Beyond the Checkbox: Rethinking Anti-Bribery Management System Objectives

The Standard does not say objectives should be easy. It says they should be meaningful — genuinely connected to risk and capable of demonstrating whether the system is working.

An objective designed for the organisation as a whole — set at a comfortable global average — may mask serious underperformance in the markets that matter most.

OBJ-005 Level 1 Due Diligence Report Turnaround Time

Field

Content

Why This Field Exists

Relevant Risk

Delays in completing due diligence reports create pressure on business teams to proceed with third-party engagements before screening is complete, increasing bribery risk.

Every objective must be anchored to a specific, identified risk. This field forces the question: what bribery risk is this objective actually managing? Without it, objectives can drift toward process housekeeping that has no direct connection to risk.

Risk Reference

Linked to Risk BR-013 — Due Diligence Process Delay and Bypass Risk

The risk reference creates a traceable link from the objective back to the risk register. This is essential for audit purposes — it demonstrates that the objective programme is risk-driven, not activity-driven, and allows an auditor to verify that every material risk has at least one objective mapped to it.

Scope

Global

Defining scope as Global, Regional, or Local (with a specific country named) makes clear who is accountable and prevents global averages from masking poor performance in specific markets. A global objective may aggregate acceptable performance in low-risk markets with unacceptable performance in high-risk ones. Scope granularity is where accountability lives.

Objective Statement

Reduce the average turnaround time for Level 1 due diligence reports from 15 business days to 7 business days by Q3 2026.

The objective statement is the single sentence that captures what success looks like. It must include a baseline, a target, and a timeframe. 'Improve due diligence turnaround' is not an objective statement. 'Reduce average turnaround from 15 to 7 business days by Q3' is. The difference is accountability.

SMART — Specific

Level 1 DD reports must be completed within 7 business days of request submission. No exceptions without documented justification.

Specificity eliminates ambiguity about what is being measured and what counts as compliant. Vague objectives are not objectives — they are aspirations.

SMART — Measurable

Average number of business days between DD request submission and report completion, calculated monthly from the KYC system.

This field defines the metric. Not the target — the metric. Before setting any number, the organisation must confirm the data exists, is reliable, and can be extracted consistently. If you cannot measure it, you cannot manage it.

SMART — Achievable

Reduction is achievable through process streamlining, API integration with screening providers, and clearer intake requirements.

Achievability is not about making targets easy — it is about confirming that the organisation has the means to achieve the target if it invests the required effort. This field also forces a conversation about what changes are needed, not just what number is desired.

SMART — Relevant

Faster turnaround reduces commercial pressure to bypass due diligence and reinforces compliance as an operational enabler.

Relevance connects the objective back to the risk. A faster DD process is not just an efficiency gain — it directly reduces the risk that business teams circumvent screening because it is too slow. This field should make the anti-bribery logic explicit.

SMART — Time-bound

Baseline measured in Q1 2026. Target of 7 business days to be achieved by Q3 2026.

Without a timeframe, an objective cannot be failed. A timeframe creates a moment of reckoning — a defined point at which the organisation must assess whether it achieved what it set out to achieve and, if not, why.

How We Measure It

KYC system records request submission and report completion dates for every case. Monthly average turnaround calculated and broken down by region and DD type. Cases exceeding 10 business days reviewed for root cause.

This is the field most organisations skip. The measurement methodology is not a footnote — it is the mechanism by which the objective becomes real. It specifies the system, the frequency, the granularity, and the response when performance falls short. Without it, the metric exists in theory only.

Target

Average Level 1 DD report turnaround of 7 business days or fewer by Q3 2026.

The target is specific, numeric, and time-bound. Note that it is not 100% — it is an average, which reflects real-world variation while still creating meaningful accountability. Not all objectives should have a 100% target. Targets should reflect risk proportionality and operational reality.

Owner

Head of Due Diligence / Compliance Manager

Named ownership is non-negotiable. An objective without an owner is a wish. The owner is accountable for achieving the target, reporting performance at management reviews, and escalating where the target is at risk.

An objective without an action plan is a statement of intent. An objective with a numbered action plan is a management commitment.

OBJ-001 Third-Party EDD Coverage

Example

100% of new high-risk third parties complete enhanced due diligence before contract execution. Measured quarterly from the KYC system. Any shortfall triggers a 30-day root cause review.

OBJ-002 Employee Perception of Management Integrity

Example

Increase Q6 of the Annual Employee Survey (manager integrity) from 36% to 75% by year-end. Disaggregated by region, with regions below 60% subject to targeted culture improvement plans.

OBJ-003 Anti-Bribery Training Completion Rate

Example

95% of in-scope employees complete mandatory training by 31 December. Monthly LMS reports with two-stage escalation at 60 and 90 days overdue.

OBJ-004 Gifts Pre-Approval vs Expense Claim Matching

Example

Fewer than 5% of government-related G&E Workday submissions have no matching Kissflow pre-approval reference. Quarterly reconciliation with individual review of all unmatched claims.

OBJ-005 Level 1 DD Report Turnaround Time

Example

Reduce average Level 1 DD turnaround from 15 to 7 business days by Q3. Monthly KYC system data. Root cause review for all cases exceeding 10 days.

OBJ-006 Compliance SLA — Response to Issues

Example

95% of Tier 1 issues responded to within 3 business days; 100% of Tier 2 within 7. Case management system tracks all escalations with automated SLA alerts.

OBJ-007 Speak Up Investigation Resolution Time

Example

Reduce average investigation closure time from 94 to 60 calendar days. Quarterly NAVEX data, disaggregated by investigation type and region.

OBJ-008 ISO 37001 Internal Auditor Certification

Example

100% of compliance and internal audit team members with ABMS responsibilities hold current ISO 37001 auditor certification by 31 March. Certification register maintained and reviewed monthly.

OBJ-009 Manager-Led Integrity Sessions

Example

100% of people managers deliver two structured integrity sessions with their teams during the year. Session completion records submitted to HR and tracked quarterly.

OBJ-010 DD Report Quality — Error and Omission Rate

Example

Reduce DD report error rate from 22% to below 8% by year-end. Quarterly QA review of a random 15% sample of completed reports against a standardised checklist.

OBJ-011 Annual Controls Testing Programme

Example

100% of planned ABMS controls tests completed by 30 November. 100% of findings have corrective actions assigned within 30 days. Controls testing tracker reviewed monthly.

OBJ-012 ASP Due Diligence Completion — Africa & APAC

Example

100% of active Administrative Services Providers in Africa and Asia Pacific have a completed, current due diligence file by Q2. Regional scope reflects elevated ASP risk in these markets.

OBJ-013 Conflicts of Interest Declaration Rate

Example

90% annual COI declaration completion rate by 31 December. 100% of declared conflicts assessed within 30 days of declaration. Monthly completion reports from COI system.

OBJ-014 Background Check Completion Before Start Date

Example

100% of new hires in high-risk roles and jurisdictions complete background screening before their employment start date. Quarterly HR system comparison of check completion and start dates.

OBJ-015 Speak Up Awareness — Africa (Regional)

Example

Increase the percentage of Africa-region employees correctly identifying the Speak Up channel from 41% to 70% in the Annual Employee Survey. Mid-year pulse check to assess progress.

OBJ-016 Management Review Input Quality and Timeliness

Example

100% of management review input reports submitted on time and complete for all four 2026 reviews. Submission compliance tracked by the CCO and reported as a standing agenda item at each review.

OBJ-017 Annual Bribery Risk Assessment Refresh

Example

Risk assessment refresh completed and approved by Top Management by 31 March. ERM integration confirmed by 30 April. Evidence filed in the ABMS document management system.

