LATIN AMERICAN COMPANIES CIRCLE Recommendations on Ethics and Compliance

Wichtiger HINWEIS ! Innerhalb der Schutzzone (hellblauer Rahmen) darf kein anderes Element platziert werden! Ebenso darf der Abstand zu Format- resp. Papierrand die Schutzzone nicht verletzen! Hellblauen Rahmen der Schutzzonenie drucken!

Siehe auch Handbuch „Corporate Design der Schweizerischen Bundesverwaltung“ Kapitel „Grundlagen“, 1.5 / Schutzzone www . cdbund.admin.ch In partnership with: ©2017 Copyright. All Rights Reserved This paper is one in a series by the members of the Latin American Companies Circle and intended as a thought piece to encourage debate on important corporate governance topics.The conclusions and judgments contained in this report represent the views of the authors and should not be attributed to, and do not necessarily represent the views of the IFC or its Board of Directors or the World Bank or its Executive Directors, or the countries they represent. IFC and the World Bank do not guarantee the accuracy of the data in this publication and accept no responsibility for any consequences of their use. The material in this work is protected by copyright. Copying and/or transmitting portions or all of this work may be a violation of applicable law. The Latin American Companies Circle encourages dissemination of works such as these and hereby grants permission to users of this work to copy portions for their personal, noncommercial use, without any right to resell, redistribute, or create derivative works there from. Any other copying or use of this work requires the express written permaission of the Latin American Companies Circle. For information, please contact Magdalena Rego at [email protected]

About the Latin American Companies Circle The Latin American Companies Circle is a unique initiative launched in May 2005 in Sao Paulo, Brazil at the recommendation of the Latin American Corporate Governance Roundtable, a network of public officials, investors, non-governmental institutes, stock exchanges and associations as well as others interested in corporate governance improvements in the region. The Companies Circle bring together a group of leading Latin American companies who have adopted good corporate governance practices in order to provide private sector input into the work of corporate governance regional development and to share their experiences with each other and other companies in the region and beyond. The Companies Circle is sponsored by IFC and it is supported by the Organisation for Economic Co-operation and Development (OECD). For more information, visit www.ifc.org/ companiescircle TABLE OF CONTENT

I. INTRODUCTION...... 1

II. ETHICAL PRINCIPLES...... 2

a) Code of Ethics...... 2 a.1) Content...... 2 a.2) Procedures...... 3

III. THE COMPLIANCE FUNCTION...... 4

a) The regulatory Environment ...... 4 b) Responsibilities...... 4 c) Rationale...... 5 d) Structure...... 5 d.1) Conglomerates and Subsidiaries...... 6 d.2) Independence...... 7

IV. EFFECTIVE COMPLIANCE PROGRAMS...... 7

a) Communication Practices...... 8 b) Manuals...... 9 c) Awareness Evaluation...... 10

