Global Anti-Bribery Guidance

Best practice for companies in the UK and overseas

4. Risk Assessment

Guidance

4.1 Introduction

Risk assessment is the foundation for the design of an effective anti-bribery programme. It is a continuing procedure which gives a company a systematic and prioritised view of where the significant inherent bribery risks lie. The results of risk assessments are used to design the controls to mitigate the prioritised bribery risks. The process is critical as the information gained through risk assessment will shape the design of the anti-bribery programme and ensure through repeated risk assessments that the design is always valid and being improved. Most large companies will have well established risk assessment procedures and anti-bribery programmes and therefore the process described in this section of the portal should be viewed as a means of gap analysis and continuous improvement.

All companies face bribery risks to some degree, but a company cannot be sure that it has taken the appropriate risk approach and designed the right controls if it does not know the scale of the risks, where the risks lie, how bribery can take place, which risks are the largest for the company and what makes bribery more likely.

Risk assessment is a methodology to be undertaken by all sizes of companies and the difference lies in scale and depth of the process. The common guiding principles for risk assessment are:

  • Methodical: It is a systematic and recurring procedure.
  • Vigilance: It demands brainstorming, open mindedness and vigilance to be alert to risks.
  • Completeness: It covers the whole of the activities of the company.
  • Focused: Resources are not infinite and the focus should be on the real, most significant, risks.

A best practice risk assessment procedure gives a company a systematic and objective view of bribery risks. This enables the company to:

  • Obtain a realistic and comprehensive overview of the key areas of bribery risks in its operations.
  • Focus attention and effort on those business activities and relationships which are considered to be most risky.
  • Provide a basis for the design of mitigating anti-bribery controls or restructuring business activities to eliminate risks e.g. reduce or remove the use of sales agents.
  • Identify where there may be an excessive controls burden in relation to relatively low risk activities and to reduce effort in those areas and rebalance resources to where there is greater need.
  • Design the level of risk-based due diligence that will be appropriate for particular third parties, building on an informed appraisal of the risks associated with the activities such parties are being asked to undertake.
  • Support continuous improvement by identifying opportunities for efficiency.
  • Support the promotion of risk awareness generally and a structured, informed approach to ethical decision making in the organisation.

4.2 Six Stages of a Risk Assessment Exercise

Six stages are identified for the anti-bribery risk assessment process:

1. Ensure top level commitment and oversight: Top level commitment is key to effective risk management. The board and senior management provide leadership and commitment to drive adequate and continuing risk assessment and ensure the process does not falter or lose quality.

2. Plan, scope and mobilise: The planning stage prepares the ground for the risk assessment process. A planning team should consider the following aspects: appointing the project lead, defining stakeholders, allocating team responsibilities, identifying information sources, drafting a plan for the risk assessment, and communicating the plan and requirements to those involved in the exercise.

3. Gather information: Create a comprehensive catalogue of inherent bribery risks to which the company could plausibly be exposed by virtue of the nature and location of its activities.

4. Identify the bribery risks: The objective of this stage is to identify and examine the activities and risk factors that could increase the company’s exposure to bribery risk.

5. Evaluate and prioritise the risks: The risk evaluation stage analyses and prioritises the forms of bribery identified in stage 3 taking into account the risk factors in stage 4. Common practice is to apply two variables to prioritise risks: likelihood of occurrence and the potential adverse impact.

6. Use the output of risk assessment: The results of risk assessments are applied to a review of the anti-bribery programme and the extent to which existing controls need modification or additions.

Examples of guidance from authorities

The risk assessment approach is one of the key areas enforcement agencies look at in a bribery investigation. There are clear messages from authorities on the importance of risk assessment.

UK Bribery Act: Ministry of Justice Guidance

The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented.

US Foreign Corrupt Practices Act: DoJ/SEC Resource Guide

Assessment of risk is fundamental to developing a strong compliance program. One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin . . . DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.

Brazil: Guidelines for private companies, Office of the Comptroller 2015

The structuring of an Integrity Program depends not only on the company profile analysis but also on an assessment of risks that takes into account the characteristics of the markets in which the company operates (local culture, level of government regulation, corruption case history). The assessment must take into consideration mainly the likelihood of perpetration of frauds and acts of corruption within public bidding processes and procurement, and the impact of these wrongful acts on the company’s activities. The rules, policies and procedures to prevent, detect and remedy the commission of any undesirable acts will be based on such identified risks. The mapping of risks must be periodic, so that new risks can be identified, whether arising out of changes to the statutes in force or the issuance of new regulations, or out of internal changes in the company, such as entering new markets or business areas or opening new branches.

