Friday, 29 December 2017

Don’t let anyone break into your moneybox!


Fraud is an act of illegal gain.


We are all victims of fraudulent practices, i.e. lost resources, decreased productivity, lower morale, reputational losses, and of course financial losses.



There is a broad range of frauds:

  • asset misappropriation (theft, payroll fraud, false expense reimbursement, false invoicing),
  • corruption (bribes, illegal facilitating payments, conflict of interest, gifts),
  • financial statement fraud, etc.

Prevent fraud for your and our common benefit

Fraud is a broad concept that refers generally to any intentional act committed to secure an unfair or unlawful gain.

We all play a significant role in protecting the company from fraud. Any fraud causes serious harm to the company’s finances and reputation. If the company loses, we all lose! The company has less money for investments, training and our development.

It is not true that fraud happens only with fake invoices. Financial fraud typically falls into 4 broad categories:

Fraudulent financial reporting, which occurs in the event of improper revenue recognition, overstatement of assets or understatement of liabilities.

Misappropriation of assets, which is a result of either internal or external theft (and may happen in case of a cyberattack), or can be the result of posting a false invoice, directing money to a different bank account, or paying “ghost” employees or suppliers.

Expenditures and liabilities for improper purposes, which is usually bribery registered under an improper payment scheme, or other payments to suppliers for goods or services never received.

Fraudulently obtained revenue and assets, and costs and expenses avoided. These happen when a company commits a fraud against its employees or third parties, or when it improperly avoids an expense, such as taxes.

Be careful and don’t become part of fraudulent events

Be watchful and alert if you see any of the red flags below:





Tuesday, 19 December 2017

Responsible procurement

What is responsible procurement?

In simple words, this is a process within the business to ensure that the company has a transparent supply chain. In detail, it is all about checking suppliers (before or during the contract) for their attitude and demonstrated actions in the areas of business ethics, environment, labor, and trade.


How to set the tone at the top?


Having a clear policy and procedures is a minimum. However, this has to come with real business actions taken by individual buyers. Responsible procurement is also about some level of investment. Audits can be costly, as well as contact validation. From time to time decision makers have to stand for good instead of profit, and either reject or discontinue business if the 3rd party is not meeting the code of conduct requirements.

What is the goal of responsible procurement?


The aim is to purchase goods and services at best value, commensurate with business needs, while minimizing risk and financial exposure. Relationships with suppliers have to be conducted in an impartial, transparent and ethical manner and in full compliance with all laws and regulations.

What are the key requirements set by responsible procurement?


The key requirements for all employees involved in procurement activities with third parties are:
  • To document the rationale for the purchase need and for selecting a supplier, and to keep the selection process transparent internally.
  • To obtain the best value for the Group or Operating Company.
  • To use centrally negotiated terms and conditions, where available. These terms and conditions will need to be continuously tested by users and Group Procurement to ensure they remain competitive.
  • To segregate purchasing duties.
  • To use Purchase Orders (PO) in the system to capture commitments to suppliers.
  • To obtain approval of the senior management or committees for significant/strategic contracts.
  • To ensure supplier risks are proactively identified and mitigated.

How to ensure that requirements are met?

Responsible procurement requires strong governance around the process. It has to work on both sides: internally, for the business that needs goods and services and the procurement department that fulfils those needs, as well as for the 3rd parties who supply us.
First and foremost, introduce a Supplier Code of Conduct that is applicable to all 3rd parties the company is doing business with. Signing it should be a mandatory step even before offers are presented. The Supplier Code of Conduct should be published on the company’s website as a public and easy-to-find document.
The aim of this document is for both sides to confirm that neither of them shall use any form of slave, bonded, forced or involuntary prison labour, or engage in human trafficking or exploitation, and that they will follow business ethics in how they produce, distribute and sell their goods and services, including no engagement in money laundering, tax evasion, or unfair competition.

Moreover, the company can conduct a risk assessment, using e.g. the TRACEsort platform (LINK), before starting any cooperation with a potential supplier, to ensure that they have a good name and a solid market reputation.

