This statement is made in accordance with Section 54 of the Modern Slavery Act 2015 (the Act) as it applies to Sophos Limited, a commercial organisation that carries on business in the UK, supplying goods and services and having a total annual turnover of £36 million or more, and all entities in the Sophos Group plc global structure (together Sophos, or the Group). This statement sets out the steps that have been taken during the financial year to 31 March 2017 to ensure that modern slavery is not taking place in the Sophos Supply Chain and in any part of our own business.
The statement has been signed by Nick Bray, a Director of Sophos Limited and Chief Financial Officer and Executive Director of Sophos Group plc, and published on our website www.sophos.com, with a clear link on the homepage.
During 2016, the Group adopted the Sophos Group Anti-Slavery and Human Trafficking Policy (the Policy) and prioritised the establishment and implementation of effective systems and controls, reflective of Sophos commitment to acting ethically, transparently and with integrity in all of our business dealings and relationships.
During 2017, the Group has primarily focused on training, monitoring and the ongoing enforcement of the Group’s systems and processes in order to maintain high standards and to continually improve Sophos ability to effectively manage the risk of modern slavery, including any instance of hidden labour exploitation, taking place anywhere in our own business or in any of our supply chains.
Our structure and business model
Sophos is a leading global provider of cloud-enabled enduser and network security solutions, offering organisations end-to-end protection against known and unknown IT threats through products that are easy to install, configure, update and maintain. The Group’s products are sold through our relationships with more than 30,000 channel partners who deliver to more than 300,000 sales representatives and 150,000 sales engineers. Sophos has approximately 3,000 employees and although headquartered in the UK, it has 52 offices and a number of threat assessment labs and product development centres around the world, including in Asia Pacific, Europe, the Middle East and North America.
Sophos saw significant growth in the number of channel partners and customers during the financial year and our current approach remains effective. As the business continues to grow however, we will continue to monitor our effectiveness, as discussed later in the statement and make adjustments to our approach to ensure it remains proportionate.
The Group’s supply chain in this context consists of approximately 9,000 organisations made up of hardware manufacturers and suppliers, logistic fulfilment centres responsible for the distribution of our products, procurement vendors and recruitment and employment agencies from whom Sophos employees may be sourced (each a Supplier and together the Sophos Supply Chain). Sophos also has close working relationships with works councils in a number of overseas jurisdictions representing the interests and rights of our employees.
We consider that the principal areas in which Sophos faces risks related to slavery, include:
- the Sophos Supply Chain and outsourced activities and in particular those Suppliers located in overseas jurisdictions identified through our human development risk index management tool as higher risk, in accordance with the principles set out by Transparency International, the Global coalition against corruption;
- recruitment in our own business, particularly recruitment through agencies; and
- any Supplier that is identified through the Human Trafficking Risk index (the HTR Index) an assessment tool established by Transparency International, the Global coalition against corruption. The HTR Index provides Sophos with insights into where potential human trafficking may exist using external corporate databases with more than 250 million records and incorporates data from the International Labor Affairs Bureau and the U.S. Department of State. The HTR Index creates an automated, repeatable, closed-loop process to proactively monitor the Sophos Supply Chain for potential human trafficking violations.
Our governance and policies
The Sophos Group plc Board (the Board) has overall responsibility for ensuring the Policy complies with our legal and ethical obligations, and that all those under our control comply with it.
The Risk and Compliance Committee (the RCC), a sub-committee of the Board’s Audit and Risk Committee provides oversight with regard to the implementation of the Policy and monitoring of risks and issues raised through the Sophos Whistleblowing Policy. The Policy sits alongside the existing Sophos Anti-Corruption and Bribery Policy and the Sophos Whistleblowing Policy, and is available at https://investors.sophos.com
The Policy was rolled out to the Group’s employees and the Sophos Supply Chain during the year on a risk assessed basis, primarily focussing on high-risk business functions such as Facilities, HR, Procurement and Supply Chain, and high-risk Suppliers identified via the means set out above. Any breach of the Policy would result in disciplinary action, and potential dismissal for an employee, and the likely termination of our relationship with a Supplier.
