Anti-corruption Handbook: Implementing the PACI Principles for Countering Bribery

A Manager’s Guide for Developing Anti-corruption Programmes

COMMITTED TO IMPROVING THE STATE

OF THE WORLD

The views expressed in this publication do not necessarily reflect those of theWorld Economic Forum.

World Economic Forum91-93 route de la CapiteCH-1223 Cologny/GenevaSwitzerlandTel.: +41 (0)22 869 1212Fax: +41 (0)22 786 2744E-mail: contact@weforum.orgwww.weforum.org

© 2007 World Economic ForumAll rights reserved.No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by anyinformation storage and retrieval system.

REF: 200407

1 Introduction 5

2 The PACI Principles 7

3 Development of a Programme for Countering Bribery 9

4 The Programme: Scope and Guidelines 13

4.1 Bribes 14

4.2 Political Contributions 18

4.3 Charitable Contributions and Sponsorships 20

4.4 Facilitation Payments 22

4.5 Gifts, Hospitality and Expenses 24

5 Programme Implementation Requirements 25

5.1 Organization and Responsibilities 26

5.2 Business Relationships 28

5.3 Human Resources 36

5.4 Training 38

5.5 Raising Concerns and Seeking Guidance 41

5.6 Communication 43

5.7 Internal Controls and Audit 44

5.8 Monitoring and Review 47

6 Additional Resources 50

Footnotes 51

Contents

3

The Anti-corruption Handbook containssupplemental information for companies thatsubscribe to the Partnering Against CorruptionPrinciples for Countering Bribery (“the PACIPrinciples”). It provides practical guidance and is areference manual for developing and maintainingcorporate Programmes to implement thecommitment to countering Bribery.

This Handbook was developed by a multinationaltask force of signatory companies of the WorldEconomic Forum Partnering Against CorruptionInitiative (PACI), working with TransparencyInternational. Implementation practices describedhere are intended to provide companies of all sizeswith general guidance, rather than prescriptions, fordeveloping their own policy statements andProgrammes to combat Bribery and other forms ofcorruption in international business.

The Handbook identifies useful implementationpractices found at multinational companies. Specificpractices and recommendations do not necessarilyreflect the views of its individual members onparticular topics. Information contained in theHandbook is illustrative only and not intended aslegal advice nor to impose any new or additionallegal requirements or obligations on signatorycompanies, nor is it expected that any enterprise willfulfil all of these guidelines. Questions about legal orother obligations under national anti-corruption orother laws should be directed to appropriatecounsel.

The PACI Task Force wishes to explicitly thank allthose whose contributions made successfulcompletion of this guidance document possible.

4

Preface

International companies that sign on to the PACIPrinciples have taken an important step in joining theglobal campaign against public corruption. Thechallenge ahead is to transform this aspirationalcommitment into concrete action. This Handbook isdesigned to help compliance managers and theircolleagues put the PACI Principles into practice.

Global Context

There is no longer serious debate over the harmcaused by corruption. Numerous studies by theWorld Bank and others have shown that corruptpayments made to foreign government officials tosecure an unfair business or regulatory advantageare deeply corrosive.1 They undermine faircompetition, distort economic investments anddeprive governments of resources needed topromote growth and development.

A Commitment and Challenge

The PACI Principles reflect a commitment for changethrough anti-corruption standards and practices.They provide a framework for individual companiesto develop and implement more effective complianceProgrammes, thereby strengthening industry-widepractice and contributing to the goals of goodgovernance and economic development. A corollaryobjective is to secure a level economic playing fieldfor the increasing number of companies that refuseto pay bribes.

The PACI Principles recognize that an effectivecompliance Programme2 must have both substantiveand procedural components. Signatory companiescommit not only to a zero tolerance policy onBribery but also to developing and maintaining acomprehensive system of internal procedures andcontrols. In practical terms, this means having anoverall strategy for identifying priority corruptionrisks, educating relevant personnel, implementingoperational procedures, and monitoring and auditingfor compliance. As in other compliance areas, eventhe most sophisticated and well-intentionedcompanies will find this to be a complex andchallenging undertaking.

Using the Handbook

The PACI Principles establish an essentialProgramme baseline, but leave many practicaldetails to individual companies. The Handbook isdesigned to help compliance managers fill thisinformation gap.

The Handbook facilitates implementation efforts intwo ways. First, it offers supplemental guidance andclarification on the meaning of particular PACIstandards. Second, the Handbook identifiescommon implementation practices and suggests auseful planning model for analysing these and otherProgramme options.

For ease of reference, the Handbook tracks thestructure of the PACI Principles. Section 2 definesthe basic anti-corruption commitment – that is, to aneffective Anti-Bribery Programme andimplementation Programme. This is followed inSection 3 by general Programme guidelines thatemphasize the need for reasonable detail, tailoredpractices and employee involvement. Section 4 thendefines what it means to have an effectiveProgramme, in general terms and as applied topolitical contributions and other specific high-riskactivities. Finally, Section 5 describes coreoperational practices, such as high-level leadership,policy development, training, enforcement, auditingand oversight.

Practical Considerations

The Handbook is intended for use by enterprises ofall sizes in building new anti-corruption Programmesand refining existing ones. While some signatorycompanies may wish to construct new Programmesfrom the ground up, for many, benchmarking andstrengthening of current practice will be bothdesirable and appropriate. Experience has shownthat for companies with solid existing Programmes,targeted incremental refinements can dramaticallyimprove effectiveness.

The PACI Principles are calibrated to produceProgrammes that are also reasonable, cost effectiveand pragmatic. This Handbook identifies practicesfound to be effective in achieving a statedProgramme objective. Singling out a particular

5

1 Introduction

practice does not mean that it is right for allcompanies, only that the practice has workedelsewhere and deserves consideration on this basis.Information provided in the Handbook is predicatedon the belief that “no one size fits all” and thatimplementation practices can and should be tailoredto reflect individual corporate circumstances.Programme design must be results oriented,focused on what makes a particular system effectivefor a particular enterprise.

Getting Started

Whether a signatory company is building a newProgramme or refining an existing one, a formalstructured approach for assessment and planning isstrongly recommended.

The Handbook offers two practical tools fororganizing and conducting planning reviews. Thefirst tool is a procedure, described in Section 3, thatcan be used to develop work plans, identify prioritycorruption risks and assess implementation needsand options. This is supplemented by a resourceinventory, in Section 6, with links to anti-corruptionwebsites that can be used to monitor evolving legalstandards and industry practice.

Additional practical information about mattersdiscussed in this Handbook, the implementationprocess and evolving industry practice can beobtained by contacting the World Economic ForumPartnering Against Corruption Initiative (PACI) atpaci@weforum.org, tel.: +41 (0)22 869 1212.

6

Discussion

The PACI Principles, which take their name from thetwo “principles” in this section, reflect the samecomprehensive approach to corruption found in theTransparency International guidelines from whichthey derive.3 This approach combines a rigorousanti-corruption policy with detailed guidelines fordeveloping and implementing effective complianceProgrammes.

Policy

The first listed Principle commits signatorycompanies to prohibit “Bribery in any form”. Briberyis defined to include commercial bribes as well ascorrupt payments to government officials or politicalparties and candidates. The prohibition applieswhether improper payments are made directly orthrough an intermediary, and whether a bribe isactually paid or only offered or promised.

The definition of Bribery in this section should beused to develop, or benchmark, enterprise-specific

standards of conduct. Section 4 provides moredetailed guidance on applying the principle to theenterprise’s activities and developing conformingpolicy statements and practices.

An Effective Programme

The second listed Principle commits signatorycompanies “to develop and administer an internalcompliance Programme that effectively makes anenterprise’s anti-corruption policy an integral part ofdaily practice”.

A compliance Programme is much more than apolicy statement with which an enterprise intends tocomply. As explained in Section 2, an enterprise’sProgramme is “the entirety of [it’s] anti-Briberyefforts, specifically including its code of ethics,policies and procedures, administrative processes,training, guidance and oversight”. To be effective, aProgramme must address the full range of issuesand practices normally associated with compliance,from risk assessment, training and operationalprocedures through investigation, response action

7

2 The PACI Principles

The PACI Principles

The enterprise shall prohibit Bribery in any form.

Bribery (“Bribery”) is the offering, promising or giving, as well as demanding or accepting, of any undueadvantage, whether directly or indirectly, to or from:• A public official• A political candidate, party or party official• Any private sector employee (including a person who directs or works for a private sector enterprise in

any capacity)

in order to obtain, retain or direct business or to secure any other improper advantage in the conduct ofbusiness.

The enterprise shall commit to the continuation or implementation of an effective Programmeto counter Bribery.

An effective Programme is the entirety of an enterprise’s anti-bribery efforts, specifically including its code ofethics, policies and procedures, administrative processes, training, guidance and oversight. Thiscommitment is to develop and administer an internal compliance Programme that effectively makes anenterprise’s anti-corruption policy an integral part of daily practice.

Section 2 describes the essential PACI commitment, providing signatory companies with a baseline forProgramme development and benchmarking activities.

and oversight. High-level commitment, a goodorganizational structure and active engagementacross the organization also are important.

The PACI Principles recognize that signatorycompanies may have substantial experiencecomplying with legal regimes, including anti-corruption laws, developed over many years.Programmes to implement the PACI commitmentshould build on this experience and resource base.Implementation guidelines in Section 5, togetherwith additional guidance in this Handbook, can beused to benchmark and refine existing practice.

8

Discussion

These five listed guidelines reflect standardcompliance practice.

Articulation of the “Programme”

Section 3.1 provides that an enterprise “shoulddevelop a Programme that clearly and in reasonabledetail articulates values, policies and procedures tobe used to prevent Bribery from occurring in allactivities under its effective control.” The essentialrequirement is that a Programme describessubstantive standards and the practices used toimplement them in enough detail so that they can beunderstood by enterprise personnel and otherssubject to the policy. Practices described in Section4.1 (for policy formulation) and elsewhere in theHandbook can be used to satisfy this guideline.

Tailoring to Circumstances

Section 3.2 emphasizes the importance of tailoringProgramme practices “to reflect an enterprise’sparticular business circumstances and culture”. Thisdirective reflects the adage that “no one size fits all”in compliance. It recognizes that practices employedin some Programmes may not always be appropriateto others, at least without adjustment. However, it

also suggests a corollary responsibility to identifyand implement practices that do fit an enterprise’sunique circumstances.

Consistency with Law

Section 3.3 requires that a Programme “be consistentwith all laws relevant to countering Bribery in alljurisdictions in which the enterprise operates.” Thisstatement recognizes that compliance Programmesmust be developed in accordance with applicablenational laws and also that an enterprise operating inseveral countries may be subject to multiple andpotentially different anti-corruption laws andstandards. Applicable laws should be identified andanalysed for specific requirements as part of the“risk assessment” process described in this section.

Employee Involvement

Section 3.4 encourages signatory companies to“involve employees in the implementation of theProgramme.” It reflects expert opinion thatcompliance is most effective in organizations thatfind meaningful ways to engage corporatepersonnel. Harnessing their cooperation, motivationand practical experience is an important key toeffective implementation. Opportunities for employeeinvolvement are identified throughout the Handbook.

9

3 Development of a Programme for Countering Bribery

The PACI Principles

3.1 An enterprise should develop a Programme that clearly and in reasonable detail articulates values,policies and procedures to be used to prevent Bribery from occurring in all activities under itseffective control.

3.2 The Programme should be tailored to reflect an enterprise’s particular business circumstances andcorporate culture, taking into account such factors as size, nature of the business, potential risksand locations of operation.

3.3 The Programme should be consistent with all laws relevant to countering Bribery in all thejurisdictions in which the enterprise operates.

3.4 The enterprise should involve employees in the implementation of the Programme.

3.5 The enterprise should ensure that it is informed of all matters material to the effective developmentand implementation of the Programme, including emerging industry practices, through appropriatemonitoring activities and communications with relevant interested parties.

Guidelines in this section provide a general framework for the more detailed directives that follow in Sections 4and 5 of the PACI Principles.

Monitoring for Emerging Practices

This final guideline requires monitoring for emergingdevelopments in compliance practice. Regular“benchmarking” to measure current efforts andidentify compliance innovations is a common andessential feature in successful Programmes. It istypically conducted through a variety of mechanisms,both formal and informal, including interactions withindustry counterparts, seminars and other educationalactivities, and consultation with compliance experts.4

As explained in Section 5.8 of the Handbook,periodic Programme reviews can be used toregularize and coordinate this monitoring.

Implementation

Programme development should begin with a focusedreview of enterprise risk and existing compliancepractice and resources. This is an essential startingpoint whether planning is for an entirely newProgramme or benchmarking an existing one. Thethree-step process described here can also beadapted for use in Section 5.8 Programme reviews.5

Step 1: Establishing Work Plans

The first step in compliance planning is a basic“work plan” for the implementation process itself.This will help to assure that everyone on theimplementation team understands the task aheadand how it will be accomplished.

Work plans can be more or less formal. The importantpoint is that they address core planning issues.These include:

• Programme scope. Planning should be guided bya clear and reasonably detailed statement ofcorporate objectives. The implementation teammust understand that good compliance requiresdeveloping Programme structure and processes,not just crafting substantive legal rules.

• Planning elements. Core planning activities shouldbe identified, with particular attention to riskassessment and Programme evaluation.

• Work assignments. Work plans should establishclear lines of responsibility for conducting riskassessments, Programme evaluations and otherplanning activities. They also can be used to seethat necessary guidance and adequate resourcesare made available.

• Coordination. Effective compliance requirescoordination across business lines and servicedepartments. Work plans can highlight this issueand direct that individuals responsible for riskassessment and other preparatory activities reachout to other stakeholders in the organization.

• Timing. Work plans should establish a firmschedule for completing assignments. Fixeddeadlines help to keep the process focused andmoving forward.

Step 2: Conducting Risk Assessments

The second planning step is a review to identifycompany-specific corruption risks. Such reviews,commonly referred to as “risk assessments”, are astandard compliance practice and also a PACIrequirement.6 Assessments provide an individualizedcompliance profile that can be used to focusProgramme activities and resources.

Assessment Guidelines

Risk assessment is a complex process, made moreso when there are multiple lines of business orcomplicated business structures. Personnelresponsible for conducting assessments need tohave clear and consistent guidance on suchpractical issues as what questions to ask, for whichbusiness activities, and how frequently.

