Implementing the PACI A Manager - PDF document

Implementing the PACI A ManagerÕs Guide
Implementing the PACI A ManagerÕs Guide for Developing Anti-corruption Programmes COMMITTED TO IMPROVING THE STATE OF THE WORLDThe views expressed in this publication do not necessarily reflect those of theWorld Economic Forum.World Economic Forum91-93 route de la CapiteTel.: +41 (0)22 869 1212www.weforum.org© 2007 World Economic ForumAll rights reserved.No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by anyinformation storage and retrieval system.1 Introduction2 The PACI Principles3 Development of a Programme for Countering Bribery4 The Programme: Scope and Guidelines4.1 Bribes144.2 Political Contributions184.3 Charitable Contributions and Sponsorships204.4 Facilitation Payments224.5 Gifts, Hospitality and Expenses245 Programme Implementation Requirements5.1 Organization and Responsibilities265.2 Business Relationships285.3 Human Resources5.4 Training5.5 Raising Concerns and Seeking Guidance5.6 Communication435.7 Internal Controls and Audit5.8 Monitoring and Review6 Additional Resources3supplemental information for companies thatPrinciples for Countering Bribery (Òthe PACIPrinciplesÓ). It provides practical guidance and is areference manual for developing and maintainingcorporate Programmes to implement thecommitment to countering Bribery. task force of signatory companies of the WorldInitiative (PACI), working with TransparencyInternational. Implementation practices describedhere are intended to provide companies of all sizeswith general guidance, rather than prescriptions, forProgrammes to combat Bribery and other forms ofcorruption in international business. practices found at multinational companies. Specificpractices and recommendations do not necessarilyreflect the views of its individual members onlegal requirements or obligations on signatoryfulfil all of these guidelines. Questions about legal orother laws should be directed to appropriateThe PACI Task Force wishes to explicitly thank all4International companies that sign on to the PACIcommitment into concrete action. This Handbook iscolleagues put the PACI Principles into practice. There is no l

onger serious debate over the harmcaused
onger serious debate over the harmcaused by corruption. Numerous studies by theWorld Bank and others have shown that corruptpayments made to foreign government officials tosecure an unfair business or regulatory advantageare deeply corrosive.deprive governments of resources needed topromote growth and development.The PACI Principles reflect a commitment for changethrough anti-corruption standards and practices.They provide a framework for individual companiesto develop and implement more effective complianceProgrammes, thereby strengthening industry-widegovernance and economic development. A corollaryobjective is to secure a level economic playing fieldfor the increasing number of companies that refuseThe PACI Principles recognize that an effectivecompliance Programmeand procedural components. Signatory companiescommit not only to a zero tolerance policy oncomprehensive system of internal procedures andcontrols. In practical terms, this means having anrisks, educating relevant personnel, implementingoperational procedures, and monitoring and auditingfor compliance. As in other compliance areas, evenThe PACI Principles establish an essentialProgramme baseline, but leave many practicaldesigned to help compliance managers fill thisThe Handbook facilitates implementation efforts intwo ways. First, it offers supplemental guidance andclarification on the meaning of particular PACIstandards. Second, the Handbook identifiescommon implementation practices and suggests aProgramme options. For ease of reference, the Handbook tracks thestructure of the PACI Principles. Section 2 defineseffective Anti-Bribery Programme andimplementation Programme. This is followed inSection 3 by general Programme guidelines thatemphasize the need for reasonable detail, tailoredpractices and employee involvement. Section 4 thendefines what it means to have an effectiveProgramme, in general terms and as applied toactivities. Finally, Section 5 describes corepolicy development, training, enforcement, auditingall sizes in building new anti-corruption Programmesand refining existing ones. While some signatorycompanies may wish to construct new Programmesfrom the ground up, for many, benchmarking a

ndstrengthening of current practice will
ndstrengthening of current practice will be bothdesirable and appropriate. Experience has shownthat for companies with solid existing Programmes,targeted incremental refinements can dramaticallyimprove effectiveness. The PACI Principles are calibrated to produceProgrammes that are also reasonable, cost effectivefound to be effective in achieving a statedProgramme objective. Singling out a particular1Introductionelsewhere and deserves consideration on this basis.Information provided in the Handbook is predicatedon the belief that Òno one size fits allÓ and thatimplementation practices can and should be tailoredto reflect individual corporate circumstances.Programme design must be results oriented,focused on what makes a particular system effectiveProgramme or refining an existing one, a formalstructured approach for assessment and planning isstrongly recommended. The Handbook offers two practical tools fororganizing and conducting planning reviews. Thefirst tool is a procedure, described in Section 3, thatand options. This is supplemented by a resourceinventory, in Section 6, with links to anti-corruptionstandards and industry practice. process and evolving industry practice can beobtained by contacting the World Economic ForumPartnering Against Corruption Initiative (PACI) at6The PACI Principles, which take their name from thetwo ÒprinciplesÓ in this section, reflect the samecomprehensive approach to corruption found in theTransparency International guidelines from whichThis approach combines a rigorousdeveloping and implementing effective complianceProgrammes. companies to prohibit ÒBribery in any formÓ. Briberyis defined to include commercial bribes as well ascorrupt payments to government officials or politicalparties and candidates. The prohibition applieswhether improper payments are made directly orthrough an intermediary, and whether a bribe isactually paid or only offered or promised. standards of conduct. Section 4 provides moreenterpriseÕs activities and developing conformingAn Effective Programmecompanies Òto develop and administer an internalcompliance Programme that effectively makes anenterpriseÕs anti-corruption policy an integral part ofA comp

liance Programme is much more than acomp
liance Programme is much more than acomply. As explained in Section 2, an enterpriseÕsProgramme is Òthe entirety of [itÕs] anti-Briberyefforts, specifically including its code of ethics,policies and procedures, administrative processes,training, guidance and oversightÓ. To be effective, aProgramme must address the full range of issuesand practices normally associated with compliance,from risk assessment, training and operationalprocedures through investigation, response action2The PACI PrinciplesThe PACI Principles The enterprise shall prohibit Bribery in any form. Bribery (ÒBriberyÓ) is the offering, promising or giving, as well as demanding or accepting, of any undueadvantage, whether directly or indirectly, to or from:¥A public official¥A political candidate, party or party official¥Any private sector employee (including a person who directs or works for a private sector enterprise into counter Bribery.An effective Programme is the entirety of an enterpriseÕs anti-bribery efforts, specifically including its code ofenterpriseÕs anti-corruption policy an integral part of daily practice.Section 2 describes the essential PACI commitment, providing signatory companies with a baseline forProgramme development and benchmarking activities.organizational structure and active engagementacross the organization also are important.The PACI Principles recognize that signatorycompanies may have substantial experiencecomplying with legal regimes, including anti-Programmes to implement the PACI commitmentshould build on this experience and resource base.Implementation guidelines in Section 5, togetherused to benchmark and refine existing practice.8These five listed guidelines reflect standardArticulation of the ÒProgrammeÓ Section 3.1 provides that an enterprise Òshoulddevelop a Programme that clearly and in reasonabledetail articulates values, policies and procedures tobe used to prevent Bribery from occurring in allactivities under its effective control.Ó The essentialrequirement is that a Programme describessubstantive standards and the practices used tosubject to the policy. Practices described in Section4.1 (for policy formulation) and elsewhere in theTailoring to C

ircumstances Programme practices Òto ref
ircumstances Programme practices Òto reflect an enterpriseÕsparticular business circumstances and cultureÓ. Thisdirective reflects the adage that Òno one size fits allÓin compliance. It recognizes that practices employedin some Programmes may not always be appropriateto others, at least without adjustment. However, italso suggests a corollary responsibility to identifyand implement practices that do fit an enterpriseÕsunique circumstances. Section 3.3 requires that a Programme Òbe consistentwith all laws relevant to countering Bribery in allstatement recognizes that compliance Programmesmust be developed in accordance with applicablepotentially different anti-corruption laws andstandards. Applicable laws should be identified andanalysed for specific requirements as part of theÒrisk assessmentÓ process described in this section.Programme.Ó It reflects expert opinion thatcompliance is most effective in organizations thatpersonnel. Harnessing their cooperation, motivationeffective implementation. Opportunities for employeeinvolvement are identified throughout the Handbook.3Development of a Programme for Countering BriberyThe PACI Principles 3.1 An enterprise should develop a Programme that clearly and in reasonable detail articulates values,policies and procedures to be used to prevent Bribery from occurring in all activities under its3.2 The Programme should be tailored to reflect an enterpriseÕs particular business circumstances and3.3 The Programme should be consistent with all laws relevant to countering Bribery in all the3.4 The enterprise should involve employees in the implementation of the Programme.3.5 The enterprise should ensure that it is informed of all matters material to the effective developmentand implementation of the Programme, including emerging industry practices, through appropriateGuidelines in this section provide a general framework for the more detailed directives that follow in Sections 4and 5 of the PACI Principles.This final guideline requires monitoring for emergingdevelopments in compliance practice. RegularÒbenchmarkingÓ to measure current efforts andessential feature in successful Programmes. It istypically conducted through a va

riety of mechanisms,periodic Programme r
riety of mechanisms,periodic Programme reviews can be used toregularize and coordinate this monitoring.Programme development should begin with a focusedreview of enterprise risk and existing compliancepractice and resources. This is an essential startingpoint whether planning is for an entirely newProgramme or benchmarking an existing one. Thethree-step process described here can also beadapted for use in Section 5.8 Programme reviews.Step 1: Establishing Work PlansThe first step in compliance planning is a basicÒwork planÓ for the implementation process itself.This will help to assure that everyone on theWork plans can be more or less formal. The importantpoint is that they address core planning issues.¥Programme scope.a clear and reasonably detailed statement ofcorporate objectives. The implementation teammust understand that good compliance requiresdeveloping Programme structure and processes,¥Planning elements. Core planning activities shouldassessment and Programme evaluation.¥Work assignments.Work plans should establishclear lines of responsibility for conducting riskassessments, Programme evaluations and otherthat necessary guidance and adequate resourcesare made available.¥Coordination.Effective compliance requirescoordination across business lines and servicedepartments. Work plans can highlight this issueand direct that individuals responsible for riskassessment and other preparatory activities reach¥Timing.Work plans should establish a firmdeadlines help to keep the process focused andmoving forward. The second planning step is a review to identifycompany-specific corruption risks. Such reviews,commonly referred to as Òrisk assessmentsÓ, are astandard compliance practice and also a PACIrequirement.Assessments provide an individualizedcompliance profile that can be used to focusProgramme activities and resources. Risk assessment is a complex process, made moreso when there are multiple lines of business orcomplicated business structures. Personnelresponsible for conducting assessments need tohave clear and consistent guidance on suchbusiness activities, and how frequently. Compliance managers are encouraged to developwritten guidelines for the assessm