LATIN AMERICAN COMPANIES CIRCLE I. INTRODUCTION The objective of this paper is to share a set of good practices for companies in Latin America toconsider in developing, implementing This paper comprises a set of recom- or improving their ethical guidelines and compli- mendations related to ethical principles and the ance policies and practices. This paper does not corporate compliance function. While ethics assume that all Companies Circle members will and compliance alone do not, and cannot, con- follow all of these practices; nor does it suggest stitute a comprehensive corporate governance that all companies should follow all the sug- system in a company, they do comprise two gested practices — each company is unique and critical components of such system. This paper needs to take into consideration its own individ- is based on discussions and input from, as well ual situation, needs and circumstances (such as as on responses to a questionnaire on compli- local laws and regulations, ownership patterns, ance distributed among, member companies history and culture, market practices, and the re- of the Compliance and Ethics Working Group quirements of its relevant stakeholders (whether (the “Working Group”) of the Latin American local or foreign, governmental or private)). The Companies Circle (the “Companies Circle”). The Companies Circle considers this paper as a ‘living’ Companies Circle is a group of Latin American document which may be updated from time to firms that have demonstrated leadership in time to reflect changing realities, as well as to advocating for corporate governance improve- draw attention to developments in the corporate ments in companies throughout Latin America, governance field. and which seek to practice advanced corporate governance themselves. This initiative is support- Ethical conduct is key to a company’s ed by the Swiss State Secretariat of Economic reputation and its own good standing. Unethical Affairs (SECO) as part of the Latin America and acts may not only tarnish the image or brands the Caribbean (LAC) Corporate Governance of an entire group of companies, but could also Program. The Companies Circle is composed result in severe legal consequences, including the of 13 companies: Los Grobo (Argentina); Algar, imposition of penalties and even the liquidation CPFL Energia, Embraer, Natura, and Ultrapar of the affected company. It is therefore imper- (Brazil); Grupo Argos and ISA (Colombia); Florida ative that a company ensures that its personnel Ice & Farm Co. (Costa Rica); Gentera (Mexico); abide by clear ethical guidelines and are subject Buenaventura, Ferreycorp, and Graña y Montero to sanction in the event of non-compliance. (Peru). Sound compliance programs are also The Working Group is chaired by Graña y highly important, not only for the purposes of Montero and its members comprise Algar, CPFL adherence to applicable laws, standards and reg- Energia, Grupo Argos, ISA, Florida Ice & Farm Co. ulations, but also in assessing the effectiveness and Ferreycorp. Drafting support for this paper of a company’s control system, and mapping was provided by Luis Mariano Enriquez, Santiago and mitigating the various risks relevant to a Chaher, Magdalena Rego Rodriguez and Oliver sustainable business operation. In certain cases, Orton from IFC. This paper is based on feedback major transactions may even be cancelled, and from Working Group members and does not profits reduced, as a result of compliance-related necessarily represent IFC’s or the World Bank concerns and, therefore, it is in every company’s Group’s views on these matters. In addition, this interest to pursue best practices regarding com- paper does not intend to cover all aspects related pliance. Other benefits of a sound compliance to ethics or compliance as it is solely intend- program come in the form of increased trust, ed to provide a general overview of suggested credibility and reputation both within the com- practices. pany itself as well as externally, which in turn can generate additional business opportunities, and ultimately enhanced profit

LATIN AMERICAN COMPANIES CIRCLE 1 II. ETHICAL PRINCIPLES (i) Compliance with Laws and Regulations – Given the material adverse effects deriving a) Code of Ethics from legal or regulatory violations, any company should be clear in requiring that all its personnel To concentrate and disseminate its ethi- act in compliance with applicable laws and regu- cal values and principles, the standard practice is lations. No transgression should be tolerated. for a company to have such values and principles documented in policies developed by the compa- (ii) Respectful Conduct – It is suggested that a ny. An effective code of ethics serves as a means code of ethics expressly require the existence and to mitigate reputational and legal risks associ- maintenance of a respectful workplace environ- ated with misconduct within a company. The ment and, conversely, it should include provisions effectiveness of a code of ethics is strengthened expressly prohibiting any type of harassment and by the existence of so-called whistleblowing and discrimination. monitoring procedures to assess whether the code is in fact being complied with or not. To re- (iii) Confidential Information – Company flect its importance in a company as a whole and personnel should properly handle confidential to adopt it as an internal corporate regulation, a information (particularly with respect to mate- code of ethics should be approved by the Board rial non-public information in the case of listed of Directors. Within the context of a conglom- companies), which should only be disclosed to erate, all wholly-owned subsidiaries comprising the market in strict adherence to applicable laws a company group should follow a single code and regulations. Client information should be of ethics as determined by the parent company maintained as strictly confidential. In justified (this code of ethics should also be approved by instances and only when prior consent has been the Boards of each subsidiary to ensure commit- previously provided by the respective client, its ment at the subsidiary level). information may be publicly disclosed (for example, when a transaction involving a client is Ultrapar stresses the need to differen- required to be disclosed to the market as a ma- tiate between two approaches commonly ad- terial event). opted in the development of a Code of Ethics: a principles-based code and a prescriptions-based (iv) Transparency and Disclosure of Information code. Principles-based codes often require – Employees (including management) and Board complementary policies and norms while pre- members should be required to communicate scriptions-based codes are more directive. One all information for public disclosure in an accu- advantage of principles-based codes is that they rate and truthful manner. Any public disclosure tend to encompass broader concepts, thus re- of information should be coordinated within the ducing the probability of relevant matters not company. Many companies have specific rules being considered. In addition, through supple- regarding communication with the media, in- mental policies and norms, the company can add cluding social media. It is suggested that the dis- new concepts and specific directions more readi- closure of information be concentrated in a sin- ly than in a prescriptions-based code. gle individual, who should be responsible before investors, regulators and the market for acting as the official voice of the company. The Board is a.1) Content responsible, in any event, for ensuring the company has a documented information disclosure While codes of ethics vary significantly in policy, and for overseeing its application. their scope, there are a number of common principles that should be provided for under such a code (v) Conflicts of Interests – As a general prin- for it to effectively set forth appropriate ethical ciple, employees should avoid potential conflict guidelines and address consequences for potential of interest situations and, in the event a poten- misconduct. It is recommended that a code of ethics tial conflicting situation does arise, a conflicted at least encompasses the following subject-matters employee should disclose this circumstance to :

