ZTE Chief Legal Officer's Letter to Its Board, Executives, Employees, Suppliers and Business Partners
ZTE Chief Legal Officer
19 February 2019, Shenzhen, China
- ZTE Corporation (0763.HK / 000063.SZ), a major international provider of telecommunications, and enterprise and consumer technology solutions for the Mobile Internet, today issued an open letter to its board, executives, employees, suppliers and business partners by its Chief Legal Officer Mr. Spencer Shen, sharing the company’s major insights on compliance.
According to Mr. Spencer Shen, the basic principle of ZTE's global compliance operation is to abide by business ethics, laws and regulations of the countries where the company operates its business. As a company listed on both the Shenzhen Stock Exchange and the Hong Kong Stock Exchange, compliance management is inevitable for ZTE, and also reflects over 30 years of experience accumulated by ZTE in corporate operation.
ZTE is committed to forming an efficient and organized compliance operation, embedding the compliance system into the whole business process, creating the integration of compliance and business, and establishing a first-class compliance management system in the industry based on its business practices, so as to turn compliance into a competitive business advantage.
The core value of compliance is business sustainability.
Business freedom is the natural hotbed to achieve business growth, and business sustainability is the prerequisite to achieve qualitative growth of business and ensure everlasting operation of the company. From the current internal and external driving forces for strict regulation and corporate governance, ZTE chooses business sustainability as the choice between business freedom and business sustainability. This determines that all regulations implemented by ZTE take business sustainability as the highest priority to ensure the lowest management cost and the highest efficiency under the premise of safe operation, so as to better protect the interests of ZTE’s customers, partners, shareholders, employees and stakeholders.
Compliance realizes the implementation of rules in specific businesses through the double cycle of business and management.
Compliance is a part of corporate governance. Both implicit and explicit meanings of compliance are very broad, as the term may relate to export control, anti-bribery, data protection, customs compliance, labor and employment compliance, etc. ZTE has strengthened its legal compliance team building, subdivided key risk areas, and supplemented experts. ZTE has increased its investment in compliance funds, constantly improved its compliance system for export control and fulfilled its compliance commitments.
Also, ZTE has explored a set of methods combined with its business practices, which constitute the core elements of ZTE's current entire compliance management system, namely, the formulation of reasonable rules, comprehensive training with no dead end, resolute execution and effective inspection.
At the same time, ZTE also introduced the PDCA cycle model into the compliance work, creating a double-cycle model of business and management, so as to enable ZTE compliance management to become a set of methods that can be tracked, executed, implemented and improved.
Three-year compliance strategy to facilitate compliance operations.
ZTE's strategic path will be divided into recovery period, development period and transcendence period. ZTE remains committed to abiding by compliance operations, creating value through compliance, and adhering to the principle of "respecting rules, keeping an open mind and doing things professionally". In particular, ZTE is committed to the following:
·In the recovery period: safeguard values, set the company's compliance red lines, and embed compliance into business processes to achieve compliance awareness in subsidiaries through top-down management.
·In the development period: ensure coordinated development, improvement of compliance rules, effective publicity and implementation, creation of compliance culture, promotion of implementation, strengthening of compliance inspection, and realization of closed-loop control.
·In the transcendence period: bring added value, set up a compliance benchmark, create a compliance brand, and commit to building a first-class compliance management system consistent with the company's business practices.
Meet the commercial sustainability of the industrial chain in the era of 5G.
The spirit of a contract is reflected in the possibility to realize a fine division of labor and industrial chain in human society, and it is also the possibility for the current global companies to gather hundreds of companies. Therefore, ZTE adheres to the credit system and does not damage the contractual relationship with any partner in the industrial chain.
ZTE pursues not only its own business sustainability, but also the business sustainability of its customers, suppliers and other business partners to ensure their safety in the process of cooperation with ZTE, and the sustainable and effective protection of their business relations and interests.
ZTE is committed to optimizing business efficiency and management cost under the premise of safety, making compliance the safety belt of employees and partners and escorting the enterprise along its journey. ZTE and its partners will join hands to create a better future, and win together!