ent process.¥Scope of reviewbusiness pro
ent process.¥Scope of reviewbusiness profile, geographic location, nexus withgovernment, use of agents and other third parties,prior history, and other specific risk indicators.Assessments typically are conducted by line ofacross the full range of enterprise activities,including in connection with controlled affiliates.¥Relationship to general assessment process.is, focused on the types of risk addressed by zerotolerance policies on Bribery. Corruption-specificassessment will produce better information andorganizational focus for the planning process.10periodic updating may be handled through anenterpriseÕs general risk assessment process. ¥Conduct of assessments.be conducted internally or using outside experts.standards and procedures applicable on anFor many areas, their input may be the singlebest source of real-world information about¥Frequency.and nature of anti-corruption risk should beongoing. The nature of an enterpriseÕs legalover time. Periodic reviews help to prevent andrequire adjustment include new lines of businessCoverage Requirementsareas for inquiry. These include:¥Business profile.any context, some types of activity carry greaterinherent risk than others. Corporate riskassessments should provide a general profile ofperceived areas of higher risk. ¥Geographic location.activity, corruption risk can vary significantly bycountry and region. The Corruption PerceptionsIndex (CPI) published by Transparency Internationalidentifies perceived levels of corruption risk bycountry. This data, combined with informationfrom line personnel and other business sources,¥Government nexus.The greater the requirementfor government contacts, the greater the inherentrisk; hence, the need to access the full range ofgovernment nexus points. Risk factors unique to¥Operational factors.marketing for procurement activities), operationalstructures (use of agents, affiliates, joint ventures)and control practices (for example, consultantapprovals). This information can be used to targettraining and other implementation activities. ¥Applicable laws and policies.Cross-bordercorporate ethics rules. The assessment processSuspicious practices and circumstances that mayProgramme us

e. These are commonly referred to asÒred
e. These are commonly referred to asÒred flagsÓ.Red flags are an essential tool for risk assessmentand other Programme activities, including duediligence review. As the name suggests, they areheightened scrutiny. Common red flags include high-risk geographic areas or industry sectors, unusualgovernment ties (e.g. through family connections),lack of relevant business expertise or experience,non-standard compensation terms and suspiciouspayment circumstances. These and other generalindicators are most effective when adapted toparticular real-world situations. Step 3: Preparing ProgrammeThe third and final preparatory step is a ÒProgrammeevaluationÓ to determine whether identified risks arebeing effectively managed. Evaluations should be prepared by the individual orteam with operational responsibility for Programmeimplementation. A formal process is generallyrecommended for the initial anti-corruptionevaluation because of the scope and complexity ofissues that will need to be addressed. Planningshould take advantage of existing resources andengage relevant stakeholders. Both improve theProgramme support.11Programme evaluations provide a baselinea roadmap for refinements and futureimplementation. The resulting work product can beused as a reference document for planners and alsoto educate enterprise leadership about ProgrammeEvaluation typically is a four-step process. The steps¥Inventorying existing resources.existing resources should be prepared, describingcurrent compliance practice and identifyingrelevant personnel and other resources. For manycompanies, key Programme elements mayalready be in place that can be adapted for anti-¥Assessing strengths and weaknesses.resources can then be measured against thecorporate risk profile. This review should identifycurrent Programme strengths and weaknesses.¥Identifying needs and response options.step in the process is to identify areas forimprovement. These can be divided intonecessary and optional Programme refinements.A menu of possible response options can beHandbook and from other sources.¥Devising an appropriate implementation plan.refinements. Implementation planning shouldaddress the same operational issues noted

earlierfor preliminary work plans (e.g.
earlierfor preliminary work plans (e.g. scope,assignments, coordination and timing), as well asthe communications strategy for Òrolling outÓ thenew or modified anti-corruption Programme.As has been noted, implementation activities needto be tailored to an enterpriseÕs uniquecircumstances and there will be considerable latitudeProgramme evaluation will help to ensure judgmentsare made on a well informed, consistent andcoordinated basis.12Following this preamble, Section 4 explains what itmeans for an enterprise to Òprohibit Bribery in anyformÓ. Standards are set out in five subsections,beginning with a general statement of the policyThe preamble contains two general directives,enterprise Òidentify and assess specific areas thatpose the greatest risks from corruption.Ó Riskassessment procedures described in the precedingcradle-to-grave reviews for identifying priority risksThe second directive is that an enterprise Òreflectemerging practiceÓ in its Programme. This requiresactivity most susceptible to corruption and Bribery.ÓFor example, evidence that a competitor has beenconfronted by corruption demands in a particularmarket should draw attention to an enterpriseÕs ownstandards and protective measures for the same or4The Programme: Scope and GuidelinesThe PACI Principles In developing its Programme for countering Bribery, an enterprise should identify and assess specific areasThe Programme should reflect emerging practice, with particular attention to the industry sector and typesand locations of business activity most susceptible to corruption and Bribery. Section 4 of the PACI Principles establishes guidelines for an enterpriseÕs anti-Bribery policy and standards ofconduct. This is the substantive Programme component. The PACI Principles require a clear statement,reinforced by procedures and controls, that anbusiness dealings, whether carried out directly orthrough a third party. All third-party transactions arecovered by this rule, including those conductedthrough subsidiaries, joint ventures, agents or otherthe Bribery prohibition to these relationships areThe definition of Bribery in Section 2 of the PACIPrinciples should be used to guide corporate poli

cy.With one notable exception, the defin
cy.With one notable exception, the definition reflectsCombating Bribery of Foreign Public Officials inInternational Business Transactionsexception is for commercial Bribery, which is notaddressed by the OECD Convention. Most largeenterprises, however, already include prohibitions oncommercial Bribery in their business ethics rules.Companies in some jurisdictions are also subject toprohibit or require proper recording or disclosure ofcommercial Bribery. Bribery should be prohibited regardless of the form ittakes or the channels used to make or offer apayment. Financial payments are most common, buta prohibited inducement can come in any form.improper travel reimbursements and job or businessopportunities for an officialÕs family members, friendsWhile some applications of the Bribery prohibitionwill be obvious, many others are more subtle.Section 4.1.3 accordingly directs that a signatorycompany include in its Programme Òguidance on themeaning and scope of this prohibition, withparticular attention to areas of high riskÓ. Signatory companies are expected to reflect theiranti-Bribery commitments in a formal policystatement and Programme guidelines. This has threerisks; (ii) formulating an appropriate policy response;and (iii) developing written Programme materials.additional practical information (including samplePolicy development should begin with a review toidentify Òspecific areas that pose the greatest risksfrom corruptionÓ. This is the same Òrisk assessmentÓprocess described in Section 3. An initial baselineupdating to reflect changes in business or other risk4.1BribesThe PACI Principles All Programmes should at a minimum cover the following areas:4.1.1 The enterprise should prohibit Bribery in all business transactions that are carried out either directlyconsultants, brokers, contractors, suppliers or any other intermediary under its effective control.4.1.2 The enterprise should prohibit Bribery in any form, including on any contract payment or portion of a4.1.3 The Programme should provide guidance on the meaning and scope of this prohibition, withparticular attention to areas of high risk to a company in its business sector.This first section provides a

dditional guidance on the meaning and sc
dditional guidance on the meaning and scope of the PACI commitment to ÒprohibitProgramme policy statement and guidelines can beconsidered are Programme scope, consistency withProgramme Scope An enterpriseÕs anti-corruption policy should clearlyidentify all conduct prohibited by the policy. Policyprohibition applies to all business transactions andThey should also confirm the ProgrammeÕstransactions carried out through agents and otherPolicy guidelines should reflect the definition ofBribery found in Section 2 of the PACI Principles. Itis not enough, however, merely to restate thisshould also explain in more concrete terms what theprohibition means and how it applies to businessMany companies will find it useful for planning andtraining purposes to define the Bribery prohibitionthrough its component parts, each of which must bepresent to constitute Bribery. One commonformulation breaks down the policy into the following¥A person covered by the policy.An enterpriseÕsorganization, subject to pre-existing agreementssuch as collective bargaining agreements, and inall activities under its effective control. cash payments, but can involve giving or offeringbribe is actually given or only offered or promised,To a covered official or other person. All business-related bribes are prohibited, whether they involvepublic officials or private individuals. This includesany direct benefit to such persons, as well as anybenefit to others made at their request or for theirbenefit (such as a directed political or charitable¥Directly or indirectly.Bribery restrictions applywhether a bribe is made directly by enterprisepersonnel or through another person. Such other¥To secure an improper business advantage.Bribery may not be used to obtain, retain or directbusiness or to secure any improper businessadvantage. This includes regulatory benefits (suchas licensing or approvals), as well as obtaining orretaining business.This formulation and others like it provide a practicalBribery prohibition. Policy statements also can beofficialÓ and Òbusiness advantageÓ, and to distinguishpromotion). The PACI Principles set a floor for an enterpriseÕsanti-corruption policy and standards of conduct.T

his guidance should be considered in con
his guidance should be considered in conjunctionwith relevant national laws and regulations. Anti-establish comparable prohibitions, but may differ insome areas. Not all laws, for example, addressProgramme standards should be consistent withlaws relevant to countering Bribery in theWhere such laws are less restrictive than the PACIcontravene applicable law. For instance, Programmestandards should prohibit political payments madebe explicitly addressed by a particular national law. assessment process. Material differences should benoted and appropriate procedures devised tocalibrate Programme implementation for different15example, that operations conducted through somesubsidiaries or joint ventures but not others are injurisdictions that recognize a facilitation paymentsexception. Specific differences need not beimportant, however, to alert responsible personnel topossible differences and circumstances that maywarrant further legal inquiry.An enterpriseÕs Programme should provide practicalprohibition, with particular attention to areas of highrisk. This directive is codified in Section 4.1.3. The ultimate test of an effective Programme iscompliance with the zero tolerance policy. This canunderstand what the policy covers and requires.reinforced through training and othercommunications practices, with appropriate tailoringfor different employee functions and groups. Policystatements are discussed below in theimplementation section, and training and employeeadvice channels in Sections 5.4 and 5.5 of theBright-line Standards OptionProgramme standards should take into accountdifficulties that can occur in applying the Briberyprohibition to specific transactions or circumstances. Ð such as whether benefits offered or conveyed areÒimproperÓ. There are two common approaches tothis problem. One is to establish Òbright-lineÓ teststhat may be over-inclusive but easily understood andRules prohibiting political or charitablecontributions, or requiring prior managementapproval, are a frequent example. The alternativeapproach is a rule that more closely tracks legal andethical prohibitions and relies on line personnel andcompliance managers to identify and avoidproscribed con

duct. Programmes that permitÒreasonableÓ
duct. Programmes that permitÒreasonableÓ gifts, contributions or facilitationpayments reflect this practice.Both approaches are acceptable, and often foundfor different areas in the same Programme. Forstandards development, the critical difference is inthe detail required for explanatory materials andrelated training. Nuanced rules place a much heavierpremium on specifics. Personnel and agents subjectto the Bribery prohibition need to be given enoughinformation to Òred flagÓ suspicious circumstancesguidance. Bribery red-flagging is addressed atgreater length in the Handbook discussion onThe third step in standards development is toprepare Programme materials that memorialize andcommunicate the anti-Bribery policy. Primarystatements, practitioner handbooks and protectivecontract provisions. compliance document in most Programmes,providing a capsule summary of an enterpriseÕs legalreflect the new policy. Formulations that describe corporate policy in clear,non-technical terms are most effective. Where Codeformat and style permit, it can also be useful toinclude a statement explaining why zero toleranceon Bribery is an enterprise priority. Because this mayrange of conduct covered by the Bribery prohibitioncompliance materials and not enough, by itself, tosatisfy the requirement that a Programme Òclearlyand in reasonable detailÓ articulate corporate values,policies and procedures for preventing Bribery.relevant personnel more detailed guidance,commonly referred to as Òpolicy statementsÓ. Thesestatements provide an opportunity for moreexpansive discussion of anti-Bribery standards andprocedures, including sector-specific applications.Policy statements vary from company to company,much more comprehensive. More substantial policy16statements will be appropriate for most companies,given the nature and scope of corruption risks inindividual sectors. Practitioner guides (manuals or handbooks) are athird common type of document, used as acounselling aid for lawyers and others responsiblefor providing compliance advice. They contain morerules to particular circumstances. effective management tool, especially whereshould trigger periodic inquiries from personnel inthe fie

