Checklist: Anti-bribery and corruption procedures (UK)

Updated as of: 22 September 2025

Introduction

This checklist suggests steps to take in order to prevent bribery and corruption in your organisation and avoid violation of the Bribery Act 2010 (BA 2010). It is aimed at in-house lawyers and compliance professionals in organisations of all sizes and all sectors in the UK.

Under the BA 2010, it is an offence to pay or receive a bribe, and companies and partnerships will also commit an offence where a bribe is paid on their behalf. A key part of any bribery prevention exercise involves identifying, managing, designing and embedding controls that correlate to the risks arising from BA 2010 activities within your organisation.

This checklist can be incorporated as part of an overall risk management framework, forming part of your organisation’s code of conduct, or as a stand-alone ABC Framework.

The checklist addresses the following steps:

  1. Assessing the adequacy of your ABC procedures
  2. Preparing, implementing and communicating an effective ABC policy
  3. Implementing and embedding ABC procedures
  4. Ongoing governance and compliance

The checklist is presented as a list of requirements that you can tick off as they are addressed. At the end of the document there are explanatory notes, and specific notes corresponding to the relevant step in the checklist.

The checklist can be used in conjunction with How-to guides: Understanding the Bribery Act 2010 offences, Understanding penalties for breach of the Bribery Act 2010, How to identify and assess bribery and corruption risk and How to prevent bribery and corruption as well as the Checklists: Anti-bribery and corruption risk assessment, Gifts and hospitality and Charitable and political donations.

Step 1 – Assessing the adequacy of your ABC procedures

No.   Task name
1.1   Identify relevant top-level management to sponsor the implementation of the ABC Framework
1.2   Allocate appropriate resources and budget for the project
1.3   Use your ABC risk assessment to identify ‘gaps’ in ABC procedural controls
1.4   Consider whether established ABC procedural controls are practical and effective
1.5   Consider independent oversight of procedural controls (internal or external)

Step 2 – Preparing, implementing and communicating an effective ABC policy

No.   Task name
2.1   Decide which function owns the ABC policy
2.2   After reviewing the BA 2010, associated guidance and your ABC risk assessment, draft your ABC policy
2.3   Ensure that the wording and length or complexity of the ABC policy is appropriate
2.4   State how the ABC policy will be enforced
2.5   Keep a version control tracking record
2.6   Test, finalise and ratify the ABC policy
2.7   Publish and implement the ABC policy
2.8   Prepare a formal statement for top-level management to communicate
2.9   Use targeted communications and permanent signposts to enshrine the ABC policy

Step 3 – Implementing and embedding ABC procedures

No.   Task name
3.1   Review/implement procedural controls relating to facilitation payments
3.2   Review/implement procedural controls related to the provision of gifts and hospitality
3.3   Review/implement procedural controls related to charitable and political donations
3.4   Review/implement procedural controls related to third party associated persons
3.5   Review/implement procedural controls related to employees
3.6   Review/implement procedural controls related to whistleblowing
3.7   Review/implement any other procedural controls which might be necessary or desirable to mitigate the risks identified in your risk assessment
3.8   Establish a practical route map to embed procedural controls
3.9   Test, finalise and ratify your procedures
3.10  Roll out training to staff

Step 4 – Ongoing governance and compliance

No.   Task name
4.1   Assess the ABC policy, controls and procedures regularly
4.2   Monitor industry developments from verified sources
4.3   Investigate incidents holistically and consider other unlawful conduct
4.4   Document actions taken when misconduct is identified
4.5   Provide information on incidents to top-level management
4.6   Continuous commitment to embody principles of BA 2010 by top-level management
4.7   Ensure transparent engagement with internal or external auditors
4.8   Survey staff to ensure clarity and understanding of the need for compliance with your organisation’s policies and procedures

Explanatory notes

General notes

This checklist incorporates steps to follow to implement procedures within your organisation that will mitigate the risk of violation of the BA 2010.

The BA 2010 applies to any organisation that is incorporated or trades in the UK. It covers bribery committed by the organisation, or on its behalf, anywhere in the world. It creates four offences:

Having an effective anti-bribery and corruption compliance framework (ABC Framework) in place which consists of policies and procedures will help to mitigate the risk that bribes are offered or accepted by your organisation.

