How to Conduct a Risk Assessment in Anti-Bribery and Corruption Prevention

Assessing risks is key to creating and implementing an effective compliance program. A risk assessment helps your company identify risks, determine priorities, and develop policies and procedures to address the risks. The more a company understands its bribery risks, the more effective the policies and procedures to prevent bribery will be.

In this article, we will walk you through the steps of a risk assessment. That said, this is not meant to be a comprehensive guide, and it is best practice to consult outside counsel, as well as have cooperation from your board and upper management, before conducting a risk assessment for your company.

Components of an Effective Risk Assessment
An effective risk assessment will contain the following components:

1.       It will involve the people needed to guarantee a complete overview of the risks the business faces.

2.       It takes into account all activities that may have a risk for bribery

3.       It avoids preconceived ideas about the effectiveness of controls, as well as the integrity of third parties or employees.

4.       It identifies risks, then describes them in detail.

5.       It evaluates the bribery risks by likelihood and impact.

6.       It prioritizes bribery risks.

7.       It is documented to show that an effective risk assessment was completed.

8.       It is performed regularly, not just once.

9.       It is communicated to aid in the creation of proper procedures, policies, and controls.

Benefits of Risk Assessment

Compliance with laws and regulations might be the main reason for risk assessment, but it is not the only one. Carrying out a risk assessment, then implementing policies and procedures to address the risks, is also good for business. It enhances the reputation of your company and makes you more trustworthy.

It also:

1.       Provides a detailed overview of high risk areas. This overview helps companies create procedures, policies, controls, and training to deter and prevent corruption.

2.       Helps a company focus on its activities and relationships that pose the highest risk.

3.       Determines the level of due diligence that will be needed for third parties.

4.       Helps the company see where there might be excessive controls for a low risk area. It makes the company more efficient.

The Risk Assessment Process

A risk is the possibility an event will occur and will negatively impact the achievement of objectives. A company should always state its objectives before doing a risk assessment. The objectives bring to life what a company wants to accomplish using its compliance program; therefore, making it clear the risks it needs to assess. Only your company can set its objectives. However, some broader objectives are listed below.

  •          Keeping the company in line with ethical standards
  •          Maintaining and enhancing the reputation of the company
  •          Complying with all laws and regulations
  •          Creating and maintaining good relationships with government and business partners
  •          Meeting ethical compliance requirements that are set forth by customers


    Risk Tolerance

    Interested in learning more? Why not take an online Global Anti-Corruption and Bribery course?

    Another thing a company should do before starting a risk assessment is to define its risk tolerance. The risk tolerance is also known as the risk appetite. Risk tolerance can be defined as the level of variation between performance to the achievement of objectives. While most companies take a zero-tolerance approach to bribery risks, zero tolerance means that the company does not permit acts of bribery under any circumstances and takes action on any such acts. It also means companies are taking reasonable steps to eliminate such risks.

    Responses to Risks

    The purpose of a risk assessment is not only to identify the risks a company faces, but to also prepare the company to respond to any given risk. Different companies may decide on different responses to each risk. That said, there are four basic categories of response, as included below.

  •          Reduction. The implementation of controls, procedures, and policies are put into place to reduce risks.
  •          Avoidance. The company decides to quit an activity or exit a market in order to avoid the risk completely
  •          Acceptance. The company decides to treat the risk as a cost of doing business.
  •          Sharing. The company shares the risk. This may include outsourcing, joint ventures, and insurance.

    A company should never accept risk, because it opens them up to liability when laws and regulations are broken. Avoidance may be the right choice for the company if a market is so overcome with corruption that the risk is too great. However, a company cannot decide to avoid every market if it wants to stay in business. Sharing will not work for a company when it comes to bribery, because you can't insure against it or free yourself from liability simply because a business partner is guilty of bribery, but not you. Reduction is typically the correct response to risk.

    The Different Levels of Risk

    In order for a risk assessment to be effective, your company must be able to distinguish between the different levels of risk.

  •          An inherent risk is a risk before the effect of any controls that are put into place. It is also the level of risk if all controls fail.
  •          A residual risk is the level of risk with all controls in place and working effectively.
  •          A control risk is the risk that a control will fail to detect a corrupt act.

    It is impossible for a company to reduce its risk level to zero unless it chooses avoidance as a response to risks. For that reason, all companies should consider inherent risks in their risk assessment. It would be nice to say that a company has controls in place for every risk that exists, but that is simply not possible. A company must think of where inherent risks might exist by asking itself what adverse events could happen if there were no controls in place. By doing this, all risks are more effectively determined. A company can then decide what controls need to be in place. It should never be assumed there are controls in place to mitigate a risk. Assume there are not.