Pointer: Do not ignore passive bribery risk

Where the company or persons connected with it give a bribe, this is generally termed ‘active bribery’ and when an individual receives or acts on the expectation of receipt of a bribe, it is called ‘passive bribery.’ Active and passive bribery are distinct risks. Both are of concern to any company. Attention is commonly given by companies to active bribery but passive bribery risk must not be overlooked. Passive bribery takes place most often in contracting and procurement fraud, when employees accept kickbacks for awarding contracts. As shown by the Petronas scandal, the consequences of passive bribery can be very serious. Passive bribery can occur in other functions such as recruitment, sponsorship or allocating services or supplies where goods or raw materials are in high demand and short supply.

4.2.1 Stage 1: Ensure Top-Level Commitment and Oversight

Aim: To obtain leadership support and commitment to drive an effective risk assessment process.

Top level commitment is key to effective risk management. The board and senior management should provide leadership and commitment to drive adequate and continuing risk assessment and ensure the process does not falter or lose quality. This commitment is a facet of tone from the top described elsewhere in this portal but specific reference is made here to emphasise its role in ensuring the risk assessment process is given appropriate attention and resources. Full leadership commitment requires the following aspects:

  • Provide board oversight: The board or a board committee should be responsible for oversight of the risk assessment process. Board and board committee members will need appropriate levels of understanding of bribery risks – board briefings and training will contribute to this.
  • Assign responsibilities: Responsibilities for anti-bribery assessments should be assigned clearly with overall responsibility given to a senior executive.
  • Allocate appropriate resources: The board should ensure allocation of the necessary resources to conduct effective continuing risk assessment. This is more than a matter of simply appointing the right person to carry out the task. The risk assessment process requires the allocation of time, potentially from a number of people. In a large, multi-national company, this may be a substantial number of people, who are called upon to provide information and generally contribute to the process. The board should review regular reports on the implementation of the risk assessment process including information about key risks and their mitigation and any residual risks.
  • Set control objectives: Setting control objectives is a precursor to the risk assessment process. A failure to recognise how a broad range of business objectives might be affected by bribery risk is likely to result in an underestimation of the significance of bribery as a risk. Examples of control objectives that could be threatened by bribery include:
    • Maintenance and enhancement of corporate reputation
    • Compliance with the company’s values and with applicable laws and regulations
    • Revenue, profitability and share value targets.
  • Decide the risk approach: The board should approve the company’s risk approach (‘risk tolerance’). The COSO Framework states that risk tolerance can be defined as: ‘. . . the acceptable level of variation in performance relative to the achievement of objectives.’ Risk approach is thus linked to attainment of control objectives and should be considered when establishing the objectives. The risk approach will vary depending on the nature of the risk. For many business risks, it is legitimate and quite normal for different companies to have varying positions on the level of tolerance of the same risk.
  • Balance to other risks: Companies are faced with many types of risks and decisions on risk approach will need to be balanced within the overall context of risks facing the company.

Can bribery risk be reduced to zero?

When designing their anti-bribery programme companies face a critical decision in knowing where to draw the line on the risks to be mitigated. The UK Bribery Act has a strict corporate liability provision, making the company liable for bribery by employees or third parties providing it with services. However, companies cannot practically reduce risks of bribery to zero and must compromise by focusing attention and resources proportionate to identified significant risks. This applies to bribery as much as any other aspect of corporate risk management. There will always remain some residual risk as a result of a combination of:

  • The decision in the risk approach to manage a risk down to an acceptable level but not to seek to eradicate it completely;
  • The inherent fallibility of people and the controls they operate; and
  • The remaining risk that those responsible for the operation or oversight of controls may deliberately seek to undermine or circumvent them for some reason (sometimes referred to as the risk of ‘management override’).

4.2.2 Stage 2: Plan, Scope and Mobilise

Aim: To plan the risk assessment process and individual risk assessment exercises so they are implemented efficiently and effectively.