OBJ-018 Internal Audit Corrective Action Closure Rate

Example

90% of internal audit corrective actions closed within agreed timeframes by year-end. Actions overdue by more than 30 days escalated to the CCO. Quarterly tracker review.

OBJ-019 Anti-Bribery Culture Score — Papua New Guinea

Example

Improve PNG compliance culture survey score from 52% to 72% by year-end. Country-specific scope reflects elevated risk in this jurisdiction. Results disaggregated by team and location within PNG.

OBJ-020 Sanctions Screening Coverage Rate

Example

100% sanctions screening coverage across all in-scope counterparty categories by Q3. Quarterly system-generated coverage report. Gaps addressed within 30 days of identification.

OBJ-021 G&E Policy Breach Rate — India

Example

Reduce government-related G&E policy breaches in India from 18 per quarter to fewer than 4 by Q4. Local scope reflects elevated risk. Quarterly Kissflow/Workday reconciliation with individual breach follow-up.

OBJ-022 Investigation Quality Audit Score

Example

Average investigation quality score of 80% or above across a random 30% sample of 2026 investigations. Independent annual audit using a standardised quality assessment rubric.

OBJ-023 Business Associate Code of Conduct Acknowledgment

Example

100% of active high-risk and medium-risk business associates have a signed Code of Conduct acknowledgment by 30 June. Business associate acknowledgment register reviewed quarterly.

OBJ-024 Top Management ABMS Training

Example

100% of Top Management complete a tailored ABMS responsibilities briefing by 30 June. New appointments complete within 60 days. Attendance register maintained and filed in the ABMS document system.

OBJ-025 Anti-Bribery Training Comprehension Score

Example

Average post-training assessment score of 80% or above by year-end. Minimum 70% pass mark required for individual completion to be recorded as compliant. Monthly LMS data by region and business unit.

An objectives register that shows the organisation measuring the things that matter is significantly more valuable in a mitigation argument than one that records a series of easily completed process activities.

OBJ-001 Third-Party Enhanced Due Diligence Coverage

Relevant Risk

Inadequate screening of third parties operating in high-risk jurisdictions creates exposure to bribery conducted by or through business partners.

Risk Reference

Linked to Risk BR-012 — Third Party Bribery Risk

Scope

Global

Objective Statement

Ensure that 100% of new third-party relationships classified as high-risk are subject to enhanced due diligence screening prior to contract execution.

SMART Breakdown

Specific

Enhanced due diligence must be completed before any high-risk third party is onboarded — no exceptions.

Measurable

Percentage of high-risk third parties onboarded during the year who completed EDD prior to contract signature, as a proportion of all high-risk third parties onboarded.

Achievable

The due diligence process and risk classification methodology are already in place; this objective sets a compliance floor for their consistent application.

Relevant

Directly linked to the identified bribery risk associated with third-party relationships in higher-risk markets.

Time-bound

Measured quarterly, reported at each management review, with full-year performance assessed at year-end.

How We Measure It

Compliance team extracts a quarterly report from the KYC/due diligence system showing all third parties onboarded in the period, filtered by risk classification. The number completing EDD prior to contract execution is divided by the total number of high-risk third parties onboarded. Any shortfall triggers a root cause review and corrective action within 30 days.

Target

100% completion prior to contract execution for all high-risk third parties.

Owner

Chief Compliance Officer

Action No.

Action

Owner

Due Date

Status

AP-001-01

Map all active third-party relationships and apply risk classification methodology to identify the full high-risk population

Compliance Manager

Q1 2026

AP-001-02

Configure KYC/due diligence system to flag and block onboarding of high-risk third parties where EDD has not been completed

Systems / Compliance

Q1 2026

AP-001-03

Establish quarterly reporting template extracting EDD completion rates by risk tier and region

Compliance Manager

Q1 2026

AP-001-04

Report EDD completion performance at each quarterly management review

CCO

Ongoing

AP-001-05

Implement root cause review process for any shortfall, with corrective action required within 30 days

CCO

Ongoing

OBJ-002 Employee Perception of Management Integrity

Relevant Risk

A compliance culture that is not genuinely embedded at the leadership level increases the risk that bribery is normalised or overlooked in day-to-day business decisions.

Risk Reference

Linked to Risk BR-021 — Anti-Bribery Culture and Tone at the Top

Scope

Global

Objective Statement

Increase the percentage of employees who agree that managers in the company are trustworthy and act with integrity (Question 6 of the Annual Employee Survey) from 36% in 2025 to 75% by end of 2026.

SMART Breakdown

Specific

Question 6 of the Annual Employee Survey is the defined measurement instrument. The target is an increase from 36% to 75% in a single year.

Measurable

Percentage of employees responding positively to Q6 of the Annual Employee Survey, tracked year-on-year.

Achievable

Achievable given planned manager-led integrity sessions, leadership re-induction into the ABMS, and increased communications activity in 2026.

Relevant

Employee perception of leadership integrity is a leading indicator of whether the ABMS is genuinely embedded.

Time-bound

Annual survey to be completed by Q3 2026, with results reviewed at year-end management review.

How We Measure It

Results extracted from the Annual Employee Survey platform by the HR function. Q6 responses are disaggregated by region, business unit, and seniority band. Year-on-year comparison presented at the annual management review. Regions scoring below 60% are subject to a targeted culture improvement plan.

Target

75% positive response rate on Q6 by end of 2026 (up from 36% in 2025).

Owner

Chief Compliance Officer / Chief People Officer

Action No.

Action

Owner

Due Date

Status

AP-002-01

Analyse 2025 survey results by region and function to identify lowest-scoring areas

HR / Compliance

Q1 2026

AP-002-02

Design and deploy manager-led integrity session programme for all-hands and monthly team meetings

Compliance Manager

Q1 2026

AP-002-03

Deliver ABMS re-induction programme for all managers appointed in 2025 and early 2026

CCO

Q2 2026

AP-002-04

Issue targeted internal communications reinforcing leadership integrity expectations in lowest-scoring regions

Compliance / Communications

Q2 2026

AP-002-05

Run Annual Employee Survey and extract Q6 results by region and business unit

HR

Q3 2026

AP-002-06

Present Q6 results and year-on-year comparison at year-end management review

CCO

Q4 2026

OBJ-003 Anti-Bribery Training Completion Rate

Relevant Risk

Employees who have not completed mandatory anti-bribery training may be unaware of their obligations, increasing the risk of inadvertent or deliberate bribery.

Risk Reference

Linked to Risk BR-008 — Employee Awareness and Training Gap

Scope

Global

Objective Statement

Achieve a minimum 95% completion rate for mandatory annual anti-bribery training across all in-scope employees by 31 December 2026.

SMART Breakdown

Specific

All employees in scope for mandatory anti-bribery training must complete the assigned module by the year-end deadline. A 5% tolerance accommodates planned absences, new starters, and leave.

Measurable

Percentage of in-scope employees who have completed the mandatory anti-bribery training module, tracked monthly.

Achievable

The training module is already deployed via the LMS. The objective focuses on improving completion discipline and follow-up.

Relevant

Training completion is a foundational control in the ABMS and a direct mitigant to the employee awareness risk.

Time-bound

Monthly completion rates monitored throughout the year. Final compliance measured at 31 December 2026.

How We Measure It

LMS generates a monthly completion report by business unit, region, and employee category. Non-completions are escalated to line managers at 60 days overdue, with a second escalation to the relevant GM at 90 days. Final year-end completion rate reported at Q4 management review.

Target

95% of all in-scope employees complete mandatory anti-bribery training by 31 December 2026.

Owner

Compliance Manager / HR

Action No.

