Until recently, many global companies likely felt little need to conduct anti-corruption risk assessments. But that has changed dramatically, due in part, to the OECD’s 2010 good practice anti-corruption standards, which deemed risk assessment to be the foundation for designing all other anti-corruption compliance measures; in part, to a similar emphasis on risk assessment in the UK Ministry of Justice’s guidance regarding adequate compliance procedures under the Bribery Act; and partly, to a much greater emphasis by the US Department of Justice on risk assessment in cases brought recently under the Foreign Corrupt Practices Act.
But while expectations in this area have soared, the understanding of what organizations should actually do to assess anti-corruption risks is best described as uneven. For this reason, I thought that a brief primer on the topic might be of help.
First, too many organizations view anti-corruption risk assessments solely as a means to prioritize audits. This is inconsistent with the above-described notion of risk assessment being foundational to the compliance program as a whole. Rather, an effective anti-corruption risk assessment should entail gathering information not only for helping with audits but also for, among other things:
- Designing or revising all relevant policies – e.g., concerning providing gifts, entertainment and travel to government officials/employees of state-owned enterprises; charitable contributions and community support payments; retaining and managing third-party intermediaries; and due diligence in M&A/JV formation/investment.
- Devising anti-corruption training and other communications (including, as appropriate, for third parties).
- Establishing optimal anti-corruption management/governance approaches at various levels of the organization – board, senior management, the ethics/compliance function, finance, HR, logistics, in business units and/or geographies, and among those who manage JV’s.
(Note: this is by no means an exhaustive list.)
Second, given the uses to which anti-corruption risk assessment should be put, it is imperative that organizations identify not only the likelihood and potential impact of a violation (which nearly all assessments do), but also the foreseeable causes of such risks – such as pressures (internal/external); temptations (incentive approaches); culture (not only geographic, but also organizational and possibly industry), among others. Of course, one source of risk is an inadequate anti-corruption compliance program – and so any risk assessment should include some element of program assessment (and note that independent of the part they play in risk assessments, program assessments are encouraged in the OECD, UK and US standards).
Third, given the need to obtain this sort of “cause” information, conducting interviews should be the principal methodology of assessing corruption risk. Surveys and focus groups can play a part in this, too, but obtaining the type of qualitative information that only interviews can provide is essential to effective risk assessments.
Finally, while some aspects of risk assessment must have an enterprise-wide dimension (e.g., corporate-wide training, the tone at the top), many anti-corruption risks are really “local” in nature. Note that local for these purposes has not only a geographic element but also many others – e.g., focusing on the potential for corruption in buying and selling specific types of goods and services, weighting risks in specific logistical and administrative functions, among other things.