ld about the anti-bribery policyÕs appli
ld about the anti-bribery policyÕs applicability inincrease consistent application. Contract Protections Anti-Bribery contract clauses are another commoncompliance tool. They are used for a variety ofThe PACI requirement, in Section 5.2, is thatBribery commitments and secure a right oftermination for non-compliance. Contract clausesa)ÒWarrantÓ (i.e. contractually promise) compliance b)Establish appropriate monitoring and oversightprocedures c)Mandate notice of violations and cooperation ind)Impose roll-down requirements (e.g. for agents,17The PACI Principles recognize that politicalbut require that an enterprise adopt reasonablemeasures to prevent circumvention of the Briberyprohibition. Contributions must be transparent,made in accordance with applicable law andmonitored through appropriate controls andprocedures. made directly or indirectly by an enterprise, itsemployees or intermediaries. Contributions coveredparty officials, candidates or organizations, or anysupport for a political party, cause or candidacy.Bribery through political contributions is a particularrisk depending upon the nature and location of anenterpriseÕs activities. Guidelines in this section canbe used to establish new control measures or tostrengthen existing ones.A threshold question for signatory companies iswhether to establish a bright-line prohibition againstprohibitions can be easier to administer, and alsosafer, but may not always be a practical option. Onthe other hand, campaign finance laws in somecountries may already prohibit or sharply restrictAn enterprise that prohibits some or all politicalCode of Conduct. Programmes that permitreasonably detailed guidelines that implementcontrols for anti-circumvention, transparency andcompliance with law mandated by Section 4.2.These are described in greater detail below. Programme guidelines should define coveredactivities. They should explain, for example, thatthat Programme controls apply whether a politicalcontribution is made directly or through an agent orother independent person or entity. Guidelinesshould also identify applicable restrictions andcontrol procedures, such as contribution limits(maximum contributions are often set

by local law),management approval proced
by local law),management approval procedures (common abovecertain de minimis thresholds) and record keepingand reporting requirements. Transparency and Consistency with LawSection 4.2.2 requires that political contributions betransparent and made only in accordance withapplicable law. Transparency requires accurate record keeping.accurately identified in enterprise accounts.Contributions should never be made from secret orother offline accounts, or made indirectly through4.2Political ContributionsThe PACI Principles 4.2.1 The enterprise, its employees or intermediaries should not make direct or indirect contributions tosubterfuge for Bribery.4.2.2 All political contributions should be transparent and made only in accordance with applicable law.4.2.3 The Programme should include controls and procedures to ensure that improper politicalSection 4 of the PACI Principles establishes guidelines for an enterpriseÕs anti-Bribery policy and standards ofconduct. This is the substantive Programme component. prohibition on indirect contributions should includeenterprise reimbursement of political contributionsmade by individuals (this is an express prohibition inmany countries that restrict corporate politicalsuspicious circumstances.An enterpriseÕs commitment to limiting politicallawÓ should be supported by appropriate controlsfor confirming that the laws of relevant jurisdictionsare identified and followed. This can be a challengefor companies with an international presence. Rulesgoverning corporate contributions vary from onecountry. While some laws prohibit corporatecontributions entirely, others merely limit contributionlevels or impose public disclosure or reportingrequirements. Compliance is further complicated bymay be made, for example, based on an entityÕsstatus (whether domestic or foreign) or for differentkinds of contribution activity.Controls and ProceduresThe directive that a Programme Òinclude controlsand procedures to ensure that improper politicalcontributions are not madeÓ may be satisfiedthrough training, due diligence, record keeping andA number of measures can be employed to managepolitical contributions activity. Prior-approvalprocedures are common

, and these are sometimescombined with a
, and these are sometimescombined with a more or less formal committeestructure to review and authorize politicalcontributions. Programmes also may establishselective restrictions by country (e.g. whereprohibited) or for particularly complex or sensitivecontributions expert from the legal department orcompliance office to field inquiries and help withan enterpriseÕs government relations personnel, asmeasures described in Section 5.2 of the Handbookcan also be adapted for contribution control19As with political contributions, the PACI Principlesrecognize that charitable contributions andpurposes but must be monitored to preventcircumvention of the Bribery prohibition. Section 4.3requires that contributions and sponsorships betransparent, made only in accordance with applicablelaw and subject to appropriate controls andprocedures. Charitable contributions are payments made for thebenefit of society, for charitable, educational, socialwelfare and similar purposes. The payments are madewithout demand or expectation of business return.investment programmes, which can involve importantSponsorship is a transaction where the enterprisereceives rights and benefits such as the use of thesponsored organizationÕs name, advertising creditsin events and publications, use of facilities andopportunities to promote its name, products andpart of promotion and advertising.Charitable and sponsorship activities are common,and most companies should be able to addressPACI concerns through incremental adjustments toestablished controls.Practices described in the preceding section forcontributions and sponsorship activity. Programmesshould have specific guidelines and procedures forpreventing circumvention of the Bribery prohibition.These should be reflected in policy documents andeffectively communicated to relevant personnelthrough training and other means.Transparency and Consistency with Lawtransparent and in accordance with applicable law.Payments should be fairly and accurately recordedcontributions, reputational risk can be a goodpractical measure. Activities that might embarrassscrutiny. Controls and ProceduresAn enterprise should have reasonable controls forpreventing improper

charitable contributions andsponsorship
charitable contributions andsponsorships. These typically address due diligence,management approval, monitoring and¥Due diligence.recipients of sponsorship are not conduits forBribery. Standard due diligence procedures can beemployed to verify a recipient organizationÕs bona4.3Charitable Contributions and SponsorshipsThe PACI Principles subterfuge for Bribery.applicable law.Charitable contributions and sponsorships are another potential corruption channel, subject to comparablecontrols for preventing Bribery.¥Approval procedures.Sponsorship is a routineapproved and administered within the normalpurchasing process. Designated levels ofapproval for charitable contributions should beestablished, with appropriate reporting and¥Monitoring and documentation.Proceduresshould provide for monitoring and tracking ofpayments to be sure they are applied to theintended purpose. Findings should be recordedand reviewed periodically by management toconfirm that payments fall within the policy and21The PACI Principles establish as an aspirational goalalso recognize that for the immediate future suchpayments may be allowed under some Programmes.To prevent abuse, signatory companies that continuethis exceptionÕs limited scope and establish effectivecontrol procedures.upon the specific anti-corruption statutes governingits business activity. Some but not all laws establishedpayments from general prohibitions. Activities subjectto restrictive laws should comport with those laws. Where facilitation payments are exempt fromapplicable statutes dealing with Bribery of foreigngovernment officials, an enterprise may makeLocal Law Prohibition Section 4.4.1(a) directs enterprises to ÒexplainÓ intheir Programme that facilitation payments aregenerally illegal in the foreign country concerned.This explanation should be conveyed through policydocuments, training and other appropriate means.Programmes should recognize the difficult practicaldemands. Local law prohibitions notwithstanding,facilitation demands by minor public officials aredemands are routine and can be managed throughrestrictive Programme standards. In some instances,however, refusal to respond to an extortionateor even rais

e threats to life and health. Signatory
e threats to life and health. Signatory companies are encouraged to develop anoversight process for handling non-routine facilitationdemands. This responsibility is often assigned to athrough a compliance committee. In either case, theprocess can be used to identify common facilitationdemands and formulate appropriate policy responses. Section 4.4.1(b) requires an enterprise to explain inits Programme that facilitation payments Òare of limitedscope and must be appropriately accounted forÓ. Programme guidance on facilitation payments shouldreflect applicable legal standards. Under most anti-corruption laws (and all those in conformance with theOECD Convention), payments exempted fromfacilitate routine governmental actions to which anenterprise is already entitled. The facilitationprovision in the US Foreign Corrupt Practices Act isillustrative. It limits exempt facilitation to Òroutinegovernment actionÓ, defined narrowly to mean: Òonly an action which is ordinarily and commonlyperformed by a foreign official in (i) obtaining4.4Facilitation PaymentsThe PACI Principles 4.4.1 Recognizing that facilitation payments are prohibited under the anti-bribery laws of most countries,foreign country concerned; (b) emphasizing in their Programme that they are of limited nature andits employees.These are small payments made to secure or expedite the performance ofCharitable contributions and sponsorships are another potential corruption channel, subject to comparablecontrols for preventing Bribery.qualify a person to do business in a foreign country;pick-up and delivery, or scheduling inspectionsrelated to transit of goods across country; (iv)providing phone service, power and water supply,deterioration; or (v) actions of a similar nature.Ósecure certain qualifying routine actions and notwhenever payments will ÒfacilitateÓ a desiredControls and ProceduresSection 4.4.1(c) directs that an enterprise include inits Programme Òappropriate controls and proceduresControl procedures typically address the followingareas: ¥Identification and assessment.assessment process. Timelines can be used todevelop appropriate policy responses. ¥Employee training and guidance.Programme materials

and training can be used toidentify gove
and training can be used toidentify government actions considered ÒroutineÓ¥Approval procedures.Prior-approval requirementsmay be considered above de minimus levels.Authorization also may be considered on a categorybasis, for certain business activities and regions. ¥Record keeping and reporting.Procedures shouldbe established for internal reporting of facilitationdemands and accounting when payments aremade. These should take into account relevant¥Monitoring and oversight. demands and payments should be reviewed forconsistency with enterprise policy. At-riskapplicable standards and procedures. 23The PACI Principles recognize that gifts, hospitality andpayment of expenses are necessary and reasonablevary across societies. Guidelines in this section areintended to prevent using gifts and hospitality orexpense payments as a subterfuge for Bribery. The terms ÒgiftÓ, ÒhospitalityÓ and ÒexpensesÓ are notdefined, but are intended to have their ordinaryfriendship or appreciation. ÒHospitalityÓ is generallybusiness development and relationship building.ÒExpensesÓ refers to reimbursement of travel andsimilar expenses incurred by a prospective client,customer or business partner.Corporate ethics Programmes typically includeand expense reimbursement. At most signatorycompanies, these general policies will satisfy PACIBribery concerns or can easily be modified to do so.StandardsProgramme policies can be flexible in recognizingand accommodating local customs and culturaldifferences, but should set out clear standards ofconduct and guidelines for preventing improperrelationships and transactions. Programmes should identify covered activities andprovide enterprise personnel with reasonablydetailed guidance on restrictions, approvalprocedures and reporting requirements.An enterprise should have reasonable controls andprocedures for preventing Bribery. Specific referenceis made in Section 4.5.2 to threshold and reportingrequirements common to many Programmes. Thesepayments above which reporting is required. Controlprocedures can also be used to establish prior-approval requirements above a certain level.4.5Gifts, Hospitality and ExpensesThe PACI Principles 4.5.1 The enterpri

