Sophos Anti-Bribery And Anti-Corruption Code Of Conduct

It is our policy to comply with all laws, rules and regulations governing bribery and corruption in all the countries in which we operate.

The purpose of this code of conduct is to set out the values, principles and responsibilities Sophos adheres to and expects from all of our employees, partners, distributors, resellers, advisors, consultants, contractors, agents and other intermediaries representing us with regard to bribery and corruption.

All directors and employees are required to comply with this code. This code also applies to all persons with whom Sophos is associated with such as, but not limited to: partners, distributors, resellers, advisors, consultants, contractors, agents and other intermediaries representing Sophos.

Compliance with this code is a mandatory requirement.

ARTICLE 1: PROHIBITION OF BRIBERY AND CORRUPTION

Sophos does not participate in any form or bribery or corruption.

It is our policy to comply with all laws, rules and regulations governing bribery and corruption in all the countries in which we operate. Acts of corruption and bribery are increasingly being made illegal throughout the world and penalties for breaching those laws are severe.

Sophos will deal with any instance of suspected bribery or corruption seriously. Any actual instance will result in disciplinary action against those involved, up to and including termination of employment or contract, and reporting of those persons to relevant regulatory and criminal authorities. Sophos will support those authorities in any prosecution brought against those persons. Sophos operates a zero tolerance policy toward bribery and corruption, no matter what.

This policy extends to all of our business dealings and transactions in all countries in which Sophos and/or our subsidiaries and associates operate. Local custom and practice is never a justification for departing from this policy.

You will never be penalized for compliance with these policies and procedures, even if Sophos loses business or money as a result. If you have concerns or suspicions about anyone’s conduct or instances where there may be non-compliance with these policies, it’s important you report them quickly to allow those concerns and suspicions to be promptly investigated and responded to.

Each of us must take personal responsibility for abiding with this policy. This includes our most senior managers and directors.

If you have such suspicions and you don’t report them, you could face disciplinary action up to and including termination of your employment. It really is that serious.

Sophos will routinely assess the risks of becoming embroiled in bribery and corrupt practices. Based on such assessments we will take action. Please be prepared for updates and adjustments to the anti-bribery code that we adopt.

Under UK law, bribery and corruption is punishable by imprisonment, fines and if the company is found to have taken part in corruption it could be excluded from tendering for Government contracts and face untold damage to its reputation.

If any instance of bribery or corruption is identified, Sophos will take remedial and disciplinary steps immediately. For the avoidance of doubt, if bribery or corruption is established, we shall seek legal advice with a view to dismissing any employee involved and our responsibilities to refer such matters to the authorities for them to deal with under law.

Bribery and corruption is an unwelcome feature of business and public life in many countries. Sophos encourages and supports our employees to make decisions in line with our stated position on bribery and corruption. Sophos may drive a hard bargain when it is in our interests, but we are committed to acting professionally, fairly and with integrity.

Sophos prohibits bribery and corruption at all times and in any form, whether direct or indirect, including through agents, partners and other intermediaries.

Bribery is the offering, promising, giving or accepting of any undue monetary or other advantage to or by another person such as but not limited to:
* a public official, at national, local or international level;
* a political party, party official or candidate; and
* a director, officer, employee or agent of another organization or an individual in order to obtain or retain a business or other advantage other than by legitimate and proper means.

Corruption includes solicitation of a bribe, whether or not coupled with a threat if the demand is refused.

Sophos presumes that any ‘kick back’ (in cash or in kind) to government officials is a bribe.

Any payment or other advantage made to any other person which is not fully and properly recorded in the terms of the contract by which we do business with them or otherwise approved by the Legal Department shall be presumed by us to be a bribe.

Sophos also presumes that the engagement of intermediaries such as agents, subcontractors, consultants or other third parties to channel payments to government officials or to channel unauthorized payments to any other party (or their relatives, friends or business associates) is a bribe.

No Sophos employee will ever suffer demotion, penalty or other adverse consequences for refusing to pay bribes even if such refusal may result in Sophos losing business.

