Installing an ethics and compliance function does not remove management’s duty to oversee operations and ensure that company activities are conducted in full compliance with applicable laws and ethical standards. In this Chapter, we start by highlighting the key elements of an effective ethics and compliance programme. We then describe the main role and responsibilities of the ethics and compliance function. Finally, we define the boundaries between the ethics and compliance function and the respective roles of management, control, and audit in securing the efficient functioning of the programme.

-

DESIGNING YOUR COMPANY’S ETHICS AND COMPLIANCE PROGRAMME

Emphasis of the programme

The formal emphasis of a corporate ethics and compliance programme is to prevent, detect, and appropriately respond to misconduct. One of the first texts available to define the main elements of an effective ethics and compliance programme was the United States Federal Sentencing Guidelines. It still stands today as a global reference point for business. The Sentencing Guidelines first served as a practical guide for enterprises based or having operations in the United States, but they were later used by numerous companies from other parts of the world. In 2012, the Criminal Division of the United States Department of Justice and the Enforcement Division of the United States Securities and Exchange Commission published a Resource Guide to the U.S. Foreign Corrupt Practices Act to further guide companies on the application of the United States anti-corruption law.


Other authoritative sources of reference include the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance (2010) and the United Kingdom Bribery Act Guidance (2010) on “Adequate Procedures”. The ICC Rules on Combating Corruption (2011) also provide examples of measures and good practices which companies should consider including as part of their ethics and compliance programme (see box below).

To be effective, a corporate ethics and compliance programme should focus on those areas which pose the most significant legal and ethical risks for the company. As we have seen in Chapter 5, such evaluation should be made on the basis of a thorough risk assessment. While the risk exposure for a company may vary according to its industry segment(s), geographical markets, and business activities, companies whose operations have a global or multinational footprint will likely direct their compliance efforts towards the following areas:

  • Anti-corruption;
  • Anti-money laundering;
  • Antitrust and competition law; and
  • Export and import controls.

Depending on the company structure and industry segment(s), additional focus areas of the ethics and compliance programme may include human rights, disclosure controls, and insider trading.

While ethics and compliance programmes generally focus on legal compliance, they are often complemented in corporate documents by a value-based approach which encourages employees and business partners to commit to the highest standards of ethical conduct in their day-to-day professional activities.

ELEMENTS OF AN EFFICIENT CORPORATE ETHICS AND COMPLIANCE PROGRAMME

Excerpt from the ICC Rules on Combating Corruption (2011)

“Each Enterprise should consider including all or part of the following good practices in its [corporate compliance] programme. In particular, it may choose, among the items listed hereunder, those measures which it considers most adequate to ensure a proper prevention against Corruption in its specific circumstances, no such measure being mandatory in nature:

