The document is a follow-up to the amendments to the anti-corruption law that entered into force on 8 September 2024 with regard to the fight against corruption abroad, according to which a new corpus delicti is introduced against legal persons, i.e. inability to prevent bribery of a foreign official. A company can be exempted from liability if it proves that it has undertaken the “appropriate procedures” to prevent bribery.
The Guidance provides recommendations on the steps organisations can take to create the conditions to prevent foreign bribery. However, the decision on whether the measures taken are “appropriate” will be made by the court individually in each case. Besides the recommendations, the document contains case studies of their implementation by certain companies.
The Guidance has six elements in total on which it is suggested to build a corporate anti-corruption programme:
1. Fostering a control environment to prevent foreign bribery
The document stresses that the control measures adopted by organisations should be proportionate and effective.
The principle of proportionality means that the controls should be proportionate to the corporation’s operational circumstances, including its foreign bribery risks and the nature of its activities. To this end, companies should conduct the assessment of relevant risks. In a small corporation, top-level management may be highly engaged with the corporation’s compliance framework by nature of working in close proximity to the compliance function; in a large corporation – with multiple business units, tiered management structures and many reporting channels – more sophisticated controls may be required to connect the compliance function with top-level management: for example, top-level management sets bribery prevention controls and tasks lower-level management to design, implement and monitor these measures; however, top-level management would still be responsible for conducting regular compliance reviews and seeking regular reports on the effectiveness of the implemented measures.
As for the principle of effectiveness, the authors of the Guidance identify five indicators of compliance with it:
- A robust culture of integrity within the corporation, which means that a company conducts regular and thorough assessments of the effectiveness of bribery prevention controls and oversees these controls, has leaders who actively examine foreign bribery risks and use both words and actions to discourage bribery and encourage compliance, provides sufficient resourcing to put in place mechanisms that monitor the behaviour and compliance of senior leadership, investigates allegations of foreign bribery, undertaking fully documented assessments conducted by suitably qualified personnel, encourages employees to disclose potential instances of bribery etc.
- Demonstrated pro-compliance conduct by top-level management and, where applicable, the board of directors, including by actively examining foreign bribery risks, having a clear policy position and information on managing foreign bribery risks available on internal and external websites, including potential repercussions for failure to comply, actively and visibly promoting an anti-bribery culture on the ground, implementing a clear policy relating to facilitation payments, hospitality, gifts, sponsorships and donations, holding meetings with, and receiving briefings from, the corporation’s compliance function etc.
- A strong anti-bribery compliance function or functional equivalent, which means that the company should regularly train employees on requirements, report directly and regularly to top-level management and, where applicable, the board of directors, and have full and timely access to information, including confidential information, about allegations of foreign bribery, where the law allows.
- Effective risk assessment and due diligence procedures, where these procedures identify, analyse, prioritise and address foreign bribery risks, are endorsed and overseen by top-level management, receive appropriate resourcing proportionate to the scale of business/risk, are applied to relevant situations, including the process of engaging third parties and in mergers and acquisitions, and are tailored to reflect the corporation’s risk profile.
- Careful and proper use of third parties, if it is supported by a clear business rationale, subject to clear contractual terms that describe the services, appropriate payment terms and mechanisms to ensure the contractual work is performed etc.
2. Responsibilities of top-level management
Top-level management can include the owners of a small-to-medium sized enterprise, the Chief Executive Officer and executive team, a board of directors or equivalent persons within a corporation.
A corporation’s top-level management personnel should play a critical role in developing, implementing and promoting its anti-bribery compliance program and be responsible for fostering an anti-bribery culture within the corporation.
Top-level management’s role in developing and implementing an anti-bribery compliance program could include:
- Initiating the development of such policy and its subsequent revision, promoting thoughtful and effective measures to prevent foreign bribery;
- Overseeing the development and implementation of a code of conduct that reflects the anti-bribery compliance program and ensuring accessibility of the code to staff and third parties;
- Endorsing bribery prevention publications;
- Having specific involvement in high-profile and critical decision-making where appropriate;
- Communicating the corporation’s anti-bribery stance, for example, through a visible and easily accessible statement that demonstrates a top-level dedication to preventing bribery, a culture of integrity and a zero-tolerance approach to corruption;
- Generally overseeing responses to breaches of policies and providing feedback, where appropriate, to the board of directors (or equivalent body) on levels of compliance;
- Declaring personal bribery risks and other conflicts of interest;
- Promoting and raising awareness of the corporation’s anti-bribery compliance program among associates, including any protection and procedures for confidential reporting of bribery (whistleblowing) etc.
3. Risk assessment and due diligence
3.1. Risk assessment.
The Guidance stresses that risk assessment is the basis for the design of any anti-bribery compliance program, regardless of the size and risk level of the corporation, because a risk assessment gives a systemic view of where bribery risks lie and, as a result, a corporation can design its controls accordingly.
