SNI ISO 37001:2016 Anti-Bribery Management Systems
11 December 2017
Owen Hawkes, Partner, KPMG Forensic

SNI ISO 37001:2016: Three Concepts
Standard v. certification
- Provides a standard, promotes due diligence efficiency
- Internationally recognized
- Permits certification (unlike the related compliance system standard)
Certification v. effectiveness
- Certification should reflect effectiveness
- Given issues with other certifications, may not provide assurance to third parties
- In the event of an incident, effectiveness likely to be focus of law enforcement agencies
Standard v. checklist
- Like other risk management standards, is risk based
- No simple list of measures
- List of risk assessments

Challenges: Overview
- Auditing third parties for compliance
- Variations in country requirements (data privacy etc.)
- Difficulty in conducting due diligence over foreign agents/third parties
- Lack of internal resources
- Difficulty in identifying & assessing risk
- Cultural/language issues
Source: KPMG Global Anti-Bribery and Corruption Survey 2015

Challenges: Risk Assessment
The organization shall undertake regular bribery risk assessment(s), which shall:
a. identify the bribery risks the organization might reasonably anticipate, given the [context of the organization];
b. analyse, assess and prioritise the identified bribery risks;
c. evaluate the suitability and effectiveness of the organization's existing controls to mitigate the assessed bribery risks.
The organization shall establish criteria for evaluating its level of bribery risk, which shall take into account the organization's policies and objectives.

Challenges: Risk assessment
[Diagram labels: Workshops; Policy reviews; Interviews; Current state: ABMS; Benchmarking; Improvement plan]

Challenges: Risk assessment
[Chart: Rating (0 to 5) by category: Due diligence; Financial controls; Anti-bribery commitments; Gifts, hospitality, donations. Series: Better Practice, Industry, Organization]

Challenges: Third Party Due Diligence
1) whether the business associate is a legitimate business entity, as demonstrated by indicators such as corporate registration documents, annual filed accounts, tax identification number, listing on a stock exchange;
2) whether the business associate has the qualifications, experience and resources needed to conduct the business for which it is being contracted;
3) whether and to what extent the business associate has an anti-bribery management system;
4) whether the business associate has a reputation for bribery, fraud, dishonesty or similar misconduct, or has been investigated, convicted, sanctioned or debarred for bribery or similar criminal conduct;
5) the identity of the shareholders (including the ultimate beneficial owner(s)) and top management of the business associate, and whether they:
   i) have a reputation for bribery, fraud, dishonesty or similar misconduct;
   ii) have been investigated, convicted, sanctioned or debarred for bribery or similar criminal conduct;
   iii) have any direct or indirect links to the organisation's customer or client or to a relevant public official which could lead to bribery (this would include persons who are not public officials themselves, but who may be directly or indirectly related to public officials, candidates for public office, etc.);
6) the structure of the transaction and payment arrangements.

Challenges: Third Party Due Diligence
Identification
- 34% (Asia: 40%) of respondents do not formally identify high-risk third party intermediaries or persons associated with government.
- 31% (Asia: 31%) do not have formal risk-based onboarding processes for third parties, opening companies to the possibility of corrupt practices.
Assessment
- Only 69% (Asia: 70%) of all respondents assess third-party risk.
Communication
- Of the 524 respondents with formal ABC compliance programs, 424 have communication and training programs.
- 73 of the 424 stated that the development of effective mechanisms for communication and training programs is highly or exceedingly challenging.
- Once on board, 60% (Asia: 57%) say their companies distribute their ABC policies to all third parties or selected third parties, still fewer in the local language.
Monitoring
- For those that do have a formal ABC risk assessment, only 56% (Asia: 76%) have right-to-audit clauses in contracts. Only 41% (Asia: 40%) have actually exercised them.

Challenges in the Indonesian context
Themes: Regulations; General business opacity; Third party due diligence
- Organizations make higher use of agents
- Without agents, business progress would be severely compromised
- Customary governmental interactions (e.g. permits)
- Relates to less traditional matters (e.g. identifying the existence of business opportunities)
- Tradition of investing in relationships
- Counterparties lack internal controls (e.g. entertainment, sponsorship and gifts)
- Ease of establishing entities
- Lack of requirements to describe business activities
- Difficulties in obtaining reliable corporate registry information
- Generally, low level of detail in contracts and supporting documentation (e.g. invoices)

Appendix: Bribery Surveys / Publications

Bribery Surveys / Publications
Publication: Anti-Bribery and Corruption: Rising to the challenge in the age of globalization (KPMG 2015)

Top ABC challenges, USA companies and UK companies (share of respondents and ranking)
- Auditing third parties for compliance: US 2011 43.0% (rank 1); US 2015 77.0% (rank 1); UK 2011 32.0% (rank 1); UK 2015 51.0% (rank 1)
- Difficulty in performing due diligence over foreign agents/third parties: US 2011 42.0% (rank 2); US 2015 54.0% (rank 4); UK 2011 32.0% (rank 2); UK 2015 48.8% (rank 2)
- Variations in country requirements (data privacy etc.): US 2011 32.0% (rank 3); US 2015 60.0% (rank 3); UK 2011 29.0% (rank 2); UK 2015 43.9% (rank 3)
- Company's expansion into high growth economics: US 2011 18.0% (rank 4); US 2015 53.0% (rank 5); UK 2011 21.0% (rank 3); UK 2015 34.2% (rank 8)
- Monitoring and evaluating compliance: US 2011 11.0% (rank 5); US 2015 38.0% (rank 9); UK 2011 14.0% (rank 4); UK 2015 29.3% (rank 10)
Other entries (column not shown):
- 62.0% (rank 2)
- Cultural/language issues: 34.2% (rank 5)
- Lack of internal resources: 39.0% (rank 5)
- Difficulty in identifying & assessing risk: 43.9% (rank 3)
Source: Global Anti-Bribery and Corruption Survey, KPMG International, 2015 (Anti-bribery and corruption, p.5)

