Anti-Bribery & Corruption — Module 1 of 4

Hospitality

When a client's invitation blurs the line between networking and inducement — three days before a contract decision.

Your Role

Alexa Reeves

Compliance Manager, Meridian Engineering Pty Ltd

Two years into the role. You were hired to build the compliance programme from scratch — the policies exist, the training is planned, but it hasn't been truly tested yet. Today, it will be.

Meridian Engineering Pty Ltd has grown from 280 to 600 employees in four years, driven by international project wins in infrastructure and energy.

The Gifts & Hospitality Policy requires pre-approval for hospitality above A$950. During active tenders or contract renewals, the threshold drops to A$475.

David Mercer, Business Development Director, brought in A$34M of contracts last year. He is Meridian's most commercially important employee. You report to Helen Carr, CFO.

Before You Start

How This Works

This is a decision-driven scenario. You'll face real decisions — and your choices shape how the story unfolds.

+3 Best practice — the response a compliance expert would choose

+1 Reasonable but incomplete — you're on the right track

−2 Risky or non-compliant — learn why this path creates problems

Tip: Highlighted text like Criminal Code s.70.5A is clickable — tap to read the legal reference in full.

Portrait of David Mercer, Business Development Director

Tuesday, 4:47 PM

Narrator

You're heading to the kitchen when David Mercer catches you in the corridor. Just back from London — suit jacket over one arm, looking relaxed. He mentions it almost as an afterthought.

David Mercer

Alexa — good timing. Quick one. I was at the Grand Final over the weekend. Corporate box, Haldane's invite. Took Jenny from proposals. Spectacular match — a Magpies-Cats grand-final showdown. Anyway, just thought I'd mention it. Should I log it somewhere?

You

David, the Haldane contract renewal is next week.

David Mercer

Exactly. That's why the relationship matters. Look, this isn't a brown envelope, Alexa. It's tennis. Everyone does it.

Tuesday, 5:10 PM

Back at your desk

You pull up the details. The picture is worse than you thought.

Detail	Value
Event	AFL Grand Final — MCG Corporate Box
Date	Saturday, 5 July
Host	Haldane Infrastructure (client)
Estimated value per person	~A$4,800 (hospitality package incl. champagne, lunch, afternoon tea)
Meridian attendees	David Mercer (BD Director) + Jenny Ashworth (Proposals Manager)
Total estimated value	A$9,500
Haldane contract renewal decision	Wednesday, 9 July — 4 days after the event
Pre-approval obtained?	No
Gifts register entry?	None
Policy threshold (active contract period)	A$475 — exceeded by 20×

The hospitality exceeds your policy threshold by a factor of twenty. Accepted during an active contract renewal. No pre-approval, no register entry.

Your phone buzzes. Helen Carr: "David mentioned the Grand Final thing. Come see me first thing tomorrow."

Portrait of Alexa Reeves, Compliance Manager

Tuesday, 5:25 PM. The facts: A$9,500 of hospitality, ten times the policy threshold, accepted during an active contract renewal with no pre-approval. David sees no problem. Helen wants a meeting tomorrow. The next 12 hours decide whether this is a policy breach or criminal exposure.

What is your first action?

Your choice

Log, notify, and brief Helen

Log the hospitality retrospectively, require David to disclose to Haldane's compliance team, and brief Helen fully. Under Criminal Code s.70.5A, 'adequate procedures' means reactive logging and disclosure at minimum.

Your choice

Log it and have a quiet word with David

Enter it retrospectively in the gifts register, have a private word with David about pre-approval. No need to involve the client or escalate beyond Helen. Proportionate for what is essentially a paperwork failure.

Your choice

No action needed - it's corporate hospitality

The Criminal Code doesn't prohibit reasonable hospitality. David is right - this is how relationships work. Escalating damages his trust and risks the client relationship.

Wednesday, 8:15 AM — Helen's Office +3

You

Helen, I've logged the Grand Final hospitality. A$9,500, contract-renewal window, no pre-approval. I've drafted a disclosure letter for David to send to Haldane's compliance team.

Helen Carr

A letter to their compliance team? That's a bit much. We don't want Haldane thinking we're accusing them.

You

It's transparency, not accusation. If we stay silent and questions surface later, silence looks worse than the hospitality.

Helen Carr

And if David pushes back?

