Sophos Anti-Bribery And Anti-Corruption Code Of Conduct
It is our policy to comply with all laws, rules and regulations governing bribery and corruption
in all the countries in which we operate.
The purpose of this code of conduct is to set out the values, principles and responsibilities
Sophos adheres to and expects from all of our employees, partners, distributors, resellers,
advisors, consultants, contractors, agents and other intermediaries representing us with
regard to bribery and corruption.
All directors and employees are required to comply with this code. This code also applies to
all persons with whom Sophos is associated, such as, but not limited to: partners,
distributors, resellers, advisors, consultants, contractors, agents and other intermediaries.
Compliance with this code is a mandatory requirement.
ARTICLE 1: PROHIBITION OF BRIBERY AND CORRUPTION
Sophos does not participate in any form of bribery or corruption.
It is our policy to comply with all laws, rules and regulations governing bribery and corruption
in all the countries in which we operate. Acts of corruption and bribery are increasingly being
made illegal throughout the world and penalties for breaching those laws are severe.
Sophos will deal with any instance of suspected bribery or corruption seriously. Any actual
instance will result in disciplinary action against those involved, up to and including
termination of employment or contract, and reporting of those persons to relevant regulatory
and criminal authorities. Sophos will support those authorities in any prosecution brought
against those persons. Sophos operates a zero tolerance policy toward bribery and
corruption, no matter what.
This policy extends to all of our business dealings and transactions in all countries in which
Sophos and/or our subsidiaries and associates operate. Local custom and practice is never
a justification for departing from this policy.
You will never be penalized for compliance with these policies and procedures, even if
Sophos loses business or money as a result. If you have concerns or suspicions about
anyone’s conduct or instances where there may be non-compliance with these policies, it’s
important you report them quickly to allow those concerns and suspicions to be promptly
investigated and responded to.
Each of us must take personal responsibility for abiding by this policy. This includes our
most senior managers and directors.
If you have such suspicions and you don’t report them, you could face disciplinary action up
to and including termination of your employment. It really is that serious.
Sophos will routinely assess the risks of becoming embroiled in bribery and corrupt
practices. Based on such assessments we will take action. Please be prepared for updates
and adjustments to the anti-bribery code that we adopt.
Under UK law, bribery and corruption is punishable by imprisonment, fines and if the
company is found to have taken part in corruption it could be excluded from tendering for
Government contracts and face untold damage to its reputation.
If any instance of bribery or corruption is identified, Sophos will take remedial and
disciplinary steps immediately. For the avoidance of doubt, if bribery or corruption is
established, we shall seek legal advice with a view to dismissing any employee involved and
as to our responsibilities to refer such matters to the authorities for them to deal with under law.
Bribery and corruption is an unwelcome feature of business and public life in many
countries. Sophos encourages and supports our employees to make decisions in line with
our stated position on bribery and corruption. Sophos may drive a hard bargain when it is in
our interests, but we are committed to acting professionally, fairly and with integrity.
Sophos prohibits bribery and corruption at all times and in any form, whether direct or
indirect, including through agents, partners and other intermediaries.
Bribery is the offering, promising, giving or accepting of any undue monetary or other
advantage to or by another person such as but not limited to:
* a public official, at national, local or international level;
* a political party, party official or candidate; and
* a director, officer, employee or agent of another organization or an individual in order to
obtain or retain a business or other advantage other than by legitimate and proper means.
Corruption includes solicitation of a bribe, whether or not coupled with a threat if the demand
Sophos presumes that any ‘kick back’ (in cash or in kind) to government officials is a
Any payment or other advantage made to any other person which is not fully and
properly recorded in the terms of the contract by which we do business with them or
otherwise approved by the Legal Department shall be presumed by us to be a bribe.
Sophos also presumes that the engagement of intermediaries such as agents,
subcontractors, consultants or other third parties to channel payments to government
officials or to channel unauthorized payments to any other party (or their relatives, friends
or business associates) is a bribe.
No Sophos employee will ever suffer demotion, penalty or other adverse consequences for
refusing to pay bribes even if such refusal may result in Sophos losing business.
