A MESSAGE FROM THE CEO
There are some critical questions being posed to business
leaders today: Has your organisation implemented reasonable
and proportionate measures to prevent bribery? How will you
know if your anti-bribery and anti-corruption controls are
adequate? Are you aware of the latest best practices in
preventing corruption? In short, are you ready for ISO 37001?
The International Organization for Standardization (ISO)
issued the ISO 37001:2016 Anti-Bribery Management System
standard, which mirrors numerous steps contained in the U.S.
Foreign Corrupt Practices Act (DOJ and SEC) and Good Practice
Guidance on Internal Controls, Ethics and Compliance (OECD),
Anti-Corruption Ethics and Compliance Handbook for Business
(OECD), U.K. Bribery Act 2010 and the British Ministry of
Justice’s Adequate Procedures document.
Welcome to our Rolls-Royce Case Study, where you’ll learn the
facts surrounding Rolls-Royce’s performance in terms of
anti-bribery and anti-corruption policies within the scope of
the ISO 37001 provisions, and how the ISO 37001 standard
integrates top-level leadership, training, bribery risk
assessment, due diligence adequacy, and financial and
commercial controls, all to keep your organisation better
protected from harm.
After reading this case study, I invite you to contact CRI
Group to learn more about how we can help you become ISO 37001
ready today.
Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI
Chief Executive Officer, CRI Group
Zafar I. Anjum
Zafar Anjum is a highly respected professional in the fraud
prevention, protective integrity, security and compliance
fields. He is known for creating stable and secure networks
across challenging global markets. In addition to a Bachelor
of Arts, he earned a Master of Science in Counter Fraud and
Counter Corruption, along with specialised certification in
fraud investigations, fraud and financial crimes, corporate
fraud control and pre-employment investigations. Mr Anjum will
complete his Doctorate in Criminal Justice in 2020. His
leadership abilities create strong collaborative relationships
among prevention teams, crime investigators, government
officials and business executives seeking dynamic solutions
across international marketplaces.
t: +44 (0)7588 454 959
e: zanjum@CRIgroup.com
BUSINESS OBJECTIVES CAN ONLY
BE ACHIEVED IF RISKS ARE MANAGED
EFFECTIVELY - IMPLEMENTING
ANTI-BRIBERY & ANTI-CORRUPTION POLICIES
HELPS ANY BUSINESS MAXIMISE RETURNS
WHILE MANAGING REPUTATION.
INTRODUCTION
This report analyses the performance of Rolls-
Royce in terms of anti-bribery and anti-corruption
policies within the scope of the ISO 37001
provisions. This organisation has been involved
in several large-scale investigations in recent
years, which makes it especially interesting to
explore how it has changed its policies in this
sphere to address the identified deficiencies. The
findings indicate that Rolls-Royce has addressed
these problems by cooperating with a globally
recognised external auditor, revising its corporate
policies, and implementing additional employee
training. In terms of risks, the scope of company
operations presumes high degrees of risk since
it operates in 150 countries and experiences
severe rivalry in the defence contracts industry,
the energy sector, and the aerospace industry.
The presently utilised measures
imply an efficient system of internal
reporting and the supervision of
financial processes performed by
several departments, which provides
for the right level of transparency.
However, the effectiveness of the
REACH monitoring programme
may depend on the availability of
corporate resources since the legal
team, the governance team, and
the export team have to supervise
all potentially fraudulent operations
in multiple countries. This suggests
the need to prioritise the contexts
characterised by high corruption
levels.
HELPING YOU MAKE INFORMED, SOUND DECISIONS
Since 1990, Corporate Research and Investigations
Limited (CRI Group) has been safeguarding businesses
from fraud and corruption, providing employee background
screening, insurance fraud investigations, investigative
due diligence, third-party risk management, compliance
and other professional investigative research services.
Globally, we are a leading Compliance and Risk
Management company and a licensed and incorporated entity
of the Dubai International Financial Center (DIFC), Abu
Dhabi Global Market (ADGM) and Qatar Financial Center
(QFC). CRI Group protects businesses by establishing
the legal compliance, financial viability, and integrity levels
of outside partners, suppliers and customers seeking to
affiliate with your business.
Based in London, United Kingdom, CRI Group is a global
company with experts and resources located in key
regional marketplaces across the Asia Pacific, South Asia,
the Middle East, North Africa, Europe, North and South
America. Our global team can support your organisation
anywhere in the world.
The international nature of business today dictates an
increasing demand for proactive measures such as global
investigations, compliance & risk management solutions to
reduce the exposure to organisations of economic crime
and civil wrongs, particularly in the financial, government
and multinational business sectors.
Are you making informed, sound decisions regarding
M&A, strategic partnerships & selection of employees,
vendors or suppliers? Visit CRIGroup.com.
ABAC® Center of Excellence
is an independent certification
body, powered by CRI Group.
ABAC® offers a complete
suite of services and solutions
designed to educate, equip and
support the world’s leading
business organisations with
the latest best-in-practice risk
and performance assessments,
systems improvement and
standards certification.
Build trust.
Ensure compliance.™
