Lessons learned in establishing anti-corruption codes of conduct


Financier Worldwide Magazine

June 2017 Issue

In recent years, our understanding of the essential role that assessing risk plays in the hour by hour functioning of business life has grown to the point that the very phrase ‘risk assessment’ has lost its focus and must be qualified in order to give it meaning in the moment. As corporate counsel or senior business managers we often define our roles as ones of risk management and assessment. When we say that someone has ‘great judgment’ we often mean that they assess risk well and provide business positive solutions. The conceptual stages of developing an anti-corruption compliance programme for an organisation begins with an assessment of risk. Only after a meaningful determination of what the risk profile of the organisation is, can a programme that manages and reduces risk be properly structured.

To begin, one must look to the following key factors. First, parties must consider the industry segment. Mining, resource extraction, oil & gas, pharma and technology all tend to be on the higher side of the risk continuum.

Geographic locations must also be a consideration. The jurisdictions in which an organisation operates, has assets or physical locations will be a key factor in determining risk. The starting reference point remains the Corruption Perceptions Index updated yearly by Transparency International (TI). TI ranks individual countries based on the perceived risk of corruption within that jurisdiction. Needless to say, if an organisation operates in any way in higher risk jurisdictions, its anti-corruption compliance risk is elevated. By comparison, retail organisations operating solely within the US and Canada will have a very low risk level.

The amount of government interaction must also be a factor. Risk is heightened for organisations that, by virtue of their industry or location, interact with and require approvals from government actors. For example, extractive resources industries are often at higher risk given their need to negotiate tenure agreements with governments, often in high risk jurisdictions.

If an organisation uses agents or other third parties to facilitate supply or sales agreements, risk can be heightened given the potential lack of direct control over the third parties’ interactions and motives. This risk factor is heightened yet again if there is a strong connection with government actors.

After giving thoughtful consideration to these classic risk factors, it is also understandable, as well as wise, to consider the financial resources available to an organisation when designing, implementing and ultimately maintaining a compliance programme. While legal compliance should not be subject to the whims of financial resources, there are a range of programme design options that may be considered ‘optional’ depending on available resources. Parties must not suffer from resource paralysis. While it is important to acknowledge the reality of resource limitations, it is equally critical that at the design stage of a compliance programme, the person accountable (for example, general counsel, chief compliance officer, CEO, among others) must take a firm stand with the board of directors or relevant controlling body or person by establishing the priority of compliance. It is only with a sufficient mandate for compliance that a programme can be designed to succeed. It is also at these early stages that the potential for a true ‘tone from the top’ is created.

So, now with a good handle on the organisation’s risk profile, coupled with a financial and compliance mandate, parties need to consider what organisational structure they want to create to oversee the programme that will be developed.

Establishing the foundation of the compliance programme

A company’s code of conduct and compliance policies form the foundation of its compliance programme.

Typically, the code of conduct is a broad statement of the company’s commitment to compliance with laws and ethical principles, its expectation of the same behaviour by its employees and representatives, and the consequences of non-compliance for both the company and individuals. Anti-bribery compliance policies and procedures address each of the components discussed above and target specific areas of risk exposure, as developed in accordance with the organisation’s risk assessments. Some organisations may combine the two while others keep them separate – either way, they should have both.

Keep in mind that parties need not necessarily start from scratch when putting together written codes of conduct and policies. Companies may already have some basic human resources or other internal policies and structures in place that they can build upon. There are also many precedents and samples available on the internet from businesses, NGOs and anti-corruption organisations that can be a starting point for developing codes of conduct and policies that will be tailored to the company’s specific circumstances and risk exposure.

Although codes of conduct and policies will differ widely in substance and focus from one company to another, in our experience certain basic principles should be followed when developing these for an organisation. Firstly, develop them to apply not only to directors, officers and employees, but also to third parties, such as contractors, agents, vendors, suppliers, consultants, joint venture parties and other business partners. The most significant anti-corruption risk exposure to companies arises out of third-party relationships.

Companies should also use clear, plain and direct language to express what is expected of employees and others, as well as what the consequences are when the policies are not followed, for example, discipline up to and including termination. Avoid use of acronyms or legalese.

Parties should include relevant and realistic examples from the day-to-day operations of the company to demonstrate what behaviour is acceptable and what is unacceptable under the policy.

Parties must clearly identify, by position and office, who is responsible for each aspect of the policy. Specific officer names and contact information should be provided to employees and others who have questions or concerns about the policy or wish to report any suspected violations. Information on making anonymous or confidential reports through a ‘whistleblower’ line should also be made available.

All policies and related materials should be translated into the local languages of all the jurisdictions in which the company operates. These policies should be easily accessible across all locations and functions of the organisation and should be made available to third-party representatives where appropriate. It may also be beneficial for the company to ensure it is accessible to shareholders, regulators, potential investors and business partners, as well as other stakeholders. In many cases, this can be facilitated through electronic access and publication on the company’s website.

Parties should adopt the ‘high watermark’. For companies operating across multiple jurisdictions that apply different anti-corruption standards and requirements, the easiest and safest approach will be to adopt the most rigorous standard for the entire organisation. For example, many organisations will simply prohibit the making of facilitation payments, which are illegal under the UK Bribery Act but still permitted under Canada’s Corruption of Foreign Public Officials Act and the US Foreign Corrupt Practices Act. Applying different standards and rules in different offices will lead to confusion, and, ultimately, mistakes.

A mechanism should be in place to update policies on a regular basis in order to reflect new or evolving risk exposure as a result of changes in the company’s operations, business lines, locations and business relationships. External developments, including changes to laws and policies, must also be incorporated on an ongoing basis.

Parties should not include procedures or controls unless they are absolutely certain that the company can meet those standards. The gold standard controls employed by large multinational organisations can be expensive and simply unattainable for an SME, especially in its early stages. Although the gold standard may look great on paper, it could do more harm than good when enforcement authorities are asking why companies were unable to meet the requirements of their own policy.

Those covered by the policies should certify on a regular basis that they have reviewed, understand and agree to follow them – this could coincide with the training of employees and third-party representatives when they first join the company and then during annual or more frequent training ‘refreshers’.

Again, remember that these codes and policies are not written in stone but instead should be treated as living documents subject to continuous review, scrutiny and change as the organisation grows and expands into new business relationships and jurisdictions. Further, parties must also generate and maintain documented evidence of implementation of these policies – for example, training logs, evaluations of third parties, and internal review reports and decisions. When a company is under investigation, there is nothing worse than having stale or ignored policies and procedures.


John W. Boscariol and Peter Brady are partners at McCarthy Tétrault LLP. Mr Boscariol can be contacted on +1 (416) 601 7835 or by email: jboscariol@mccarthy.ca. Mr Brady can be contacted on +1 (416) 601 8222 or by email: pbrady@mccarthy.ca.

© Financier Worldwide


John W. Boscariol and Peter Brady

McCarthy Tétrault LLP

©2001-2019 Financier Worldwide Ltd. All rights reserved.