se should prohibit the offer or receipt
se should prohibit the offer or receipt of gifts, hospitality or expenses whenever such4.5.2 The Programme should include controls and procedures, including thresholds and reportingprocedures, to ensure that the enterpriseÕs policies relating to gifts, hospitality and expenses areThis final section establishes guidelines for preventing improper gift, hospitality and expense practices. Section 5 identifies the structural and proceduralrequirements Òthat an enterprise should meet, at aminimum, when implementing the Programme.ÓThey give operational meaning to the PACI principlethat an enterprise match its commitment with aneffective Programme of internal procedures andcontrols. Programme requirements are addressed in eightseparate categories. The first category, in Section5.1, emphasizes the importance of high-levelleadership and a good organizational structure forguidelines for applying Programme requirements toaffiliates, joint ventures, agents and other businesspartners. Section 5.3 discusses screening,evaluation and other Human Resources practicesnecessary to an open compliance environment. Three additional categories address training (Section5.4), advice and reporting channels (Section 5.5)and other communications (Section 5.6). The finaltwo categories deal with internal control and auditThese eight categories, when implemented, willconstitute the basis of an effective Programme. 5Programme Implementation RequirementsThe PACI Principles Section 5 of the PACI Principles describes the minimum requirements when implementing the Programme. Section 5.1 places ultimate responsibility for anenterpriseÕs Programme on its board of directors, orÒequivalent bodyÓ for enterprises with a differentgovernance structure. As in other areas of corporategovernance, the responsibility is one of generaldirection and oversight. Directors are expected to beProgramme, to provide Òleadership, resources andactive support for managementÕs implementation ofthe ProgrammeÓ and to ensure that the Programmeis reviewed periodically for effectiveness. Operational responsibility rests with an enterpriseÕschief executive officer (CEO), or executive board fororganizations with this managemen

t structure. Theresponsibility is to see
t structure. Theresponsibility is to see Òthat the Programme isHaving Òclear lines of authorityÓ means a reasonableand effective management structure for complianceactivities. Programme responsibility may beredelegated, but only to high-level managers with adirect reporting line to the CEO or executive board. In addition to these oversight responsibilities, anenterpriseÕs board, CEO and senior management arecommitmentÓ to implementation of the PACIleadership are identified in the discussion thatThe board and senior management are responsiblefor creating and maintaining an environment thatactively promotes compliance with the commitment.Implementation should begin with a strong andunambiguous statement of commitment from anenterpriseÕs senior leadership. The board and seniororganization that they are serious about theProgramme and have made it a high priority. If anenterpriseÕs leaders do not appear to takecompliance seriously, neither will its employees. 5.1Organization and ResponsibilitiesThe PACI Principles 5.1.1 The Board of Directors (or equivalent body) is responsible for overseeing the development and5.1.2 The Programme should be based on the PACI Principles and the Board (or equivalent body) shouldprovide leadership, resources and active support for managementÕs implementation of the Programme.5.1.3 The Board (or equivalent body) should ensure that the Programme is reviewed for effectiveness and,5.1.4 The Chief Executive Officer (or executive board) is responsible for seeing that the Programme iscarried out consistently with clear lines of authority. 5.1.5 Authority for implementation of the Programme should be assigned to senior management withdirect line reporting to the Chief Executive Officer or comparable authority.5.1.6 The Board of Directors (or equivalent body), Chief Executive Officer (or executive board) and seniormanagement should demonstrate visible and active commitment to the implementation of the PACIThis initial implementation category addresses minimum Programme requirements for leadership andorganizational structure. begins with an enterpriseÕs policy statement andcompliance expectations. With the appropriatewording and tone, they can

also be used toCommitment statements sh
also be used toCommitment statements should reflect goodcommunication practice. Programme documents aremost effective when they (a) convey organizationalthe organization (one company, one set of rules). Where feasible, communications should combine adirective to follow corporate policy with positivereasons for doing so. It can be especially helpful toLine personnel are being asked to forego practicesthat may be common elsewhere and still considerednecessary by some. Understanding the reasons forthis approach can help to minimize resistance. Policy documents are a necessary starting point, butonly part of what should be a broader leadershipeffort. As in other areas important to an enterprise,careful planning is needed to inform the relevantstakeholders about Programme goals andexpectations. Primary stakeholder groups include anenterpriseÕs directors, management, businesspersonnel and support groups (e.g. audit, legal,human resources). The planning process in Section3 can be used to shape the Programme messagefor these discrete groups and to devise effectiveIn addition to facilitating initial Programme Òroll-outÓ,the planning process can be used to identifyleadership tools for periodically refreshing thepersonal statement from the CEO or other seniorbusiness manager when Code or other Programmematerials are circulated. Other commoncommunication tools include periodic remindersfrom senior management to key personnel,statements at management meetings, newslettersand training directives. Matching Words and ActionsEnterprise leaders can reinforce the compliancemessage through staffing and other resourceallocation decisions, attention to Programme details,activities and other similar actions. Programme guidance provided to directors andsenior management can be another importantmarker. Leadership education is implicit in the PACI guidelinethat the board ÒoverseeÓ development andimplementation of an effective Programme and thechief executive officer see that an effectiveProgramme is carried out. Basic knowledge of theparticular information and reporting systemsemployed by the enterprise is a predicaterequirement for concluding that the system issend the message that Prog

ramme requirements,in the organization a
ramme requirements,in the organization as appropriate.An enterpriseÕs commitment to leadership educationdoes not mean that directors and senior managersmust participate in routine training activities. Contentcan be tailored to supervisory and oversightresponsibilities and communicated via pre-existingchannels. For directors, necessary information maybe provided through additions to standard ÒBoardBookÓ materials and periodic Programme briefings asrequired. As an example of the latter, many companiesthat manage compliance through an audit or otherspecialized committee supplement this with anannual briefing for the entire Board. This may also bepart of a larger, more comprehensive complianceand ethics report to the board or its committees.Step 2: Organizational Structure appropriate organizational structure for complianceactivities with clear lines of authority. Many enterprises find it helpful to formalizeProgramme functions and responsibilities in a writtenpolicy document. Organizational plans may restatean enterpriseÕs policy commitment, assign Programmeresponsibilities and list minimum implementationrequirements. 27Business activities are conducted through a varietyof legal structures, including controlled subsidiaries,joint ventures, consortiums and teamingagreements. Programme requirements have beenextended to these relationships because of theSection 5.2 identifies guidelines for differentcategories of business relationships. Requirementsare calibrated based on the degree of enterprisecontrol and the nature of the relationship. Signatorycompanies are expected to extend Programmerequirements in all material respects to the activitiesof branch offices, wholly-owned subsidiaries andother controlled entities. More limited guidelines,detailed in separate sections, are established forjoint ventures, agents, suppliers and contractors.5.2Business RelationshipsThe PACI Principles Section 5.2 establishes guidelines for applying Programme requirements to different kinds of businessrelationships. Details vary depending on the extent of control and nature of the relationship.This first section addresses Programme coverage for branch offices, wholly-owned subsidiari

es and othercontrolled entities.Program
es and othercontrolled entities.Programmes should be designed and implementedrespects to controlled subsidiaries. A controlledsubsidiary is any entity in which the parent companyhas a majority equity interest or otherwise exerciseseffective control over operations. Full Programmecoverage should also extend to controlled branchoffices.Programme coverage for controlled subsidiaries andbranch offices should be at the same level, and withthe same basic standards and requirements, as atthe parent company. In operational terms, thismeans providing for comparable employee training,reporting channels, oversight and other Programmeactivities. Practice can be tailored to reflect localneeds and circumstances, provided thatProgramme requirements in Òall material respectsÓ. The PACI Principles 5.2.1.1 The Programme should be designed and implemented on an enterprise-wide basis, applicable in allmaterial respects to controlled subsidiary entities.5.2.1.2 The enterprise should undertake measures to see that the conduct of subsidiary entities isProgramme planning and evaluation, including riskwide basis. Coverage for controlled subsidiaries andbranch offices should be explicit, with clearly definedlines of responsibility, reporting and accountability. Inmost cases, it will be appropriate to extendProgramme coverage and requirements directly tocontrolled subsidiaries. Where this is not feasible, anand implement a comparable Programme of its own. Section 5.2.1.2 directs companies, to Òundertakemeasures to see that the conduct of subsidiaryentities is consistent with the PACI Principles.Ó Asappropriate to the corporate structure, if subsidiariescompliance functions, periodic assurance from asubsidiaryÕs senior business manager thatProgramme requirements are being followed mightbe required. Such assurances may be in the form ofan annual certification that reports on enforcementexperience, overall Programme effectiveness andfuture implementation planning. Annual certificationis discussed in Section 5.8. Coordination also canbe addressed through enterprise-wide compliancecommittees and appointment of subordinate5.2.2 Joint VenturesSection 5.2.2 identifies Programme requirements fo

r business conducted through non-control
r business conducted through non-controlled entities,including joint ventures, minority-controlled subsidiaries, consortium partners, teaming agreements andThe PACI Principles 5.2.2.1 Due diligence should be conducted before entering into a joint venture, and on an ongoing basis as5.2.2.2 The enterprise should undertake appropriate measures, including contract protections, to ensurethat the conduct of joint ventures is consistent with the PACI Principles.Joint ventures and other legal structures for sharingbusiness risk are common. It is important tounderstand the challenges they pose for Programmeimplementation. Joint venture partners, especially localavenue for corruption. The PACI Principles recognizethat an enterpriseÕs ability to control third-activities may be limited. At the same time, they requirea reasonable and good faith effort to prevent conductthat could not be taken directly by the enterprise. Section 5.2.2 establishes two basic requirements.The first is that an enterprise undertake reasonabledue diligence to confirm the suitability of a potentialbusiness partner. Many companies already include acorruption screen in their normal pre-venturereviews, and for those not currently covered, theadditional administrative burden should be modest.The second Programme commitment is toundertake ÒappropriateÓ measures to ensure thatconduct by the venture is consistent with the PACIPrinciples. The foremost of such measures includeprophylactic contract provisions. The diligence ÒdueÓ before entering into a joint venture,on specific risks and circumstances. This is a flexiblestandard, requiring companies to use their goodfaith judgment to determine the appropriate leveland frequency of review for a particular businessrelationship or project. Similar considerations governjudgments about the specific measures deemedÒappropriateÓ to ensure that venture conduct remainsconsistent with the PACI anti-corruption extending Programme requirements to activitiesconducted through joint ventures and other similarbusiness structures.Even more than in other business contexts, effectivecompliance for joint ventures requires carefulwith implementation responsibility. conducted as

part of the general planning processdes
part of the general planning processdescribed in Section 3 of the Handbook. Joint venturealso for the quality and effectiveness of anti-corruptionprocedures and controls. Resulting action plans canProgramme requirements to joint venture activities. Section 5.2.2.1 mandates due diligence review forall joint ventures, as warranted, before entering intothe relationship and Òon an ongoing basis ascircumstances warrantÓ.diligence requirement is to Òknow oneÕs partnerÓ. Inoperational terms, this means making appropriatepartner is honest, ethical and can reasonably berefrain from Bribery. Primary areas of inquiry includea potential partnerÕs business qualifications (e.g.objectives), its ethics reputation and record (e.g.whether there is evidence of past corruption) and itspersonnel and their relationships (e.g. the nature andextent of governmental ties). An ethics questionnaire or other standardreviews, and can be helpful and appropriate for aat the outset. Information provided by a potentialcompared with data from other sources. Additionalinformation sources include an enterpriseÕs owngovernment (especially consular officials), publicrecords (often, although not always, available in thepartnerÕs home country), general publications(accessible through web searches) and specializedThe diligence due for a particular relationship orproject will depend on specific circumstances andshould be more thorough where corruption risk ishigh and can be more limited where perceived risk islow. Monitoring for corruption risk is an ongoingobligation. For joint ventures with a high level ofassociated risk, the ability to have periodic reviewsshould be considered. Whether or not periodicreviews are scheduled, an enterprise should monitorfor red flags and promptly investigate suspiciouscircumstances.Management Approvals Management approvals are an important means ofcontrolling risk. Most companies already requirehigh-level approval before entering into substantialjoint venture or other third-party businessrelationships. Corruption factors should be aninformation developed through project-specific duediligence and risk assessment reviews.Contract Protections Prophylactic contract provision