It is a defence to the section 7 BA 2010 offence of failure of a commercial organisation to prevent bribery that the organisation had in place adequate procedures designed to prevent associated persons from bribing. In order to establish such a defence, the organisation would need to show, on the balance of probabilities (ie, that it is more likely than not), that it had adequate procedures in place to prevent bribery by associated persons.

You therefore need to consider what procedures are appropriate for your organisation. This will depend on the risks faced. See How-to guide: How to identify and assess bribery and corruption risk and Checklist: Anti-bribery and corruption risk assessment.

Notes on specific requirements

Step 1 – Assessing the adequacy of your ABC procedures

Step 1 of the checklist considers the results obtained from a risk assessment and can help you give further detailed consideration to the actions that will be taken to identify, manage and prevent BA 2010 risk.

1.1 Identify relevant top-level management to sponsor the implementation of the ABC Framework

Your organisation’s top-level team (including senior business executives from your organisation such as the chief operations officer (COO), the chief finance officer (CFO) and the chief executive officer (CEO)) is responsible for providing an adequate budget and sponsoring the implementation team.

1.2 Allocate appropriate resources and budget for the project

Consider whether you will need to bring in contract staff to manage/implement the project. You may also identify further costs during the project, for which there should be an allowance.

1.3 Use your ABC risk assessment to identify ‘gaps’ in ABC procedural controls

Use your ABC Risk Assessment and map relevant procedures and controls to identify gaps which should be plugged to prevent ABC risk in your organisation.

See Checklist: Anti-bribery and corruption risk assessment.

1.4 Consider whether established ABC procedural controls are practical and effective

If your organisation already has ABC procedural controls, consider whether those procedures are referred to, followed in practice, reviewed and regularly updated and whether these have been effective in preventing bribery issues. If not, deficiencies should be identified and remedied as part of the process of implementing procedures.

1.5 Consider independent oversight of procedural controls (internal or external)

Consider the adoption of the ‘four-eyes principle’. This is a procedural control requiring any activity by an individual within your organisation that involves a material bribery risk (as per your risk assessment) to be controlled (reviewed, double-checked) by a second independent and competent individual. You must therefore consider whether your organisation’s decision-making needs enhancing. Other considerations include the introduction of delegation of authority procedures, separation of functions and the avoidance of conflicts of interest. Do you have examples in your organisation of staff reviewing and checking their own work? This practice creates a conflict of interest. If your organisation is not large enough to support multiple layers of staff, consider an external auditing resource to carry out an independent review on a regular basis.

Step 2 – Preparing, implementing and communicating an effective anti-bribery and corruption policy

Step 2 of the checklist is a list of items to consider when preparing your ABC policy or updating an existing policy. It lists practical steps which you can tick off when completed.

2.1 Decide which function owns the ABC policy

Your ABC policy should be incorporated as part of your organisation’s standard compliance documentation. This might be as a stand-alone document, or incorporated into a wider code of conduct, ethics policy, compliance manual or employee handbook. Responsibility for maintenance of the ABC policy and ABC Framework should be allocated to a function within your organisation.

2.2 After reviewing the BA 2010, associated guidance and your ABC risk assessment, draft your ABC policy

Your ABC policy should clearly articulate your organisation’s commitment to bribery prevention. It should ensure that your organisation:

  • complies with its legal responsibilities
  • can demonstrate effective management and accountability
  • provides clear conduct guidelines for staff and
  • clearly establishes its beliefs, positions or values.

It should be appropriate to the level of risk your organisation faces. It therefore should be tailored to your organisation but at a minimum would be likely to cover:

  • your organisation’s commitment to preventing bribery
  • your organisation’s approach to reducing and controlling the risks of bribery and
  • rules about mitigating specific bribery risks such as accepting gifts, hospitality or donations

See an example of the UK government’s Homes & Communities Agency ABC policy here. You can find further examples of ABC policies online.

2.3 Ensure that the wording and length or complexity of the ABC policy is appropriate

Use your risk assessment to guide you on how much descriptive detail to include. This will make the objectives of your ABC policy clear to those tasked with drafting implementation procedures. For example, the ABC policy will determine if gifts and hospitality above a certain monetary threshold are prohibited or if pre-approval from line management is required etc.