Personal safety
Sophos recognizes that demands for bribes to be paid may be accompanied by threats to personal safety. These should be rare, but if you are subjected to an immediate threat to your safety, you may put your personal well-being first even if this means that you make a payment that would contravene this Code. However, you must immediately report all of the circumstances of the threat and the payment to Sophos’ General Counsel. If a threat is made but you have time to notify our General Counsel before making any payment to avoid the harm to your person, then you should do so.

ARTICLE 2: SCOPE

Every employee and every person associated with Sophos’ business is covered by this Code of Conduct and our Anti-Bribery Program.

Universal application
This policy applies to all of Sophos’ business units and extends to all our majority owned business dealings and transactions in all countries in which we or our subsidiaries and associates operate. This policy applies in all countries in the world regardless of local practice and custom.

This Policy applies to all staff, officers, directors, and employees (including contractors and temporary workers) in our business worldwide. It applies to our agents, partners, resellers, distributors, consultants, contractors, advisors, other intermediaries and any other third parties acting on our behalf or representing Sophos. All activities carried out on Sophos’ behalf must be compliant with this policy regardless of local laws or culture.

Sophos operates a policy of individual accountability. We are each accountable for compliance with this policy.

Agents, Distributors, Consultants and Other Third Parties
Whenever Sophos engages or retains an agent, partner, reseller, distributor, marketing consultant or other third party in connection with any business being sought, we will investigate to determine the reputation, beneficial ownership, professional capability and experience, financial standing and credibility of such person and the record of such person's adherence to applicable laws in our own and other countries.

Any concerns that such investigation may bring to light must be reported to our General Counsel.

After Sophos engages with a third party, you have a responsibility to continue monitoring on- going activities and to report your concerns to our General Counsel. If you know or reasonably believes that a contravention of this Policy has been, is being or may be made you must report it to our General Counsel and in appropriate circumstances prevent the payment or promise of payment from occurring.

Acquisitions
Each time Sophos acquires any business as a going concern, the due diligence associated with the proposed acquisition shall include investigation of the acquisition target's compliance with the Bribery Act 2010 and related laws and regulations.

Joint Ventures
Similarly, whenever we decide to undertake business with a joint venture partner, we will conduct a review of the prospective joint venture partner or partners in order to determine the reputation, beneficial ownership, professional capability and experience, financial standing and credibility of the prospective joint venture partner and the history of such prospective joint venture partner's compliance with the Bribery Act 2010 and related laws and regulations.

Contract procedures
Persons or entities who provide goods or services to Sophos or on our behalf must meet our standards and abide by our policies and codes of conduct with regard to bribery and corruption or else they should expect to have their contracts terminated and we will actively seek to recover any losses we may suffer as a result.

Sophos has developed standard form clauses for inclusion in our trading contracts dealing with bribery and corruption which, in essence, enable us to terminate contracts if bribery is established. Unless otherwise approved in writing by Sophos’ Legal Department, all contracts with partners, resellers, distributors, consultants, and other third parties must include our standard anti-bribery clauses.

Training
You will be offered compliance training to ensure that you understand your responsibilities with regard to our zero-tolerance approach to bribery and corruption. Depending on role, the nature length and the frequency of such training may vary. Attendance at not less than one such training session each year shall be required.

Disciplinary procedure
Failure to comply with this Policy will be grounds for termination or other disciplinary action. Any questions concerning this Policy may be addressed to Sophos’ General Counsel.

Administration of the Policy and Code
Sophos’ General Counsel or another member of our Legal Department will conduct the day-to-day administration and enforcement of this Code and Policy. Sophos’ Board retains the ultimate responsibility for ensuring that we all comply with the zero-tolerance approach to bribery and corruption.

Employees, joint-venture partners, advisors, consultants, contractors, agents and other intermediaries representing us are encouraged to raise concerns about any instance of malpractice at the earliest possible stage. Sophos’ ‘whistleblowing’ policy may be relevant and is drawn to your attention.

