
Components & Requirements

The ICMS Components and Requirements

INTEGRITY COMPLIANCE MANAGEMENT SYSTEM

Integrity Policy and Code of Conduct

Component 1

The Integrity Policy (IP) and Code of Conduct (CoC) 

It formalises the company’s commitment to the highest integrity standards, the adoption of the ICMS, and specific probity and conduct expectations for its personnel, among others.

  • R1
    Establish an IP that covers the five core elements of the Sample IP
  • R2
    Establish a CoC that covers the 11 core elements of the Sample CoC

    Explanatory Note for R1 and R2:

    • The company may choose to:
      • establish its IP and CoC as separate documents, or integrate them into a single document; or
      • incorporate the 16 core elements (i.e. the five core elements of the sample IP and the 11 core elements of the sample CoC) across various corporate documents (e.g. policies, guidelines) under different titles.
    • The company may express the 16 core elements in its own language, with reference to the Sample IP and Sample CoC.
  • R3
    Communicate the integrity standards and requirements in the IP and CoC to directors and staff (as well as external stakeholders such as business partners, associates, suppliers, etc. where applicable) regularly through appropriate channels

    Explanatory Note for R3:

    • The company may select suitable channels / methods to regularly communicate the integrity standards and requirements to directors and staff. Examples include circulating the integrity standards and requirements to directors and staff, requiring acknowledgement of receipt and understanding of the IP and CoC, organising workshops on the integrity requirements, and publishing newsletters to outline the integrity standards.
    • Where relevant, communication may also be extended to stakeholders (e.g. publicly disclosing the IP / CoC or key integrity standards and requirements on the corporate website), depending on the company’s operational context and stakeholder relationships.

Integrity Capacity & Culture Building

Component 2

Integrity Capacity and Culture Building

It strengthens directors' and staff's knowledge through regular training, reinforcing their ethical conduct and the ICMS implementation. Combined with probity initiatives, it fosters a culture of integrity and promotes collaboration with government, law enforcement agencies (LEAs) such as the ICAC, regulators, business counterparts and other external parties to drive widespread adoption of integrity practices and uplift corporate governance across the private sector.

  • R4
    Provide regular integrity training for directors and staff based on their integrity risk exposure (including (i) training for directors, (ii) probity training for all staff, and (iii) thematic training for staff exposed to high corruption risks), and maintain records of all the training conducted

    Explanatory Note for R4:

    The company may determine the frequency, duration, format and content of the three types of training based on its integrity risk assessment (Component 3 below).

  • R5
    Cultivate an integrity culture by embedding ethical values into the corporate DNA through diverse and sustained efforts

    Explanatory Note for R5:

    The company may foster an integrity culture by implementing appropriate initiatives within one or more of the seven suggested dimensions. These dimensions are provided as guidance, whilst the scope and methods of the initiatives should be tailored to the company’s operational context and the existing culture.

    Seven suggested dimensions:

    • leadership commitment (e.g. setting the right tone from the top regarding the commitment to implement the IP / CoC),
    • transparency (e.g. publicly disclosing the IP / CoC or key integrity standards and requirements on the corporate website),
    • accountability (e.g. defining roles and responsibilities in implementing the ICMS in the IP / CoC),
    • capacity building (e.g. providing regular integrity training to directors and staff),
    • communication (e.g. staff suggestion schemes, ethics hotlines, integrity video series),
    • engagement (e.g. organising integrity workshops or sharing sessions), and
    • incentives (e.g. factoring integrity performance into promotion decisions).
  • R6
    Engage external stakeholders (e.g. government departments, regulatory authorities, law enforcement agencies (LEAs), industry peers, business counterparts) to advance collective action in preventing and combating corruption

    Explanatory Note for R6:

    • The company may engage two major categories of external stakeholders, namely (i) government / regulatory authorities / LEAs (e.g. the ICAC), and (ii) industry peers / business counterparts, through appropriate channels such as relevant public‑private partnerships, collaborative capacity building programmes, publicity campaigns, industry forums or initiatives, and joint research projects.
    • The scope and methods of engagement should be tailored to the company’s operational context and the nature of its stakeholder relationships.

Integrity Risk Management

Component 3

Integrity Risk Management

It identifies and assesses integrity risks at functional and procedural levels through structured assessments, highlighting the need for risk-mitigation control measures. Risk assessment outcomes and risk indicators inform the frequency of integrity training and aid in detecting corruption.

  • R7
    Identify and prioritise functional / business areas with material integrity risks (e.g. procurement) (i.e. functional integrity risk assessment)
  • R8
    Assess the integrity risks of work processes within the material-risk functional / business area(s) identified in R7, and devise risk-mitigation control measures (i.e. procedural integrity risk assessment)
  • R9
    Monitor the implementation of the risk-mitigation control measures to ensure continuous improvement

    Explanatory Note for R7, R8 and R9:

    The company may develop its own methodology (or adopt its existing risk management framework) for managing integrity risks taking into account its operational needs and sector-specific risk factors.

Corruption Detection and Reporting Mechanism

Component 4

Corruption Detection and Reporting Mechanism (CDRM)

It employs diverse methods to facilitate the discovery of irregularities (including corruption) and provides reporting channels facilitating prompt reporting of corruption to the ICAC and other criminal offences to other LEAs.

  • R10
    Devise measures for detecting corruption in the company's daily operations, including (i) detective controls, (ii) audits, and (iii) whistleblowing mechanisms

    Explanatory Note for R10:

    The company may adopt a range of measures to detect corruption in daily operations, taking into account its available resources and integrity risk assessment (see Component 3 above), including (i) detective controls (e.g. transaction monitoring, system access controls, exception reporting), (ii) internal or external audits, and (iii) whistleblowing mechanisms (e.g. hotlines, dedicated email addresses, online reporting portals).

  • R11
    Establish a corruption reporting policy or enhance its whistleblowing policy by covering the nine core elements of the Sample Corruption Reporting Policy

    Explanatory Note for R11:

    The company may express the core elements in its policy in its own language, with reference to the provided Sample.

  • R12
    Implement the CDRM covering detection of corruption and handling of all reports in a timely manner and in confidence (including promptly reporting allegations or suspicion of bribery, corruption, fraud, deception, or other illegal activities to the ICAC or other LEAs as appropriate)

    Explanatory Note for R12:

    The company may select suitable channels / methods to communicate the operation of the CDRM to directors and staff (and external stakeholders when applicable), designate personnel to handle the irregularities detected, assess reports, and take appropriate follow-up actions (e.g. reporting corruption to the ICAC), and establish arrangements to monitor the CDRM’s ongoing operation.

ICMS Audit

Component 5

The ICMS Audit

It independently evaluates the compliance and effectiveness of the above four ICMS components, collects feedback, and identifies areas for continuous improvement.

  • R13
    Conduct periodic audits / reviews of the company's ICMS, covering all the four preceding components
  • R14
    Implement the recommendations arising from the audits / reviews for remediation of identified gaps and system enhancements
  • R15
    Monitor the implementation of the recommendations to ensure continuous improvement

    Explanatory Note for R13, R14 and R15:

    The company may determine the schedule for the ICMS audits / reviews, and leverage established internal audit frameworks / existing compliance procedures for conducting the audits / reviews. For example, the company may audit / review the implementation of Component 3 “Integrity Risk Management” as part of its existing risk assessment cycle.