Compliance managers are encouraged to developwritten guidelines for the assessment process.Relevant operational parameters include:

• Scope of review. Corruption risk should be targetedon an enterprise-wide basis, taking into accountbusiness profile, geographic location, nexus withgovernment, use of agents and other third parties,prior history, and other specific risk indicators.Assessments typically are conducted by line ofbusiness. Potential risks should be assessedacross the full range of enterprise activities,including in connection with controlled affiliates.7

• Relationship to general assessment process.Assessments should be corruption specific – thatis, focused on the types of risk addressed by zerotolerance policies on Bribery. Corruption-specificassessment will produce better information andorganizational focus for the planning process.

10

Once a good baseline has been established,periodic updating may be handled through anenterprise’s general risk assessment process.

• Conduct of assessments. Risk assessments maybe conducted internally or using outside experts.In either case, assessment should be guided bystandards and procedures applicable on anenterprise-wide basis. It will also be important toinvolve business personnel with line experience.For many areas, their input may be the singlebest source of real-world information aboutpractical risks.

• Frequency. Assessment to determine the scopeand nature of anti-corruption risk should beongoing. The nature of an enterprise’s legalobligations and ways that specific organizationalactivities interact with those obligations can changeover time. Periodic reviews help to prevent anddetect Bribery and to make adjustments tochanging business activities. Changes that canrequire adjustment include new lines of businessand geographic expansion.

Coverage Requirements

Risk assessment guidelines should identify specificareas for inquiry. These include:

• Business profile. Although corruption can occur inany context, some types of activity carry greaterinherent risk than others. Corporate riskassessments should provide a general profile ofbusiness activities, with particular attention toperceived areas of higher risk.

• Geographic location. As with types of businessactivity, corruption risk can vary significantly bycountry and region. The Corruption PerceptionsIndex (CPI) published by Transparency Internationalidentifies perceived levels of corruption risk bycountry. This data, combined with informationfrom line personnel and other business sources,should be used to identify high-risk markets.8

• Government nexus. The greater the requirementfor government contacts, the greater the inherentrisk; hence, the need to access the full range ofgovernment nexus points. Risk factors unique toparticular activities should be highlighted.

• Operational factors. Assessments should identifyhigh-risk operating units (such as sales andmarketing for procurement activities), operationalstructures (use of agents, affiliates, joint ventures)and control practices (for example, consultantapprovals). This information can be used to targettraining and other implementation activities.

• Applicable laws and policies. Cross-borderbusiness activities may be subject to multipleanti-corruption laws, as well as voluntarycorporate ethics rules. The assessment processcan be used to identify applicable laws andpolicies, by line of business.

Red Flags

Suspicious practices and circumstances that mayindicate corruption risk should be identified forProgramme use. These are commonly referred to as“red flags”.

Red flags are an essential tool for risk assessmentand other Programme activities, including duediligence review. As the name suggests, they arecautionary indicators signalling the need forheightened scrutiny. Common red flags include high-risk geographic areas or industry sectors, unusualgovernment ties (e.g. through family connections),lack of relevant business expertise or experience,non-standard compensation terms and suspiciouspayment circumstances. These and other generalindicators are most effective when adapted toparticular real-world situations.

Step 3: Preparing ProgrammeEvaluations

The third and final preparatory step is a “Programmeevaluation” to determine whether identified risks arebeing effectively managed.

Evaluations should be prepared by the individual orteam with operational responsibility for Programmeimplementation. A formal process is generallyrecommended for the initial anti-corruptionevaluation because of the scope and complexity ofissues that will need to be addressed. Planningshould take advantage of existing resources andengage relevant stakeholders. Both improve thequality of analysis and help to build consensus andProgramme support.

11

Programme evaluations provide a baselineassessment of existing compliance capabilities anda roadmap for refinements and futureimplementation. The resulting work product can beused as a reference document for planners and alsoto educate enterprise leadership about Programmeobjectives, means and needs.

Evaluation typically is a four-step process. The stepsinvolve:

• Inventorying existing resources. An inventory ofexisting resources should be prepared, describingcurrent compliance practice and identifyingrelevant personnel and other resources. For manycompanies, key Programme elements mayalready be in place that can be adapted for anti-corruption use.

• Assessing strengths and weaknesses. Inventoriedresources can then be measured against thecorporate risk profile. This review should identifycurrent Programme strengths and weaknesses.

• Identifying needs and response options. The nextstep in the process is to identify areas forimprovement. These can be divided intonecessary and optional Programme refinements.A menu of possible response options can bedeveloped based on practices found in thisHandbook and from other sources.

• Devising an appropriate implementation plan. Thefinal step is to develop a plan for implementingrefinements. Implementation planning shouldaddress the same operational issues noted earlierfor preliminary work plans (e.g. scope,assignments, coordination and timing), as well asthe communications strategy for “rolling out” thenew or modified anti-corruption Programme.

As has been noted, implementation activities needto be tailored to an enterprise’s uniquecircumstances and there will be considerable latitudein choosing among available options. A goodProgramme evaluation will help to ensure judgmentsare made on a well informed, consistent andcoordinated basis.

12

Discussion

Following this preamble, Section 4 explains what itmeans for an enterprise to “prohibit Bribery in anyform”. Standards are set out in five subsections,beginning with a general statement of the policy(Section 4.1) followed by applications of the policy topolitical contributions (Section 4.2), charitablecontributions and sponsorships (Section 4.3),facilitation payments (Section 4.4) and gifts,hospitality and expenses (Section 4.5).

The preamble contains two general directives,applicable to all five subsections. The first is that anenterprise “identify and assess specific areas thatpose the greatest risks from corruption.” Riskassessment procedures described in the precedingsection may be used for this purpose, includingcradle-to-grave reviews for identifying priority risksby line of business.

The second directive is that an enterprise “reflectemerging practice” in its Programme. This requiresmonitoring of industry compliance practice, withparticular attention to sectors in which an enterpriseis active and the “types and locations of businessactivity most susceptible to corruption and Bribery.”For example, evidence that a competitor has beenconfronted by corruption demands in a particularmarket should draw attention to an enterprise’s ownstandards and protective measures for the same orsimilar business activities.

13

4 The Programme: Scope and Guidelines

The PACI Principles

In developing its Programme for countering Bribery, an enterprise should identify and assess specific areasthat pose the greatest risks from corruption.

The Programme should reflect emerging practice, with particular attention to the industry sector and typesand locations of business activity most susceptible to corruption and Bribery.

Section 4 of the PACI Principles establishes guidelines for an enterprise’s anti-Bribery policy and standards ofconduct. This is the substantive Programme component.

Discussion

The PACI Principles require a clear statement,reinforced by procedures and controls, that anenterprise will not tolerate Bribery in any of itsbusiness dealings, whether carried out directly orthrough a third party. All third-party transactions arecovered by this rule, including those conductedthrough subsidiaries, joint ventures, agents or otherintermediaries, such as consortium partners ornominated subcontractors. Guidelines for applyingthe Bribery prohibition to these relationships aredetailed in Section 5.2.

The definition of Bribery in Section 2 of the PACIPrinciples should be used to guide corporate policy.With one notable exception, the definition reflectscoverage terms found in the OECD Convention onCombating Bribery of Foreign Public Officials inInternational Business Transactions and mostnational laws modelled on the Convention.9 Theexception is for commercial Bribery, which is notaddressed by the OECD Convention. Most largeenterprises, however, already include prohibitions oncommercial Bribery in their business ethics rules.Companies in some jurisdictions are also subject togeneral corporate, securities or other laws thatprohibit or require proper recording or disclosure ofcommercial Bribery.

Bribery should be prohibited regardless of the form ittakes or the channels used to make or offer apayment. Financial payments are most common, buta prohibited inducement can come in any form.

Common examples include expensive gifts,improper travel reimbursements and job or businessopportunities for an official’s family members, friendsor associates.

While some applications of the Bribery prohibitionwill be obvious, many others are more subtle.Section 4.1.3 accordingly directs that a signatorycompany include in its Programme “guidance on themeaning and scope of this prohibition, withparticular attention to areas of high risk”.

Implementation

Signatory companies are expected to reflect theiranti-Bribery commitments in a formal policystatement and Programme guidelines. This has threeoperational aspects: (i) identifying priority corruptionrisks; (ii) formulating an appropriate policy response;and (iii) developing written Programme materials.Guidelines for each follow in this section, andadditional practical information (including sampledocuments) can be found on websites listed inSection 6 of the Handbook.

Step 1: Risk Assessment

Policy development should begin with a review toidentify “specific areas that pose the greatest risksfrom corruption”. This is the same “risk assessment”process described in Section 3. An initial baselineassessment should be conducted, with periodicupdating to reflect changes in business or other riskfactors.

14

4.1 Bribes

The PACI Principles

All Programmes should at a minimum cover the following areas:

4.1.1 The enterprise should prohibit Bribery in all business transactions that are carried out either directlyor through third parties, specifically including subsidiaries, joint ventures, agents, representatives,consultants, brokers, contractors, suppliers or any other intermediary under its effective control.

4.1.2 The enterprise should prohibit Bribery in any form, including on any contract payment or portion of acontract payment, or by any means or channels to provide improper benefits to customers, agents,contractors, suppliers or employees thereof.

4.1.3 The Programme should provide guidance on the meaning and scope of this prohibition, withparticular attention to areas of high risk to a company in its business sector.

This first section provides additional guidance on the meaning and scope of the PACI commitment to “prohibitBribery in any form”.

Step 2: Policy Formulation

Once priority risks have been identified, aProgramme policy statement and guidelines can beformulated.10 Among the issues that will need to beconsidered are Programme scope, consistency withlaw and operational practices.

Programme Scope

An enterprise’s anti-corruption policy should clearlyidentify all conduct prohibited by the policy. Policystatements should explain, for example, that theprohibition applies to all business transactions andto Bribery in any form, as detailed in Section 4.1.They should also confirm the Programme’senterprise-wide scope and its applicability totransactions carried out through agents and otherbusiness partners.

Policy guidelines should reflect the definition ofBribery found in Section 2 of the PACI Principles. Itis not enough, however, merely to restate thistechnical definition or others like it found inapplicable anti-corruption statutes. An enterpriseshould also explain in more concrete terms what theprohibition means and how it applies to businessactivities.

Many companies will find it useful for planning andtraining purposes to define the Bribery prohibitionthrough its component parts, each of which must bepresent to constitute Bribery. One commonformulation breaks down the policy into the followingfive elements:

• A person covered by the policy. An enterprise’santi-corruption rules apply to everyone in theorganization, subject to pre-existing agreementssuch as collective bargaining agreements, and inall activities under its effective control.

• Gives something of value. Bribery is not limited tocash payments, but can involve giving or offeringanything of value. Restrictions apply whether abribe is actually given or only offered or promised,and also to demands for and acceptance of abribe by enterprise personnel.

• To a covered official or other person. All business-related bribes are prohibited, whether they involvepublic officials or private individuals. This includesany direct benefit to such persons, as well as any

benefit to others made at their request or for theirbenefit (such as a directed political or charitablecontribution).

• Directly or indirectly. Bribery restrictions applywhether a bribe is made directly by enterprisepersonnel or through another person. Such otherpersons include agents, advisers andintermediaries, as well as business partners,contractors and suppliers.

• To secure an improper business advantage.Bribery may not be used to obtain, retain or directbusiness or to secure any improper businessadvantage. This includes regulatory benefits (suchas licensing or approvals), as well as obtaining orretaining business.11

This formulation and others like it provide a practicalframework for understanding and applying theBribery prohibition. Policy statements also can beused to define key coverage terms, such as “publicofficial” and “business advantage”, and to distinguishpermitted activities (such as legitimate businesspromotion).

Consistency with Law

The PACI Principles set a floor for an enterprise’santi-corruption policy and standards of conduct.This guidance should be considered in conjunctionwith relevant national laws and regulations. Anti-corruption laws based on the OECD Conventionestablish comparable prohibitions, but may differ insome areas. Not all laws, for example, addresspolitical contributions or exempt so-called“facilitation” payments.

Programme standards should be consistent withlaws relevant to countering Bribery in thejurisdictions in which an enterprise does business.Where such laws are less restrictive than the PACIPrinciples, guidelines established by the Principlesshould be followed unless doing so wouldcontravene applicable law. For instance, Programmestandards should prohibit political payments madeas a subterfuge for Bribery even though this may notbe explicitly addressed by a particular national law.

Anti-corruption laws applicable to enterpriseactivities should be identified as part of the riskassessment process. Material differences should benoted and appropriate procedures devised tocalibrate Programme implementation for different

15

operations. Signatory companies may find, forexample, that operations conducted through somesubsidiaries or joint ventures but not others are injurisdictions that recognize a facilitation paymentsexception. Specific differences need not beenumerated in general policy documents. It will beimportant, however, to alert responsible personnel topossible differences and circumstances that maywarrant further legal inquiry.

Guidance on Meaning and Scope

An enterprise’s Programme should provide practicalguidance on the meaning and scope of the Briberyprohibition, with particular attention to areas of highrisk. This directive is codified in Section 4.1.3.

The ultimate test of an effective Programme iscompliance with the zero tolerance policy. This canonly happen if personnel subject to the policyunderstand what the policy covers and requires.Education starts with a good policy statement,reinforced through training and othercommunications practices, with appropriate tailoringfor different employee functions and groups. Policystatements are discussed below in theimplementation section, and training and employeeadvice channels in Sections 5.4 and 5.5 of theHandbook.

Bright-line Standards Option

Programme standards should take into accountdifficulties that can occur in applying the Briberyprohibition to specific transactions or circumstances.

Coverage rules establish criteria that line personnelmay not always fully understand or be able to apply– such as whether benefits offered or conveyed are“undue” or business advantage sought is“improper”. There are two common approaches tothis problem. One is to establish “bright-line” teststhat may be over-inclusive but easily understood andapplied.12 Rules prohibiting political or charitablecontributions, or requiring prior managementapproval, are a frequent example. The alternativeapproach is a rule that more closely tracks legal andethical prohibitions and relies on line personnel andcompliance managers to identify and avoidproscribed conduct. Programmes that permit“reasonable” gifts, contributions or facilitationpayments reflect this practice.

Both approaches are acceptable, and often foundfor different areas in the same Programme. Forstandards development, the critical difference is in

the detail required for explanatory materials andrelated training. Nuanced rules place a much heavierpremium on specifics. Personnel and agents subjectto the Bribery prohibition need to be given enoughinformation to “red flag” suspicious circumstancesand to know when and how to seek expertguidance. Bribery red-flagging is addressed atgreater length in the Handbook discussion ontraining practices in Section 5.4.