ABAC® programs protect your
organisation from damaging
litigation and safeguard
your business in the global
marketplace by providing
certification and training in
internationally recognised ISO
standards, such as ISO 19600
Compliance Management
Systems, ISO 31000 Risk
Management Systems and
ISO 37001 Anti-Bribery
Management Systems. Its ISO
37001 Certification services
are accredited by the United
Kingdom Accreditation Service
(UKAS CB number: 10613),
making it the leading certification
body specialising in anti-bribery
management.
ABAC® operates through its
global network of certified ethics
and compliance professionals,
qualified auditors, financial and
corporate investigators, certified
fraud examiners, forensic
analysts and accountants.
Visit ABACGroup.com.
1. THE ORGANISATION & ITS CONTEXT
1.1. THE SIZE, STRUCTURE
AND DELEGATED DECISION-
MAKING AUTHORITY OF THE
ORGANISATION
The Rolls-Royce company presently employs
more than 40,000 workers in 50+ countries,
making it a large international corporation
with a complex structure. However, its
top executives characterise the company's
decision-making patterns as slow and highly
bureaucratic (Hollinger, 2015, n.p.). This may
be dangerous for monitoring and
addressing the causes of bribery.
1.2. THE LOCATIONS AND SECTORS
IN WHICH THE ORGANISATION
OPERATES OR ANTICIPATES
OPERATING
The company is presently operating in the
aerospace, marine, and energy sectors. It
manufactures propulsion equipment, aircraft
engines, gas compression stations, and other
products for both civil customers and the
defence sector organisations.
1.3. THE NATURE, SCALE, AND
COMPLEXITY OF ORGANISATIONAL
ACTIVITIES AND OPERATIONS
The presence in more than 150 countries and
a wide range of international partnerships
make Rolls-Royce activities and operations
highly complex. The company is involved
in extensive supply chain relationships and
customer relationships, making it challenging
to monitor potential bribery issues in the local
markets from the central headquarters.
1.4. THE BUSINESS MODEL OF THE
ORGANISATION
The company business model is built on the
global customer base. Rolls-Royce targets
large international markets with medium
and high barriers to entry and the expected
development time reaching 20 years. A
substantial share of future profits is expected
from servicing the delivered equipment,
which further supports the need for effective
relationship management.
1.5. THE ENTITIES OVER WHICH THE
ORGANISATION HAS CONTROL AND
ENTITIES WHICH EXERCISE CONTROL
OVER THE ORGANISATION
The recent acquisitions of Rolls-Royce include
Aero Engine Controls, Siemens electric propulsion,
and Tognum AG. All of these organisations are
associated with the core company business and
contribute to the research and development (R&D)
function.
1.6. THE BUSINESS ASSOCIATES OF
THE ORGANISATION
Company associates, joint venture partners, and
suppliers are closely monitored via the Dow Jones
Risk and Compliance Platform to ensure that they
comply with applicable industry regulations and
have a positive reputation.
1.7. THE NATURE AND EXTENT
OF INTERACTIONS WITH PUBLIC
OFFICIALS
The company maintains press contacts on both
a divisional and a regional basis.
1.8. APPLICABLE STATUTORY,
REGULATORY, CONTRACTUAL, AND
PROFESSIONAL OBLIGATIONS AND
DUTIES
Applicable statutory and regulatory obligations
include the need to pay applicable taxes and
observe all regulations and laws governing
business conduct in the countries of Rolls-Royce
presence.
In terms of contractual and professional duties,
the company encourages its employees not to
tolerate corruption and bribery in any form. The
employees are expected to report all such cases
to the management and limit the acceptance of
offered hospitality items and gifts to the
provisions outlined by corporate policies.
2. THE NEEDS & EXPECTATIONS OF STAKEHOLDERS
2.1. THE STAKEHOLDERS THAT
ARE RELEVANT TO THE ANTI-
BRIBERY MANAGEMENT SYSTEM
(ABMS)
Within the scope of bribery scandals,
such as the one considered by Pegg et al.
(2016), there exist multiple stakeholders
responsible for implementing anti-bribery
measures.
• First, company directors involved in
negotiations with local authorities and
decision-makers must refrain from
offering bribes and inform the top
management about such cases.
• Second, industry regulators, including
the Serious Fraud Office (SFO), are
responsible for the identification of
malpractices and the prevention of
corrupt payments.
• Third, local organisations involved in
tender bids and similar arrangements
may inform the authorities and the top
management of Rolls-Royce about
any cases of fraudulent behaviours
on the part of the company managers
and decision-makers leading to unfair
competition and preferential treatment.
2.2. THE RELEVANT
REQUIREMENTS OF THESE
STAKEHOLDERS
Internal stakeholders are obliged to refrain
from bribery activities in accordance with
their job descriptions and corporate codes
of conduct. Failure to do so results
in contract termination and possible
legal prosecution. At the same time,
non-mandatory expectations include proactive
compliance monitoring on their part and
the readiness to disclose such issues if
they or their colleagues have experienced
them. According to Bellaby (2018),
such arrangements may create substantial
conflicts of interest when collusion exists
and the individuals aware of
fraudulent practices cannot report them to
corrupt managers and may only be able to
resort to whistleblowing.
External stakeholders in the form of local
authorities and industry regulators are
obliged to discover and investigate all
cases of corruption and bribery reported
to them by third parties or Rolls-Royce
representatives. They may rely on the police
and other law enforcement agencies in
these activities. Finally, local organisations