In this stage, form a planning team. The team should consider the following aspects:

  • Bribery scope: The company will need to make sure it has a good idea of the types of bribery risk and where these lie. It should use this knowledge to set out expectations for the risk assessment process, the type of information required and to design the process.
  • Organisational scope: Risk assessments can be structured at different levels. They can be at global and regional levels, and also by business division, and crucially, activity. Reasons for structuring can be to spread the costs of risk assessments or to address specific concerns or opportunities.
  • Organisational buy-in: Support will be needed across the company for the aims of the risk assessment process as it may place demands and even concerns on people across many functions as well as third parties.
  • Appropriate resources: Adequate resources will be needed for the risk assessment process and the backing of the board and senior management will be crucial in this. Further resources may have to be sought if the risk assessment reveals levels of risks that demand more extensive work.
  • Sources of information: Good sources of information on bribery risks should be identified. Those who contribute information to the risk assessment should be capable of providing a reasonably comprehensive overview of the business and its bribery risk profile.
  • Learning for future risk assessments: Risk assessment is a continuing and iterative process and the allocated resources may need adjusting as experience is gained.
  • Roll-out: Consideration should be given to how risk assessment will be rolled out and then carried out on a continuing basis realistically in time, geography and resources across the company’s activities and third parties.
  • Documentation of the risk assessment process: During the planning stage, it should be decided how the risk assessment will be documented. This is to provide a reference for future risk assessments and for any reviews and discussions on the risk assessment approach. Importantly, documentation will provide evidence to authorities in the event of an investigation on the adequacy of the company’s risk assessment process. A risk register may be used, which records information gathered and the sources, description of the bribery risk, the assessment and rating of the risk and the measures and controls to mitigate risks.

Pointer: Risk Assessment as Excellence Management

See risk assessment as not only a means of identifying risks to be countered but as part of excellence management – how the anti-bribery programme can bring benefits to the company with more effective business processes, strengthening the third party management, and advancing the company’s reputation for integrity.

4.2.3 Stage 3: Gather Information

Aim: Gather sufficient information to identify how bribery could occur.

An information gathering stage is required to map out the forms of bribery that could be a risk for the company.

Scoping and brainstorming

Before gathering information, broad consideration should be given to the forms of bribery that might occur in the company’s activities and where they might occur. The scope should be explicit that it covers both active and passive bribery.

Desktop research

Desktop research is an effective starting point for gathering information. It can provide a range of information and also help guide the process of obtaining original information through interviews and surveys. External and internal resources can be used including:

  • Public domain and open source information
  • Past experience of bribery issues
  • Past assessments, if any
  • Experience brought by board members and employees from other companies.
  • Country and market insights from management and employees in different countries. Market insights include knowledge about local culture and business practices, customer and competitor behaviour, knowledge of local laws and regulations from the in-house legal team or local management; and whistleblowing or similar reports
  • Due diligence reports on third parties
  • Reports from use of advice and speak up lines
  • Findings from internal audit
  • Allegations reports
  • Investigation reports
  • Findings from compliance reviews
  • Employee opinion surveys
  • Looking forward to expected changes in sources of business revenue

Get different perspectives

A comprehensive bribery risk assessment needs to look at the business and activities of the organisation in the round and draw upon multiple perspectives, from leadership to those working on the front line. Those conducting the risk assessment must ask themselves where they will obtain the necessary information and insight to identify all relevant risks. A combination of approaches for gathering information can be used and in smaller companies one or more meetings might suffice.

Sources of additional information on bribery risks include:

  • Workshops, brainstorming, focus groups, departmental meetings.
  • Internal interviews with staff and line management, employees working in vulnerable areas.
  • External interviews with professional advisers, stakeholders, experts, NGOs, trade associations, embassies.
  • Questionnaires sent out to business units, functions and third parties requiring answers to standard questions or to complete a risk assessment template.

Assess the quality of the information

The value of the information obtained will depend on the degree to which the informant buys in to and understands the purpose of the exercise and the nature of bribery risk itself. Those gathering the information should consider whether it is both complete and reasonable based on their own understanding of the business. Those responsible for the conduct of the risk assessment process should use their expectations scoped in the planning stage about likely areas of risk to evaluate and challenge the input they are receiving.

Address threats to the information gathering process

While the company may approach the risk assessment process with commitment and thoroughness, the following threats could affect the review and should be considered when planning the information gathering:

  • Overconfidence about the effectiveness of current anti-bribery controls.
  • Operating on a culture of trust or ‘family’ and assuming trust will not be breached.
  • Accepting current practices – ‘it has always been done this way’.
  • Resistance from managers and employees – ‘implying there could be bribery is a personal affront’.
  • Other factors unconnected to the review which create resistance or suspicion.

