OECD publishes updated good practice guide on internal controls, ethics and compliance


On November 26, 2021, the Organization for Economic Co-operation and Development adopted a revised version Recommendation of the Council for the Further Fight against Bribery of Foreign Public Officials in International Business Transactions. Paul hastings previously detailed all revisions, noting that the revised recommendation includes significant new guidance on improving anti-corruption compliance programs and internal controls. In this article, we will expand on the details of the updates to Annex II, the Guide to good practices on internal controls, ethics and compliance, with emphasis on section A, Guide to good practices for companies (“Guide updated”).

  • Risk assessment: The updated Guide includes an expanded list of factors for assessing the risk of foreign bribery. While the previous version of the guide encouraged companies to take into account their geographic and industrial sector of activity in the assessment of foreign bribery risks, the updated guide also encourages companies to take into account the “”the regulatory environment, potential customers and business partners, transactions with foreign governments and the use of third parties.“Regarding the regular monitoring and reassessment of these risk factors, the updated Guide notes that these measures can help”determine the allocation of compliance resourcesAs well as ensuring the effectiveness of a compliance program.
  • High level engagement: The updated Guide includes a revised good practice which, in addition to senior management, the Board of directors demonstrate strong, explicit and visible support and commitment to the compliance program. This is to ensure that companies are “establish a culture of ethics and compliance.The updated Guide also adds that a “clearly articulated and visible corporate policy prohibiting foreign bribery” should be “easily accessible to all employees and relevant third parties, including foreign affiliates, where applicable, and translated as necessary.
  • Autonomy and resources: To ensure effective oversight of a company’s compliance program, the updated guidance notes that the authority to report issues to an independent oversight board or the board of directors should rest with “one or more senior executives of the company. the company, as a senior compliance officer, with an adequate level of autonomy vis-à-vis management and other operational functions, Resources, access to relevant sources of data, experience, qualification, and authority.
  • Policies and Procedures: The updated Guide expands the areas in which companies need to design adequate compliance measures. The previous version listed the following areas: “gifts; hospitality, entertainment and expenses; customer travel; political contributions; charitable donations and sponsorships; facilitation payments; and solicitation and extortion. The updated Guide expands’ customer travel ‘to’travel, including customer travelAnd adds the following: “conflicts of interest; hiring processes; risks associated with the use of intermediaries, especially those who interact with foreign public officials; and the processes for responding to public tenders, if applicable.
  • Third party management: The updated Guide contains a list of “essentials” for assessing the risks associated with business partners, including agents, consultants, representatives, distributors, contractors, suppliers, consortia and joint venture partners. . The updated Guide encourages ” continued monitoring of business partners throughout the business relationship”, Not just during integration. The updated Guide also adds three new essential elements: mechanisms to ensure that payment terms are appropriate; inclusion (and exercise) of audit rights; and mechanisms for dealing with incidents of foreign bribery by business partners (eg contractual termination rights). In describing the importance of training on the company’s compliance program, the updated Guide now states that in addition to employees at all levels of a company, “business partnersShould receive training, where appropriate.
  • Incentives and disciplinary measures; Misconduct investigation: The updated Guide recommends that businesses “incite, “in addition to encouraging and supporting employee respect for the company’s ethics and compliance program” at all levels of the company in particular by integrating ethics and compliance into human resources processes, with a view to establishing a culture of compliance.”The updated Guide also contains a new section identifying“measures to deal with cases of suspected foreign bribery.“These measures include:

I. the processes for identifying, investigating and reporting misconduct and for engaging in genuine and proactive dialogue with law enforcement authorities;

ii. remediation, including, but not limited to, analyzing the root causes of the misconduct and addressing identified weaknesses in the company’s program or compliance measures;

iii. appropriate and coherent disciplinary measurements and procedures for dealing with, among other things, violations at all levels of the company of the laws against foreign bribery, and of the company’s program or ethics and compliance measures relating to foreign bribery; and

iv. appropriate communication to ensure awareness of these measures and the consistent application of disciplinary procedures throughout the company.

The updated Guide also encourages businesses to adopt “measures to ensure that there is no retaliation against any person within the company who is instructed or pressured, including from superiors, to engage in foreign bribery and chooses not to.

In addition, the updated Guide reinforces previous recommendations on reporting mechanisms. While previous guidelines required confidential reporting “to the extent possible”, updated guidelines require confidential reporting “and, where applicable, anonymous report. “The updated Guide also adds that reporting procedures should be”visible [and] accessible“and that the reporting channels are”diversified.

  • Continuous improvement, periodic testing and review: The updated Guide recommends that companies periodically “test“(not just review) their internal controls and compliance programs,”including training. . . both on a regular basis and on specific developments.The updated Guide also includes three new factors to ‘take[e] into account [when evaluating] changes in the company’s risk profile.The previous version encouraged companies to take into account “relevant developments in the field and the evolution of international and industrial standards”. The updated Guide complements this guide by encouraging businesses to consider “changes in the business structure and operating model of the company; monitoring and audit results; [and] lessons learned from a possible fault of one company and that of other companies facing similar risks based on the relevant documentation and data.
  • New Best Practices – Internal Control Systems, Mergers & Acquisitions and External Communication: Finally, the updated Guide includes three new best practices for businesses that did not appear in the previous guide. The first new good practice is to use “internal control systems to identify revealing patterns of foreign bribery, including, where appropriate, by applying innovative technologies, Suggesting that companies should integrate data analytics into their compliance programs. Second, with regard to “cases of mergers and acquisitions,”The new orientation urges “A complete due diligence based on the risks of the acquisition targets; the rapid integration of the acquired company into its internal control and ethics and compliance program; and training of new employees and post-acquisition audits.”The third new good practice recommends “External communication of the company’s commitment to effective internal controls and ethics and compliance programs.

As described by Nicola Bonucci and Nathaniel Edmonds in their recent Customer Alert, Revitalizing global anti-corruption enforcement: OECD releases new recommendations that could increase multi-jurisdictional enforcement and spur additional investment in compliance, these changes to Annex II of the OECD Good Practice Guidance are probably not surprising to anti-bribery compliance practitioners, and largely follow guidelines previously issued by the US, UK , France and other regulators and international organizations. Collectively, this reflects an increased awareness of the types of policies and controls companies can put in place to prevent and detect corruption. It also signals an increased sophistication of regulators in OECD countries.

Since the Guide to Good Practice serves as a benchmark of what the international community at large considers to be generally accepted best practices, even though it is not legally binding on businesses, businesses would benefit from carefully evaluating how their ethics and compliance programs compare and to take action to ensure that their programs meet these standards of internal controls and compliance programs. Part of this assessment should include consideration of one of the key themes throughout these reviews: developing and improving a compliance program is an ongoing exercise, not a one-off publication of policies and of procedures that create a “paper” program. This requires continuous risk analysis and testing, continuous third party monitoring, and improvement of identified gaps and weaknesses. The OECD, as well as national regulators, have made this message clear of the need for continuous improvement, resource allocation and a “feedback loop” that incorporates lessons learned. This consistency in messaging should be welcomed by compliance practitioners.


Comments are closed.