Responsible procurement is also about continued education of suppliers and the market in terms of social responsibility and fair trade. Top-class companies proactively manage their 3rd parties by undertaking targeted CSR / social audits at factories and final assembly locations. In practice, this is done by continuously identifying supply categories where goods / services are potentially sourced in high-risk areas and asking suppliers to provide visibility of their supply chains.
This advanced 3rd party risk management brings continued progress in the important area of health, safety and environment. It can be done in two ways: either by procurement personnel, who execute audits and work on mitigation actions together with our suppliers through a focus on safety leadership, training and local programs; or through association with specialized auditors (e.g. Sedex) adopting the ‘four pillar’ auditor methodology.

Tuesday, 12 December 2017

Kinder Surprise with horrible surprise - when big names come with big CSR issues

You think that this simply cannot happen, because we are so sensible and trust that corporations conduct their business ethically. Until one day you see news like this:

Ferrero, prosecutors investigate Kinder egg child labour allegations (see more LINK)


The investigation actually revealed that kids under six were indeed making toys for Kinder eggs, and it all happened right in Europe.

Child labour and other CSR issues are widespread and common, and in most cases involve powerful brands and billion-dollar companies, such as Coca-Cola, Exxon, Shell, Disney, Nike.







Let’s have a deeper look at Nike’s boycott history and how they went through that:
  • After prices rose and labor organized in Korea and Taiwan, Nike begins to urge contractors to move to Indonesia, China, and Vietnam.
  • 1991: Problems start in 1991 when activist Jeff Ballinger publishes a report documenting low wages and poor working conditions in Indonesia.
  • Nike first formally responds to complaints with a factory code of conduct.
  • 1992: Ballinger publishes an exposé of Nike. His Harper's article highlights an Indonesian worker who worked for a Nike subcontractor for 14 cents an hour, less than Indonesia's minimum wage, and documented other abuses.
  • 1992-1993: Protests at the Barcelona Olympics in 1992, CBS' 1993 interview of Nike factory workers, and Ballinger's NGO "Press For Change" provoke a wave of mainstream media attention.
  • 1996: Kathy Lee Gifford's clothing line is shown to be made by children in poor labor conditions. Her teary apology and activism make it a national issue.
  • 1996: Nike establishes a department tasked with working to improve the lives of factory laborers.
  • 1997: Efforts at promotion become occasions for public outrage. The company expands its "Niketown" retail stores, only to see increasing protests. Sports media begin challenging spokespeople like Michael Jordan.
  • Abuses continue to emerge, like a report alleging that a Vietnamese sub-contractor ran women outside until they collapsed for failing to wear regulation shoes.
  • Nike tasks diplomat and activist Andrew Young with examining its labor practices abroad. His report is criticized for being soft on Nike. Critics object to the fact that he didn't address low wages, used Nike interpreters to translate, and was accompanied by Nike officials on factory visits. Since Young's report was largely favorable, Nike is quick to publicize it, which increases backlash.
  • 1997: College students around the country began protesting the company.  
  • 1998: Nike faces weak demand and unrelenting criticism. It has to lay off workers, and begins to realize it needs to change.
  • The real shift begins with a May 1998 speech by then-CEO Phil Knight. “The Nike product has become synonymous with slave wages, forced overtime, and arbitrary abuse,” Knight said. “I truly believe the American consumer doesn’t want to buy products made under abusive conditions.”
  • At that speech, he announces Nike will raise the minimum age of workers; significantly increase monitoring; and will adopt U.S. OSHA clean air standards in all factories.
  • 1999: Nike begins creating the Fair Labor Association, a non-profit group that combines companies, and human rights and labor representatives to establish independent monitoring and a code of conduct, including a minimum age and a 60-hour work week, and pushes other brands to join.
  • 2002-2004: The company performs some 600 factory audits between 2002 and 2004, including repeat visits to problematic factories.
  • 2004: Human rights activists acknowledge that increased monitoring efforts at least deal with some of the worst problems, like locked factory doors and unsafe chemicals, but issues still remain.
  • 2005: Nike becomes the first in its industry to publish a complete list of the factories it contracts with.
  • 2005: Nike publishes a detailed 108-page report revealing conditions and pay in its factories and acknowledging widespread issues, particularly in its south Asian factories.
  • 2005-Present: The company continues to post its commitments, standards, and audit data as part of its corporate social responsibility reports.
Source: http://www.businessinsider.de/how-nike-solved-its-sweatshop-problem-2013-5?r=US&IR=T

