the investigationteamwill needto
determine whoshouldreceive sensitiveinformationasitbecomesavailable.The whistleblowerwillwant
to knowwhathappenedtothe complaint.The individualsimplicatedwillneedinformationtodefend
themselves.
31. Otherswill alsohave avestedinterest.Forexample,inanyinvestigationof amaterial whistleblower
complaintrelatedtofinancial reporting,the external auditorswill needtobe involvedandrequire
information;however,theycannotbe partof the actual investigationteamforreasonsof independence.
Accordingly,theymay“shadow”the investigation.Inanothercase,if aninvestigationissensitive innature
and there isa potential for“leaks,”itmaybe necessarytoinvolve the internalpublicrelationsteamoran
outside agencysothat an appropriate communicationsplancanbe implemented.Ingeneral,itis
advisable forlegal counseltodirectthe companyas towho needstoreceive whatinformation, andwhen
it shouldbe released.
Step 4. Resolve
The resolutionof acomplaintmayonlyimpacta verynarrow portionof the company,as inthe case of the
handlingof a single invoice oranexpense report.Onthe otherhand,acorrective action— forexample,the
terminationof aseniorexecutive officerforindiscretionsorthe restatementof previouslyissuedfinancial
statements— couldbe pervasive andfar-reaching.Accordingly,the resolution of complaintsrequiresthe
diligentandfocusedeffortsof the auditcommittee andthe partiesdesignatedbyitto assistincompleting
corrective actions.
(a) Issuinga Corrective Action Plan
A Corrective ActionPlanisasetof anticipatedprocedurestobe performedandactionstobe followedto
addressandresolve awhistleblowercomplaint.The CorrectiveActionPlanshouldbe formallyapprovedand
adoptedbythe auditcommittee.Before finalizingit,the AuditCommitteean/orThe Ethics& Compliance
Committee will normallyconsultwithmanagementandexternaladvisorstoadequatelyconsidercompany
resource requirementsandcosts,aswell asto addresspractical limitations.
(b) Implementingthe Corrective ActionPlan
The Auditand/orEthics & Compliance Committeeshouldmonitorthe implementationof the Corrective
ActionPlanuntil the matterisclosed.Anymaterial changestothe planshouldbe reviewedandapprovedby
the auditcommittee.Insome cases,the Corrective ActionPlanwill call forstepstobe takenbefore an
investigationiscomplete.Progressinthe Corrective ActionPlanshouldbe documentedinthe comments
sectionof the ClaimsReport.
32. Step 5. Report.
Everyaction takenregardinga whistleblowercomplaintwillgeneratecuriosityandbe closelymonitoredby
interestedparties.Whistleblowerswillexpecttimelyreportsonthe statusof theirclaims.Innocentsuspectsof
wrongdoingwanttheirabsolutiontobe communicatedpromptly.Guiltypartiesneedtobe dealtwithswiftlyand
decisively.The company’sresponsivenesssignalsthatittakesthese complaintsseriouslyandispreparedtodeal
withthemappropriately.Therefore,itisimportanttohave well-definedcommunicationandreportingprotocols
inplace. These protocolsmustrespectprivacyandconfidentialitybutstill provide areasonable level of
informationtopartiesinside,aswell asoutside,the organization.
To provide the auditcommittee with assurance thatall whistleblowerclaimsreferredtoithave beenaddressed,
the ClaimsLogshouldbe regularlyreconciledtothe ClaimsReportsandCorrective ActionPlans.Asnecessary,
Corrective ActionPlanscanbe summarizedandreportedtothe full boardof directors,regulatorsorother
appropriate parties.
Step 6 Retain.
All Documentsproducedduringthe WhistleblowerCompliantManagementProcessrepresentevidence that
shouldbe preserved,protectedandretainedinaccordance witheachcompany’sdocumentretentionpolicies.
