The Guidelines for the implementation and functioning of the prevention model (Lineamientos para la implementación y funcionamiento del modelo de prevención) have been issued by the Superintendence of Securities Market (Superintendencia de Mercado de Valores – SMV). Their development is due to the entry into force in 2018 of Law No. 30424 “On Administrative Liability of Legal Persons for Transnational Active Bribery” (Ley Que Regula La Responsabilidad Administrativa De Las Personas Jurídicas Por El Delito De Cohecho Activo Transnacional), which introduced liability of legal persons for corruption. The Law also provides for a possible exemption of legal persons from liability, if the entity has adopted all necessary measures to prevent crimes, or for a mitigation of sanctions in the event that such measures have been either introduced only in part or taken after the commission of a crime.
The list of these measures includes:
1. Risk detection, assessment and mitigation;
2. Appointment of an independent person (persons) responsible for the prevention of infringements;
3. Introduction of internal reporting mechanisms;
4. Awareness-raising and training of the staff of the organisation on prevention matters;
5. Constant monitoring and evaluation of the prevention system.
The Guidelines offer a detailed explanation of how entities shall implement in practice the measures provided for by the Law, taking into account their own specific characteristics; the publication will also be used by the SMV to estimate whether the adopted measures are sufficient*.
The document, in particular, stresses that the companies intending to adopt prevention measures must be guided primarily by the following general principles:
- the measures that are being implemented should take into consideration the legal provisions both of Peru and the other countries where the company operates; the company should also conduct periodic monitoring of the measures with respect to their compliance with the legislation;
- the management, third parties and other stakeholders should be engaged in the process of building a culture of trust, integrity and respect for relevant requirements and ethical standards;
- although the introduction of prevention measures is not an obligation, when deciding to develop a set of such measures the organisation should ensure their implementation in all areas of its activity and at all levels of corporate governance, going beyond separate elements of the prevention model or specific business processes;
- the measures which are being introduced should be clear for the corporate staff, management and third parties; for instance, they can be illustrated by practical examples or explained in videos;
- the entity should develop a culture of integrity primarily through rewards rather than retaliation and sanctions;
- the organisation should autonomously define the list of necessary measures, the procedure for their development, introduction and subsequent implementation in accordance with its needs, risks and other characteristics.
In addition to the general principles, the Guidelines offer detailed information on the prevention measures provided for by the Law which can be introduced at the corporate level.
1. Risk assessment
To develop a set of prevention measures, an organisation should, in the first place, carry out the assessment of risks related to the commission of violations that arise throughout all business processes and in relations among the employees and between them and the third parties. Such assessment consists of four stages:
- Preparatory stage, at which all operational functions of the entity, the business processes forming them, the duties of the employees necessary for their implementation and existing control and oversight mechanisms should be identified.
To do this work, those responsible should be appointed, their functions, mandate and the area of analysis (all processes and levels of corporate governance or a part of them) should be defined; the documents establishing the procedure for detecting, assessing and mitigating risks should be adopted; the documentation necessary for the work should be gathered; the involvement in this work of all personnel of the organisation should be ensured; a person or a unit responsible for overseeing the risk management processes should be appointed.
- Risk detection stage, where the types of activities, operations and business processes most exposed to violations, as well as the actions that can affect the existing risks or create new ones, should be identified.
To this end, at this stage the areas and/or internal and external factors affecting specific risks inherent in the activities of the organisation are identified; the methodology for identification of relevant risks is developed with the support of different methods (for example, brainstorming, scenario analysis, overview of historic data, interview, survey, questionnaire etc.); the criteria allowing for the detection of the areas / processes subject to the greatest risks are established; the actions or processes subject to the greatest risks of crime (for instance, the use of cash; gifts or hospitality, sponsorship; protocol and travel expenses; commission charges for sales, public contracts, external consultants etc.) are defined along with the factors that affect the probability of their occurrence or the emergence of new risks; the actions and operations that involve the interaction of the organisation with the public sector are defined; the presence of operations implying the interaction of the company with the organisations based in the regions where risks of unlawful activities are high, for instance, offshore zones or countries with a high level of corruption, is analysed.