Action

Owner

Due Date

Status

AP-003-01

Confirm full list of in-scope employees and synchronise with LMS enrolment data

HR / Compliance

Q1 2026

AP-003-02

Set up monthly automated LMS completion reports disaggregated by region and business unit

LMS Administrator

Q1 2026

AP-003-03

Establish escalation protocol for employees overdue at 60 and 90 days

Compliance Manager

Q1 2026

AP-003-04

Issue reminder communications at 90-day and 30-day intervals before year-end deadline

Compliance / Communications

Ongoing

AP-003-05

Report monthly completion rates to management and flag underperforming regions for intervention

CCO

Ongoing

OBJ-004 Gifts Pre-Approval vs Expense Claim Matching Rate

Relevant Risk

Employees bypassing the gifts pre-approval process by submitting expenditure through expense reimbursement systems undermines the effectiveness of the gifts and entertainment control.

Risk Reference

Linked to Risk BR-015 — Gifts and Entertainment Control Circumvention

Scope

Global

Objective Statement

Reduce mismatched government-related G&E claims — where Workday reimbursement submissions have no matching Kissflow pre-approval reference — to fewer than 5% of total submissions by year-end 2026.

SMART Breakdown

Specific

Expenditure on government-related gifts and entertainment must flow through the Kissflow pre-approval process. Claims submitted via Workday without a matching Kissflow approval reference are flagged as non-compliant.

Measurable

Percentage of Workday G&E claims with no matching Kissflow pre-approval reference, tracked quarterly through a reconciliation exercise.

Achievable

Data from both systems is already available. Matching can be performed quarterly as a manual or automated reconciliation exercise.

Relevant

Directly addresses the control effectiveness gap identified in the gifts and entertainment approval process.

Time-bound

Quarterly reconciliation. Year-end target assessed at Q4 management review.

How We Measure It

Compliance team reconciles Kissflow pre-approval data against Workday government G&E reimbursement claims quarterly. Unmatched claims are expressed as a percentage of total claims and reviewed individually. Escalation where breach is suspected.

Target

Fewer than 5% of government-related G&E Workday submissions have no matching Kissflow pre-approval reference by Q4 2026.

Owner

Compliance Manager / Finance

Action No.

Action

Owner

Due Date

Status

AP-004-01

Design and document the quarterly reconciliation process between Kissflow and Workday for G&E expenditure

Compliance / Finance

Q1 2026

AP-004-02

Make the Kissflow pre-approval reference field mandatory in the Workday G&E submission form

Systems / IT

Q1 2026

AP-004-03

Run first reconciliation covering Q4 2025 data to establish baseline mismatch rate

Compliance Manager

Q1 2026

AP-004-04

Issue guidance to all employees on the requirement to obtain Kissflow pre-approval before incurring G&E expenditure

Compliance

Q1 2026

AP-004-05

Escalate unmatched claims for individual review and take corrective action where breaches are identified

CCO

Ongoing

AP-004-06

Report quarterly mismatch rate at each management review

CCO

Ongoing

OBJ-005 Level 1 Due Diligence Report Turnaround Time

Relevant Risk

Delays in completing due diligence reports create pressure on business teams to proceed with third-party engagements before screening is complete, increasing bribery risk.

Risk Reference

Linked to Risk BR-013 — Due Diligence Process Delay and Bypass Risk

Scope

Global

Objective Statement

Reduce the average turnaround time for Level 1 due diligence reports from 15 business days to 7 business days by Q3 2026.

SMART Breakdown

Specific

Level 1 DD reports must be completed within 7 business days of the request being submitted.

Measurable

Average number of business days between DD request submission and report completion, calculated monthly from the KYC system.

Achievable

Reduction is achievable through process streamlining, API integration with screening providers, and clearer intake requirements.

Relevant

Faster turnaround reduces commercial pressure to bypass due diligence and reinforces compliance as an operational enabler.

Time-bound

Baseline measured in Q1 2026. Target of 7 business days to be achieved by Q3 2026.

How We Measure It

KYC system records the date and time of DD request submission and report completion for every case. Monthly average turnaround calculated and broken down by region and DD type. Cases exceeding 10 business days reviewed for root cause. Performance reported at each quarterly management review.

Target

Average Level 1 DD report turnaround time of 7 business days or fewer by Q3 2026.

Owner

Head of Due Diligence / Compliance Manager

Action No.

Action

Owner

Due Date

Status

AP-005-01

Audit the current Level 1 DD process to identify bottlenecks and redundant steps

Compliance Manager

Q1 2026

AP-005-02

Establish baseline average turnaround using Q4 2025 KYC system data

Compliance Manager

Q1 2026

AP-005-03

Implement standardised intake form to ensure complete information is provided at submission

Compliance

Q1 2026

AP-005-04

Explore and implement API integration with Refinitiv to automate screening data retrieval

Systems / Compliance

Q2 2026

AP-005-05

Set individual case SLAs within the KYC system with automated alerts at 5-day and 7-day thresholds

Systems

Q2 2026

AP-005-06

Report monthly average turnaround times at management reviews

CCO

Ongoing

OBJ-006 Compliance Team SLA — Response to Escalated Issues

Relevant Risk

Slow response by the compliance function to issues raised by the business creates uncertainty, erodes confidence in the programme, and may allow bribery risks to go unaddressed.

Risk Reference

Linked to Risk BR-022 — Compliance Function Responsiveness

Scope

Global

Objective Statement

Achieve 95% of Tier 1 issues responded to within 3 business days, and 100% of Tier 2 issues within 7 business days, by Q2 2026.

SMART Breakdown

Specific

Tier 1 issues (urgent / potential breach) must receive a substantive compliance response within 3 business days. Tier 2 issues (guidance, low-risk queries) within 7 business days.

Measurable

Percentage of Tier 1 and Tier 2 issues receiving a substantive response within the defined SLA windows, tracked monthly from the case management system.

Achievable

SLA tracking is achievable through the compliance case management system.

Relevant

Compliance responsiveness directly affects the willingness of the business to raise concerns — a key cultural health indicator.

Time-bound

SLA tracking commences Q1 2026. Target performance level to be achieved by Q2 2026 and maintained thereafter.

How We Measure It

Case management system records date and time of issue receipt and first substantive response for all escalations. Monthly SLA performance reports disaggregated by issue tier, region, and team member. Breaches reviewed with corrective action where systemic patterns emerge.

Target

95% of Tier 1 issues responded to within 3 business days; 100% of Tier 2 issues within 7 business days.

Owner

Chief Compliance Officer

Action No.

Action

Owner

Due Date

Status

AP-006-01

Define and document the Tier 1 / Tier 2 issue classification framework with illustrative examples

CCO

Q1 2026

AP-006-02

Configure case management system to record receipt time and trigger SLA countdown on all incoming escalations

Systems / Compliance

Q1 2026

AP-006-03

Set up automated SLA alerts to notify the responsible officer at 50% and 80% of the SLA window

Systems

Q1 2026

AP-006-04

Generate and review monthly SLA performance report at compliance team meetings

CCO

Ongoing

AP-006-05

Review SLA breaches quarterly and implement process or resource changes where patterns emerge

CCO

Ongoing

OBJ-007 Speak Up Investigation Resolution Time

Relevant Risk

Prolonged investigation timelines reduce confidence in the Speak Up mechanism, may expose the organisation to continued harm, and risk losing critical evidence.

Risk Reference

Linked to Risk BR-019 — Whistleblower Programme Effectiveness

Scope

Global

Objective Statement

Reduce the average time to close Speak Up investigations from 94 days in 2025 to 60 days by end of 2026, while maintaining investigation quality standards.

SMART Breakdown

Specific

All Speak Up investigations must be progressed actively from the date of triage approval to closure. Target average closure time is 60 calendar days.

