As we continue to develop international and local business in the Philippines, in Asean, in Asia and beyond, there will be more and more pressure on companies to demonstrate that they follow the basic rules in anticorruption, in data-privacy compliance and in cybersecurity. Why?
Because certification standards, covering the above critical areas in doing business, match the expectations of American, British, German, Canadian and other prosecutorial authorities and of business partners; as such, they can be used to benchmark your company’s compliance programs and make sure they align with the expectations of these international authorities and your business contacts.
The certification looks at different requirements, and provides guidance on a range of topics relevant to antibribery, data privacy and cybersecurity compliance, such as financial and nonfinancial controls, internal audits and risk assessments. It also covers personnel, leadership and commitment, and the responsibilities of the governing body, top management and the compliance function.
It also provides a definition of public officials, controlled organizations and business associates, and provides guidance on due diligence and investigating and dealing with bribery cases, data-privacy breaches and cybercrime. In terms of your compliance program, it sets forth requirements for employee awareness and training, having well-designed policies covering the three areas and having reasonable and proportionate control measures in place. Let me add that I am not referring to one certification for all three areas; I am talking about certification for each risk area.
Reasonable and proportionate requirements
You can think of certification standards as including elements that fall under “shall,” “must,” “should” and “may.” That’s because the requirements have different thresholds depending on the size and complexity of your organization. If your organization is large and complex, for example, you’d need more in-depth audits, controls and so on. The key is making sure the requirements are reasonable and proportionate.
An important related concept is the relevance of the requirements. Let’s take antibribery training, for example. The training and the message should be relevant to the targeted group and provided at the appropriate frequency. If you’re a very large company with employees based overseas, your training should be tailored for specific groups based on their location and other variables.
The necessity of documentation
The certification standards emphasize the need to document your compliance activities, from implementing a program to ongoing monitoring to ensure your program is effective. For example, if your company’s bribery risk has changed because your company has ventured into a new market, you’ll have to reevaluate your risk and document that reevaluation. These documentation requirements should also be proportionate to your company’s size and complexity.
Documentation provides some protection in the event of misconduct or a breach of laws. It’s no defense for management to claim ignorance (or “willful blindness”) about a violation. You need to have procedures in place that show you have actively sought to guard against misconduct taking place.
Here are three tips for effective documentation:
■ Create and update documentation on all activities: This may be done manually or through an automated system.
■ Maintain version control: This helps ensure you always have the latest version of documents readily available and that the right personnel have access to the documents.
■ Control access rights: Define who has the rights to access specific compliance documents, such as internal investigation files.
The certification standards are global standards that any company can use to benchmark its compliance program. Key concepts with this standard are keeping requirements reasonable and proportionate, as well as the importance of documentation.
When it all hits the fan, your documentation is your best defense; it also helps you evaluate your compliance program and maintain an ongoing assessment of risks.
More important, with certifications in place, your business partners are keener and more relaxed about doing business with you. You will be ahead of the curve and will have outsmarted your competitors. Of course, you can also sleep better.
Comments are welcome; e-mail me at [email protected]
Flashback: On July 11 I wrote about ‘Open Government Partnership – Part of Fighting Corruption’ and made extensive reference to reports prepared by the Independent Reporting Mechanism (IRM) of the local Open Government Partnership implementation group. The reason why I used the IRM source is that the Integrity Initiative is part of the Civil Society Groups supporting the OGP Program and the reporting of the IRM. In fact, the Integrity Initiative has added progress information to the latest IRM report.