How to build an anticorruption compliance programme in an enterprise | In Principle

Go to content
Subscribe to newsletter
In principle newsletter subscription form

How to build an anticorruption compliance programme in an enterprise

Introducing and applying internal procedures for combating corruption is becoming a legal obligation for businesses. The regulations identify the necessary elements of compliance programmes but do not propose specific solutions. Recommendations and best practice can fill the gap.

In late 2017 the French Anticorruption Agency (Agence française anticorruption) published recommendations to assist public and private legal persons in combating and uncovering corruption, influence-peddling and misuse of public funds. The recommendations were developed in cooperation between the agency and a number of French and international organisations (including the International Bar Association) involved in the battle against corruption in all forms.


The recommendations supplement the regulations set forth in the law known as Sapin II, which since 1 June 2017 has imposed an obligation on French enterprises employing at least 500 people or generating annual turnover of at least EUR 100 million to introduce and apply internal anticorruption procedures (as we reported in June 2017).

Under Sapin II, the pillars of internal anticorruption programmes are:

  • Code of practice
  • Internal system for reporting irregularities
  • Map of corruption risks, continually updated
  • Procedures for verifying counterparties
  • Internal and external procedures for auditing accounting books and records
  • Training
  • Disciplinary procedure
  • Procedure for evaluation and revision of applicable anticorruption procedures.

But Sapin II does not prescribe any specific technical or organisational solutions. Thus, the agency, acting under express statutory authorisation, developed recommendations to serve as a touchstone for enterprises when constructing, applying and monitoring their own internal anticorruption programmes.

The recommendations cover each of the pillars of anticorruption programmes indicated in the act and suggest how to implement them in each organisation, depending on its structure, type of business, and exposure to risk. The recommendations also address the issue of responsibility for introducing and applying anticorruption programmes.

Below we discuss certain of the solutions presented in the French recommendations, which may serve as a source of inspiration in the context of Poland’s forthcoming Act on Transparency of Public Life, which is expected to introduce an obligation on the part of Polish businesses to implement and apply anticorruption procedures.

Responsibility of managers

The responsibility for establishing, applying and monitoring internal anticorruption procedures rests on the persons managing the enterprise. They cannot completely escape this responsibility by delegating duties concerning anticorruption programmes to others. It is the management, standing at the head of the hierarchy of the organisation and representing the organisation externally, who should set the tone of zero tolerance for corrupt practices in the organisation and its business, and also promote a culture of ethical and lawful behaviour. In other words, it is up to the managers to shape the strategy of combating corrupt practices and establish the map of risks and policy for managing identified risks by taking concrete measures.

Implementation of the strategy and concrete measures of the anticorruption programme may be entrusted to a person responsible for organising compliance management systems, i.e. a compliance officer. At specific levels of the organisation or in distinct areas of activity (manufacturing, sales etc), responsibility for implementing anticorruption compliance programmes may be vested in division heads. This structure allows responsibility for carrying out duties under anticorruption programmes to be clearly assigned. It also enables effective oversight of realisation of such duties, and overall control of implementation of the strategy and programme for combating and uncovering corruption.


The map of risks constitutes the foundation and point of departure for formulating the strategy and programme for combating corrupt practices in the enterprise’s operations.

The basis of the map of risks is a careful analysis of every sphere of the enterprise’s activity, internal and external. The analysis should yield an identification of the degree of the enterprise’s exposure to risks of corruption in each sphere. This will then make it possible to take the appropriate decisions as to the means and mechanisms for minimising the risk.

The French recommendations describe in detail the methodology for analysis of risks. First and foremost, the analysis should involve persons from specific levels of the organisation’s hierarchy, with various areas of responsibility for implementing anticorruption programmes.

The typology of the risks (internal and external) for specific areas of the enterprise’s operations is also relevant, reflecting the specific nature of the business conducted by the organisation. Then there should be a valuation of the degree of exposure to risk, in gross and net terms, creation of a hierarchy of risks, and assessment of the risks in terms of existing preventive mechanisms, transposing the results of the analysis to the map of risks.

The risk analysis should be done in writing and enclosed with the map of risks, and should be open to modification whenever needed.

Dealings with external entities

The recommendations point to the need to verify anticorruption programmes implemented by contractors and other entities cooperating with the enterprise. The aim of this “due diligence” with respect to third parties is to protect the enterprise against more or less direct or knowing involvement in corrupt practices of third parties, and thus to protect the organisation against legal, financial and reputational consequences.

The point of departure for anticorruption due diligence should be an analysis of the risks relating to the third party with which the enterprise has or intends to have business dealings. This cannot be a one-off analysis, but must be updated along with any material change affecting the operations of the enterprise or the third party, or at certain previously established intervals.

This due diligence should reflect any material factors concerning the third party, such as its business profile, size, history, market recognition, and in certain circumstances also such factors as its shareholders, politically exposed persons, or beneficial owners.

The analysis should be conducted using the available tools, such as publicly available information about the entity (commercial register, sanctions orders, press reports), as well as information which the enterprise may request through its existing or prospective cooperation (e.g. a questionnaire). The litmus test in assessing the risk connected with a third party can also be its response to the request to present its anticorruption procedures and to sign an undertaking not to apply corrupt practices.

Aim and binding force

Implementation of the recommendations is intended to strengthen operations and competitiveness while protecting the reputation and economic value of enterprises.

Although the recommendations are not binding law, they will serve as a touchstone for constructing anticorruption programmes. It should be anticipated that regulators will rely on them when evaluating the functioning of internal anticorruption procedures, considering that their absence or ineffectiveness may result in fines for companies and their managers. The recommendations can thus serve as a source of arguments in favour of punishment as well as arguments in defence. Nevertheless, it must be borne in mind that the recommendations are not universal in nature and do not exhaust the whole issue of preventing and combating corruption.

It is also significant that the recommendations are applicable to all entities required to apply anticorruption procedures. This also applies to foreign branches or subsidiaries, as well as entities established in France but operating abroad, if the standards for programmes for combating and uncovering corruption are not at least as demanding as those in France.

Recommendations as a source of inspiration

The recommendations drafted in close cooperation with experts by the French Anticorruption Agency represent a practice worthy of following. With introduction of new legal obligations backed by financial sanctions, obligated entities are not left in regulatory uncertainty but are offered tools and methods for proceeding, helping them comply with their newly established duties.

From this point of view, the French recommendations can provide a valuable source of inspiration for Polish enterprises as well as Polish lawmakers planning to introduce the Act on Transparency of Public Life, which will require at least medium-sized enterprises to adopt and apply effective anticorruption procedures.

The bill indicates the building blocks of internal anticorruption compliance programmes. But as with the French regulations, they are generally defined pillars. The failure to adopt and apply anticorruption procedures, or a finding that the adopted procedures are ineffective or superficial, may result in imposition of fines.

Thus it would be reasonable to develop recommendations in Poland, serving as a point of reference in construction, application and evaluation of anticorruption programmes.

Aleksandra Stępniewska, adwokat, Business Crime practice, Wardyński & Partners