do not have mandatory commitments in
this sphere but may inform the company
or industry regulators about the cases of
potentially fraudulent behaviours.
3. THE SCOPE OF THE ABMS
The current anti-bribery management system of Rolls-Royce is based on a number of
ABC Policies and the underlying Global Anti-Bribery and Corruption Policy.
From the legislative standpoint, they rely on the OECD Convention on Combating Bribery
of Foreign Public Officials in International Business Transactions, the UK Bribery Act, and
other local and international regulations. Internally, compliance with the ABC Policies is
monitored by the ABC Compliance team that provides informational support and observes
company-wide performance in this sphere.
Employees are obliged to be fully familiarised with the ABC Policies and report any
breaches to the aforementioned department, the Ethics Line or the Legal Function. Top-
level executives are responsible for controlling the awareness and compliance of regular
staff members, performing regular training sessions, allocating sufficient resources to
realise the earlier mentioned policies, and maintaining the records of all issues emerging in
relation to the company anti-bribery management activities.
4. WHY ABMS?
4.1. HOW IT IS DOCUMENTED
The extended Global Anti-Bribery and Corruption
Policy covers such areas as the gifts and
hospitality policy, the conflict of interest policy,
the lobbying and political support policy, the
facilitation payments and extortion policy, the
know your partner policy, the speak-up policy,
and the advisers’ policy. These elements cover
most of the areas and processes of company
activities ranging from procurement and supply
chain management to the establishment of new
customer relationships and the capability of all
stakeholders to voice their ethical concerns or
ask questions to the company via the Rolls-
Royce Ethics Line, line managers, Local Ethics
Advisers or Ethics and Compliance managers.
4.2. HOW IT IS REVIEWED
Constituent policies are reviewed on an annual
basis to reflect any updates related to new
conflicts of interest or new ethical challenges.
The Ethics and Compliance team supervises and
approves all such revisions.
4.3. WHAT PROCESSES ARE NEEDED
AND HOW THEY INTERACT
The implementation of the aforementioned
policies requires the coordination of business
processes occurring at the levels of multiple
departments. Specifically, the Ethics and
Compliance team and the Rolls-Royce Ethics
Line must be able to control the execution
of certain corporate strategies and intervene
in their realisation if they recognise
potentially concerning signs of non-compliance or
receive anonymous reports about fraudulent
malpractices. These procedures may require
the presence of department representatives in
local branches operating in multiple countries as
well as the employment of additional specialists
such as translators, interpreters, and auditors
assisting the specialists from the head office in
their investigations.
5. BRIBERY RISK ASSESSMENT
5.1. RE-ASSESSMENT OF BRIBERY RISKS
5.1.1. IDENTIFICATION OF THE
BRIBERY RISKS THAT CAN BE
ANTICIPATED
Current company policies anticipate such
bribery risks as reputational risks associated
with cooperation with unreliable third parties,
the risks arising from the non-performance of
liabilities on the part of the contractors that are
not suitably resourced or qualified for some
works, and compliance risks arising from any
activities on the part of Rolls-Royce or its
partners that may be qualified as a violation of
applicable legislative provisions.
These threats are recognised by the Global
Anti-Bribery and Corruption Manual, and
company executives are obliged to avoid
specific behaviours increasing the probability
of negative outcomes.
5.1.2. ANALYSIS, ASSESSMENT,
AND PRIORITISATION OF THE
IDENTIFIED BRIBERY RISKS
The analysis of existing risks in this dimension
is based on the appraisal of internal reports by
the top management. Unfortunately, the 2017
SFO investigation identified that the senior
company executives were aware of multiple
bribery cases but failed to report them to the
authorities.
In terms of risk prioritisation, the company
appears to prioritise compliance risks due to
their severe consequences for its business
reputation, financial well-being, and the
capability to take part in state-initiated
procurement projects. A compromised status
may exclude it from official tender bids and
defence supply chains, which will affect Rolls-
Royce to the greatest degree.
5.1.3. EVALUATION OF
THE SUITABILITY AND
EFFECTIVENESS OF THE
ORGANISATION’S EXISTING
CONTROLS TO MITIGATE THE
ASSESSED BRIBERY RISKS
The effectiveness of the current bribery
risk mitigation measures may be
appraised as medium since the company
has been engaged in a number of large-
scale Serious Fraud Office investigations.
The uncovered fraud cases involved
the inability to prevent corruption and
fraudulent behaviours in ten countries
of Rolls-Royce operations, including
Indonesia, China, Thailand, and India.
This may be seen as a highly problematic
situation considering the identified
scope of problems and the fact that
the company was aware of them but
preferred to not report these cases to
industry regulators and resolved these
problems by firing the involved managers.
While the achieved Deferred Prosecution
Agreement (DPA) deal creates a
substantial burden for the company
amounting to more than £400,000,000
in financial penalties and disgorgement
of profit, the greatest problem is the risk
of a criminal conviction that may exclude
it from contractual agreements with
defence organisations and other public
bodies.
At the employee level, the company
provides specialised training in anti-
bribery and anti-corruption to the staff