s are anotherimportant Programme tool. T
s are anotherimportant Programme tool. They are one of severalÒappropriate measuresÓ an enterprise is expected toÒundertake [...] to ensure that the conduct of jointventures is consistent with the PACI Principles.Ó standard contract language for use on an enterprise-wide basis. Such provisions are added to theinventory of general representations, warranties andprotections available for joint venture agreements. These typically include a representation/warranty to comply with law and remedies should includeinnocent party.30Documentation Implementation activities should be fully documented.Section 5.2.3 addresses Programme requirements for business conducted through an agent, adviser or other intermediary.The PACI Principles 5.2.3.1The enterprise should undertake due diligence before appointing an agent, adviser or otherintermediary, and on an ongoing basis as circumstances warrant.5.2.3.2The Programme should provide guidance for conducting due diligence, entering into contractualrelationships and supervising the conduct of an agent, adviser or other intermediary.5.2.3.3Due diligence review and other material aspects of the relationship with the agent, adviser or otherintermediary should be documented. 5.2.3.4All agreements with agents, advisers and other intermediaries should require prior approval of senior5.2.3.5The agent, adviser or other intermediary should contractually agree in writing to comply with theenterpriseÕs Programme and should be provided with materials explaining this obligation.5.2.3.6Provision should be included in all contracts with agents, advisers and other intermediaries relatingremuneration for legitimate services rendered and should be paid through bona fide channels.5.2.3.8The enterprise should monitor the conduct of its agents, advisers and other intermediaries and5.2.3.8.1 All agreements with agents, advisers and other intermediaries should require prior approval of5.2.3.8.2 The agent, adviser or other intermediary should contractually agree in writing to comply with theenterpriseÕs Programme and should be provided with materials explaining this obligation.Provision should be included in all contracts with agents, advisers and other

intermediaries relatingto5.2.3.8.4 remu
intermediaries relatingto5.2.3.8.4 remuneration for legitimate services rendered and should be paid through bona fide channels.have a contractual right of termination in case of conduct inconsistent with the Programme.Agents, advisers and other intermediaries areanother source of potential corruption risk forsignatory companies. The PACI Principles recognizethe valuable contribution of these relationships inmany areas of business, but require measures toprevent Bribery. As in joint venture relationships, an enterpriseÕsprimary responsibility is to undertake reasonable duediligence to confirm the suitability of a prospectivecircumstances warrant. Many companies alreadyinclude a corruption screen in their normal reviewpossible to address additional PACI directivesthrough incremental adjustments to existing practice. As elsewhere, the diligence due before entering intoan agent relationship, and on an ongoing basis, willdepend on specific risks and circumstances. Thisflexible standard requires an enterprise to exerciseits good faith judgment to determine the appropriatelevel and frequency of review for a particularbusiness relationship.Section 5.2.3 enumerates six specific Programmerequirements in addition to conducting reasonabledue diligence. Each is discussed in theimplementation section below. Briefly, they directthat an enterprise provide its employees withcontractual relationships and supervising a retainedagent or other intermediary. Guidance shouldaddress documentation requirements, approvalprocedures, contract protections, compensationRequirements in this section apply to all businessrelationships with agents, advisers and other similarintermediaries. These coverage terms are notdefined, but are generally understood to mean aor to otherwise represent, an enterprise infurtherance of its business interests. For ease ofreference, the discussion that follows uses the termPACI standards for agent relationships are moredetailed than in other areas because of thepractices are summarized below. guidelines and procedures for applying Programmerequirements to relationships with agents. This isimplicit in the directive in Section 5.2.3.2 that anenterprise Òprovide gu

idanceÓ for conducting duediligence, ent
idanceÓ for conducting duediligence, entering into contractual relationships andsupervising an agentÕs conduct.Programme applies to the appointment andresponsible for implementation and describe relevantanti-corruption standards and procedures. The latterGuidelines for applying the Programme to agentrelationships can be developed as part of theSection 3 planning process. The diligence due for a particular agent relationshipwill depend on specific circumstances and associatedcorruption risk. As a general matter, inquiry shouldbe more thorough where corruption risk is high andcan be more limited where perceived risk is low. Aswith joint ventures, high-risk relationships maywarrant periodic review to confirm an agentÕscontinuing suitability to represent the enterprise.Practices described in the preceding section for jointventures also apply to due diligence review for agentrelationships. The operative requirement is todetermine whether a prospective agent is honest,ethical and reasonably likely to abide by its contractcommitment to refrain from Bribery. Priority areas forreview include a prospective agentÕs businessexpertise and experience, reputation and ethicsrecord, and possible relationships with governmentcorruption risk. Threshold judgments should also bemade about the need for an agent. 32Ethics questionnaires or other standard documentationmay be used to focus due diligence review.Information supplied by a prospective agent shouldbe assessed independently and compared with datafrom other sources. Inquiry for most relationshipsshould include a reasonable search for publicinformation about a prospective agent (e.g. throughmedia reports, official public records). In addition,reputational inquiry in the local business communityand through official sources (e.g. oneÕs own consularofficials) will often be appropriate. For significantrelationships in high-risk markets, specializedinvestigative services should be considered. Management ApprovalSection 5.2.3.2 directs that all agency relationshipsreceive Òprior approval of senior managementÓ. Aformal approval process is recommended, with clearlines of responsibility and guidelines forContract ProtectionsStandard pr

ovisions for use on an enterprise-wideba
ovisions for use on an enterprise-widebasis are generally recommended. Most importantly,Consideration to a breach resulting insuspension/termination may be considered.Section 5.2.3.2.5 establishes three basic guidelinesbe compensated for ÒlegitimateÓ services; fees andcommissions should be reasonable in relation to theservices provided; and payment should be throughThe restriction on compensation to ÒlegitimateservicesÓ is intended to reinforce the basic PACIprohibition on Bribery. An enterprise may not retainan agent to engage in prohibited conduct Ð forexample, to secure Òan improper advantageÓ ingovernmental or commercial procurement.The directive that compensation for an agentÕsservices be Òappropriate and justifiableremunerationÓ addresses the problem of excessivepayments used to finance Bribery. What isappropriate and justifiable will depend on thespecific services procured, unique agentcharacteristics (e.g. quality of service, reputation)and relevant market conditions. Where feasible,The requirement that payments to agents only bemade through bona fide channels is a standardaccounting control. Programme guidelines shouldrequire that compensation arrangements be openand transparent, made through reputable financialchannels and properly recorded in enterpriserecords. Requests for unusual paymentarrangements should be treated as a red flag,triggering heightened scrutiny and other measures toprevent Bribery. Provision should be made for monitoring agents.develop agent-specific procedures and controls. 33This final category of business relationshipsaddresses potential corruption risk from enterprisesuppliers. The guidelines differ in two respects fromthose for other types of relationships. Section 5.2.4draws attention to an enterpriseÕs own procurementpractices, and its application of other Programmerequirements is more limited. Both differences reflecta presumption that business dealings are on anÒarmÕs lengthÓ basis with independent entities.and ÒsupplierÓ are not defined in the PACI Principles,but are meant to have their normal and customarymeaning. For ease of reference, the Handbook usescontrolled person or entity that provides goods orÒsubcontractorÓ is

a person or entity that providesgoods o
a person or entity that providesgoods or services to a contractor/supplier. The threshold requirement for contractor/supplierrelationships is that an enterprise conduct its ownprocurement in a Òfair and transparent mannerÓ.Fairness and transparency relate to the processrather than any particular award procedure.Procurement may be on a competitive bid or solesource basis, at an enterpriseÕs discretion, so longas the process is reasonable under thecircumstances and subject to appropriate oversight.The PACI intention is to prevent corruption byand suppliers as a subterfuge in dealings with thirdSection 5.2.4.2 further requires that an enterprisedetermine whether prospective contractors/suppliershave effective anti-Bribery policies of their own. Aswith other business relationships, signatorycompanies are expected to make reasonable inquiryto confirm that a contractor/supplier can be reliedupon to comply with the zero tolerance policy inenterprise-related business activities. The standardreview appropriate to the particular relationship andcircumstances. policy to contractors/suppliers, establish appropriatecontract protections and monitor contractor/supplierconduct for consistency. As with other types ofrelationships, implementation should be tailored toreflect the level and type of corruption risk specific toa particular relationship or transaction. Practices described earlier for joint venture andagent relationships can be modified for use withSection 5.2.4 establishes Programme guidelines for enterprise relationships with contractors, subcontractors andThe PACI Principles 5.2.4.1 The enterprise should conduct its procurement practices in a fair and transparent manner. subcontractors and suppliers to ensure that they have effective anti-bribery policies.5.2.4.3 The enterprise should make known its anti-bribery policies to contractors, subcontractors andFair and Transparent Procurement The Section 5.2.4.1 requirement that procurementbe conducted in a fair and transparent mannerreflects standard industry practice and can besatisfied at most signatory companies throughexisting procedures and controls. Although not expressly required by the PACI Principles,signator

y companies are encouraged to developfor
y companies are encouraged to developformal written procurement guidelines that can beused by responsible personnel and evaluatedperiodically for effectiveness. Guidelines typicallyaddress procurement eligibility, award procedures,management approval requirements, documentationand oversight. Written guidelines can besupplemented with targeted training and throughSection 5.2.4.2 mandates Òdue diligence, asappropriate, in evaluating contractors, subcontractorsand suppliers to ensure that they have effective anti-As with other types of business relationships, theessential due diligence requirement is to know withwhom one is doing business. This requires, at aminimum, ascertaining whether a prospectivecontractor/supplier has an effective anti-corruptionpolicy. The phrase Òas appropriateÓ is intended to conveyflexibility in applying the due diligence requirement todiverse business relationships. Enterprises aredetermine the appropriate level and frequency ofdue diligence review. Often, informal discussionswith responsible compliance managers together withprotective contract measures may suffice. Whereperceived corruption risk is high, however, moreextensive inquiry may be necessary. obligation. As in other contexts, periodic reviewsshould be considered for contractor/supplierrelationships with a high level of associated risk.Whether or not periodic reviews are scheduled, anenterprise should monitor for red flags and promptlyinvestigate suspicious circumstances.Section 5.2.4.3 directs that an enterprise ÒmakeNotice is most certain and effective when conveyedthrough an appropriate contract provision. Sampletext described earlier for joint venture and agentrelationships can be modified for use withcontractors/suppliers. Where a formal contractprovision is not feasible, notice of the enterpriseÕsanti-corruption policy and Programme requirementsshould be conveyed in writing to a responsiblesenior official of the contractor/supplier anddocumented in enterprise records. Whether notice is communicated through a formalcontract provision or management letter, thewill act consistently with the policy. requirements, one relating to contract monitoringand the second to relief when

