SNI ISO 37001:2016
Anti-Bribery Management Systems
11 December 2017
Owen Hawkes
Partner, KPMG Forensic
SNI ISO 37001:2016 – Three Concepts
Standard v. certification
— Provides a standard, promotes due diligence efficiency
— Internationally recognized
— Permits certification (unlike the related compliance system standard)
Certification v. effectiveness
— Certification should reflect effectiveness
— Given issues with other certifications, may not provide assurance to third parties
— In the event of an incident, effectiveness likely to be focus of law enforcement agencies
Standard v. checklist
— Like other risk management standards, is risk based
— No simple list of measures
— List of risk assessments
Challenges – Overview
Auditing third parties for compliance
Variations in country requirements – data privacy etc.
Difficulty in conducting due diligence over foreign agents/third parties
Lack of internal resources
Difficulty in identifying & assessing risk
Cultural/language issues
Source: KPMG Global Anti-Bribery and Corruption Survey 2015
Challenges – Risk Assessment
The organization shall undertake regular bribery risk assessment(s), which shall:
a. identify the bribery risks the organization might reasonably anticipate, given the [context of the organization];
b. analyse, assess and prioritise the identified bribery risks;
c. evaluate the suitability and effectiveness of the organization’s existing controls to mitigate the assessed bribery risks.
The organization shall establish criteria for evaluating its level of bribery risk, which shall take into account the organization’s policies and objectives.
Challenges – Risk assessment
[Diagram labels: Workshops; Policy reviews; Interviews; Current state: ABMS; Benchmarking; Improvement plan]
Challenges – Risk assessment
[Chart: Rating (0 to 5) by category (Due diligence; Financial controls; Anti-bribery commitments; Gifts, hospitality, donations), with series Better Practice, Industry and Organization]
Challenges – Third Party Due Diligence
1) whether the business associate is a legitimate business entity, as demonstrated by indicators such as corporate registration documents, annual filed accounts, tax identification number, listing on a stock exchange;
2) whether the business associate has the qualifications, experience and resources needed to conduct the business for which it is being contracted;
3) whether and to what extent the business associate has an anti-bribery management system;
4) whether the business associate has a reputation for bribery, fraud, dishonesty or similar misconduct, or has been investigated, convicted, sanctioned or debarred for bribery or similar criminal conduct;
5) the identity of the shareholders (including the ultimate beneficial owner(s)) and top management of the business associate, and whether they:
i) have a reputation for bribery, fraud, dishonesty or similar misconduct;
ii) have been investigated, convicted, sanctioned or debarred for bribery or similar criminal conduct;
iii) have any direct or indirect links to the organisation’s customer or client or to a relevant public official which could lead to bribery (this would include persons who are not public officials themselves, but who may be directly or indirectly related to public officials, candidates for public office, etc.);
6) the structure of the transaction and payment arrangements.
Challenges – Third Party Due Diligence
Identification
34% (Asia: 40%) of respondents do not formally identify high-risk third party intermediaries or persons associated with government. 31% (Asia: 31%) do not have formal risk-based onboarding processes for third parties, opening companies to the possibility of corrupt practices.
Communication
Once on board, 60% (Asia: 57%) say their companies distribute their ABC policies to all third parties or selected third parties, still fewer in the local language.
Of the 524 respondents with formal ABC compliance programs, 424 have communication and training programs.
73 of the 424 stated that the development of effective mechanisms for communication and training programs is highly or exceedingly challenging.
Assessment
Only 69% (Asia: 70%) of all respondents assess third-party risk.
Monitoring
For those that do have a formal ABC risk assessment, only 56% (Asia: 76%) have right-to-audit clauses in contracts.
Only 41% (Asia: 40%) have actually exercised them.
Challenges in the Indonesian context
Organizations make higher use of agents
Without agents, business progress would be severely compromised
Customary governmental interactions (e.g. permits)
Relates to less traditional matters (e.g. identifying the existence of business opportunities)
Tradition of investing in relationships
Counterparties lack internal controls (e.g. entertainment, sponsorship and gifts)
Ease of establishing entities
Lack of requirements to describe business activities
Difficulties in obtaining reliable corporate registry information
Generally, low level of detail in contracts and supporting documentation (e.g. invoices)
Regulations
General business opacity
Third party due diligence
Appendix: Bribery Surveys / Publications
Bribery Surveys / Publications
Anti-Bribery and Corruption: Rising to the challenge in the age of globalization
KPMG – 2015
USA companies and UK companies
Respondents | US 2011 | Ranking 2011 | US 2015 | Ranking 2015 | UK 2011 | Ranking 2011 | UK 2015 | Ranking 2015
Auditing third parties for compliance | 43.0% | 1 | 77.0% | 1 | 32.0% | 1 | 51.0% | 1
Difficulty in performing due diligence over foreign agents/third parties | 42.0% | 2 | 54.0% | 4 | 32.0% | 2 | 48.8% | 2
Variations in country requirements – data privacy etc. | 32.0% | 3 | 60.0% | 3 | 29.0% | 2 | 43.9% | 3
Company’s expansion into high growth economics | 18.0% | 4 | 53.0% | 5 | 21.0% | 3 | 34.2% | 8
Monitoring and evaluating compliance | 11.0% | 5 | 38.0% | 9 | 14.0% | 4 | 29.3% | 10
Cultural/language issues 62.0% 2 5 34.2% 5
Lack of internal resources 39.0% 5
Difficulty in identifying & assessing risk 43.9% 3
Source: Global Anti-Bribery and Corruption Survey, KPMG International, 2015 Anti-bribery and corruption, p.5
Ranking of top ABC challenges – All respondents 2015
Source: Global Anti-Bribery and Corruption Survey, KPMG International, 2015 Anti-bribery and corruption, p.7
Auditing third parties for compliance
Variations in country requirements – data privacy etc.