Astheymay pertaintoconfidentialmattersreportedbywhistleblowers affordedanonymityunderthe law,care
must be takento restrictaccessto hard-copydocumentsandto store and secure electronicdata.Thismaterial
alsoservesas a record of the company’scompliance withlegal,regulatoryand/orethicsrequirementsthese
documentsprovidesevidence thatthe organizationissuccessfullyaddressingaccounting,internal control,
auditingandcompliance risks.
33. Part III. Detecting Bribery in Business Operations.
IN THE REAL-WORLD HOWDOES ONEDETACT CORRUPTION IN AN ORGANIZATION’S BUSINESS
OPERATIONS ?
Giventhe clandestine nature of corruptactivities,detectingcorruptioninone’sbusinessoperationsisbynostretchof the
imaginationaneasytask.Veryoften,countlessman-hoursof researchandinvestigationsmayturnoutverylittle inthe
formof tangible evidence.The reasonbeingthatpersonswhoengage incorruptactivitiesdonotwishthe corruptconduct
to be broughtout intothe open,secondly,people whoengagesincorruptionalwaysseemtofindnew andinnovative ways
to hide awaytheircorrupt conductand the unjustifiedandunlawful proceedstheyderive fromit.
34. However,despite thesedifficultiesindetectingcorruption,itisequallytrue thatcertaintypologiesof corruptionhas
manifestitself throughoutthe years.Dr. Elaine Byrne, in her2007 PhD Thesis entitled“TheMoral and Legal
Development ofCorruption:Nineteeth andTwentieth CenturyCorruptionin Ireland” identifyanddealswiththe
FollowingFive(5) typesof corruption:
1. Systemiccorruption - As opposed to exploitingoccasional opportunities, endemic or systemic corruption is when corruption is
an integrated and essential aspectof the economic, social and political system,when it is embedded in a wider situation that
helps sustain it.Systemic corruption is not a special category of corrupt practice,but rather a situation in which the major
institutions and processes of the state are routinely dominated and used by corruptindividualsand groups, and in which most
people have no alternatives to dealingwith corruptofficials.
2. Sporadic (individual) corruption- Sporadic corruption is theopposite of systemtic corruption.Sporadic corruption occurs
irregularly and therefore itdoes not threaten the mechanisms of control nor the economy as such.Itis not crippling,butitcan
seriously underminemoraleand sap the economy of resources.
3. Political (Grand) corruption - Political corruption isany transaction between privateand public sector actors through which
collectivegoods are illegitimately converted into private-regardingpayoffs.Political corruption isoften used synonymously with
“grand” or high level corruption,distinguished frombureaucratic or petty corruptionbecauseitinvolves political decision-
makers. Political or grand corruption takes placeatthe high levels of the political system, when politiciansand stateagents
entitled to make and enforce the laws in the name of the people, are usingthis authority to sustain their power, status and
wealth.
4. Grand corruption - High level or “grand” corruption takes placeat the policy formulation end of politics.Itrefers not so much
to the amount of money involved as to the level in which ittakes place:grand corruption is atthe top levels of the public sphere,
where policies and rules areformulated in the firstplace.Usually (butnot always) synonymous to political corruption.
5. Petty corruption - Small scale,bureaucratic or petty corruption is the everyday corruption that takes placeat the
implementation end of politics,wherethe public officialsmeet the public.Petty corruption is bribery in connection with the
implementation of existinglaws,rules and regulations,and thus different from “grand” or political corruption.Petty corruption
refers to the modest sums of money usually involved,and has also been called “lowlevel” and “street level” to name the kind of
corruption that people can experience more or less daily,in their encounter with public administration and services like
hospitals,schools,local licensingauthorities,police,taxingauthorities and so on.
35. One of the minimumrequirementsof aneffective anti-corruptioncompliance programishavingasystemmonitoringthe
effectivenessof the compliance program,includinganti-corruptioncompliance audits,toidentifyanypotential"redflags"
inthe businessoperations.“ RedFlags” are generallydefinedascircumstanceswhichcouldplace areasonable personon
notice thatillegal orimproperconducthasor mayoccur. A Red Flagsdoesnotmeanthat an actionor transactionshould
immediatelybe terminated.Itdoesmeanthatyoushouldengage inanappropriate level of additional due diligence and
investigationbefore movingforward.