  1. Expressing a strong, explicit and visible support and commitment to the Corporate Compliance Programme by the Board of Directors or other body with ultimate responsibility for the Enterprise and by the Enterprise’s senior management (‘tone at the top’);
  2. Establishing a clearly articulated and visible policy reflecting these Rules and binding for all directors, officers, employees, and Third Parties and applying to all controlled subsidiaries, foreign and domestic;
  3. Mandating the Board of Directors or other body with ultimate responsibility for the Enterprise, or the relevant committee thereof, to conduct periodical risk assessments and independent reviews of compliance with these Rules and recommending corrective measures or policies, as necessary. This can be done as part of a broader system of corporate compliance reviews and/or risk assessments;
  4. Making it the responsibility of individuals at all levels of the Enterprise to comply with the Enterprise’s policy and to participate in the Corporate Compliance Programme;
  5. Appointing one or more senior officers (full or part time) to oversee and coordinate the Corporate Compliance Programme with an adequate level of resources, authority and independence, reporting periodically to the Board of Directors or other body with ultimate responsibility for the Enterprise, or to the relevant committee thereof;
  6. Issuing guidelines, as appropriate, to further elicit the behaviour required and to deter the behaviour prohibited by the Enterprise’s policies and programme;
  7. Exercising appropriate due diligence, based on a structured risk management approach, in the selection of its directors, officers, and employees, as well as of its Business Partners who present a risk of corruption or of circumvention of these Rules;
  8. Designing financial and accounting procedures for the maintenance of fair and accurate books and accounting records, to ensure that they cannot be used for the purpose of engaging in or hiding of corrupt practices;
  9. Establishing and maintaining proper systems of control and reporting procedures, including independent auditing;
  10. Ensuring periodic internal and external communication regarding the Enterprise’s anti-corruption policy;
  11. Providing to their directors, officers, employees, and Business Partners, as appropriate, guidance and documented training in identifying corruption risks in the daily business dealings of the Enterprise as well as leadership training;
  12. Including the review of business ethics competencies in the appraisal and promotion of management and measuring the achievement of targets not only against financial indicators but also against the way the targets have been met and specifically against the compliance with the Enterprise’s anti-corruption policy;
  13. Offering channels to raise, in full confidentiality, concerns, seek advice or report in good faith established or soundly suspected violations without fear of retaliation or of discriminatory or disciplinary action. Reporting may either be compulsory or voluntary; it can be done on an anonymous or on a disclosed basis. All bona fide reports should be investigated;
  14. Acting on reported or detected violations by taking appropriate corrective action and disciplinary measures and considering making appropriate public disclosure of the enforcement of the Enterprise’s policy;
  15. Considering the improvement of its Corporate Compliance Programme by seeking external certification, verification or assurance; and
  16. Supporting collective action, such as proposing or supporting anti-corruption pacts regarding specific projects or anti-corruption long-term initiatives with the public sector and/or peers in the respective business segments”.

While all items listed above are recommended by ICC, none should be considered compulsory in its own right. It will be up to your company to select a combination of these various processes and policies, based on its particular circumstances and needs. For instance, no company should feel obliged, unless it is a legal or regulatory requirement, to put into place a whistleblowing system. Nor should a small enterprise feel constrained to adopt any of the above measures if they are inappropriate for its size and circumstances.

Accountability for your company’s ethics and compliance programme

Your company, like every other, will have to decide how best to assign accountability between the various players involved in your company’s ethics and compliance programme. The matter to decide upon is: who will bear the brunt of accountability for the programme? Should it be management, internal audit, external audit, or the ethics and compliance function? Or should accountability be shared among them all?

In fact, there is no universally applicable formula in this area, just as there is no single formula for designing and setting up an effective ethics and compliance programme. The sharing of accountability, as decided by your company, will need to fit its overall governance structure (Is it centralized or decentralized? Is it focused on one product line or is it largely diversified?), as well as its particular business circumstances (for instance, its size, its industry segments, and the countries where it operates).

For example, companies operating in highly regulated industries often decide to assign policy-setting, implementation, monitoring, and enforcement to a central ethics and compliance function. Others will prefer to assign policy-setting authority to functions which are already in place in the corporate structure (such as legal, finance, or human resources) and hold management accountable for policy compliance, including implementing required controls and procedures. In the latter kind of set up, the ethics and compliance function would typically be assigned a support, advice, and reporting role. But again, there are various types of models which can be effective. The decision to go for one or another model will shape the boundaries (and the conditions for cooperation) between management, control, audit, and the ethics and compliance function.

Reporting line of the Chief Ethics and Compliance Officer

The appointment of a Chief Ethics and Compliance Officer is an important decision for a company. Various organizational structures and options can be considered when establishing such a role, depending on the size and the complexity of the organization. In a smaller enterprise, the ethics and compliance function may be exercised on a part-time basis. In large multinationals, the compliance group may have a headcount of dozens if not hundreds of persons.