- Risk assessment and analysis stage, at which the organisation defines the probability of occurrence of the risks identified at the previous stage and the possibilities for their minimization.
In order to do so, the organisation should develop a methodology and instruments for risk assessment; estimate the degree of exposure of operations and business processes to risks (for example, by creating a database of risks or categorizing them); lay down qualitative and/or quantitative assessment indicators and criteria for measuring the probability of their occurrence; ensure regular risk assessment (for example, by establishing a centralised set of control instruments, updating and improving them as needed).
- Risk minimization stage, where the organisation takes measures for preventing, detecting and reducing risks based on the assessment conducted.
To this end, the company should develop and introduce control measures or means to reduce the probability of occurrence of each of the identified priority risks or mitigate the consequences of their occurrence; introduce a system of preventive (due diligence, dual control of payment negotiation, monitoring of appointment and dismissal of trustees or representatives etc.), detecting (means of control for subsequent verification of payments made and accounting records confirming urgent, unusual expenses etc.) and corrective (conducted based on the audit results, internal investigations, disciplinary and administrative sanctions imposed, court proceedings) control, financial (the prohibition to use cash, the levels of payments approval) and non-financial (due diligence) control; ensure enhanced control over the actions and operations subject to the greatest risks; ensure the monitoring of effectiveness, efficiency and adequacy of the existing control measures to minimise the detected risks.
Risk assessment is carried out both at the initial stage of the development of a set of corporate prevention measures, and later, in the event of changes in the activities of the company, if it enters new markets, launches new goods/services, introduces new technological solutions, undergoes structural or organizational changes or in any other circumstances that can affect the risk profile of the company.
2. Appointment of the responsible person
The functions to introduce and ensure the functioning of the prevention model may be assigned to a certain employee (employees) or a unit of the organisation (the supreme management body in micro-, small and medium enterprises) or outsourced.
The main task of this responsible person (unit) is to ensure the application, implementation, compliance with and constant improvement of the prevention measures introduced. Its fulfillment implies that such person (unit) has sufficient autonomy, independence and relevant powers, adequate human, financial and material resources, timely and direct communication with the senior management, the possibility to participate in the adoption of strategic and operational corporate decisions, hiring of new employees and rearrangement of duties of the active staff members, as well as incentives to further professional training.
The Guidelines also define the general requirements for the qualification of the responsible persons, including the knowledge of specific characteristics of the corporate activities, relevant experience, moral and financial integrity; organisations may formulate their own requirements for such employees in accordance with their size and the character of their activities.
3. Creation of reporting channels
The Guidelines clarify a standard procedure for the development and introduction of internal channels for reporting violations, mechanisms for the protection of whistleblowers, incentives to the disclosure of information on violations and the procedures for internal investigation and imposition of disciplinary sanctions.
In particular, the organisation should appoint the person (unit) responsible for managing reporting channels and conducting internal investigations (these functions can be also outsourced); at the same time, the Guidelines recommend that this should be a person (unit) different from the one that develops and maintains the functioning of the prevention model as a whole to avoid conflict-of-interest situations.
After that, the company should create virtual and face-to-face reporting channels (for example, hotlines, a mailbox, an on-line reporting system, an online complaint form, mobile applications, in-person reporting etc.) that will be made available to a great number of employees and third parties; it should also ensure due registration of the reports filed. Additionally, it should adopt the measures to ensure confidentiality and anonymity of reports, their confidential and secure storage and processing of personal data of whistleblowers.
In addition, organisations should ensure the protection of whistleblowers, including the prohibition of retaliation, discriminatory or punitive measures and sanctions against them for defying the relevant ban, as well as other measures, such as the maintenance of confidentiality (anonymity) even after the investigation is concluded or the provision of legal representation if necessary.
Besides that, organisations can introduce the measures that encourage employees (third parties) to disclose information on infringements; these can be either incentives (promotion, bonuses, training fees, additional holidays etc.) or other measures, for example, internal circulation of information about disciplinary measures or sanctions imposed for a violation or imposition of sanctions for reporting knowingly false information or slander.