Nike is again a great brand. It managed to make its brand great again with a huge investment in business ethics and marketing.
Watch more on the Nike better world:

Today Nike can act as an example:
“AT NIKE, WE BELIEVE IT IS NOT ENOUGH TO ADAPT TO WHAT THE FUTURE MAY BRING – WE’RE CREATING THE FUTURE WE WANT TO SEE THROUGH SUSTAINABLE INNOVATION.”- Mark Parker, President and CEO, NIKE, Inc.
However, CSR is a continuous and very challenging journey, and it requires a lot of investment in responsible procurement. Read about this in the next post!

Tuesday, 7 November 2017

CSR Policy - needed or not, and how to get started?


The ISO 26000 standard defines CSR as “responsibility of an organization for the impacts of its decisions and activities on society and the environment through transparent and ethical behavior”.




The main actions concerning the corporate social responsibility are:
  • To provide equal opportunities and challenging workplace, in which employees can expand their horizons and develop their professional and personal skills,
  • To encourage business partners to act responsibly in terms of society, environment and working conditions,
  • To procure goods and services from suppliers who can demonstrate ethical principles in the way they conduct their business,
  • To take into consideration the impact onto the environment while undertaking business.

Although CSR is not a must for most organisations, and regulations are not yet concrete in terms of what has to be done and reported and how, it is a big issue for the business world. This is due to sensible customers who want to buy products that are not produced in a cruel way.


CSR in business is not a separate thing, it is a wide programme that needs full integration with procurement, sales, production, marketing, and even employment.

To start thinking about a CSR strategy, one needs to bear in mind 3 aspects of a business: Environment, Economics, and Social.

The full picture will only emerge if there is proper governance and regulation around it, which means: a CSR Policy, a CSR Committee, KPIs and measures integrated into the business strategy, and … internal/external ‘marketing’.

Should you want to take an action and start work on your CSR Policy, you may use some easy to apply examples, as well as get inspired from already existing materials published on various company websites:
Corporate social responsibility company policy: https://resources.workable.com/corporate-social-responsibility-company-policy
GENERIC POLICY - https://www.ecta.com/resources/Documents/Other%20publications/ecta_generic_corporate_and_social_responsibility_policy_issue_1_september_2014.pdf



Friday, 13 October 2017

Internal Control and Compliance in your SSC? Let's do it!




I had the pleasure of being a speaker at the SSON conference (Budapest, 9-11 October, 2017). It was a great event, with an enormous number of presentations and discussions. What I wanted to share with others was my experience of organizing a shared function around Internal Control and Compliance.

This is still a very niche topic, and many managers from SSC / GBS prefer to keep it in HQ. I totally agree with the approach that – due to its strategic importance – Internal Control & Compliance needs a stable and direct link to the “top” of the organization.

Nothing stops us from making it customer-oriented, efficient, integrated, collaborative, technology-driven, though. Internal Control and Compliance is a great “product” to be shared as a function, act as-a-service and bring value in terms of standardization to the wider business.

Our mantra should be: as global as possible and as local as necessary.


Find a blueprint on building-in a governance & compliance into your SSC:



Thursday, 17 August 2017

Twin Towers – can Shared Services in Europe and Asia be like them?

It is an absolute fact that the Shared Services business model is based on global processes and IT systems. Nevertheless, it is also true that what works for one will not necessarily work for the other. Simple copy-paste is never good for a business; however, being too flexible and adaptable to country specifics is also a bad idea, which drives complexity and cost increases.

How to balance the need of process orchestration and business needs in SSC?