Please refer to the below part for the detailed Q&A:
Question 1: What changes has ZTE made to its compliance system since it received the Denial Order in 2018?
Answer: ZTE has changed and strengthened its compliance system from four aspects, namely the construction of its compliance culture, the investment of compliance resources, the building of its processes and system, and the improvement of professional competence.
·Construction of its compliance culture: The company further clarified that compliance is the strategic cornerstone of ZTE, and determined that all the rules of ZTE regard business sustainability as the highest priority. It aims to achieve the lowest management cost and the highest efficiency under the premise of safe operation. The company maintains a zero-tolerance attitude towards violations to better protect the interests of ZTE's customers, partners, shareholders, employees, and stakeholders. The Chairman of the Board and the President issued a statement to express their determination to build compliance; executives of the company signed the compliance responsibility certificate as the first person responsible for compliance matters in their respective fields. Senior management of the company undertakes compliance commitment on various occasions through methods including internal meetings, video, written documents, and ZTE Forum, to convey the determination and confidence of the company to build compliance to all employees. At the same time, the compliance culture should be strengthened through continuous training for all employees, active advocacy of supervision by all employees, internal reporting culture, and multi-directional external cooperation.
·Investment of compliance resources: ZTE continued to increase its compliance fund investments, to support monitoring team requirements, to strengthen cooperation with external law firms and consultants, and to optimize IT tools, such as GTS(Global Trade System), BPS(Business Partner Screening) and LCM(Legal & Compliance Management system). It also enhanced compliance risk assessment, promoted compliance governance for its subsidiaries, constantly improved the construction of its export control compliance system, and fulfilled ZTE's compliance commitments. At the same time, ZTE has made great adjustments and enhancements to the compliance-related human resources, optimizing the organizational structure:
·The company established a thorough compliance management system under the leadership of the Compliance Management Committee:
- Strengthened the professional team building of the Center of Expertise (COE), subdivided important risky areas, attracted more experts, and set up proper rules.
- Expanded full-time BU compliance teams, and built a bridge between COE departments and business units through a full coverage of full-time BU compliance teams.
- Set up Points of Contact (POCs) in business units. The combination of full-time BU compliance teams with POCs could realize top-down management in its subsidiaries, and deliver company’s compliance visions and policies to the marketing and sales team.
- At present, ZTE has more than 400 full-time legal and compliance employees, accounting for about 0.6 % of the total number of its employees, and about 400 POCs in business units.
·Processes and system construction: ZTE has enhanced the review and decision-making of major compliance matters and improved sorting of related rules based on business scenarios. By updating members of the Compliance Management Committee in accordance with the company's latest personnel arrangements, the company ensures that its senior executives are involved in compliance decision-making. This enables business leaders to be directly responsible for the compliance of the business under their jurisdictions. The formulation of company-level compliance policies, as well as the review and decision-making for major compliance matters that may cause serious impacts on the company's sustainable operation, becomes the regular work of the Compliance Management Committee. ZTE also has upgraded its business-related compliance processes and policies, built a pyramid-structured compliance rule system in which policies, regulations, and guidance are distributed from top to bottom, and embedded compliance checkpoints in specific business processes. Activation and optimization of IT systems, including but not limited to the LCM, GTS, ECCN(Export Control Classification Number), BPS, and Forensics Master systems, enables online processing of those compliance checkpoints, thus reducing or eliminating manual processing.
·Professional competence improvement: ZTE actively works with external top organizations, including Hogan Lovells, Price Waterhouse Coopers, and Deloitte, to deal with related compliance issues. At the same time, ZTE takes the initiative to improve its compliance capabilities, and enhances its ability to make and implement the rules and regulations. It is committed to establishing a best-in-class compliance system in accordance with ZTE's business practices.
Question 2: How's ZTE's export control compliance work going?
Answer: Export control compliance is the responsibility of all ZTE employees. ZTE now is taking various measures to improve its export compliance projects, creating value for ZTE and its business partners.