Sophos recognizes that demands for bribes to be paid may be accompanied by threats to
personal safety. These should be rare, but if you are subjected to an immediate threat to
your safety, you may put your personal well-being first even if this means that you make a
payment that would contravene this Code. However, you must immediately report all of the
circumstances of the threat and the payment to Sophos’ General Counsel. If a threat is
made but you have time to notify our General Counsel before making any payment to avoid
the harm to your person, then you should do so.
ARTICLE 2: SCOPE
Every employee and every person associated with Sophos’ business is covered by
this Code of Conduct and our Anti-Bribery Program.
This policy applies to all of Sophos’ business units and extends to all our majority owned
business dealings and transactions in all countries in which we or our subsidiaries and
associates operate. This policy applies in all countries in the world regardless of local
practice and custom.
This Policy applies to all staff, officers, directors, and employees (including contractors and
temporary workers) in our business worldwide. It applies to our agents, partners, resellers,
distributors, consultants, contractors, advisors, other intermediaries and any other third
parties acting on our behalf or representing Sophos. All activities carried out on Sophos’
behalf must be compliant with this policy regardless of local laws or culture.
Sophos operates a policy of individual accountability. We are each accountable for
compliance with this policy.
Agents, Distributors, Consultants and Other Third Parties
Whenever Sophos engages or retains an agent, partner, reseller, distributor, marketing
consultant or other third party in connection with any business being sought, we will
investigate to determine the reputation, beneficial ownership, professional capability and
experience, financial standing and credibility of such person and the record of such person's
adherence to applicable laws in our own and other countries.
Any concerns that such investigation may bring to light must be reported to our General
After Sophos engages with a third party, you have a responsibility to continue monitoring on-
going activities and to report your concerns to our General Counsel. If you know or
reasonably believe that a contravention of this Policy has been, is being or may be made,
you must report it to our General Counsel and, in appropriate circumstances, prevent the
payment or promise of payment from occurring.
Each time Sophos acquires any business as a going concern, the due diligence associated
with the proposed acquisition shall include investigation of the acquisition target's
compliance with the Bribery Act 2010 and related laws and regulations.
Similarly, whenever we decide to undertake business with a joint venture partner, we will
conduct a review of the prospective joint venture partner or partners in order to determine
the reputation, beneficial ownership, professional capability and experience, financial
standing and credibility of the prospective joint venture partner and the history of such
prospective joint venture partner's compliance with the Bribery Act 2010 and related laws
Persons or entities who provide goods or services to Sophos or on our behalf must meet our
standards and abide by our policies and codes of conduct with regard to bribery and
corruption or else they should expect to have their contracts terminated and we will actively
seek to recover any losses we may suffer as a result.
Sophos has developed standard form clauses for inclusion in our trading contracts dealing
with bribery and corruption which, in essence, enable us to terminate contracts if bribery is
established. Unless otherwise approved in writing by Sophos’ Legal Department, all
contracts with partners, resellers, distributors, consultants, and other third parties must
include our standard anti-bribery clauses.
You will be offered compliance training to ensure that you understand your responsibilities
with regard to our zero-tolerance approach to bribery and corruption. Depending on role, the
nature, length and frequency of such training may vary. Attendance at not less than one
such training session each year shall be required.
Failure to comply with this Policy will be grounds for termination or other disciplinary action.
Any questions concerning this Policy may be addressed to Sophos’ General Counsel.
Administration of the Policy and Code
Sophos’ General Counsel or another member of our Legal Department will conduct the
day-to-day administration and enforcement of this Code and Policy. Sophos’ Board retains
the ultimate responsibility for ensuring that we all comply with the zero-tolerance approach to
bribery and corruption.
Employees, joint-venture partners, advisors, consultants, contractors, agents and other
intermediaries representing us are encouraged to raise concerns about any instance of
malpractice at the earliest possible stage. Sophos’ ‘whistleblowing’ policy may be relevant
and is drawn to your attention.
