Scope

The Compliance Reporting Policy applies to all stakeholders of PSU.

Purpose

The Compliance and Legal Office at PSU is committed to ensuring and demonstrating the highest standards of integrity. This commitment is a core value that is incorporated in the PSU’s code of conduct, and its underlying policies.

There may, however, be situations in which people do not uphold the standards of integrity defined in the Integrity Code. With this Compliance Reporting Policy, the Compliance and Legal Office provides a framework for a reporting procedure and channels for the reporting of any actual or suspected violation of our Integrity Code. The Policy describes what you should do if you suspect or observe such a violation. The structure of this Policy is as follows:

Procedure

The Code of Conduct covers a broad range of principles that are all equally important. PSU firmly believes and supports full transparency and a speak-up culture when it comes to the compliance with any of these principles. PSU expects all employees to report any actual or suspected violation of our Integrity Code and counts on all employees to do this as part of their commitment to our Integrity Code. Further, PSU strongly encourages third parties to report any actual or suspected violations.

It is highly important that actual or suspected violations are reported. This allows the Compliance and Legal Office to follow up and take all corrective actions that are appropriate to limit any potential impact on PSU, employees and/or third parties as far as possible. Below are a few, non-exhaustive examples of matters that need to be reported:

• Human rights violations
• Workplace-related issues (such as safety, harassment, and discrimination)
• Workplace theft/embezzlement
• Bribery or corruption
• Privacy breaches
• Security issues
• Accounting irregularities
• Environmental issues

If you make a report, you are expected to disclose all relevant information known to you in order to assist the Compliance and Legal Office in its response to, or investigation of, a complaint and to allow a proper assessment of the nature, extent and urgency of the matter. The Compliance and Legal Office expects that all concerns are made promptly, meaning as soon as reasonably possible in order to allow the compliance office to follow up on time.

1. Different Reporting Channels

In case you would like to file a report as an employee, there are several channels for doing so. The different channels are described below. The main principle is that PSU employees are expected to first file reports internally, through the channels mentioned in Par. 1.1 and 1.2. If that is not possible (or, for some reason, not desirable) and/or cannot reasonably be required, employees can make use of the Compliance and Legal office.

1.1 Direct report to your line manager

First of all, PSU believes that it contributes to a culture of transparency and trust to discuss any Integrity Code-related concern with your line manager. It expects all its employees to take any report and reporter seriously, keep it confidential and give proper and prompt follow-up if and as appropriate. A direct report to your line manager is not a requirement. You may not be comfortable doing so or there may be specific circumstances (for instance, if your report includes a concern about your line manager’s conduct) that determine that an alternative reporting channel is more suitable.

1.2 Direct report to the Senior Compliance and Legal Manager

You can make a report to the Senior Compliance and Legal Manager. For instance, if you are unable to resolve with your management or if the concern constitutes an immediate threat to PSU and/or the position of yourself or others. Complaints can be submitted to the Senior Compliance and Legal Manager directly in person, or by phone, e-mail or regular mail or by filing a complaint report to be sent to: complianceofficer@psu.edu.sa

2. The handling of reports

2.1 Protocol for investigating reports

The Compliance and Legal Office executes its investigations according to good investigative practices that are globally acceptable, regardless of the judicial process in operation. The main aspects of the report handling process are described below.

2.2 Initial assessment report and assignment

Reports are registered in a database. When a report is registered, the Senior Compliance and Legal Manager (or other person assigned by the Senior Compliance and Legal Manger) will perform an initial review of the report. Following the first review of a report, it may be decided to investigate it or to redirect it to another appropriate grievance channel.

2.3 Key investigation principles

If the Senior Compliance and Legal Manager decides to investigate a report, the purpose of an investigation is first and foremost to gather facts that are relevant to the alleged violation of the Integrity Code. These facts will allow the Compliance Office to perform an accurate assessment of the alleged violation, thereby minimizing the risk of wrongful disciplinary action against any person involved.