2.4 State how the ABC policy will be enforced

The ABC policy should be enforced through disciplinary action. See Checklist: Carrying out a disciplinary process. This means you should describe the types of conduct viewed as unacceptable and not permitted by individuals (eg, accepting or giving bribes) along with the penalties for breaching internal policy (eg, disciplinary action) and the criminal law (eg, imprisonment and fines).

2.5 Keep a version control tracking record

This is a key part of your policy documentation housekeeping. Updates, amendments and annual reviews of the ABC policy should then be transparent and easy to retrieve. This will also assist you in the event of an internal or external request for historical information or previous versions of the policy.

2.6 Test, finalise and ratify the ABC policy

Ask someone from your assurance or audit function who was not involved in drafting the policy to read it and confirm it is clear and understandable.

Once tested, the policy should be finalised. It is important that all stakeholders (eg, senior management responsible for ABC risk) agree on its contents.

Because this is a strategic policy issue, your organisation’s ABC policy should be ratified, once finalised, by top-level management, who are responsible for all policies and procedures within your organisation.

2.7 Publish and implement the ABC policy

It is easiest to send a copy (or a link to the copy) to staff via email. You could print and distribute hard copies too so that the policy can be accessed manually or publish it on an intranet. Members of your organisation who must comply with it should also indicate that they have read and understood the ABC policy. Include it as part of your organisation’s compliance manual or staff handbook.

2.8 Prepare a formal statement for top-level management to communicate

Communication of the ABC policy to staff is most effective if tailored to different audiences and made generally available (on a company intranet and/or internet site) and refreshed periodically. This message should come from top-level management.

2.9 Use targeted communications and permanent signposts to enshrine the ABC policy

Wherever appropriate, include hyperlink signposts and cross references to the policy so that it is easily accessible to business and support staff.

Step 3 – Implementing and embedding ABC systems and controls

Step 3 looks at practical steps which your organisation should consider as part of its overall management strategy and sets out specific actions to take and consider in controlling and managing against BA 2010 risk.

If gaps in your procedural controls have been identified under Step 1, your organisation will need to implement new controls via manual or automated systems, eg, corporate hospitality approval procedures, lists of approved charities for donations or internal financial control mechanisms (such as senior management invoice sign-off for payments made to business development consultants).

3.1 Review/implement procedural controls relating to facilitation payments

Unlike in some other jurisdictions, there is no exemption in the BA 2010 in respect of facilitation payments, which are unofficial payments made to public officials to secure or expedite the performance of a routine or necessary action (eg, product approval licences). They are sometimes referred to as 'speed' or 'grease' payments. Procedural controls might relate to the need to request official documentation concerning the payment (receipt or other documentation which confirms the legality of the payment) and/or processes for recording and reporting the payments.

3.2 Review/implement procedural controls related to the provision of gifts and hospitality

Gifts and hospitality expenditure that is reasonable, proportionate and made in good faith is recognised as an established and important part of doing business. The BA 2010 does not seek to prohibit or penalise this activity.

Procedural controls related to gifts and hospitality might include gatekeeper approval mechanisms and procedures for recording gifts and hospitality offered or received.

See further Checklist: Gifts and hospitality.

3.3 Review/implement procedural controls related to charitable and political donations

Many organisations provide charitable support to communities. However, there is an inherent risk that donations may be used for the purposes of bribery.

Procedural controls might include due diligence, gatekeeper approval mechanisms and procedures for recording details of donations.

See further Checklist: Charitable and political donations.

3.4 Review/implement procedural controls related to third party associated persons

The actions of associated persons can create liability under the BA 2010 for commercial organisations (under the section 7 offence of failure to prevent bribery by associated persons). It is a full defence to the section 7 offence that a commercial organisation had in place adequate procedures to prevent bribery. Accordingly, implementing procedural controls will be important in limiting exposure.

Due diligence procedures should be applied in respect of persons who perform or will perform services for or on behalf of the organisation. If there are no existing procedures, these should be implemented. If there are existing measures in place then the adequacy of these should be considered. The appropriate level of due diligence to prevent bribery will vary enormously depending on the risks arising from the particular relationship and therefore the ABC risk assessment should be used to assess the level of due diligence that might be required for a particular service provider. For example, a high level of due diligence will be required when establishing a business in a foreign market. You should strengthen due diligence procedures with third parties, including agents or partners and joint ventures. Depending on the size of organisation, this should be implemented into any supplier risk management process.