Sophos will establish feedback procedures in order to maintain accurate records to provide
assurance that we are effective in countering bribery and corruption. Any employee or other
person to whom this Policy is directed who suspects a violation of this Policy may occur, or
believes that a violation has taken place, must immediately advise his or her supervisor or
Sophos’ General Counsel.
Failure to so report is a disciplinary matter and will be dealt with accordingly. Disciplinary
action may include the immediate termination of employment or of any business agreement
Any form of discrimination, retribution or retaliation against anyone who has, in good faith,
reported a possible violation of this Policy or refused to participate in activities that violate
this Policy is prohibited and will be treated as a serious disciplinary matter.
Sophos’ board will review the implementation of this policy to test its adequacy and
effectiveness from time to time and shall make improvements as appropriate. Any material
non-compliance shall be reported to shareholders in the Annual Report.
ARTICLE 3: RESPONSIBILITY
Every one of us must take individual responsibility for complying with this Code.
Sophos’ board of directors will ultimately oversee the implementation and enforcement of
this Policy, although the board will seek advice from professionals and delegate tasks to
officers and others within our organization as appropriate.
Sophos’ audit committee or other body with similar responsibility will conduct regular
independent reviews of compliance with this Policy and recommend corrective measures or
improvements as necessary.
Each employee of Sophos must read, be familiar with, and strictly comply with this Policy,
which shall be available on-line and in hard copy via our HR function. Training on all
applicable laws and regulations shall be compulsory upon joining the organization and from
time to time by way of refresher and update.
Laws, regulations and contractual requirements are subject to change, which could require
revision to this Policy. All personnel to whom this Policy is applicable shall keep themselves
current with any such changes and shall comply with such changes regardless of whether or
not the changes have been incorporated into any given version of this Policy.
ARTICLE 4: RAISING CONCERNS AND SEEKING GUIDANCE
Sophos expects you to report suspicious activity without delay and without
We know that our staff and representatives are not experts in the law and this Code is
designed to help you recognize situations that might be of concern.
This Code requires you to raise your concerns promptly if you have a sense that something
unethical or untoward is going on involving Sophos’ business. If you try to look the other
way so as to avoid being witness to bribery or corruption, you may find yourself in
contravention of this Code and the law.
Failure to report a concern may result in the termination of your employment. You may report
a concern in accordance with the Whistleblowing Procedures set out below in order to preserve
your anonymity. If you are unsure what to do or if you have doubts but do not want to get yourself
or anyone else into trouble, you should notify our General Counsel who will consult with you
on a confidential basis.
It is always better to notify your concerns rather than keep them to yourself. If there is an
innocent explanation, then this can be established by our General Counsel. If for any reason
you do not wish to speak with our General Counsel then you should consult the
Whistleblowing Procedures which will set out the names and contact details of others within
Sophos with whom you can discuss matters on a confidential basis. (Please refer to Article 9
below for Sophos’ revised Whistleblowing Procedures.)
If you are offered a financial or other advantage or if you suspect that someone within
Sophos is or is about to offer an improper financial or other advantage, you MUST report this
to our General Counsel without delay.
ARTICLE 5: PAYMENTS TO THIRD PARTIES
All payments made by the business must be above board, transparent and proper. No
payments may be made as a subterfuge for bribery.
It is contrary to this Code to offer, promise, authorize, pay or give, either directly or indirectly,
to any other person (whether a government official or not) any financial or other advantage in
order to secure an improper advantage, to obtain or retain business, or direct business to
any other person or entity.