members with the highest possibility of
being exposed to these threats. However,
it was reported that the programmes of these
sessions had been changed and they may
cover only some areas of the ABC Policies
due to time limitations.
The independent audits are prepared
in accordance with United Kingdom
Accounting Standards and other applicable
laws. They are primarily focused on
material misstatement risks in terms of the
Consolidated Financial Statements as well as
the cases of alleged corruption and bribery
in foreign markets. The identified risks in
these dimensions are associated with a high
degree of rivalry in overseas environments
that force company executives to engage in
controversial practices in order to close deals
with governmental or non-governmental
customers.
The 2018 audit concluded that these risks
were still present and could re-emerge in the
future, which means that the existing anti-
bribery regulations may not be sustainable
on the global level. At the same time, this
type of risk was deemed to have the gravest
implications in terms of adverse financial,
reputational, and compliance consequences.
5.2. CRITERIA FOR EVALUATING
THE LEVELS OF BRIBERY RISK
The 2018 Annual Report published by the
company suggests that its present-day anti-
bribery and corruption policies are based
on the assessment and due diligence of
both internal risks and third-party risks in
this dimension. The identified potentially
problematic departments and organisations
are assigned different ‘threat levels’ with
regular audits and screening procedures
being focused on the highest-threat areas.
A similar approach is utilised for appraising
potential joint venture partners and improving
the compliance of existing partners if their
ethical standards do not match Rolls-Royce
expectations.
Bribery-related risks are largely perceived
by the company as compliance risks,
which confirms the earlier suggested
high significance of this type of threat.
Rolls-Royce has a specialised REACH
programme in this sphere that involves
compliance and export teams, the legal
team, and the governance team. These
actors inspect the ongoing business
operations to ensure that they match the
internal governance framework and the
ABC policies. However, the analysis of
existing risk levels presented in Appendix
B suggests that the company is exposed to
substantial levels of bribery and corruption
risks in its global operations.
5.3. FREQUENCY OF BRIBERY
RISKS REASSESSMENTS
Bribery risks are presently reassessed on
an annual basis in accordance with the
company policies. At the same time, the
US court recommendations provided after
the 2016 proceedings suggest that reviews
should be performed more frequently.
The results of every inspection must be
reported to the Fraud Section and the Office
and must be accompanied by the suggested
remediation strategies for the identified
issues. The earlier analysed company report
suggests that external auditors present
relevant information to the Board of Directors
on a quarterly and semi-annual basis, which
may suggest that the semi-annual review
of bribery risks may be seen as the optimal
middle-of-the-road choice.
5.4. MAINTENANCE OF
ASSESSMENT DOCUMENTATION
The provisions on due diligence published
by the company indicate that Rolls-Royce
employees and managers must keep
all original contracts and paperwork as
well as all supporting documentation and
reports. They must also record any ‘red flag’
events and issues as well as the response
measures initiated for their mitigation. In the
case of bribery issues, the presence of these
documents may indemnify the company
against state investigations if it proves that
fraudulent offers were recognised, declined,
and properly reported.
A similar approach is applicable to company
advisers who are associated with risks of
unethical or corrupt behaviours. Specifically,
employees and managers making payments
to advisers must clearly substantiate the
need for utilising their competencies and
keep records of their performance and the
quality of the provided services. Overall,
company personnel members are obliged to
thoroughly document all red flag issues on
the part of third parties, external contractors,
customers, government officials, and internal
stakeholders.
6. BRIBERY & CORRUPTION RESPONSE PROTOCOL
The following section summarises the response protocols utilised
by Rolls-Royce to mitigate its bribery and corruption threats. A more
thorough review of applicable risks and potential strategies for their
mitigation is presented in Appendix A.
THREAT TYPE 1: COMPENSATION-
RELATED OR TRANSACTIONAL
Red Flag 1: a third party asks for some
form of compensation in monetary or
non-monetary format for performing some
services to Rolls-Royce.
Risk Concern 1: payments performed
in the cash format or in the form of cash
equivalents have been identified as
bribes in the past in the case of some
company departments, which led to court
proceedings and substantial fines.
Response Strategy 1: the company
should seek to eliminate all forms of
cash payments and execute appropriate
documentation for all transactions and
fees charged by local organisations
or authorities. This will improve
transparency and provide evidence of
Rolls-Royce's innocence if some of these
reimbursements are identified as
fraudulent.
THREAT TYPE 2: COMPENSATION-
RELATED OR TRANSACTIONAL
Red Flag 2: the sum of the requested fee
or payment seems abnormal and exceeds
the expected amount substantially.
Risk Concern 2: the attempt to charge
an excess commission or fee may be a
sign of bribery where local contractors
or authorities seek to get unreasonable
compensation for their services while
masking these non-bona-fide practices as
official documentation.
Response Strategy 2: financial
statements of all company branches and