Based on my recent experience from the go-live of FSSC Europe and preparation for the go-live of FSSC Asia, I would advise you to concentrate on three items:

Global Processes – start from one unified process, designed for the best cost efficiency and performance effectiveness. Work out common solutions, an organizational structure, and the simplest possible way of running your financial processes. You don’t need to reinvent the wheel! There are a lot of shared services already existing around the world, so the best you can do is to find the ones which are in your industry and learn from their experience.
Process maps, procedures or working instructions, and all related forms and templates need to be well documented and aligned with the process flow.

Never forget that controls are an integral part of your financial processes, and simply build them in. Make sure that your controls are evaluated by the auditors, especially if your company is listed on NYSE or needs to follow any ‘SOX-equivalent’ rules, e.g. the Spanish ICFR rules.

Exceptions – once your global process maps and org charts are completed, you can start listing all country nuances based on local law or other regulations. It is very true that the EU is much easier in those terms, because it provides a more homogeneous legal environment; however, if your FSSC Europe also provides services to Russia or the UK, you need to be much more careful. Never forget also about specifics in Spain (SII, Spanish Code), France (tax requirements), etc.

When it comes to Asia, you need to consider a deeper analysis of Chinese taxation, archival processes or payment regulations, where payments will mostly be based on cheques instead of wire transfers.
Document all of the exceptions and allow proper time for the analysis before you move on. Your process maps will for sure need adjustments. You need to make sure that your processes work for your organization. In the case of Europe/Asia nuances you only need to add notes on the maps. However, in the case of a very specific process, e.g. Cheque Payments, you will need to create additional maps and supporting documentation.

Local Markets (operating companies) – moving finance processes to an SSC is always difficult for the organization. We cannot forget about all the personnel-related elements of the strategy. From the process perspective it is also not easy. It has a serious impact on the business and business parties. All involved in this shifting exercise need to gradually learn how to communicate and work with each other for the common benefit and the company’s objectives.


You need a good local market alignment strategy built into the overall planning and performance communication. You cannot forget that details such as who is doing which step, or who is retrieving which reports become a crucial matter to be solved, agreed, and documented.

Speaking to your stakeholders is an absolute must. Easy to say, not that easy to do. Markets will not give you total buy-in until you confirm to them that you bring them benefits. That can probably be achieved only after some time of operations. So, what can you do just before go-live? Be transparent: communicate what they can expect, and what is expected from them.

To me, FSSC in Europe and Kuala Lumpur are very much the same, in terms of construction. They are both based on the same basis and have the same framework. I truly see them as Twin Towers! The differences between these two towers are within their constructions, i.e. within the processes.


Monday, 19 June 2017

3 Levels of Defense



Does any statement below sound familiar to you?

  • You are the Internal Control team, so you are the controls owner.
  • You are the Internal Control team, so we cannot tell you what is wrong with our processes, because you will put that into an official audit report.
  • You are the Internal Control team, so you need to tell me how to perform controls.


There is a lot of confusion and misunderstanding about the split of responsibilities between the business process owner, Internal Control and Audit.

These can be easily explained by the 3 levels of defense in the process of internal controls. Here is what the differences are:


1) The Control Owner is the owner of the process or sub-process (e.g. the Accounts Payable Manager) and is responsible for identifying risks and control objectives, specifying controls, and effectively implementing the control activity while performing it.

2) The Internal Control team supports the creation of process documentation and validates its accuracy. The team also proposes new controls or changes to existing ones, and helps the wider team to prepare for an audit. Internal Control also actively searches for synergies and improvements within company processes. It is an advisor and consultant for the Control Owner.
3) Internal Audit is a function independent from both the business and Internal Control. It does not act as an advisor or consultant. Internal Audit tests controls design, effectiveness and completeness of evidence. IA designs the controls methodology and tools (Chart of Controls, ICFR) and conducts audits as per the annual plan.

Friday, 16 June 2017

Prevent, Detect, React…How to explain the meaning of controls in 6 simple steps?


1. Start with definition…
Control is any action taken to mitigate or manage risk and increase the probability that the business/process will achieve its goals and objectives.

