Country Corruption Risk Assessment


This section forms part of GIACC’s overall guidance on Risk Assessment and Due Diligence.  It examines Country Corruption Risk Assessments.


These Country Corruption Risk Assessments can be stand-alone assessments, or can be a sub-section of, or be incorporated into, the Organisation Corruption Risk Assessment.


There is no specific model of risk assessment which must be used.  The organisation should create an assessment model which best suits its purposes. 



1.  Reason for Country Corruption Risk Assessments


Corruption is more wide-spread in some countries than in others. In some countries, corruption may rarely be encountered.  At the other extreme, in some countries, corruption is so endemic that it may be impossible to operate without encountering corruption.  Operating in high risk countries will inevitably require greater precautions.


Therefore, before working in any country, management needs to be satisfied, after making reasonable and proportionate enquiries and giving the issue reasonable and proportionate consideration, that the risk of corruption posed by the country appears to be sufficiently low that it is reasonable to allow the business relationship, transaction or project to proceed or continue. 


In some countries, there could be a materially higher risk of corruption in one part of the country than in another part.  This distinction  would need to be identified in the risk assessment.


These country risk assessments are focusing on the overall risk posed by the country (e.g. the extent to which there is widespread corruption in government permit issuing, or extensive police roadblocks where payments are demanded to proceed).  The risk posed by specific projects or business associates are dealt with separately.


If the organisation’s home base is the country in question, then the organisation is likely to have a  high degree of awareness as to the level of this type of corruption.  It is more difficult for an organisation based in another country to assess the risk.


The type of business the organisation is undertaking will have an impact on the extent of its enquiries, and decisions it makes as a result.  For example, if the organisation is based in another country, and it’s business merely involves selling some goods from its home country to an organisation based in a high corruption risk country, and its contractual obligation is merely supply FOB (i.e. if the organisation does not need to visit the high risk country, has no interface with government officials in that country, has no business associates in that country and no activities in that country), then the organisation will probably be able to proceed with the project despite the high country risk, as it is unlikely that any corrupt actions in that country will impact on the organisation or its scope of supply.  At the other extreme, the organisation may be tendering to construct a project in that high risk country, which involves it tendering in that country and, should it win the contract, constructing the project and shipping equipment and materials to and within that country, with significant interface with government officials, police etc.  In this case, the organisation’s risk is probably high.  Many projects will fall in between these two extremes.



2.  How to undertake Country Corruption Risk Assessments


In relation to each country in which it proposes to undertake transactions or projects, the organisation should undertake a Country Corruption Risk Assessment.  This should examine the level of corruption in that country, the types of corruption most commonly encountered, and whether, taking into account the organisation’s policies and procedures, the organisation is likely to be able to deal adequately with the corruption risks in that country.  If the organisation is not familiar with operating in that country, the organisation should undertake specific due diligence on that country so that it has sufficient information in order to be able to make a reasonable decision on the risk in that country.


These Country Corruption Risk Assessments could be undertaken in several different ways, depending on the organisation’s specific requirements:

  • as separate Country Corruption Risk Assessments (one for each country), with an overview consolidated into the Organisation Corruption Risk Assessment;

  • as one separate Country Corruption Risk Assessment document, with different countries forming sub-sections of this document, and with an overview consolidated into the Organisation Corruption Risk Assessment.

The organisation is only likely to need to undertake a separate Country Corruption Risk Assessment if the Organisation Corruption Risk Assessment has identified the corruption risk in that country as being more than low.


Examples of the types of country-specific corruption risks which the organisation should examine and assess include:

  1. What ranking does the country have on Transparency International's Corruption Perceptions Index?  Although this index reflects perceptions only, and is not necessarily accurate, it is widely regarded as successfully identifying on a broad level the extent of corruption in that country.  Many organisations allocate risk bands (e.g. low, medium, high) to countries according to their numerical ranking on TI’s CPI.  The organisation’s decision making process may be adjusted according to those bands.  For example a higher level of due diligence and more senior management approval may be required in relation to projects in, or business associates from, the countries in the higher risk bands.
  2. Is the organisation or any business associate likely to encounter demands for facilitation payments (e.g. to obtain visas, work permits, customs clearance)?  If so, in what circumstances?  How easy is it to resist these demands?  What is the best way to react to them?
  3. Is the organisation or any business associate likely to encounter demands for payments with accompanying threats to safety (e.g. by police at road blocks who extort money, or from site gangs who demand “protection money”)?  If so, in what circumstances?   How easy is it to resist these demands?  What is the best way to react to them?
  4. Is the organisation or any business associate likely to encounter demands for bribes to win work, or obtain certificates or payments?  If so, in what circumstances?  How easy is it to resist these demands?  What is the best way to react to them?