Measurable

Average number of calendar days from triage decision to investigation closure, calculated from the NAVEX case management system quarterly.

Achievable

Reduction is achievable through a structured investigation methodology, improved investigator competency, and triage to eliminate speculative cases.

Relevant

Faster, high-quality investigations strengthen reporter confidence, reduce ongoing risk exposure, and demonstrate organisational commitment.

Time-bound

Baseline from 2025 NAVEX data. Target of 60-day average to be achieved by Q4 2026.

How We Measure It

NAVEX generates a quarterly case management report showing average days from triage decision to closure for all investigations closed in the period. Cases exceeding 90 days subject to mandatory escalation review. Reported at each management review, disaggregated by investigation type and region.

Target

Average investigation closure time of 60 calendar days by Q4 2026 (down from 94 days in 2025).

Owner

Head of Investigations / CCO

Action No.

Action

Owner

Due Date

Status

AP-007-01

Extract 2025 baseline investigation closure data from NAVEX and identify top causes of delay

Head of Investigations

Q1 2026

AP-007-02

Develop and implement a structured investigation methodology with defined milestones and stage gates

Head of Investigations

Q1 2026

AP-007-03

Implement formal triage process to filter unsubstantiated reports before formal investigation commences

Compliance / Legal

Q1 2026

AP-007-04

Configure NAVEX to flag cases exceeding 60 days for mandatory management review

Systems

Q2 2026

AP-007-05

Report average investigation closure time quarterly at management reviews

CCO

Ongoing

OBJ-008 ISO 37001 Internal Auditor Certification

Relevant Risk

Internal audits conducted by individuals without formal ISO 37001 competency may fail to identify nonconformities and give false assurance about ABMS effectiveness.

Risk Reference

Linked to Risk BR-024 — Internal Audit Competency Gap

Scope

Global

Objective Statement

Achieve 100% ISO 37001 certified internal auditor status across all members of the compliance and internal audit team responsible for ABMS audits by 31 March 2026.

SMART Breakdown

Specific

Every individual with assigned ABMS internal audit responsibilities must hold a current ISO 37001 internal auditor certification. No ABMS audit may be led by an uncertified auditor after 31 March 2026.

Measurable

Percentage of team members with assigned ABMS audit responsibilities who hold a current ISO 37001 internal auditor certification.

Achievable

The majority of the team is already certified. Remaining members are enrolled or in progress.

Relevant

Certification directly strengthens the competency and credibility of the internal audit function.

Time-bound

100% certification to be achieved by 31 March 2026.

How We Measure It

Compliance team maintains a certification register recording name, certification date, certification number, and renewal date for each team member. Register reviewed monthly and presented at Q1 2026 management review.

Target

100% of team members with ABMS audit responsibilities hold current ISO 37001 internal auditor certification by 31 March 2026.

Owner

Chief Compliance Officer

Action No.

Action

Owner

Due Date

Status

AP-008-01

Identify all team members with assigned ABMS internal audit responsibilities

CCO

Q1 2026

AP-008-02

Confirm enrolment of all uncertified team members in an accredited ISO 37001 internal auditor certification programme

CCO / HR

Q1 2026

AP-008-03

Create and maintain a certification register tracking status for all relevant team members

Compliance Manager

Q1 2026

AP-008-04

Confirm 100% certification achieved and update register accordingly

CCO

31 March 2026

AP-008-05

Establish renewal tracking to ensure certifications do not lapse

Compliance Manager

Q2 2026

OBJ-009 Manager-Led Integrity Sessions

Relevant Risk

Anti-bribery culture communicated only through formal training channels fails to embed at the team level, where day-to-day behavioural norms are set by line managers.

Risk Reference

Linked to Risk BR-021 — Anti-Bribery Culture and Tone at the Top

Scope

Global

Objective Statement

Ensure that 100% of people managers conduct at least two structured integrity sessions with their direct reports in a team setting during 2026.

SMART Breakdown

Specific

Every people manager must deliver a minimum of two integrity sessions during 2026 using a structured format and agenda provided by the compliance function.

Measurable

Number of managers who have delivered two or more integrity sessions as a percentage of the total people manager population, tracked via session completion records.

Achievable

Session materials and agenda guides will be developed and provided by the compliance team to reduce preparation burden.

Relevant

Manager-led sessions create direct, team-level dialogue about integrity — a more powerful cultural tool than formal e-learning.

Time-bound

First session by Q2 2026. Second session by Q4 2026. Compliance reported at year-end management review.

How We Measure It

Managers submit a brief session completion record — date, team, approximate attendee numbers — to HR following each integrity session. HR compiles a completion tracker updated quarterly. Results reported at each management review.

Target

100% of people managers complete two integrity sessions with their direct reports by Q4 2026.

Owner

CCO / Chief People Officer

Action No.

Action

Owner

Due Date

Status

AP-009-01

Develop structured integrity session agenda, prompt cards, and facilitation guide for managers

Compliance Manager

Q1 2026

AP-009-02

Communicate the requirement to all people managers with clear expectations and timelines

CCO / CPO

Q1 2026

AP-009-03

Create session completion submission form for managers to record delivery confirmation

HR

Q1 2026

AP-009-04

Compile and review quarterly completion tracker; follow up with non-completing managers

HR / Compliance

Ongoing

AP-009-05

Report completion rates at Q2 and Q4 management reviews

CCO

Q2, Q4 2026

OBJ-010 Due Diligence Report Quality — Error and Omission Rate

Relevant Risk

Poor quality due diligence reports — including missed findings, incorrect entity profiles, and omitted sanctions checks — provide false assurance and may allow high-risk third parties to be onboarded without appropriate scrutiny.

Risk Reference

Linked to Risk BR-014 — Due Diligence Quality Assurance

Scope

Global

Objective Statement

Reduce the error and omission rate identified in QA reviews of completed due diligence reports from 22% in 2025 to below 8% by end of 2026.

SMART Breakdown

Specific

QA reviews of a random 15% sample of completed DD reports conducted quarterly. Errors include: incorrect entity profiled, missed adverse media, incomplete sanctions checks, missing required fields.

Measurable

Percentage of reviewed DD reports containing at least one material error or omission, calculated from quarterly QA reviews.

Achievable

Reduction is achievable through improved analyst training, a standardised report template, and a mandatory peer review step.

Relevant

Report quality directly determines whether due diligence is providing genuine risk intelligence or a false paper trail.

Time-bound

Baseline from 2025 QA reviews. Quarterly tracking with year-end target of sub-8% error rate.

How We Measure It

Compliance QA lead conducts quarterly review of a random 15% sample of all DD reports. Each report is scored against a standardised checklist. Error rate calculated as percentage of reviewed reports and reported at each management review.

Target

DD report error and omission rate below 8% by Q4 2026 (down from 22% in 2025).

Owner

Head of Due Diligence

Action No.

Action

Owner

Due Date

Status

AP-010-01

Design and implement a standardised DD report template with mandatory fields and completion checklist

Head of Due Diligence

Q1 2026

AP-010-02

Introduce mandatory peer review for all Level 2 and above DD reports before finalisation

Compliance Manager

Q1 2026

AP-010-03

Deliver targeted training for DD analysts on common error types identified in 2025 QA reviews

Compliance Manager

Q1 2026

AP-010-04

Implement quarterly QA review programme covering 15% random sample of completed reports

QA Lead

Q1 2026

AP-010-05

Report error rates and trend analysis at each quarterly management review

CCO

Ongoing

OBJ-011 Annual Controls Testing Programme Completion

Relevant Risk

Controls that are documented but not regularly tested may have degraded or failed without the organisation's knowledge, creating a gap between assumed and actual ABMS effectiveness.