36. WHAT ARETHE “RED FLAGS”THAT MAY INDICATEINSTANCES OF BRIBERY ?
Doingbusinessinahighriskcountry.
Allegationsthatthe third-partyagentactingonthe company’sbehalf hasmade facilitationpaymentstogovernment
officials.
Refusal bythird-partyagentorbusinesspartnertowarrantcompliance withrecognized anti-briberyoranti-corruption
laws.
Reluctance toparticipate indue diligence checks.
Allegationsof illegal orunethical conduct.
Convictionsforillegal conduct.
Anysuggestionthatlawsor regulationsorcompanycompliance policiesneednotbe followed.
Anysuggestionthatunethical conductiscustomorthe normin the countryconcerned.
Refusal tofollowyourcode of conduct.
Use of shell companies.
Refusal toidentifyaprincipal of beneficial owner.
Recommendationof use bya governmental official
Ownershipbyorclose relationshiptoagovernmental official
Lack of experience inthe field.
Requirementof anusuallyhighcommission.
Insistence onpaymentincash.
Insistence onpaymentinthirdpartycountryor to an unrelatedthirdparty
Requestforadvances.
Sharingof compensationwithundisclosedparties.
Offeringtoprovide falseinvoices.
Refusal toprovide adequate invoices.
Refusal tosigna contract.
37. Building AnEffective Anti-Bribery andAnti-CorruptionMonitoring Program
Monitoringenablesacompanytounderstandthe effectivenessof itsanti-corruptioncompliance programandwhere
future efforts shouldfocustominimize risks.Itcan,however,be achallenge todetermine whattomeasure,howto
do it,and howto reportthe resultsina way that stimulatesactionratherthanfostersbureaucracy.
Here are some keystepstobuildinganeffective Anti-Bribery&Anti-CorruptionMonitoringProgram.
1. Developmonitoringplan - the monitoringplanshouldbe basedonathoroughriskassessment.The riskassessment
will addefficiencyandcredibility.
2. Define rolesand responsibilities–Organizations should tailorthe rolesandresponsibilitiesforthe anti-corruption
monitoringprogrambasedonthe structure,resources,size,andparticularriskswhere the companiesoperate.A
commonapproach istaskingthe compliance department withenforcingthe program, andtaskingthe internal audit
departmenttoperformperiodicauditsof the program.
3. Plan the Anti-corruptioncompliance audit- The primaryobjectivesof the auditare to testthe effectivenessof the
currentanti-corruption compliance programandidentifypotential briberyandcorruptionriskstothe organization.
Compliance is a continuous process. What is measuredgets done !
38. Conducting Anti-corruption ComplianceInvestigations& Audits
Whenconductingan anti-corruptioncompliance investigationand/oraudit,activitiesfocusaroundthe reviewof
policies andprocedures,the general ledgerandaccountingsystem, detailedtestingoncertainareassuchas cash
disbursementsandthird-partyintermediaries. Considerations include:
1. Policiesand procedures - Giventhat a large part of conductingthe auditrelatestotestingcompliance withthe
policiesandproceduresinplace,itisimportantthatthe auditteamobtainall anti-corruptionrelatedpoliciesand
proceduresinadvance tofamiliarize themselvespriortocommencingfieldwork.
2. General ledgeraccount review- the chart of accounts and trial balance forthe businessunitunderreview
shouldbe obtainedandthe teamshouldrequesttransaction-leveldetailof selectedG/Laccountsand,on a
judgmental basis,selectasample of transactionsfortestingandrequestsupportingdocumentation.
3. Cash disbursements- The auditteam shouldobtainadisbursementsschedule byvendorwithtotal Rand
amountsspentforthe years underreview.
