foundations1


Implementation of Anti-Corruption Procedures by Controlled Organisations and by Business Associates

This section provides guidance in relation to the requirement that an organisation should implement procedures which ensure that all controlled organisations and, where reasonable, all more than low risk business associates, have implemented reasonable and proportionate anti-corruption procedures (Measure 12 of the Anti-Corruption Programme for Organisations).

(1) Intent of requirement

The intent of this requirement is that the organisation should:

  • ensure that all other organisations over which it has control implement reasonable and proportionate anti-corruption procedures; and
  • require where reasonable that all business associates which pose a more than low corruption risk to the organisation implement reasonable and proportionate anti- corruption procedures which include all relevant transaction(s) within their scope.

(2) Reason for requirement

The reason for this requirement is that these other organisations (whether controlled or not) can pose a corruption risk to the organisation, and that anti-corruption procedures implemented by these other organisations may help reduce these risks. The types of risk which the organisation is aiming to avoid in these cases are, for example:

  • a subsidiary of the organisation paying a bribe with the result that the organisation can be liable
  • a procurement manager of a client demanding a bribe from the organisation in return for a contract award
  • an agent or joint venture partner of the organisation paying a bribe to a manager of the organisation’s client on behalf of the organisation
  • a supplier or sub-contractor to the organisation paying a bribe to the organisation’s procurement manager in return for a contract award.

(3) Controlled organisations

This anti-corruption requirement distinguishes between those organisations over which the organisation has control, and those over which it does not.  The organisation must ensure that all other organisations over which it has control implement reasonable and proportionate anti-corruption procedures.

For the purposes of this requirement, an organisation has control over another organisation if it directly or indirectly controls the management of the organisation, including through the majority of the ownership interest or voting rights.  An organisation might have control, for example, over a subsidiary, joint venture or consortium through majority votes on the board, or through a majority shareholding.

It is reasonable to expect the organisation to use that control to ensure that the controlled organisation implements reasonable and proportionate anti-corruption procedures.

The procedures which should be implemented by the controlled organisation are likely to be similar to those adopted by the organisation, but appropriately adjusted so as to be reasonable and proportionate to the nature and extent of the corruption risks faced by the controlled organisation.

(4) Business associates

This sub-section applies to business associates over which the organisation does not have control.  Whether or not the organisation needs to take steps to ensure the implementation by a non-controlled business associate of anti-corruption procedures depends on whether or not it is reasonable to do so.  GIACC suggests that this reasonableness test can be dealt with in a systematic way as follows.