Difficulty in conducting due diligence over foreign agents/third parties
Lack of internal resources
Difficulty in identifying & assessing risk
Cultural/language issues
Bribery Surveys / Publications
KPMG conducted a survey of 659 executives in a range of functions and industries from around the world.
Fifty-four (8 percent) of these work in the ENR sector
38 work
54 work
Source: Global Anti-Bribery and Corruption Survey, KPMG International, 2015
The growing global challenge, p.2
Only 56% say they have right-to-audit clauses in third party contracts.
41% say they don’t have a risk-based process for onboarding third parties, the same number as says they do have such a process.
69% of ENR respondents say their companies’ ABC risk assessment examines the potential risk posed by third parties.
ENR: Energy and Natural Resource
The growing global challenge, p.5
The growing global challenge, p.6
Source: Global Anti-Bribery and Corruption Survey, KPMG International, 2015
Managing anti-bribery and corruption
compliance in energy and natural resources
KPMG – 2015
Bribery Surveys / Publications
• What makes ISO 37001 different from existing guidance?
– The content of the standard draws on existing guidelines, such as those produced by the US and UK authorities, but it is by definition an international standard. It is designed to provide an approach to anti-bribery compliance that can be applied consistently on a global basis and independently assessed.
• How is ISO 37001 certification obtained?
– Certification of compliance with the standard is based on scrutiny of an organization’s anti-bribery management system by an independent third party that has been authorized to provide certifications by an ISO national member body. Maintaining the certification requires periodic external audits of ongoing compliance.
• Will ISO 37001 certification act as a shield against enforcement action?
– It is not expected that compliance with the standard will be treated by the competent authorities as proof positive that an organization has taken adequate measures to prevent bribery, providing it with an automatic defence or entitlement to leniency should a breach occur. However, an organization that operated to the standard can expect to be in a position of strength in justifying its actions to the competent authorities in case a breach does occur. As past experience shows, the authorities will consider a range of factors, including the existence of an effective compliance program, when determining appropriate enforcement action.
• What other benefits can an organization expect from ISO 37001 certification?
– For organizations subjected to complex and time-consuming due diligence or monitoring from business partners, proof of ISO 37001 certification may provide sufficient assurance for business partners to reduce the amount of due diligence necessary, reducing with a source of competitive advantage in winning business.
• Can an organization benefit from ISO 37001 without obtaining certification?
– Organizations who do not seek certification themselves may find the standard valuable as a basis for evaluating and improving their existing anti-bribery management system or for evaluating the anti-bribery management systems of current and potential business partners.
ISO standard on anti-bribery management systems
KPMG – 2016
Bribery Surveys / Publications
Today’s reality
Forensic Focus, p.1
Circumventing compliance: corruption reaches top firms in the oil and gas industry
— Unaoil went from a little-known entity to one of the most commented upon corporations in the compliance community today due to an elaborate bribery scheme.
— Implicated companies should consider taking action to determine what, if anything, illegal was done on their behalf.
— Compliance practices applied to ordinary third parties are often not enough to prevent corruption in the riskiest countries. Companies that enter those countries should place anti-bribery and corruption at the center of their business strategy.
— True “tone at the top” requires more than just a good code of conduct. It requires the commitment of resources toward follow-through at every phase of third-party risk management.
— Robust up-front reputational and integrity due diligence is essential, but companies operating in these countries should strongly consider regular compliance audits and business structures that give them full visibility into how third-party intermediaries spend funds on their behalf.
Forensic Focus
Circumventing compliance: Corruption reaches top firms in the oil and gas industry
KPMG – 2016
Appendix: Certification
Certification – Process
[Process diagram, steps 01 to 07. Labels: Check the relevant SNI; Send relevant documents; Evaluation; Check the LSPro; Application reviewed; Evaluation review; Certification]
Source: http://bsn.go.id
Certification – Timeline
Month: 1 2 3 4 5 6 7
Activities:
Review & Implement: Preparation of documentation; System implementation/integration; Review & rectification
Evaluation: Identify the relevant certification body; Evaluation & review
Certification: Certification
Appendix: About KPMG Forensic
Global network of forensic professionals
KPMG Forensic has a global network of over 3,600 Forensic professionals supported by the specialist skills of over 189,000 KPMG people across more than 152 country locations. KPMG Forensic offices are shown below. KPMG Forensic in Singapore comprises experienced investigators with strong IT, regulatory and law enforcement backgrounds. Over 90 full-time professionals, including forensic technology professionals, are based across Singapore and Indonesia.
North and South America: approximately 880 forensic professionals
Asia Pacific: approximately 340 forensic professionals
Europe, the Middle East and Africa: approximately 2,390 forensic professionals
KPMG in Singapore and Indonesia
Singapore
Jakarta
Singapore office established in 1941 and integrated with the Indonesian office in 2014
5 forensic partners
Over 90 forensic professionals
Offices in Singapore and Jakarta
CORE SERVICES OFFERED
Anti-Bribery and Corruption Compliance
Investigations
Forensic Technology
Forensic Data Analytics
Expert Witness and Dispute Advisory Services
Anti-Money Laundering and Trade Sanctions Services
Fraud Risk Management
Corporate Intelligence
© 2017, PT KPMG Siddharta Advisory, an Indonesian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.
The KPMG name, logo are registered trademarks or trademarks of KPMG International.
Contacts
Owen Hawkes
Partner, Forensic
KPMG Singapore
T: +6562132280