2. Emphasize that we all perform business actions and execute controls while doing that!
We are all responsible for ensuring that corporate assets are used properly and are well protected.
We are all key players. We have a critical role in mitigating risks and protecting our business from losses.

3. Touch the bases! 
The essence of control is attitude, common sense and doing the right things.
It has to be done in a regular, structured, and documented way.
  • Internal controls ARE NOT THINGS in the process maps.
  • Internal controls ARE PEOPLE at every level of an organisation.
  • Evidence needs to be so clear that anyone who wants to check the control can simply follow the instructions and receive exactly the same results.

4. Explain two types of controls.
Controls can be either preventive or detective. The intent of these controls is different:
  • Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss.
  • Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring.

5. Controls may fail… and what if they fail?
A control deficiency exists when the design or operation of a control does not prevent or detect misstatements on a timely basis. It may result in a wrong or duplicate payment, data loss or disclosure to an unauthorised person, etc.

Once controls are weak, we need to fix them. The Process Owner should understand the root cause of the weaknesses and take all necessary remediation actions.


6. Give simple example!
One of the most common controls is access control. This is an action we take to secure our company data, like strategy, recipes and supplier spend, and information on our business partners, like prices, contracts, bank accounts, etc.

We all perform this control by encrypting files, checking the list of recipients when sending an e-mail, storing contracts in a secured archive, or locking our laptops when leaving the desk… simple as that!

This can be both a preventive and a detective control. Preventive is locking the laptop when leaving the desk; detective is IT Security checking system logs and tracking changes in master data.
This control can easily fail if we send confidential files to the wrong e-mail address, if we fall victim to a phishing scam and our credentials are used by an unauthorised person, or if we leave a printed copy of the product strategy in a hotel lobby…

Wednesday, 14 June 2017

SOX, what’s all about?

Do you often hear that question and need a short and clear explanation for your non-financial colleagues or junior personnel?

You may use the one below.

Remind your colleagues that, no matter whether it is a SOX control or not, all controls require their attention, use of common sense, the right behaviour and a professional attitude.


SOX is the short name of the Sarbanes–Oxley Act, which came into force in 2002 as a reaction to major corporate and accounting scandals, including Enron.

Basically, it is a law which regulates a company’s governance and accounting.

SOX regulations set stronger CONTROLS to secure financial transparency, accuracy in financial statements, and investors’ and clients’ interests.

SOX controls are focused on every activity which can influence the accuracy of financial statements, especially those related to invoice processing, payments, reconciliations, consolidation and reporting.

SOX requires that:
  • Financial statements are certified by the CEO and CFO.
  • The Internal Controls report is filed with the annual report and is assessed by an independent auditor.
  • Material changes in Internal Controls, financial condition or operations are disclosed in real time in company books.
The law also sets severe penalties for misconduct, which include fines and imprisonment.

Monday, 5 June 2017

Get off the starting blocks!

Congratulations! You got the job and are just starting as a new Compliance Manager.

Starting a new job is always both exciting and challenging. Don’t let the new environment overwhelm you. Take your time and use the first month to gain as much knowledge of the new company as you can.


3 times LEARN!

Read and Learn!

Take your time and review the Intranet, check if a Code of Conduct exists, and check the state of documented policies, procedures, finance manuals, chart of controls, etc. Create your initial “compliance check list”, i.e. a very simple list of what is missing or outdated. Make your initial comments on the documents, especially if you don’t understand something.

This whole exercise may not sound like an exciting thing to do, but trust me, it is worth your time and effort. You will gain a complete overview and will know where to go and check for information.

Greet and Learn!

Make sure you have a chance to introduce yourself; don’t let HR just send a short and dull note or post it on the intranet. Use stand-up meetings, dinners, unofficial after-work drinks. Stay professional, but don’t let yourself stay disconnected. Your colleagues need to trust you and feel that you are part of the team.

Spend some time on the organization chart to get a good overview of who does what and what interactions take place. Build relationships. Don’t wait for invitations; just go around the office, shake hands, ask what each person is doing. Send invitations to different managers for 1-hour meetings (try to invite them for breakfast or lunch if possible). Ask every individual about their role, key projects, challenges and issues. Ask what you can do for them. Listen to them. Make notes (you will use them in the coming months!).