departments must be closely monitored
by internal and external audit teams to
identify such unusual compensations that
vary more than 10-15% from the standard
rates. This task should be delegated to
these stakeholders since local managers
or executives may be involved in these
fraudulent schemes, and their objectivity
may be compromised.
THREAT TYPE 3: REGIONAL OR
INDUSTRY-LEVEL
Red Flag 3: some geographical contexts
or industries are characterised by high
levels of bribery and corruption, which is
confirmed by multiple expert appraisals,
the history of past investigations, and the
overall number of criminal proceedings
associated with these violations.
Risk Concern 3: operating in these
countries and industries will expose
Rolls-Royce to higher levels of bribery and
corruption threats due to the lack of
governmental regulatory mechanisms
controlling the fairness of competition
and proper business behaviours.
Response Strategy 3: if possible,
Rolls-Royce should appraise the
risk/benefit ratio for existing markets
and limit its operations in high-threat
and low-profitability environments.
In the case of high-threat and high-
profitability regions and industries, the
company should implement stricter
due diligence procedures and audits
to instantly recognise any problematic
trends or situations.
ISO 37001 suggests that the
corporate anti-bribery compliance
function must be carried out by
specifically appointed persons or
groups that are held responsible for
the effectiveness of these activities.
In the studied company, the main
supervisor of this sphere is the
Chief Executive who is responsible
for all actions and issues related
to the decisions of the Board of
Directors. At the same time, the audit
committee controls principal risks,
including the risks of financial fraud
at the level of individual branches
and departments.
This department utilises the
services of PwC as an external
auditor that provides its appraisals
to Rolls-Royce and contributes to
the exposure of potential areas of
bribery and corruption. However,
this function was only handed over
to this organisation in 2017. Hence,
it is possible that its awareness of
all internal Rolls-Royce business
processes and problematic issues
may not be complete yet, especially
considering the ongoing restructuring
of the company.
From the structural standpoint, the
relevant information is transferred
from the internal audit director to the
company Committee on an annual,
15. biannual, or quarterly basis with ‘as
required’ reports being available for high-
risk situations. The plans for external
auditors are approved once a year,
which may be seen as a compromise
in terms of the overall effectiveness.
The company also maintains its
compliance programme prescribed by
the DPA in 2017 in combination with
the Implementation Plan developed
by Lord Gold as an external expert. In
addition to internal threats recognition
and compliance benefits, these
measures may protect the company from
governmental prosecution in the case of
future bribery scandals. The capability to
demonstrate the proper risk assessment
policy and the intention to comply in
the case of the 2017 bribery issues
uncovered by the SFO reduced the
severity of the penalties imposed upon
the company by the investigators. While
it may not be possible to completely
mitigate the threat of corruption, the
readiness to disclose the results of
internal investigations and cooperate
with authorities may be seen as an
optimal strategy for Rolls-Royce to avoid
future problems.
WHY CRI GROUP?
Since 1990, Corporate Research and Investigations Limited “CRI Group” has safeguarded businesses from
fraud and corruption, providing insurance fraud investigations, employee background screening, investigative
due diligence, third-party risk management, compliance and other professional investigative research services.
CRI Group’s expertise will add to the diverse pool of business support services available within your region.
WHY WORK WITH US?
CRI Group has one of the largest,
most experienced and best-trained
integrity due diligence teams in the
world.
We have a flat structure which means
that you will have direct access to
senior members of staff throughout
the due diligence process.
Our multi-lingual teams have
conducted assignments on
thousands of subjects in over 80
countries, and we’re committed to
maintaining and constantly evolving
our global network.
Our 3PRM™ solution is easily
customisable, flexible and we will
tailor our scope to address your
concerns and risk areas; saving you
time and money.
Our team of more than 50 full-time
analysts is spread across Europe,
Middle East, Asia, North and South
America and is fully equipped with the
local knowledge to serve your needs
globally.
Our extensive solutions include
due diligence, employee pre & post
background screening, business
intelligence and compliance,
facilitating any decision-making
across your business no matter what
area or department.
37th Floor, 1 Canada Square,
Canary Wharf,
London, E14 5AA,
United Kingdom
t: +44 203 927 5250
e: london@CRIgroup.com
Global Leader in Risk Management,
Background Screening & Due Diligence Solutions
Zafar I. Anjum, Group Chief Executive Officer
e: zanjum@CRIgroup.com | t: +971 50 9038184
Zafar, Group CEO of Corporate Research and Investigations Limited (CRI Group), has been
building a 30-year career in the areas of anti-corruption, fraud prevention, protective integrity,
security, and compliance. Possessing both industry expertise and an extensive educational
background (MS, MSc, CFE, CII, CIS, MICA, Int. Dip. (Fin. Crime), CII, MIPI, MABI), Zafar Anjum
is often the first certified global investigator on the scene when multi-national EMEA corporations
seek to close compliance or security gaps.
APPENDIX A - RISK REGISTER

