Risk assessment and due diligence
This section examines the concepts of risk assessment and due diligence, and gives guidance as to how an organisation may undertake these measures in a reasonable and proportionate manner (measure 11 of the Anti-Corruption Programme).
General guidance is given in this section, and there are four linked sections giving specific additional guidance on different categories of risk assessment. The organisation needs to adapt these general principles and guidance so that it implements a risk assessment and due diligence procedure which is suitable for its business and adequately deals with the corruption risk faced by the organisation.
As explained in What is corruption, GIACC uses the term "corruption" in the wider sense to include bribery, extortion, fraud, cartels, abuse of power, embezzlement, and money laundering. Consequently, the guidance in this section applies to all such criminal activity.
In this section, “business associate” means any party with which the organisation contracts or plans to contract, including but not limited to clients, customers, joint venture partners, consortium partners, contractors, consultants, sub-contractors, suppliers, vendors, advisors, agents, distributors, representatives and intermediaries (but excluding the organisation’s personnel).
What is risk assessment?
A risk assessment is a review conducted by an organisation which assesses the risks which the organisation may face in its activities, and whether the organisation’s policies and procedures are adequate to reduce those risks to an acceptable level. The risk assessment may look at a wide variety of risks, such as financial, commercial, political, technical, safety, quality, environmental, and corruption.
An assessment of the corruption risk may be carried out by an organisation as part of its overall risk assessment, or as a separate assessment looking specifically at corruption risk. The following guidance looks only at corruption risk.
In this guidance, “acceptable” level of risk means that, taking account of the organisation’s policies and procedures, the risk of corruption appears to be sufficiently low that it is reasonable to allow the business relationship, transaction or project to proceed or continue.
What is due diligence?
Due diligence is the conduct by the organisation of enquiries on specific countries, transactions or projects, or business associates in order to learn more about them and the possible risks they may pose to the organisation. The results of the due diligence would be fed back into the relevant risk assessment.
Inter-relationship between risk assessment and due diligence
Risk assessment and due diligence are separate concepts, but they are related and work together. It is in principle possible to undertake a risk assessment without undertaking specific due diligence. For example, if an organisation is very familiar with the countries in which it works, and works with long-term, well-known business associates, it may not need to undertake any specific due diligence when undertaking a risk assessment, as it is already aware of the critical points from previous due diligence. An organisation will also not normally need to undertake due diligence in relation to transactions, projects or business associates which are likely to pose a low corruption risk. However, where the country, transaction or project, and/or business associate are new to the organisation, and/or may pose a more than low corruption risk, then some due diligence is likely to be necessary before the risk assessment can properly be completed.
While it is possible for a risk assessment to stand alone without due diligence, due diligence is essentially a tool only carried out in cases where the organisation is assessing risk, and needs further information in order to enable it properly to complete its assessment.
Inter-relationship between risk assessment and the organisation’s policies and procedures
The risk assessment should assess the possible extent of risk in principle, then factor in the organisation’s policies and procedures, and then assess the likelihood of the risk occurring. For example, the assessed risk of working in a country may be high, but the organisation may determine that, if it only works for clients with good controls over tendering and project management, and if the organisation implements strong controls over its supply chain and personnel, then it is unlikely that the risk will materialise. Therefore, a potentially high risk has been reduced to low risk due to the client’s and organisation’s controls.
When categorising risks into e.g. low, medium and high, the initial categorisation is based on the risk occurring in principle, before the organisation’s controls are taken into account. An increasing level of control is then applied to each risk category, with the intent of reducing the residual risk in every category to an acceptable level.
If the assessed risk, even with the controls factored in, is still high, then the organisation can decide whether increased controls would reduce the risk to an acceptable level, or whether it is necessary for the organisation not to participate in the project or work with that business associate due to the risk being unacceptably high.
Purpose of risk assessment and due diligence
The purpose of the corruption risk assessment, and any due diligence carried out as part of the risk assessment, is not to eliminate all possible risk of corruption. The purpose is to identify, after making reasonable and proportionate enquiries and giving the issue appropriate consideration, whether the risk of corruption appears to be sufficiently low that it is reasonable to allow the business relationship, transaction or project to proceed or continue.
Scope of risk assessment
Corruption risk assessment procedures implemented by the organisation should be designed to enable the organisation to assess:
- the risk of corruption in relation to its existing and proposed activities; and
- whether its policies and procedures are adequate to reduce those risks to an acceptable level.
Risk assessment can be undertaken at different levels.
- It can be an overview risk assessment which looks in general terms at the risks faced by the organisation in relation to its overall activities.