Step 3: Materials Development

The third step in standards development is toprepare Programme materials that memorialize andcommunicate the anti-Bribery policy. Primarydocuments may include Codes of Conduct, policystatements, practitioner handbooks and protectivecontract provisions.

Codes of Conduct

The corporate Code of Conduct is the centralcompliance document in most Programmes,providing a capsule summary of an enterprise’s legaland ethics priorities. Codes should be updated toreflect the new policy.

Formulations that describe corporate policy in clear,non-technical terms are most effective. Where Codeformat and style permit, it can also be useful toinclude a statement explaining why zero toleranceon Bribery is an enterprise priority. Because this maybe the only policy statement some personnel eversee, it is important to explain in basic terms therange of conduct covered by the Bribery prohibitionand how to obtain additional information andcompliance advice.

Policy Statements

The Code of Conduct is only a starting point forcompliance materials and not enough, by itself, tosatisfy the requirement that a Programme “clearlyand in reasonable detail” articulate corporate values,policies and procedures for preventing Bribery.Enterprises also need to develop and distribute torelevant personnel more detailed guidance,commonly referred to as “policy statements”. Thesestatements provide an opportunity for moreexpansive discussion of anti-Bribery standards andprocedures, including sector-specific applications.

Policy statements vary from company to company,with some only a few pages in length and othersmuch more comprehensive. More substantial policy

16

statements will be appropriate for most companies,given the nature and scope of corruption risks inindividual sectors.

Practitioner Guides

Practitioner guides (manuals or handbooks) are athird common type of document, used as acounselling aid for lawyers and others responsiblefor providing compliance advice. They contain moredetailed “expert” guidance on applying anti-Briberyrules to particular circumstances.

Practitioner guides can be a useful and also costeffective management tool, especially wherebusiness considerations militate against bright-linecompliance rules. If compliance training is working, itshould trigger periodic inquiries from personnel inthe field about the anti-bribery policy’s applicability inspecific cases. A good practitioner guide will help toincrease consistent application.

Contract Protections

Anti-Bribery contract clauses are another commoncompliance tool. They are used for a variety ofpurposes in contracts with employees and businesspartners.

The PACI requirement, in Section 5.2, is thatcontracts with business partners acknowledge anti-Bribery commitments and secure a right oftermination for non-compliance. Contract clausesalso can be used to:

a) “Warrant” (i.e. contractually promise) compliance b) Establish appropriate monitoring and oversight

procedures c) Mandate notice of violations and cooperation in

investigations d) Impose roll-down requirements (e.g. for agents,

subcontractors)

17

Discussion

The PACI Principles recognize that politicalcontributions may be made for legitimate purposes,but require that an enterprise adopt reasonablemeasures to prevent circumvention of the Briberyprohibition. Contributions must be transparent,made in accordance with applicable law andmonitored through appropriate controls andprocedures.

These conditions apply to political contributionsmade directly or indirectly by an enterprise, itsemployees or intermediaries. Contributions coveredby the rule include those made to political parties,party officials, candidates or organizations, or anyother individuals engaged in politics. The term“contribution” is not defined, but is generallyunderstood to mean contributions of cash or in-kindsupport for a political party, cause or candidacy.

Implementation

Bribery through political contributions is a particularrisk depending upon the nature and location of anenterprise’s activities. Guidelines in this section canbe used to establish new control measures or tostrengthen existing ones.

Contributions Policy

A threshold question for signatory companies iswhether to establish a bright-line prohibition againstsome or all political contributions. This policydetermination should take into account business,administrative and legal considerations. Bright-lineprohibitions can be easier to administer, and alsosafer, but may not always be a practical option. On

the other hand, campaign finance laws in somecountries may already prohibit or sharply restrictcontributions by businesses.

An enterprise that prohibits some or all politicalcontributions activity should make this known in itsCode of Conduct. Programmes that permitlegitimate contributions activity will need to developreasonably detailed guidelines that implementcontrols for anti-circumvention, transparency andcompliance with law mandated by Section 4.2.These are described in greater detail below.

Programme guidelines should define coveredactivities. They should explain, for example, thatcontributions may be in-kind as well as financial andthat Programme controls apply whether a politicalcontribution is made directly or through an agent orother independent person or entity. Guidelinesshould also identify applicable restrictions andcontrol procedures, such as contribution limits(maximum contributions are often set by local law),management approval procedures (common abovecertain de minimis thresholds) and record keepingand reporting requirements.

Transparency and Consistency with Law

Section 4.2.2 requires that political contributions betransparent and made only in accordance withapplicable law.

Transparency requires accurate record keeping.Corporate political contributions should be fairly andaccurately identified in enterprise accounts.Contributions should never be made from secret orother offline accounts, or made indirectly throughcorporate personnel, agents or other persons. The

18

4.2 Political Contributions

The PACI Principles

4.2.1 The enterprise, its employees or intermediaries should not make direct or indirect contributions topolitical parties, party officials, candidates, organizations or individuals engaged in politics, as asubterfuge for Bribery.

4.2.2 All political contributions should be transparent and made only in accordance with applicable law.

4.2.3 The Programme should include controls and procedures to ensure that improper politicalcontributions are not made.

Section 4 of the PACI Principles establishes guidelines for an enterprise’s anti-Bribery policy and standards ofconduct. This is the substantive Programme component.

prohibition on indirect contributions should includeenterprise reimbursement of political contributionsmade by individuals (this is an express prohibition inmany countries that restrict corporate politicalcontributions). The form of and channels used tomake a contribution should be scrutinized forsuspicious circumstances.13

An enterprise’s commitment to limiting politicalcontributions to those “consistent with applicablelaw” should be supported by appropriate controlsfor confirming that the laws of relevant jurisdictionsare identified and followed. This can be a challengefor companies with an international presence. Rulesgoverning corporate contributions vary from onecountry to the next, and sometimes even within acountry. While some laws prohibit corporatecontributions entirely, others merely limit contributionlevels or impose public disclosure or reportingrequirements. Compliance is further complicated bythe intricacies of many laws. Important distinctionsmay be made, for example, based on an entity’sstatus (whether domestic or foreign) or for differentkinds of contribution activity.

Controls and Procedures

The directive that a Programme “include controlsand procedures to ensure that improper politicalcontributions are not made” may be satisfiedthrough training, due diligence, record keeping andoversight practices.

A number of measures can be employed to managepolitical contributions activity. Prior-approvalprocedures are common, and these are sometimescombined with a more or less formal committeestructure to review and authorize politicalcontributions. Programmes also may establishselective restrictions by country (e.g. whereprohibited) or for particularly complex or sensitivecontribution categories. Enterprises with significantcontributions activity typically designate a politicalcontributions expert from the legal department orcompliance office to field inquiries and help withother compliance activities.

In addition to these management and oversighttools, targeted policy guidance can be developed foran enterprise’s government relations personnel, aswell as advisers and political consultants. Contractmeasures described in Section 5.2 of the Handbookcan also be adapted for contribution controlpurposes.

19

Discussion

As with political contributions, the PACI Principlesrecognize that charitable contributions andsponsorships may be made for legitimate businesspurposes but must be monitored to preventcircumvention of the Bribery prohibition. Section 4.3requires that contributions and sponsorships betransparent, made only in accordance with applicablelaw and subject to appropriate controls andprocedures.

Charitable contributions are payments made for thebenefit of society, for charitable, educational, socialwelfare and similar purposes. The payments are madewithout demand or expectation of business return.This category of activity includes participation in socialinvestment programmes, which can involve importantand valuable contributions to social and economicdevelopment but also heightened corruption risk.

Sponsorship is a transaction where the enterprisemakes a payment, in cash or in kind, to associate itsname with an activity or other organization. Inconsideration for the sponsorship fee, the enterprisereceives rights and benefits such as the use of thesponsored organization’s name, advertising creditsin events and publications, use of facilities andopportunities to promote its name, products andservices. Sponsorship is a business transaction andpart of promotion and advertising.

Implementation

Charitable and sponsorship activities are common,and most companies should be able to addressPACI concerns through incremental adjustments toestablished controls.

Policy Guidelines

Practices described in the preceding section forpolitical contributions also apply to charitablecontributions and sponsorship activity. Programmesshould have specific guidelines and procedures forpreventing circumvention of the Bribery prohibition.These should be reflected in policy documents andeffectively communicated to relevant personnelthrough training and other means.

Transparency and Consistency with Law

Charitable contributions and sponsorships should betransparent and in accordance with applicable law.Payments should be fairly and accurately recordedin corporate accounts. As with politicalcontributions, reputational risk can be a goodpractical measure. Activities that might embarrassthe enterprise if publicly disclosed warrant particularscrutiny.

Controls and Procedures

An enterprise should have reasonable controls forpreventing improper charitable contributions andsponsorships. These typically address due diligence,management approval, monitoring anddocumentation.

• Due diligence. Reasonable inquiry should be madeto determine that charitable organizations andrecipients of sponsorship are not conduits forBribery. Standard due diligence procedures can beemployed to verify a recipient organization’s bonafides and confirm its ability to perform the activityfor which a donation or sponsorship is given.

20

4.3 Charitable Contributions and Sponsorships

The PACI Principles

4.3.1 The enterprise should ensure that charitable contributions and sponsorships are not used as asubterfuge for Bribery.

4.3.2 All charitable contributions and sponsorships should be transparent and made in accordance withapplicable law.

4.3.3 The Programme should include controls and procedures to ensure that improper charitablecontributions and sponsorships are not made.

Charitable contributions and sponsorships are another potential corruption channel, subject to comparablecontrols for preventing Bribery.

• Approval procedures. Sponsorship is a routinebusiness transaction and, as such, should beapproved and administered within the normalpurchasing process. Designated levels ofapproval for charitable contributions should beestablished, with appropriate reporting andoversight.

• Monitoring and documentation. Proceduresshould provide for monitoring and tracking ofcharitable contributions and sponsorshippayments to be sure they are applied to theintended purpose. Findings should be recordedand reviewed periodically by management toconfirm that payments fall within the policy andguidelines.

21

Discussion

The PACI Principles establish as an aspirational goalthe eventual elimination of facilitation payments, butalso recognize that for the immediate future suchpayments may be allowed under some Programmes.To prevent abuse, signatory companies that continueto permit facilitation payments must clearly describethis exception’s limited scope and establish effectivecontrol procedures.

Implementation

In the first instance, the making of facilitation paymentswill be a question of law for an enterprise dependingupon the specific anti-corruption statutes governingits business activity. Some but not all laws establishedpursuant to the OECD Convention exempt facilitationpayments from general prohibitions. Activities subjectto restrictive laws should comport with those laws.

Where facilitation payments are exempt fromapplicable statutes dealing with Bribery of foreigngovernment officials, an enterprise may makefacilitation payments.

Local Law Prohibition

Section 4.4.1(a) directs enterprises to “explain” intheir Programme that facilitation payments aregenerally illegal in the foreign country concerned.This explanation should be conveyed through policydocuments, training and other appropriate means.

Programmes should recognize the difficult practicalissues that can be raised by facilitation payment

demands. Local law prohibitions notwithstanding,facilitation demands by minor public officials arecommon in many parts of the world. Many suchdemands are routine and can be managed throughrestrictive Programme standards. In some instances,however, refusal to respond to an extortionatedemand may carry significant business consequencesor even raise threats to life and health.

Signatory companies are encouraged to develop anoversight process for handling non-routine facilitationdemands. This responsibility is often assigned to asenior compliance expert, but may also be managedthrough a compliance committee. In either case, theprocess can be used to identify common facilitationdemands and formulate appropriate policy responses.

Guidance on Exception Limits

Section 4.4.1(b) requires an enterprise to explain inits Programme that facilitation payments “are of limitedscope and must be appropriately accounted for”.

Programme guidance on facilitation payments shouldreflect applicable legal standards. Under most anti-corruption laws (and all those in conformance with theOECD Convention), payments exempted fromliability must be modest and can only be made tofacilitate routine governmental actions to which anenterprise is already entitled. The facilitationprovision in the US Foreign Corrupt Practices Act isillustrative. It limits exempt facilitation to “routinegovernment action”, defined narrowly to mean:

“only an action which is ordinarily and commonlyperformed by a foreign official in (i) obtaining

22

4.4 Facilitation Payments

The PACI Principles

4.4.1 Recognizing that facilitation payments are prohibited under the anti-bribery laws of most countries,enterprises which have not yet eliminated them entirely should support their identification andelimination by (a) explaining in their Programme that facilitation payments are generally illegal in theforeign country concerned; (b) emphasizing in their Programme that they are of limited nature andscope and must be appropriately accounted for; and (c) including in their Programme appropriatecontrols and procedures for monitoring and oversight of facilitation payments by the enterprise andits employees.

Facilitation payments: These are small payments made to secure or expedite the performance ofroutine action to which the enterprise is entitled.

Charitable contributions and sponsorships are another potential corruption channel, subject to comparablecontrols for preventing Bribery.

permits, licenses, or other official documents toqualify a person to do business in a foreign country;(ii) processing governmental papers, such as visasand work orders; (iii) providing police protection, mailpick-up and delivery, or scheduling inspectionsassociated with contract performance or inspectionsrelated to transit of goods across country; (iv)providing phone service, power and water supply,loading and unloading cargo, or protectingperishable products or commodities fromdeterioration; or (v) actions of a similar nature.”

Enterprise employees and agents must understandthat facilitation payments can only be made tosecure certain qualifying routine actions and notwhenever payments will “facilitate” a desiredobjective.

Controls and Procedures

Section 4.4.1(c) directs that an enterprise include inits Programme “appropriate controls and proceduresfor monitoring and oversight of facilitation paymentsby the enterprise and its employees”.

Control procedures typically address the followingareas:

• Identification and assessment. Facilitation issuesshould be analysed as part of the riskassessment process. Timelines can be used toidentify common payment demand points and todevelop appropriate policy responses.

• Employee training and guidance. Corporate policyshould be communicated to employees, withparticular attention to high-risk activities.Programme materials and training can be used toidentify government actions considered “routine”and eligible for facilitation. Personnel should alsoknow when and how to obtain complianceguidance.

• Approval procedures. Prior-approval requirementsmay be considered above de minimus levels.Authorization also may be considered on a categorybasis, for certain business activities and regions.