Risk category: Legal Risks
Risk description & consequences: 1. The company may violate local regulations regarding anti-bribery and corruption provisions
Potential consequences:
• Governmental fines
• Legal prosecution leading to the inability to establish new contracts
• Reputational damage
Damage: High
Likelihood: Medium
Risk level: High
Risk mitigation measures:
• Constantly supervise all processes that have high probability of bribery and corruption issues
• Create anonymous reporting channels for employees and managers
Risk owner: Legal and Ethical team

Risk category: Management team risks
Risk description & consequences: 2. Insufficient readiness of employees and managers for recognising and preventing bribery and corruption issues
Potential consequences:
• Company representatives may engage in behaviours that may be recognised as fraudulent
• The discovery of such issues may lead to legal prosecution and reputational problems
Damage: High
Likelihood: Medium
Risk level: Medium
Risk mitigation measures:
• Provide extensive training opportunities
• Regularly check the skill levels and awareness of the ABC Policies
Risk owner: HR Director

Risk category: Legal risks
Risk description & consequences: 3. Inability to recognise the cases of bribery due to the misleading information provided by contractors or local partners
Potential consequences:
• Employees may pay or receive bribes considering them ‘consultancy costs’ or ‘official processing fees’
• These expenses will be registered on company accounts
• The audits performed by local governments will lead to the legal prosecution of Rolls-Royce for these activities
Damage: High
Likelihood: High
Risk level: High
Risk mitigation measures:
• The company must extensively train its decision-makers on how to recognise fraudulent offerings
• All expenses and auditing invoices must be documented and signed by third parties
Risk owner: Director of Commerce

