SCOTTISH ENTERPRISE
CUSTOMER DUE DILIGENCE PROCEDURE (HUMAN RIGHTS)
VERSION 1.0
EFFECTIVE DATE: March 4th 2019

CONTENTS
1. Introduction
2. What is Due Diligence?
3. Who is our Customer / when does this procedure apply?
4. Overview of Customer Due Diligence Procedure

SCOTTISH ENTERPRISE Customer Due Diligence Procedure CONFIDENTIAL

1. Introduction

At Scottish Enterprise, we are committed to doing business in compliance with all applicable laws. As a publicly accountable organisation, we must ensure that our business is conducted in accordance with the highest standards of corporate governance. One particular area of concern for Scottish Enterprise when doing business is Human Rights.

The UN Guiding Principles on Business and Human Rights are based on a framework of state responsibility to protect human rights; business responsibility to respect human rights; and the requirement for remedy for negative human rights impacts.

Based upon guidance from the Scottish Government this procedure sets out how Scottish Enterprise will undertake appropriate due diligence on companies specifically in relation to their human rights record, before entering a business relationship with them. This includes an assessment of whether an individual or company, including any parent or subsidiary, has been associated with human rights abuses anywhere in the world.

This procedure is intended to enhance, not supersede, existing due diligence checks undertaken by Scottish Enterprise. By following the procedure’s steps, we obtain the information required to make informed decisions prior to entering into business relationships.

2. What is Due Diligence?

Due diligence is about understanding who we are dealing with and why we are getting involved. It means the taking of reasonable steps to understand who our customer is (and particularly, who controls them), how their activities are funded and why our assistance is required.
It also helps us to understand the possible risks that the relationship could pose to our business and what we need to do to manage those risks. It involves a detailed examination of a company and its financial or project delivery record, carried out before becoming involved in a business relationship with it. The information obtained in this process is used to decide whether we want to engage in a business relationship or even a one-off transaction.

Scottish Enterprise requires a clear and consistent approach to customer due diligence as an essential element of our risk management. Failure in this area can lead to severe reputational, operational and financial consequences.

3. Who is our Customer / When does this procedure apply?

Our customer is anyone we are doing business with – whether on an ongoing basis or a one-off transaction. In this procedure when we use the word “customer” we mean both potential customers, i.e. those we are not yet in a business relationship with, and companies with whom SE has an existing or previous business relationship who have initiated a further approach to SE which could lead to a new business relationship being formed.

This procedure will not be applied retrospectively.

4. Customer Due Diligence Procedure

For the purpose of this Procedure we define “business relationship” as any written relationship entered into between Scottish Enterprise and any company or a relationship where there is anticipated to be a substantive engagement of any format going forward. This will apply to all new and existing customers and partners which could result in SE providing new investment or funding by way of grants, loans, or equity. It also applies to SE entering into a commercial relationship with one or more third parties via e.g.
a collaboration agreement, joint venture or memorandum of understanding (MoU). This latter area will require judgement based upon a risk-based approach.

A business relationship does not need to include provision by SE of a particular product or financial assistance. Even where our assistance is limited to provision of account managed services (for example), the recipient of those services is classed as a customer and needs to meet our due diligence requirements prior to the start of our business relationship with them.

Exemptions:
• Companies (UK and foreign owned firms) where t/o is not more than £10.2m, balance sheet total not more than £5.1m and average number of employees not more than 50. Please note the requirement to consider thresholds per group status rather than single company status.
• All companies where the expected investment from SE is less than £100K
• UK Universities and other public sector organisations
• Suppliers

The nature and depth of due diligence to be undertaken

There will be 3 levels [i] to the due diligence:
• Level 1 – applicable to all companies (excluding exemptions) and where the anticipated investment is between £100K and £2m
• Level 2 – applicable to all companies (excluding exemptions) and where the anticipated investment is between £2m and £5m
• Level 3 – applicable to all companies and where the proposed investment relationship exceeds £5m from the public sector

The initiation of the due diligence is the responsibility of the account manager or project owner assigned as project lead by the account team or the senior responsible owner.

Examples of where there is a requirement for due diligence include:
• At the point where the customer makes a specific enquiry, e.g. in relation to a possible new grant application or new equity investment.
• For target account-managed businesses, this should take place before any discussion with the company regarding admission to Account Management.
• For prospective inward investors, this should be undertaken as part of the transition from P20 to P50 as set out in the inward investment guidance. (For inward international trade missions, it may be that this will be the first point of contact with a prospective inward investor and therefore no prior due diligence is required. However, it may be the case that one or more of the parties has reached an engagement threshold where it will be necessary to undertake due diligence).
• For projects such as sector projects, where there is anticipated investment or a business relationship.
• For projects such as infrastructure projects, where there is anticipated investment or a business relationship.

Once HR due diligence has been conducted and outcomes considered acceptable, that cover will have a lifetime of 3 years unless there has been an intervening breach. Where no such breach has come to SE’s attention, any further request for assistance during the 3-year period will not require any further due diligence. Where SE is aware that there has been a breach, this will be a factor to be considered in whether to progress discussions around the approach for further assistance.