• Record keeping and reporting. Procedures shouldbe established for internal reporting of facilitationdemands and accounting when payments aremade. These should take into account relevantlegal considerations.

• Monitoring and oversight. Reported facilitationdemands and payments should be reviewed forconsistency with enterprise policy. At-riskpersonnel should also be queried periodically toconfirm knowledge of and conformance withapplicable standards and procedures.

23

Discussion

The PACI Principles recognize that gifts, hospitality andpayment of expenses are necessary and reasonablebusiness activities and also that custom and practicevary across societies. Guidelines in this section areintended to prevent using gifts and hospitality orexpense payments as a subterfuge for Bribery.

The terms “gift”, “hospitality” and “expenses” are notdefined, but are intended to have their ordinarymeaning. A “gift” is anything of value (goods orservices as well as money) given as a mark offriendship or appreciation. “Hospitality” is generallyunderstood to mean entertaining, meals, tickets toevents and other similar activities associated withbusiness development and relationship building.“Expenses” refers to reimbursement of travel andsimilar expenses incurred by a prospective client,customer or business partner.

Implementation

Corporate ethics Programmes typically includepolicies on giving and acceptance of gifts, hospitalityand expense reimbursement. At most signatorycompanies, these general policies will satisfy PACIBribery concerns or can easily be modified to do so.

Standards

Programme policies can be flexible in recognizingand accommodating local customs and culturaldifferences, but should set out clear standards ofconduct and guidelines for preventing improperconduct. Policies should apply to all businessrelationships and transactions.

Guidance

Programmes should identify covered activities andprovide enterprise personnel with reasonablydetailed guidance on restrictions, approvalprocedures and reporting requirements.

Oversight

An enterprise should have reasonable controls andprocedures for preventing Bribery. Specific referenceis made in Section 4.5.2 to threshold and reportingrequirements common to many Programmes. Thesegenerally set levels for gifts, hospitality and expensepayments above which reporting is required. Controlprocedures can also be used to establish prior-approval requirements above a certain level.

24

4.5 Gifts, Hospitality and Expenses

The PACI Principles

4.5.1 The enterprise should prohibit the offer or receipt of gifts, hospitality or expenses whenever sucharrangements could improperly affect, or might be perceived to improperly affect, the outcome of aprocurement or other business transaction and are not reasonable and bona fide expenditures.

4.5.2 The Programme should include controls and procedures, including thresholds and reportingprocedures, to ensure that the enterprise’s policies relating to gifts, hospitality and expenses arefollowed.

This final section establishes guidelines for preventing improper gift, hospitality and expense practices.

Discussion

Section 5 identifies the structural and proceduralrequirements “that an enterprise should meet, at aminimum, when implementing the Programme.”They give operational meaning to the PACI principlethat an enterprise match its commitment with aneffective Programme of internal procedures andcontrols.

Programme requirements are addressed in eightseparate categories. The first category, in Section5.1, emphasizes the importance of high-levelleadership and a good organizational structure forcompliance. This is followed in Section 5.2 byguidelines for applying Programme requirements toaffiliates, joint ventures, agents and other businesspartners. Section 5.3 discusses screening,evaluation and other Human Resources practicesnecessary to an open compliance environment.

Three additional categories address training (Section5.4), advice and reporting channels (Section 5.5)and other communications (Section 5.6). The finaltwo categories deal with internal control and auditpractices (Section 5.7) and management oversight(Section 5.8).

These eight categories, when implemented, willconstitute the basis of an effective Programme.

25

5 Programme Implementation Requirements

The PACI Principles

The following sets out the requirements that an enterprise should meet, at a minimum, when implementingthe Programme.

Section 5 of the PACI Principles describes the minimum requirements when implementing the Programme.

Discussion

Section 5.1 places ultimate responsibility for anenterprise’s Programme on its board of directors, or“equivalent body” for enterprises with a differentgovernance structure. As in other areas of corporategovernance, the responsibility is one of generaldirection and oversight. Directors are expected to beknowledgeable about the anti-corruptionProgramme, to provide “leadership, resources andactive support for management’s implementation ofthe Programme” and to ensure that the Programmeis reviewed periodically for effectiveness.

Operational responsibility rests with an enterprise’schief executive officer (CEO), or executive board fororganizations with this management structure. Theresponsibility is to see “that the Programme iscarried out consistently with clear lines of authority”.Having “clear lines of authority” means a reasonableand effective management structure for complianceactivities. Programme responsibility may beredelegated, but only to high-level managers with adirect reporting line to the CEO or executive board.

In addition to these oversight responsibilities, anenterprise’s board, CEO and senior management are

expected to demonstrate “visible and activecommitment” to implementation of the PACIPrinciples. Practices that demonstrate suchleadership are identified in the discussion thatfollows.

Implementation

The board and senior management are responsiblefor creating and maintaining an environment thatactively promotes compliance with the commitment.This has both leadership and organizationalcomponents.

Step 1: High-level Leadership

Implementation should begin with a strong andunambiguous statement of commitment from anenterprise’s senior leadership. The board and seniormanagement must make clear to everyone in theorganization that they are serious about theProgramme and have made it a high priority. If anenterprise’s leaders do not appear to takecompliance seriously, neither will its employees.

26

5.1 Organization and Responsibilities

The PACI Principles

5.1.1 The Board of Directors (or equivalent body) is responsible for overseeing the development andimplementation of an effective Programme.

5.1.2 The Programme should be based on the PACI Principles and the Board (or equivalent body) shouldprovide leadership, resources and active support for management’s implementation of the Programme.

5.1.3 The Board (or equivalent body) should ensure that the Programme is reviewed for effectiveness and,when shortcomings are identified, that appropriate corrective action is taken.

5.1.4 The Chief Executive Officer (or executive board) is responsible for seeing that the Programme iscarried out consistently with clear lines of authority.

5.1.5 Authority for implementation of the Programme should be assigned to senior management withdirect line reporting to the Chief Executive Officer or comparable authority.

5.1.6 The Board of Directors (or equivalent body), Chief Executive Officer (or executive board) and seniormanagement should demonstrate visible and active commitment to the implementation of the PACIPrinciples.

This initial implementation category addresses minimum Programme requirements for leadership andorganizational structure.

Commitment Statements

Communication of the leadership commitmentbegins with an enterprise’s policy statement andother formal written documents. As explained inSection 4.1, Codes of Conduct and policystatements set basic enterprise policy andcompliance expectations. With the appropriatewording and tone, they can also be used tocommunicate high-level engagement andseriousness of purpose.

Commitment statements should reflect goodcommunication practice. Programme documents aremost effective when they (a) convey organizationalcommitment in simple, understandable language(rather than technical legal formulations); (b) emphasizethat compliance is an organizational priority; and (c)make clear that the policy applies to everyone withinthe organization (one company, one set of rules).

Where feasible, communications should combine adirective to follow corporate policy with positivereasons for doing so. It can be especially helpful toexplain the larger social and economic issues at stake.Line personnel are being asked to forego practicesthat may be common elsewhere and still considerednecessary by some. Understanding the reasons forthis approach can help to minimize resistance.

Demonstrating Commitment

Policy documents are a necessary starting point, butonly part of what should be a broader leadershipeffort. As in other areas important to an enterprise,careful planning is needed to inform the relevantstakeholders about Programme goals andexpectations. Primary stakeholder groups include anenterprise’s directors, management, businesspersonnel and support groups (e.g. audit, legal,human resources). The planning process in Section3 can be used to shape the Programme messagefor these discrete groups and to devise effectivecommunication strategies.

In addition to facilitating initial Programme “roll-out”,the planning process can be used to identifyleadership tools for periodically refreshing thecommitment message. Many companies include apersonal statement from the CEO or other seniorbusiness manager when Code or other Programmematerials are circulated. Other commoncommunication tools include periodic remindersfrom senior management to key personnel,statements at management meetings, newslettersand training directives.

Matching Words and Actions

Enterprise leaders can reinforce the compliancemessage through staffing and other resourceallocation decisions, attention to Programme details,participation in planning and implementationactivities and other similar actions.

Educating Enterprise Leaders

Programme guidance provided to directors andsenior management can be another importantmarker.

Leadership education is implicit in the PACI guidelinethat the board “oversee” development andimplementation of an effective Programme and thechief executive officer see that an effectiveProgramme is carried out. Basic knowledge of theparticular information and reporting systemsemployed by the enterprise is a predicaterequirement for concluding that the system isadequate. Just as important is the opportunity tosend the message that Programme requirements,including education and training, apply to everyonein the organization as appropriate.

An enterprise’s commitment to leadership educationdoes not mean that directors and senior managersmust participate in routine training activities. Contentcan be tailored to supervisory and oversightresponsibilities and communicated via pre-existingchannels. For directors, necessary information maybe provided through additions to standard “BoardBook” materials and periodic Programme briefings asrequired. As an example of the latter, many companiesthat manage compliance through an audit or otherspecialized committee supplement this with anannual briefing for the entire Board. This may also bepart of a larger, more comprehensive complianceand ethics report to the board or its committees.

Step 2: Organizational Structure

High-level leadership should be matched by anappropriate organizational structure for complianceactivities with clear lines of authority.

Many enterprises find it helpful to formalizeProgramme functions and responsibilities in a writtenpolicy document. Organizational plans may restatean enterprise’s policy commitment, assign Programmeresponsibilities and list minimum implementationrequirements.

27

Discussion

Business activities are conducted through a varietyof legal structures, including controlled subsidiaries,joint ventures, consortiums and teamingagreements. Programme requirements have beenextended to these relationships because of thepotential for corruption, especially in high-riskmarkets.

Section 5.2 identifies guidelines for differentcategories of business relationships. Requirementsare calibrated based on the degree of enterprisecontrol and the nature of the relationship. Signatorycompanies are expected to extend Programmerequirements in all material respects to the activitiesof branch offices, wholly-owned subsidiaries andother controlled entities. More limited guidelines,detailed in separate sections, are established forjoint ventures, agents, suppliers and contractors.

28

5.2 Business Relationships

The PACI Principles

The enterprise should apply its Programme in its dealings with subsidiaries, joint venture partners, agents,contractors and other third parties with whom it has business relationships.

Section 5.2 establishes guidelines for applying Programme requirements to different kinds of businessrelationships. Details vary depending on the extent of control and nature of the relationship.

5.2.1 Subsidiaries

This first section addresses Programme coverage for branch offices, wholly-owned subsidiaries and othercontrolled entities.

Discussion

Programmes should be designed and implementedon an enterprise-wide basis, applicable in all materialrespects to controlled subsidiaries. A controlledsubsidiary is any entity in which the parent companyhas a majority equity interest or otherwise exerciseseffective control over operations. Full Programmecoverage should also extend to controlled branchoffices.

Implementation

Programme coverage for controlled subsidiaries andbranch offices should be at the same level, and withthe same basic standards and requirements, as atthe parent company. In operational terms, thismeans providing for comparable employee training,reporting channels, oversight and other Programmeactivities. Practice can be tailored to reflect localneeds and circumstances, provided thatimplementation is otherwise consistent withProgramme requirements in “all material respects”.

The PACI Principles

5.2.1.1 The Programme should be designed and implemented on an enterprise-wide basis, applicable in allmaterial respects to controlled subsidiary entities.

5.2.1.2 The enterprise should undertake measures to see that the conduct of subsidiary entities isconsistent with the International Business Principles.

Programme planning and evaluation, including riskassessment, should be managed on an enterprise-wide basis. Coverage for controlled subsidiaries andbranch offices should be explicit, with clearly definedlines of responsibility, reporting and accountability. Inmost cases, it will be appropriate to extendProgramme coverage and requirements directly tocontrolled subsidiaries. Where this is not feasible, anenterprise should work with the subsidiary to developand implement a comparable Programme of its own.

Section 5.2.1.2 directs companies, to “undertakemeasures to see that the conduct of subsidiaryentities is consistent with the PACI Principles.” As

appropriate to the corporate structure, if subsidiariesoperate independently and have their owncompliance functions, periodic assurance from asubsidiary’s senior business manager thatProgramme requirements are being followed mightbe required. Such assurances may be in the form ofan annual certification that reports on enforcementexperience, overall Programme effectiveness andfuture implementation planning. Annual certificationis discussed in Section 5.8. Coordination also canbe addressed through enterprise-wide compliancecommittees and appointment of subordinatecompliance managers.

29

5.2.2 Joint Ventures

Section 5.2.2 identifies Programme requirements for business conducted through non-controlled entities,including joint ventures, minority-controlled subsidiaries, consortium partners, teaming agreements andnominated subcontractors.

The PACI Principles

5.2.2.1 Due diligence should be conducted before entering into a joint venture, and on an ongoing basis ascircumstances warrant. The Programme should provide guidance for conducting due diligence.

5.2.2.2 The enterprise should undertake appropriate measures, including contract protections, to ensurethat the conduct of joint ventures is consistent with the PACI Principles.

Discussion

Joint ventures and other legal structures for sharingbusiness risk are common. It is important tounderstand the challenges they pose for Programmeimplementation. Joint venture partners, especially localcompanies in high-risk countries, have been a commonavenue for corruption. The PACI Principles recognizethat an enterprise’s ability to control third-partyactivities may be limited. At the same time, they requirea reasonable and good faith effort to prevent conductthat could not be taken directly by the enterprise.

Section 5.2.2 establishes two basic requirements.The first is that an enterprise undertake reasonabledue diligence to confirm the suitability of a potentialbusiness partner. Many companies already include acorruption screen in their normal pre-venture

reviews, and for those not currently covered, theadditional administrative burden should be modest.The second Programme commitment is toundertake “appropriate” measures to ensure thatconduct by the venture is consistent with the PACIPrinciples. The foremost of such measures includeprophylactic contract provisions.

The diligence “due” before entering into a joint venture,and on an ongoing basis as warranted, will dependon specific risks and circumstances. This is a flexiblestandard, requiring companies to use their goodfaith judgment to determine the appropriate leveland frequency of review for a particular businessrelationship or project. Similar considerations governjudgments about the specific measures deemed“appropriate” to ensure that venture conduct remainsconsistent with the PACI anti-corruption commitment.

Implementation

This section describes general industry practices forextending Programme requirements to activitiesconducted through joint ventures and other similarbusiness structures.

Planning and Guidelines

Even more than in other business contexts, effectivecompliance for joint ventures requires carefuladvance planning and clear guidelines for personnelwith implementation responsibility.