To be credible, the Chief Ethics and Compliance Officer should be given a senior enough position within the company so that the incumbent can perform his or her duties with sufficient influence and autonomy. As already touched upon in Chapter 1 (‘A Daunting but Fascinating Task’) and Chapter 6 (‘The Role of the Board of Directors’) of this Handbook, consideration should be given to providing him or her with direct access to the Board of Directors and top management of the company. In particular, he or she should be able to provide a regular assessment of the effectiveness of the compliance programme to the Board of Directors or its Audit Committee. These types of decisions will determine the actual impact of the Chief Ethics and Compliance Officer function within the company and vis-à-vis external stakeholders.

Resourcing the ethics and compliance function

It is important to ensure that the ethics and compliance function has sufficient authority and enjoys adequate human and financial resources to perform its duties. To assess the amount of resources required to run an effective ethics and compliance programme, elements to be factored in (and to be revisited on a regular basis) include: the size of the company, the number and diversity of business units, the number and importance of subsidiaries and affiliates, the company’s exposure to legal and ethical risks, its corporate culture, the complexity of its business model, the structure of the company’s ethics and compliance function, and the extent to which the company uses third parties or business partners to conduct its business operations. An ethics and compliance programme is usually run in-house but may benefit from the support of external third-party service providers in areas which require specific outside expertise.

Skills for the ethics and compliance function

Many people working in ethics and compliance have a legal background. However, compliance departments increasingly include individuals with technical, managerial, and financial skills and experience. Other relevant backgrounds for the compliance function include human resources, information technology, communications, and project management. But first and foremost, an ethics and compliance person should enjoy a high degree of credibility and should be or become truly familiar with the company’s products, processes, and daily activities.

THE INTERFACE WITH MANAGEMENT, CONTROL, AND AUDIT

Ethical leadership

As we have seen in Chapter 6 (‘The Role of the Board of Directors’), top management plays a significant role in shaping, embedding, and spreading authority, norms and culture in the company. In this respect, the role of top management is to set the tone and to lead by example. As leaders, the company’s senior executives should be seen by their colleagues as those who articulate and personify the values and standards of the enterprise. Their leadership is critical for consistently embedding and implementing the ethics and compliance programme in all spheres of the company’s activities.


The interface between the ethics and compliance function and management

In any company, the ultimate responsibility for achieving corporate goals, and for ensuring that these goals are achieved in full compliance with applicable laws, corporate policies, and ethical standards, belongs to management. In other words, it is the responsibility of management to define accountability, allocate sufficient resources, and establish adequate processes and structures designed to ensure that:

  1. Policies are followed;
  2. Adequate procedures and compliance controls are properly implemented; and
  3. Assurance is obtained via an appropriate blend of monitoring and self-assessment. To be most effective, the processes established for conducting real-time monitoring and periodic self-assessment of compliance controls should be integrated into routine business activities.

The ethics and compliance function may play a role in establishing corporate policies and ethical standards. This may be done, for example, by taking an active part in the development of the company’s Code of Conduct. The compliance function is also typically involved in helping management, staff and employees of business partners to understand how these corporate policies and ethical standards address compliance risks in their businesses.

More broadly, the ethics and compliance function is there to support and promote the effective implementation of the ethics and compliance programme. Support activities include the training of management and staff, answering questions, providing advice, and helping to identify where controls and monitoring mechanisms can be embedded in daily business activities.

Another role of the ethics and compliance function is to ensure that systems are in place to allow staff and employees to ask questions and raise concerns, and to ensure that those concerns are properly investigated. Such systems should be designed in a way which reflects the size and governance style of the company. You will find more specifics on how to set up a whistleblowing system in Chapter 11 of this Training Handbook (‘Whistleblowing’) as well as in the ICC Guidelines on Whistleblowing (2008).

In consultation with human resources and legal, the ethics and compliance function supports management in determining consequence management and in identifying lessons learned from incidents, with a view to fostering continuous improvement. Finally, the compliance function is typically responsible for monitoring and reporting on the effectiveness of the ethics and compliance programme. All those activities and functions will require frequent interfaces with management and staff. To perform its duties, the ethics and compliance function must therefore be seen as a business partner: it should not be isolated. On the contrary, it should be visible on the ground.


