There is no time like the present to refresh your organization’s bribery and corruption risk assessment.
Many organizations recognized that the COVID pandemic changed the risk and control landscape, and took the opportunity to revisit their compliance programs, at least from a distance.
The risk landscape has again shifted post-pandemic; the war in Ukraine, the changing economic environment, and the pressure to "play catch-up" in industries/markets hardest hit by the pandemic are all fresh risks to consider. The easing of pandemic-era restrictions means compliance teams have renewed access to people and data to fully assess their risks and understand whether compliance programs are still fit for purpose. If your organization is looking to refresh its bribery and corruption risk assessment or is undertaking one for the first time, here are some practical considerations.
The basics
There is no single approach to corruption risk assessment. Whether utilizing interviews, questionnaires, workshops, or some combination thereof, practicality and proportionality are key. That said, there are core tenets to effective risk assessment to bear in mind:
Gaining a holistic view of risk
A frequent question we hear from clients is how to strike the right balance between using qualitative and quantitative information to identify risk. Regulators expect organizations to incorporate both, and the more quantitative data a company generates, the higher the expectation is that the data will be used in managing corruption risk.[1] We view utilizing a mix of qualitative input from interviews and questionnaires alongside quantitative measures helps tell the story of risk and corporate culture that neither could do in isolation.
For instance, discussions with stakeholders outside headquarters are critical to understanding local culture, business risk, and operating context which is difficult to ascertain through questionnaires or a data-led exercise. Incorporating local perspectives can also identify external factors such as specific political or economic developments impacting the local risk environment. This can be complemented by analyzing accounting and operational data to identify trends, relationships, and business activities which present risks beyond those employees are aware of or willing to discuss.
Interviews and questionnaires are often the default but these approaches risk being one-dimensional and subjective. Many compliance teams find the use of accounting data costly, burdensome, or beyond their capabilities. If that is the case, consider what can be easily gathered from other sources, such as front-end system reports, management information packs, or internal audit data. For example, 2022 saw an increased emphasis on sanctions risk, and information obtained to comply with sanctions regimes such as client and supplier relationship data is also relevant and useful in understanding corruption risk exposure.
Assessing controls
A common pitfall in the risk assessment process is mapping global policies and procedures against risks without testing effectiveness. When supporting clients in assessing controls, we often find differing levels of awareness or appreciation for risk, local business norms, and risk appetite which create inconsistencies in how procedures are applied locally. We also frequently find assumptions that different parties are executing certain controls, when in fact no one is. These challenges are particularly relevant to consider when relying on questionnaires/management attestations to evaluate local controls.
Site visits across your entire global operation and control functions may not be feasible nor proportionate; however, consider a risk-based approach to ensuring controls over high-risk activities are thoroughly assessed. Organizations have also successfully leveraged internal audit teams by incorporating anti-corruption-specific testing in their routine audits to provide additional confidence.
Do not forget to consider important "softer" elements of compliance frameworks, which are difficult to assess remotely, i.e., management tone, the impact of employee incentives, or the attitude towards compliance.
Evaluating overall risk
Determining the level of risk an activity poses to the business requires judgment and calibration. Likelihood and impact considerations are typically used to maintain some objectivity; yet, however formulaic this sounds, a few common challenges persist:
- The wariness to evaluate activities as low or high-risk can result in a plethora of activities classed together with insufficient nuance to prioritize or allocate resources to address them.
- Downplaying significant risks, simply because they are infrequent. For example, acquisitions or joint ventures may be rare events, but they often have a significant impact in terms of new and emerging risks and potential changes to compliance culture.
- Making too simplistic of an assessment to determine the true impact or likelihood. As an example, many companies measure country risk singularly based on Transparency International’s Corruption Perception Index scores. This provides little insight into what generates risks within that market and can create a disproportionate number of "medium" results as global organizations often have little to no footprint in the highest corruption risk markets.
To address these challenges, we typically recommend organizations define their risk tolerances and what they consider impactful to the business before undertaking the assessment. This can prevent inconsistencies or bias from creeping in during the process. If results seem disproportionately high, medium, or low-risk, considering additional information or alternative weighting of risk factors can provide variation within larger pools of risk. Calibrating results in this way can ensure attention and resources are allocated to the most pressing concerns.
Risk assessment as an ongoing activity
It is important to follow up on agreed actions to ensure they have been implemented and to use interim business activities as an opportunity to re-evaluate risk. For example, changes to the business model, new strategic relationships, new projects/contracts, etc. are all opportunities for the board and management to consider the bribery and corruption risk profile and ensure the existing program is fit for purpose.
Today’s fast-changing business environment is generating emerging risks and potentially straining existing compliance programs. If COVID limited your ability to undertake an effective risk assessment, or the rate of change in your organization is presenting new compliance challenges, then there is no time like the present to consider a refresh.
[1] Further Revisions to Corporate Criminal Enforcement Policies, September 15, 2022 (justice.gov)
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.