Are You at Risk? The 5 Pillars of a Solid Compliance Program

Canada has stepped up anti-corruption enforcement. What every SME with international operations needs to know

Written by John Boscariol

The recent conviction of Canadian businessman Nazir Karigar, who conspired to bribe officials with the Indian government to help win a contract for Ontario-based Cryptometrics, is an important reminder of Canada’s stepped up anti-corruption enforcement, particularly against individual business executives (see First Canadian Convicted Under Bribery Law). By now, exporters should have received the message loud and clear: ignoring anti-corruption and trade control laws—laws governing the transfer of sensitive goods and technologies as well as where and with whom you can do business—can damage reputation and the bottom line.

Read: 5 Crucial Steps for Pain-Free Exporting

Businesses with operations outside Canada must be proactive about educating themselves about compliance legislation and implementing anti-corruption and trade control compliance policies for internal use. Those policies should be supported with training sessions for staff and senior management.

Through a Google search, you can easily find numerous examples of policies and training programs that appear to cover all the right bases. However, simply dropping a pro forma compliance plan into your company won’t work.  In fact, it could do more damage than good.

First things first: conduct a risk assessment

Enforcement authorities in Canada, the U.S., and elsewhere, expect companies to undertake a thorough risk assessment before crafting a compliance program.  This means taking into account any risks arising from the countries where you do business, the industry you’re in and your company’s business practices and culture. A software company that only sells to small businesses in Canada and the U.S. will have a very different risk profile—and compliance program—than a defense company selling weapons to governments around the world.

When you’re doing a risk assessment, consider whether the goods or services you provide could be used for unintended purposes (for example, military activities); check if your product or technology is listed on Canada’s Export Control List or subject to sanctions measures because of the destination. If so, you’ll need a permit before exporting the goods or transferring the technology.

Consider, too, the kinds of customers you sell to—governments and state-owned or controlled enterprises are a higher risk for anti-corruption compliance; Canada also maintains many sanctions blacklists that your customers, suppliers and other business partners should be screened against. Finally, think carefully about the extent to which you rely on agents and other third parties acting on your behalf. Their actions in other countries could cause major compliance headaches for you at home.

The five pillars of a solid compliance program

Now that you’ve completed a risk assessment of your business, you’re ready to draft a compliance and anti-corruption policy for the office along with devising supporting activities.  For the sake of efficiency and effectiveness, I recommend that a compliance officer be appointed, who would report directly to the CEO, or even better, the board of directors.

Your program should include these critical elements:

  1. Clear statements from the CEO and board of directors that compliance is a priority for the company; failure to adhere to the policies will have consequences, up to and including termination.
  2. Guidelines regarding anti-corruption and trade control policies and procedures that are readily accessible by staff and provide clear direction. This will include an outline of the process for screening (e.g., against sanctions blacklists or for bribery concerns) and ongoing monitoring of customers, suppliers, third parties acting on behalf of your firm, and other business partners. The screening process can include background and criminal checks. Moreover, screening should include consulting the “designated persons” lists established under Canadian economic sanctions laws.
  3. An internal auditing system to regularly review and test the compliance regime and correct any errors or weaknesses. The system should include processes for internal reporting and voluntary disclosure to government authorities where appropriate.
  4. A combination of positive incentives and disciplinary measures to encourage employee and executive compliance.
  5. Contractual clauses, end-use certificates (which document the intended use of your product or service), and other due diligence tools, to ensure compliance.

I can recommend several helpful online resources that will assist you in building a solid compliance program, including:

The end goal

Ultimately, your policy should ensure that employees, particularly those dealing with outside parties and approving projects and expenditures, understand the requirements and know that they must raise any concerns with the compliance officer. Ongoing executive and employee training, especially for those on the front lines—e.g., sales and business development—will help ensure that this happens.

Keep in mind that no compliance policy can guarantee that your company will have a perfect compliance record.  It is inevitable that businesses operating abroad will trip up from time to time.  The key is how companies deal with the situation when it arises.

An effective compliance program will demonstrate to authorities that the company did what it could reasonably be expected to do under the circumstances and ought to be given credit for its efforts.

Related: Don’t Leave Overseas Employees Unprotected

Originally appeared on