4.2.4 Stage 4: Identify the Bribery Risks

Aim: Create a comprehensive risk register of inherent bribery risks, risk factors and bribery schemes to provide the basis for evaluation of risks in stage 5.

Designing the register

Cataloguing risks requires identifying activities subject to bribery risks and the related risk factors. For instance, bidding for public contracts is an activity likely to be vulnerable to bribery and the risk is heightened if it takes place in a country known to have high levels of corruption. This could be exacerbated if it is in a sector known to be vulnerable to bribery. Thus the company needs to identify, based on information gathered in the previous stages, which of its activities could be subject to bribery risks and what are the risk factors that could make bribery more likely. The sections below look at the three aspects: activity, risk factors and channels for bribery.

In this stage the company designs and populates a comprehensive risk register which captures and organises the information gathered in the previous stage 3. The register will provide the basis for the next stage of assessing and prioritising the identified risks. The aim here is to record the main forms of bribery risk that the company could be exposed to as broad evaluations and not related to particular contracts or third party relationships.

The Three Dimensions of Bribery Risks

  • Activity: The activity vulnerable to bribery, for example, bidding for a public contract.
  • Risk factor: An external or internal circumstance that could make it more likely that bribery will occur; for example, the country of operation.
  • Bribery scheme: The way in which a bribe benefit, financial or non-financial, is transmitted. For example, bribery through gifts and hospitality.

Vulnerable activities

The register should record the activities identified as vulnerable to bribery. A list of activities where bribery commonly can take place, with examples, is given below.

  • Sales and marketing: Bribes made to win orders or to gain insider information, such as tender specifications before they are released for tendering.
  • Procurement and contracting: Contracts awarded to a supplier who then pays a kickback to reward the buyer who made the decision.
  • Project management: On projects, the majority of the funds for paying a kickback have to be generated through the implementation of the project in ways such as rush orders, changes of specification, substitution of inferior materials.
  • Supply chain management: Acceptance of bribes from suppliers and intermediaries, payment of bribes in logistics, obtaining regulatory approvals, port and canals clearances.
  • Human resources:
    • Bribes paid to human resources employees or outsourcing contractors to influence recruitment, appointments, promotions and disciplinary actions.
    • Bribery of public officials to circumvent regulations related to human resources practices or quotas for local nationals or members of certain local tribes or communities.
    • Human resources is complicit with sales and marketing to favour employment of customers’ relatives.
    • Bribery of or by union officials.
  • Corporate affairs: Undue political engagement, donations to politicians and political parties. See the guidance on political engagement elsewhere in this portal.
  • Facilities and assets management:
    • Bribes received by employees for awarding contracts or providing access to facilities and assets.
    • Bribes paid to officials to obtain planning permission or supply of utilities.
    • Assets used to influence public officials.
  • Financial functions: Bribes received for providing personnel and other information, or to enable criminality such as data theft, fraud or robbery.
  • Financial trading and services: Bribes received to steer recommendations for products and suppliers, insider trading.
  • Mergers and acquisitions: Bribery to obtain insider information, provide favourable terms.
  • Safety and quality management: Acceptance of bribes to falsify records or overlook non-compliance.
  • Research and development: Bribery of researchers to falsify results or of officials to obtain regulatory approvals.
  • Security: Bribery to circumvent the company’s security controls, or to provide information such as data on customers or research and technology information.
  • Goods inwards: Bribes to falsify documentation such as falsely certifying goods received or to allow deliveries at the goods inward gate to jump the queue.
  • Functions where regulatory licenses or critical services are required: Bribery of officials to obtain approvals or other services. Examples include research and development (testing and approval of drugs), telecommunications, casinos and lotteries, facilities management (water, power, building and plant planning approvals).

Risk factors

Risk factors are broad contextual factors which make bribery more likely to occur, such as country of operation. Once the company understands its risk factors, it can then assess how these affect risk relating to specific activities, such as procurement.

Commonly identified risk factors are described below:

Country risk

The starting points for many in considering country risk are Transparency International’s Corruption Perceptions Index (CPI) and the World Bank Governance Indicators. The CPI measures perceptions of corruption of public officials. It does not measure country corruption nor corruption of the private sector. The risk score from the CPI is a good example of the limitation of a risk factor – it tells you something about the level of perception of risk, but nothing about the nature of the risk. Clearly, a proper consideration of country risk needs to go further. There may be a broad sense of the level of risk, but the risk score on its own does not explain why a particular country carries a higher risk, let alone how the risk might manifest itself or even whether the country score is relevant to the company’s particular activities.