ZTE's senior executives are committed to advancing comprehensive export control compliance in the company. On July 26, 2018, Chairman Li Zixue and President Xu Ziyang released a statement to all ZTE employees, expressing the senior management's continuous and utmost determination to implement export control compliance. At the same time, they issued the latest 2018 export control compliance policies, and required all of the employees to sign a compliance certificate to ensure their compliance to all applicable export control laws and regulations.
·Enhancing the Investment of Resources in Export Control Compliance
ZTE has invested a large amount of resources in the field of export control compliance. Now, the Export Control Compliance Dept involves a Chief Export Control Compliance Officer, multiple Regional Export Control Compliance Directors working in China, Europe, Americas, and the Middle East region, and other directors, managers, supervisors, and support personnel working in China and other countries. Meanwhile, ZTE has established an efficient communication channel with external parties and has received wide support and guidance from external legal and consulting teams. ZTE plans to continuously increase the investment of these resources to ensure the company's export control compliance.
·Issuing the Export Control Classification Information
ZTE and its subsidiaries have released ZTE products' ECCN, subject to the export control of the United States. This ECCN list is released on the website of ZTE in both English and Chinese. Moreover, ZTE will continue to collect the ECCN and relevant classification information from its business partners to ensure the export compliance of the company's supply chains and distribution channels.
·Updated Export Compliance Manual
ZTE has released an updated and enhanced Export Compliance Manual. The manual is applicable to ZTE Corporation and its subsidiaries. ZTE will continue to improve and update the manual and will promote its export compliance projects in accordance with its business practices.
·Export Compliance Processes of ZTE Subsidiaries
With the assistance of external lawyers and consultants, ZTE's compliance team has reviewed and perfected the export control processes of its subsidiaries in China and around the globe.
·Export Compliance Training
ZTE and its subsidiaries have conducted export compliance training for all staff, including the export compliance awareness training and the training based on respective function. ZTE's own compliance team and employed external consultants are currently developing additional export compliance training courses, including the online training courses.
ZTE will continue to work on export compliance, develop and upgrade its export compliance projects, and work with the Special Compliance Coordinator and the Monitor to achieve the Company’s compliance goals.
Question 3: What's ZTE's progress made in its compliance work regarding anti-commercial bribery?
Answer: ZTE is always committed to high standards of ethics and integrity, complying with the anti-corruption and anti-bribery laws of the countries where our business is located, and eliminating any forms of corruption and bribery. With the support of the management and the continuous input of resources, ZTE keeps improving its anti-bribery compliance management system, and carries out risk assessment on the business regularly, as well as continues to optimize the risk assessment mechanism exactly based on the business situations, which ensure the comprehensive and accurate identification and control of the risks of bribery. Moreover, ZTE keeps optimizing the process design and enhancing IT construction to gradually realize the integrated management and control of the whole process. In addition, ZTE develops anti-bribery compliance courses for all employees and key positions to raise their awareness of anti-bribery compliance. Every year, ZTE audits and inspects the anti-bribery compliance management system regularly to monitor and evaluate the implementation of the anti-corruption policies.
Question 4: How’s ZTE’s progress made on its data protection compliance work?
Answer: ZTE complies with global applicable data protection laws and regulations, especially the General Data Protection Regulation (GDPR), and embeds data protection requirements into the processes of our business activities. The Compliance Management Committee of ZTE is the highest management body for the company's data protection compliance. In order to ensure the effective implementation of data protection requirements, ZTE has set up three lines for control and management: business units, compliance departments, and supervision units. According to the requirements of GDPR, ZTE appointed a data protection officer of the European Economic Area. ZTE introduced a data protection impact assessment methodology to evaluate some of our products and services. In the business scenarios where GDPR is applicable, ZTE has:
- Initially established a personal data dictionary to record personal data streams.
- Promulgated a series of data protection management specifications covering marketing, engineering services, IT, supply chain, R&D, human resources and other business areas to ensure that the entire process is regulated.
- Established a personal data leakage emergency response process.
- Established a data subject response process.
- Established a data retention and destruction system and gradually embedded it into the IT process.
Standardized and optimized the data protection requirements for the personal data processing activities of suppliers to whom GDPR applies and embedded the compliance requirements in the management process.