The Policy recognises the Group’s responsibilities under the Act, and applies to the Sophos Supply Chain and to all persons working for us or on our behalf in any capacity, including employees at all levels, directors, officers, agency workers, seconded workers, volunteers, interns, agents, contractors, external consultants, third-party representatives and business partners.
All those subject to the Policy are encouraged to raise concerns about any issue or suspicion of modern slavery in any part of our business or supply chains or those of any current or potential Suppliers, at the earliest possible stage. The Sophos Whistleblowing Policy is in place to enable employees to confidentially report matters of concern directly to their line manager or their designated HR manager. Where appropriate, such matters may be brought directly to the attention of the Senior Independent Director and the Chairman of the Audit and Risk Committee, each of whom are independent Non-Executive Directors.
The Group is committed to ensuring no one suffers any detrimental treatment as a result of reporting in good faith their suspicion.
Ongoing assessment of risk
The potential for non-compliance with the Act is assessed as part of the Group’s risk management process. Sophos undertakes this risk assessment with input from external advisers, Dechert LLP. The assessment criteria applied include, business function and geography, together with the principles set out by Transparency International. Each Supplier is also assessed against their HTR Index, a further means of identifying where potential human trafficking may exist using external corporate databases with more than 250 million records, as set out in more detail earlier in this statement.
The formal process for identifying, evaluating and managing significant risks faced by the Group is overseen by the RCC, in association with the work performed by the Internal Audit and Risk Management function. The RCC provide the business with a framework for risk management, upward reporting of significant risks and policies and procedures.
The Group takes a two pronged approach to risk identification: (i) a bottom-up approach at the business function level; and (ii) a top-down approach at the senior leadership team level. All identified risks are assessed against a pre-defined scoring matrix and prioritised accordingly. Any risks identified in the bottom-up approach deemed to be rated as higher risk are escalated in line with pre-defined escalation procedures for further evaluation.
Suppliers: we take one or more of the following actions in respect of each Supplier:
- we ensure that we can account for each step of our hardware manufacturing processes and that we know who is providing the hardware to us that we resell. This is done by using BOMcheck. BOMcheck is an industry-wide regulatory compliance tool which is offered by ENVIRON, and identifies companies that are part of the Sophos extended supply chain that supply components for our hardware products to our immediate Suppliers. Once identified, these companies are then run through our human trafficking index management tool. This provides the business with extended supply chain information and data sources, to support our modern slavery controls;
- we inform our Suppliers that we are not prepared to accept any form of exploitation in their business or any part of their supply chain by publishing our policy and statement on our website. All Suppliers make an annual Sophos Code of Conduct declaration. This declaration includes the identification of all parties that supply products to our Supplier to ensure extended supply chain information is known by Sophos and integrated into our management control processes;
- we complete Live Monitoring on all companies in the Sophos Supply Chain, and any anti-corruption or modern slavery changes for a specific Supplier will trigger an immediate review and business investigation, together with identifying specific risk indicators and categories;
- our standard supply chain contract templates and contracts that we negotiate with high-risk Suppliers contain anti-slavery provisions which prohibit Suppliers and their employees and sub-suppliers from engaging in modern slavery; and
- we conduct regular risk assessments of our Sophos Supply Chain. In cases of high-risk, we audit the Supplier and, as appropriate, we require them to take specific measures to ensure that the risk of modern slavery is significantly reduced.
Recruitment: we take the following actions:
- we always ensure all staff have a written contract of employment and that they have not had to pay any direct or indirect fees to obtain work;
- we always ensure staff are legally able to work in the country in which they are recruited;
- we check the names and addresses of our staff (a number of people listing the same address may indicate high shared occupancy, often a factor for those being exploited);
- we provide information to all new recruits on their statutory rights including sick pay, holiday pay and any other benefits they may be entitled to;
- if, through our recruitment process, we suspect someone is being exploited, the HR department will follow our reporting procedures; and
- we conduct due diligence checks on any recruitment agency that we use to ensure that it is reputable and conducts appropriate checks on all staff that they supply to us.