non-complianceMonitoring practices desc
non-complianceMonitoring practices described elsewhere in theHandbook can be tailored for use incontractor/supplier relationships. These relate toapprovals, documentation and reporting, andContract relief, including a right of termination in theevent of non-compliance, can be addressed throughstandard contract provisions, using the sameventure and agency relationships. Although notexpressly required for contractor/supplieragreements, compliance managers may considercooperation provisions.35The effectiveness of an enterpriseÕs Programmedepends to a substantial degree on theemployees. HR practices are a primary tool forshaping this compliance environment. The PACI Principles recognize that HR practices varyfrom company to company and that no one set ofpractices will be appropriate to all companies. Thedirective to reflect Programme commitment in anenterpriseÕs HR practices is accordingly quitegeneral. Signatory companies are expected toexercise good faith judgment in deciding how bestto meet this stated objective. Representativepractices are offered for consideration in theimplementation section below.Two exceptions to this flexible standard should benoted. Section 5.3.2 requires an enterprise to makeclear that compliance with the Programme ismandatory for all personnel and that a refusal to paya bribe will not trigger adverse action if it results inlost business. Section 5.3.3 further provides thatappropriate sanctions be established and applied forviolations of the Programme, up to and includingtermination of employment. Both provisions areenterpriseÕs commitment to the zero tolerance policy. enterpriseÕs Programme. Screening of New Hires Programmes typically include a basic screeningprocedure to confirm that personnel in high riskpositions are honest, ethical and can be trusted tofollow an enterpriseÕs legal and ethics rules.Care should be taken to comply with applicableprivacy or other employment law protections. Theseconsiderations are not unique to corruptionscreening, and as in other areas are best managedin coordination with employment law experts.compliance with Programme requirements is anThis message should be communicated to new hiresas part of the i

nduction process and reiteratedperiodica
nduction process and reiteratedperiodically.with the Programme is mandatoryÓ (Section 5.3.2)effective when in writing, and in some jurisdictionsformal notice may also be a precondition for taking5.3Human ResourcesThe PACI Principles 5.3.1 The enterpriseÕs commitment to the Programme should be reflected in its Human Resources practices.5.3.2 The enterprise should make clear that compliance with the Programme is mandatory and that noSection 5.3 establishes guidelines for a signatory companyÕs Human Resources (HR) practices, includingprotections for employees who refuse to pay bribes and sanctions for Programme violations. through Code certifications and, where formalemployment contracts are negotiated, throughexpress contractual provisions. In both cases, goodas legal purposes, and accordingly should be writtenA growing number of companies require new hiresto review the corporate Code of Conduct and sign acertification statement upon induction. Suchhas received and reviewed the Code, and are madepart of the employeeÕs permanent record. MostCode certifications are general, covering a widebut not limited to Bribery prohibitions. Corruption-specific certifications may also be considered forsensitive positions. In addition to certifying receiptand review of Code or other enterprise policyresult in termination of employment. TrainingNew employees should receive information aboutthe enterpriseÕs Programme as part of their inductiontraining. Appropriate continuing training should beprovided thereafter. This topic is covered in SectionSecure and accessible channels should bereporting suspicious circumstances and suggestingProgramme improvements. These practices areaddressed in Section 5.5 of the Handbook. As has been noted, Section 5.3.2 requires anenterprise to make clear that compliance with theProgramme is mandatory for all personnel and thatemployees will not be penalized if refusal to pay abribe results in lost business. A common employee concern is that a decline inbusiness, for whatever reason, may lead to adversepersonnel action, potentially including reducedemployment. When an employeeÕs productivitydeclines, it can be very difficult to determine theexact reas

on. The PACI commitment is to a goodfait
on. The PACI commitment is to a goodfaith effort to isolate and protect employees fromGood faith can be demonstrated through specifica)A clear and unequivocal statement of enterpriseb)Periodic supplemental directives (reminders) toc)Heightened oversight of the evaluation process Reminders should be provided regularly, as part ofgeneral Programme training for managers and inconjunction with annual employee evaluations. Guidelines should also be developed to ensure thatappropriate disciplinary action is taken whenviolations occur, consistent with the Section 5.3.3directive.This Programme element has three aspects. First,discipline must be ÒappropriateÓ to thecircumstances. While the form of sanction may vary,employment, judgments should reflect theProgramme objective of deterring future violations aswell as punishing the offending conduct. Second,disciplinary action should be applied consistently.misconduct. Third, accountability should extend toall aspects of the Programme. 37Training is a primary tool for communicatingProgramme standards and procedures to enterpriseThe PACI Principles require Òspecific training on theProgrammeÓ for managers, employees and agents.Specific training means targeted education thatpromotes an understanding of the anti-corruptioncommitment and all relevant rules and procedures.the most effective combination of training and otherTraining content and methods should be tailored toemployee responsibilities. All personnel, includingagents, should receive basic information about theProgramme and enterprise expectations, includingprompt reporting of concerns or suspiciouscircumstances. This information typically iscommunicated through an enterpriseÕs businessactivities generally need more detailed guidance,which may be provided through written policystatements, training and related educational tools.Business managers should also receive specifictraining, geared to their respective Programmeresponsibilities.Section 5.4.2 provides for signatory companies toÒwhere appropriateÓ. Decisions about when to offertraining support and in what form should reflect anenterpriseÕs corruption risk profile. In some cases,for a contractor/supplierÕs own compl

iance effortsmay be a more practical opt
iance effortsmay be a more practical option. Practices described in this section reflect recentcompliance innovations that can be used tostrengthen an enterpriseÕs existing trainingTraining can be a difficult compliance challenge evencompliance message must reach different audienceswithin an organization, often with varying degrees ofsignatory companies, language and culture will be afurther complicating factor. Decisions also need tobe made about training content, tailoring for differentgroups, methods and frequency. One common response has been to develop moreformal processes for planning and implementingannual review, with compliance and businessminimum training requirements, assign trainingresponsibilities and assess effectiveness. Relianceon computer software to schedule and monitor5.4TrainingThe PACI Principles 5.4.1Managers, employees and agents should receive specific training on the Programme, tailored torelevant needs and circumstances.5.4.2Where appropriate, contractors and suppliers should receive training on the Programme.5.4.3Training activities should be assessed periodically for effectiveness.Section 5.4 addresses the training component of an enterpriseÕs Programme. Training ContentAlthough all enterprise personnel are expected toreceive Òspecific training on the ProgrammeÓ, detailswill vary and should be Òtailored to relevant needsand circumstancesÓ. All personnel should receive basic information aboutthe Programme, including an explanation of theand how to obtain compliance advice or reportconcerns (reporting channels are addressed inemphasize the affirmative obligation of all personnelto promptly report suspicious circumstances. As hasbeen noted, basic Programme information can beprovided through an enterpriseÕs business Code andmarketing and procurement, should receive morepolicy, but they should know enough to avoidobvious violations and to red flag other conduct thatmay be problematic. They should understand, forexample, the different forms Bribery can take anddirectly or through an agent or business partner.Depending on an employeeÕs particularresponsibilities, guidance on political or charitablepractices may also be appropriate. Speci

alized guidance is provided through anti
alized guidance is provided through anti-statements and other Programme materials used forthis purpose are discussed in Section 4.1, andtraining methods are addressed below. Trainingresponsibilities. As an example, training forand procurement risks, while the comparableresponsibilities. More advanced training should alsobe considered for personnel in the legal departmentor compliance office responsible for answeringemployee inquiries and investigating reportedconcerns. TrainersTraining should be conducted by qualified personnelwith appropriate knowledge of the subject andeffective communications skills. Expertise can bedeveloped within the enterprise or provided throughan outside expert, and many Programmes do both. The planning process can be used to match trainersemployee training is often provided by generalists inan enterpriseÕs HR department or ethics office, whilemore specialized functions may require support fromWhether training is for basic awareness orspecialized functions, an enterpriseÕs complianceCoordination may be informal or, as in somecompanies, achieved through targeted Programmesuited to its needs and circumstances. Although in-person training is usually most effective, this may notalways be a practical option. Common alternativestraining modules, and these are often mixed with in-person training where possible. Programmes typically have some form of Òblendedcommon practice is to use written Programmematerials and general Code training for basicawareness, online training for more in-depthmore technical matters for select job functions.specialized training, especially for companies with alarge and geographically dispersed workforce.Where feasible, training content should be tailored toreflect an enterpriseÕs actual business and riskprofile. Training is much more effective when39presented in concrete terms that relate to anemployeeÕs responsibilities and experience. Use ofcase scenarios is common, and these can beespecially helpful when drawn from actual industryFrequencyNew employees should receive basic informationabout the enterpriseÕs Programme as part of theirthereafter. Specialized training for personnel in high-risk areas similarly should

be provided uponcommencement of those r
be provided uponcommencement of those responsibilities, withperiodic updating. Frequency should reflect thenature and degree of risk. Updating on an annual orbiennial basis is common. Training certifications are a standard compliancefeature, used to acknowledge receipt of Code orother Programme materials. They can also be usedadherence to Programme requirements andknowledge of reporting obligations and channels.The most basic and common formulation is anacknowledgment that an enterpriseÕs Code hasbeen received and reviewed. Many Programmescompliance rules and have followed them, and arenot aware of violations by others. Although lesscommon, certifications can also be used todocument training. Certifications may be renewedperiodically, and usually are maintained in anemployeeÕs personnel file. Certification procedures and other less formal meanscan be used to record employee participation inactivities. Many Programmes now collect thisbe easily aggregated for reporting and assessment.Documentation of planning and otherimplementation activities will facilitate required40Compliance Programmes are most effective inreport suspected wrongdoing promptly forinvestigation and response. To this end, ancommunication channels with a secure channel forraising Bribery concerns.Prompt reporting is encouraged through an opencompliance environment. Enterprise personnel,that reporting is an organizational priority, and theyreporting will be taken seriously and not lead toretaliation. This is a basic leadership responsibilityand challenge, to be achieved through practicesdescribed in Section 5.1 and elsewhere in theThe Programme requirement is that Òsecure andaccessibleÓ channels be provided for raisingcompliance concerns and reporting suspiciouscircumstances (commonly referred to as Òwhistle-blowingÓ). A ÒsecureÓ channel is one through whichwithout risk of reprisal. Neither anonymity noroutsourcing is required, but in their absence othermeasures to secure the reporting channel may benecessary. An ÒaccessibleÓ channel is one that ispublicized within the enterprise. Telephone hotlinesare a common Programme option.Confidential reporting is matched by a policy toprovide channels for

seeking compliance advice andsuggesting
seeking compliance advice andsuggesting improvements to the Programme. Formany companies, the practical benefit from a goodadvisory channel will be many times greater than forthe reporting hotline. An enterpriseÕs employees andagents are its compliance front line. If training hasbeen effective, frequent questions should arise aboutthe zero tolerance policyÕs applicability to particularsuggestions for Programme refinements.Companies should make advice and reportingchannels available to Òemployees and othersÓ.Reference to ÒothersÓ is meant to include agentssubject to Programme standards and requirements.In both cases, prospective advice about theprohibitions can help to avoid confusion and preventviolations of law or corporate policy. Agents andbusiness partners can also be a valuable source ofinformation for risk assessment and other pro-active5.5Raising Concerns and Seeking Guidance The PACI Principles 5.5.1The Programme should encourage employees and others to raise concerns and report suspicious5.5.2To this end, the enterprise should provide secure and accessible channels through which5.5.3These channels should also be available for employees and others to seek advice or suggestemployees and others on applying the ProgrammeÕs rules and requirements to individual cases.This fifth Programme category emphasizes the importance of a compliance environment that encourages promptraising of concerns and reporting of suspicious circumstances.PACI requirements may be satisfied through hotlinemaintaining an open compliance environment.Encouraging Prompt ReportingThe enterprise commitment to an open complianceenvironment can be conveyed through targetedprovisions (see, for example, Section 5.2). Basic information about confidential reporting channelsand other protections should be included in Code andother Programme materials. These materials canalso be used to remind personnel of their obligationto raise compliance concerns promptly with asupervisor or through other designated channels. Programmes typically provide multiple channels forraising compliance concerns and reportingsuspicious circumstances. report compliance concerns to a responsiblesupervisor. This channe