Another factor to consider is that corruption happens in all countries, and so even a country that scores well on the CPI may present risks. A 2014 OECD Foreign Bribery Report analysed enforcement actions in 427 bribery cases and found that almost half involved bribery of public officials from countries with high (22%) to very high (21%) levels of development.[1] Some of the largest bribery cases have involved bribery taking place in developed countries with low perceptions of corruption. The CPI should be only one guide, and as the company progresses in experience of risk assessments it may develop its own country ratings.

Sector risk

Certain business sectors typically have been associated with higher levels of bribery risk than others. The OECD Foreign Bribery Report found that two-thirds of the foreign bribery cases occurred in four sectors: extractive (19%); construction (15%); transportation and storage (15%); and information and communication (10%).[2] As with country risk, sector risk is an approximation of risk as a company in a high risk sector may well face low risk because of the particular circumstances of its business. Conversely, a company in a low risk sector should not be lulled into thinking of itself as low risk without proper analysis that this is really true.

Incentive

Activities with high value or critical significance such as award of a major infrastructure project, telecommunications licence, mining concession, regulatory or planning approval can create incentive for bribery.

Complexity

Complexity will often go hand in hand with higher transaction value. Complexity may arise because of the number of parties involved in a project, including consortium partners, sub-contractors, intermediaries or similar. The more third parties involved, the higher the risk that one or more of them could act in a manner which creates legal – or at least reputational – exposure for the company. Alternatively, complexity may relate more to the duration and/or number of phases of the project in question. The more complex the project itself in terms of inputs, interactions, phases and/or outputs, the greater the potential for breakdowns in accountability and control over expenditures at some point.

Pointer

For larger companies, a gap analysis might look at the ratios of control functions (compliance, legal) to risky functions (sales etc.); for example, a ratio of 100 sales staff to 1 compliance officer in a market known for corruption could raise concerns.

Legal risks

The legal and regulatory framework for jurisdictions in which the company operates can be seen as a risk factor to be accounted for. Broadly, anti-bribery approaches are quite similar across jurisdictions but there can be significant local variations which may bring risks and will require tailoring of policies and procedures. A notable example is China where the boundaries for laws can be hard to determine and also, the interpretation of laws by the authorities may be hard to predict.

Third parties

Many of the major bribery scandals have involved the use of third parties, especially sales agents and consultants, and many companies decide to no longer use sales agents because of their attached risks. As such, use of high risk forms of third parties should be included in the list of risk factors.

Interaction with public officials

In many countries, any dealing with government officials is likely to carry a higher level of risk. Laws that comply with the OECD Anti Bribery Convention, such as the UK Bribery Act and the FCPA, have explicit prohibitions on the bribery of foreign public officials. One of the challenges – which must be addressed as part of the risk assessment exercise – is to identify who is a government official. This may not be absolutely clear-cut in some countries where there is a degree of uncertainty about whether particular organisations belong in the public or private sectors. The risk assessment should identify the extent of government business or other interactions with the government such as licence or regulatory applications and where this is located to help determine the significance of the risk factor.

Bribery schemes

This section identifies some of the ways in which bribery is given or received. When making its risk assessment the company should identify the vulnerable processes and address the prioritised processes with anti-bribery controls.

The company should use an open minded approach and ask probing questions. A key question to ask at this stage is how someone could fraudulently get something of value in order to pay a bribe, whether active or passive. For instance, an employee might agree an inflated fee for a sales agent to create room for bribery payments. Or a buyer might be complicit in approving rush orders to generate funds for kickbacks to be given for awarding the contract. Blindness to new forms of bribery is another risk. Sometimes, employees may initiate activities that they do not realise are bribery. An example is where banks provided internships for relatives of senior Chinese officials.

There are some activities which are particularly vulnerable to bribery schemes and these are listed below. Each activity is described, together with its risk and the anti-bribery controls, in its own section of the portal.


[1] OECD Foreign Bribery Report: An Analysis of the Crime of Bribery of Foreign Public Officials, OECD Publishing, 2014. http://dx.doi.org/10.1787/9789264226616-en

[2] OECD Foreign Bribery Report: An Analysis of the Crime of Bribery of Foreign Public Officials, OECD Publishing, 2014. http://dx.doi.org/10.1787/9789264226616-en

4.2.5 Stage 5: Evaluate and Prioritise the Risks

Aim: Produce a prioritised list of bribery risks to be mitigated.