Sophos will establish feedback procedures in order to maintain accurate records to provide assurance that we are effective in countering bribery and corruption. Any employee or other person to whom this Policy is directed who suspects a violation of this Policy may occur, or believes that a violation has taken place, must immediately advise his or her supervisor or the Sophos’ General Counsel.

Failure to so report is a disciplinary matter and will be dealt with accordingly. Disciplinary action may include the immediate termination of employment or of any business agreement or relationship.

Any form of discrimination, retribution or retaliation against anyone who has, in good faith, reported a possible violation of this Policy or refused to participate in activities that violate this Policy is prohibited and will be treated as a serious disciplinary matter.

Sophos’ board will review the implementation of this policy to test its adequacy and effectiveness from time to time and shall make improvements as appropriate. Any material non-compliance shall be reported to shareholders in the Annual Report.

ARTICLE 3: RESPONSIBILITY

Every one of us must take individual responsibility for complying with this Code.

Sophos’ board of directors will ultimately oversee the implementation and enforcement of this Policy, although the board will seek advice from professionals and delegate tasks to officers and others within our organization as appropriate.

Sophos’ audit committee or other body with similar responsibility will conduct regular independent reviews of compliance with this Policy and recommend corrective measures or improvements as necessary.

Each employee of Sophos must read, be familiar with, and strictly comply with this Policy which shall be available on-line and in hard copy via our HR function. Training on all applicable laws and regulations shall be compulsory upon joining the organization and from time to time by way of refresher and up-date.

Laws, regulations and contractual requirements are subject to change, which could require revision to this Policy. All personnel to which this Policy is applicable shall keep themselves current with any such changes and shall comply with such changes regardless of whether or not the changes have been incorporated into any given version of this Policy.

ARTICLE 4: RAISING CONCERNS AND SEEKING GUIDANCE

Sophos expects you to report suspicious activity without delay and without apprehension.

We know that our staff and representatives are not experts in the law and this Code is designed to help you recognize situations that might be of concern.

This Code requires you to raise your concerns promptly if you have a sense that something unethical or untoward is going on involving Sophos’ business. If you try to look the other way so as to avoid being witness to bribery or corruption, you may find yourself in contravention of this Code and the law.

Failure to report a concern may result in the termination of your employment. You may do so in accordance with the Whistleblowing Procedures set out below in order to preserve your anonymity. If you are unsure what to do or if you have doubts but do not want to get yourself or anyone else into trouble, you should notify our General Counsel who will consult with you on a confidential basis.

It is always better to notify your concerns rather than keep them to yourself. If there is an innocent explanation, then this can be established by our General Counsel. If for any reason you do not wish to speak with our General Counsel then you should consult the Whistleblowing Procedures which will set out the names and contact details of others within Sophos with whom you can discuss matters on a confidential basis. (Please refer to Article 9 below for Sophos’ revised Whistleblowing Procedures.)

If you are offered a financial or other advantage or if you suspect that someone within Sophos is or is about to offer an improper financial or other advantage, you MUST report this to our General Counsel without delay.

ARTICLE 5: PAYMENTS TO THIRD PARTIES

All payments made by the business must be above board, transparent and proper. No payments may be made as a subterfuge for bribery.

It is contrary to this Code to offer, promise, authorize, pay or give, either directly or indirectly, to any other person (whether a government official or not) any financial or other advantage in order to secure an improper advantage, to obtain or retain business, or direct business to any other person or entity.