Depending on the results of your ABC risk assessment and due diligence, it may be appropriate to implement procedural controls to address bribery risks. This could include, for example, contractual controls and rights. Contractual arrangements with third parties will be more robust if they contain clauses that allow for on-site or off-site audits to evaluate ABC risks. For instance, allowing for the review of a third party’s ABC procedures in relation to gifts and hospitality.

See further Checklist: Conducting third party due diligence and managing third party bribery risk.

3.5 Review/implement procedural controls related to employees

According to Ministry of Justice guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing (Guidance), a commercial organisation’s employees are presumed to be persons ‘associated’ with the organisation for the purposes of the Bribery Act and therefore bribery committed by them could lead to a breach of section 7 BA 2010. The organisation may wish, therefore, to incorporate in its recruitment and human resources procedures an appropriate level of due diligence to mitigate the risks of bribery being undertaken by employees. This due diligence should be proportionate to the risk associated with the post in question. In addition, to mitigate risk concerning employees, procedural measures should be considered such as firming up terms of engagement and employment contracts so that they reflect a commitment to zero tolerance of bribery. Define in detail the basis of remuneration, including expenses. Review disciplinary procedures and communicate in training, awareness campaigns and staff documentation the disciplinary processes and sanctions for breaches.

In addition, recent changes to corporate criminal liability (introduced by the Economic Crime and Corporate Transparency Act 2023) mean that an organisation will also be guilty of a section 1, 2 or 6 BA 2010 offence where such an offence is committed by a senior manager acting within the actual or apparent scope of their authority.

See further How-to guide: Understanding the Bribery Act 2010 offences.

Unlike the section 7 BA 2010 offence, there is no defence available to an organisation that it had in place adequate procedures to prevent such conduct. However, whilst not a defence, having procedural controls in place is an important part of a risk management strategy. Procedural controls may help an organisation to limit risk through prevention or, failing prevention, through early identification and as potential mitigating factors in the event of investigation and/or prosecution. Procedural controls should include:

  • audits to identify who within the organisation might be considered to be a ‘senior manager’. As there is currently little guidance on this it may be prudent to seek support from specialist external counsel in this regard;
  • audits to identify which parts of the organisation might attract higher levels of bribery risk (eg, sales or procurement teams) and as a result where enhanced procedural controls might be required;
  • for ‘senior manager’ roles, take measures to set out and clarify the scope of the role and the acts that the role is authorised to undertake. These should be regularly reviewed and audited and appropriate oversight over the role should be maintained;
  • for existing employees considered to be ‘senior managers’, assess whether there have been any issues that have arisen in the past that might suggest an enhanced level of risk that should be mitigated (for example, previous involvement in misconduct);
  • for potential new employees who might be considered to be ‘senior managers’, conduct checks and due diligence as part of the recruitment process, see Checklist: Employment law considerations during a recruitment process;
  • for all employees considered to be ‘senior managers’, consider the need for enhanced and regular training on bribery (note that the full range of offences for which a company might be held liable through this new identification doctrine is wider than just bribery offences, but the scope of this guide is limited to bribery only) and also whether those in senior management roles should be required to confirm annually that they are not aware of any circumstances that might give rise to the risk of liability for the organisation (or to disclose the same); and
  • for all employees, ensure that anti-bribery training is provided on a regular basis and that employees understand how to recognise and report suspected misconduct that could lead to liability for the organisation (see below section 3.6).

3.6 Review/implement procedural controls related to whistleblowing

One way to identify suspected misconduct is through procedures put in place to allow for internal reporting of identified or suspected bribery. Internal reports can allow:

  • for timely internal investigation
  • for misconduct to be terminated and therefore exposure limited and
  • your organisation to seek timely specialist legal advice

It is in your organisation’s best interests to encourage internal whistleblowing so that any allegations can be investigated internally and possibly self-reported rather than the SFO learning of the allegations directly from a whistleblower.

Procedures should be in place which allow for secure and confidential reporting of actual or suspected misconduct. This may take the form of a reporting hotline.

3.7 Review/implement any other procedural controls which might be necessary or desirable to mitigate the risks identified in your risk assessment

Depending on your ABC risk assessment, there may be other procedural controls which are necessary or desirable to mitigate the risk of bribery.