Sophos therefore insists that:
a) any payment made to any person, such as an agent, representative or intermediary,
represents no more than an appropriate remuneration for legitimate services rendered by
b) no part of any such payment is permitted to be passed on by the agent as a bribe or
otherwise in contravention of this Policy;
c) in each contract with any partners, distributors, advisors, consultants, contractors, agents
and/or other intermediary representing us, such representative must agree not to pay bribes
or otherwise engage in any corrupt practice. We must reserve the right to terminate
agreements with representatives if a bribe is paid or other corrupt practice undertaken;
d) each of our business units and all joint-venture partners, advisors, consultants,
contractors, agents and other intermediaries representing us must maintain an accurate
record of the names, terms of employment and payments to all persons who are retained by
them in connection with transactions with public bodies, state or private enterprises. This
record must be made available for inspection by us and our appointed auditors on demand;
e) no employee, joint-venture partner, advisor, consultant, contractor, agent or other
intermediary representing us is permitted to engage in bribery or any form of unethical
inducement or payment (including facilitation payments and ‘kickbacks’) and all such
persons must avoid any activities that might lead to, or suggest, a conflict of interest with the
business of the Company;
f) we uphold laws relevant to countering bribery and corruption in all the jurisdictions in which
we operate, particularly laws that are directly relevant to specific business practices;
g) all agents, representatives and intermediaries must be properly vetted and due diligence
undertaken on them to ascertain their fitness to represent us before we appoint them;
h) all payments should be approved in writing by a senior person in the business (your line
manager) before making the payment;
i) receipts for payments should be obtained from the recipient; and
j) all payments must be accurately recorded through our normal accounting and financial
procedures without any deception or disguise as to the recipient’s identity or the purpose of
the payment in question.
For the avoidance of doubt, so-called Facilitation Payments are prohibited. Sophos does not
make Facilitation Payments (sometimes known as grease payments) of any kind. The
bribery laws in other countries may not criminalize facilitation payments, but we do not
condone the making of facilitation payments.
Sophos recognizes that in some parts of the world, Facilitation Payments may be sought in a
business-as-usual fashion. Sophos will not pay them and we will not expect to be paid them.
We insist that proper and thorough due diligence is undertaken on those with whom we do
business and, in particular, any organization which represents our interests in any capacity
or which supplies goods or services to us.
In Sophos’ business, we must keep and maintain accurate books and records in
reasonable detail. We are subject to internal audit and controls. All payments must be
properly recorded in our accounts and financial records. Recording such payments in any
way which would conceal their true nature or which is contrary to applicable accounting
standards is not permitted.
Payments of reasonable and bona fide expenses incurred in the proper course of our
business are not prohibited by this Code when they are directly related to the execution or
performance of a contract or other binding obligation.
ARTICLE 6: POLITICAL AND CHARITABLE CONTRIBUTIONS AND SPONSORSHIPS
Sponsorship, political and/or charitable contributions require prior authorization.
The presumption is that Sophos does not make any contributions to political parties, party
officials and/or candidates. All requests for political contributions must be channeled
through our General Counsel. We will only do so if our board of directors establishes in
writing that it is in our interests to do so and then only upon satisfying itself that we are acting
responsibly in accordance with all applicable laws and all requirements for public disclosure.
No such political contributions may be used as a subterfuge for bribery.
Sponsorship or charitable donations might amount to bribery if not undertaken for the right
and proper reasons. Sophos is not against sponsorship or charitable donations in all
cases. As a business, Sophos is pleased to support deserving causes, but not in the
expectation of any reward or influence in return. All requests for sponsorship must be
channeled through our General Counsel in advance.
Similarly, any charitable contributions and sponsorships are not to be used as a subterfuge
for bribery. Charitable contributions and sponsorships must be transparent and in
accordance with applicable law. All charitable contributions and sponsorships must be
approved by our General Counsel in advance.
If you are approached for a charitable donation, sponsorship or a political contribution (in
each case, of any nature or description) you must inform those who approach you that there
is an approval procedure which you are bound to follow and that you will be referring the
matter to Sophos’ General Counsel for approval before responding.
If you wish to undertake charitable works or to seek sponsorship of a personal nature from
your work colleagues, please notify our General Counsel in advance. We will not prevent
genuine fund raising of a personal nature by our employees and associates provided it is
clear that this is unrelated to our business.
If you make personal contributions to charity or to political organizations or if you engage in
any form of sponsorship from your own funds, please make clear to all concerned that such
activity has nothing to do with our business and that you are acting in your personal capacity
outside of work. You must not use any resources of Sophos for, or in support of, your
personal activities in this regard.
