Compliance in Nammo is led by the Chief Compliance Officer (CCO), who is responsible for the design and implementation of the Compliance Program. This includes the design, planning and monitoring of the anti-bribery and corruption (ABC) communication and training.
Responsibility and Reporting
The CCO reports operationally to the SVP Legal and Compliance. The CCO meets with the Chief Executive Officer (CEO) at least quarterly to present and review the status of activities and to discuss strategic and operational topics. The CCO presents the status of compliance activities to the Group Management on a regular basis, and to the Board of Directors once every year, or more frequently if needed.
Compliance matters can be reported directly to the CEO if needed, and directly to the Board of Directors on special occasions. They are also part of the monthly reports at Group level and to the Board of Directors.
The Compliance Mandate is divided into three areas based on the Group’s risk assessment: Anti-bribery and corruption, Export and trade regulations and Responsible business and sustainability. These are the foundation of the Group Compliance Program.
Tone from the top
To a large extent, compliance begins with the Board of Directors and the Group Management setting the proper tone for the rest of the company. Managers and employees take their cues from corporate leaders. To ensure that such high-level commitment is reinforced and implemented by middle managers and throughout the rest of the organization, the commitment of the top leaders is vital for Nammo. Further, a strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, the Company’s senior managers shall inspire middle managers to reinforce those standards, and the middle managers shall encourage employees to strive to attain those standards throughout the organization. A culture of transparency, in which employees shall be encouraged to speak up and report any misconduct, is also vital for Nammo.
The Group Management shall regularly communicate throughout the global organization the importance of conducting business responsibly, provide guidance, and emphasize Nammo’s strong commitment to compliance and ethical behavior and the company’s policy of zero tolerance of corruption.
It is the responsibility of the CCO to secure the implementation, monitoring and improvement of the Compliance Program.
The Board of Directors is responsible for the governance and oversight of the Compliance Program. The Board of Directors shall review and evaluate the Program at least annually.
The Chief Executive Officer (CEO) is accountable to the Board of Directors for ensuring implementation and management of Nammo´s Compliance Program. Specifically, this includes ensuring that a compliance culture is promoted within Nammo and that its employees adhere to policies and directives.
The Site Managers are responsible for ensuring effective implementation and maintenance of the Compliance Program within their respective units and that the employees adhere to the associated systems and guidelines. Site Managers, in consultation with the CCO, are responsible for ensuring that adequate resources are allocated for effective accomplishment of the Compliance Program.
Site Managers are also responsible for the regular reporting of the status of controls, compliance breaches and their improvement to the CCO.
Each employee of Nammo has the responsibility to ensure that their activities on behalf of Nammo comply with all applicable laws and regulations as well as with Nammo’s policies and procedures.
Policies and Procedures
Nammo’s Ethical Code of Conduct is a cornerstone upon which the Compliance Program is built. The Code concerns all Nammo Group employees, as well as members of the Board of Directors of Nammo and its subsidiaries and any third party acting on behalf of the company. The Code is under revision and a new version is expected in early 2020.
The Anti-Corruption Manual is also under revision and will be merged into the future new version of the Ethical Code of Conduct. The reporting procedure described in the Anti-Corruption Manual has been updated to align with the new procedure to raise concerns in Nammo, as described below under "Allegations and Investigations."
The Group’s corporate governance framework, the Nammo Management System, covers all steering documents such as the directives, procedures and instructions at Group level. These documents are periodically reviewed and, as appropriate, updated to effectively mitigate compliance risks.
Through the Nammo Management System, the Group has a formalized annual process for risk management. The risk assessment process and the evaluation of the steering documents are continuous throughout the year, and the status is reported to the Board of Directors on a regular basis, at least once a year. The Group CEO conducts quarterly individual business review meetings with the business units. These meetings are a vehicle for scrutiny of the business units’ performance. Risk assessment is one of the significant items addressed in these meetings, and some areas are mandatory, such as compliance, financial, health/environment/security & safety, human resources, operational, reputational and corruption risks.