Risk category: Legal risks
Risk description & consequences: 4. Prospective customers or local authorities may demand bribes from the company for completing business transactions or providing the required documentation and provisions
Potential consequences:
• Legal prosecution
• Reputational damage
Damage: High
Likelihood: Medium
Risk level: Medium
Risk mitigation measures:
• Document all expenses and ask for official confirmations in the case of any additional third-party demands
• Avoid contractual agreements where their lawful execution becomes impossible
Risk owner: Director of Commerce

Risk category: Political risks
Risk description & consequences: 5. The lack of clarity between the UK and the EU regarding post-Brexit trade relationships makes it difficult to maintain sustainability in terms of servicing existing international customers.
Potential consequences:
• Reduced supplier readiness
• Greater delays in servicing and deliveries
• Customer dissatisfaction
Damage: High
Likelihood: Medium
Risk level: Medium
Risk mitigation measures:
• Increase inventory stocks in mainland Europe
• Assess supplier readiness and implement contingency measures where necessary
Risk owner: Board of Directors

Risk category: Operational risks
Risk description & consequences: 6. The company is in the process of revising its organisational operating model due to the existing inefficiencies in customer servicing and resource utilisation.
Potential consequences:
• Customer dissatisfaction
• High operational expenses
Damage: Medium
Likelihood: Medium
Risk level: Medium
Risk mitigation measures:
• Complete the planned strategic transformation
• Implement a horizon scanning system to plan the required updates to corporate strategies
Risk owner: The digital strategy leadership committee

Risk category: Technological risks
Risk description & consequences: 7. The company has medium effectiveness in the identification of innovative solutions and implementing new technologies
Potential consequences:
• Inability to gain access to new technologies emerging in the market
• Technological inferiority and decreased competitiveness
Damage: High
Likelihood: Medium
Risk level: High
Risk mitigation measures:
• Establish the Innovation Hub for developing internal competencies in innovation
• Establish strategic partnerships with the developers of cutting-edge technologies
Risk owner: Board of Directors

Risk category: Financial risks
Risk description & consequences: 8. The lack of economic stability in a number of markets, including the UK market, increases costs and adversely affects profit margins and existing credit lines
Potential consequences:
• Reduced profitability
• The difficulty of paying dividends to shareholders
Damage: Medium
Likelihood: Medium
Risk level: Medium
Risk mitigation measures:
• Improve the quality of financial monitoring to account for all existing trends in cost structure
• Look for more cost-effective solutions and third-party providers of products and services
Risk owner: Science and technology committee

Risk category: Technological risks
Risk description & consequences: 9. The increasing number of cyber-threats in the online environment may compromise customer data confidentiality as well as the integrity of Rolls-Royce systems and data
Potential consequences:
• Disruption of business processes
• Decreased customer satisfaction
Damage: High
Likelihood: High
Risk level: High
Risk mitigation measures:
• Provide training in cybersecurity to all staff members
• Implement multi-layered security systems combining passive software mechanisms with specific routine security processes
Risk owner: IT department