Initial planning and guidelines development can beconducted as part of the general planning processdescribed in Section 3 of the Handbook. Joint ventureactivities should be evaluated for corruption risk andalso for the quality and effectiveness of anti-corruptionprocedures and controls. Resulting action plans canbe used to develop general guidelines for applyingProgramme requirements to joint venture activities.

Due Diligence

Section 5.2.2.1 mandates due diligence review forall joint ventures, as warranted, before entering intothe relationship and “on an ongoing basis ascircumstances warrant”.

For anti-corruption purposes, the essential duediligence requirement is to “know one’s partner”. Inoperational terms, this means making appropriateinquiries to determine whether a potential businesspartner is honest, ethical and can reasonably beexpected to abide by its contract commitment torefrain from Bribery. Primary areas of inquiry includea potential partner’s business qualifications (e.g.whether expertise and experience match businessobjectives), its ethics reputation and record (e.g.whether there is evidence of past corruption) and itspersonnel and their relationships (e.g. the nature andextent of governmental ties).

An ethics questionnaire or other standarddocuments may be used to focus due diligencereviews, and can be helpful and appropriate for apotential business partner to supply this informationat the outset. Information provided by a potentialpartner may be assessed independently and

compared with data from other sources. Additionalinformation sources include an enterprise’s owngovernment (especially consular officials), publicrecords (often, although not always, available in thepartner’s home country), general publications(accessible through web searches) and specializedinvestigative firms.

The diligence due for a particular relationship orproject will depend on specific circumstances andassociated corruption risk. In general, investigationshould be more thorough where corruption risk ishigh and can be more limited where perceived risk islow. Monitoring for corruption risk is an ongoingobligation. For joint ventures with a high level ofassociated risk, the ability to have periodic reviewsshould be considered. Whether or not periodicreviews are scheduled, an enterprise should monitorfor red flags and promptly investigate suspiciouscircumstances.

Management Approvals

Management approvals are an important means ofcontrolling risk. Most companies already requirehigh-level approval before entering into substantialjoint venture or other third-party businessrelationships. Corruption factors should be anexplicit factor in this analysis, incorporatinginformation developed through project-specific duediligence and risk assessment reviews.

Contract Protections

Prophylactic contract provisions are anotherimportant Programme tool. They are one of several“appropriate measures” an enterprise is expected to“undertake [...] to ensure that the conduct of jointventures is consistent with the PACI Principles.”

Many companies find it advantageous to devisestandard contract language for use on an enterprise-wide basis. Such provisions are added to theinventory of general representations, warranties andprotections available for joint venture agreements.

These typically include a representation/warranty to comply with law and remedies should includesuspension/termination at the option of the innocent party.

30

Documentation

Implementation activities should be fully documented.

31

5.2.3 Agents, Advisers and Other Intermediaries

Section 5.2.3 addresses Programme requirements for business conducted through an agent, adviser or other intermediary.

The PACI Principles

5.2.3.1 The enterprise should undertake due diligence before appointing an agent, adviser or otherintermediary, and on an ongoing basis as circumstances warrant.

5.2.3.2 The Programme should provide guidance for conducting due diligence, entering into contractualrelationships and supervising the conduct of an agent, adviser or other intermediary.

5.2.3.3 Due diligence review and other material aspects of the relationship with the agent, adviser or otherintermediary should be documented.

5.2.3.4 All agreements with agents, advisers and other intermediaries should require prior approval of seniormanagement.

5.2.3.5 The agent, adviser or other intermediary should contractually agree in writing to comply with theenterprise’s Programme and should be provided with materials explaining this obligation.

5.2.3.6 Provision should be included in all contracts with agents, advisers and other intermediaries relatingto access to records, cooperation in investigations and similar matters pertaining to the contract.

5.2.3.7 Compensation paid to agents, advisers and other intermediaries should be appropriate and justifiableremuneration for legitimate services rendered and should be paid through bona fide channels.

5.2.3.8 The enterprise should monitor the conduct of its agents, advisers and other intermediaries andshould have a contractual right of termination in case of conduct inconsistent with the Programme.

5.2.3.8.1 All agreements with agents, advisers and other intermediaries should require prior approval ofsenior management.

5.2.3.8.2 The agent, adviser or other intermediary should contractually agree in writing to comply with theenterprise’s Programme and should be provided with materials explaining this obligation.

5.2.3.8.3 Provision should be included in all contracts with agents, advisers and other intermediaries relating toaccess to records, cooperation in investigations and similar matters pertaining to the contract.

5.2.3.8.4 Compensation paid to agents, advisers and other intermediaries should be appropriate and justifiableremuneration for legitimate services rendered and should be paid through bona fide channels.

5.2.3.8.5 The enterprise should monitor the conduct of its agents, advisers and other intermediaries and shouldhave a contractual right of termination in case of conduct inconsistent with the Programme.

Discussion

Agents, advisers and other intermediaries areanother source of potential corruption risk forsignatory companies. The PACI Principles recognizethe valuable contribution of these relationships inmany areas of business, but require measures toprevent Bribery.

As in joint venture relationships, an enterprise’sprimary responsibility is to undertake reasonable duediligence to confirm the suitability of a prospectiveagent, adviser or other intermediary as thecircumstances warrant. Many companies alreadyinclude a corruption screen in their normal reviewpractices in such cases, and for most it should bepossible to address additional PACI directivesthrough incremental adjustments to existing practice.

As elsewhere, the diligence due before entering intoan agent relationship, and on an ongoing basis, willdepend on specific risks and circumstances. Thisflexible standard requires an enterprise to exerciseits good faith judgment to determine the appropriatelevel and frequency of review for a particularbusiness relationship.

Section 5.2.3 enumerates six specific Programmerequirements in addition to conducting reasonabledue diligence. Each is discussed in theimplementation section below. Briefly, they directthat an enterprise provide its employees withguidance for conducting due diligence, entering intocontractual relationships and supervising a retainedagent or other intermediary. Guidance shouldaddress documentation requirements, approvalprocedures, contract protections, compensationpractices and performance oversight.

Requirements in this section apply to all businessrelationships with agents, advisers and other similarintermediaries. These coverage terms are notdefined, but are generally understood to mean aperson or entity authorized to act for or on behalf of,or to otherwise represent, an enterprise infurtherance of its business interests. For ease ofreference, the discussion that follows uses the term“agent” to mean advisers and other intermediariesas well.

Implementation

PACI standards for agent relationships are moredetailed than in other areas because of theheightened corruption risk. Some suggestedpractices are summarized below.

Planning and Guidelines

Signatory companies should establish specificguidelines and procedures for applying Programmerequirements to relationships with agents. This isimplicit in the directive in Section 5.2.3.2 that anenterprise “provide guidance” for conducting duediligence, entering into contractual relationships andsupervising an agent’s conduct.

Guidelines should explain when and how theProgramme applies to the appointment andsupervision of an agent, identify personnelresponsible for implementation and describe relevantanti-corruption standards and procedures. The lattershould include practices enumerated in this section.Guidelines for applying the Programme to agentrelationships can be developed as part of theSection 3 planning process.

Due Diligence

The diligence due for a particular agent relationshipwill depend on specific circumstances and associatedcorruption risk. As a general matter, inquiry shouldbe more thorough where corruption risk is high andcan be more limited where perceived risk is low. Aswith joint ventures, high-risk relationships maywarrant periodic review to confirm an agent’scontinuing suitability to represent the enterprise.

Practices described in the preceding section for jointventures also apply to due diligence review for agentrelationships. The operative requirement is todetermine whether a prospective agent is honest,ethical and reasonably likely to abide by its contractcommitment to refrain from Bribery. Priority areas forreview include a prospective agent’s businessexpertise and experience, reputation and ethicsrecord, and possible relationships with governmentor enterprise customers that could heightencorruption risk. Threshold judgments should also bemade about the need for an agent.

32

Ethics questionnaires or other standard documentationmay be used to focus due diligence review.Information supplied by a prospective agent shouldbe assessed independently and compared with datafrom other sources. Inquiry for most relationshipsshould include a reasonable search for publicinformation about a prospective agent (e.g. throughmedia reports, official public records). In addition,reputational inquiry in the local business communityand through official sources (e.g. one’s own consularofficials) will often be appropriate. For significantrelationships in high-risk markets, specializedinvestigative services should be considered.

Management Approval

Section 5.2.3.2 directs that all agency relationshipsreceive “prior approval of senior management”. Aformal approval process is recommended, with clearlines of responsibility and guidelines fordocumentation and oversight.

Contract Protections

Standard provisions for use on an enterprise-widebasis are generally recommended. Most importantly,a warranty by the agent that they will act consistentwith law should be included in agent contracts.Consideration to a breach resulting insuspension/termination may be considered.14

Compensation

Section 5.2.3.2.5 establishes three basic guidelinesfor compensation of agents. An agent should onlybe compensated for “legitimate” services; fees andcommissions should be reasonable in relation to theservices provided; and payment should be throughbona fide channels.

The restriction on compensation to “legitimateservices” is intended to reinforce the basic PACIprohibition on Bribery. An enterprise may not retainan agent to engage in prohibited conduct – forexample, to secure “an improper advantage” ingovernmental or commercial procurement.

The directive that compensation for an agent’sservices be “appropriate and justifiableremuneration” addresses the problem of excessivepayments used to finance Bribery. What isappropriate and justifiable will depend on thespecific services procured, unique agentcharacteristics (e.g. quality of service, reputation)and relevant market conditions. Where feasible,compensation terms should be benchmarkedagainst arrangements for similar services within theenterprise and at other similarly situated companies.

The requirement that payments to agents only bemade through bona fide channels is a standardaccounting control. Programme guidelines shouldrequire that compensation arrangements be openand transparent, made through reputable financialchannels and properly recorded in enterpriserecords. Requests for unusual paymentarrangements should be treated as a red flag,triggering heightened scrutiny and other measures toprevent Bribery.

Monitoring

Provision should be made for monitoring agents.Practices described in Section 5.7 can be used todevelop agent-specific procedures and controls.

33

Discussion

This final category of business relationshipsaddresses potential corruption risk from enterprisedealings with contractors, subcontractors andsuppliers. The guidelines differ in two respects fromthose for other types of relationships. Section 5.2.4draws attention to an enterprise’s own procurementpractices, and its application of other Programmerequirements is more limited. Both differences reflecta presumption that business dealings are on an“arm’s length” basis with independent entities.

The coverage terms “contractor”, “subcontractor”and “supplier” are not defined in the PACI Principles,but are meant to have their normal and customarymeaning. For ease of reference, the Handbook usesthe term “contractor/supplier” to mean any non-controlled person or entity that provides goods orservices to an enterprise under contract. A“subcontractor” is a person or entity that providesgoods or services to a contractor/supplier.

The threshold requirement for contractor/supplierrelationships is that an enterprise conduct its ownprocurement in a “fair and transparent manner”.Fairness and transparency relate to the processrather than any particular award procedure.Procurement may be on a competitive bid or solesource basis, at an enterprise’s discretion, so longas the process is reasonable under thecircumstances and subject to appropriate oversight.

The PACI intention is to prevent corruption byenterprise personnel in dealings with contractorsand suppliers as a subterfuge in dealings with thirdparties.

Section 5.2.4.2 further requires that an enterprisedetermine whether prospective contractors/suppliershave effective anti-Bribery policies of their own. Aswith other business relationships, signatorycompanies are expected to make reasonable inquiryto confirm that a contractor/supplier can be reliedupon to comply with the zero tolerance policy inenterprise-related business activities. The standardof inquiry is a flexible one, intended to encouragereview appropriate to the particular relationship andcircumstances.

A signatory company is expected to make known itspolicy to contractors/suppliers, establish appropriatecontract protections and monitor contractor/supplierconduct for consistency. As with other types ofrelationships, implementation should be tailored toreflect the level and type of corruption risk specific toa particular relationship or transaction.

Implementation

Practices described earlier for joint venture andagent relationships can be modified for use withcontractors/suppliers.

34

5.2.4 Contractors, Subcontractors and Suppliers

Section 5.2.4 establishes Programme guidelines for enterprise relationships with contractors, subcontractors andsuppliers.

The PACI Principles

5.2.4.1 The enterprise should conduct its procurement practices in a fair and transparent manner.

5.2.4.2 The enterprise should undertake due diligence, as appropriate, in evaluating contractors,subcontractors and suppliers to ensure that they have effective anti-bribery policies.

5.2.4.3 The enterprise should make known its anti-bribery policies to contractors, subcontractors andsuppliers. It should monitor their conduct and should have a contractual right of termination in caseof conduct inconsistent with the Programme.

Fair and Transparent Procurement

The Section 5.2.4.1 requirement that procurementbe conducted in a fair and transparent mannerreflects standard industry practice and can besatisfied at most signatory companies throughexisting procedures and controls.

Although not expressly required by the PACI Principles,signatory companies are encouraged to developformal written procurement guidelines that can beused by responsible personnel and evaluatedperiodically for effectiveness. Guidelines typicallyaddress procurement eligibility, award procedures,management approval requirements, documentationand oversight. Written guidelines can besupplemented with targeted training and throughother implementation practices described in theHandbook.

Due Diligence

Section 5.2.4.2 mandates “due diligence, asappropriate, in evaluating contractors, subcontractorsand suppliers to ensure that they have effective anti-Bribery policies.”

As with other types of business relationships, theessential due diligence requirement is to know withwhom one is doing business. This requires, at aminimum, ascertaining whether a prospectivecontractor/supplier has an effective anti-corruptionpolicy.

The phrase “as appropriate” is intended to conveyflexibility in applying the due diligence requirement todiverse business relationships. Enterprises areexpected to use their good faith judgment todetermine the appropriate level and frequency ofdue diligence review. Often, informal discussionswith responsible compliance managers together withprotective contract measures may suffice. Whereperceived corruption risk is high, however, moreextensive inquiry may be necessary.

Monitoring for corruption risk is an ongoingobligation. As in other contexts, periodic reviewsshould be considered for contractor/supplierrelationships with a high level of associated risk.Whether or not periodic reviews are scheduled, an

enterprise should monitor for red flags and promptlyinvestigate suspicious circumstances.

Notice

Section 5.2.4.3 directs that an enterprise “makeknown its anti-Bribery policies to contractors,subcontractors and suppliers.”