4. Paymentsto third-party salesintermediaries - Anarea of special focusforthe auditteam are paymentstothird-
party intermediaries,salesrepresentatives,agents,andconsultants.
5. Transaction testing- Testingshouldfocusonadequate documentationastothe nature and purpose of the
transactions,paymentapprovals,agreementwiththe underlyingcontracts,andproperrecordingof the
transactioninthe company'sbooksand records.
6. Interviews- Conductinginterviewswithindividualsinkeyrolesrelatedtoanti-corruptioncompliance isoften
the most critical part of the audit.
7. Anti-corruptiontraining compliance - the auditshouldalsotestcompliance withrequiredanti-corruption
training.
8. Reporting- The resultsof an anti-corruptionauditare generallydocumentedinareportwhichwouldincludethe
scope of workperformed,time frame of the testing,interviewsconducted,detail incidentsof non-compliance
and recommendationsforimprovements.
39. Areas of Special Anti-Bribery &Anti-CorruptionDue Diligence Checks
Withinanorganization’sbusinessoperationsthe following
operational functionsmayrequire special Anti-Bribery&
Anti-Corruptiondue diligence checks.
1. Salesand Marketing– have provento be a particularlyhighriskareafor the paymentsof bribesin the form
of “kick-backs”especiallywherethird-partyintermediaries,salesrepresentatives,agents,andconsultants
are involvedandtheirremunerationare structuredona commissionbasis.Seeforexample the recentcase
involvingGSK’sChinaoperations where executivesinthe company’ssalesandmarketingdivisionhasbeen
investigatedandare facingprosecutionforpayingbribes inthe formof “kick-backs”tonumerousChinese
healthprofessionals inexchange fororderingandprescribingdrugsmanufacturedandsuppliedbythe
pharmaceutical company.
2. Procurement– giventhe enormousamountsof moniesinvolvedandthe increasingcompetitivenessin
global supplychains,procurementhasbecome anincreasinglyhighriskareaforcorruptionbothfroma
supply side aswell asdemandside.Inanenvironmentwhere goodsandservicesare requiredonanurgent
basis,procurementmaybe forcedtopay bribestocustomsand otherofficialstoexpedite the speedy
clearance of goodsprocuredfrom international suppliers.Fromademandside,procurementprofessionals
may extortbribesfromexistingandpotential contractorsinexchange toeitherawardorextendlucrative
contracts to such contractorsor suppliers.
3. Human Resources – the hiringof “princelings”, thatisrelativesof highrankinggovernmentofficialsand
political leaders“inordertoobtainor retainbusiness”byorganizationshasbecome anincreasingfocal point
for anti-corruptionlawenforcementagenciesandregulators.A recentcase forexample isthe hiring
practicesof J.P. Morgan Chase inrelationtothe bank’sChinese operationwhichisbeinginvestigatedbythe
US Departmentof Justice.
40. 4. Corporate Social Responsibility (CSR) – hasalso proventobe a highriskarea forcorruption.Political leaders
and governmentofficialsaswell ascorporationshave beenknowntouse CSRinitiativessuchasNGO’s as a
conduitforthe paymentsof bribesbycorporationstothe eventual beneficiarieswhichisoftencorrupt
political leadersandgovernment officials. There isaconcerteddrive bythe International Extractive Industry
Initiative (IEITI) to encourage companiesinthe oil,gas,miningandlumberindustriestomake disclosures
not onlyaboutthe taxestheypayto foreigngovernmentsbutalsoall paymentsrelatingtominingroyalties
and Corporate Social Responsibilityfundinginitiativesin andaroundthe communitiestheyoperate.
5. Executive Discretionary(“Slush”) Funds – In manyorganizations,executivediscretionaryfundsaka“Slush
Funds”are oftennotsubjecttothe same type of financial oversightandscrutinyasthe rest of the corporate
finances.Ithasunfortunatelyalsobecame practice that such“corporate slushfunds”are beingusedasa
conduitto channel bribe paymentstocorruptpolitical leadersandgovernmentofficials.