l is often supplemented by acompliance o
l is often supplemented by acompliance office for expert advice. Additionalmechanisms that permit more confidential reportinginterviews, e-mails and other means for promotingFor many companies, some form of hotline servicewill be the easiest and most effective way to satisfythe PACI confidentiality directive. Companies thatalready maintain a general hotline for raising legaland ethics concerns may adapt these for Programmeand evolving industry practice can be obtained froma variety of sources, including service vendors. for Programme planning: ¥Operation. internally or through an independent serviceprovider. Independent services are easier toadminister and may instil greater confidence inmore expensive and may not be practical in someregions. Enterprise-run hotlines are a reasonableProgramme option, provided suitable measuresare taken to preserve confidentiality and¥Anonymity.concerns on an anonymous basis. Anonymitymakes it easier and more likely for people to usethe system, but also harder for complianceofficials to evaluate and follow up on reportedconcerns. Hotlines often balance theseconsiderations by offering anonymity but alsoencouraging individuals making reports to identifythemselves on a confidential basis. ¥Accessibility.A third planning considerationrelates to hotline accessibility. Decisions will needdifficult to replicate in enterprise-run hotlines) andbe identified). In addition to providing for a confidential reportingchannel, Programmes should have a protocol forprocessing and investigating compliance inquiriesand reports. Protocols typically address recordkeeping requirements, confidentiality protections,responsibility for investigations and reporting (usuallyto the audit committee). They are also used topreserve attorney-client and other legal privileges,and to ensure appropriate follow up with the originalreporting source (i.e. whistle-blower). compliance guidance per the enterpriseÕs policies,department or compliance office and, in someProgrammes, access to a hotline or otherconfidential mechanism for raising sensitiveidentified in Programme materials and through42An enterprise should have Òeffective mechanismsÓfor internal communication of

its anti-corruptionProgramme. This is a
its anti-corruptionProgramme. This is a non-specific directive,intended to ensure that reasonable means areemployed to communicate relevant Programmepartners. Such means include written Programmematerials, employee training, protective contractprovisions and other similar measures.Enterprises are encouraged to publicly disclose theircommitment to the policy. Many companies will havealready aligned themselves publicly with the PACIPrinciples, through the PACI signatory process. Thisidentification can be reinforced through otherstandard communication practices. Such publiccommunications advance Programme objectives inseveral ways. They supplement the internalcompliance message to an enterpriseÕs employeesAn enterpriseÕs anti-bribery commitment can bepublicized in a number of different ways, dependingon the target audience. These include statements,annual reports or other communications toshareholders and other stakeholders, commitmentstatements on an enterpriseÕs website and in itsCode of Conduct and other Programme materials,and directives and protections in contracts withzero tolerance on Bribery, signatory companiesshould Òbe open to receiving communications fromrelevant interested parties with respect to its Policygeneral directive in Section 3.5 to keep abreast ofevolving developments in compliance practice.source of information about corruption risk andProcedures described elsewhere in the Anti-section 5.6 communication directive. Internal communication practices are addressed,respectively, in the Handbook guidance onreporting channels. Practices for communicatingProgramme requirements and expectations tobusiness partners are described in Section 5.2.External communication directives may be satisfiedthrough established corporate public relations5.6CommunicationThe PACI Principles 5.6.1 The enterprise should establish effective mechanisms for internal communication of the Programme.5.6.2 The enterprise should publicly disclose its policy for countering Bribery.5.6.3 The enterprise should be open to receiving communications from relevant interested parties withrespect to its policy for countering Bribery.Section 5.6 contains general guidelines for the commu

nications component of an enterpriseÕs P
nications component of an enterpriseÕs Programme.These supplement more specific directives found elsewhere in the PACI Principles. Requirements in this section target the looseBribery. They require an enterprise to maintain fairand accurate financial accounts, subject to effectiveinternal controls, periodic verification audits and aninternal process for continual improvement of theessentially restates applicable law and financialThe baseline accounting requirement is that anenterprise maintain accurate books and records.This standard reflects established financialdocumentation, in fair and reasonable detail, of allexpress prohibition of Òoff-the-books accountsÓAccounting requirements are to be supported by aneffective system of internal controls, defined inSection 5.7.2 to include both financial controls andorganizational checks and balances. The PACIexpectation is that the enterprise have internalcontrols sufficient to provide a prudent manager withreasonable assurance that the Programme iseffective and operating as intended. This is a flexiblestandard, meant to provide high-level but notabsolute assurance. It is understood that internalcontrols cannot prevent or detect all conductinconsistent with the Programme. The directive in Section 5.7.3 to establish feedbackmechanisms and other internal processes for identifyingopportunities for improvement is a corollary to theÒreasonable assuranceÓ measure for internalcontrols. What is reasonable will change over time,as improvements strengthen a Programme. The final guideline in this section requires that anenterprise subject its internal control system to periodiccompliance audits. Once again, this reflects establishedpractice at most, if not all, signatory companies. An enterpriseÕs general accounting, control and auditprocedures may be used to satisfy PACIrequirements. Planning should focus on necessaryadjustments to reflect corruption risks and relatedProgramme activities. Fair and Accurate RecordsThe directive to maintain fair and accurate recordsshould be considered in relation to specific nationallaws and regulations governing an enterpriseÕsbusiness activity. Although basic requirements will be445.7 Internal

Controls and AuditThe PACI Principles 5
Controls and AuditThe PACI Principles 5.7.1The enterprise should maintain accurate books and records, which properly and fairly document all5.7.2The enterprise should establish and maintain an effective system of internal controls, comprisingfinancial and organizational checks and balances over the enterpriseÕs accounting and record5.7.3The enterprise should establish feedback mechanisms and other internal processes designed to5.7.4The enterprise should subject the internal control systems, in particular the accounting and recordSection 5.7 identifies guidelines for an enterpriseÕs accounting and audit practices. These should be used to testand confirm compliance with the Programme. there may be differences in some details.As a general matter, a signatory company maysatisfy the PACI requirement through application ofcomparable financial accounting standards. AnenterpriseÕs books, records and accounts shouldcorrectly record the financial facts of a transactiondirect a reviewerÕs attention to possible illegality orimpropriety. Books should be maintained on acurrent basis, with transactions recordedchronologically and supported by appropriatedocumentation. Care should be taken to establish acomprehensive filing system that creates an audittrail by transaction from origin to completion. Historically, off-the-books Òslush fundsÓ have been acommon source for Bribery payments. These areaccounts financed by commissions and other receiptsnot recorded in an enterpriseÕs official books. ThePACI standard requires that an enterprise establishan express and absolute rule against maintaining orusing such accounts. Internal and independentauditing of accounts is a necessary precaution toreduce this risk. Enterprise policy should also address so-calledcommon funding source for corrupt payments. Useof such entities is strictly regulated by the securitieslaws in many countries. The PACI requirement applies to all transactions andrecords should reflect steps taken to implement thecompliance Programme (such as records foremployee training, due diligence review of agentsreporting to senior management). These additionalrecords are essential to the Programme auditprocess, described b

elow, as well as to the periodicsenior m
elow, as well as to the periodicsenior management reviews required by Section 5.8.Effective Internal ControlsThe requirement that records be maintained in a fairand accurate manner is to be enforced throughreasonable internal controls. Internal control refersensure that accounting and other directives areuseful practical information is available from variouspublic and private sector sources. Signatorycompanies are encouraged to work with theirexternal auditors and other experts to identify andimplement relevant anti-corruption control practices. The PACI expectation is that an enterprise will havereasonable controls for testing and confirmingcompliance with all significant Programme elements.This is reflected in the directive in Section 5.7.2 thatÒan effective system of internal controlsÓ beestablished and maintained not only for financialmatters but also for Òother business processesrelated to the Programme.Ó Such other processesinclude, among others, employee and agentscreening, anti-corruption training, complianceand reporting and various management approvalrequirements. An ÒeffectiveÓ control system is one that providesreasonable assurance that Programme requirementshave been properly designed and implemented andare being followed. As in other compliance contexts,reasonableness depends on an enterpriseÕsparticular risk profile and other circumstances,Companies that already have a substantial system ofinternal controls may use these to satisfy the PACIdirective. However, existing control systems typicallyrequire some adjustment to reflect corruption-specific risks and Programme activities. Additionalcontrols are often needed for unique Programmecontribution controls) or to highlight corruption-Continuous ImprovementThe directive in Section 5.7.3 to Òestablish feedbackmechanisms and other internal processes designedto support the continuous improvement of theProgrammeÓ reflects standard accounting practice.45system of internal controls that provides reasonableassurance to a prudent manager, what is reasonablewill change over time and with experience.Programmes accordingly are expected to have anappropriate process for identifying shortcomings andmaking improv

ements. Continuous improvement applies t
ements. Continuous improvement applies to the full range ofProgramme activities, again including but not limitedto accounting and record keeping practices. Auditreviews are a primary source of information for thecontinuous improvement process, supplemented byhotlines and other channels used for ProgrammeThe final point requirement in this section is that anenterprise subject its internal controls to regularaudits to verify Programme compliance. Section5.7.4 does not specify a particular audit procedure,and a comprehensive review of audit practices isbeyond the scope of this Handbook. The PACIexisting audit practices to address Programmeconcerns. Although no particular audit procedure is required bythe PACI Principles, there are some generalpractices that could be considered.¥Formal planning. Auditing is most effective whenPlans are used to establish audit priorities,standards and timing for reviews. ¥Audit responsibilities. Reviews normally aremanaged through an enterpriseÕs audit department,in coordination with independent auditors.role, working with auditors to develop corruption-specific guidelines and to respond to problems. ¥Scope of review. Auditing should address allrelevant Programme requirements. Accountingand record keeping practices are a primary auditfocus, but reviews should also test compliancewith screening, training, management approvaland Òother business processes related to theProgrammeÓ. ¥Auditor profile. Audit reviews should beareas being audited and who are independentfrom the activities being reviewed. Care should betaken to ensure that they have requisite skills,training and judgment to make reasonable¥Methods. Audit information can be gatheredthrough a variety of methods. In addition tofinancial records review, these may include (a) sitevisits; (b) interviews with responsible personnel inarea; (c) questionnaires to a cross-section ofenterprise personnel; (d) review of Programmedocumentation (such as agent screening reports);and (e) trend analyses to identify deviations fromexpectations or past practice. In appropriatecircumstances, information may also be gatheredfrom an enterpriseÕs agents and business¥Spot audits. Spot auditing is commo

n in thegovernment procurement area, whe
n in thegovernment procurement area, where some largegovernment contractors routinely target home-comprehensive review Ð i.e. unravelling thetransaction to test financial records. This can alsobe an effective practice for high-risk internationalprocurements.¥Documentation and reporting. Audit activitiesshould be properly documented, with respectboth to the process and findings. Seriousproblems should be reported promptly to seniorcorrective actions taken or recommended. Seniormanagement and the board should also receiveregular status reports on Programmecorrective actions. 46commitment described in Section 5.1. An enterpriseÕsboard and senior management are charged withlaunching the Programme; they then have acontinuing responsibility to monitor implementation,evaluate Programme effectiveness periodically andsee that necessary improvements are made. Section 5.8 places primary responsibility formonitoring and evaluation on an enterpriseÕs seniormanagement. As used here, monitoring refers toongoing supervision and oversight of Programmeoperations. Evaluation is a separate process,requiring periodic assessment of Òthe ProgrammeÕssuitability, adequacy and effectivenessÓ. A ÒsuitableÓProgramme is one that is tailored to an enterpriseÕsparticular needs and circumstances; an ÒadequateÓProgramme has sufficient resources and coverage;and an ÒeffectiveÓ Programme is one in which the noFrequency is not specified, but annual evaluationsare generally recommended. Programme reviewscan be coordinated with implementation planningand audit procedures described elsewhere in theHandbook. Once they are reported to the enterpriseboard (or equivalent body), the board has a furtherresponsibility to Òreceive and evaluateÓ these reports. In most cases, as with an enterpriseÕs internalcontrol and audit practices, existing procedures forProgramme monitoring and evaluation requirements. organized and managed under the direction ofsenior enterprise officials responsible for overallThe PACI Principles do not prescribe particularprocedures for Programme monitoring andevaluation. However, there is an expectation thatpractice at signatory companies will reflect recentcorporate governance innov