The investigation will be conducted in a manner that is fair and responsible with respect to all parties involved. The Integrity Committee has oversight responsibility for ensuring that the report is investigated in an independent, proportionate, impartial and unbiased manner, focusing on fact-finding with due observance of applicable laws, regulations, industry codes and/or policies.

2.4 Confidentiality and privacy

All information in a report, including your identity or the identity of other persons involved in an inquiry or investigation, shall only be disclosed to those functions within PSU (i.e. the investigator(s), the respective Compliance Officer(s) and members of the Compliance and Legal Office) on a strict need-to-know basis. This means that information in a report will only be shared with those who require this information in order to ensure compliance with this policy and legal or regulatory obligations, or as input for subsequent judicial proceedings. PSU employees who participate in an investigation must keep the matter confidential. During an investigation, the Compliance and Legal Office will comply with the privacy rules and applicable laws, including data protection regulations to the extent an investigation includes processing of personal data.

2.5 Investigation methodology

Informing Employee(s) Involved

Prior to the start of an investigation, an investigator will inform employees that are subject to an investigation about the accusation (the suspected violation) and the purpose of the investigation. However, an investigator may decide that there is an overriding interest to delay such action. If the employees are not informed because of an overriding interest, they will be informed as soon as the overriding interest ceases to exist.

Communication

• All official communications should be done through an approved medium and will be recorded for office use and will follow the non-disclosure agreement.
• All records will follow the “Compliance Record Maintenance Policy” for their retention duration.
• Unrecorded reports and communications will not be processed.
• Records will be coming from multiple sources, including written and electronic (video, transcribed, or voice recording) ones.
• All stakeholders are eligible to communicate with the Compliance and legal manager for advice on processing their compliance issues.

Interim Actions

During an investigation, the Compliance and Legal Office may take certain interim actions, for instance, to limit further exposure or to safeguard evidence. This may involve suspension of employees to the extent legally permitted.

Investigation Methods

There are several investigative methods that may be used. A non-exhaustive list of common investigative methods:

• Review of records, files (both hard copy and digital) and other documentation
• Review of (PSU controlled) communication, such as e-mail correspondence
• Interviews
• Site visits

The investigation methods are subject to and with due observance of applicable laws and regulations and boundaries are also set by key investigation principles, such as proportionality.

For interviews, the principle of “fair hearing” will be observed, and the person being interviewed shall be given sufficient opportunity to give his/her view of the facts on which the report is based. The Compliance and Legal Office acknowledges that an employee suspected of involvement in a violation of the Integrity Code may need or want to consult an external (legal) advisor. Each employee involved in an investigation is expected to cooperate with the assigned investigator(s). “See Compliance Investigation Policy”. If an employee withholds relevant information, this constitutes a breach of confidence between the respective employee and PSU. A request to leave an interview will be granted and any form of non-cooperation will be documented by the sole investigator or the investigation team.

Reporting

After finalizing the investigation, the investigator will prepare an initial report detailing the steps taken during the investigation, the facts established and any conclusions drawn.

2.6 Closing of investigation

Distribution of report

After the closure of an investigation, a report may be disclosed to other persons, but only on a need-to-know basis, and in line with the confidentiality principle.

Informing reporter and subjected employees

The investigator will in principle inform the reporter of the main findings of the investigation, but only to the extent that this is relevant to his position. There may be circumstances in which no information or only very limited information can be provided to the reporter, including privacy reasons, commercial interests or the legal position of PSU. If and what information is shared with the reported is a case-by-case decision.

The Compliance and legal manager shall notify any person who is the subject of a report about the outcome and any corrective action that is to be taken as a result of the outcome of the investigation.

Corrective action

The findings of an investigation may result in any corrective actions. Corrective actions may take the form of disciplinary actions. Any such disciplinary actions shall be based on the principles of fairness, consistency and proportionality and with due observance of rules, regulations, policies of PSU and the Saudi (employment) laws. Corrective actions can also include additional measures, such as training, strengthening of internal controls, creation of additional policies or other measures that aim to promote or enhance a culture of compliance. See more in the “Disciplinary, Grievance and Disciplinary and Grievance Appeal Board policies.”