  1. Allocate business associates into categories according to the assessed corruption risk they pose to the organisation.  See the guidance section on Business Associate Corruption Risk Assessments where GIACC recommends that business associates are divided into three risk categories; low, medium and high.
  2. If the risk assessment concludes that a business associate poses only a low risk of corruption, then the organisation does not need to take steps to ensure that the business associate has anti-corruption procedures in place. This reflects the reasonableness and proportionality of the programme, in that the organisation should not have to take disproportionate steps in relation to low risk business associates.  Therefore, the organisation is determining that it would be unreasonable to require low risk business associates to implement anti-corruption procedures, or to have to verify whether low risk business associates have such procedures in place.
  3. If the risk assessment concludes that a business associate poses a medium risk of corruption, it is recommended that the organisation takes steps to identify whether the business associate has anti-corruption procedures in place.  The recommended due diligence (see the guidance section on Business Associate Corruption Risk Assessments) suggests that proof of anti-corruption procedures should be obtained from the business associate by means of requesting it to provide a copy of its anti-corruption policy and details of its anti-corruption procedures (if any).  The organisation can then assess whether the business associate has procedures in place, and, if so, whether they are appropriate.
  4. If the risk assessment concludes that a business associate poses a high risk of corruption, it is recommended that the organisation takes the steps listed in clause 3) above), and, in addition, obtains further verification of the high risk business associate’s anti-corruption procedures by questioning a relevant senior officer of the business associate about its anti-corruption procedures (see the guidance section on Business Associate Corruption Risk Assessments).  Therefore, there is a higher level of verification of the procedures by the organisation in the case of a high risk business associate than in the case of a medium risk business associate.
  5. From the enquiries in clauses 3) and 4) above, the organisation should be able to assess to a reasonable level whether the business associate has appropriate anti-corruption procedures in place.  If these enquiries reasonably satisfy the organisation that the medium or high risk business associate has appropriate anti-corruption procedures in place, then this requirement is satisfied (subject to reasonable and proportionate on-going verification and monitoring as per sub-section 5 clauses 6 and 7 below).
  6. If the enquiries in clauses 3) and 4) above do not reasonably satisfy the organisation that the medium or high risk business associate has appropriate procedures in place, or if the organisation is unable to undertake such enquiries, then the organisation should determine whether it is reasonable to require the business associate to implement anti-corruption procedures as a condition of working with the organisation.  Whether or not it is reasonable depends on the circumstances.  For example:
    • It will normally be reasonable when both bullet points below apply:
      1. When the implementation of anti-corruption procedures by the business associate would be likely to help minimise the corruption risk.
      2. When the organisation has a significant degree of influence over the business associate.  For example, where the organisation is appointing an agent to act on its behalf in a transaction, or is appointing a sub-contractor with a large scope of work. In this case the organisation will normally be able to make implementation of adequate anti-corruption procedures by the business associate a condition of appointment.
    • It will normally not be reasonable when any of the bullet points below apply:
      1. When the implementation of procedures by the business associate would be unlikely to make any practical difference to the risk (e.g. if the risk can be adequately controlled by the organisation’s own existing procedures)
      2. When the organisation does not have a significant degree of influence over the business associate:  For example, where the business associate is:
        • a client for a major project
        • a major sub-contractor or supplier where the bargaining power of the sub-contractor or supplier  is far greater than that of the organisation (for example, when the organisation is buying components from a major supplier on the supplier’s standard terms).
      3. When the business associate lacks the resources or expertise to be able to implement procedures (e.g. an organisation with only a few people, or which due to low administrative resource or experience could not practically implement such procedures). 
  7. Where the organisation deems it reasonable under clause 6) above, then it should require the business associate to implement anti-corruption procedures which include the relevant transaction within their scope.  The organisation will normally impose this requirement over the business associate as a pre-condition to working with the business associate and/or as part of the contract between them.
  8. Where the organisation deems it unreasonable under clause 6) above for it to require the business associate to implement anti-corruption procedures, then the absence of these procedures, or the inability to verify them, is likely to be a negative factor to be taken into account by the organisation in undertaking the risk assessment on the business associate.  This does not necessarily mean that the organisation cannot go ahead with the relationship or transaction. However, the organisation should consider, as part of the risk assessment, the likelihood of the business associate being involved in corruption, and the organisation should take the absence of such procedures into account in assessing the overall risk.  It may be that the organisation assesses that the risk of working with a high risk business associate which has not implemented anti-corruption procedures is too high.  On the other hand the organisation may identify the risk, but determine that it can manage these risks within the scope of the organisation’s existing procedures, or by the implementation by the organisation of a higher level of control in relation to the business associate relationship.