ations. High-leveloversight has been a p
ations. High-leveloversight has been a priority focus in recent years,resulting in requirements for corporate boards andsenior management that are more formal and morestringent. These rules establish a regulatory baselinefor public companies and can be a useful source ofIn general, the litmus test for an oversight process iswhether it provides enterprise leadership with sufficientProgramme has been properly designed andimplemented and is being followed. The informationrequired, and associated monitoring and evaluationenterpriseÕs compliance history, size, organizationalstructure, culture and corruption risk profile. 5.8Monitoring and ReviewThe PACI Principles 5.8.1Senior management of the enterprise should monitor the Programme and periodically review theProgrammeÕs suitability, adequacy and effectiveness and implement improvements as appropriate.equivalent body.5.8.2The board, audit committee or equivalent body should receive and evaluate periodically anThis final implementation category addresses the responsibility of an enterpriseÕs senior leadership to monitor theProgramme and periodically review it for effectiveness. Section 5.8 monitoring may be satisfied through anyreasonable oversight procedure.basic Programme requirements are being followed.commitment to the Programme, demonstrating thatsenior management is engaged. Audit reviews are aprimary tool for monitoring Programmecompliance questionnaires, certifications, reportsinformation. As in other areas, established enterpriseProgramme priorities. The monitoring by senior management required inemployee and agent screening is being conducted,effective training is being provided and managementapproval requirements are being followed.transactions is a separate operational responsibility,addressed elsewhere in the Handbook.indicator of overall Programme effectiveness. Asfocus for most personnel is on red flagging potentialconcerns. If the system is working, an enterpriseÕsexperts should be receiving periodic inquiries. Programme evaluation is closely related to monitoring,but with a different focus. In addition to confirmingcompliance with established standards andprocedures, reviews must be able to identif

yshortcomings in the Programme and oppor
yshortcomings in the Programme and opportunitiesfor improvement. Section 5.8 contemplates thesame basic process for Òcontinuous improvementÓdescribed earlier for auditing. In an area that hasseen so much change in recent years,benchmarking to identify innovative complianceNo specific procedure is mandated for seniormanagement evaluations, but there is ansubstantial oversight process appropriate to itscircumstances. Because of the range andcomplexity of issues presented, a formal process forperiodic evaluations is generally recommended. Although formal Programme evaluation may be newdraw on relevant experience from other areas. ¥Programme planning.procedures described in Section 3 can beadapted for Section 5.8 Programme reviews.¥Programme audits.Connection can also bedrawn to the Programme auditing processreviews have broader scope, they cover much ofthe same ground. ¥Related laws.pursuant to statutory or regulatory requirementscan also be adapted for Programme use.Examples from US law include ÒexecutivereviewsÓ of financial controls and ProgrammeSections 5.8 reviews should be coordinated with anenterpriseÕs annual planning process for training andother Programme activities. Many Programmesrequire senior business managers to certifyto subordinate managers are also common, and canbe an effective oversight tool when supported byreasonable inquiry and documentation. A morestructured alternative (and best practice) is to keybusiness unit compliance reviews to an annualplanning process that looks retrospectively at thepast yearÕs experience and prospectively at trainingBoard OversightProgramme evaluations by an enterpriseÕs seniormanagement should be reported to and reviewed bythe board. Reporting typically is through anenterpriseÕs audit committee or other boardthe entire board.Review by the board is less detailed than what isboardÕs more general oversight responsibility inSection 5.1.1. As in other oversight contexts, boardreliability of the evaluation process (in scope, detailand frequency) and on senior management findings,including recommended changes. Board reviewshould also confirm that necessary improvementsare being made. 49Further tools for implementing th

e PACI Principlesare in development as p
e PACI Principlesare in development as part of the World EconomicForumÕs ongoing anti-corruption initiative. These willoffer additional practical direction on riskassessment, due diligence and other coreimplementation activities. Available materials will behighlighted on the PACI website(www.weforum.org/paci). There are many useful websites for monitoring anti-corruption developments and related industrypractice. A representative list follows, through whichlinks to additional resources can be found.World Economic Forum Ð PACI (www.weforum.org/paci)The PACI home page contains all PACI tools anddocuments available and a listing of all PACITransparency International Ð Resource Inventory (www.transparency.org)Transparency International maintains acomprehensive inventory of corruption materials,including international conventions, corruptionsurveys, country studies, implementation resources(http://www.oecd.org/department/0,2688,en_2649_The OECD anti-corruption page offers detailedenforcement efforts.World Bank Ð Corruption (www.worldbank.org/corruption) World Bank anti-corruption efforts are describedhere, including relevant procurement policies andenforcement practices. Firms debarred forcorruption reasons are listed, and there are also links(www.unodc.org/corruption.html) This site provides background information aboutProgramme against Corruption, which assists UNMember States in their efforts to curb corruption; theConvention against Corruption. Furthermore, thecorruption Ð provides invaluable information for(www.unglobalcompact.org). U4 Anti-corruption Resource Centre (www.u4.no)This useful anti-corruption site offers selectedliterature, implementation tools and an annotatedorganizations and institutions. The Centre isUtstein Group. International Chamber of Commerce Ð Anti-(http://www.iccwbo.org/policy/anticorruption)efforts in this area, including development of an anti-corruption Code of Conduct and relatedTrace International (www.traceinternational.org)Trace is a non-profit membership association thatcompliance training for international commercial6Additional ResourcesSee, for example, the World Bank report ÒAssessing AID: WhatWorks, What DoesnÕt Work and Why

Ó, No. 61123 (ISBN-0-19-521123-5), 2001.
Ó, No. 61123 (ISBN-0-19-521123-5), 2001. The World Bank report and others like itprovide useful source material for understanding adversea zero tolerance policy to employees and business partners. Fora concise summary of business reasons for combatingcorruption, see A. Boeckmann, ÒTaking a Corporate Standagainst CorruptionÓ, World Energy at 94, 2003. Corporate programmes are referred to in some countries asÒimplementationÓ programmes and in others as ÒcomplianceÓprogrammes. These terms are used interchangeably in theHandbook to mean a systematic process for an enterprise tocomply with applicable laws and ethics standards. The termsÒenterpriseÓ and ÒcompanyÓ also are used interchangeably. Bothare non-technical terms intended to include all businessorganizations, whether structured as corporations, partnershipsor in some other form. As in the PACI Principles, capitalization ofÒBriberyÓ and ÒProgrammeÓ incorporates by reference theThe PACI Principles build on general industry guidelinesdeveloped in 2002 by Transparency International and a coalitionof private sector interests, non-governmental organizations andtrade unions. Transparency InternationalÕs ÒBusiness Principlesfor Countering BriberyÓ can be found on the organizationÕsand Programme development practices.Anti-corruption websites maintained by governmental andprivate sector organizations can also be a useful source ofwebsites are provided in Appendix A.A good planning process will be especially important for thePACI Principles, given their broad scope and complexity.Procedures in this section address preliminary work plans, riskassessment and Programme evaluation. All three are commonThe PACI requirement, in Section 4, directs that in developing itscompliance Programme, Òan enterprise should identify andassess specific areas that pose the greatest risks fromcorruption.Ó Risk assessment is also a common feature in ISOstandards and other general industry guidelines, and in 2004was made a formal requirement for companies subject to USSentencing Guidelines criteria for evaluating corporatecompliance programmes. Programme criteria are enumerated inchapter 8 of the Sentencing Guidelines, which can be found onasses

sment is addressed in ¤8B2.1(c). It is i
sment is addressed in ¤8B2.1(c). It is important at this preliminary stage to have as complete apicture of potential risks as possible. Including joint venture andother third-party activities in the risk assessment phase will notpreclude subsequent tailoring of response options, consistentwith guidelines in Section 5.2 for applying Programmerequirements to different types of business relationships.Assessment guidelines should include a cautionary directive toCPI ratings. Corruption can occur anywhere, and this should bereflected in the risk assessment and resulting ProgrammeDetailed information about the OECD Convention and individualOECD website, at http://www.oecd.org. As used here, Òpolicy statementÓ refers to the baselineProgramme document used to describe an enterpriseÕs zerotolerance commitment. Policy statements, Codes of Conductand other standard Programme documents are discussed laterin this section. Corrupt intent is implicit in this formulation. It is treated as adistinct legal element under some laws, including the US FCPA.As used here, the term Òbright-lineÓ test refers to the common(i.e. draw a bright line) between permitted and prohibitedconduct. For clarity and also administrative convenience, suchrules are often more restrictive than required by law. Anenterprise may, for example, decide to bar all politicalcontributions, not just those prohibited by law, in order to avoidand reputational risks when mistakes are made. A good practical test, often emphasized in Programme standardswould be embarrassing to the enterprise were it to become public. Standard provisions should address four basic areas: (1) Notice.Language that communicates the enterpriseÕs commitment to azero tolerance policy on Bribery and the expectation thatconduct by the agent will be consistent with the PACI Principlesabout the enterpriseÕs Programme should be provided to allagents; (2) Representations and warranties. Many companiesrequire agents to ÒwarrantÓ that they understand the anti-corruption policy, will not engage in inconsistent behaviour andwill establish appropriate anti-corruption controls of their own;cooperation requirements, including guaranteed access torecords and

personnel, prompt reporting of possible
personnel, prompt reporting of possible violationsand cooperation in the investigation of alleged violations orsuspicious circumstances; and (4) Remedies. Contracts shouldinclude a provision expressly authorizing remedial action forProgramme violations. Such provisions typically identify seriouscorruption as a material breach of contract, subject to remedialaction up to and including termination. Actionable breach shouldbe defined to include non-compliance with Programme-relatedcontract provisions.Although requirements in this section restate general law andpractice, effective implementation may in some cases requireheightened attention to corruption-specific risks and safeguards.As an example, additional controls may be necessary to confirmthat off-the-books accounts are not being used to facilitateArticle 8 of the OECD Convention provides in relevant part thatmeasures be taken Òto prohibit the establishment of off-the-books accounts, the making of off-the-books or inadequatelyidentified transactions, the recording of non-existentexpenditures, the entry of liabilities with incorrect identification ofect identification ofpurpose of bribing foreign public officials or of hiding suchbribery.Ó Specific applications of this directive, however, maydiffer by jurisdiction. Executive certifications, also referred to as ÒSection 302Ócertifications, require regular written confirmation by anenterpriseÕs chief executive and financial officers that internalcontrols for accounting and other compliance requirements arein place and have been assessed for effectiveness. ÒSection404Ó management reviews, which have a narrower financialfocus, also require regular and comprehensive controlassessments. In addition, recent changes to the US SentencingGuidelines emphasize the importance of regular risk assessmentmechanisms, and others of a similar nature outside the US, offera baseline for Section 5.8 reviews. The World Economic Forum is an independentinternational organization committed to improvingpartnerships to shape global, regional andin Geneva, Switzerland, the World EconomicForum is impartial and not-for-profit; it is tied tono political, partisan or national interests.(www