LATIN AMERICAN COMPANIES CIRCLE 2 the company (notice is commonly provided to a a.2) Procedures person’s immediate superior, an appointed ethics officer or an ethics committee). For reference A code of ethics should be disseminated purposes, it is standard practice to include with- among and fully read by all company person- in a code of ethics a definition of the facts and nel, from Board members to junior employees. circumstances deemed to comprise a conflict of It should also be promptly presented and ex- interest situation and provide a non-comprehen- plained to all new employees. All company em- sive set of examples of situations constituting a ployees should be responsible for participating conflict of interest. Depending on the circum- in the dissemination of the code of ethics and stances of the company, it may also be appro- complying (and ensuring others comply) with priate to include provisions dealing with rela- the company’s internal ethical rules. Ongoing tionships with competitors, including formations orientation and training are highly recommend- of cartels for example which is a crime in many ed so as to ensure a full understanding of the jurisdictions. company’s ethical guidelines. As best practice, it is also suggested that a company’s code of eth- (vi) Government Relationships - A code of ics be publicly disclosed by the company in order ethics is recommended to provide for an hon- for its stakeholders and the general public to be est and transparent relationship with all levels informed as to the ethical principles to which of government (i.e. federal, state, municipal and the company adheres. While a sensitive issue regulatory agencies, etc.) and for these purposes, in some markets, some companies are actively it should include clear prohibitions on bribery and distributing their Codes of Ethics among their corruption. major clients.

(vii) Receipt and Delivery of Gifts – A code of Whistleblower mechanisms are a means ethics should include provisions governing both to enforce ethical principles within the company. the receipt and delivery of gifts. Gifts are recom- Personnel should be made aware that anyone mended to be rejected or avoided when their is entitled to file a report on a potential viola- value is such that it may have an impact on a tion to the code of ethics. Anonymity should business decision. Gifts lacking any real commer- be assured to complainants. It is recommend- cial value may be permitted. ed that the company informs its personnel on the specific sequence of steps for submitting a (viii) Use of Corporate Assets - The personal use complaint, including the scope of information of corporate assets by employees should be gov- required to be contained in a complaint and erned by a code of ethics, addressing at least the the different investigation and decision-making use of the company’s premises, automobiles, in- mechanisms. tellectual property rights and copyrights (including brands and commercial names), computers, Moreover, company personnel should be made telephone lines, and internet (in particular, e-mail fully aware of the resulting internal disciplinary accounts and other media) connections. It is also actions (and external consequences, including advisable for the company to clearly indicate that resulting sanctions) derived from non-compli- a responsible and exclusively company-related ance with the provisions set out in its code of use should be made of all its assets. ethics.

(ix) Other Commonly Found Provisions – To ensure an objective handling of complaints Certain codes of ethics also include references to on potential misconduct, an independent par- the management of related party transactions ty could be engaged to receive complaints (via (although these are often dealt with in greater face-to-face meetings, written messages, e-mail detail in other policies of the company), staff or phone) and channel these to the relevant conduct (such as non-use of drugs and alcohol), independent function within the company (the workplace safety, respect for work-life balance, ethics officer or internal auditor) and/or the ap- relationships with suppliers, quality of financial propriate corporate body (the ethics and audit information and whistleblowing.