Management controls

Standards are set by the laws of the various countries where the company operates and by the additional ethical policies and rules which the company has adopted. Evidently, those requirements (including those that support legal and regulatory compliance) are mandatory and need to be communicated to management and staff.

It will be management’s duty to ensure that these requirements are reflected in the company’s operational procedures. Management should also establish regular controls to check that those procedures continue to operate effectively. The ethics and compliance function will interact with management at various stages of this exercise, for instance when updating corporate policies and rules, or when monitoring how those policies and rules are implemented. The depth of the influence of the ethics and compliance function, and its level of activity and pro-activity, will depend on its accountability and on the level of resources it enjoys.

Board governance and oversight responsibilities

Key documents and standards for your company (such as its Code of Conduct) should be subject to the review and approval of the Board of Directors. Members of the Board should be knowledgeable about key ethics and compliance issues facing the company and be regularly informed about specific risks and the effectiveness of the ethics and compliance programme in mitigating those risks. The Chief Ethics and Compliance Officer, as well as your company’s assurance providers, should be able to talk and report to the Board of Directors (or a dedicated committee of the Board, such as the Audit Committee) on a regular basis.

The role of internal audit

The first role of internal audit in the compliance context is that of an assurance provider. Internal audit provides the Board of Directors and management with an independent assurance on the design and operation of the system of internal controls in the company. The Chief Ethics and Compliance Officer has a similar independent role when communicating his or her assessment of the effectiveness of the corporate compliance programme to the Board of Directors and management.

The second role of internal audit is to perform compliance audits. The internal audit function develops independently a risk-based assurance plan to cover the key operations of the company. It is responsible for implementing the plan and reporting on its findings. Its scope can be either purely financial or it can be broader to cover strategic, technical and operational risks including those that fall under the umbrella of the ethics and compliance programme.

In the latter case, it is critical for the ethics and compliance function to work closely with internal audit so that testing of the implementation of the ethical and compliance standards of the company is also incorporated into the internal audit programme (using a risk-based approach).


Results from internal audits will provide the Chief Ethics and Compliance Officer and the Board of Directors with valuable input to measure the effective implementation of the ethics and compliance programme within the various business lines, subsidiaries and functional departments of the company. Such audits may include testing of employees’ knowledge of the legal and self-regulatory standards, as well as checks of the business controls in place and of the various self-assurance processes implemented to test the effectiveness of the ethics and compliance programme. Management is subsequently accountable for implementing the audit recommendations to address the gaps found in the control system.

Internal audit can also fulfil a third role: auditing the ethics and compliance function. In particular, internal audit may provide assurance to the Board of Directors on the performance of the ethics and compliance function.

The role of external audit

External audit provides shareholders with assurance that the framework of controls established by the company operates effectively and that its financial accounts and mandatory disclosures are a fair reflection of the operations of the business. In that respect, external auditors may also decide to rely on the work done by internal audit, if available, to determine the scope of their tests and to develop and prepare their opinion.

-

About the author

Carlos Desmet has been Global Compliance Officer for Shell International since 2009. Shell is a global group of energy and petrochemicals companies with around 90,000 employees in more than 80 countries and territories. Based in the Netherlands, Mr. Desmet heads the global compliance office for the Shell Projects and Technology business. He supports the Projects organization, supply chain, third-party services, research and development, safety and environment, and technical IT. His team members are based in the United States, the Netherlands, Malaysia, China, Nigeria and India. Prior to this role, he was appointed Upstream compliance officer in 2006. Mr. Desmet is also Vice President of ICC Netherlands’ Anti-corruption and Corporate Social Responsibility Working Group and a member of ICC’s Commission on Corporate Responsibility and Anti-corruption.