You

He will. But Criminal Code s.70.5A holds the company liable without adequate procedures. We have a policy. We need to enforce it.

Why This Was Defensible

Logging, client-side disclosure, and a CFO briefing build the documentation trail Criminal Code s.70.5A demands. Adequate procedures aren't written policies. They're enforced ones. Under Adequate Procedures element 1: 'Risk assessment', the response must be proportionate to risk. A$9,500 three days before an A$8M decision is material.

Wednesday, 8:15 AM — Helen's Office +1

You

Helen, I've logged the AFL Grand Final event in the gifts register. A$9,500 total, no pre-approval. I've spoken to David about the pre-approval requirement.

Helen Carr

Good. And David?

You

He understands. Says it won't happen again.

Helen Carr

Fine. Let's move on.

The Gap in This Approach

You've created a register entry, which is better than nothing. But a retrospective log without disclosure to the client leaves a gap. If Haldane's own compliance team later discovers the hospitality during their audit, Meridian will be asked: "You knew about this and said nothing?" Under Adequate Procedures element 6: 'Monitoring and review', adequate procedures require not just recording but reviewing and acting on hospitality that exceeds thresholds. A verbal warning with no documented follow-up means, if this happens again, you have no evidence that David was told — which weakens your Criminal Code s.70.5A defence.

Wednesday, 8:15 AM — Helen's Office −2

Helen Carr

Alexa, what's your read on the Grand Final?

You

Standard corporate hospitality. David's done it for years. The Criminal Code doesn't prohibit reasonable hospitality.

Helen Carr

Reassuring. I didn't want to overreact.

Narrator

The Criminal Code (Cth) doesn't prohibit hospitality. But you've missed the word reasonable. A$9,500 three days before a procurement decision isn't reasonable. And by not logging it, you've ensured no record exists that Meridian even knew - exactly the gap s.70.5A 'failure to prevent foreign bribery' (Sept 2024) was built to close.

The "Everyone Does It" Trap

Criminal Code s.141.1 criminalises giving anything of value to induce improper performance. Hospitality doesn't need to be a "brown envelope" to qualify. The Adequate Procedures guidance (2024) is clear: value and timing are the strongest indicators, and this event scores high on both. Inaction fails the most basic s.70.5A test - you knew and did nothing.

Wednesday, 11:30 AM

Pattern in the register

You're reviewing the gifts register when you find something you didn't expect.

Three months ago, Meridian hosted Haldane's procurement team at a State of Origin rugby league match at ANZ Stadium — corporate tickets worth A$3,400. Logged by David as 'client relationship event', pre-approved by his line manager (not compliance). The same Rob Langley from Haldane attended.

This isn't a one-off. It's a pattern. Two hospitality events, same client, same procurement contact, within a single contract cycle. Combined value: A$13,000.

Your policy says hospitality above A$950 during an active contract renewal requires board notification. Helen has already asked you to keep this 'proportionate' — she doesn't want it going to the board.

Activity — Listen & Decide

David follows up after the meeting. Listen to his pitch before deciding what to do.

David Mercer — follow-up call

Press play to listen

Listen to the audio to unlock your choices.

Your choice

Accept, but first get Helen to authorise it in writing so there’s a paper trail.

Your choice

Decline, and log David’s approach in the gifts register as an offered (not accepted) item.

Your choice

Decline and self-report the offer to the AFP as a precaution.

Your choice

Accept and attend — you’ll log it in the register the next day to keep records clean.

Activity — Gifts & Hospitality Register

Log the Criterion Restaurant dinner accurately. Every field matters — a wrong value here could mean this entry doesn’t trigger the compliance flag it should, or that a defensible event gets escalated unnecessarily.

Received from

Description

Estimated value

Active tender / renewal?

Pre-approval obtained?

Helen calls you in. She's read your review. "Taking this to the board turns a manageable situation into a crisis. They'll panic. David will feel ambushed. We could lose the contract over optics. I'm not asking you to bury it. I'm asking you to be proportionate."

How do you handle the escalation?

Your choice

Follow the policy - notify the board

Policy is clear: hospitality above A$950 during an active contract requires board notification. A$13,000 across two events with the same procurement contact isn't borderline. Under Adequate Procedures element 6, selective enforcement is worse than no policy.