Risk category: Safety risks
Risk description & consequences: 10. Diversified production and supply chains make it difficult to ensure that all products are manufactured in a risk-free environment with minimal incidents and the sustainable use of resources
Potential consequences:
• Compliance threats in the case of government investigations of Rolls-Royce manufacturing enterprises and partnering organisations
• Reputational damage in the case of accidents and emergency situations
Damage: High
Likelihood: Medium
Risk level: Medium
Risk mitigation measures:
• Thorough training in sustainable manufacturing and safety-first policies
• Regular audits of all manufacturing enterprises involved in Rolls-Royce supply chains
APPENDIX B - BRIBERY RISK ASSESSMENT FORM

BRIBERY RISK ASSESSMENT
For each question, please choose from the following alternatives and insert the appropriate number in the
right-hand column: 1 = low risk, 2 = some risk, 3 = medium risk, 4 = high risk, 5 = very high risk

1. COUNTRY RISK
1.1 Does the organisation operate mostly in the UK? — If yes, give low score. Score: 5
1.2 Does the organisation operate mostly in the UK, Europe and US? — If yes, give low score. Score: 5
1.3 Does the country in which the organisation operates, or will operate have perceived high levels of corruption? — If yes, give high score. Score: 5
1.4 Has the organisation recently acquired or merged with any organisations in countries with perceived high levels of corruption? — If yes, give high score. Score: 3
1.5 Does the country in which activity is taking place or is proposed have effectively implemented anti-bribery legislation? — If yes, give low score. Score: 3
1.6 Does the country in which activity is taking place or is proposed have effective procurement and investment policies by the local government and agencies? — If yes, give a low score. Score: 3

2. SECTORAL RISK
2.1 Is the proposed activity within an industry sector at risk of bribery practices? — If yes, give high score. Score: 5

3. TRANSACTION RISK
3.1 Does the transaction involve charitable donations? — If yes, give high score. Score: 1
3.2 Does the transaction involve political donations? — If yes, give high score. Score: 3
3.3 Does the transaction involve licences, permits and transactions relating to public procurement which brings employees and others into frequent contact with public officials? — If yes, give high score. Score: 5

4. OPPORTUNITY RISK
4.1 Does the project involve a number of contractors and intermediaries? — If yes, give high score. Score: 5
4.2 Does the project involve below-market prices? — If yes, give high score. Score: 3
4.3 Does the project involve a tendering exercise? — If yes, give high score. Score: 5

5. PARTNERSHIP RISK
5.1 Will the proposed activity involve the potential use of intermediaries in transactions with foreign public officials? — If yes, give high score. Score: 5
5.2 Is there a risk of relationships with politically sensitive persons where the proposed relationship involves or is linked to prominent public officials? — If yes, give high score. Score: 5

6. PERCEIVED PRESSURE AT WORK
6.1 Is there a robust and clear anti-bribery policy in place within the organisation? — If no, give high score. Score: 4
6.2 Is there a board member or senior manager appointed to take responsibility for all anti-bribery measures within the organisation? — If no, give high score. Score: 3
6.3 Are there robust internal financial controls in place to monitor all payments and transactions? — If no, give high score. Score: 4
6.4 Are there clear policies in place in relation to hospitality, entertainment, promotional expenditure and expenses? — If no, give high score. Score: 4

Total score (out of a possible 110): 76
Scoring assessment

A score of 50 to 95 indicates a high risk of bribery. Immediate steps need to be taken to counter the high risk and probability of bribery occurring. In certain cases, it may be necessary to stop certain operations or transactions occurring. Urgent action will need to be taken in relation to specific high-risk areas identified above.

A score of 30 to 49 indicates a medium risk of bribery. A full anti-bribery policy needs to be in place and training rolled out at all levels. Such training should be given to staff and associated persons, including agents, consultants, and temporary workers, working on behalf of the organisation, in the UK and overseas. Leadership is required from the board to ensure full engagement and compliance. The organisation should ensure that clear reporting mechanisms are in place so that suspected bribery may be immediately dealt with. Specific high-risk areas identified above should be dealt with at the highest levels, preferably by board members as an urgent priority.

A score of 19 to 29 indicates a low risk of bribery. Where there is a low risk on the basis of the risk factors identified above, steps will be taken to ensure that there are adequate procedures in place to counter bribery. This may include a written policy that is available to all employees and associated persons working on behalf of the organisation and regular audits of key financial processes, including expenses and hospitality. The organisation should keep its risk assessment under review and take appropriate steps should a bribery risk emerge.