ARTICLE 7: GIFTS, HOSPITALITY AND EXPENSES
Sophos only accepts or provides hospitality and gifts within pre-defined limits and
never to secure any improper advantage or to influence a business decision.
Sophos recognizes that to refuse hospitality can cause offence, which is not the intention of
this policy, and that in the ordinary course of business, hospitality is extended and accepted
without amounting to a bribe.
Gifts, hospitality, and sponsorship may only be made and/or received in compliance with this
Code. You are required to complete a written record of hospitality offered/received and any
gifts received/declined, and/or speaker/author/non-executive fees received/declined.
The acceptance of corporate hospitality (other than refreshments offered in meetings held at
business premises) requires prior approval from your Head of Department. You should only
accept corporate hospitality if it is ethically, morally, socially and politically ‘correct’. Nothing
should be accepted that brings you, your colleagues or our business into disrepute.
Hospitality, gifts or expenses which have ‘strings attached’ must be declined. If hospitality has
as its intent or purpose an attempt to secure a business advantage or influence a decision
(e.g. by creating a sense of obligation) then it must be declined.
High value corporate hospitality should be politely declined, unless there are compelling
business reasons to accept such hospitality and such hospitality is approved by your Head
of Department. In any event, approval prior to acceptance of corporate hospitality must be
obtained from our General Counsel where the value of the hospitality exceeds £100.
From time to time, Sophos may notify spending limits applicable to hospitality and
entertainment and you must abide by these rules from the date that they are introduced.
Where you are responsible for relationships with customers and suppliers to our business,
you may entertain people for bona fide purposes only. The value of such hospitality must be
reasonable and proportionate. Lavish entertainment is not permitted by Sophos. Ordinary
hospitality to meet customers, network with customers and improve relationships is unlikely
to be a problem, but please be aware that extraordinary hospitality might be unlawful and
contrary to this Code and the law.
If you offer or provide hospitality and you suspect that it has been misconstrued by the
recipient as an inducement, you must report this to our General Counsel and appropriate
steps must be taken to correct this misapprehension. You should make allowance for the
possibility that acceptance of a gift or hospitality by the intended recipient is contrary to the
recipient’s own rules and policies. You should, therefore, explain to the recipient that it is
perfectly acceptable to refuse your offer of a gift or hospitality and that, should the recipient
prefer, attendance at an event you are running is open for acceptance on the basis that the
recipient pays for himself/herself.
Hospitality in all cases must be reasonable in value, should be offered or accepted in good
faith only in connection with Sophos’ business and should be lawful under applicable local
law. Hospitality should be proportionate to the business portion of the event. The frequency
of hospitality should be carefully monitored, as the cumulative effect of frequent hospitality
may give rise to the appearance of impropriety. Hospitality must not be offered or provided in
return for any favor or benefit or to influence improperly any official decision.
The test to be applied in all circumstances is whether the giving or receiving of any gift or
entertainment is reasonable and justifiable. If the intention or effect of any gift or
entertainment or other hospitality might create a real or perceived influence upon any
person, then further guidance must be sought from our General Counsel before the giving or
accepting of the same.
Under no circumstances may gifts, hospitality or entertainment be offered to or accepted
from any person with whom we are in a competitive tender scenario (i.e. a contract is being
awarded and we are bidding for or awarding that contract.)
Any form of gift or corporate hospitality offered by a tenderer participating in a competitive
procurement exercise should be declined and the offer reported to the person in charge of
such procurement process.
The offer or acceptance of gifts, hospitality or expenses must be limited to reasonable and
bona fide expenditures, and must not improperly affect the outcome of any procurement or
other business transaction or be capable of being reasonably construed as improperly
affecting such outcome. Employees must declare and keep a record of hospitality or gifts
offered and accepted, which will be subject to managerial review.
Care must be taken when giving or being offered entertainment, gifts or hospitality
from persons with whom there is no prior business relationship. All gifts, hospitality and
entertainment offered to a foreign public official (no matter the value) must be approved in
writing by our General Counsel in advance.