3.8 Establish a practical route map to embed procedural controls

Establish a written project plan and timeline to enable your organisation to embed the controls. This will include bespoke training, for example, on ABC procedures, how to spot red flags, where to escalate concerns etc. The project plan needs to identify milestones such as:

  • gaps identified
  • procedures drafted
  • procedures finalised
  • training rolled out to all employees
  • collection of management information designed
  • independent reviews scheduled (such as monitoring or audit assessments)

3.9 Test, finalise and ratify your procedures

Your organisation can do this in-house or outsource this service to a specialist professional adviser. It will depend on the complexity of the controls you are testing.

All relevant stakeholders within your organisation need to approve the procedures.

Ratification is when the procedure has been endorsed by the senior management team of your organisation and becomes a ‘live’ document.

3.10 Roll out training to staff

Staff should receive appropriate training which is tailored to their exposure to bribery risks (see also section 3.5 above). For example, top-level management and staff in business development, finance and human resources etc will need to know how to spot potential BA 2010 red flags relating to associated persons. Training should be pitched at an appropriate level and, to be effective, should contain relevant examples of misconduct.

Your risk assessment should enable you to identify critical accounting activities and high-risk business units and departments and therefore allow you to identify key employees and educate them on how to spot BA 2010 red flags.

Step 4 – Ongoing governance and compliance

Step 4 of the checklist considers how to respond to and manage the practical business-as-usual aspects of BA 2010 risks. It sets out steps to take in respect of maintaining an up-to-date ABC Programme.

4.1 Assess the ABC policy, controls and procedures regularly

You should reassess your ABC policy and ABC procedures annually (as a minimum) and/or when circumstances change, eg, if your organisation merges with another.

4.2 Monitor industry developments from verified sources

Draw on information from other organisations’ practices; for example, relevant trade bodies or regulators might highlight examples of good or bad practice in their publications. In addition to regular monitoring, you might, for example, track governmental changes in countries in which you operate, incidents of bribery or negative press reports.

4.3 Investigate incidents holistically and consider other unlawful conduct

Antitrust violations or whistleblower retaliation are examples of the types of misconduct that should be considered as part of an ABC investigation. It is important to note that violations of the BA 2010 are not always isolated incidents and may tend to indicate a pattern of misconduct.

4.4 Document actions taken when misconduct is identified

Disciplinary action or remediation action should be taken, and documented, when misconduct is identified. Information obtained about misconduct that has arisen should be used to educate and understand how preventative procedures can be improved.

4.5 Provide information on incidents to top-level management

Provide information to top-level management on the oversight of procedures, levels of compliance and incidents along with the provision of feedback. Ideally, this information should be reviewed at board level or by the relevant board committee (eg, risk or audit committee). It should include:

  • periodic management information (eg, every quarter);
  • relevant analysis (eg, internal audit findings);
  • commentary on BA 2010 risks (eg, information on breaches or the findings of internal investigations); and
  • changes to and effectiveness of controls and procedures

4.6 Continuous commitment to embody principles of BA 2010 by top-level management

For instance, if appropriate, consider top-level management engagement with relevant associated persons and external bodies, such as sectoral organisations and the media, to help articulate your organisation’s policies and commitment to the BA 2010.

4.7 Ensure transparent engagement with internal or external auditors

Any areas in your organisation where financial controls are not transparent (eg, business development initiatives) need to be highlighted for extra scrutiny by independent reviewers.

4.8 Survey staff to ensure clarity and understanding of the need for compliance with your organisation’s policies and procedures

Your organisation’s communication about standards of conduct expectations needs to be socialised and understood. The message needs to come directly from top-level management. A sample survey of staff can help you assess whether staff understand what is expected of them to ensure compliance with the BA 2010.

Additional resources

It is important to continuously stay abreast of developments and to add to and update your checklist as needed. In respect of the Bribery Act 2010 (BA 2010) there are several anti-bribery and corruption website resources to draw on, including:

 

Related Lexology Pro content

How-to guides:

Understanding the Bribery Act 2010 offences
Understanding penalties for breach of the Bribery Act 2010
How to identify and assess bribery and corruption risk
How to prevent bribery and corruption
How to conduct an internal investigation into bribery allegations

Checklists:

Anti-bribery and corruption risk assessment
Gifts and hospitality
Charitable and political donations
Conducting third party due diligence and managing third party bribery risk