Your choice

Propose a documented compromise

Skip the board if David sends a written disclosure to Haldane, both events get a full compliance review note, and David signs a written policy acknowledgement. Defensible paper trail without board alarm.

Your choice

Defer to Helen - she's the CFO

Helen hired you and says this is proportionate. She knows the board dynamics and the commercial relationship. Going over her head damages the working relationship you need.

Thursday, 10:00 AM — Boardroom +3

Helen Carr

For the record, I think this is disproportionate. But Alexa has a point about the policy.

You

The combined hospitality with Haldane totals A$13,000 during an active contract renewal. Our policy requires board notification above A$950. I'm not suggesting anyone acted in bad faith — I'm asking the board to note the disclosure and confirm next steps.

Helen is unhappy, but she hasn't overruled you. The board receives the disclosure professionally. One non-executive director — a former regulator — notes that this is exactly how adequate procedures should work.

Why Enforcement Matters More Than Policy

The Criminal Code s.70.5A defence requires 'adequate procedures.' Courts and the AFP look at whether procedures were followed in practice, not just whether they existed on paper. Selectively ignoring your own escalation threshold — even at the CFO's request — creates a precedent that undermines every policy you've written. Under Adequate Procedures element 6: 'Monitoring and review', monitoring and review means the policy is enforced when triggered, not just when convenient.

Wednesday, 3:30 PM — Helen's Office +1

You

Helen, I won't take it to the board — yet. But I need three things: David sends a written disclosure to Haldane's compliance team, both events get a full compliance review note on file, and David signs a written acknowledgement of the pre-approval policy.

Helen Carr

That sounds reasonable. I'll talk to David.

You

One more thing. If anything similar happens again — with any client — it goes to the board automatically. I need that commitment from you.

Helen Carr

Agreed. Let's close this out.

The Proportionality Judgment

Adequate Procedures element 1: 'Risk assessment' says procedures must be 'proportionate to the bribery risks faced.' Your compromise creates documentation, which is positive. But bypassing your own board notification threshold means a future auditor or prosecutor may ask: 'What was the real threshold?' The documented safeguards partially mitigate this — but they don't fully replace the governance step your policy requires. You've created a precedent that the board notification rule is negotiable.

Wednesday, 3:30 PM — Helen's Office −1

You

You're right, Helen. I'll keep this at our level. The register entry is there, David knows the policy. I don't think we need to escalate further.

Helen Carr

Good call. Sometimes proportionate means knowing when not to make a mountain out of a molehill.

Narrator

Helen is relieved. The board never learns that A$13,000 of hospitality was exchanged with a client during a live A$8M contract renewal. Your policy says board notification is required above A$950. You've now created a documented case where the policy wasn't followed — and the reason was your boss told you not to.

Independence of the Compliance Function

If the Compliance Manager doesn't follow the compliance policy, the policy has no credibility. Under Adequate Procedures element 5: 'Third-party due diligence', staff must believe the company's anti-bribery procedures are real. When the compliance function makes exceptions on request, the message to the organisation is clear: the rules are optional. The Criminal Code s.70.5A defence is significantly weakened when 'adequate procedures' existed only on paper.

Thursday, 3:00 PM

David Mercer

David is in your office. He's not hostile — but he's not happy.

"Alexa, I've been at Meridian for twelve years. I've built relationships that keep 600 people employed. I've never taken a bribe, I've never offered one, and I resent the implication that a day at the footy makes me corrupt."

"If compliance is going to question every client dinner, every event invitation — good luck getting anyone in BD to tell you anything in future. They'll just stop reporting."

He's not wrong about the reporting risk. If people stop telling you about hospitality because they're afraid of the consequences, you'll have no visibility at all. The question now: what do you put in place so this doesn't happen again?

Friday, 10:00 AM. The immediate situation is contained. Now you need to recommend something to the CFO and the board to prevent recurrence. David's warning about people 'stopping reporting' is real. Whatever you propose has to feel like a business enabler, not policing.

What do you recommend?

Your choice

Mandatory pre-approval, training, and board reporting

(1) mandatory pre-approval above A$475 via a 90-second form, (2) annual scenario-based training, (3) quarterly board reporting. Integrates Adequate Procedures elements on risk, due diligence, and monitoring.

Your choice

Update the register and send a policy reminder

Require pre-approval above A$950 in the register, send a company-wide reminder, raise it at the next all-hands. Raises awareness without new bureaucracy.