High-risk Market Evaluation
On a case-by-case basis, before responding to requests for quotations from medium- and high-risk countries, the sales and marketing organization shall follow an internal risk evaluation procedure addressing in particular product, user, end-user, human rights, country, trade and corruption risks. A separate risk evaluation team from the corporate level of the Group will evaluate the final risk according to a defined process before any conclusion to proceed.
Training and Communication
In the Nammo Group all subsidiaries are responsible for educating and training their local employees. Within the compliance program, the ethics and anti-bribery and corruption training, along with regulatory trade training, are subjects handled at corporate level. Nammo has established three annual rolling training programs to mitigate corruption risk.
- E-learning to raise awareness on ethics and IT security. A new exercise is distributed every month, in their local language, to all employees who have access to company computers. It reaches around 1750 employees out of 2400. Employees without access to company computers are to receive their training from their immediate manager. The e-learning exercises are a requirement for all external sales representatives and the external board members. A monthly report keeps track of the completion level and encourages the managers to follow up with their employees. An annual survey at the end of the year confirms that the awareness program was highly appreciated among the employees, and the overall completion rate stands at around 88%. Topics covered included the following:
  - Nammo Ethical Code of Conduct – annual sign off
  - CEO Fraud and False Internal e-mails (information security)
  - Gifts and Invitations
  - Ransomware - What is it? (information security)
  - Our Supply Chain
  - Traveling on Behalf of Nammo
  - The Address Behind The Link (information security)
  - Corruption and Bribery
  - Impartiality and Conflicts of Interest
  - Info.Sec.Month 2019 (1/2) - Incidents Happen - How do we react?
  - Info.Sec.Month 2019 (2/2) - Information Security At Your Department
  - Professional Secrecy in Confidential Matters
  - Managing Bullying and Harassment
  - Post Survey Evaluation
- Dilemma training is a workshop for teams of middle management employees in high-risk positions. It is also a requirement within the 100 Day Program for newly acquired companies. Four high-risk teams had the dilemma training in 2018. The Dilemma training will become an annual requirement for all employees in high-risk positions from 2020, including all management teams. Nammo has developed an in-house Dilemma Bank with around 30 different dilemmas covering areas of culture, finance, business ethics, procurement and personal conduct.
- Red Flag Fraud awareness training is a tailor-made training for the administration and middle management at each subsidiary. During 2018 three countries and 8 production entities received training. Target groups are all administrative functions at the entity (sales, finance, contract, procurement, supply chain, R&D, management). After the training is completed, corrective actions are defined and will be subject to review. The Red Flag training is optimal if repeated in a three-year cycle.
In general, each subsidiary supports its employees’ educational development within necessary regulatory training. During 2018 Nammo held two regulatory training programs at Group level: one training program for key employees concerning the new EU regulation on GDPR (General Data Protection Regulation), and one training program with focus on the International Traffic in Arms Regulation (ITAR) for relevant Nammo employees in Europe. Altogether around 280 employees completed the corporate regulatory training program. Nammo will continue to develop a strategic training program to ensure that employees in key positions have the right knowledge and education to perform their job according to national and regulatory requirements.
Third Party Management
Clearly, relationships with third parties such as joint-venture partners, suppliers, sub-contractors, consultants, agents/sales representatives, distributors and even customers may constitute compliance risks. Nammo is therefore concerned to secure the establishment and implementation of a firm and risk-based due diligence process with respect to the selection and use of its business partners.
Depending on the type of business partner the degree of the due diligence may vary based on the relevant country or countries involved, the role of the business partner, size and nature of the transaction, and historical relationship with the third-party.
Establishment of Joint Ventures and offset agreements with Industrial Partners is handled at Group level through the Business Development Department. Our due diligence follows the same procedure as when onboarding sales representatives. The due diligence procedure is handled by Legal & Compliance at Group level.
Nammo conducts initial risk-based anti-bribery and corruption evaluations of all potential Joint Venture partners before down-selection of a partner. For the selected partner a full risk-based anti-bribery and corruption due diligence is performed in accordance with the company processes involving the legal and compliance departments. Nammo anti-bribery and corruption clauses are included in JV contracts.