In parallel with the creation of reporting channels, organisations should establish the procedure for conducting internal investigations of tips and holding the perpetrators disciplinarily liable. The persons that carry out such investigations should be impartial, objective and independent; they should also be provided with necessary resources. The protection of the fundamental rights and personal data as well as procedural safeguards should be ensured to the persons under investigation. Additionally, organisations should adopt a set of measures to ensure the protection and storage of information, documents and other evidence gathered throughout the internal investigation, and ensure that action to repair or improve the prevention model is taken in the event that the information received through internal reporting channels is confirmed.
Finally, companies should develop and introduce a system of adequate sanctions for infringements; to this end, they should appoint a person (unit) responsible for determining and imposing them, ensure that sanctions can be imposed on all employees regardless of their position and provide for the recording of the sanctions imposed and the mechanisms of control over their implementation.
4. Awareness-raising and training of employees
In introducing a prevention model, the management should pay attention to the dissemination of the information about it among all employees and periodically organise training of employees of all levels, third parties and other stakeholders, if necessary.
To this end, the organisation should allocate sufficient financial, material, technological and human resources for training; it should further create accessible and adequate reporting channels for employees (third parties), for instance, paper leaflets, web publications, video materials etc., and publish the documents related to the existing corporate prevention model; it should also provide training to all employees and senior management, including those just hired, third parties and other stakeholders that can be differentiated in accordance with the business process, the area of activity of the organisation and the degree of their exposure to the commission of crimes or the grade level and functions of the employees; additionally, the organisation should adopt measures to ensure monitoring and improve the awareness-raising materials and the learning process as well as increase their effectiveness; finally, it should create feedback channels in the event that employees (third parties) have queries about the introduction and implementation of prevention measures.
5. Assessment and monitoring
The Guidelines stress that the prevention model has a dynamic, non-static character, which implies the need to adapt, update and improve it as experience of its implementation is accumulated, also with due regard to the structural, organisational, operational and normative developments that the entity undergoes. Consequently, the organisation should provide feedback mechanisms for a wide range of stakeholders along with other measures necessary for ensuring monitoring of the effectiveness of the implementation of the prevention model and timely corrective action.
To this end, the individual (unit) conducting monitoring should have access to all necessary information and documents (contracts, reports, accounting and financial documents, appointments records, emails etc.). The monitoring should include assessment, monitoring and/or systematic oversight of the effectiveness of the prevention model, assessment of the efficiency of employees and senior management with regard to their compliance with the model, adoption of the measures aimed at improving the model (update and/or adoption of additional measures or control mechanisms and refusal to take ineffective or inapplicable measures) and organisation of meetings with employees and senior management of the organisation, necessary for obtaining feedback.
The assessment of the prevention model should be conducted at least once a year and can be carried out either by employees of the company or external organisations engaged for this purpose.
6. Due diligence
In addition to the elements of the prevention model, defined by the Law, the Guidelines provide for another important component of this model, i.e. due diligence, which includes the following actions:
- collect general information about the third parties;
- verify whether these third parties have prevention models in place;
- gather information about the shareholders of third parties, their area of activities and geographical expansion to detect potential conflict of interest;
- collect information about whether third parties have been held liable or subject to administrative or criminal sanctions, if they have “black” or “grey lists” of individuals involved in crimes or relations with such individuals;
- get the data on the financial condition and credit record of third parties;
- analyse the relations of third parties with politically exposed persons;
- pay in-person visits to third parties to meet them, analyse information about them provided by their business partners or gathered via interviews/surveys.
* The SMV is designated as a body responsible for the assessment of the introduction and implementation of the models of prevention of infringements in organisations. The authority will conduct such assessment when it receives the respective request of prosecutors that conduct investigations against or prosecute legal persons. Throughout the assessment process the SMV can ask organisations to provide any information and documents, conduct on-site inspections, interview witnesses and gather evidence, as well as undertake any other actions as may be needed to assess the introduction and functioning of prevention models. The assessment concludes with a technical report (Informe Técnico) that the SMV submits to prosecutors.
The authority will have only 30 days to prepare the technical report: it seems that this tight deadline will not allow for a sufficiently thorough assessment of the measures adopted by organisations. Consequently, the process to verify whether the measures taken to prevent offences are sufficient risks becoming a sham in Peru.