FCPA Compliance and Ethics Blog

September 16, 2013

Are You at Risk? The 5 Pillars of a Solid Compliance Program

Filed under: Best Practices,compliance programs,John Boscariol — tfoxlaw @ 7:13 am

ED. Note-today we have a guest post from our colleague John Boscariol, a partner at McCarthy Tétrault LLP.

The recent conviction of Canadian businessman Nazir Karigar, who conspired to bribe officials with the Indian government to help win a contract for Ontario-based Cryptometrics, is an important reminder of Canada’s stepped up anti-corruption enforcement, particularly against individual business executives (see First Canadian Convicted Under Bribery Law). By now, exporters should have received the message loud and clear: ignoring anti-corruption and trade control laws—laws governing the transfer of sensitive goods and technologies as well as where and with whom you can do business—can damage reputation and the bottom line.

Businesses with operations outside Canada must be proactive about educating themselves about compliance legislation and implementing anti-corruption and trade control compliance policies for internal use. Those policies should be supported with training sessions for staff and senior management.

Through a Google search, you can easily find numerous examples of policies and training programs that appear to cover all the right bases. However, simply dropping a pro forma compliance plan into your company won’t work.  In fact, it could do more damage than good.

First things first: conduct a risk assessment

Enforcement authorities in Canada, the U.S., and elsewhere, expect companies to undertake a thorough risk assessment before crafting a compliance program.  This means taking into account any risks arising from the countries where you do business, the industry you’re in and your company’s business practices and culture. A software company that only sells to small businesses in Canada and the U.S. will have a very different risk profile—and compliance program—than a defense company selling weapons to governments around the world.

When you’re doing a risk assessment, consider whether the goods or services you provide could be used for unintended purposes (for example, military activities); check if your product or technology is listed on Canada’s Export Control List or subject to sanctions measures because of the destination. If so, you’ll need a permit before exporting the goods or transferring the technology.

Consider, too, the kinds of customers you sell to—governments and state-owned or controlled enterprises are a higher risk for anti-corruption compliance; Canada also maintains many sanctions blacklists that your customers, suppliers and other business partners should be screened against. Finally, think carefully about the extent to which you rely on agents and other third parties acting on your behalf. Their actions in other countries could cause major compliance headaches for you at home.

The five pillars of a solid compliance program

Now that you’ve completed a risk assessment of your business, you’re ready to draft a compliance and anti-corruption policy for the office along with devising supporting activities.  For the sake of efficiency and effectiveness, I recommend that a compliance officer be appointed, who would report directly to the CEO, or even better, the board of directors.

Your program should include these critical elements:

Clear statements from the CEO and board of directors that compliance is a priority for the company; failure to adhere to the policies will have consequences, up to and including termination.

Guidelines regarding anti-corruption and trade control policies and procedures that are readily accessible by staff and provide clear direction. This will include an outline of the process for screening (e.g., against sanctions blacklists or for bribery concerns) and ongoing monitoring of customers, suppliers, third parties acting on behalf of your firm, and other business partners. The screening process can include background and criminal checks. Moreover, screening should include consulting the “designated persons” lists established under Canadian economic sanctions laws.

An internal auditing system to regularly review and test the compliance regime and correct any errors or weaknesses. The system should include processes for internal reporting and voluntary disclosure to government authorities where appropriate.

A combination of positive incentives and disciplinary measures to encourage employee and executive compliance.

Contractual clauses, end-use certificates (which document the intended use of your product or service), and other due diligence tools, to ensure compliance.

I can recommend several helpful online resources that will assist you in building a solid compliance program, including:

Transparency International Canada’s Anti-Corruption Compliance Checklist

Transparency International’s Business Principles for Countering Bribery SME Edition

U.S. Department of Commerce Export Compliance Management Program

The end goal

Ultimately, your policy should ensure that employees, particularly those dealing with outside parties and approving projects and expenditures, understand the requirements and know that they must raise any concerns with the compliance officer. Ongoing executive and employee training, especially for those on the front lines—e.g., sales and business development—will help ensure that this happens.

Keep in mind that no compliance policy can guarantee that your company will have a perfect compliance record.  It is inevitable that businesses operating abroad will trip up from time to time.  The key is how companies deal with the situation when it arises.

An effective compliance program will demonstrate to authorities that the company did what it could reasonably be expected to do under the circumstances and ought to be given credit for its efforts.


John W. Boscariol is head of the firm’s International Trade & Investment Law Group and a partner in the Litigation Group. He can be reached via email at jboscariol@mccarthy.ca.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. 

Blog at WordPress.com.