The OrganizationFor Economic Developmentand Cooperation(OECD)’sWorkingGroup on Briberyin
International BusinessTransactions has developedandissuedthe “GOOD PRACTICE GUIDANCE
ON INTERNAL CONTROLS, ETHICS, AND COMPLIANCE” whichstatesas follows:
“Companies should consider, inter alia, the following good practices for ensuring effective internal controls, ethics,
and compliance programmes or measures for the purpose of preventing and detecting foreign bribery:
1. Strong, explicit and visible support and commitment from senior management to the company's internal controls,
ethics and compliance programmes or measures for preventing and detecting foreign bribery;
2. A clearly articulated and visible corporate policy prohibiting foreign bribery;
3. Compliance with this prohibition and the related internal controls, ethics, and compliance programmes or
measures is the duty of individuals at all levels of the company;
4. Oversight of ethics and compliance programmes or measures regarding foreign bribery, including the authority to
report matters directly to independent monitoring bodies such as internal audit committees of boards of directors or of
supervisory boards, is the duty of one or more senior corporate officers, with an adequate level of autonomy from
management, resources, and authority;
41. 5. Ethics and compliance programmes or measures designed to prevent and detect foreign bribery, applicable to all
directors, officers, and employees, and applicable to all entities over which a company has effective control, including
subsidiaries, on, inter alia, the following areas:
i) Gifts;
ii) Hospitality, entertainment and expenses;
iii) Customer travel;
iv) Political contributions;
v) Charitable donations and sponsorships;
vi) Facilitation payments; and
vii) Solicitation and extortion;
6. Ethics and compliance programmes or measures designed to prevent and detect foreign bribery applicable, where
appropriate and subject to contractual arrangements, to third parties such as agents and other intermediaries,
consultants, representatives, distributors, contractors and suppliers, consortia, and joint venture partners (hereinafter
“business partners”), including, inter alia, the following essential elements:
i) Properly documented risk-based due diligence pertaining to the hiring, as well as the appropriate
and regular oversight of business partners;
ii) Informing business partners of the company’s commitment to abiding by laws on the prohibitions
against foreign bribery, and of the company’s ethics and compliance programme or measures for
preventing and detecting such bribery; and
iii) Seeking a reciprocal commitment from business partners.
7. A system of financial and accounting procedures, including a system of internal controls, reasonably designed to
ensure the maintenance of fair and accurate books, records, and accounts, to ensure that they cannot be used for the
purpose of foreign bribery or hiding such bribery;
8. Measures designed to ensure periodic communication, and documented training for all levels of the company, on
the company’s ethics and compliance programme or measures regarding foreign bribery, as well as, where
appropriate, for subsidiaries;
9. Appropriate measures to encourage and provide positive support for the observance of ethics and compliance
programmes or measures against foreign bribery, at all levels of the company;
10. Appropriate disciplinary procedures to address, among other things, violations, at all levels of the company, of
laws against foreign bribery, and the company’s ethics and compliance programme or measures regarding foreign
bribery;
11. Effective measures for:
i) Providing guidance and advice to directors, officers, employees, and, where appropriate, business
partners, on complying with the company's ethics and compliance programme or measures, including
when they need urgent advice on difficult situations in foreign jurisdictions;
ii) Internal and where possible confidential reporting by, and protection of, directors, officers,
employees, and, where appropriate, business partners, not willing to violate professional standards or
ethics under instructions or pressure from hierarchical superiors, as well as for directors, officers,
employees, and, where appropriate, business partners, willing to report breaches of the law or
professional standards or ethics occurring within the company, in good faith and on reasonable
grounds; and
42. iii) Undertaking appropriate action in response to such reports;
12. Periodic reviews of the ethics and compliance programmes or measures, designed to evaluate and improve their
effectiveness in preventing and detecting foreign bribery, taking into account relevant developments in the field, and
evolving international and industry standards.