Risk Reference

Linked to Risk BR-025 — Control Testing and Assurance Gap

Scope

Global

Objective Statement

Complete 100% of the planned annual ABMS controls testing programme by 30 November 2026, with findings documented and corrective actions assigned within 30 days of test completion.

SMART Breakdown

Specific

All controls in the annual ABMS controls testing plan must be tested, documented, and have findings assessed within the defined timeframe.

Measurable

Percentage of planned controls tests completed by 30 November 2026, and percentage of identified findings with corrective actions assigned within 30 days.

Achievable

The controls testing plan is to be agreed in Q1 2026. Completion by 30 November allows 11 months of execution time.

Relevant

Regular, documented controls testing provides independent assurance of ABMS effectiveness and evidence of continuous improvement.

Time-bound

Full testing plan completion by 30 November 2026. Corrective action assignment within 30 days of each test.

How We Measure It

Controls testing tracker records the planned test, testing date, responsible tester, outcome, and corrective action status for each control. Reviewed monthly and presented at each management review.

Target

100% of planned controls tests completed by 30 November 2026. 100% of findings have corrective actions assigned within 30 days.

Owner

Head of Compliance Audit

Action No.

Action

Owner

Due Date

Status

AP-011-01

Develop and agree annual ABMS controls testing plan including scope, methodology, and responsible testers

Head of Compliance Audit / CCO

Q1 2026

AP-011-02

Build and maintain controls testing tracker with planned and actual test dates, outcomes, and action status

Compliance Manager

Q1 2026

AP-011-03

Schedule controls tests across Q1–Q3 2026 to avoid year-end bottleneck

Head of Compliance Audit

Q1 2026

AP-011-04

Review testing progress monthly and reallocate resources where slippage is identified

CCO

Ongoing

AP-011-05

Report testing completion rate and finding status at each management review

CCO

Ongoing

OBJ-012 ASP Due Diligence Completion Rate

Relevant Risk

Administrative Services Providers with connections to government represent a high-risk third-party category. Incomplete due diligence on this population creates direct bribery exposure.

Risk Reference

Linked to Risk BR-016 — Administrative Services Provider Bribery Risk

Scope

Regional — Africa and Asia Pacific

Objective Statement

Achieve 100% due diligence completion for all active Administrative Services Providers in Africa and Asia Pacific by Q2 2026, and maintain 100% completion for all new ASP engagements throughout the year.

SMART Breakdown

Specific

Every active ASP in Africa and Asia Pacific must have a current, completed due diligence file on record. New ASPs may not commence engagement until due diligence is fully completed.

Measurable

Percentage of active ASPs in scope with a completed and current due diligence file, as a proportion of the total ASP population in the defined regions.

Achievable

The existing ASP due diligence process is in place. The objective focuses on clearing the backlog and maintaining coverage.

Relevant

ASPs represent one of the highest-risk third-party categories given their direct interface with government.

Time-bound

Backlog cleared by Q2 2026. Ongoing 100% completion maintained for new engagements throughout the year.

How We Measure It

Compliance team maintains an ASP register for Africa and Asia Pacific recording entity name, engagement type, country, DD completion date, and renewal due date. Reviewed quarterly. Completion rate presented at each management review.

Target

100% of active ASPs in Africa and Asia Pacific have a completed, current due diligence file by Q2 2026 and throughout the year.

Owner

Regional Compliance Manager — Africa & APAC

Action No.

Action

Owner

Due Date

Status

AP-012-01

Compile complete register of all active ASPs in Africa and Asia Pacific

Regional Compliance Manager

Q1 2026

AP-012-02

Identify all ASPs with outstanding or expired due diligence and prioritise by risk level

Regional Compliance Manager

Q1 2026

AP-012-03

Complete outstanding DD for all backlog ASPs, starting with highest-risk

Due Diligence Team

Q2 2026

AP-012-04

Implement controls to prevent new ASP engagement commencing without completed DD

Compliance / Procurement

Q1 2026

AP-012-05

Review ASP register quarterly and report completion rate at management reviews

CCO

Ongoing

OBJ-013 Conflicts of Interest Declaration Rate

Relevant Risk

Undisclosed conflicts of interest among employees and managers create conditions in which bribery or corrupt decision-making may go undetected and unmanaged.

Risk Reference

Linked to Risk BR-007 — Conflicts of Interest and Undisclosed Relationships

Scope

Global

Objective Statement

Achieve a 90% annual conflicts of interest declaration completion rate across all employees in scope by 31 December 2026, and ensure 100% of declared conflicts are assessed and documented within 30 days of declaration.

SMART Breakdown

Specific

All in-scope employees must complete the annual COI declaration process. All declared conflicts must be reviewed and a documented assessment produced within 30 days.

Measurable

Declaration completion rate and percentage of declared conflicts assessed within 30 days, both tracked monthly.

Achievable

The COI declaration process is already in place. The objective sets a formal completion floor and a resolution timeline.

Relevant

Conflicts of interest management is a formal requirement under the ABMS internal control framework and a key culture indicator.

Time-bound

Annual declaration cycle closes 31 December 2026. Resolution of declared conflicts within 30 days throughout the year.

How We Measure It

COI declaration system generates a monthly completion report by employee, business unit, and region. Declared conflicts tracked in a separate register with assessment date and outcome. Both metrics reported at each management review.

Target

90% COI declaration completion rate by 31 December 2026. 100% of declared conflicts assessed within 30 days.

Owner

Chief Compliance Officer

Action No.

Action

Owner

Due Date

Status

AP-013-01

Open the annual COI declaration cycle and communicate to all in-scope employees

Compliance / HR

Q1 2026

AP-013-02

Set up monthly completion tracking report from the COI declaration system

Systems / Compliance

Q1 2026

AP-013-03

Establish a declared conflicts register and 30-day assessment workflow

Compliance Manager

Q1 2026

AP-013-04

Issue reminder communications to non-declaring employees at 60-day and 30-day intervals

Compliance

Ongoing

AP-013-05

Report declaration rate and conflict resolution performance at each management review

CCO

Ongoing

OBJ-014 Background Check Completion Before Start Date

Relevant Risk

Employees commencing employment before background checks are completed may be exposed to or create bribery risk before their suitability has been verified.

Risk Reference

Linked to Risk BR-009 — Pre-Employment Screening Gap

Scope

Global

Objective Statement

Ensure that 100% of new hires in high-risk roles and high-risk jurisdictions complete the required background screening process before their employment start date.

SMART Breakdown

Specific

No employee in a high-risk role or jurisdiction may commence employment until the required background check has been completed and results reviewed.

Measurable

Percentage of new hires in high-risk roles and jurisdictions for whom background check completion is recorded prior to start date.

Achievable

The background check process is in place. The objective tightens the requirement by making pre-commencement completion the standard.

Relevant

Pre-employment screening is a foundational ABMS control for identifying individuals who may pose a bribery or integrity risk.

Time-bound

Measured quarterly against all new hires in scope who started employment in the period.

How We Measure It

HR system records background check completion date and employee start date for all new hires in scope. Quarterly report generated comparing the two dates. Non-compliant cases flagged and subject to retrospective review. Results reported at each management review.

Target

100% of new hires in high-risk roles and jurisdictions complete background screening prior to employment start date.

Owner

Chief People Officer / CCO

Action No.

