The governing body should publicly and unequivocally state its commitment to implementing a culture of business ethics within the organisation. As the body ultimately responsible for the Compliance System, it shall regularly monitor its implementation and effectiveness.

Oversight and responsibility for the Compliance System should sit with a body or person with the appropriate authority and control, to supervise the effectiveness of the organisation’s internal controls.

The Compliance Officer, or the body that exercises these functions, must have autonomy and independence within the organisation, and the required materials and resources to adequately manage the Compliance System.

It is essential to identify and assess the risks of offences or misconduct arising from the organisation’s activities, including risks of fraud and corruption, competition law and modern slavery.

This analysis, which should be subject to periodic review and update, should consider the impact and probability of the potential occurrence of the risk analyzed, as well as the effectiveness of the mitigating controls.

The organisation must have internal rules and controls in place to prevent and mitigate the risks identified.

The organisation should provide its employees with policies, procedures and guidelines that establish the appropriate conduct expected within the organisation.

The Compliance System must ensure that employees are aware of the internal rules and controls in place.

Targeted training should be defined, considering the risks to which each person in the organisation is most exposed.

On a general basis, it is advisable to adapt both the method and channel used, selecting the most effective according to the particular characteristics of each case.

One of the key elements of a Compliance System is the existence of internal whistle-blower channels (ethics mailboxes) to report any irregular actions, or breaches of applicable legislation.

The confidentiality of both the reporting party (or anonymity if the applicable legislation allows for this) and the reported person, must also be guaranteed. The rights of all involved must be respected when investigations are carried out following a report being made.

The organisation should convey to employees its commitment not to retaliate against those who use these channels in good faith, and therefore take the necessary measures to prevent retaliation.

When an irregularity or unlawful act by an employee has been demonstrated, the appropriate disciplinary measures shall be applied, in accordance with the legislation in force.

The Compliance System must be audited, reviewed and verified, internally and/or externally, to ensure (i) it is up to date and adapted to the organisation’s own legislative and operational changes and (ii) its robustness and continuous improvement to prevent any breaches.