Level 1

This comprises a series of binary questions:
• Is the company or its ultimate owner registered in one of the “Human Rights Priority” countries as shown in the most recent Human Rights and Democracy reports? YES/NO
• Is the company or its ultimate owner listed on one of the following sites?
  - Business and Human Rights Resource Centre YES/NO
  - Norges Investment Bank Excluded Companies Report YES/NO
• Are any of the company’s directors or shareholders (>10% shareholding) listed on the World Bank List of Ineligible Firms and Individuals? YES/NO
• Are any of the company’s directors [ii] or shareholders (>10% shareholding) flagged in Fame / Orbis as a Politically Exposed Person (PEP) on the LexisNexis World Compliance database?
YES/NO
• Does an internet search for articles / sites / news about the company and its directors in relation to Human Rights indicate any recent (<5 years) incidents that indicate there might be a reputational risk associated with the company or its directors? YES/NO

Where the outcome of Level 1 is NO for all questions, the engagement with the customer can continue. Where there is a YES to any of the questions, the decision to proceed or stop needs to be made at the Grade 2 Director level within the business unit of the account manager or project owner.

All Level 1 checks will be undertaken by EFRS. To request a Level 1 check, please email the company name to HRDD@scotent.co.uk. The EFRS will provide a report within three working days.

Level 2

This incorporates Level 1 assessment and is a more qualitative assessment that will require greater judgement.

The level of scrutiny required to provide SE with a reasonable level of confidence that business relations with a potential customer would be acceptable varies depending on the exposure to risk presented by the customer’s circumstances and proposed transaction. As such, the level of our due diligence will vary depending on the risks which arise from each potential business relationship. As the customer is progressed through the due diligence process, the level of diligence to be conducted will be determined by our identification of, and response to, “red flags” (see further below).

Similar to Level 1 assessments, the decision to proceed or not requires to be made by the appropriate Grade 2 Director. Advice can be obtained where required from the Head of Risk Management & Governance. The assessment will be summarised in the overall case or approval paper brought forward for approval; however, it is expected that normally the assessment will have been undertaken much earlier than around the point of approval.

The assessment should include consideration of some or all of the following sources:
• To assess the corruption risk rating of countries involved in the customer’s business, see the Transparency International Corruption Perceptions Index at: http://www.transparency.org/research/cpi/overview
• To assess whether the industry within which operations are conducted is perceived as being high risk in terms of corruption exposure, see the Transparency International Bribe Payers Index at: http://www.transparency.org/research/bpi/overview
• To determine whether a country has a good political and human rights record, see the following link: https://freedomhouse.org/report-types/freedom-world
• For guidance on conducting due diligence on supply chains for modern slavery purposes, the Chartered Institute of Procurement and Supply (CIPS) has produced the guidance found at the following link: https://www.cips.org/Documents/Knowledge/Procurement-Topics-and-Skills/4Sustainability-CSR-Ethics/Sustainable-and-Ethical-Procurement/Modern-DaySlavery.pdf.
• The UK Home Office has also produced guidance on assessment of supply chains for Modern Slavery purposes, found at the following link: https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&cad=rja&uact=8&ved=0CB4QFjAAahUKEwjjobPyqYPJAhVDVxQKHQf4Bko&url=https%3A%2F%2Fwww.gov.uk%2Fgovernment%2Fpublications%2Ftransparency-in-supply-chains-a-practicalguide&usg=AFQjCNGRD8piH1pvPcuDteoSyksZU-EcNA.
• To assess whether the customer’s business sector is high risk for modern slavery purposes, see the following link which contains OECD guidelines which are divided by sector (currently (i) agricultural, (ii) extractive minerals, (iii) manufacturing, (iv) textile or garment industries) and which set out far-reaching recommendations to multinational enterprises dealing in these sectors: http://mneguidelines.oecd.org/.

Additionally, consideration should be given to the following where insights can be obtained:
• Governance and Internal Control systems of the potential investor - does the organisation have policies or mechanisms in place that address its human rights obligations, e.g. through equalities or corporate social responsibility committees or programmes? Have steps been taken to improve its record and/or provide redress for any prior human rights issues?
• Downstream Delivery - is there evidence that the organisation carries out its own due diligence checking on its partners, joint ventures, subsidiaries etc.? How does it monitor, evaluate and control the risk of existing projects? Is there a record of any human rights concerns of any subsidiary or partner organisation?

Level 2 assessments will be undertaken by the project owner. If required, the EFRS can provide a company profile showing group structure and ownership to help with assessment. Email HRDD@scotent.co.uk to request a company profile.

Level 3

This is a bespoke assessment and will be commissioned by the project manager and generally be undertaken by a third party requiring full participation by the company.

Similar to Level 1 and Level 2 assessments, the decision to proceed or not requires to be made by the appropriate Grade 2 Director. Again, the assessment will be summarised in the overall case or approval paper brought forward for approval.

Examples of Red Flags (not exhaustive list)

• A company or individual who owns or controls it is identified as having committed a violation of Human Rights.
• The company operates in a country subject to sanctions.
• The company deals with foreign nationals subject to trade sanctions.
• The company operates in a conflict-affected area.
• The company operates in an area known for corruption or terrorist sympathies.
• The company’s supply chains are not transparent.
• The customer’s business relates to (sources from or deals with) the extractive, minerals, agricultural, manufacturing, textile or garment industries (higher risk when dealing with these industries coupled with an international element – i.e. sourcing labour from abroad, purchasing supplies from factory/supplier abroad).
• The customer’s business involves dealing with foreign officials or third parties in a country with a low score on the corruption perceptions index (i.e. a high-risk country for corruption purposes).

[i] Where the business relationship is not one involving financial outlay by SE or where it may but it is too remote to anticipate any specific value, the due diligence levels are not directly applicable. In such cases, however, it will be for the project lead to decide which level or levels of due diligence are appropriate to meet the particular circumstances.

[ii] “directors” means those individuals who are formally board members as opposed to those who may simply have “director” in their job title.