Corporations should conduct both periodic risk assessments and assessments triggered by a change in circumstances, such as entry into a new market, a change of staff or third parties, and potential bribery cases that come to the knowledge of the company.
A risk assessment includes three key steps:
- Conduct a bribery risk assessment. A bribery risk assessment may take place as part of a broader compliance risk assessment.
In order to conduct a bribery risk assessment, a corporation should first identify its exposure to bribery risks by considering factors including, but not limited to: the countries and regulatory anti-corruption and anti-foreign bribery environment the corporation operates in; the sector(s) in which the corporation undertakes business; the corporation’s common transactions, including those involving foreign public officials; the location of offshore operations and its rating for corruption perception (the authors recommend using Transparency International’s Corruption Perceptions Index); the controls the corporation has in place, including financial controls.
It is recommended to pay particular attention to the common “red flags”, if the corporation: operates in locations or sectors perceived to have high levels of corruption; deals with foreign public officials; wins large contracts in state-run economies; is requested to make political donations or donations to particular charities or social programs; is requested to make facilitation payments; is engaging with, or has relationships with, state-owned enterprises and politically exposed persons.
The corporation should also consider the risks arising from the use of third parties: vaguely described services and deliverables, high expenses, upfront fees, payments to personal accounts, complex corporate structures or payment methods, large or unusual commissions such as shares or incentive schemes, requests to employ certain people (usually associated with the foreign officials who make the request), excessive hospitality, expensive gifts, sponsorships and donations, inflated contracts.
To achieve the best results in risk assessments, the document recommends consulting with management and employees, including sales, procurement, finance and legal areas, especially at the local level, and consulting with external stakeholders including suppliers, customers, investors and peer corporations, the Australian Trade and Investment Commission; corporations entering new jurisdictions should seek information from local anti-corruption practitioners and civil society organisations.
- Rate the risk. Having identified the relevant areas of risks, corporations should then rate both the likelihood that each risk might occur (how likely is it that the risks identified will occur in business transactions – rare, possible, probable or certain) and the potential impact of each occurrence to determine the overall risk to the corporation (what would the impact be on the corporation if the risks did occur – minor, moderate, significant or major).
If operating in multiple countries or in multiple sectors, it is recommended that this exercise takes place for every country or every sector.
Combining the likelihood and impact assessments for each risk will produce an assessment of the overall risk level without considering existing controls. The result of a rating exercise of this nature is for corporations to better target the risks that are most likely to occur and assess which will have the greatest impact on business. In practice, this may look like a redirection of resources to prioritise regions or sectors most in need of controls or conducting further due diligence on a particular business relationship.
- Document the process and findings. Risk assessments should be documented and stored in a centralised and easily accessible location, for example, in the form of a risk register that is reviewed and updated regularly. A risk register could contain details on each of the risks, the rating of each risk, the controls in place to mitigate the risk and when the risk was last assessed.
3.2. Due diligence.
Due diligence involves research, investigation, assessment and monitoring by a corporation in relation to both new and ongoing business relationships. Thorough due diligence should be conducted before entering into a business relationship and continue throughout the relationship.
Business relationships that may need more extensive due diligence include those: involving third-party intermediaries; where timely due diligence could significantly mitigate corruption risk, e.g. the intermediary is assisting the corporation to establish business in a foreign market; that, once established, would be difficult to end, e.g. those in jurisdictions where it is common or necessary to engage local agents; involving mergers, acquisitions and foreign subsidiaries; that include state-owned enterprises.
The Guidance also highlights that non-controlled associates (those that are not controlled by the corporation but perform services for it, for example, incorporated joint venture partners or partially owned subsidiaries) should be included in the risk assessment and due diligence processes of the corporation. To mitigate the risks associated with such companies, the authors of the paper suggest the corporation may consider control measures such as: properly documented risk-based due diligence on the hiring or selection of the associate to perform services; informing the associate of the corporation’s commitment to anti-corruption compliance; a requirement for the associate to demonstrate its commitment to integrity; a requirement for the associate to demonstrate it has an effective compliance program; implementation of bribery prevention controls by the associate that are proportionate to the risk to address the transaction between itself and the corporation; checking or encouraging disclosure of beneficial ownership of non-controlled assets etc.
4. Communication and training
The Guidance states that corporations should provide communication and training to employees and associates (and non-controlled associates, where appropriate) to ensure they understand the corporation’s anti-bribery compliance program, and the practical application of controls under the program. The frequency and content of communications and training should be proportionate to the bribery risks faced and include information, in particular, on how employees and associates are expected to respond to bribe solicitation and where to report bribery concerns.
4.1. Communication.
A corporation should have both internal and external communication. The main goal for internal communication is to convey dedication to anti-bribery compliance to employees. Simply asking employees to acknowledge that they have read and understood the anti-bribery compliance program is inadequate. Corporations could provide opportunities for employees to engage in the anti-bribery corruption program through focus groups, meetings and online training. The controls themselves, or a document describing their practical implementation, may be communicated through a staff handbook, guidelines, intranet, notices and training materials and should be made accessible to all associates.