  5. Are there any sectors which should be avoided due to an unacceptably high corruption risk?
  6. Are there any differences in corruption risk between different relevant cities or regions in that country?
  7. Has the organisation had any specific corruption issue before in this country?

  8. What are the applicable legal principles which the organisation needs to take account of in its business?  An organisation may incur criminal liability for corruption under the law of its home country and under the law of the country in which the corruption takes place. If the organisation believes that there is more than a low risk that it may encounter potentially corrupt circumstances in a country, then it should obtain legal advice in relation to the law in both jurisdictions.  This will assist an organisation to avoid corruption and to deal more effectively with corruption should the organisation or any of its officers or personnel encounter corruption.  Advice should be obtained on the following, in relation to both jurisdictions: 
      1. The law and penalties in relation to corruption offences;
      2. Whether there are any relevant statutory, regulatory, contractual or professional obligations and duties which could impact on the organisation’s policies.  For example, in some countries, there is a prohibition or limitation of entertainment of public officials or of the use of agents.
      3. Whether it is a defence to bribery if it can be proved that a person paid a bribe only because there were threats of imminent harm to him or another.
      4. Whether it is an offence to fail to report corruption.
      5. Whether there is protection from self-incrimination.
      6. Whether there is protection for whistle-blowers.
      7. Whether reporting of corruption may provide immunity from prosecution or mitigate any potential liability for corruption.
      8. How reports of corruption may be made to the criminal authorities.
      9. How records and witness statements of corrupt incidents should be made so that they are valid under the relevant law.
      10. How a report of corruption should be made so as to avoid any risk of liability for defamation for the person making the report.

As aspects d) to j) above are only relevant if a corrupt event has occurred, then the organisation may consider that legal advice on these aspects only needs to be obtained after the event.  This would save legal costs which may never need to be incurred.  However, in this case, the organisation needs to be reasonably confident that it can obtain advice quickly.  The organisation may therefore believe that it is safer to obtain advice on all these aspects in advance.

For more guidance on these issues, see Dealing with corruption: Organisations.

  1. If the organisation follows its anti-corruption procedures, including in particular those relating to  business associates and projects, and avoids any sectors listed in 5 above, is the risk of corruption believed to be sufficiently low that it is reasonable for the organisation to work in this country?
  2. Consider any specific anti-corruption recommendations or advice which should be taken account of in this country which are additional to the organisation’s standard anti-corruption procedures. 


3.  Outcome of the Country Corruption Risk Assessments


The result of the above process is likely to be:

  • The categorisation of the countries in which the organisation works into risk categories (e.g. high, medium, low).

  • A due diligence process and results in relation to all medium and high risk countries. This should include a written confirmation by an appropriate manager who has carried out the due diligence, or who has assessed the due diligence, that, taking into account all issues revealed by the due diligence, it is reasonable for the organisation to work in that particular country.

The organisation may choose to impose an additional level of management approval for higher risk countries (e.g. Chief Executive approval may be required for working in medium risk countries, and Board approval for working in high risk countries).


This overall process of risk categorisation and due diligence can be referred to as the Country Corruption Risk Assessment. 


The overall outcome of the country corruption risk assessment should be that the organisation has implemented a reasonable and proportionate process for assessing whether, taking into account its own controls, and other relevant factors in relation to the country, the risk of corruption in relation to the country appears to be sufficiently low that it is reasonable to proceed or continue working in that country.



4.  When to Undertake Country Corruption Risk Assessments


A Country Corruption Risk Assessment should be undertaken prior to the organisation committing to proceed with any business relationship, transaction or project in that country.  The risk assessment should be updated annually and in the event that any material change in the nature of the country’s risk becomes evident.



5.  Documenting the Country Corruption Risk Assessment and related due diligence


The country corruption risk assessment and related due diligence needs to be documented.  It does not need to be documented in full detail (i.e. spreadsheets, summaries, bullet points and cross references to other documents can be used).  However, it should be in sufficient detail that a third party reading the risk assessment will understand the risks and assessments made.  For example:  if the manager writing the risk assessment leaves the organisation, will the replacement manager understand the assessment;  or, if there is a criminal investigation, is the risk assessment sufficiently clear that the investigators will understand that the organisation did undertake a reasonable and proportionate assessment?


In larger organisations, it is important that these risk assessment and due diligence records are accessible by all relevant personnel, so as to avoid duplicated due diligence.  These records could be made available either on the organisation’s intranet or in hard copy).


6.  Possible resources


Business Anti-Corruption Portal

Transparency International Corruption Perceptions Index

Enquiries can be made with:

  • Local embassy

  • Business associations


7.  Other categories of risk assessment:


See the following separate pages for guidance on other categories of risk assessment.


Organisation Corruption Risk Assessment


Project Corruption Risk Assessment


Business Associate Corruption Risk Assessment


Return to main Risk Assessment and Due Diligence page.




Page first published on 15th February 2016

© 2019 GIACC