Action

Owner

Due Date

Status

AP-014-01

Define and document the list of high-risk roles and jurisdictions requiring mandatory pre-commencement background checks

HR / Compliance

Q1 2026

AP-014-02

Configure HR system to flag and hold start date processing for in-scope hires until background check is confirmed

HR Systems

Q1 2026

AP-014-03

Assess whether local provider alternatives are required where HireRight coverage is limited

CCO / HR

Q1 2026

AP-014-04

Generate quarterly report of new hires in scope and compare check completion dates to start dates

HR

Ongoing

AP-014-05

Report compliance rate at each management review and investigate any non-compliant cases

CCO

Ongoing

OBJ-015 Speak Up Awareness — Employee Survey Score (Africa)

Relevant Risk

Employees who are unaware of the Speak Up mechanism are less likely to report suspected bribery, reducing the effectiveness of one of the ABMS's most critical detection tools.

Risk Reference

Linked to Risk BR-019 — Whistleblower Programme Effectiveness

Scope

Regional — Africa

Objective Statement

Increase the percentage of employees in Africa who can correctly identify the Speak Up reporting channel in the Annual Employee Survey from 41% in 2025 to 70% by end of 2026.

SMART Breakdown

Specific

The specific survey question asking employees to identify the Speak Up reporting channel is the defined measurement instrument. Target is a 29 percentage point increase.

Measurable

Percentage of survey respondents in Africa who correctly identify NAVEX/Speak Up as the reporting channel.

Achievable

The NAVEX transition and associated relaunch communications provide a strong platform. Targeted regional campaign is planned.

Relevant

Africa is an elevated-risk region. Low awareness of the reporting mechanism in this region is a specific and material gap.

Time-bound

Annual survey results to be extracted by Q3 2026 and reviewed at year-end management review.

How We Measure It

Annual Employee Survey results for Africa extracted and filtered for the Speak Up awareness question. Percentage of correct responses calculated and compared to the 2025 baseline. Results disaggregated by country and business unit within Africa.

Target

70% of Africa-region employees correctly identify the Speak Up reporting channel by Q3 2026 Annual Employee Survey.

Owner

Regional Compliance Manager — Africa

Action No.

Action

Owner

Due Date

Status

AP-015-01

Design and deploy a targeted Speak Up awareness campaign for Africa using NAVEX launch materials

Regional Compliance Manager

Q1 2026

AP-015-02

Include NAVEX/Speak Up information in all-hands meetings, onboarding materials, and intranet pages for Africa

Regional Compliance / Communications

Q1 2026

AP-015-03

Conduct manager briefings in Africa to equip people managers to communicate Speak Up to their teams

Regional Compliance Manager

Q2 2026

AP-015-04

Run targeted mid-year pulse check in Africa to assess awareness levels before main survey

HR / Compliance

Q2 2026

AP-015-05

Extract and review Africa-region results from Annual Employee Survey

CCO

Q3 2026

OBJ-016 Management Review Input Quality and Timeliness

Relevant Risk

Management reviews conducted without complete, accurate, and timely inputs may fail to identify systemic weaknesses, leading to poor decisions and missed improvement opportunities.

Risk Reference

Linked to Risk BR-026 — Management Review Effectiveness

Scope

Global

Objective Statement

Ensure that 100% of management review input reports are submitted by designated owners no later than 10 business days before each scheduled management review meeting, for all four reviews in 2026.

SMART Breakdown

Specific

Each designated input owner must submit their report using the agreed template, covering required data points, no later than 10 business days before the review meeting.

Measurable

Percentage of required input reports submitted on time and in the required format, for each management review meeting during 2026.

Achievable

Deadline and template requirements are clearly defined and responsibility is assigned to named individuals.

Relevant

Quality and timeliness of management review inputs directly determines the quality of decisions made — a core ABMS governance control.

Time-bound

Measured at each of the four management review meetings in 2026.

How We Measure It

CCO records submission date and completeness assessment for each input report received before each management review. Late or incomplete reports recorded as non-compliant and reported as a standing agenda item at the review.

Target

100% of management review input reports submitted on time and complete for all four 2026 management reviews.

Owner

Chief Compliance Officer

Action No.

Action

Owner

Due Date

Status

AP-016-01

Confirm schedule of four management reviews for 2026 and communicate to all input owners

CCO

Q1 2026

AP-016-02

Define and distribute the standardised management review input template with required data fields

CCO

Q1 2026

AP-016-03

Set up automated deadline reminders to input owners at 20 and 10 business days before each review

Compliance Manager

Q1 2026

AP-016-04

Track and record submission compliance for each review and escalate persistent non-submission

CCO

Ongoing

OBJ-017 Bribery Risk Assessment Annual Refresh

Relevant Risk

A bribery risk assessment that is not kept current fails to reflect changes in the business environment, personnel, and operating context, creating gaps in the ABMS control framework.

Risk Reference

Linked to Risk BR-001 — Risk Assessment Currency and Accuracy

Scope

Global

Objective Statement

Complete the annual bribery risk assessment refresh by 31 March 2026, with all updated risks approved by Top Management and integrated into the ERM system by 30 April 2026.

SMART Breakdown

Specific

The full bribery risk assessment must be reviewed and updated annually. All risks must be reassessed for likelihood and impact and approved by Top Management.

Measurable

Binary: risk assessment refresh completed and approved by 31 March. ERM integration confirmed by 30 April.

Achievable

The risk assessment methodology is established and integrated with ERM. The objective sets a formal completion deadline.

Relevant

Currency of the risk assessment is foundational — all controls, objectives, and audit planning are derived from it.

Time-bound

Refresh completed by 31 March 2026. ERM integration confirmed by 30 April 2026.

How We Measure It

Completion evidenced by the signed and dated risk assessment document approved by Top Management, the updated ERM register entry, and management review minutes. Evidence filed in the ABMS document management system.

Target

Annual bribery risk assessment refresh completed and approved by 31 March 2026. ERM integration confirmed by 30 April 2026.

Owner

Chief Compliance Officer

Action No.

Action

Owner

Due Date

Status

AP-017-01

Initiate risk assessment refresh including interviews with key risk owners across business units

Compliance Manager

January 2026

AP-017-02

Update risk register to reflect new risks and changes in likelihood, impact, and business environment

Compliance Manager

February 2026

AP-017-03

Present refreshed risk assessment to Top Management for review and formal approval

CCO

March 2026

AP-017-04

Integrate updated risk ratings and risk owners into the ERM system

Compliance / ERM

April 2026

AP-017-05

File approved risk assessment and integration confirmation in the ABMS document management system

Compliance Manager

April 2026

OBJ-018 Internal Audit Corrective Action Closure Rate

Relevant Risk

Corrective actions from internal audit findings that are not closed on time indicate systemic non-compliance and allow identified ABMS weaknesses to persist.

Risk Reference

Linked to Risk BR-025 — Control Testing and Assurance Gap

Scope

Global

Objective Statement

Achieve a corrective action closure rate of 90% within the agreed timeframe for all findings raised in ABMS internal audits conducted during 2026.

SMART Breakdown

Specific

All corrective actions arising from ABMS internal audit findings must be closed within the agreed timeframe with documented evidence of implementation.

Measurable

Percentage of corrective actions closed on time with documented evidence, as a proportion of all corrective actions raised in 2026.

Achievable

Corrective action tracking is managed through the internal audit management system. The 90% target allows reasonable exceptions while maintaining accountability.

Relevant

On-time closure of corrective actions is a direct measure of the organisation's responsiveness to identified ABMS weaknesses.

Time-bound

Measured quarterly. Year-end target: 90% closed on time.

How We Measure It

Internal audit management system tracks all corrective actions raised, agreed response dates, actual closure dates, and closure evidence. Actions overdue by more than 30 days escalated to the CCO. Year-end closure rate reported at Q4 management review.

Target

90% of internal audit corrective actions closed within agreed timeframes by Q4 2026.

Owner

Head of Compliance Audit / CCO

Action No.