The risk evaluation stage assesses and prioritises the bribery risks identified in the risk register prepared in stage 4. Common practice is to apply two variables to prioritise risks: likelihood of occurrence and the potential adverse impact. Depending on the nature of the risk in question, these variables may be expressed in either quantitative or qualitative terms, or a combination of both. A qualitative approach is generally more appropriate as bribery risks are difficult to quantify and it can be impractical to stratify them into more than a limited number of categories or levels. Also, using quantitative methods may generate unwarranted confidence in the results. A qualitative method using, say, a three-level system of high, medium or low to indicate the likelihood will keep the expectations of those using the assessments within bounds.

Likelihood of bribery is essentially driven by the presence of risk factors. The likelihood rises depending on the significance and number of risk factors associated with a particular activity where bribery might occur. Some risk factors may apply to more than one - and possibly all - areas of risk. For example, a general culture of corruption in a particular location is likely to increase the bribery risk associated with many, if not all, business activities carried out in that location.

There is no right answer as to how to measure the accumulation of risk factors. Depending on the circumstances of each company and their existing approaches, possibilities might include:

  • Taking the presence of any one or more specific risk factors as evidence of heightened risk;
  • A simple count, with the greater number of risk factors indicating greater levels of risk;
  • Giving each risk factor its own weighting such that some count for more than others.

See TI-UK’s Diagnosing Bribery Risk guidance for an illustrative risk assessment template in Annex 2.

The other dimension of risk assessment is adverse impact which is a measure of the potential adverse effect of the bribery event on the achievement of objectives. The company can factor in aspects such as the varying impact of active compared to passive bribery risk, the financial value or opportunity loss of transactions, the financial value of sanctions including fines and debarment risk or issues with other contracts if bribery is discovered. The range of fallouts from a bribery incident can be difficult to predict as it will likely have implications across a wide front, touching on financial, legal, regulatory, commercial and reputational aspects. As such the company may choose to grade impacts by a small number of levels such as low, moderate and severe.

Pointer: Additional to the company-wide risk assessment, consider carrying out risk evaluation on specific business units. This will provide a potentially useful view of which units or functions might need particular management focus, monitoring and review. This can also be helpful in targeting efforts in areas such as internal audit, training and/or identifying the need for specific additional policies and procedures to counter localised risks.

The output of the risk evaluation stage should be a comprehensive and up-to-date map of prioritised bribery risks across the company’s activities. A matrix can be produced which covers the following:

  • Activity description
  • Form of bribery: How and where it can happen, active or passive or both
  • Where: Business units and functions including third parties
  • Risk factors: Defined and assessed for their likelihood
  • Bribery schemes: A description of how typically bribes are paid or received and the vulnerable company activity

Pointer: At this point, obtain a reality check on the outcome of the risk assessment process by convening experts to highlight risks from a top-down perspective. Also, convene a roundtable to bring together the relevant senior people within the company.

4.2.6 Stage 6: Use the Output of Risk Assessment

Aim: Design anti-bribery controls to mitigate the priority risks and then address any residual risks.

The results of risk assessments are now applied to a review of the anti-bribery programme and the extent to which existing controls need modification or additions. The design of controls will need to be balanced from a resource perspective. All companies face a range of significant risks across many issue areas and bribery risk mitigation must be balanced against the need to address key risks other than bribery. This means targeting bribery risk management efforts at those particular risks which are most likely to have a significant adverse impact on the achievement of business objectives.

Steps at this stage:

  • Map: Once all the insights on bribery risks have been collected, structure and prioritise them. Next assess them against existing controls to check that the risks are being mitigated. Data analytics, a risk matrix or ‘heat map’ can be used for this.
  • Identify the gaps: Identify gaps in existing controls in terms of risks inadequately addressed or for which there are no adequate controls.
  • Mitigate: Design and implement controls to mitigate the risks. The new controls should address identified gaps or modify existing controls. The controls can be specific to the identified bribery risk or general controls to strengthen the anti-bribery programme. It should also be considered that an anti-bribery programme does not operate in isolation but is part of a wider anti-corruption programme and may also rely on controls which address not only bribery risks but other risks. Examples are the code of conduct, communication, speak up and advice lines, training and controls over payment transactions.
  • Improve: Amend or drop existing controls identified as no longer needed or inadequate.