Notice is most certain and effective when conveyedthrough an appropriate contract provision. Sampletext described earlier for joint venture and agentrelationships can be modified for use withcontractors/suppliers. Where a formal contractprovision is not feasible, notice of the enterprise’santi-corruption policy and Programme requirementsshould be conveyed in writing to a responsiblesenior official of the contractor/supplier anddocumented in enterprise records.

Whether notice is communicated through a formalcontract provision or management letter, theenterprise should make clear its commitment to itsanti-bribery policy and its expectation that thecontractor/supplier and its employees and agentswill act consistently with the policy.

Monitoring

Section 5.2.4.3. contains two additionalrequirements, one relating to contract monitoringand the second to relief when non-complianceoccurs.

Monitoring practices described elsewhere in theHandbook can be tailored for use incontractor/supplier relationships. These relate toplanning, employee guidelines, managementapprovals, documentation and reporting, andmanagement oversight.

Contract relief, including a right of termination in theevent of non-compliance, can be addressed throughstandard contract provisions, using the sameguidelines and sample text described earlier for jointventure and agency relationships. Although notexpressly required for contractor/supplieragreements, compliance managers may considerincluding modified versions of the warranty andcooperation provisions.

35

Discussion

The effectiveness of an enterprise’s Programmedepends to a substantial degree on theunderstanding, commitment and performance of itsemployees. HR practices are a primary tool forshaping this compliance environment.

The PACI Principles recognize that HR practices varyfrom company to company and that no one set ofpractices will be appropriate to all companies. Thedirective to reflect Programme commitment in anenterprise’s HR practices is accordingly quitegeneral. Signatory companies are expected toexercise good faith judgment in deciding how bestto meet this stated objective. Representativepractices are offered for consideration in theimplementation section below.

Two exceptions to this flexible standard should benoted. Section 5.3.2 requires an enterprise to makeclear that compliance with the Programme ismandatory for all personnel and that a refusal to paya bribe will not trigger adverse action if it results inlost business. Section 5.3.3 further provides thatappropriate sanctions be established and applied forviolations of the Programme, up to and includingtermination of employment. Both provisions aredesigned to demonstrate the seriousness of anenterprise’s commitment to the zero tolerance policy.

Implementation

This section describes general industry practicesthat can be used to shape the HR component of anenterprise’s Programme.

Screening of New Hires

Programmes typically include a basic screeningprocedure to confirm that personnel in high riskpositions are honest, ethical and can be trusted tofollow an enterprise’s legal and ethics rules.

Care should be taken to comply with applicableprivacy or other employment law protections. Theseconsiderations are not unique to corruptionscreening, and as in other areas are best managedin coordination with employment law experts.

Conditions of Employment

Enterprise personnel should understand thatcompliance with Programme requirements is anorganizational priority and condition of employment.This message should be communicated to new hiresas part of the induction process and reiteratedperiodically.

All personnel should be on notice that “compliancewith the Programme is mandatory” (Section 5.3.2)and that non-compliance is subject to serioussanction, up to and including termination ofemployment (Section 5.3.3). Communication is mosteffective when in writing, and in some jurisdictionsformal notice may also be a precondition for takingdisciplinary employment action.

36

5.3 Human Resources

The PACI Principles

5.3.1 The enterprise’s commitment to the Programme should be reflected in its Human Resources practices.

5.3.2 The enterprise should make clear that compliance with the Programme is mandatory and that noemployee will suffer demotion, penalty or other adverse consequences for refusing to pay bribeseven if it may result in the enterprise losing business.

5.3.3 The enterprise should apply appropriate sanctions for violation of the Programme, up to and includingtermination in appropriate circumstances.

Section 5.3 establishes guidelines for a signatory company’s Human Resources (HR) practices, includingprotections for employees who refuse to pay bribes and sanctions for Programme violations.

Enterprise expectations can be communicatedthrough Code certifications and, where formalemployment contracts are negotiated, throughexpress contractual provisions. In both cases, goodcommunication practices should be followed. Codeand contract documents serve educational as wellas legal purposes, and accordingly should be writtenin non-technical terms easily understood by theintended audience.

A growing number of companies require new hiresto review the corporate Code of Conduct and sign acertification statement upon induction. Suchstatements typically confirm that a new employeehas received and reviewed the Code, and are madepart of the employee’s permanent record. MostCode certifications are general, covering a widerange of legal and business ethics rules includingbut not limited to Bribery prohibitions. Corruption-specific certifications may also be considered forsensitive positions. In addition to certifying receiptand review of Code or other enterprise policydocuments, certifications can be used to putemployees on notice that non-compliance mayresult in termination of employment.

Training

New employees should receive information aboutthe enterprise’s Programme as part of their inductiontraining. Appropriate continuing training should beprovided thereafter. This topic is covered in Section5.4 of the Handbook.

Communications

Secure and accessible channels should beestablished for seeking implementation guidance,reporting suspicious circumstances and suggestingProgramme improvements. These practices areaddressed in Section 5.5 of the Handbook.

Performance and Evaluation

As has been noted, Section 5.3.2 requires anenterprise to make clear that compliance with theProgramme is mandatory for all personnel and thatemployees will not be penalized if refusal to pay abribe results in lost business.

A common employee concern is that a decline inbusiness, for whatever reason, may lead to adversepersonnel action, potentially including reducedcompensation, demotion or even loss ofemployment. When an employee’s productivity

declines, it can be very difficult to determine theexact reason. The PACI commitment is to a goodfaith effort to isolate and protect employees fromthose losses.

Good faith can be demonstrated through specificHR practices. These include:a) A clear and unequivocal statement of enterprise

policy b) Periodic supplemental directives (reminders) to

management personnelc) Heightened oversight of the evaluation process

Reminders should be provided regularly, as part ofgeneral Programme training for managers and inconjunction with annual employee evaluations.

Discipline

Guidelines should also be developed to ensure thatappropriate disciplinary action is taken whenviolations occur, consistent with the Section 5.3.3directive.

This Programme element has three aspects. First,discipline must be “appropriate” to thecircumstances. While the form of sanction may vary,and may not always warrant termination ofemployment, judgments should reflect theProgramme objective of deterring future violations aswell as punishing the offending conduct. Second,disciplinary action should be applied consistently.This means imposing similar sanctions for similarmisconduct. Third, accountability should extend toall aspects of the Programme.

37

Discussion

Training is a primary tool for communicatingProgramme standards and procedures to enterprisepersonnel.

The PACI Principles require “specific training on theProgramme” for managers, employees and agents.Specific training means targeted education thatpromotes an understanding of the anti-corruptioncommitment and all relevant rules and procedures.Signatory companies have flexibility in deciding onthe most effective combination of training and othercommunication tools.

Training content and methods should be tailored toemployee responsibilities. All personnel, includingagents, should receive basic information about theProgramme and enterprise expectations, includingprompt reporting of concerns or suspiciouscircumstances. This information typically iscommunicated through an enterprise’s businessCode and as part of general employee training.Personnel engaged in marketing and other high-riskactivities generally need more detailed guidance,which may be provided through written policystatements, training and related educational tools.Business managers should also receive specifictraining, geared to their respective Programmeresponsibilities.

Section 5.4.2 provides for signatory companies tomake training available to contractors and suppliers“where appropriate”. Decisions about when to offertraining support and in what form should reflect anenterprise’s corruption risk profile. In some cases,participation in training sessions developed for

enterprise personnel may be desirable, while inothers sharing of training materials or other supportfor a contractor/supplier’s own compliance effortsmay be a more practical option.

Implementation

Practices described in this section reflect recentcompliance innovations that can be used tostrengthen an enterprise’s existing trainingcapabilities.

Planning

Training can be a difficult compliance challenge evenfor the most experienced enterprises. Thecompliance message must reach different audienceswithin an organization, often with varying degrees ofsophistication, experience and education. For manysignatory companies, language and culture will be afurther complicating factor. Decisions also need tobe made about training content, tailoring for differentgroups, methods and frequency.

One common response has been to develop moreformal processes for planning and implementingtraining activities. Planning typically is part of anannual review, with compliance and businessmanagers working together to identify training needsby business and job function. Reviews can be usedto evaluate training methods and materials, establishminimum training requirements, assign trainingresponsibilities and assess effectiveness. Relianceon computer software to schedule and monitortraining for individual employees is common.

38

5.4 Training

The PACI Principles

5.4.1 Managers, employees and agents should receive specific training on the Programme, tailored torelevant needs and circumstances.

5.4.2 Where appropriate, contractors and suppliers should receive training on the Programme.

5.4.3 Training activities should be assessed periodically for effectiveness.

Section 5.4 addresses the training component of an enterprise’s Programme.

Training Content

Although all enterprise personnel are expected toreceive “specific training on the Programme”, detailswill vary and should be “tailored to relevant needsand circumstances”.

All personnel should receive basic information aboutthe Programme, including an explanation of thepolicy and what it covers, and guidance on whenand how to obtain compliance advice or reportconcerns (reporting channels are addressed inSection 5.5). This is also an opportunity toemphasize the affirmative obligation of all personnelto promptly report suspicious circumstances. As hasbeen noted, basic Programme information can beprovided through an enterprise’s business Code andgeneral employee training.

Personnel engaged in high-risk activities, such asmarketing and procurement, should receive moredetailed guidance. Managers and other employeesin these categories need not be experts on thepolicy, but they should know enough to avoidobvious violations and to red flag other conduct thatmay be problematic. They should understand, forexample, the different forms Bribery can take andthat the policy applies whether a payment is madedirectly or through an agent or business partner.Depending on an employee’s particularresponsibilities, guidance on political or charitablecontributions, facilitation payments or other specificpractices may also be appropriate.

Specialized guidance is provided through anti-Bribery guidelines and targeted training. Policystatements and other Programme materials used forthis purpose are discussed in Section 4.1, andtraining methods are addressed below. Trainingcontent and methods should match jobresponsibilities. As an example, training formarketing personnel should focus on common salesand procurement risks, while the comparabletraining for a manager would emphasize oversightresponsibilities. More advanced training should alsobe considered for personnel in the legal departmentor compliance office responsible for answeringemployee inquiries and investigating reportedconcerns.

Trainers

Training should be conducted by qualified personnelwith appropriate knowledge of the subject andeffective communications skills. Expertise can bedeveloped within the enterprise or provided throughan outside expert, and many Programmes do both.

The planning process can be used to match trainerswith training activities. Code and other basicemployee training is often provided by generalists inan enterprise’s HR department or ethics office, whilemore specialized functions may require support fromthe legal department or an outside expert. Examplesof the latter include skills training (especially fortrainers and managers), materials development andother technical support.

Whether training is for basic awareness orspecialized functions, an enterprise’s compliancemanager should work with the trainers to shape thetraining message and substantive details.Coordination may be informal or, as in somecompanies, achieved through targeted Programmetraining for trainers.

Methods

An enterprise should use training methods bestsuited to its needs and circumstances. Although in-person training is usually most effective, this may notalways be a practical option. Common alternativesinclude instructional videos and computerizedtraining modules, and these are often mixed with in-person training where possible.

Programmes typically have some form of “blendedtraining” that combines several training methods. Acommon practice is to use written Programmematerials and general Code training for basicawareness, online training for more in-depthknowledge, and in-person sessions or seminars onmore technical matters for select job functions.Online training can be a useful adjunct forspecialized training, especially for companies with alarge and geographically dispersed workforce.

Where feasible, training content should be tailored toreflect an enterprise’s actual business and riskprofile. Training is much more effective when

39

presented in concrete terms that relate to anemployee’s responsibilities and experience. Use ofcase scenarios is common, and these can beespecially helpful when drawn from actual industrypractice.

Frequency

New employees should receive basic informationabout the enterprise’s Programme as part of theirinduction training, and on a continuing basisthereafter. Specialized training for personnel in high-risk areas similarly should be provided uponcommencement of those responsibilities, withperiodic updating. Frequency should reflect thenature and degree of risk. Updating on an annual orbiennial basis is common.

Certifications

Training certifications are a standard compliancefeature, used to acknowledge receipt of Code orother Programme materials. They can also be usedto confirm participation in training sessions,adherence to Programme requirements andknowledge of reporting obligations and channels.

The most basic and common formulation is anacknowledgment that an enterprise’s Code hasbeen received and reviewed. Many Programmesalso ask personnel to confirm that they understandcompliance rules and have followed them, and arenot aware of violations by others. Although lesscommon, certifications can also be used todocument training. Certifications may be renewedperiodically, and usually are maintained in anemployee’s personnel file.

Documentation

Certification procedures and other less formal meanscan be used to record employee participation intraining sessions, seminars and other educationalactivities. Many Programmes now collect thisinformation in a computerized format so that it canbe easily aggregated for reporting and assessment.Documentation of planning and otherimplementation activities will facilitate requiredperiodic training assessments.

40

Discussion

Compliance Programmes are most effective inorganizations that encourage employees and othersto seek expert advice when questions arise and toreport suspected wrongdoing promptly forinvestigation and response. To this end, anenterprise is expected to supplement traditionalcommunication channels with a secure channel forraising Bribery concerns.

Prompt reporting is encouraged through an opencompliance environment. Enterprise personnel,agents and business partners must be persuadedthat reporting is an organizational priority, and theymust have confidence that good faith inquiries andreporting will be taken seriously and not lead toretaliation. This is a basic leadership responsibilityand challenge, to be achieved through practicesdescribed in Section 5.1 and elsewhere in theHandbook.

The Programme requirement is that “secure andaccessible” channels be provided for raisingcompliance concerns and reporting suspiciouscircumstances (commonly referred to as “whistle-blowing”). A “secure” channel is one through whichcommunication can be made in confidence andwithout risk of reprisal. Neither anonymity noroutsourcing is required, but in their absence othermeasures to secure the reporting channel may benecessary. An “accessible” channel is one that is

easy to use, in a compatible language, and widelypublicized within the enterprise. Telephone hotlinesare a common Programme option.

Confidential reporting is matched by a policy toprovide channels for seeking compliance advice andsuggesting improvements to the Programme. Formany companies, the practical benefit from a goodadvisory channel will be many times greater than forthe reporting hotline. An enterprise’s employees andagents are its compliance front line. If training hasbeen effective, frequent questions should arise aboutthe zero tolerance policy’s applicability to particularsituations and personnel should have practicalsuggestions for Programme refinements.