Industrial Partners and Offset
Nammo conducts initial risk-based anti-bribery and corruption evaluations of all potential Industrial Cooperation partners before down-selection of a partner in cases where Nammo is the obligor. For the selected partners a full risk-based anti-bribery and corruption due diligence is performed in accordance with the company processes involving the legal and compliance departments. Industrial Cooperation projects and partners are selected in accordance with Nammo business strategies. Nammo operates directly with authorities and potential partner companies and does not use offset agents or brokers.
Onboarding and renewal of sales representatives
For onboarding of sales representatives a strict and pre-defined due diligence process is well established at Group level.
To establish a new representative there is a six-step procedure to follow. First, there is a need for good strategic input such as a business and market plan. The second step is a presentation of a candidate short-list for selection. The third step is a candidate report and a due diligence phase, done either by Nammo or by an external party depending on the country risk level. Verification of beneficial ownership is part of the due diligence. The fourth step is to evaluate the due diligence and select the candidate. The fifth step is to agree on the terms and conditions of an agreement, including a list of required Nammo documents and processes to comply with, such as the Ethical Code of Conduct, regular reporting and taking part in training. The sixth step is the renewal process, which takes place after the first year and subsequently every second year if renewed. The quarterly reporting from both Nammo’s internal point of contact and the representative, as well as a due diligence to check for any changes in the status of the representative, are also part of the input for evaluating a potential renewal of the agreement. The agreement includes the right to audit and the right to terminate in the event of a breach of the agreement. Nammo representatives are compensated in a fair and transparent manner reflecting the work performed. Terms of compensation are clearly defined in the agreement, and all payments are made and recorded in accordance with generally accepted accounting principles. Representatives are under continuous monitoring throughout the lifecycle of the agreement.
The process of onboarding suppliers and subcontractors follows a risk-based evaluation. At larger entities in Nammo, the procurement department has the ultimate responsibility for onboarding and regular review of the most critical suppliers. In smaller entities without a procurement department, the responsibility is managed by the procurement and/or supply chain manager. A supplier can be classified as critical based on several criteria, such as the size of the company, geographic location, sole source, critical component, etc. Suppliers are vetted against various lists, including sanctions lists and lists which identify red flags, including debarments. Additionally, suppliers receive an annual survey for self-reporting of risks. Although the tool has various names throughout the Nammo Group, the local entities use a Source Selection Matrix, which identifies how a supplier was chosen and has various criteria which are assessed. Also, after a supplier has been issued a Purchase Order from a Nammo site, the supply chain departments within Nammo work with their respective Quality Control/Assurance departments, who go onsite with suppliers and perform audits and assessments.
In addition to the above, the US Government requires suppliers to US contracts to register in the contractor registry, SAM. Suppliers must attest to Anti-Lobbying Verification, FAR 52.203-11 and 52.203-12, and certify compliance with FAR 52.209-5, which deals with embezzlement, theft, forgery, bribery, falsification or destruction of records, making false statements, tax evasion, violating Federal criminal tax laws, or receiving stolen property. Nammo does not yet have a global digitalized framework for onboarding its suppliers. Today this is done in a decentralized way, country by country. A common Group onboarding process, including the adequate tools, is being defined for all business partners in 2020.
Allegations and Investigations
A central part of a robust compliance program is the implementation of a mechanism for the organization’s employees and external parties to report suspected or actual red flags and indications of misconduct or violations of the company’s policies or directives on a confidential basis and without fear of retaliation.
In Nammo, personal responsibility means to do the right thing. We expect our employees to always be honest, truthful and reliable, and act in accordance with our core values: Dedication, Precision and Care. As Nammo employees we are expected to report any conduct that we believe, in good faith, to be a violation of the Ethical Code of Conduct or the law. By reporting compliance concerns, we are helping to protect our business and reputation.