    Identifying Risks

    The first step in the risk assessment process is to identify and characterize the risks your company faces. It is crucial that each risk is understood by all concerned and to match the risk to controls in order to mitigate it. The policies and procedures you develop will be based on addressing these risks.

    Start to identify the risks your company faces by giving comprehensive answers to the following basic questions.

    1.       What does your company do as a business?

    2.       What business operations or markets does your company operate in that are different from each other and present different risks?

    3.       What interactions with the outside world does your company have when performing business activities?

    4.       Who does your company interact with?

    5.       What interactions does your company have with local or federal government? Public officials?

    6.       What do you need from third parties for your company?

    7.       What intermediaries do you use when working with third parties?

    8.       Taking into account where your company does business, are there customs or practices in those areas that expose you to risk?

    Categories of Risk

    There are not any official risk categories; however, there are basic categories of risk for which most businesses are exposed. When identifying the risks your company faces, it can be helpful to consider these categories to better help you identify risks your company faces.

    1.       The Transaction Risk. Compelled giving is a requirement for some U.S. businesses doing business overseas. Some countries will require a charitable donation in order for the U.S. company to maintain or obtain business by a foreign government official. For example, a U.S. company may be required to donate a certain percentage of profits from the contract to a charitable organization in that country. While this is legal in some countries, it may not be FCPA compliant.

    If your company is compelled to make donations to a charitable organization in another country, remember that it they are still payments made in order to maintain or obtain a contract. Make sure a foreign government official or other decision maker does not hold a position of authority at the charity. In addition, make sure the donation is consistent with your company's pattern of charitable giving, make sure to record the transaction as 'compelled giving' in your books, and note who made the request for the donation and how it was made.

    The donation should not be the tool used to obtain or maintain a contract either. Never pay to get contracts or benefits from a foreign government official.

    2.       The Business Partnership Risk. If you are going to partner with any other business, you want to make sure that the company has an adequate compliance program in place. If a foreign government requires you to rely on a third party, you also want to be sure that these companies are compliant. Your company might be held liable if a business partner engages in bribery and corruption. You will want to be sure to insure that they are compliant.

    3.       The Sector Risk. You must also consider the industry or industries in which your company is involved or will be doing business. Has the U.S. government stated that an industry is under scrutiny? Are they investigating the industry? What corruption risks are there with the industry?

    4.       The Country Risk. What is the perceived level of corruption in a country where your company does or seeks to do business? You can use the "Transparency International Corruption Perceptions Index". You will also want to identify the connection between areas where there is explosive market growth and corruption.

    Evaluating the Risks

    Companies have finite resources. While there are a range of risks associated with a business, such as financial, operational, and legal, you want to target your risk management efforts to risks that will have the most adverse impact on your company and the achievement of its objectives.

    To help determine which bribery risks are most significant, evaluate and prioritize risks using the steps below.

    1.       Bribery vs. other risks. Compare your company's bribery risks to other risks to determine the significance of each.

    2.       Bribery risk vs. another bribery risk. Once you have identified your bribery risks, you can determine the priority of each bribery risk.

    3.       Business department or market risk. In addition to comparing bribery risks, you can also determine the risks of bribery in different areas of your business - or in different markets.

    Evaluate risks based on their likelihood of occurrence or the impact a risk would have on your company.

    Mapping Risks to Controls

    Once you have identified and evaluated the risks, you can them map risks to controls. You may already have some controls in place that can be used as anti-bribery controls, such as segregation of duties. You may even have one control controlling more than one risk. No matter what, it is important that you take time to analyse how any control you put into place will mitigate a risk. For example, a control that includes an approval process for payments is great. But if the only step in the approval process is documentation for the payment, is that enough? The control may not question why a payment is being made. You want to make sure each control does the job it needs to do in mitigating the risk.

    Gap Analysis

    The identification of risks that do not have any - or adequate-- controls is called gap analysis. You can identify gaps by determining which risks do not have controls. On the other hand, you may have controls that do not address any specific risk, but instead are simply good practice controls for anti-corruption and bribery laws. All controls should be mapped to risks and vice versa.

    Documenting the Risk Assessment

    A risk assessment needs to be documented. A documented risk assessment can be also be communicated, discussed, and used as part of a company's compliance program. That is not to mention that it can be extremely helpful in proving your company has taken the appropriate steps to prevent bribery and corruption. Risk identifications and evaluations should be documented, as well as any other part of your risk assessment.