Ranking of top ABC challenges, all respondents 2015
- Auditing third parties for compliance
- Lack of internal resources
- Variations in country requirements (data privacy etc.)
- Difficulty in identifying & assessing risk
- Difficulty in conducting due diligence over foreign agents/third parties
- Cultural/language issues
Source: Global Anti-Bribery and Corruption Survey, KPMG International, 2015 (Anti-bribery and corruption, p.7)

Bribery Surveys / Publications
Publication: The growing global challenge: Managing anti-bribery and corruption compliance in energy and natural resources (KPMG 2015)
ENR: Energy and Natural Resources
- KPMG conducted a survey of 659 executives in a range of functions and industries from around the world. Fifty-four (8 percent) of these work in the ENR sector. (The growing global challenge, p.2)
  54 work 38 work
- 69% of ENR respondents say their companies' ABC risk assessment examines the potential risk posed by third parties. (The growing global challenge, p.5)
- Only 56% say they have right-to-audit clauses in third party contracts. (The growing global challenge, p.6)
- 41% say they don't have a risk-based process for onboarding third parties, the same number as say they do have such a process.
Source: Global Anti-Bribery and Corruption Survey, KPMG International, 2015

Bribery Surveys / Publications
Publication: ISO standard on anti-bribery management systems (KPMG 2016)

What makes ISO 37001 different from existing guidance?
The content of the standard draws on existing guidelines, such as those produced by the US and UK authorities, but it is by definition an international standard. It is designed to provide an approach to anti-bribery compliance that can be applied consistently on a global basis and independently assessed.

How is ISO 37001 certification obtained?
Certification of compliance with the standard is based on scrutiny of an organization's anti-bribery management system by an independent third party that has been authorized to provide certifications by an ISO national member body. Maintaining the certification requires periodic external audits of ongoing compliance.

Will ISO 37001 certification act as a shield against enforcement action?
It is not expected that compliance with the standard will be treated by the competent authorities as proof positive that an organization has taken adequate measures to prevent bribery, providing it with an automatic defence or entitlement to leniency should a breach occur. However, an organization that operated to the standard can expect to be in a position of strength in justifying its actions to the competent authorities in case a breach does occur. As past experience shows, the authorities will consider a range of factors, including the existence of an effective compliance program, when determining appropriate enforcement action.

What other benefits can an organization expect from ISO 37001 certification?
For organizations subjected to complex and time-consuming due diligence or monitoring from business partners, proof of ISO 37001 certification may provide sufficient assurance for business partners to reduce the amount of due diligence necessary, providing a source of competitive advantage in winning business.

Can an organization benefit from ISO 37001 without obtaining certification?
Organizations that do not seek certification themselves may find the standard valuable as a basis for evaluating and improving their existing anti-bribery management system or for evaluating the anti-bribery management systems of current and potential business partners.

Bribery Surveys / Publications
Publication: Forensic Focus. Circumventing compliance: Corruption reaches top firms in the oil and gas industry (KPMG 2016)

Today's reality
- Unaoil went from a little-known entity to one of the most commented upon corporations in the compliance community today due to an elaborate bribery scheme. Implicated companies should consider taking action to determine what, if anything, illegal was done on their behalf.
- Compliance practices applied to ordinary third parties are often not enough to prevent corruption in the riskiest countries. Companies that enter those countries should place anti-bribery and corruption at the center of their business strategy.
- True tone at the top requires more than just a good code of conduct. It requires the commitment of resources toward follow-through at every phase of third-party risk management.
- Robust up-front reputational and integrity due diligence is essential, but companies operating in these countries should strongly consider regular compliance audits and business structures that give them full visibility into how third-party intermediaries spend funds on their behalf.
Source: Forensic Focus, p. 1

Appendix: Certification

Certification Process
[Process diagram, steps 01 to 07. Step labels: Check the relevant SNI; Send relevant documents; Evaluation; Check the LSPro; Application reviewed; Evaluation review; Certification]
Source: http://bsn.go.id

Certification Timeline
[Timeline chart: activities by month, months 1 to 7. Activity labels: Preparation of documentation; Review & implement; System implementation / integration; Review & rectification; Evaluation; Identify the relevant certification body; Evaluation & review; Certification]

Appendix: About KPMG Forensic

Global network of forensic professionals
KPMG Forensic has a global network of over 3,600 Forensic professionals supported by the specialist skills of over 189,000 KPMG people across more than 152 country locations. KPMG Forensic offices are shown below.
KPMG Forensic in Singapore comprises experienced investigators with strong IT, regulatory and law enforcement backgrounds. Over 90 full-time professionals, including forensic technology professionals, are based across Singapore and Indonesia.
Europe, the Middle East and Africa: approximately 2,390 forensic professionals
North and South America / Asia Pacific: approximately 880 / approximately 340 forensic professionals

KPMG in Singapore and Indonesia
- Singapore office established in 1941 and integrated with the Indonesian office in 2014
- 5 forensic partners
- Over 90 forensic professionals
- Offices in Singapore and Jakarta
Core services offered
- Anti-Bribery and Corruption Compliance
- Investigations
- Forensic Technology
- Forensic Data Analytics
- Anti-Money Laundering and Trade Sanctions Services
- Fraud Risk Management
- Corporate Intelligence
- Expert Witness and Dispute Advisory Services

Contacts
Owen Hawkes
Partner, Forensic, KPMG Singapore
T: +65 6213 2280
E: ohawkes@kpmg.com.sg

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2017 PT KPMG Siddharta Advisory, an Indonesian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Document Classification: KPMG Confidential