Cash may not be given to any third party by way of hospitality or entertainment. Giving
promotional items of nominal value such as coffee mugs, golf balls, calendars, or similar
items displaying the company logo that are distributed for advertising or commemorative
purposes and/or gifts of nominal value is generally permissible, but if in doubt, check with
our General Counsel first.
You are only permitted to accept and keep gifts paid for by third parties of very low value
such as umbrellas, pens, diaries and small branded items. Other gifts should be politely
declined in the first instance, pending authorization in writing from our General Counsel.
Sophos does not intend to cause any offence to the person offering any such gift and you
should make it clear that you have no option but to comply with this Code and that you will
be pleased to accept the gift if Sophos’ General Counsel approves it. Any attempt to
undermine the impartiality of our people by the offer of substantial gifts or other inducements
should be reported to our General Counsel immediately.
There may be rare circumstances where declining the gift is likely to cause major offence
(e.g. gifts from foreign dignitaries or religious leaders). In these circumstances the gift may
be accepted and then donated to charity (with a record noted in the Gifts Register).
Sophos recognizes that you may receive unsolicited token gifts from marketing departments
from time to time, such as calendars at Christmas. You should consider the impact of
displaying or using these items on third parties who may understand the same to reflect a
loyalty to one supplier.
Neither you nor any members of your family are permitted to receive 'personal' direct
sponsorship from any third parties with whom Sophos is in business.
As a general rule, Sophos does not pay for third parties’ travel or other expenses. If there is
a legitimate reason to depart from this rule, you must obtain prior written approval from our
General Counsel. Travel expenses offered to third parties should be reasonable in amount,
should be offered in good faith only in connection with our business and should be lawful
under applicable local law. Reimbursement of expenses requires reasonable proof of
payment (e.g. a receipt) and wherever possible should be made directly to the service
provider (for example, an airline) or the foreign government or agency involved and not to an
Expenses should not go beyond what is reasonably necessary for the business purpose; for
example, lavish accommodations, and expenses for spouses and children or side trips are
ARTICLE 8: DUE DILIGENCE
We only do business with people we have checked out.
Before doing business with any third party, you must check them out. Sophos needs to
know that the third party is who they say they are. We need to know that the third party is
not secretly representing somebody not disclosed to us. Sophos also needs to know that the
party shares our commitment to stamping out bribery.
Sophos must have a written contract with all third parties with whom we do business.
This includes those who represent Sophos and/or provide services to us as well as those
with whom we trade. We must undertake due diligence on all third parties before we
enter into contractual relations.
You must assess the risks of doing business with each third party in advance of
doing business. Based on such risk assessment, you must determine the level of due
diligence to be undertaken on such third party - the greater the risk the more due
diligence must be undertaken, but in all cases due diligence must be thorough and vigilant.
No relationship or association with any third party can commence without entering into
a written contract, including provisions requiring the third party to comply with this Code
and anti-bribery laws, policies and procedures in the country in which such third party
operates and the law in the UK. Such contracts must also permit Sophos to verify
compliance by auditing the third party from time to time.
(A third party includes any person, organization, firm or company other than Sophos
and Sophos’ Group Companies. In particular, any person, organization, firm or company
who provides services to Sophos or engages in any business activity for us is a third
party. Employees of Sophos Group Companies are not third parties for this purpose.)
ARTICLE 9: FINANCIAL RECORDING AND AUDITING
All financial transactions must be properly and fairly recorded.
Sophos complies with standard accounting practices and policies. Sophos is required to
make and keep books, records and accounts which accurately and fairly reflect the business
that we transact, and our assets and liabilities. Accordingly, however immaterial they may
be, payments or gifts must be accurately recorded in our accounts.
All financial transactions must be properly and fairly recorded in appropriate books of
account available for inspection by the board of directors, if applicable, or a corresponding
body, as well as external auditors.
It is your responsibility to ensure that the payment made by Sophos to any third party is not a
bribe and that each receiver is the proper and bona fide recipient of the payment in question.
There must be no “off the books” or secret accounts. No documents should ever be issued
which do not properly and fairly record the transactions to which they relate.