LATIN AMERICAN COMPANIES CIRCLE 3 committees) for it to investigate and adopt the b) Responsibilities respective resolution. The Board of Directors should be informed of potential violations to Compliance can be viewed as a means of the ethical requirements of the company and, if risk assessment, communication, and control. It is warranted by the materiality of a specific case, understood that effective compliance programs the Board itself should adopt the relevant res- will result in improved adherence to applicable olution. Furthermore the Board should be kept laws, external and internal regulations, policies, informed on a regular basis of complaints and codes of conduct, and rules, as well as mitiga- the procedures being taken by the company to tion of associated non-compliance risks. In Latin investigate and address such complaints. It is America, questionnaire respondents referred to recommended that the nature of the facts and compliance as a system of controls designed to individuals involved in a specific complaint be align company practices with various types of kept confidential. regulation. Florida Ice & Farm Co. described two levels of compliance: the first in accordance with Finally, to prevent a whistleblowing pro- external rules imposed on organizations, and the cedure from being abused (particularly from be- second based on internal structures and process- ing employed as a retaliatory measure), company es imposed in order to achieve compliance with personnel should also be informed of the result- existing external laws, rules, and regulations. ing disciplinary actions derived from the filing of false or misleading information. Anonymity of A well-developed compliance depart- those filing complaints should be assured. ment is responsible for the identification of, and alignment with, external regulations and the management of associated risks. Additionally, III. THE COMPLIANCE FUNCTION a compliance program may seek to prevent regulatory breaches as well as assess its own a) The Regulatory Environment performance. Consensus among questionnaire respondents is that the core responsibilities of Companies operating in different coun- a compliance function include identifying risks, tries and industries will be subject to varying laws detecting instances of regulatory violations, and and regulations. Many Latin American jurisdic- implementing controls to prevent regulatory tions do not require the establishment of a man- breaches. Grupo Argos refers to the tracking and datory compliance function. However, and by evaluation of compliance processes and the pro- way of example only, specific industry regulation motion of ethical company practices. (such as in the financial sector) may provide for the mandatory appointment of a qualified com- In Ferreycorp, ethical dilemmas are con- pliance officer. sidered first by reference to the company’s code of ethics, and the values the code represents. When a specific compliance function is Managers (and directors) will frequently also not required by law or regulation, the decision review cases of possible violation. Depending to develop a compliance department or function on the circumstances of the case, the Ethics is left to the individual company. In the absence Committee may elevate the issue to the Audit of such a requirement, it is still considered best Committee or the Board of Directors. practice for companies to establish a compliance function in order to enhance standards and mit- Ultrapar considers that a dedicat- igate risks. The consensus among questionnaire ed Conduct Committee, with independent respondents is that a compliance function is Chairman can be a useful addition as this can al- generally recommended regardless of whether or low the company to take a proactive rather than not a regulatory requirement exists. a reactive approach to how the company deals with ethics and conduct related issues.

LATIN AMERICAN COMPANIES CIRCLE 4 c) Rationale preventative management through risk indica- tors in the company’s various business units; (v) There are several reasons that should opportunity for identifying routine activities and motivate companies to establish a compliance for the centralization of certain such activities; program. Among them are improved reputation, and (vi) a single evaluation platform for all areas more effective use of resources, and improved of control (risk, compliance, audit and process information flow and communication. The rep- quality assurance). utation and credibility associated with a sound compliance system generates trust and offers In developing a compliance function, potential for stronger relationships with business companies should consider which factors will partners. Through alignment with regulations, lead to the desired results. Company size, indus- the compliance function will also offer a lens try, ownership structure, business operations, through which the company can learn more geographical location, and the legal and regula- about itself and develop better communication tory environment all influence what a best prac- practices both internally as well as externally. tice compliance function might look like. Each questionnaire respondent noted the importance Algar is of the view that business success, of tailoring compliance practices according to sustainability and business integrity go together. these factors in order to develop the optimal and The pursuit of excellence is connected to individ- most relevant programs. ual and collective commitment, with the highest level of ethics and adherence to laws, regulations Grupo Argos commented that a com- and policies relevant to the company’s activities. pany’s financial situation should be taken into In this context, Algar comments that the Board account in the development of a compliance of Directors and senior management must be program. Such considerations may impact a fully engaged and lead by example (as willingness company’s appetite for risk and, therefore, influ- to comply equates, to some degree, to gover- ence the decision as to whether to implement nance). The culture and high principles of the certain controls in specific areas. Algar suggest- business define the enabling environment for ed considering whether or not the benefits of a compliance. compliance practice outweigh the implementation costs, and how such decisions might affect Risk management has been described company image. as the central, justifying reason for a compliance function, especially for the purposes of Ferreycorp noted that a culture of lead- supporting long-term performance and the fu- ing-by-example, especially on the part of senior ture sustainability of the business. In particular, managers, plays a critical role in developing and ISA explained that compliance is important for ‘living’ a culture and value-system based on eth- companies operating in multiple countries with ical values. The company also commented that differing regulations. Grupo Argos’ response communication both within the company, as touched upon elements of ethics, market trust, well as to external stakeholders, through official competitive advantage, reputation, public con- company channels, plays an important role. fidence, and managerial competence as being important outcomes of successful compliance practices. d) Structure