Sophos therefore insists that:

a) any payment made to any person, such as an agent representative or intermediary, represents no more than an appropriate remuneration for legitimate services rendered by such person;

b) no part of any such payment is permitted to be passed on by the agent as a bribe or otherwise in contravention of this Policy;

c) in each contract with any partners, distributors, advisors, consultants, contractors, agents and/or other intermediary representing us, such representative must agree not to pay bribes or otherwise engage in any corrupt practice. We must reserve the right to terminate agreements with representatives if a bribe is paid or other corrupt practice undertaken;

d) each of our business units and all joint-venture partners, advisors, consultants, contractors, agents and other intermediaries representing us must maintain an accurate record of the names, terms of employment and payments to all persons who are retained by them in connection with transactions with public bodies, state or private enterprises. This record must be made available for inspection by us and our appointed auditors on demand;

e) no employee, joint-venture partner, advisor, consultant, contractor, agent or other intermediary representing us is permitted to engage in bribery or any form of unethical inducement or payment (including facilitation payments and ‘kickbacks’) and all such persons must avoid any activities that might lead to, or suggest, a conflict of interest with the business of the Company;

f) we uphold laws relevant to countering bribery and corruption in all the jurisdictions in which we operate, particularly laws that are directly relevant to specific business practices;

g) all agents, representatives and intermediaries must be properly vetted and due diligence undertaken on them to ascertain their fitness to represent us before we appoint them;

h) all payments should be approved in writing by a senior person in the business (your line manager) before making the payment;

i) receipts for payments should be obtained from the recipient; and

j) all payments must be accurately recorded through our normal accounting and financial procedures without any deception or disguise as the recipient’s identity or the purpose for the payment in question.

For the avoidance of doubt, so-called Facilitation Payments are prohibited. Sophos does not make Facilitation Payments (sometimes known as grease payments) of any kind. The bribery laws in other countries may not criminalize facilitation payments, but we do not condone the making of facilitation payments.

Sophos recognizes that in some parts of the world, Facilitation Payments may be sought in a business-as-usual fashion. Sophos will not pay them and we will not expect to be paid them. We insist that proper and thorough due diligence is undertaken on those with whom we do business and, in particular, any organization which represents our interests in any capacity or which supplies goods or services to us.

In Sophos’ business, we must keep and maintain accurate books and records in reasonable detail. We are subject to internal audit and controls. All payments must be properly recorded in our accounts and financial records. Recording such payments in any way which would conceal their true nature or which is contrary to applicable accounting standards is not permitted.

Payments of reasonable and bona fide expenses incurred in the proper course of our business are not prohibited by this Code when they are directly related to the execution or performance of a contract or other binding obligation.

ARTICLE 6: POLITICAL AND CHARITABLE CONTRIBUTIONS AND SPONSORSHIPS

Sponsorship, political and/or charitable contributions require prior authorization.

The presumption is that Sophos does not make any contributions to political parties, party officials and/or candidates. All requests for political contributions must be channeled through our General Counsel. We will only do so if our board of directors establishes in writing that it is in our interests to do so and then only upon satisfying itself that we are acting responsibly in accordance with all applicable laws and all requirements for public disclosure. No such political contributions may be used as a subterfuge for bribery.

Sponsorship or charitable donations might amount to bribery if not undertaken for the right and proper reasons. Sophos are not against sponsorship or charitable donations in all cases. As a business, Sophos is pleased to support deserving causes, but not in the expectation of any reward or influence in return. All requests for sponsorship must be channeled through our General Counsel in advance.

Similarly, any charitable contributions and sponsorships are not to be used as a subterfuge for bribery. Charitable contributions and sponsorships must be transparent and in accordance with applicable law. All charitable contributions and sponsorships must be approved by our General Counsel in advance.

If you are approached for a charitable donation, sponsorship or a political contribution (in each case, of any nature or description) you must inform those who approach you that there is an approval procedure which you are bound to follow and that you will be referring the matter to Sophos’ General Counsel for approval before responding.

If you wish to undertake charitable works or to seek sponsorship of a personal nature from your work colleagues, please notify our General Counsel in advance. We will not prevent genuine fund raising of a personal nature by our employees and associates provided it is clear that this is unrelated to our business.

If you make personal contributions to charity or to political organizations or if you engage in any form of sponsorship from your own funds, please make clear to all concerned that such activity has nothing to do with our business and that you are acting in your personal capacity outside of work. You must not use any resources of the Sophos for, or in support of your personal activities in this regard.