Action

Owner

Due Date

Status

AP-018-01

Confirm all corrective actions from 2025 audits are logged with agreed closure dates

Head of Compliance Audit

Q1 2026

AP-018-02

Set up quarterly corrective action status report showing open, overdue, and closed items

Audit Management System Admin

Q1 2026

AP-018-03

Implement 30-day overdue escalation protocol to CCO for unresolved corrective actions

CCO

Q1 2026

AP-018-04

Review corrective action closure performance at each quarterly management review

CCO

Ongoing

OBJ-019 Anti-Bribery Culture Improvement — Papua New Guinea

Relevant Risk

Papua New Guinea is a high-risk operating jurisdiction. A compliance culture that is not actively managed and measured in this market increases the risk of bribery occurring or going unreported.

Risk Reference

Linked to Risk BR-021 — Anti-Bribery Culture and Tone at the Top / BR-017 — High-Risk Jurisdiction Exposure

Scope

Local — Papua New Guinea

Objective Statement

Improve the overall compliance culture score for Papua New Guinea in the Annual Employee Survey from 52% in 2025 to 72% by end of 2026.

SMART Breakdown

Specific

The culture score for PNG is the average positive response rate across designated culture-related questions in the Annual Employee Survey. Target is a 20-point improvement.

Measurable

Average positive response rate across culture questions in the Annual Employee Survey for PNG respondents, compared year-on-year.

Achievable

A targeted programme of manager-led integrity sessions, local compliance communications, and an active Speak Up relaunch provides a credible basis.

Relevant

PNG is a high-risk market where culture quality is a first-line defence against bribery.

Time-bound

Annual survey results by Q3 2026.

How We Measure It

Annual Employee Survey results for PNG extracted and average positive response rate across culture questions calculated. Results compared to 2025 baseline of 52% and disaggregated by team and location within PNG.

Target

PNG compliance culture score of 72% by Q3 2026 Annual Employee Survey (up from 52% in 2025).

Owner

PNG Country Manager / Regional Compliance Manager

Action No.

Action

Owner

Due Date

Status

AP-019-01

Conduct a diagnostic review of compliance culture in PNG including focus groups and manager interviews

Regional Compliance Manager

Q1 2026

AP-019-02

Design and deliver a targeted compliance awareness programme for PNG

Regional Compliance Manager

Q1 2026

AP-019-03

Ensure all PNG managers are re-inducted into the ABMS and briefed on their cultural accountability

CCO / PNG Country Manager

Q2 2026

AP-019-04

Deploy Speak Up relaunch communications specifically targeting the PNG workforce

Regional Compliance

Q1 2026

AP-019-05

Run Annual Employee Survey in PNG and extract culture question scores

HR

Q3 2026

AP-019-06

Report PNG culture score and year-on-year comparison at year-end management review

CCO

Q4 2026

OBJ-020 Sanctions Screening Coverage Rate

Relevant Risk

Failure to conduct sanctions screening across the full population of relevant counterparties creates legal and reputational exposure and undermines the completeness of the ABMS due diligence framework.

Risk Reference

Linked to Risk BR-011 — Sanctions and Financial Crime Risk

Scope

Global

Objective Statement

Achieve a sanctions screening coverage rate of 100% across all in-scope counterparty categories by Q3 2026.

SMART Breakdown

Specific

All employees (pre-employment), new third parties (pre-engagement), and existing high-risk and medium-risk third parties (annual rescreening) must have a current screening record.

Measurable

Percentage of in-scope counterparties with a current, completed sanctions screening record, calculated quarterly from the screening system.

Achievable

Screening tools and processes are in place. The objective focuses on ensuring complete coverage and up-to-date rescreening records.

Relevant

Sanctions screening sits at the intersection of ABMS and financial crime compliance obligations.

Time-bound

100% coverage to be achieved by Q3 2026 and maintained through year-end.

How We Measure It

Screening system generates a quarterly coverage report for each counterparty category, showing total in-scope population, number with a current record, and those overdue for rescreening. Reported at each management review.

Target

100% sanctions screening coverage rate across all in-scope counterparty categories by Q3 2026.

Owner

Head of Due Diligence / CCO

Action No.

Action

Owner

Due Date

Status

AP-020-01

Define and document the in-scope counterparty population by category and risk tier

Compliance Manager

Q1 2026

AP-020-02

Establish rescreening frequency requirements and configure system to flag overdue records

Systems / Compliance

Q1 2026

AP-020-03

Generate baseline coverage report and identify all counterparties with missing or expired records

Due Diligence Team

Q1 2026

AP-020-04

Complete screening for all backlog cases, prioritised by risk level

Due Diligence Team

Q2 2026

AP-020-05

Report quarterly coverage rate at management reviews and address gaps within 30 days

CCO

Ongoing

OBJ-021 Reduction in G&E Policy Breach Rate — India

Relevant Risk

A pattern of gifts and entertainment policy breaches indicates cultural non-compliance and creates direct bribery risk, particularly in government-facing markets.

Risk Reference

Linked to Risk BR-015 — Gifts and Entertainment Control Circumvention

Scope

Local — India

Objective Statement

Reduce the rate of government-related G&E policy breaches in India from 18 per quarter in Q4 2025 to fewer than 4 per quarter by Q4 2026.

SMART Breakdown

Specific

A G&E policy breach is any instance where G&E expenditure was incurred without a valid prior approval on record in the Kissflow system. India business unit is the specific scope.

Measurable

Number of G&E policy breaches identified per quarter in India, measured through the quarterly Kissflow/Workday reconciliation.

Achievable

Reduction achievable through targeted training, mandatory system controls, and visible disciplinary follow-through.

Relevant

India is a market where G&E-related bribery risk is elevated. A high breach rate is a specific and material control failure.

Time-bound

Quarterly measurement. Target of fewer than 4 breaches per quarter by Q4 2026.

How We Measure It

Quarterly Kissflow/Workday reconciliation for India identifies all G&E expenditure claims with no matching prior approval. Number of breaches per quarter tracked and trended. Each breach followed up individually. Reported at each management review.

Target

Fewer than 4 G&E policy breaches per quarter in India by Q4 2026 (down from 18 in Q4 2025).

Owner

India Country Compliance Manager / CCO

Action No.

Action

Owner

Due Date

Status

AP-021-01

Deliver targeted G&E policy training to all India employees focusing on the prior approval requirement

India Compliance Manager

Q1 2026

AP-021-02

Make Kissflow pre-approval reference mandatory in the Workday G&E submission form for India users

Systems / IT

Q1 2026

AP-021-03

Run Q1 2026 reconciliation to establish updated baseline breach rate

India Compliance Manager

Q1 2026

AP-021-04

Implement visible disciplinary follow-through process for identified breaches

India Country Manager / HR

Q1 2026

AP-021-05

Report quarterly breach rate at management reviews

CCO

Ongoing

OBJ-022 Investigation Quality — Annual Audit of Investigation Reports

Relevant Risk

Poorly conducted or insufficiently documented investigations may fail to identify the true cause or extent of a bribery concern, and may expose the organisation to legal challenge.

Risk Reference

Linked to Risk BR-020 — Investigation Quality and Consistency

Scope

Global

Objective Statement

Achieve a minimum average quality score of 80% across all ABMS investigations completed in 2026, as assessed through an annual independent quality audit.

SMART Breakdown

Specific

An independent quality audit of a random 30% sample of all ABMS investigation reports completed in 2026 is conducted annually using a standardised quality assessment rubric.

Measurable

Average quality score across audited investigation reports, expressed as a percentage of the maximum possible score on the rubric.

Achievable

Achievable with implementation of a standardised investigation methodology, investigator competency framework, and quality review before case closure.

Relevant

Investigation quality is a direct measure of whether the organisation is capable of detecting and responding to bribery.