During 2018 we had 39 concerns reported within the following countries and categories, with the majority of the issues raised to HR relating to misconduct, alcohol abuse, harassment and bullying:
There were no corruption incidents or legal actions reported in 2018 related to Ethics and Anti-Bribery and Corruption. Two low-risk issues were reported to Compliance and the previous Ethics Committee.
How to raise concerns in Nammo?
Nammo’s procedure to raise concerns has been simplified and strengthened during 2019. In the month of November a new channel of last resort reporting will be rolled out in all European entities. All employees will receive the rollout material in their native language. The rollout starts first in Europe and will continue in the US as soon as all security and risk mitigations are approved.
The procedure to raise concerns is supported by an external reporting channel called SpeakUp that can be accessed by phone or by web and with a specific country code. It facilitates the dialogue between the company and the reporting employee. The employees can report in their native language and the system is available 24/7. The employees can expect a response within 3-5 days.
All reports shall be handled in strict confidence. The system has an option to report anonymously. Nammo will not have access to the individual’s identity and the system is both encrypted and GDPR compliant.
All reports through the system will be forwarded to the CCO of Nammo, who will evaluate the severity of the cases. Low-risk cases should preferably be handled locally. If cases are of high or severe risk, the CCO will evaluate the report in cooperation with the Ethics and Integrity Council (EIC). If the risk level or conflict of interest is evaluated as too high, the CCO and the EIC will establish an Investigation Response Team. The Response Team shall follow a detailed Investigation Response Plan. Below is a summarized overview of the six steps of the Investigation Response Plan. The Response Plan is divided into six steps, and each action taken during the process shall be appropriately documented.
Nammo expects its managers to emphasize the value of reporting compliance concerns promptly and foster an environment of open reporting. Nammo does not tolerate retaliation against any employee who raises a concern in good faith.
Third parties who would like to report concerns about Nammo are welcome to do so by contacting: firstname.lastname@example.org. This contact e-mail is also listed in our Supplier Conduct Principles and the Ethical Code of Conduct.
The proper handling of compliance risk involving a potential merger or acquisition (or divestiture) is vital to Nammo’s long-term success. Conducting an effective compliance due diligence on Nammo’s M&A targets allows the company to evaluate each target’s value more accurately and allows for mitigation of compliance risks. Nammo follows a risk-based compliance due diligence process for its M&A activities. The process considers the risks related to specific business targets. Equally important as a proper due diligence of a target is the post-acquisition period, with a prompt incorporation of the acquired company into our company’s internal controls and monitoring systems, including our compliance program. This is followed up within the 100-day post-acquisition program of necessary actions and learnings of the new family member.
Monitoring, reviewing, testing and improvement
The Compliance Program is evaluated, reviewed and tested internally on a continual basis with the purpose to improve its suitability, adequacy and effectiveness. Such evaluation and review include e.g. testing implemented controls (such as financial controls related to potential risk of corruption and trade compliance) and analyzing actual violations or clear circumventions of the company´s policies, directives or processes.
Also, Nammo may undertake employee surveys to a) measure its compliance culture and strength of internal controls, monitoring systems and communication routines, b) identify best practices, and c) detect new risk areas. The result of any evaluation and review of the Program, including recommendations for improvement, will be reported annually to the Group Management Team and the Board of Directors.
The Compliance Program shall be evaluated and assessed by a third party every third year and the result thereof shall be reported to the Group Management Team and the Board of Directors.
An internal review of every entity is performed annually by the Compliance Team and reported to the Management Team and the Board of Directors.
During 2018 Nammo had two assessments by two different external parties. One was a fraud culture assessment as part of a PhD study in the UK, where the purpose was to assess the level of maturity of Nammo’s existing strategy and measures in place to mitigate fraud and corruption. The most significant consequence of the assessment's conclusions has been the establishment of an efficient and detailed Investigation Response Plan.
The second assessment was done by Deloitte. They performed a compliance maturity assessment that revealed several areas of low, medium and high risk where there was found to be room for improvement. All areas of improvement from the Deloitte compliance assessment are addressed in the Group Compliance Program and they are part of the improvement work moving forward.