Companies should make advice and reportingchannels available to “employees and others”.Reference to “others” is meant to include agentsand business partners who may engage in activitiessubject to Programme standards and requirements.In both cases, prospective advice about themeaning and scope of applicable Briberyprohibitions can help to avoid confusion and preventviolations of law or corporate policy. Agents andbusiness partners can also be a valuable source ofinformation for risk assessment and other pro-activecompliance activities.

41

5.5 Raising Concerns and Seeking Guidance

The PACI Principles

5.5.1 The Programme should encourage employees and others to raise concerns and report suspiciouscircumstances to responsible enterprise officials as early as possible.

5.5.2 To this end, the enterprise should provide secure and accessible channels through whichemployees and others can raise concerns and report suspicious circumstances (“whistle-blowing”)in confidence and without risk of reprisal.

5.5.3 These channels should also be available for employees and others to seek advice or suggestimprovements to the Programme. As part of this process, the enterprise should provide guidance toemployees and others on applying the Programme’s rules and requirements to individual cases.

This fifth Programme category emphasizes the importance of a compliance environment that encourages promptraising of concerns and reporting of suspicious circumstances.

Implementation

PACI requirements may be satisfied through hotlineand other common practices for building andmaintaining an open compliance environment.

Encouraging Prompt Reporting

The enterprise commitment to an open complianceenvironment can be conveyed through targetedleadership communications (Section 5.1), training(Section 5.4), performance evaluations and other HRpractices (Section 5.3) and mandatory contractprovisions (see, for example, Section 5.2).

Basic information about confidential reporting channelsand other protections should be included in Code andother Programme materials. These materials canalso be used to remind personnel of their obligationto raise compliance concerns promptly with asupervisor or through other designated channels.

Reporting Channels

Programmes typically provide multiple channels forraising compliance concerns and reportingsuspicious circumstances.

It is traditional and most common for personnel toreport compliance concerns to a responsiblesupervisor. This channel is often supplemented by aseparate contact point in the legal department orcompliance office for expert advice. Additionalmechanisms that permit more confidential reportinginclude hotlines, suggestion boxes, employee exitinterviews, e-mails and other means for promotinginformation exchange.

For many companies, some form of hotline servicewill be the easiest and most effective way to satisfythe PACI confidentiality directive. Companies thatalready maintain a general hotline for raising legaland ethics concerns may adapt these for Programmeuse. For others, information about hotline optionsand evolving industry practice can be obtained froma variety of sources, including service vendors.

Hotline services raise a number of practical issuesfor Programme planning:

• Operation. Hotline services can be operatedinternally or through an independent serviceprovider. Independent services are easier toadminister and may instil greater confidence inpotential “whistle-blowers”, but they can also bemore expensive and may not be practical in someregions. Enterprise-run hotlines are a reasonableProgramme option, provided suitable measuresare taken to preserve confidentiality andemployee confidence.

• Anonymity. A second question is whether to allowemployees and business partners to raiseconcerns on an anonymous basis. Anonymitymakes it easier and more likely for people to usethe system, but also harder for complianceofficials to evaluate and follow up on reportedconcerns. Hotlines often balance theseconsiderations by offering anonymity but alsoencouraging individuals making reports to identifythemselves on a confidential basis.

• Accessibility. A third planning considerationrelates to hotline accessibility. Decisions will needto be made about hours of operation (“24/7”vendor answering service is ideal, but can bedifficult to replicate in enterprise-run hotlines) andlanguage compatibility (translation needs shouldbe identified).

In addition to providing for a confidential reportingchannel, Programmes should have a protocol forprocessing and investigating compliance inquiriesand reports. Protocols typically address recordkeeping requirements, confidentiality protections,responsibility for investigations and reporting (usuallyto the audit committee). They are also used topreserve attorney-client and other legal privileges,and to ensure appropriate follow up with the originalreporting source (i.e. whistle-blower).

Compliance Advice

Enterprise personnel should be encouraged to seekcompliance guidance per the enterprise’s policies,which may include a contact point in the legaldepartment or compliance office and, in someProgrammes, access to a hotline or otherconfidential mechanism for raising sensitivequestions. These various channels should beidentified in Programme materials and throughtraining and other communications tools.

42

Discussion

An enterprise should have “effective mechanisms”for internal communication of its anti-corruptionProgramme. This is a non-specific directive,intended to ensure that reasonable means areemployed to communicate relevant Programmeinformation to employees, agents and businesspartners. Such means include written Programmematerials, employee training, protective contractprovisions and other similar measures.

Enterprises are encouraged to publicly disclose theircommitment to the policy. Many companies will havealready aligned themselves publicly with the PACIPrinciples, through the PACI signatory process. Thisidentification can be reinforced through otherstandard communication practices. Such publiccommunications advance Programme objectives inseveral ways. They supplement the internalcompliance message to an enterprise’s employeesand business partners, and put potential bribers onnotice that corruption will not be tolerated.

An enterprise’s anti-bribery commitment can bepublicized in a number of different ways, dependingon the target audience. These include statements,annual reports or other communications toshareholders and other stakeholders, commitmentstatements on an enterprise’s website and in itsCode of Conduct and other Programme materials,and directives and protections in contracts withsuppliers, agents and other business partners.

In addition to publicly disclosing the commitment tozero tolerance on Bribery, signatory companiesshould “be open to receiving communications fromrelevant interested parties with respect to its Policyfor countering Bribery”. This is an application of thegeneral directive in Section 3.5 to keep abreast ofevolving developments in compliance practice.Public and private organizations can be a valuablesource of information about corruption risk andevolving compliance practice.

Implementation

Procedures described elsewhere in the Anti-corruption Handbook can be used to implement thesection 5.6 communication directive.

Internal communication practices are addressed,respectively, in the Handbook guidance onleadership, HR practices, training and confidentialreporting channels. Practices for communicatingProgramme requirements and expectations tobusiness partners are described in Section 5.2.External communication directives may be satisfiedthrough established corporate public relationschannels and practices.

43

5.6 Communication

The PACI Principles

5.6.1 The enterprise should establish effective mechanisms for internal communication of the Programme.

5.6.2 The enterprise should publicly disclose its policy for countering Bribery.

5.6.3 The enterprise should be open to receiving communications from relevant interested parties withrespect to its policy for countering Bribery.

Section 5.6 contains general guidelines for the communications component of an enterprise’s Programme.These supplement more specific directives found elsewhere in the PACI Principles.

Discussion

Requirements in this section target the looseaccounting practices commonly associated withBribery. They require an enterprise to maintain fairand accurate financial accounts, subject to effectiveinternal controls, periodic verification audits and aninternal process for continual improvement of thesystem. For most signatory companies, thisessentially restates applicable law and financialpractice.15

The baseline accounting requirement is that anenterprise maintain accurate books and records.This standard reflects established financialaccounting rules that mandate accuratedocumentation, in fair and reasonable detail, of alltransactions and other dispositions of assets. Theexpress prohibition of “off-the-books accounts”acknowledges the historical use of such accounts todisguise corrupt payments.

Accounting requirements are to be supported by aneffective system of internal controls, defined inSection 5.7.2 to include both financial controls andorganizational checks and balances. The PACIexpectation is that the enterprise have internalcontrols sufficient to provide a prudent manager withreasonable assurance that the Programme iseffective and operating as intended. This is a flexible

standard, meant to provide high-level but notabsolute assurance. It is understood that internalcontrols cannot prevent or detect all conductinconsistent with the Programme.

The directive in Section 5.7.3 to establish feedbackmechanisms and other internal processes for identifyingopportunities for improvement is a corollary to the“reasonable assurance” measure for internalcontrols. What is reasonable will change over time,as improvements strengthen a Programme.

The final guideline in this section requires that anenterprise subject its internal control system to periodiccompliance audits. Once again, this reflects establishedpractice at most, if not all, signatory companies.

Implementation

An enterprise’s general accounting, control and auditprocedures may be used to satisfy PACIrequirements. Planning should focus on necessaryadjustments to reflect corruption risks and relatedProgramme activities.

Fair and Accurate Records

The directive to maintain fair and accurate recordsshould be considered in relation to specific nationallaws and regulations governing an enterprise’sbusiness activity. Although basic requirements will be

44

5.7 Internal Controls and Audit

The PACI Principles

5.7.1 The enterprise should maintain accurate books and records, which properly and fairly document allfinancial transactions. The enterprise should not maintain off-the-books accounts.

5.7.2 The enterprise should establish and maintain an effective system of internal controls, comprisingfinancial and organizational checks and balances over the enterprise’s accounting and recordkeeping practices and other business processes related to the Programme.

5.7.3 The enterprise should establish feedback mechanisms and other internal processes designed tosupport the continuous improvement of the Programme.

5.7.4 The enterprise should subject the internal control systems, in particular the accounting and recordkeeping practices, to regular audits to verify compliance with the Programme.

Section 5.7 identifies guidelines for an enterprise’s accounting and audit practices. These should be used to testand confirm compliance with the Programme.

similar in most jurisdictions, especially those withanti-corruption laws based on the OECD Convention,there may be differences in some details.16

As a general matter, a signatory company maysatisfy the PACI requirement through application ofGenerally Accepted Accounting Principles or othercomparable financial accounting standards. Anenterprise’s books, records and accounts shouldcorrectly record the financial facts of a transactionand other information that may be necessary todirect a reviewer’s attention to possible illegality orimpropriety. Books should be maintained on acurrent basis, with transactions recordedchronologically and supported by appropriatedocumentation. Care should be taken to establish acomprehensive filing system that creates an audittrail by transaction from origin to completion.

Historically, off-the-books “slush funds” have been acommon source for Bribery payments. These areaccounts financed by commissions and other receiptsnot recorded in an enterprise’s official books. ThePACI standard requires that an enterprise establishan express and absolute rule against maintaining orusing such accounts. Internal and independentauditing of accounts is a necessary precaution toreduce this risk.

Enterprise policy should also address so-called“special purpose entities”, which have been anothercommon funding source for corrupt payments. Useof such entities is strictly regulated by the securitieslaws in many countries.

The PACI requirement applies to all transactions andother asset dispositions. In addition, enterpriserecords should reflect steps taken to implement thecompliance Programme (such as records foremployee training, due diligence review of agentsand other business partners and compliancereporting to senior management). These additionalrecords are essential to the Programme auditprocess, described below, as well as to the periodicsenior management reviews required by Section 5.8.

Effective Internal Controls

The requirement that records be maintained in a fairand accurate manner is to be enforced through

reasonable internal controls. Internal control refersgenerally to the steps taken by an enterprise toensure that accounting and other directives arebeing followed. This is a large topic, about whichuseful practical information is available from variouspublic and private sector sources. Signatorycompanies are encouraged to work with theirexternal auditors and other experts to identify andimplement relevant anti-corruption control practices.

The PACI expectation is that an enterprise will havereasonable controls for testing and confirmingcompliance with all significant Programme elements.This is reflected in the directive in Section 5.7.2 that“an effective system of internal controls” beestablished and maintained not only for financialmatters but also for “other business processesrelated to the Programme.” Such other processesinclude, among others, employee and agentscreening, anti-corruption training, compliancecertifications, communications channels for adviceand reporting and various management approvalrequirements.

An “effective” control system is one that providesreasonable assurance that Programme requirementshave been properly designed and implemented andare being followed. As in other compliance contexts,reasonableness depends on an enterprise’sparticular risk profile and other circumstances,including size.

Companies that already have a substantial system ofinternal controls may use these to satisfy the PACIdirective. However, existing control systems typicallyrequire some adjustment to reflect corruption-specific risks and Programme activities. Additionalcontrols are often needed for unique Programmeactivities (such as agent due diligence or charitablecontribution controls) or to highlight corruption-specific accounting risks (such as slush funds ordisguised payments).

Continuous Improvement

The directive in Section 5.7.3 to “establish feedbackmechanisms and other internal processes designedto support the continuous improvement of theProgramme” reflects standard accounting practice.Although an enterprise is only expected to have a

45

system of internal controls that provides reasonableassurance to a prudent manager, what is reasonablewill change over time and with experience.Programmes accordingly are expected to have anappropriate process for identifying shortcomings andmaking improvements.

Continuous improvement applies to the full range ofProgramme activities, again including but not limitedto accounting and record keeping practices. Auditreviews are a primary source of information for thecontinuous improvement process, supplemented byhotlines and other channels used for Programmecommunications.

Periodic Auditing

The final point requirement in this section is that anenterprise subject its internal controls to regularaudits to verify Programme compliance. Section5.7.4 does not specify a particular audit procedure,and a comprehensive review of audit practices isbeyond the scope of this Handbook. The PACIexpectation is that an enterprise will adapt itsexisting audit practices to address Programmeconcerns.

Although no particular audit procedure is required bythe PACI Principles, there are some generalpractices that could be considered.

• Formal planning. Auditing is most effective whenconducted pursuant to a formal written plan.Plans are used to establish audit priorities,standards and timing for reviews.

• Audit responsibilities. Reviews normally aremanaged through an enterprise’s audit department,in coordination with independent auditors.Compliance managers also have an importantrole, working with auditors to develop corruption-specific guidelines and to respond to problems.

• Scope of review. Auditing should address allrelevant Programme requirements. Accountingand record keeping practices are a primary auditfocus, but reviews should also test compliance

with screening, training, management approvaland “other business processes related to theProgramme”.

• Auditor profile. Audit reviews should beconducted by personnel with experience in theareas being audited and who are independentfrom the activities being reviewed. Care should betaken to ensure that they have requisite skills,training and judgment to make reasonableassessments.

• Methods. Audit information can be gatheredthrough a variety of methods. In addition tofinancial records review, these may include (a) sitevisits; (b) interviews with responsible personnel inmanagement, operations and the compliancearea; (c) questionnaires to a cross-section ofenterprise personnel; (d) review of Programmedocumentation (such as agent screening reports);and (e) trend analyses to identify deviations fromexpectations or past practice. In appropriatecircumstances, information may also be gatheredfrom an enterprise’s agents and businesspartners.

• Spot audits. Spot auditing is common in thegovernment procurement area, where some largegovernment contractors routinely target home-country transactions on a random basis forcomprehensive review – i.e. unravelling thetransaction to test financial records. This can alsobe an effective practice for high-risk internationalprocurements.

• Documentation and reporting. Audit activitiesshould be properly documented, with respectboth to the process and findings. Seriousproblems should be reported promptly to seniormanagement and the audit committee, withcorrective actions taken or recommended. Seniormanagement and the board should also receiveregular status reports on Programmeimplementation, including follow-up monitoring forcorrective actions.

