Combatting Corruption Through Compliance: Part 2: The Five Steps of a Risk Assessment

June 25, 2020
By: Scott Nance, Principal, Langley Compliance Consulting LLC*

Detecting and preventing corruption should be an integral part of any organization’s efforts in the battle against financial and economic crime.

Though we often think of corruption involving public officials, corruption also occurs at the commercial level. An effective anti-corruption compliance program should always seek to address both varieties of corruption. As with other areas of financial and economic crime, preventing corruption within an organization requires an effective and robust internal compliance system.

OFAC’s “Framework for Compliance Commitments”, the OECD handbook, the Department of Justice’s Guide to the FCPA, and the UN Practitioner’s Guide all identify the following as elements of an effective anti-corruption program.

  1. Commitment by Top Management;
  2. Risk Assessment;
  3. A System of Internal Controls;
  4. Periodic Testing and Audit; and
  5. Training

In this series on combatting corruption, each of the above components will be discussed and analyzed to provide tips on how your organization can best build an effective compliance system and ensure compliance with global anti-corruption laws.

In Part Two, we will explore the second of these components: Risk Assessment.

The Five Steps of an Effective Risk Assessment

To fight corruption, an organization needs to know what its risks of corruption are. The starting point for combatting corruption is assessing an organization’s vulnerabilities. Regulators typically require that compliance systems be risk-based. As such, a risk assessment is the foundation of any compliance system for combatting corruption.

The scope and nature of a corruption risk assessment depends upon the characteristics of the organization. No one size fits all. In general, however, every risk assessment will follow five steps.

  1. Establish the Risk Assessment Process

Establishing your organization’s risk assessment process will involve a number of tasks, such as: deciding who will conduct the assessment (personnel within the organization, outside consultants, or some combination of the two); specifying the methodology; creating a timetable; and setting how often the assessment will be performed. While one person or unit should have primary responsibility, gathering and analyzing the information needed will involve multiple functions within the organization, including Compliance, Risk Management, Legal, Internal Audit, Accounting, Finance, Procurement, Sales and Marketing, Supply Chain, Human Resources, Government Relations, and Public Relations.

Ultimately, upper management should provide oversight of the process. As well as deciding who should conduct the assessment and approving the methodology, the oversight function also involves setting overall risk tolerance levels, evaluating the outcome of the assessment, and approving strategies for mitigation. For more information about Management Commitment, see Part One of this series.

  2. Identify the Risks

The risks from corruption can be legal, commercial and operational, and reputational. The legal risks are potentially the most important, as violation of anti-corruption laws can lead to fines, debarment from government contracting, and other consequences.

The risk assessment process should begin with a review of the anti-corruption laws that apply to the organization, including those of both its home country and the other countries in which it operates or does business. This allows the organization to determine its legal obligations. It is important to remember that the anti-corruption laws of some countries, such as the United States and the United Kingdom, may apply even to conduct by foreign companies. The U.S. Foreign Corrupt Practices Act, for example, applies to “issuers”, companies whose shares are listed on a U.S. stock exchange or that file reports with the SEC, wherever they are incorporated, even if the conduct in question does not involve any U.S. person or activity.

The risks of corruption an organization faces largely reflect the interplay of a number of factors, including its industry; business structure and processes; presence in the market; and the countries in which it operates. Different divisions or segments of the organization may face different risks. Not all risks are equal, and the risk assessment should devote more time and attention to the areas that appear to present higher risks.

  • Industry. Some industries present higher risks of corruption than others. Industries where the government is a major or predominant customer, such as defense, are an obvious example. Industries that are subject to heavy government regulation or approval may also be more prone to corruption. These include industries such as mining, energy, or telecommunications, where government permission to act is required, and where the investments can be quite large. In general, both political and commercial corruption may be more likely if the industry involves relatively few, very large sales, as the incentive to engage in corruption to make a sale may be greater.
  • Business structure and processes. The size and structure of an organization, and the manner in which it conducts business, has a direct impact on the risk of corruption. A large, decentralized organization, where divisions or foreign subsidiaries enjoy autonomy, may face higher risks of corruption. Risks may also vary by the type of operation, with export sales having a different risk profile from domestic sales, which may have a different risk profile from procurement. Similarly, the way the organization does business, such as through distributors rather than by direct sales, may increase risks. The risk is especially high where an organization uses consultants or agents to obtain or maintain business, as “consultants” are often a vehicle for corrupt payments.
  • Presence in the market. Whether a company is well established in a market, or is trying to enter or expand its presence, also affects risk. Companies that are new to a market, especially in a heavily regulated industry or one selling directly to the government, may be more likely to attempt to use corrupt methods to speed the process along.
  • Geography. Geography is a major risk factor for corruption. Some countries are simply more corrupt than others. Even within a country, some jurisdictions may be more prone to corruption. In the United States, for example, a company may be more likely to encounter requests for “favors” from a government official in New Jersey than in Virginia.

  3. Quantify the Identified Risk

It is necessary to assess risk not just qualitatively but also quantitatively, so that all aspects of the risk posed are understood.

In general, risk equals the probability of an event multiplied by its impact. Of course, there is no fixed way to quantify either probability or impact. The aim is to allow the comparison of relative risks, so that the organization can impose the appropriate measures.

To identify and quantify risk, it will be necessary to consult employees across the various functions, divisions, and subsidiaries. It may also be helpful to discuss this with business partners, if appropriate. For some types of risk, such as geographical risk, outside sources, such as Transparency International’s Corruption Perceptions Index, may be useful.

  4. Mitigate the Risk with Internal Controls

The goal of a risk assessment is to identify the risks of corruption so that the organization can develop measures to mitigate those risks. This involves the design and implementation of a system of internal controls, which will be the subject of Part Three of this article series.

  5. Calculate the Residual Risk

It is impossible to eliminate all risks of corruption. As part of the risk assessment process, it is worthwhile to estimate the residual risk after the organization has applied internal controls. At that point, the organization can decide to implement additional controls, or it may simply accept the residual risk.

This is a function of the organization’s overall risk tolerance, a tolerance upper management should establish. This too will be discussed in Part Three of this article series.
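The scoring described under steps 3 and 5 can be kept in a small risk register. The Python below is an added illustration, not code from the article or from Langley Compliance Consulting: it applies the article’s formula (risk = probability × impact), then estimates the residual score after internal controls and compares it with the tolerance set by management. The 1–5 scales, the control-effectiveness figures, the rating bands, and the three sample risk scenarios are all assumptions constructed for the example.

```python
"""Added example: a minimal corruption-risk register.

Assumptions (not from the article): 1-5 ordinal scales for probability and
impact, controls modelled as independent fractions of risk removed, and the
rating bands below. The sample risks are constructed for illustration.
"""
from dataclasses import dataclass, field

# Assumed 1-5 scales; the article prescribes no particular scale.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed fraction of the risk the control removes, 0.0-1.0


@dataclass
class Risk:
    scenario: str
    probability: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before controls: probability x impact (the article's formula)."""
        return PROBABILITY[self.probability] * IMPACT[self.impact]

    def residual(self) -> float:
        """Risk after controls. Each control independently leaves (1 - e) of the
        risk; this multiplicative model is an assumption of the example."""
        remaining = 1.0
        for control in self.controls:
            if not 0.0 <= control.effectiveness <= 1.0:
                raise ValueError(f"effectiveness out of range for {control.name!r}")
            remaining *= 1.0 - control.effectiveness
        return round(self.inherent() * remaining, 2)


def rating(score: float) -> str:
    """Assumed bands over the 1-25 score range."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(risks, tolerance: float):
    """Rank risks by residual score and record the step-5 decision for each:
    accept the residual risk, or add controls because it exceeds tolerance."""
    ranked = sorted(risks, key=lambda r: (r.residual(), r.inherent()), reverse=True)
    return [
        {
            "scenario": r.scenario,
            "inherent": r.inherent(),
            "residual": r.residual(),
            "rating": rating(r.residual()),
            "decision": "accept" if r.residual() <= tolerance else "add controls",
        }
        for r in ranked
    ]


# Constructed sample register (hypothetical scenarios and control estimates).
SAMPLE_RISKS = [
    Risk(
        "Third-party sales agent used to win a government tender in a high-risk country",
        "likely", "severe",
        [Control("Agent due diligence and approval", 0.4),
         Control("Anti-bribery clauses and audit rights in agent contract", 0.3)],
    ),
    Risk(
        "Gifts and hospitality offered to private-sector procurement officers",
        "unlikely", "major",
    ),
    Risk(
        "Facilitation payments requested at customs for routine import clearance",
        "possible", "moderate",
        [Control("Written policy plus training of logistics staff", 0.5)],
    ),
]

# Assumed tolerance set by upper management for this example.
TOLERANCE = 6.0

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS, TOLERANCE):
        print(f"{row['residual']:>5} {row['rating']:<7} {row['decision']:<13} {row['scenario']}")
```

Running the block ranks the agent scenario first: its inherent score of 20 falls to 8.4 after the two controls, which is still above the assumed tolerance, so the register records it as needing additional controls rather than acceptance. The multiplicative control model and the tolerance figure are the two places a real program would substitute its own methodology.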

  6. Create an Action Plan

Once the risk assessment process is complete, the organization needs a plan to act on its findings. This will include designing and implementing internal controls, as well as identifying the residual risks. It should also include the other steps needed to address risk, including internal training; audit of the compliance system; communicating with stakeholders, including the public; and periodically renewing the risk assessment itself.

The action plan should also include assigning responsibilities for specific steps, allocating the necessary resources, setting a timetable, and providing for progress reports.

Additional Resources for Fighting Corruption

A robust risk assessment is so integral to fighting corruption that the United Nations Global Compact has devoted an entire guide to the subject. This guide provides many practical suggestions about the entire risk assessment process.

*Scott Nance is the Principal of Langley Compliance Consulting LLC, based in Washington, D.C., and the former Global Head of Sanctions Compliance for ING in Amsterdam. Scott is a member of the ACSS Editorial Task Force and the ACSS Certification Task Force.