B) Actions by Business Organisations and Professional Associations
Business organisations and professional associations may play an essential role in assisting companies, in
particular SMEs, in the development of effective internal control, ethics, and compliance programmes or
measures for the purpose of preventing and detecting foreign bribery. Such support may include, inter alia:
1. Dissemination of information on foreign bribery issues, including regarding relevant developments in international
and regional forums, and access to relevant databases;
2. Making training, prevention, due diligence, and other compliance tools available;
3. General advice on carrying out due diligence; and
4. General advice and support on resisting extortion and solicitation.
CONCLUSION
Corruptionisa societal evil thatnegativelyimpactssocial andeconomicdevelopment.Itcostsgovernmentsandbusiness
billionsof dollarsannuallyandcan onlymeaningfullycombated,preventedandreducedif nottotallyeradicatedisthrough
multi-stakeholderinitiativesinvolvinggovernments,businessandcivil society.Thisworkshopisundoubtedlyastep,though
perhapsa tinyone,inthe right direction.Itrepresentsanacknowledgementfromaveryimportantsectorof our economythat
somethingiswrong, butmostimportantlythatsomethingisbeingdone tocombatcorruption.ALLAttendeesof thisworkshop
are encouragedtonotonlyimplementsome of the bestpracticestoucheduponinthisworkshopbuttobecome anti -
corruptionchampionswithintheirorganizationsandbyencouragingotherstoengage inethical behaviorthroughstrategic
trainingandmanagement.
As PresenterIwishtoexpressmymostsincere gratitude tothe workshoporganizersandall attendees.Itwasindeeda
pleasure andprivilege inpresentingthisworkshopandIwishto expressthe hope of future engagementsonmattersrelating
to combatingcorruption.
43. ACKNOWLEDGEMENTS
The followingresourceswere usedbythe Presenterinthe compilationof thismaterial.
1. Thomas Fox – FCPA Compliance& Ethics Blog - https://tfoxlaw.wordpress.com/2011/03/23/some-red-flags/
2. Richard Bistrong – ALL Cartoons
3. Micheal Volkov – Third Party Audits – BitingThe Bullet-Corruption , Crime & Compliance Blog–
http://blog.volkovlaw.com/2015/02/third-party-audits-biting-bullet/
4. The United Nations Convention AgainstCorruption (UNCAC) –
http://www.unodc.org/documents/treaties/UNCAC/Publications/Convention/08-50026_E.pdf
5. The OEDC - Good PracticeGuidanceon Internal Controls,Ethics,and Compliance
http://www.oecd.org/investment/anti-bribery/anti-briberyconvention/44884389.pdf
6. The OEDC - Decisions,Recommendations and other Instruments of the Organisation for Economic Co-Operation and
Development - http://acts.oecd.org/Instruments/ShowInstrumentView.aspx?InstrumentID=258&Lang=en
7. Ernst & Young -Briberyand Corruption:NavigatingtheGlobalRisks - http://www.ey.com/US/en/Services/Assurance/Fraud-
Investigation---Dispute-Services/Bribery-and-Corruption—Monitoring
8. UN Global Compact 10th PrincipleAgainstCorruption
https://www.unglobalcompact.org/aboutthegc/thetenprinciples/principle10.html
9. UN Global Compact – RESIST – ResistingExtortion and Solicitation in International Transactions -
https://www.unglobalcompact.org/docs/issues_doc/Anti-Corruption/RESIST.pdf
10. The Business Anti-Corruption Portal –Due DiligenceTools - http://www.business-anti-corruption.com/tools/due-diligence-
tools.aspx
Workshop Presenter – Myron D. B. Betshanger
Contact Details:e-mail: betshangermyron2@gmail.com
Cell. +27 74 780 3862 / +27 76 228 6088
SKYPE: myronbetshanger @betshangermyron