CPFL Energia commented that the ex- When seeking to define the structure of pected benefits of the compliance activity in- a compliance function, it is important to consider clude: (i) vision of the portfolio of processes in the broader corporate structure, in particular and the value chain; (ii) strategic action through the by way of example, whether or not the compa- monitoring process with a focus on the main ny is a large conglomerate with many branches risks of each business unit; (iii) appropriate allo- or subsidiaries. Another key question is wheth- cation of effort and prioritization of actions; (iv) er or not to separate the compliance function

LATIN AMERICAN COMPANIES CIRCLE 5 from other departments. This would most likely controls and risk management expertise are also depend on the applicable legal and regulatory considered an important plus. environment of the company as well as its own internal policies and procedures. Grupo Argos and ISA indicated that in order to avoid potential conflicts of interests, A compliance officer1 is suggested to be the compliance function should be independent appointed in complex companies, those present- of business activities and that there should be a ing significant levels of risk, and companies with reporting line to the Board (or to one of its com- operations in regions deemed as risky or unsta- mittees). According to CPFL Energia, the Chief ble. Most questionnaire respondents agree that Executive Officer (as it is the CEO’s role to assure it is a management decision to establish the or- the Board that the company, as a whole, is iden- ganizational structure for a company and thus to tifying, monitoring and fulfilling all its obligations) determine whether a compliance officer should has the ultimate responsibility for maintaining an be appointed or not. However, it was also sug- appropriate compliance model and to keep the gested that in the event that the Board believes Board (or its committees) aware of any material there is a need to have a compliance officer ap- compliance issues. Graña y Montero noted that pointed, it should instruct the company’s Chief in Peru the Compliance Officer that deals with Executive Officer accordingly. On a case-by-case anti money-laundering matters is required to re- basis, it should be evaluated whether a com- port directly to the Board. pliance officer should be appointed directly by the Board itself (as this would provide sufficient stature to this position within the company). If d.1) Conglomerates and Subsidiaries a nomination committee has been appointed to provide Board-level support, this committee Conglomerate enterprises with complex should be responsible for identifying, interview- internal structures are faced with the choice being and selecting a candidate and then making a tween implementing the compliance function on recommendation to the Board. a centralized basis at the parent company level or at each subsidiary individually. The method of Since a compliance officer requires a full applying compliance structures to a conglomer- understanding of applicable laws and regulations, ate and its subsidiaries will inevitably depend on it is commonly suggested that the appointed the industry, size of the conglomerate, and the person be a qualified lawyer. Given the academic size and location of the subsidiaries, among other and professional background of lawyers, this may factors. Grupo Argos responded that compliance make them more suitable than other profes- should initially be developed at the parent com- sionals in their understanding of the applicable pany level and then implemented consistently legal environment and regulatory framework. across all subsidiaries. However, Grupo Argos However, given the business context in which also considered that subsidiaries should also de- such position operates, an additional skillset is velop their own tailored compliance programs also considered highly advisable for compliance based on the parent level framework. Florida officers. Compliance officers are expected to Ice & Farm Co.’s view is that the solution to the have a good understanding of the company, its issue depends on the size and location of the business, its corporate governance, its internal subsidiaries. policies and knowledge of the overall business sector. An alignment with the company’s culture Implementing compliance in each sub- and values is additionally suggested by Algar. sidiary individually without a parent company Good communication skills are also considered framework may prove too costly, though it is highly relevant (most questionnaire respondents generally agreed among the respondent compa- were of the view that compliance officers should nies that there should be some degree of flexibil- be able to attend Board meetings so as to pres- ity at the subsidiary level. For CPFL Energia, the ent on material compliance matters). Internal parent company should implement a corporate model, which defines priorities and processes of