Time-bound

Quality audit of 2026 investigations to be completed by Q1 2027 and reported at the Q1 2027 management review.

How We Measure It

An independent reviewer conducts an annual audit of a random 30% sample of investigation reports. Each report scored against a standardised rubric covering: triage documentation, investigation plan, evidence collection, interviews, findings analysis, and corrective action. Average score calculated.

Target

Average investigation quality score of 80% or above across the audited sample for 2026 investigations.

Owner

Head of Investigations / CCO

Action No.

Action

Owner

Due Date

Status

AP-022-01

Develop standardised investigation quality assessment rubric covering all stages of the investigation process

Head of Investigations

Q1 2026

AP-022-02

Implement structured investigation methodology with defined milestones for all ABMS investigations

Head of Investigations

Q1 2026

AP-022-03

Introduce mandatory senior review and sign-off before investigation cases are closed

CCO

Q1 2026

AP-022-04

Conduct annual independent quality audit of 30% sample of 2026 investigation reports

QA Lead / External Specialist

Q1 2027

AP-022-05

Report quality audit results at Q1 2027 management review

CCO

Q1 2027

OBJ-023 Business Associate Code of Conduct Acknowledgment

Relevant Risk

Business associates who have not formally acknowledged the organisation's anti-bribery expectations are not contractually or culturally bound by the ABMS standards the organisation is required to enforce.

Risk Reference

Linked to Risk BR-012 — Third Party Bribery Risk

Scope

Global

Objective Statement

Achieve 100% signed acknowledgment of the Anti-Bribery Code of Conduct by all active high-risk and medium-risk business associates by 30 June 2026, and for all new business associates before commencement of engagement.

SMART Breakdown

Specific

Every active business associate in the high-risk and medium-risk categories must have a signed and dated Code of Conduct acknowledgment on file.

Measurable

Percentage of in-scope active business associates with a signed acknowledgment on file, as a proportion of the total high-risk and medium-risk population.

Achievable

The Code of Conduct and acknowledgment process are in place. The objective focuses on achieving complete documented coverage.

Relevant

Formal acknowledgment creates a clear record of third-party awareness of and commitment to the organisation's anti-bribery standards.

Time-bound

Backlog cleared by 30 June 2026. Ongoing 100% for new engagements from Q1 2026.

How We Measure It

Compliance team maintains a business associate acknowledgment register recording entity name, risk classification, acknowledgment date, and document reference. Reviewed quarterly. Completion rate reported at each management review. New engagements checked against register before approval.

Target

100% of active high-risk and medium-risk business associates have a signed Code of Conduct acknowledgment by 30 June 2026.

Owner

Head of Due Diligence / CCO

Action No.

Action

Owner

Due Date

Status

AP-023-01

Compile the full list of active business associates classified as high-risk or medium-risk

Compliance Manager

Q1 2026

AP-023-02

Identify business associates without a signed acknowledgment and prioritise outreach by risk level

Compliance Manager

Q1 2026

AP-023-03

Issue Anti-Bribery Code of Conduct and acknowledgment request to all outstanding business associates

Due Diligence Team

Q1–Q2 2026

AP-023-04

Implement a control to block new business associate approval where signed acknowledgment is not on file

Compliance / Procurement

Q1 2026

AP-023-05

Report quarterly acknowledgment coverage rate at management reviews

CCO

Ongoing

OBJ-024 Top Management ABMS Training Completion

Relevant Risk

Members of Top Management who are not adequately trained on the ABMS may fail to discharge their leadership and oversight responsibilities under ISO 37001, weakening governance at the highest level.

Risk Reference

Linked to Risk BR-021 — Anti-Bribery Culture and Tone at the Top

Scope

Global

Objective Statement

Achieve 100% completion of a tailored ABMS awareness and responsibilities briefing by all members of Top Management by 30 June 2026.

SMART Breakdown

Specific

Every member of Top Management must complete a tailored ABMS briefing covering their specific responsibilities under ISO 37001. Generic e-learning does not satisfy this requirement.

Measurable

Percentage of Top Management members who have completed the tailored ABMS briefing, as a proportion of the total Top Management population.

Achievable

Given the relatively small population of Top Management, 100% completion is achievable within the defined timeframe.

Relevant

Top Management has specific and non-delegable responsibilities under the ABMS. Adequate briefing is both a Standard requirement and a prerequisite for effective governance.

Time-bound

100% completion by 30 June 2026. New members appointed after this date must complete within 60 days of appointment.

How We Measure It

Compliance team maintains an attendance register recording each participant's name, role, and date of completion. Evidence filed in the ABMS document management system. Completion rate reported at Q2 2026 management review.

Target

100% of Top Management complete the tailored ABMS briefing by 30 June 2026. New appointments complete within 60 days of joining.

Owner

Chief Compliance Officer

Action No.

Action

Owner

Due Date

Status

AP-024-01

Develop a tailored ABMS briefing for Top Management covering their specific responsibilities under ISO 37001

CCO

Q1 2026

AP-024-02

Schedule and deliver the ABMS briefing for all current members of Top Management

CCO

Q1–Q2 2026

AP-024-03

Compile and maintain a Top Management briefing completion register

Compliance Manager

Q1 2026

AP-024-04

Establish protocol for briefing new Top Management appointments within 60 days of joining

CCO / HR

Q1 2026

AP-024-05

Report 100% completion at Q2 2026 management review and track ongoing compliance for new appointments

CCO

Q2 2026 and Ongoing

OBJ-025 Anti-Bribery Training Comprehension Score

Relevant Risk

Employees who complete mandatory anti-bribery training but do not understand the content remain unequipped to recognise and avoid bribery, providing false assurance through completion rates alone.

Risk Reference

Linked to Risk BR-008 — Employee Awareness and Training Gap

Scope

Global

Objective Statement

Achieve an average post-training assessment score of 80% or above across all employees completing the mandatory annual anti-bribery training module by 31 December 2026, with a pass mark of 70% required for individual completion to be recorded as compliant.

SMART Breakdown

Specific

The mandatory annual anti-bribery training module must include a post-completion assessment. A score of 70% is the minimum pass mark for an individual completion to count as compliant. Organisational average target is 80%.

Measurable

Average post-assessment score across all completions, and percentage of completions achieving the 70% pass mark, extracted from the LMS monthly.

Achievable

Assessment questions are already incorporated in the training module. The targets are challenging but consistent with an organisation with established ABMS awareness.

Relevant

Comprehension scores measure whether training is genuinely effective, not merely completed — a materially stronger indicator than completion rates alone.

Time-bound

Monthly LMS data. Year-end averages assessed at Q4 management review.

How We Measure It

LMS extracts monthly reports showing the distribution of post-assessment scores. Overall average score and percentage achieving 70% or above are the two key metrics. Employees failing the assessment must retake within 30 days. Regions with average below 70% subject to targeted awareness intervention.

Target

Average post-training assessment score of 80% or above by Q4 2026. Minimum 70% pass mark achieved by 95% of completions.

Owner

Compliance Manager / HR

Action No.

Action

Owner

Due Date

Status

AP-025-01

Review and update the post-training assessment to accurately test understanding of key ABMS concepts

Compliance Manager

Q1 2026

AP-025-02

Configure LMS to record individual assessment scores and flag fails for mandatory retake within 30 days

LMS Administrator

Q1 2026

AP-025-03

Generate monthly LMS report showing average scores and pass rate by region and business unit

LMS Administrator

Q1 2026

AP-025-04

Identify and implement targeted awareness interventions in regions consistently scoring below 70%

Compliance Manager

Ongoing

AP-025-05

Report average comprehension scores and pass rates at each quarterly management review alongside completion rates

CCO

Ongoing