(5) Anti-corruption procedures to be implemented by the business associate 

  1. The organisation needs to identify the type of anti-corruption procedures which the business associate would be expected to implement or have implemented. These procedures should be reasonable and proportionate to the risks faced, and at minimum should include all relevant transactions between the organisation and business associate within their scope.  The factors which should be taken into account by the organisation when assessing the business associate’s anti-corruption procedures include:
    • size of the business transaction
    • size and complexity of the business associate
    • countries and sectors in which the transaction is taking place
    • structure of the transaction
    • size and method of payments
    • whether the business associate will deal with other parties (e.g. the client or government officials) on behalf of the organisation
    • applicable statutory, regulatory, contractual and/or professional obligations and duties
    • any other specific corruption risks that the business associate poses to the organisation. 
  2. Depending on the nature of the business associate and the nature of the risk it poses, the organisation may, for example, take the following steps:
    • In the case of a major high risk business associate with a large and complex scope of work, the organisation may require the business associate to have implemented anti-corruption procedures equivalent to those adopted by the organisation.
    • In the case of a medium size and medium risk business associate, the organisation may require the business associate to have implemented some minimum anti-corruption procedures in relation to the transaction, such as an anti-corruption policy, training for its relevant employees, a manager with responsibility for compliance in relation to the transaction, controls over key payments and a reporting line.
    • In the case of a very small business associate which poses a medium or high risk, but which lacks the size or resources to implement substantive anti-corruption measures, the organisation may require specific controls, such as training for relevant employees, and controls over key payments and gifts and hospitality.
  3. The cases in clause 2) above are examples only.  The important issue is for the organisation to identify the key corruption risks in relation to the transaction, and to require as far as reasonable that the business associate has implemented reasonable and proportionate controls over those key risks.
  4. In some cases, the business associate may have implemented anti-corruption procedures which cover its whole business, including all relevant transactions.  In other cases, the business associate may implement anti-corruption procedures in relation only to the relevant transaction(s) with the organisation.  While, the former is preferable, the organisation may accept the latter situation, as it is unlikely that the organisation will have influence over the business associate wider than the relevant transactions.
  5. As anti-corruption procedures can take some time to implement, it is likely to be reasonable for an organisation to give its business associates time to implement such procedures. Subject to an assessment of the risks involved, the organisation could continue to work with that business associate in the interim, but the absence of such a system in the interim should be taken account of by the organisation as a negative factor in the risk assessment.  The organisation may also in the interim impose a higher level of monitoring over the transaction.
  6. In most cases, the organisation would not be required to verify proper on-going implementation by the business associate of its anti-corruption procedures, as this would be very difficult for the organisation to verify, and is likely to be unreasonable and disproportionate.  However, the organisation should take reasonable steps to satisfy itself that the business associate has implemented the procedures (e.g. by requesting the business associate to provide copies of its relevant policy and procedure documents, and by on-going monitoring (see clause 7 below).  In high corruption risk cases (e.g. an agent on a success fee based commission), the organisation may determine that it is necessary to implement some verification procedures, for example, by periodic sample audits of the agent’s accounts and procedures.
  7. The organisation should implement a reasonable monitoring programme on the relevant activities of its medium and high risk business associates. For the duration of the project or transaction, a suitably senior manager of the organisation should be allocated responsibility for monitoring the activities of the business associate on an on-going basis.  Monitoring does not require permanent on-site observation.  It requires having a reasonable and cost effective awareness of the activities of the business associate, and keeping an eye open for any suspicious indicator of corruption in relation to the business associate.  For example, does the business associate seem to be unusually quick or successful in obtaining contracts or government services?  Have rumours about corruption started circulating about the business associate?  Any indication of suspected corruption by the business associate should immediately be reported by the manager to the compliance manager.

Implementation checklist for Measure 12

Controlled organisations

The organisation should identify its controlled organisations and ensure that they have implemented reasonable and proportionate anti-corruption procedures (see sub-section 3) above).

Non–controlled business associates

  1. In relation to non–controlled business associates, the organisation should undertake a risk assessment, and divide the business associates into, for example, three risk categories; low, medium and high (see sub-section 4) clause 1) above).
  2. No specific procedure is necessary in relation to low risk business associates (see sub-section 4) clause 2) above).
  3. In relation to medium and high risk business associates, the organisation should take steps to identify their anti-corruption procedures as per sub-section 4) clauses 3) and 4) above).
  4. If the business associate anti-corruption procedures are appropriate, then the requirement is satisfied, subject to ongoing verification and monitoring (see sub-section 4) clause 5) above).
  5. If the business associate anti-corruption procedures are not appropriate, or cannot be verified, then the organisation should determine whether it is reasonable to require the business associate to implement appropriate anti-corruption procedures (see sub-section 4) clause 6) above).
  6. Where the organisation deems it reasonable, then it should require the business associate to implement appropriate anti-corruption procedures (see sub-section 4) clause 7) above). 
  7. Where the organisation deems it unreasonable, then the absence of these procedures, or inability to verify them, is likely to be a negative factor to be taken into account in undertaking the risk assessment on the business associate (see sub-section 4) clause 8) above). 
  8. See sub-section 5) above for guidance on appropriate anti-corruption procedures for implementation by business associates.

Most recent update on 10th April 2020

Page first published on 17th February 2016

© GIACC