Meet and Learn!

Your boss just grabs you to join different meetings. You feel lost? Don’t be, it’s great! Take as much as you can from these opportunities. Listen carefully and note down all key topics discussed, issues raised and useful references to teams, documents, projects, etc.

Remember that you don’t need to play an active role yet. Rather, be an astute observer! This is the one time in your career that is simply given to you. Everybody understands that you are new to the company, and obviously you don’t have actions and deadlines on your plate yet.

This is the moment to ask questions, all the questions that come to your mind! Use the first month to learn as much as you can. Asking questions is always good and valuable; however, some questions are not appreciated after some time in the company, like “so what is our finance system”, or “who is our external auditor”.

Good luck!

Tuesday, 30 May 2017

Childhood dream job: When I grow up I will be … a Compliance Officer? :)

When we are young, we dream of being a fireman, doctor, movie or rock star, teacher, … . Becoming a Compliance Officer is not something that can be called a childhood dream. None of us woke up in the middle of the night and ran to our parents to share a desire to work with regulations, policies and corporate governance. So how does it all begin?

Why does one want to become a Compliance Officer? I asked that question to students who are just about to receive the certificate of Compliance Officer. In all of the responses I could recognize one common goal. They all want to influence and guard, either business or government, politics or other forms of human activities.


Being a Compliance Officer means you have a desire to change the world. You want to have a great impact on it. You have the courage and persistence to fight for ethical values.



21 new Compliance Officers from Wroclaw University of Economics are just entering the workforce. I am extremely proud that I had a chance to be part of their journey. During the last year we discussed our daily job challenges a lot. We all have this very understanding that we are all vulnerable to fear and persuasion. However, our conviction of acting as a face of ethical values is much stronger. That is why we all made a choice:


STAY STRONG. Stick to the values.  

Friday, 7 April 2017

Cyber-Reality - 10 domains of cybersecurity you need to know

Cybersecurity, cyberwars, cyberattacks, cyber law … cyber – something is becoming a new reality. One day (very soon) we will stop thinking of cyber as something intangible and distant. It will simply become a reality we live in.

Take a few minutes to understand the 10 domains of cybersecurity and why it is your reality right now.


  1. Access Control
  2. Software Development Security
  3. Business Continuity and Disaster Recovery Planning
  4. Cryptography
  5. Information Security Governance and Risk Management
  6. Legal, Regulations, Investigations, and Compliance
  7. Operations Security
  8. Physical and Environmental Security
  9. Security Architecture and Design
  10. Telecommunications and Network Security
From deliberate attacks to unforeseen errors, software failures to web weakness, today's IT environment is complex. Get more insight into cybersecurity importance! See the video:




Access is an ability (usually a technical one such as a read, create, modify, or delete) to do something with a computer resource.

Access control includes authorization, the permission to use a resource, and authentication, proof that the user is who they claim to be.

Software development security requires control over the full process or system lifecycle. It means proper planning, complete analysis, proper design, and careful implementation and maintenance.

Once a system is in place, it needs strong procedures to assist the organization in case of disruptive events. That is why a BCP (Business Continuity Plan) is prepared, as well as more detailed disaster recovery procedures.

Cryptography is used to scramble plaintext into ciphertext (which is called encryption) and then back again into plain text (which is called decryption). It is used for storing and transmitting data in a particular form so that only those for whom it is intended can read and process it.

Even strong encryption cannot secure data when it does not come along with strong governance and risk management. The key element here is to classify all data and properly secure all of it. Apart from that, all roles in an organization need to understand their responsibilities for data protection and need to know how to carry out their duties. Education is key to success!


When strong data protection and governance are lacking, risks may materialize. There are lots of examples of data leakage, legal allegations or criminal investigations in the daily news: Google, Sony, Facebook, Talk Talk, LinkedIN, just to name a few spectacular ones.

It simply shows that all data processed by the company needs special attention and needs to be handled, secured and destroyed in a proper way.

