We want employees to demonstrate exemplary conduct in all their business interactions because they feel personally connected to, and accountable for, our reputation. Creating this culture requires a robust risk and compliance programme.
Risk management, internal control, and compliance and ethics are all led by a central team, managed by our Global Risk and Compliance Director, who reports to the Group Finance Controller and directly to the Audit Committee on all control, compliance and ethics matters.
Our global team develops the strategy, methodology and core materials to support the implementation of our risk agenda and the control, compliance and ethics programme in our markets and functions.
The Diageo Executive Committee oversees these programmes through the Audit and Risk Committee, with an agenda covering the three pillars of risk, internal controls, and compliance and ethics. Markets determine how best to implement the programme, based on their local assessment of risk and what will work for their employees, in the context of local and international laws and regulations.
Our global programme aims to create an exemplary compliance environment, and an ethical framework to ensure that Diageo always does business with integrity. Our framework includes:
Organisational leadership and culture
Our leaders and managers are at the front line in engaging our people in our Code and policies and in helping them to make the right decisions. We have developed specific training for our general managers and people managers, designed to give them an opportunity to share experiences with their colleagues and to understand their responsibility for risk, controls and compliance. This will help them lead their teams in a way that sets a clear tone from the top and act as role models to employees in remaining faithful to our purpose and values.
Standards and procedures
To ensure our global policies are relevant and up to date, we review them at least once a year and check they are accessible and available to all so that employees understand what is expected of them. We work with a team of subject matter experts to manage the policies and standards, and offer support and advice to our markets to help them embed these effectively. See our Codes and policies section.
Working with our business partners
We're committed to establishing good working relationships with our partners and ensuring that they adhere appropriately to our principles. We have comprehensive programmes to manage various potential risks posed by our business partners. These include anti-money laundering checks, our 'Know Your Business Partner' anti-corruption due diligence programme, credit risk assessments, and our Partnering with Suppliers programme. As our business expands through mergers and acquisitions, it is important to ensure that we embed our principles in new business units, and we are consistent in our approach to non-compliance issues.
Good risk management drives better commercial decisions, creating a growing, resilient and sustainable business. Our risk management global standard requires all markets and functions to perform two risk assessments at least annually. The first is a general assessment of business risk, covering the operational, financial and reputational risks of running the local business. The second is a compliance risk assessment, covering risks concerning human rights, bribery and corruption, anti-money laundering and all other relevant laws and regulations, as well as our own Code, policies and standards; it also confirms that mitigation plans for the most significant risks have been established. Markets are then responsible for reviewing their risk assessments and progress against the mitigation plans at their local risk management committee meetings.
Annual certificate of compliance
The annual certificate of compliance (ACC) is an important measure of the effectiveness of our compliance and ethics programme. It includes questions that are designed to confirm that managers have fulfilled their duties with regard to compliance, and have read and understood our Code and the global policies most important to their roles. It requires people managers to confirm that they have had conversations with their direct reports about our Code, and about the policies that are most important to their respective roles.
Training and communications
We have a global framework for compliance training which is tailored by markets to best meet their specific needs. When an employee joins Diageo, he or she must, within 30 days, complete training about our Code, which covers key areas including human rights and anti-corruption, and explains how to report breaches and where to get help and advice. Each market has a training plan covering our key policies, which they deliver through locally organised, risk-based training. We encourage training to be brought to life through workshops, tailored training sessions and communications. We've also been giving further training to controls, compliance, and ethics managers and 'ambassadors' on the necessary function-specific and leadership capabilities for their roles.
Monitoring, auditing, and reporting
Our business units provide regular updates to our global risk and compliance team, which monitors adherence to our risk and compliance programme. Significant concerns are reported quarterly to our Executive and Audit Committees.
In addition, our internal audit team provides independent assurance of local adherence to our programme, as well as of how well risks are being managed. They also report quarterly to our Executive and Audit Committees. We expect anyone who comes across a breach of our Code to report it promptly, either to their manager, or to a member of the controls, compliance and ethics, human resources or legal teams, or through SpeakUp, our confidential whistleblowing service. Suppliers can also use SpeakUp to raise concerns with us.
Reported breaches are recorded on a central database, and overall statistics and significant matters are then reported quarterly in summary format to our Executive and Audit Committees. The database also allows us to identify business or policy areas that may need specific training or other interventions. To help employees be better prepared to avoid breaches by learning from others' mistakes, we routinely share examples of breaches that have recently occurred.
Controls assurance and risk management 'CARM'
Our internal control environment evolves continually to keep pace with a changing business and regulatory landscape. CARM is our internal control programme, through which we assess, test and report on the effectiveness of internal controls across the company. This enables us to meet our obligations under the Sarbanes-Oxley Act and the 2013 COSO Internal Control-Integrated Framework.
The CARM risk and control framework brings together all aspects of risk, ranging from financial to operational to reputational risk. All markets and functions are required to understand their risks and reflect them through their control activities, to certify annually whether their internal controls are operating effectively, and to remediate any weaknesses quickly.
Response to breaches, enforcement, and continuous improvement
All identified breaches of our Code and policies are taken very seriously, and investigated appropriately where action is required. Our response to proven breaches varies depending on the severity of the matter. Wherever possible, we look to improve our culture through training, coaching, and performance and talent management processes.
However, there are also disciplinary consequences of breaches of our Code or policies. Any actions by employees that violate certain aspects, for example our provisions on responsible drinking, could result in the termination of their contract. Further details about breaches and our response can be found in our Annual Report.