MENA-OECD Business Integrity Training, 22-25 April, Kuwait Organized by the MENA-OECD Investment Programme in cooperation with the IMF-Middle East Center for Economics and Finance Kuweit April 22, 2013

How to assess risk for a company

Presented at the MENA-OECD Business Integrity Training, 22-25 April, Kuwait. Organised by the MENA-OECD Investment Programme in cooperation with the IMF-Middle East Center for Economics and Finance

Session 1: HOW TO ASSESS RISKS FOR A COMPANY

Iohann Le Frapper

As Vice-chair of ICC Corporate Responsibility and Anti-corruption Commission

1.- Interactive session

• We all have part of the truth in matters of integrity
• My contribution to this Training is based on compliance practice and integrity standards
• I am here to speak, to listen and to share: please interrupt me for questions
• There are the national and the international standards
• There are worldwide norms (OECD and United Nations Convention) which are recognized everywhere and good corporate practice which is based on a vast experience
• The anti-corruption standards are universal and each company has to choose its prevention measures according to its culture, its size, its resources, its industry, its business model, etc.

2.- The Basics

The basic rules

a.- UNCAC, OECD, FCPA, UK Bribery Act

b.- The basic terminology:

• economic fraud,
• bribery and corruption,
• various forms of corruption (national and international/public and private/direct and indirect/mother company, subsidiaries and affiliates/trading in influence),
• gifts, entertainment and hospitality, and
• money laundering

3.- Definitions

The term “corruption” covers many aspects of economic fraud

You can have

• large and small corruption
• “street corruption” and “office corruption”
• corruption with money or other undue advantages
• corruption with laundered money or clean money
• corruption from a slush fund or from a regular stream
• national/international, public/private, direct from a company or indirect through an intermediary, mother company or subsidiary and affiliates
• active v. passive
• trading in influence

4.- Risk Assessment I

• A company starts with a Risk Profile/Risk Assessment to identify and prioritize its risks, esp. corruption. Pro-active or crisis mode.
• Risk assessment: cornerstone and critical initial step in designing an effective compliance program.
• It is the task of the highest body of the corporation (the Board or the owner) to define the risks the corporation is ready to take on.
• The basic approach of a risk assessment exercise:
  - identifying risks: scoping
  - measuring them, and
  - managing them.
• Oversight by top-level management: from kick-off to final report
• Prioritization of areas of highest risks: likelihood/frequency? Potential impact?
• As a result of such assessment, the company avoids focusing on false or minor problems.

5.- Risk Assessment II

• Appropriate resources: Risk assessment with internal/external information sources and resources.
• Work plan: need to plan budget, level of activity (e.g. interview list, document review?) and timing.
• Call upon operational people and experts: insurance people, Health, Safety, Environment & Quality (“HSEQ”) people and lawyers
• Typical risks to review: country, industry-specificities, transactions, business opportunities, business partnership/joint venture?
• Identify precisely weak points/processes in the organization (e.g. where are you dealing the most with cash?)
• In which countries do you have business operations where the risk for fraudulent activity is the highest?
• Degree of business with government entities?
• Level of regulation of relevant industry?
• Which supply/marketing channel presents the most challenges?
• Are your intermediaries/business partners a low or high risk for your company?
• Gifts, hospitality and entertainment activities?

6.- Risk Assessment III

• Gap analysis: address whether existing compliance program addresses identified risks?
• Consider ethical awareness survey or interviews to gather data from employees about high risks and knowledge of values and policies of the organisation.
• Next stage: recommendations for design or improvement of internal controls (remediation measures);
• Strength of internal controls: ascertain how compliance program operates in practice.
• Purpose of risk assessment is to educate senior managers, seek their input on findings/report and get their buy-in for anti-corruption program (sponsor must be one senior executive).
• The risk assessment must be documented (to evidence, if needed, the bona fide of anti-corruption program) and monitored;
• Dynamic risk assessment: regular reviews and updates needed to reflect external developments, risk profile changes and lessons learned through action plan’s implementation

7.- Due Diligence

Before joining forces with a new partner, agent, associate or even executive, you should make checks on integrity, competence, reputation

You can do this in very different ways but it should be

• a continuous and sustainable method
• leaving behind a paper trail, and
• no “box ticking”

8.- Adequate Procedures Guidance - UK Bribery Act. Principle 3: Risk Assessment

“The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented”.

http://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf

9.- Adequate Procedures Guidance - UK Bribery Act. Commentary on Principle 3

“3.1 For many commercial organisations, this principle will manifest itself as part of a more general risk assessment carried out in relation to business objectives. For others, its application may produce a more specific stand alone bribery risk assessment. The purpose of this principle is to promote the adoption of risk assessment procedures that are proportionate to the organisation’s size and structure and to the nature, scale and location of its activities. But whatever approach is adopted the fuller the understanding of the bribery risks an organisation faces, the more effective its efforts to prevent bribery are likely to be.

3.2 Some aspects of risk assessment involve procedures that fall within the generally accepted meaning of the term ‘due diligence’. The role of due diligence as a risk mitigation tool is separately dealt with under Principle 4.”

10.- Adequate Procedures Guidance - UK Bribery Act. Procedures for Principle 3

“3.3 Risk assessment procedures that enable the commercial organisation accurately to identify and prioritise the risks it faces will, whatever its size, activities, customers or markets, usually reflect a few basic characteristics. These are:

• Oversight of the risk assessment by top level management.
• Appropriate resourcing – this should reflect the scale of the organisation’s business and the need to identify and prioritise all relevant risks.
• Identification of the internal and external information sources that will enable risk to be assessed and reviewed.
• Due diligence enquiries (see Principle 4).
• Accurate and appropriate documentation of the risk assessment and its conclusions.

3.4 As a commercial organisation’s business evolves, so will the bribery risks it faces and hence so should its risk assessment. For example, the risk assessment that applies to a commercial organisation’s domestic operations might not apply when it enters a new market in a part of the world in which it has not done business before (see Principle 6 for more on this).”