However, cybersecurity is not only about cyberspace; physical & environmental threats are equally important. Emergencies, service interruptions, natural disasters or sabotage may impact systems or the data they process.

It is usually true that the hardware is not as important as the data stored on and accessible via it. That is why cybersecurity is about all 3: hardware, software and operating system security. If one of these elements is defective, all are under serious threat.

Threats also come from a much wider space, which is telecommunication and computer networks. It is necessary to use firewalls and protected routers as well as various protocols and secured voice communicators.

It is worth seeing how easy it is to break what you think is strong cybersecurity. Watch Inventing for the world's largest problems: Pablos Holman at TEDxMidwest: https://www.youtube.com/watch?v=FtYW4sPefhY&feature=youtu.be

Thursday, 23 February 2017

Should I get Anti-Bribery program certified? Is it worth it?

It’s been four months since the ISO 37001 Anti-Bribery Management Systems document was published. 

It is not only very new, but also questioned in terms of its value and importance.

It is a fundamental change that we finally have an international standard that can help us certify our anti-bribery program. You ask me why? I tell you that ISO 37001 can help your organisation not only to achieve high standards and stronger compliance, but also to leverage its reputation.

In short, an ISO 37001 certificate can help with:
  • Building a holistic program and accurate documentation which is continually improved on all levels and across all functions of the organisation
  • Becoming first-to-market with certification in your country or industry
  • Creating a strong mitigating factor for an organization in the event of a government action
  • Ensuring that your program meets the Federal Sentencing Guidelines’ requirement of an effective compliance and ethics program


Why is bribery so widely discussed?

Bribery is a widespread phenomenon. It raises serious social, moral, economic and political concerns, undermines good governance, hinders development and distorts competition. It erodes justice, undermines human rights and is an obstacle to the relief of poverty. It also increases the cost of doing business, introduces uncertainties into commercial transactions, increases the cost of goods and services, diminishes the quality of products and services, which can lead to loss of life and property, destroys trust in institutions and interferes with the fair and efficient operation of markets (source: ISO 37001).


What do governments do about it?
Governments have undertaken a number of activities to address bribery through international agreements such as the Organization for Economic Co-operation and Development Convention on Combating Bribery of Foreign Public Officials in International Business Transactions and the United Nations Convention against Corruption. Apart from that, there are a number of national laws that set out requirements and obligations on this issue. In most jurisdictions, it is an offence for individuals to engage in bribery and there is a growing trend to make organizations, as well as individuals, liable for bribery.

What can organisations do about bribery?
The law alone is not sufficient to solve this problem. Organizations have a responsibility to proactively contribute to combating bribery. This can be achieved through anti-bribery compliance programs and strong compliance cultures.
ISO 37001 sets the tone for a proper management system to mitigate bribery risks. This document provides guidelines on a structure for establishing a culture of integrity, transparency, openness and compliance. The nature of an organization's culture is critical to the success or failure of an anti-bribery management system. This document reflects international good practice and can be used in all jurisdictions. It is applicable to small, medium and large organizations in all sectors, including public, private and not-for-profit sectors. The bribery risks facing an organization vary according to factors such as the size of the organization, the locations and sectors in which the organization operates, and the nature, scale and complexity of the organization's activities. This document specifies the implementation by the organization of policies, procedures and controls which are reasonable and proportionate according to the bribery risks the organization faces. Conformity with this document cannot provide assurance that no bribery has occurred or will occur in relation to the organization, as it is not possible to completely eliminate the risk of bribery. However, this document can help the organization implement reasonable and proportionate measures designed to prevent, detect and respond to bribery. (based on ISO 37001)

What is the key to being compliant?

A well-managed organization is expected to have a compliance policy supported by appropriate management systems to assist it in complying with its legal obligations and commitment to integrity. An anti-bribery policy is a component of an overall compliance policy. The anti-bribery policy and supporting management system help an organization to avoid or mitigate the costs, risks and damage of involvement in bribery, to promote trust and confidence in business dealings and to enhance its reputation.