ARTICLE 7: GIFTS, HOSPITALITY AND EXPENSES

Sophos only accepts or provides hospitality and gifts within pre-defined limits and never to secure any improper advantage or to influence a business decision.

Sophos recognizes that to refuse hospitality can cause offence, which is not the intention of this policy, and that in the ordinary course of business, hospitality is extended and accepted without amounting to a bribe.

Gifts, hospitality, and sponsorship may only be made and/or received in compliance with this Code. You are required to complete a written record of hospitality offered/received and any gifts received/declined, and/or speaker/author/non-executive fees received/declined.

The acceptance of corporate hospitality (other than refreshments offered in meetings held at business premises) requires prior approval from your Head of Department. You should only accept corporate hospitality if it is ethically, morally, socially and politically ‘correct’. Nothing should be accepted that brings you, your colleagues or our business into disrepute.

Hospitality, gifts or expenses which has ‘strings attached’ must be declined. If hospitality has as its intent or purpose an attempt to secure a business advantage or influence a decision (e.g. by creating a sense of obligation) then it must be declined.

High value corporate hospitality should be politely declined, unless there are compelling business reasons to accept such hospitality and such hospitality is approved by your Head of Department. In any event, approval prior to acceptance of corporate hospitality must be obtained from our General Counsel where the value of the hospitality exceeds £100.

From time to time, Sophos may notify spending limits applicable to hospitality and entertainment and you must abide by these rules from the date that they are introduced. Where you are responsible for relationships with customers and suppliers to our business, you may entertain people for bona fide purposes only. The value of such hospitality must be reasonable and proportionate. Lavish entertainment is not permitted by Sophos. Ordinary hospitality to meet customers, network with customers and improve relationships is unlikely to be a problem, but please be aware that extraordinary hospitality might be unlawful and contrary to this Code and the law.

If you offer or provide hospitality and you suspect that it has been misconstrued by the recipient as an inducement, you must report this to our General Counsel and appropriate steps must be taken to correct this misapprehension. You should make allowance for the possibility that acceptance of a gift or hospitality by the intended recipient is contrary to the recipients own rules and policies. You should, therefore, explain to the recipient that is perfectly acceptable to refuse your offer of a gift or hospitality and that, should the recipient prefer, attendance at an event you are running is open for acceptance on the basis that the recipient pays for himself/herself.

Hospitality in all cases must be reasonable in value, should be offered or accepted in good faith only in connection with Sophos’ business and should be lawful under applicable local law. Hospitality should be proportionate to the business portion of the event. The frequency of hospitality should be carefully monitored, as the cumulative effect of frequent hospitality may give rise to the appearance of impropriety. Hospitality must not be offered or provided in return for any favor or benefit or to influence improperly any official decision.

The test to be applied in all circumstances is whether the giving or receiving of any gift or entertainment is reasonable and justifiable. If the intention or effect of any gift or entertainment or other hospitality might create a real or perceived influence upon any person, then further guidance must be sought from our General Counsel before the giving or accepting of the same.

Under no circumstances may gifts, hospitality or entertainment be offered to or accepted from any person with whom we are in a competitive tender scenario (i.e. a contract is being awarded and we are bidding for or awarding that contract.)

Any form of gift or corporate hospitality offered by a tenderer participating in a competitive procurement exercise should be declined and the offer reported to the person in charge of such procurement process.

The offer or acceptance of gifts, hospitality or expenses must be limited to reasonable and bona fide expenditures, and must not improperly affect the outcome of any procurement or other business transaction or be capable of being reasonably construed as improperly affecting such outcome. Employees must declare and keep a record of hospitality or gifts offered and accepted, which will be subject to managerial review.

Care must be taken when being giving or being offered entertainment, gifts or hospitality from persons with whom there is no prior business relationship. All gifts, hospitality and entertainment offered to a foreign public official (no matter the value) must be approved in writing by our General Counsel in advance.