Mandatory training has been rolled out to all existing Group employees and new joiners alike. Priority was given to the relevant high-risk business functions. Training was accompanied by a suite of internal communications and an online resource facility which is available to all Group employees. Refreshment of these materials will be ongoing.
Since November 2015, Sophos’ standard supply chain contracts have included modern slavery compliance provisions, and similar provisions are included in negotiated contracts with new high-risk Suppliers when first entering in to a business relationship with the Group. All existing high-risk Suppliers have entered in to contract amendments and are therefore, committed to full anti-bribery and modern slavery compliance.
Monitoring and performance review
Sophos engages an external compliance data provider on an ongoing basis, to audit the Sophos Supply Chain and keep it under review. Together with our external compliance data provider, the Group will monitor the performance of the Policy, together with the Sophos Anti-Corruption and Bribery Policy and the Whistleblowing Policy, and will maintain a watching brief on the compliance of all Suppliers through live monitoring tools. Any alert raised through this process will be subject to an internal review and where appropriate, a business investigation of the Supplier identified. During 2017, no material alerts have been raised by our external compliance data provider concerning any Supplier, including recruitment agencies.
All new Suppliers are subject to screening as part of the Group’s existing due diligence processes.
In the event an instance of slavery is identified in a business in the Sophos Supply Chain, the Group will require that immediate remedial action be taken, and provide appropriate support to that end. Should the Supplier ultimately fail to resolve the situation to the Group’s satisfaction, their contract would be terminated. During 2017, no instances of modern slavery were identified, and 25 cases were investigated. Following investigation, no further action was required in the Sophos Supply Chain.
Sophos has introduced key performance indicators (KPIs) to monitor how the Company manages and communicates the Policy and the potential impacts as well as specific concerns regarding modern slavery. These indicators were implemented in consultation with the RCC and the Internal Audit and Risk Management and Legal functions internally, as well as Sophos external compliance data provider.
Indicators used, include:
- Understanding the Sophos Supply Chain
- we can account for each step of our supply and distributor processes and we know who is providing goods and services to us;
- our level of communication and personal contact with the next link in our supply chain and their understanding of, and compliance with, our expectations.
- Code of Conduct and Statement of Compliance
- number/percentage of suppliers and distributors who have signed our Code of Conduct;
- number/percentage of suppliers and distributors who have provided a satisfactory ‘Statement of Compliance’ on their actions to prevent slavery and any concerns have been satisfactorily and promptly resolved;
- Assessment and screening
- number/percentage of new and existing suppliers and distributors satisfactorily screened using risk assessment tools and/or self-assessment questionnaires, including risk scoring and categorization.
- Reports on Concerns
- number of reported concerns of slavery (including if there were none);
- any material issues arising from implementation of the Policy were effectively escalated when the need arose;
- all concerns raised as a result of audits or allegations were promptly followed-up and resolved;
- how we responded to concerns raised or to issues found by screenings, assessments or audits and how we worked with suppliers and distributors to implement corrective action plans.
Performance against these indicators is covered in the quarterly reporting process to the RCC and also the Audit and Risk Committee as part of the Internal Audit and Risk Management reporting cycle.
As a business, we are focused on further expanding our KPIs as part of our continuous improvement process, in order to ensure effective management control mechanisms.
The Board do not believe that the Group’s KPIs for the financial year ending, 31 March 2018 make the business or the Sophos Supply Chain vulnerable to modern slavery. However, this will be kept under ongoing review, and reassessed each year.
The Group’s position and approach to managing our compliance with the Act continues to evolve. However, we continue to be pleased with the measures taken to date, and the processes in place to ensure this will be kept under regular and effective review, and our performance will be measured.
This statement is made pursuant to section 54(1) of the Act. The Board delegated approval of this statement on its behalf to the Chief Financial Officer of the Company, on 7 September 2017.
Director, Sophos Limited
Chief Financial Officer and Executive Director, Sophos Group plc
29 September 2017