Organized by the MENA-OECD Investment Programme in cooperation with the IMF-Middle East Center for Economics and Finance, Kuwait, April 22, 2013

How to Assess Integrity Risks for a Company?


Iohann Le Frapper
As Vice-chair of ICC Corporate Responsibility and Anti-corruption Commission

1.- Interactive session
• We all have part of the truth in matters of integrity
• My contribution to this Training is based on compliance practice and integrity standards
• I am here to speak, to listen and to share: please interrupt me for questions
• There are the national and the international standards
• There are worldwide norms (OECD and United Nations Convention) which are recognized everywhere and good corporate practice which is based on a vast experience
• The anti-corruption standards are universal and each company has to choose its prevention measures according to its culture, its size, its resources, its industry, its business model, etc.

2.- The Basics
The basic rules
a.- UNCAC, OECD, FCPA, UK Bribery Act
b.- The basic terminology: economic fraud, bribery and corruption, various forms of corruption (national and international/public and private/direct and indirect/mother company, subsidiaries and affiliates/trading in influence), gifts, entertainment and hospitality, and money laundering

3.- Definitions
The term “corruption” covers many aspects of economic fraud
You can have
• large and small corruption
• “street corruption” and “office corruption”
• corruption with money or other undue advantages
• corruption with laundered money or clean money
• corruption from a slush fund or from a regular stream
• national/international, public/private, direct from a company or indirect through an intermediary, mother company or subsidiary and affiliates
• active v. passive
• trading in influence

4.- Risk Assessment I
• A company starts with a Risk Profile/Risk Assessment to identify and prioritize its risks, esp. corruption. Pro-active or crisis mode.
• Risk assessment: cornerstone and critical initial step in designing an effective compliance program.
• It is the task of the highest body of the corporation (the Board or the owner) to define the risks the corporation is ready to take on.
• The basic approach of a risk assessment exercise:
  - identifying risks: scoping
  - measuring them, and
  - managing them.
• Oversight by top-level management: from kick-off to final report
• Prioritization of areas of highest risks: likelihood/frequency? Potential impact?
• As a result of such assessment, the company avoids focusing on false or minor problems.

5.- Risk Assessment II
• Appropriate resources: Risk assessment with internal/external information sources and resources.
• Work plan: need to plan budget, level of activity (e.g. interview list, document review?) and timing.
• Call upon operational people and experts: insurance people, Health, Safety, Environment & Quality (“HSEQ”) people and lawyers
• Typical risks to review: country, industry-specificities, transactions, business opportunities, business partnership/joint venture?
• Identify precisely weak points/processes in the organization (e.g. where are you dealing the most with cash?)
• In which countries do you have business operations where the risk for fraudulent activity is the highest?
• Degree of business with government entities?
• Level of regulation of relevant industry?
• Which supply/marketing channel presents the most challenges?
• Are your intermediaries/business partners a low or high risk for your company?
• Gifts, hospitality and entertainment activities?

6.- Risk Assessment III
• Gap analysis: address whether existing compliance program addresses identified risks?
• Consider ethical awareness survey or interviews to gather data from employees about high risks and knowledge of values and policies of the organisation.
• Next stage: recommendations for design or improvement of internal controls (remediation measures);
• Strength of internal controls: ascertain how compliance program operates in practice.
• Purpose of risk-assessment is to educate senior managers, seek their input on findings/report and get their buy-in for anti-corruption program (sponsor must be one senior executive).
• The risk assessment must be documented (to evidence, if needed, the bona fide of anti-corruption program) and monitored;
• Dynamic risk-assessment: regular reviews and updates needed to reflect external developments, risk profile changes and lessons learned through action plan’s implementation

7.- Due Diligence
• Before joining forces with a new partner, agent, associate or even executive, you should make checks on integrity, competence, reputation
• You can do this in very different ways but it should be a continuous and sustainable method leaving behind a paper trail, and no “box ticking”

8.- Adequate Procedures Guidance - UK Bribery Act. Principle 3: Risk Assessment

“The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented”.

http://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf

9.- Adequate Procedures Guidance - UK Bribery Act. Commentary on Principle 3

“3.1 For many commercial organisations, this principle will manifest itself as part of a more general risk assessment carried out in relation to business objectives. For others, its application may produce a more specific stand alone bribery risk assessment. The purpose of this principle is to promote the adoption of risk assessment procedures that are proportionate to the organisation’s size and structure and to the nature, scale and location of its activities. But whatever approach is adopted the fuller the understanding of the bribery risks an organisation faces, the more effective its efforts to prevent bribery are likely to be.

3.2 Some aspects of risk assessment involve procedures that fall within the generally accepted meaning of the term ‘due diligence’. The role of due diligence as a risk mitigation tool is separately dealt with under Principle 4.”

10.- Adequate Procedures Guidance - UK Bribery Act. Procedures for Principle 3

“3.3 Risk assessment procedures that enable the commercial organisation accurately to identify and prioritise the risks it faces will, whatever its size, activities, customers or markets, usually reflect a few basic characteristics. These are:

• Oversight of the risk assessment by top level management.
• Appropriate resourcing – this should reflect the scale of the organisation’s business and the need to identify and prioritise all relevant risks.
• Identification of the internal and external information sources that will enable risk to be assessed and reviewed.
• Due diligence enquiries (see Principle 4).
• Accurate and appropriate documentation of the risk assessment and its conclusions.

3.4 As a commercial organisation’s business evolves, so will the bribery risks it faces and hence so should its risk assessment. For example, the risk assessment that applies to a commercial organisation’s domestic operations might not apply when it enters a new market in a part of the world in which it has not done business before (see Principle 6 for more on this).”