This refers to situations where a compliance officer is not required by applicable laws or regulations.

LATIN AMERICAN COMPANIES CIRCLE 6 control to be monitored by the subsidiaries. The V. EFFECTIVE COMPLIANCE parent company should also allocate responsibil- PROGRAMS ities within each subsidiary, and ensure periodic auditing processes to implement corrections, as Several components contribute to the necessary. Any finding in one subsidiary allows effectiveness of a compliance program. Many the parent company to adopt preventative ac- programs seek to be generally integrated into tions to improve processes and mitigate risks of corporate culture and operations, and to pro- not complying with any law/regulation/self–reg- mote a knowledge and understanding of the ulation within the whole group. In addition, Algar regulatory environment. Continuous monitoring indicated that the individual risks of the business practices and assessment of risks allow compli- units are the responsibility of each subsidiary, ance programs to improve and evolve to include which are discussed with the audit committee best practices. and, eventually, with the Board of Directors of the parent company. CPFL Energia indicated that the compliance function must have the full support and trust of senior management. Grupo Argos and d.2) Independence ISA included lists of specific components in their responses, such as: risk assessments, respect for As the compliance functions perform company values, self-audits, training programs oversight responsibilities, it is important to en- and communication plans, and documentation sure that this activity is conducted in an objective of internal controls. In addition, Grupo Argos manner and, specifically, without leading to any suggested the minimum content for a compli- conflict of interest situations. For this purpose, it ance program, which includes controls for whis- is common for a compliance function to be sep- tleblower lines, government interaction, data arated from other company departments. Grupo protection, and antitrust components, and the Argos commented that the most important sep- prevention of financial crimes and corruption. aration is the independence of the compliance function from commercial or purchase divisions Responses from Florida Ice & Farm Co. as the interaction between compliance responsi- and CPFL Energia touched on broader concepts bilities and day-to-day operations could result in of promoting trust and teamwork, knowledge of conflict of interest situations. regulations, and understanding the benefits and responsibilities of the compliance function. In ad- In cases of complex external obligations dition, CPFL Energia indicated that a continuous and internal structuring, it is often recommended process of education is important for the compa- that companies maintain separate compliance ny as a whole to educate responsible personnel and legal departments. Though cooperation and and thus allow them to understand applicable collaboration between the legal and compliance rules and to prevent breaches. ISA recommended functions is encouraged, the existence of sepa- the following policies be adopted by a company: rate and independent departments reduces the code of conduct/ethics; employment contracts potential for conflict of interest. Florida Ice & which include the obligation to comply with Farm Co. suggested that in highly regulated in- rules applicable to the company and sanctions dustries, a legal department should handle com- for non-compliance; a policy setting out the duty pliance functions. In the absence of legal depart- to report (incumbent on all employees, man- ment presence within a compliance department, agers and stakeholders) when there are doubts some measure of practical legal environment about compliance with a specific rule; and a knowledge is still needed. policy setting out obligations of stakeholders to comply with norms and regulations applicable