Sophos operates independent systems of auditing, through internal and external auditors, so
as to identify any transactions which contravene this Policy. Sophos complies with all laws
and regulations, including those prohibiting the deduction of any form of bribe payment from
No attempt to disguise the sources of illegally obtained funds is permitted. Any attempt to do
so is a disciplinary matter and dismissal is a possible outcome.
ARTICLE 10: CONFIDENTIAL REPORTING OF CONCERNS (WHISTLEBLOWING)
You must report suspicious activity. You will not be penalized after you do so.
Sophos is committed to conducting our business with honesty and integrity, and we expect
all of our staff to maintain high standards. However, all organizations face the risk of things
going wrong from time to time, or of unknowingly harboring illegal or unethical conduct. A
culture of openness and accountability is essential in order to prevent such situations
occurring or to address them when they do occur.
The aims of this policy are:
(1) To encourage staff to report suspected wrongdoing as soon as possible, in the
knowledge that their concerns will be taken seriously and investigated as appropriate,
and that their confidentiality will be respected.
(2) To provide staff with guidance as to how to raise those concerns.
(3) To reassure staff that they should be able to raise genuine concerns in good faith
without fear of reprisals, even if they turn out to be mistaken.
This policy applies to all individuals working at all levels of the organization, including
directors, officers, senior managers, employees, consultants, contractors, trainees,
homeworkers, part-time and fixed-term workers, casual and agency staff and volunteers
(collectively referred to as “staff” in this policy).
“Whistleblowing” is the disclosure of information which relates to suspected wrongdoing or
dangers at work. This may include:
(A) criminal activity;
(B) miscarriages of justice;
(C) danger to health and safety;
(D) damage to the environment;
(E) failure to comply with any legal or professional obligation or regulatory requirements;
(F) financial fraud or mismanagement;
(H) breach of our internal policies and procedures;
(I) conduct likely to damage our reputation;
(J) unauthorized disclosure of confidential information;
(K) other workplace-specific concerns;
(L) the deliberate concealment of any of the above matters.
A whistleblower is a person who raises a genuine concern in good faith relating to any of the
above. If you have any genuine concerns related to suspected wrongdoing or danger
affecting any of our activities (a “whistleblowing concern”) you should report it under this
This policy should not be used for complaints relating to your own personal circumstances,
such as the way you have been treated at work. In those cases you should use Sophos’
Grievance Procedures or raise your concerns in accordance with our other policies.
If you are uncertain whether something is within the scope of this policy you should seek
advice from your local Human Resources Manager.
Sophos hopes that in many cases you will be able to raise any concerns with your line
manager. You may tell them in person or put the matter in writing if you prefer. They may
be able to agree a way of resolving your concern quickly and effectively. In some cases they
may refer the matter to your local Human Resources Manager.
However, where the matter is more serious, or you consider that your line manager has not
addressed your concern, or you prefer not to raise it with them for any reason, you should
contact one of the following:
- Your local Human Resources Manager,
- Sophos’ General Counsel,
- A member of Sophos’ Senior Management Team (SMT), or
- A Director of Sophos.
Sophos will arrange a meeting with you as soon as possible to discuss your concern. You
may bring a colleague or representative to any meetings under this policy. Your companion
must respect the confidentiality of your disclosure and any subsequent investigation.
Sophos will take down a written summary of your concern and provide you with a copy after
the meeting. We will also aim to give you an indication of how we propose to deal with the
Sophos hopes that staff will feel able to voice whistleblowing concerns openly under this
policy. However, if you want to raise your concern confidentially, we will make every effort to
keep your identity secret. If it is necessary for anyone investigating your concern to know
your identity, we will discuss this with you.
Sophos does not encourage staff to make disclosures anonymously as proper investigation
may be more difficult or impossible if we cannot obtain further information from you. It is
also more difficult to establish whether any allegations are credible and have been made in
good faith. Whistleblowers who are concerned about possible reprisals if their identity is
revealed should come forward to their local Human Resources Manager or one of the other
contact points listed above and appropriate measures can then be taken to
If you are in any doubt you can seek advice from [our confidential counselling hotline or]
Public Concern at Work, the independent whistleblowing charity, who offer a confidential
helpline. Their contact details are at the end of this policy.