46

Discussion

Oversight is an essential part of the leadershipcommitment described in Section 5.1. An enterprise’sboard and senior management are charged withlaunching the Programme; they then have acontinuing responsibility to monitor implementation,evaluate Programme effectiveness periodically andsee that necessary improvements are made.

Section 5.8 places primary responsibility formonitoring and evaluation on an enterprise’s seniormanagement. As used here, monitoring refers toongoing supervision and oversight of Programmeoperations. Evaluation is a separate process,requiring periodic assessment of “the Programme’ssuitability, adequacy and effectiveness”. A “suitable”Programme is one that is tailored to an enterprise’sparticular needs and circumstances; an “adequate”Programme has sufficient resources and coverage;and an “effective” Programme is one in which the nobribes objective is being achieved in practice.

Frequency is not specified, but annual evaluationsare generally recommended. Programme reviewscan be coordinated with implementation planningand audit procedures described elsewhere in theHandbook. Once they are reported to the enterpriseboard (or equivalent body), the board has a furtherresponsibility to “receive and evaluate” these reports.

Implementation

In most cases, as with an enterprise’s internalcontrol and audit practices, existing procedures forhigh-level oversight may be adapted to satisfyProgramme monitoring and evaluation requirements.

General Considerations

Monitoring and evaluation should be centrallyorganized and managed under the direction ofsenior enterprise officials responsible for overallimplementation.

The PACI Principles do not prescribe particularprocedures for Programme monitoring andevaluation. However, there is an expectation thatpractice at signatory companies will reflect recentcorporate governance innovations. High-leveloversight has been a priority focus in recent years,resulting in requirements for corporate boards andsenior management that are more formal and morestringent. These rules establish a regulatory baselinefor public companies and can be a useful source ofpractical information for others.

In general, the litmus test for an oversight process iswhether it provides enterprise leadership with sufficientinformation to confirm that an anti-corruptionProgramme has been properly designed andimplemented and is being followed. The informationrequired, and associated monitoring and evaluationpractices, will depend on such factors as anenterprise’s compliance history, size, organizationalstructure, culture and corruption risk profile.

47

5.8 Monitoring and Review

The PACI Principles

5.8.1 Senior management of the enterprise should monitor the Programme and periodically review theProgramme’s suitability, adequacy and effectiveness and implement improvements as appropriate.They should periodically report the result of the Programme review to the board, audit committee orequivalent body.

5.8.2 The board, audit committee or equivalent body should receive and evaluate periodically anassessment of the adequacy of the Programme.

This final implementation category addresses the responsibility of an enterprise’s senior leadership to monitor theProgramme and periodically review it for effectiveness.

48

Monitoring

Section 5.8 monitoring may be satisfied through anyreasonable oversight procedure.

Monitoring by senior management serves twoimportant purposes. First, it should confirm thatbasic Programme requirements are being followed.Second, it should communicate high-levelcommitment to the Programme, demonstrating thatsenior management is engaged. Audit reviews are aprimary tool for monitoring Programmeimplementation and may be supplemented bycompliance questionnaires, certifications, reportsand other less formal means for gatheringinformation. As in other areas, established enterprisepractices should be adjusted to highlightProgramme priorities.

The monitoring by senior management required inSection 5.8 is focused on such questions as whetheremployee and agent screening is being conducted,effective training is being provided and managementapproval requirements are being followed.Monitoring for compliance in particular businesstransactions is a separate operational responsibility,addressed elsewhere in the Handbook.

Employee use of communication channels for seekingcompliance advice can be an especially goodindicator of overall Programme effectiveness. Asexplained in the Handbook section on training, thefocus for most personnel is on red flagging potentialconcerns. If the system is working, an enterprise’sexperts should be receiving periodic inquiries.

Periodic Evaluation

Programme evaluation is closely related to monitoring,but with a different focus. In addition to confirmingcompliance with established standards andprocedures, reviews must be able to identifyshortcomings in the Programme and opportunitiesfor improvement. Section 5.8 contemplates thesame basic process for “continuous improvement”described earlier for auditing. In an area that hasseen so much change in recent years,benchmarking to identify innovative compliancepractices will also be important.

No specific procedure is mandated for seniormanagement evaluations, but there is anexpectation that an enterprise will develop asubstantial oversight process appropriate to itscircumstances. Because of the range andcomplexity of issues presented, a formal process forperiodic evaluations is generally recommended.

Although formal Programme evaluation may be newto many signatory companies, most will be able todraw on relevant experience from other areas.

• Programme planning. Planning and evaluationprocedures described in Section 3 can beadapted for Section 5.8 Programme reviews.

• Programme audits. Connection can also bedrawn to the Programme auditing processdescribed in Section 5.7. Although Section 5.8reviews have broader scope, they cover much ofthe same ground.

• Related laws. Oversight practices developedpursuant to statutory or regulatory requirementscan also be adapted for Programme use.Examples from US law include “executivecertifications” for securities filings, “managementreviews” of financial controls and Programmeassessments under the US SentencingGuidelines.17

Sections 5.8 reviews should be coordinated with anenterprise’s annual planning process for training andother Programme activities. Many Programmesrequire senior business managers to certifycompliance by their units. “Roll-down” certificationsto subordinate managers are also common, and canbe an effective oversight tool when supported byreasonable inquiry and documentation. A morestructured alternative (and best practice) is to keybusiness unit compliance reviews to an annualplanning process that looks retrospectively at thepast year’s experience and prospectively at trainingand other needs.

Board Oversight

Programme evaluations by an enterprise’s seniormanagement should be reported to and reviewed bythe board. Reporting typically is through anenterprise’s audit committee or other boardoversight committee, with periodic status updates tothe entire board.

Review by the board is less detailed than what isexpected of senior management, in keeping with theboard’s more general oversight responsibility inSection 5.1.1. As in other oversight contexts, boardoversight should focus on the adequacy andreliability of the evaluation process (in scope, detailand frequency) and on senior management findings,including recommended changes. Board reviewshould also confirm that necessary improvementsare being made.

49

Further tools for implementing the PACI Principlesare in development as part of the World EconomicForum’s ongoing anti-corruption initiative. These willoffer additional practical direction on riskassessment, due diligence and other coreimplementation activities. Available materials will behighlighted on the PACI website(www.weforum.org/paci).

There are many useful websites for monitoring anti-corruption developments and related industrypractice. A representative list follows, through whichlinks to additional resources can be found.

World Economic Forum – PACI (www.weforum.org/paci)The PACI home page contains all PACI tools anddocuments available and a listing of all PACIsignatory companies.

Transparency International – Resource Inventory (www.transparency.org)Transparency International maintains acomprehensive inventory of corruption materials,including international conventions, corruptionsurveys, country studies, implementation resourcesand links to other websites.

OECD – Anti-Bribery Convention(http://www.oecd.org/department/0,2688,en_2649_34859_1_1_1_1_1,00.html)The OECD anti-corruption page offers detailedinformation about the OECD Anti-Bribery Conventionand individual national laws adopted under theConvention, including the status of localenforcement efforts.

World Bank – Corruption (www.worldbank.org/corruption) World Bank anti-corruption efforts are describedhere, including relevant procurement policies andenforcement practices. Firms debarred forcorruption reasons are listed, and there are also linksto IBRD, IFC and other bank entities.

United Nations – Corruption (www.unodc.org/corruption.html) This site provides background information aboutvarious UN initiatives, including the GlobalProgramme against Corruption, which assists UNMember States in their efforts to curb corruption; theCrime and Justice Information Network and UNConvention against Corruption. Furthermore, thewebsite of the UN Global Compact – and inparticular the Global Compact 10th Principle on anti-corruption – provides invaluable information forcompanies engaging on the issue(www.unglobalcompact.org).

U4 Anti-corruption Resource Centre (www.u4.no)This useful anti-corruption site offers selectedliterature, implementation tools and an annotatedlisting of public and private sector anti-corruptionorganizations and institutions. The Centre ismaintained by the six member countries of theUtstein Group.

International Chamber of Commerce – Anti-corruption Commission(http://www.iccwbo.org/policy/anticorruption)The ICC anti-corruption page describes Chamberefforts in this area, including development of an anti-corruption Code of Conduct and relatedimplementation tools.

Trace International (www.traceinternational.org)Trace is a non-profit membership association thatspecializes in anti-Bribery due diligence andcompliance training for international commercialintermediaries.

50

6 Additional Resources

51

1 See, for example, the World Bank report “Assessing AID: WhatWorks, What Doesn’t Work and Why”, No. 61123 (ISBN-0-19-521123-5), 2001. The World Bank report and others like itprovide useful source material for understanding adversecorruption impacts and explaining the enterprise commitment toa zero tolerance policy to employees and business partners. Fora concise summary of business reasons for combatingcorruption, see A. Boeckmann, “Taking a Corporate Standagainst Corruption”, World Energy at 94, 2003.

2 Corporate programmes are referred to in some countries as“implementation” programmes and in others as “compliance”programmes. These terms are used interchangeably in theHandbook to mean a systematic process for an enterprise toeducate its personnel with the goal that they understand andcomply with applicable laws and ethics standards. The terms“enterprise” and “company” also are used interchangeably. Bothare non-technical terms intended to include all businessorganizations, whether structured as corporations, partnershipsor in some other form. As in the PACI Principles, capitalization of“Bribery” and “Programme” incorporates by reference theexpansive definitions found in Section 2.

3 The PACI Principles build on general industry guidelinesdeveloped in 2002 by Transparency International and a coalitionof private sector interests, non-governmental organizations andtrade unions. Transparency International’s “Business Principlesfor Countering Bribery” can be found on the organization’swebsite, together with additional guidance on corruption risksand Programme development practices.

4 Anti-corruption websites maintained by governmental andprivate sector organizations can also be a useful source ofinformation about continuing developments. Links to primarywebsites are provided in Appendix A.

5 A good planning process will be especially important for thePACI Principles, given their broad scope and complexity.Procedures in this section address preliminary work plans, riskassessment and Programme evaluation. All three are commonindustry practices.

6 The PACI requirement, in Section 4, directs that in developing itscompliance Programme, “an enterprise should identify andassess specific areas that pose the greatest risks fromcorruption.” Risk assessment is also a common feature in ISOstandards and other general industry guidelines, and in 2004was made a formal requirement for companies subject to USSentencing Guidelines criteria for evaluating corporatecompliance programmes. Programme criteria are enumerated inchapter 8 of the Sentencing Guidelines, which can be found onthe US Sentencing Commission website (http://ussc.gov). Riskassessment is addressed in §8B2.1(c).

7 It is important at this preliminary stage to have as complete apicture of potential risks as possible. Including joint venture andother third-party activities in the risk assessment phase will notpreclude subsequent tailoring of response options, consistentwith guidelines in Section 5.2 for applying Programmerequirements to different types of business relationships.

8 Assessment guidelines should include a cautionary directive toconsider corruption risk in all markets, not just those with highCPI ratings. Corruption can occur anywhere, and this should bereflected in the risk assessment and resulting Programmecoverage.

9 Detailed information about the OECD Convention and individualnational laws adopted under the Convention is available on theOECD website, at http://www.oecd.org.

10 As used here, “policy statement” refers to the baselineProgramme document used to describe an enterprise’s zero

tolerance commitment. Policy statements, Codes of Conductand other standard Programme documents are discussed laterin this section.

11 Corrupt intent is implicit in this formulation. It is treated as adistinct legal element under some laws, including the US FCPA.

12 As used here, the term “bright-line” test refers to the commonpractice of establishing business rules that clearly distinguish(i.e. draw a bright line) between permitted and prohibitedconduct. For clarity and also administrative convenience, suchrules are often more restrictive than required by law. Anenterprise may, for example, decide to bar all politicalcontributions, not just those prohibited by law, in order to avoidhaving to make fine distinctions and deal with the associated legaland reputational risks when mistakes are made.

13 A good practical test, often emphasized in Programme standardsand training, is to ask whether particular contributions activitywould be embarrassing to the enterprise were it to become public.

14 Standard provisions should address four basic areas: (1) Notice.Language that communicates the enterprise’s commitment to azero tolerance policy on Bribery and the expectation thatconduct by the agent will be consistent with the PACI Principlesshould be included in agent contracts. Additional informationabout the enterprise’s Programme should be provided to allagents; (2) Representations and warranties. Many companiesrequire agents to “warrant” that they understand the anti-corruption policy, will not engage in inconsistent behaviour andwill establish appropriate anti-corruption controls of their own;(3) Cooperation. Contracts should establish minimumcooperation requirements, including guaranteed access torecords and personnel, prompt reporting of possible violationsand cooperation in the investigation of alleged violations orsuspicious circumstances; and (4) Remedies. Contracts shouldinclude a provision expressly authorizing remedial action forProgramme violations. Such provisions typically identify seriouscorruption as a material breach of contract, subject to remedialaction up to and including termination. Actionable breach shouldbe defined to include non-compliance with Programme-relatedcontract provisions.

15 Although requirements in this section restate general law andpractice, effective implementation may in some cases requireheightened attention to corruption-specific risks and safeguards.As an example, additional controls may be necessary to confirmthat off-the-books accounts are not being used to facilitatecorrupt payments.

16 Article 8 of the OECD Convention provides in relevant part thatmeasures be taken “to prohibit the establishment of off-the-books accounts, the making of off-the-books or inadequatelyidentified transactions, the recording of non-existentexpenditures, the entry of liabilities with incorrect identification oftheir object, as well as the use of false documents […] for thepurpose of bribing foreign public officials or of hiding suchbribery.” Specific applications of this directive, however, maydiffer by jurisdiction.

17 Executive certifications, also referred to as “Section 302”certifications, require regular written confirmation by anenterprise’s chief executive and financial officers that internalcontrols for accounting and other compliance requirements arein place and have been assessed for effectiveness. “Section404” management reviews, which have a narrower financialfocus, also require regular and comprehensive controlassessments. In addition, recent changes to the US SentencingGuidelines emphasize the importance of regular risk assessmentand updating of compliance practice. These oversightmechanisms, and others of a similar nature outside the US, offera baseline for Section 5.8 reviews.

Footnotes

The World Economic Forum is an independentinternational organization committed to improvingthe state of the world by engaging leaders inpartnerships to shape global, regional andindustry agendas.

Incorporated as a foundation in 1971, and basedin Geneva, Switzerland, the World EconomicForum is impartial and not-for-profit; it is tied tono political, partisan or national interests.(www.weforum.org)