LATIN AMERICAN COMPANIES CIRCLE 7 to the company. Florida Ice & Farm Co. strong- Ferreycorp mentioned as well the need ly recommended the creation, disclosure and to consider environmental risks within the con- certification of a code of ethics and compliance text of the compliance function. The good image within the company that incorporates all stake- and reputation of the company is a precious as- holders. Graña y Montero recommended (i) the set that must be protected and preserved. adoption of a code of conduct/ethics that applies to the parent company and subsidiaries, (ii) the Ultrapar outlines very clearly the pillars of its establishment of an independent and confiden- compliance program, as follows: tial Ethics Hotline (with direct report to the Audit Committee especially regarding cases of possible — Governance: Committee of Conduct and fraud or bribery), (iii) the establishment of an Audit/Compliance Directorate Anticorruption Policy, (iv) the delivery of ongoing training, especially to the members of the board, —Directives: Code and Policies the CEO and other senior officers, (v) the conduct of periodic compliance-based audits, and — Controls Implementation: different types of (vi) ensuring the commitment of the company’s controls at various layers and with different main suppliers to follow the company’s ethics objectives and compliance standards. —Preventative actions related to directives and Algar recommended that a compliance controls: films, training sessions, town halls, program contemplate the following four basic orientation channels activities: (i) prevention (risk assessment, rules and policies, code of conduct, internal controls, —Monitoring: auditing; checks and balances; training and communication); (ii) detection of complaints channel non-compliance (audits, whistleblowing channels via web, email or phone), and the proper —Consequences Management handling of complaints; (iii) remediation - cor- rection of non-conformities (processes, training, employee profile adequacy); and, (iv) application a) Communication Practices of a policy of consequences/sanctions (in the event of intentional breaches). Clear and effective communication between employees, management, and the Board In order to identify situations in which is necessary for implementing a successful com- potential breaches might occur, it is recom- pliance program and for instilling ethical behavior mended that the compliance risk involved in throughout the company. Developing a plan for each area or department’s operations (including, information, inquiry, and feedback flow serves without limitation, its activities, products, services to streamline the compliance function. Various and other relevant aspects) be identified by the forms of media, such as newsletters, presenta- compliance department. Identification of compli- tions, email updates, and manuals, can be used ance risks is a joint responsibility of all company to open communication channels. A communi- personnel. While the primary responsibility for cation plan for compliance requirements is sug- identifying and consolidating these types of cir- gested. In particular, the use of various forms of cumstances should rest with the compliance de- communication media is necessary to increase partment, the process should be led by the com- awareness and promote a positive attitude to- pliance function and be jointly undertaken with wards compliance. In addition, companies also each of the company’s departments. Interviews, advocated for reminders through training and workshops and risk assessments could be con- education, awareness-building exercises, un- ducted for these purposes. Participation of per- derstanding, and ultimately results in satisfying sonnel or units who fully understand the applica- compliance obligations. ble processes is considered key.

LATIN AMERICAN COMPANIES CIRCLE 8 results so that informed and timely decisions can Information on the company’s scope of be made by senior management and, if applica- compliance responsibilities should be reported ble, Board-level committees and by the Board to, and discussed at, the audit committee (and of Directors itself. Reports should be discussed eventually the Board of Directors) in order to at the Compliance Committee meeting (or its improve directors’ knowledge and commitment. equivalent) at least on a quarterly basis. In the Most of the responding companies recommend- event of a material compliance incident (which ed that material compliance matters be notified may have an internal or external impact on the to the Board on a quarterly basis or immediately company, such as an impairment to its integrity, when warranted. Algar suggested that informa- damage to its reputation, legal or regulatory con- tion on material compliance matters be included sequences, financial loss, etc.), the Compliance within the report from the audit and risk man- Committee should reach a decision on whether agement committee(s). to disclose the event to its shareholders and external parties. The minimum content suggested for a report prepared by the compliance function ad- It is recommended that companies take dressed to the audit committee (and, eventually, into consideration that shareholders (and, to the Board of Directors) should include at least: (i) some extent, external parties) may be required a description of all relevant cases of non-com- to be notified when the incident is deemed as a pliance (including policy breaches and notifiable material event in accordance with applicable law. events); (ii) identification of deficient areas, po- In addition, the form of disclosure should also tential risk circumstances and areas for improve- be taken into consideration when deciding to ments; (iii) updates on risk mitigation actions; (iv) disclose. updates on ongoing compliance issues; (v) matters requiring notice to regulators; (vi) relevant Depending on the complexity or required material amendments to compliance obligations; level of specialization of a compliance matter, (vii) measurements of compliance performance; Algar recommended that a company consid- (viii) analysis of the compliance management er seeking external expert advice to assist it in system’s effectiveness, achievements and trends; properly evaluating the risks and potential im- (ix) compliance training actions; (x) results from pacts. Grupo Argos considered it crucial to have a audits and monitoring activities; and, (xi) re- process of action tracking in place. Management source requirements. should work to ensure that reporting is encouraged, an integrated procedure is communicated In the event that a compliance risk is to all employees, incidents are clearly commu- identified, it should be immediately reported to nicated, issues raised are addressed, remedial the Compliance Officer and the relevant depart- actions are implemented and lessons learned ment. If the compliance risk is assessed as signifi- are identified and then communicated. Ultrapar cant, the Compliance Officer should immediately stresses the need to have adequate internal report this matter to her/his supervisor. Both the communications support within the company, Compliance Officer and the supervisor should such as messages from the CEO, “town halls”, reach a conclusion regarding the best course of training sessions, films and e-learning/tutorials action and submit it in writing to the company’s by way of example. senior management and, if warranted by its materiality, to the audit committee and, eventually, to the Board of Directors itself. The Board should b) Manuals nevertheless regularly monitor compliance through internal controls. Compliance manuals are a form of communication media that allow companies to Grupo Argos recommended that a easily inform all parts of the organization of the Compliance Officer be responsible for collecting various standards, obligations, operations, risks, information, and analyzing, and communicating and monitoring practices associated with the