The aim of this policy is to provide an internal mechanism for reporting, investigating and
remedying any wrongdoing in the workplace. In most cases you should not find it necessary
to alert anyone externally.
The law recognizes that in some circumstances it may be appropriate for you to report your
concerns to an external body such as a regulator. It will very rarely if ever be appropriate to
alert the media. Sophos strongly encourages you to seek advice before reporting a concern
to anyone external. The independent whistleblowing charity, Public Concern at Work,
operates a confidential helpline. They also have a list of prescribed regulators for reporting
certain types of concern. Their contact details are at the end of this policy.
Whistleblowing concerns usually relate to the conduct of our staff, but they may sometimes
relate to the actions of a third party, such as a customer, supplier, service provider, partner
or distributor. The law allows you to raise a concern in good faith with a third party, where
you reasonably believe it relates mainly to their actions or something that is legally their
responsibility. However, Sophos encourages you to report such concerns internally first.
You should contact your line manager or one of the other individuals referred to in this Code.
Once you have raised a concern, Sophos will carry out an initial assessment to determine
the scope of any investigation. We will inform you of the outcome of our assessment. You
may be required to attend additional meetings in order to provide further information.
In some cases Sophos may appoint an investigator or team of investigators including staff
with relevant experience of investigations or specialist knowledge of the subject matter. The
investigator(s) may make recommendations for change to enable us to minimize the risk of
Sophos will aim to keep you informed of the progress of the investigation and its likely
timescale. However, sometimes the need for confidentiality may prevent us from giving you
specific details of the investigation or any disciplinary action being taken as a result. Unless
specifically informed otherwise, you should treat any information about the investigation as
If we conclude that a whistleblower has made false allegations maliciously, in bad faith or
with a view to personal gain, the whistleblower will be subject to disciplinary action. If such
an allegation against an employee is upheld, that employee is likely to be dismissed without
notice or payment in lieu.
Although Sophos cannot always guarantee the outcome that you are seeking, we will try to
deal with your concern fairly and in an appropriate way. By using this policy you can help us
to achieve this.
If you are not happy with the way in which your concern has been handled, you can raise it
with one of the other key contacts identified in this policy. Alternatively, you may contact
Sophos’ General Counsel or our external auditors. Contact details are set out at the end of
Protection and Support for Whistleblowers
It is understandable that whistleblowers are sometimes worried about possible
repercussions. Sophos aims to encourage openness and will support staff who raise
genuine concerns in good faith under this policy, even if they turn out to be mistaken.
Staff must not suffer any detrimental treatment as a result of raising a concern in good faith.
Detrimental treatment includes dismissal, disciplinary action, threats or other unfavorable
treatment connected with raising a concern. If you believe that you have suffered any such
treatment, you should inform your local Human Resources Manager immediately. If the
matter is not remedied you should raise it formally using our Grievance Procedure.
Staff must not threaten or retaliate against whistleblowers in any way. Anyone involved in
such conduct will be subject to disciplinary action.
The Sophos board of directors has overall responsibility for this policy, and for reviewing
the effectiveness of actions taken in response to concerns raised under this policy. Various
officers of Sophos have day-to-day operational responsibility for this policy, and must ensure
that all managers and other staff who may deal with concerns or investigations under this
policy receive regular and appropriate training.
Sophos’ Human Resources Managers and General Counsel will review this policy from a
legal and operational perspective at least once a year.
All of Sophos’ staff are responsible for the success of this policy and should ensure that
they use it to disclose any suspected danger or wrongdoing. Staff are invited to comment on
this policy and suggest ways in which it might be improved. Comments, suggestions and
queries should be addressed to your local Human Resources Manager or to Sophos’
Any questions or concerns relating to this policy should be addressed to the
Sophos Legal Department: firstname.lastname@example.org .
Version January 2014