External communication will convey the corporation’s stance on bribery, explain how the anti-bribery compliance program operates and the expectations the corporation has for business relationships. A corporation may wish to make a public anti-bribery statement, or include foreign bribery in its high-level mission statement.
4.2. Training.
The document stresses that training should be tailored to the needs identified through the risk assessment process and designed to mitigate the risks identified. Potential training methods include classroom teaching, external courses, seminars, online learning and conferences, which may be supported by publications and training materials. Corporations should maintain training records of completion, including participant attendance lists.
The authors of the Guidance highlight that training should:
- be provided to the corporation’s directors, managers and employees, as well as to other associates, such as agents, contractors or suppliers considered at risk of foreign bribery;
- be accessible in different formats and languages as necessary;
- cover general and sector-specific bribery risks and the corporation’s anti-corruption compliance program, including all policies relating to anti-bribery and corruption;
- be tailored to employees who face particular corruption risk or work in higher risk functions;
- include case studies or real-life scenarios relevant to the business and specific business processes;
- be included as part of induction for new employees;
- undergo periodic review to ensure it addresses contemporary bribery risks;
- be continuous;
- be integrated into the business environment as much as possible, to emphasize the real harm that bribery causes.
5. Reporting foreign bribery
The Guidance highlights that all corporations, regardless of size, should adopt a mechanism that encourages and facilitates reporting of actual or suspected instances of bribery or bribery solicitation. Corporations must comply with whistleblower protection provisions in the Corporations Act (including requirements which may limit access to reported information, or the manner in which investigations of such reports are conducted) and should have mechanisms in place to respond to concerns.
The Corporations Act requires public companies, large proprietary companies and some other entities to have a whistleblower policy. This policy should include:
- a section that addresses the purpose and scope of the whistleblower policy;
- clear instructions on how a whistleblower can disclose misconduct;
- an outline of how the corporation will investigate the matter disclosed and what staff should expect after an investigation has concluded;
- assurances regarding confidentiality, support and protections for staff, including how the corporation will keep the identity of whistleblowers confidential and how it will protect them from consequences, including in the workplace or legally.
The document also stresses that the Australian Securities and Investments Commission recommends that organisations:
- document their whistleblower policy;
- define and allocate roles and responsibilities for their program;
- design and establish supporting procedures or guidelines;
- ensure the program has adequate resources and measures to keep whistleblowers’ information secure.
In developing reporting channels and mechanisms to respond to reports, the authors of the document recommend that organisations:
- make mechanisms for reporting visible and accessible to all employees and associated persons, including those based overseas and those in roles where they would be well-placed to detect potential foreign bribery (for example, audit functions);
- provide information about protections that are available to persons who make a report, and information on how the corporation will receive, investigate or otherwise process the report as well as complaints of retaliation;
- provide options for reports to be made confidentially, anonymously (if required), securely and at any time;
- delegate, if necessary, the functions to accept and process reports to a third-party with relevant training and expertise (which could encourage disclosure from employees who would otherwise be uncomfortable making a report internally);
- create a response system that ensures appropriate consideration and investigation of reports that contain allegations of foreign bribery; the investigations should be properly scoped, objective, timely, appropriately conducted, and properly documented;
- ensure appropriate action is taken to address the outcomes of investigations, including by amending existing policies, taking disciplinary action against wrongdoers, putting new systems in place etc.
6. Monitoring and review
Monitoring the anti-bribery compliance program establishes the level of effectiveness over time, and should align to continuous improvement of the compliance program. Monitoring should be conducted on a regular basis in accordance with a plan, while the ways to improve the anti-bribery compliance program can be learned through the documentation and analysis of incidents and violations.
Events that may prompt a review and evaluation process outside a scheduled review could include: entering new markets; changes to the corporation’s activities; a bribery or corruption incident; changes in the corporation’s governance or regulatory environment; employee or associate feedback from surveys or training.
As regards specific mechanisms for monitoring and reviewing, the authors of the document suggest that companies consider the following measures:
- adequate internal audit and financial control mechanisms to ensure the maintenance of accurate records and accounts to detect and deter foreign bribery and monitor transactions, including by undertaking targeted data analytics and post-transaction reviews;
- staff and associate surveys to test the level of awareness of the corporation’s anti-bribery compliance program;
- confidential and anonymous reporting channels for staff and associates to raise concerns about bribery risks, including reviews on how complaints are handled;
- feedback from training (and other general feedback mechanisms) about the effectiveness of the anti-bribery compliance program;
- periodic reviews conducted by suitable experts (internal or external) that are provided to top-level management for consideration;
- undertaking exit interviews with staff and asking questions on corruption and bribery;
- encouraging all staff to sign annual declarations on compliance with the corporation’s foreign bribery policy and procedures;
- relevant information from industry bodies;
- verification or certification of the effectiveness of the anti-bribery compliance program provided by an external provider.