Your choice

Note David's file and move on

The policy covers this. The problem was David. File a note recording the breach. If it recurs, you have a documented pattern. No need to change a policy that works on paper.

The following Monday, 9:00 AM +3

Helen Carr

Walk me through this.

You

Three components. A 90-second pre-approval form, auto-routed to compliance, 24-hour response. Annual scenario-based training. Quarterly board reporting on aggregate data and anything above threshold.

Helen Carr

David's going to hate the form.

You

He'll use it if it's 90 seconds and we approve most within 24 hours. If David had called before the Grand Final, we could have approved with conditions and had a clean file. Additional cost: roughly zero. The cost of not doing it is a Criminal Code s.70.5A prosecution we can't defend.

The Three Pillars of Adequate Procedures

Principle 1 (Proportionate Procedures): pre-approval calibrated to actual risk. Principle 5 (Communication and Training): scenarios teach the why, not just the what. Principle 6 (Monitoring and Review): quarterly board reporting makes the system self-correcting. Easy systems get used. Policing gets circumvented.

Friday, 2:00 PM +1

You

I've updated the register to require pre-approval above A$950 and drafted a company-wide reminder. I'll present the policy at the next all-hands.

Helen Carr

Sensible. Not too heavy-handed.

Narrator

The email goes out on Monday. 73% of staff open it. By Friday it's forgotten. Eight months later, another BD manager accepts an invitation to the Emirates Stadium from a contractor bidding on a subcontract. He doesn't pre-approve it — because he didn't read the email either.

Communication vs. Training

Adequate Procedures element 5: 'Third-party due diligence' distinguishes between 'communication' (telling people the policy exists) and 'training' (ensuring they understand and can apply it). An email achieves the first but not the second. If a similar breach occurs after the email, a prosecutor will ask: 'What did you do beyond sending an email?' If the answer is 'nothing,' your Criminal Code s.70.5A defence is weaker than before — because now you knew the system wasn't working and still didn't fix it.

Friday, 2:00 PM −2

You

I've drafted a note for David's personnel file documenting the policy breach. The policy already covers this — he just didn't follow it.

Helen Carr

Fair enough. These things happen.

Narrator

The note goes into David's file. David never sees it. No one else in the business learns anything from the incident. The pre-approval process remains a paragraph on page 7 of the employee handbook. The gifts register remains a spreadsheet that compliance reviews annually — retroactively, after the events have already happened.

Individual vs. Systemic Failure

Criminal Code s.70.5A holds the commercial organisation liable, not the individual employee. Even if David is personally at fault, Meridian's exposure depends on whether the company's procedures were adequate to prevent the conduct. A file note on one employee's record does not constitute monitoring, review, training, or procedural improvement. Under Adequate Procedures element 6: 'Monitoring and review', the company must show it reviews and updates its procedures in light of experience. This incident is experience — and nothing changed.

Six Months Later

The Reckoning

The Haldane contract was renewed — the hospitality didn't influence the outcome. But what happens next depends on the system you built.

Module complete. Continue when you're ready.

Your Result

/ 9

Your Decisions

Key Lessons

1. Hospitality isn't automatically a bribe. Value, timing, and proximity to a commercial decision are what the AFP examines first.

2. The s.70.5A defence needs enforced procedures, not written ones. A policy nobody follows isn't adequate.

3. Compliance that's easy to use gets used. A 90-second pre-approval form enables business. A 30-page manual is a filing exercise.

4. Risk assessment, due diligence, and monitoring work as a system: proportionate controls plus training on the why plus monitoring that catches patterns early.

Key Legal References

Criminal Code s.141.1

Bribing another person

Criminal Code s.70.5A

Failure to prevent

Adequate Procedures element 1: 'Risk assessment'

Proportionate procedures

Adequate Procedures element 5: 'Third-party due diligence'

Communication & training

Adequate Procedures element 6: 'Monitoring and review'

Monitoring & review

AFP Guidance

Hospitality approach

Ready to complete this module?

Take the 5-question knowledge check to record your completion.

Take the Module Quiz →

Module 2 of 4

Next: Grease

Equipment stuck at Accra port. A$16,000/day in liquidated damages. The customs official wants $2,000.

Complete the quiz, then launch Module 2.