Cash may not be given to any third party by way of hospitality or entertainment. Giving promotional items of nominal value such as coffee mugs, golf balls, calendars, or similar items displaying the company logo that are distributed for advertising or commemorative purposes and/or gifts of nominal value is generally permissible, but if in doubt, check with our General Counsel first.

You are only permitted to accept and keep gifts paid for by third parties of very low value such as umbrellas, pens, diaries and small branded items. Other gifts should be politely declined in the first instance, pending authorization in writing from our General Counsel.

Sophos does not intend to cause and offence to the person offering any such gift and you should make it clear that you have no option but to comply with this Code and that you will be pleased to accept the gift if Sophos’ General Counsel approves it. Any attempt to undermine the impartiality of our people by the offer of substantial gifts or other inducements should be reported to our General Counsel immediately.

There may be rare circumstances where declining the gift is likely to cause major offence (e.g. gifts from foreign dignitaries or religious leaders). In these circumstances the gift may be accepted and then donated to charity (with a record noted in the Gifts Register).

Sophos recognizes that you may receive unsolicited token gifts from marketing departments from time to time, such as calendars at Christmas. You should consider the impact of displaying or using these items on third parties who may understand the same to reflect a loyalty to one supplier.

Neither you nor any members of your family are permitted to receive 'personal' direct sponsorship from any third parties with whom Sophos is in business with.

As a general rule, Sophos does not pay for third parties’ travel or other expenses. If there is a legitimate reason to depart from this rule, you must obtain prior written approval from our General Counsel. Travel expenses offered to third parties should be reasonable in amount, should be offered in good faith only in connection with our business and should be lawful under applicable local law. Reimbursement of expenses requires reasonable proof of payment (e.g. a receipt) and wherever possible should be made directly to the service provider (for example, an airline) or the foreign government or agency involved and not to an individual.

Expenses should not go beyond what is reasonably necessary for the business purpose; for example, lavish accommodations, and expenses for spouses and children or side trips are strictly prohibited.

ARTICLE 8: DUE DILIGENCE

We only do business with people we have checked out.

Before doing business with any third party, you must check them out. Sophos needs to know that the third party is who they say they are. We need to know that the third party is not secretly representing somebody not disclosed to us. Sophos also needs to know that the third party shares our commitment to stamping out bribery.

Sophos must have a written contract with all third parties with whom we do business. This includes those who represent Sophos and/or provide services to us as well as those with whom we trade. We must undertake due diligence on all third parties before we enter into contractual relations.

You must assess the risks of doing business with each third party in advance of doing business. Based on such risk assessment, you must determine the level of due diligence to be undertaken on such third party - the greater the risk the more due diligence must be undertaken, but in all cases due diligence must be thorough and vigilant.

No relationship or association with any third party can commence without entering into a written contract, including provisions requiring the third party to comply with this Code and anti-bribery laws, policies and procedures in the country in which such third party operates and the law in the UK. Such contracts must also permit Sophos to verify compliance by auditing the third party from time to time.

(A third party includes any person, organization, firm or company other than Sophos and Sophos’ Group Companies]. In particular, any person, organization, firm or company who provides services to Sophos or engages in any business activity for us is a third party. Employees of Sophos Group Companies are not third parties for this purpose.)

ARTICLE 9: FINANCIAL RECORDING AND AUDITING

All financial transactions must be properly and fairly recorded.

Sophos complies with standard accounting practices and policies. Sophos is required to make and keep books, records and accounts which accurately and fairly reflect the business that we transact, and our assets and liabilities. Accordingly, however immaterial they may be, payments or gifts must be accurately recorded in our accounts.

All financial transactions must be properly and fairly recorded in appropriate books of account available for inspection by the board of directors, if applicable, or a corresponding body, as well as external auditors.

It is your responsibility to ensure that the payment made by Sophos to any third party is not a bribe and that each receiver is the proper and bona fide recipient of the payment in question. There must be no “off the books” or secret accounts. No documents should ever be issued which do not properly and fairly record the transactions to which they relate.