LATIN AMERICAN COMPANIES CIRCLE 9 compliance function, and which are expected Management and employees operate from company personnel. Whether a compliance the company on a daily basis, and therefore manual is advisable or not would depend on should understand how to operate in compli- the complexity of the structure of the particular ance with the regulatory environment in which company. the business exists. Therefore, an evaluation Manuals should support larger compli- of applicable laws and regulation should be a ance programs, be widely distributed, and re- component of Board member and employee viewed, and approved by the Board and manage- evaluations. Grupo Argos emphasized that while ment bodies. ISA considered that a compliance management should identify and communicate manual can be a good tool for companies which relevant compliance requirements, it is recom- have not established clear corporate governance mended that the ultimate responsibility for de- rules or a code of ethics/conduct; but should termining, understanding and complying with not be required for companies with clear poli- applicable requirements lies with each employee. cies, procedures, functions and roles assigned, as In addition, CPFL Energia indicated that it is very companies already have many manuals in place important that employees have a continuous with which compliance is needed. process of education regarding the compliance environment, as applicable laws and regulations change from time to time. c) Awareness Evaluation In order to enhance compliance-related The company’s Board of Directors should communication, companies can maintain com- have in-depth knowledge of its compliance re- pliance knowledge standards throughout the sponsibilities. The main role of the Board with organization. This can be effected through rou- respect to compliance should be to ensure that tine examinations, tests, and/or audit processes the company is identifying, monitoring and to determine how well-informed employees and complying with all obligations applicable to it. management are on the regulatory environment According to CPFL Energia, one responsibility of in which the business operates and what internal the Board of Directors is to ensure an organi- compliance strategies and operations are uti- zation has a professional compliance function lized. Testing of this nature encourages an envi- and, in addition, the Board should monitor the ronment of well-educated internal stakeholders. compliance function’s performance regularly. ISA Workshops and case studies could also be used suggested that the Board’s role with respect to to diversify compliance knowledge assessment. compliance should include the approval of pol- Consensus among questionnaire respondents is icies and working plans, allocation of resources, that some form of periodic testing and/or audit follow-up on risks (and mitigating measures) and process is recommended for all employees since proposal of required improvements. Conducting day-to-day operations should align with compli- annual compliance training programs designed ance policies. specifically for Board members is also recommended. The corporate secretary should also provide support to the Board on compliance-related matters.

LATIN AMERICAN COMPANIES CIRCLE 10 IFC 2121 Pennsylvania Avenue Washington, D.C. 20433 Ifc.org/corporategovernance

Siehe auch Handbuch „Corporate Design der Schweizerischen Bundesverwaltung“ Kapitel „Grundlagen“, 1.5 / Schutzzone www . cdbund.admin.ch In partnership with:

February 2017