Sophos operates independent systems of auditing, through internal and external auditors, so as to identify any transactions which contravene this Policy. Sophos complies with all laws and regulations, including those prohibiting the deduction of any form of bribe payment from taxable income.

No attempt to disguise the sources of illegally obtained funds is permitted. Any attempt to do so is a disciplinary matter and dismissal is a possible outcome.

ARTICLE 10: CONFIDENTIAL REPORTING OF CONCERNS (WHISTLEBLOWING)

You must report suspicious activity. You will not be penalized after you do so.

Sophos is committed to conducting our business with honesty and integrity, and we expect all of our staff to maintain high standards. However, all organizations face the risk of things going wrong from time to time, or of unknowingly harboring illegal or unethical conduct. A culture of openness and accountability is essential in order to prevent such situations occurring or to address them when they do occur.

The aims of this policy are:

(1) To encourage staff to report suspected wrongdoing as soon as possible, in the knowledge that their concerns will be taken seriously and investigated as appropriate, and that their confidentiality will be respected.
(2) To provide staff with guidance as to how to raise those concerns.
(3) To reassure staff that they should be able to raise genuine concerns in good faith without fear of reprisals, even if they turn out to be mistaken.

This policy applies to all individuals working at all levels of the organization, including directors, officers, senior managers, employees, consultants, contractors, trainees, homeworkers, part-time and fixed-term workers, casual and agency staff and volunteers (collectively referred to as “staff” in this policy).

“Whistleblowing” is the disclosure of information which relates to suspected wrongdoing or dangers at work. This may include:
(A) criminal activity;
(B) miscarriages of justice;
(C) danger to health and safety;
(D) damage to the environment;
(E) failure to comply with any legal or professional obligation or regulatory requirements;
(F) financial fraud or mismanagement;
(G) negligence;
(H) breach of our internal policies and procedures;
(I) conduct likely to damage our reputation;
(J) unauthorized disclosure of confidential information;
(K) other workplace-specific concerns;
(L) the deliberate concealment of any of the above matters.
A whistleblower is a person who raises a genuine concern in good faith relating to any of the above. If you have any genuine concerns related to suspected wrongdoing or danger affecting any of our activities (a “whistleblowing concern”) you should report it under this policy.

This policy should not be used for complaints relating to your own personal circumstances, such as the way you have been treated at work. In those cases you should use Sophos’ Grievance Procedures or raise your concerns in accordance with other our other policies.

If you are uncertain whether something is within the scope of this policy you should seek advice from your local Human Resources Manager.

Sophos hopes that in many cases you will be able to raise any concerns with your line manager. You may tell them in person or put the matter in writing if you prefer. They may be able to agree a way of resolving your concern quickly and effectively. In some cases they may refer the matter to your local Human Resources Manager.

However, where the matter is more serious, or you consider that your line manager has not addressed your concern, or you prefer not to raise it with them for any reason, you should contact one of the following:

  • Your local Human Resources Manager,
  • Sophos’ General Counsel,
  • A member of Sophos’ Senior Management Team (SMT), or
  • A Director of Sophos.

Sophos will arrange a meeting with you as soon as possible to discuss your concern. You may bring a colleague or representative to any meetings under this policy. Your companion must respect the confidentiality of your disclosure and any subsequent investigation. Sophos will take down a written summary of your concern and provide you with a copy after the meeting. We will also aim to give you an indication of how we propose to deal with the matter.

Sophos hopes that staff will feel able to voice whistleblowing concerns openly under this policy. However, if you want to raise your concern confidentially, we will make every effort to keep your identity secret. If it is necessary for anyone investigating your concern to know your identity, we will discuss this with you.

Sophos does not encourage staff to make disclosures anonymously as proper investigation may be more difficult or impossible if we cannot obtain further information from you. It is also more difficult to establish whether any allegations are credible and have been made in good faith. Whistleblowers who are concerned about possible reprisals if their identity is revealed should come forward to their local Human Resources Manager Whistleblowing or one of the other contact points listed above and appropriate measures can then be taken to preserve confidentiality.

If you are in any doubt you can seek advice from [our confidential counselling hotline or] Public Concern at Work, the independent whistleblowing charity, who offer a confidential helpline. Their contact details are at the end of this policy.

The aim of this policy is to provide an internal mechanism for reporting, investigating and remedying any wrongdoing in the workplace. In most cases you should not find it necessary to alert anyone externally.

The law recognizes that in some circumstances it may be appropriate for you to report your concerns to an external body such as a regulator. It will very rarely if ever be appropriate to alert the media. Sophos strongly encourages you to seek advice before reporting a concern to anyone external. The independent whistleblowing charity, Public Concern at Work, operates a confidential helpline. They also have a list of prescribed regulators for reporting certain types of concern. Their contact details are at the end of this policy.

Whistleblowing concerns usually relate to the conduct of our staff, but they may sometimes relate to the actions of a third party, such as a customer, supplier, service provider, partner or distributor. The law allows you to raise a concern in good faith with a third party, where you reasonably believe it relates mainly to their actions or something that is legally their responsibility. However, Sophos encourages you to report such concerns internally first. You should contact your line manager or one of the other individuals referred to in this Code for guidance.

Once you have raised a concern, Sophos will carry out an initial assessment to determine the scope of any investigation. We will inform you of the outcome of our assessment. You may be required to attend additional meetings in order to provide further information.

In some cases Sophos may appoint an investigator or team of investigators including staff with relevant experience of investigations or specialist knowledge of the subject matter. The investigator(s) may make recommendations for change to enable us to minimize the risk of future wrongdoing.

Sophos will aim to keep you informed of the progress of the investigation and its likely timescale. However, sometimes the need for confidentiality may prevent us from giving you specific details of the investigation or any disciplinary action being taken as a result. Unless specifically informed otherwise, you should treat any information about the investigation as confidential.

If we conclude that a whistleblower has made false allegations maliciously, in bad faith or with a view to personal gain, the whistleblower will be subject to disciplinary action. If such an allegation against an employee is upheld, that employee is likely to be dismissed without notice or payment in lieu.

Although Sophos cannot always guarantee the outcome that you are seeking, we will try to deal with your concern fairly and in an appropriate way. By using this policy you can help us to achieve this.

If you are not happy with the way in which your concern has been handled, you can raise it with one of the other key contacts identified in this policy. Alternatively, you may contact Sophos’ General Counsel or our external auditors. Contact details are set out at the end of this policy.

Protection and Support for Whistleblowers

It is understandable that whistleblowers are sometimes worried about possible repercussions. Sophos aims to encourage openness and will support staff who raise genuine concerns in good faith under this policy, even if they turn out to be mistaken.

Staff must not suffer any detrimental treatment as a result of raising a concern in good faith. Detrimental treatment includes dismissal, disciplinary action, threats or other unfavorable treatment connected with raising a concern. If you believe that you have suffered any such treatment, you should inform your local Human Resources Manager immediately. If the matter is not remedied you should raise it formally using our Grievance Procedure. Staff must not threaten or retaliate against whistleblowers in any way. Anyone involved in such conduct will be subject to disciplinary action.

The Sophos board of directors has overall responsibility for this policy, and for reviewing the effectiveness of actions taken in response to concerns raised under this policy. Various officers of Sophos have day-to-day operational responsibility for this policy, and must ensure that all managers and other staff who may deal with concerns or investigations under this policy receive regular and appropriate training.

Sophos’ Human Resources Managers and General Counsel will review this policy from a legal and operational perspective at least once a year.

All of Sophos’ staff are responsible for the success of this policy and should ensure that they use it to disclose any suspected danger or wrongdoing. Staff are invited to comment on this policy and suggest ways in which it might be improved. Comments, suggestions and queries should be addressed to your local Human Resources Manager or to Sophos’ General Counsel.

Any questions or concerns relating to this policy should be addressed to the Sophos Legal Department: legal@sophos.com .

Version January 2014