- It can be a specific risk assessment which examines in sufficient detail a specific country, transaction or project, and/or business associate.
It is normally a combination of the above, with an overview risk assessment being undertaken, and specific risk assessments being undertaken on higher risk countries, projects and business associates.
Categories of risk assessment
There are four main categories of risk assessment (see separate linked pages for further guidance on each category):
Organisation corruption risk assessment: which examines the general overall corruption risks facing the organisation’s business (an overview risk assessment).
Country corruption risk assessment: which examines the general types and level of corruption risks which could be encountered in each country in which the organisation is undertaking, or proposes to undertake, transactions or projects.
Project corruption risk assessment: which examines the types and level of corruption risks which could be encountered in relation to a specific project or transaction which the organisation is undertaking, or proposes to undertake.
Business associate corruption risk assessment: which examines the types and level of corruption risks which could be encountered in relation to a specific category of business associate, or a specific business associate.
The manner in which the organisation undertakes these risk assessments depends on the size and complexity of the organisation and the nature of its work.
If the organisation’s activities are relatively straightforward and similar across its business, and it permanently works in one or a few countries, uses the same pool of business associates with which it is familiar, and undertakes relatively routine repeat work, then it may be adequate for the organisation to undertake one overall Organisation Corruption Risk Assessment, which it may be adequate to perform annually. The overall country, project and business associate risk will be assessed as part of the Organisation Corruption Risk Assessment.
If the organisation’s activities are more complex, or vary across its business, or it works in many different countries, uses a wide variety of business associates, or undertakes varying types of transactions or projects which may pose differing corruption risks, then it may be better for the organisation to undertake an annual Organisation Corruption Risk Assessment which presents an overview of the organisation’s risks, and in addition have separate assessments for countries, projects and business associates which pose more than a low corruption risk. A summary of the separate assessments can be fed into the annual Organisation Corruption Risk Assessment.
If the organisation works on a few major projects in different countries, and uses specific business associates for those projects, then it may be adequate for the organisation not to have separate country and business associate risk assessments, but to amalgamate the country, business associate and project risk into specific Project Corruption Risk Assessments. It would then have one annual Organisation Corruption Risk Assessment, and a few specific Project Corruption Risk Assessments on its major higher risk projects. A summary of the separate project assessments can be fed into the annual Organisation Corruption Risk Assessment.
In relation to business associates, the organisation may choose to undertake an annual risk assessment of business associates by category (i.e. divide them into high, medium and low risk categories according to factors such as the size of their work, likely inter-relationship with clients or government officials etc.), and then only undertake specific Business Associate Corruption Risk Assessments on any business associates which pose more than a low corruption risk.
Therefore, the organisation needs to determine how it can most effectively assess its corruption risks in a reasonable and proportionate manner, and then adapt its risk assessment procedures accordingly.
When should due diligence be undertaken?
The above sections refer to the different types of risk assessment. When should due diligence be undertaken to support these risk assessments? It is likely to be unreasonable and disproportionate for the organisation to conduct due diligence on all its countries, projects and business associates, whether or not they are likely to pose a corruption risk. The GIACC programme therefore suggests that the organisation should undertake a risk assessment on its overall business (Organisation Corruption Risk Assessment), and that this risk assessment would look at countries, projects and business associates by category, and would identify which categories carry more than a low corruption risk. Appropriate due diligence would then be undertaken on all countries, projects and business associates which the risk assessment has identified as having more than a low corruption risk.
The results of the due diligence would be fed back into the risk assessment.
Due diligence should as far as possible be carried out before the organisation enters into the relevant contract or commitment. If it is carried out later than this point, the organisation may find that the risk has already materialised, or that it has entered into contractual commitments which make it difficult to mitigate the risk.
If the organisation identifies any situation which changes an assessed risk from low to a higher risk category, then the organisation should as soon as possible undertake appropriate due diligence on the relevant activity, project or business associate.
The organisation should periodically update its due diligence on ongoing activities, projects and business associates. The organisation needs to determine how frequent the update should be so as to keep the assessed risk sufficiently up to date. For high risk areas, updating the due diligence at least annually would seem appropriate. For medium risk areas, the organisation may deem it appropriate to update the due diligence once every two years.
Why undertake due diligence?
Adequate due diligence is an important mechanism for preventing corruption. It can identify a potentially corrupt situation, and will enable the organisation either to take appropriate preventive measures, or to avoid involvement with the potentially corrupt party or project altogether. For example:
- A contractor is considering bidding for a contract to construct a building. It undertakes due diligence on its client (which is the building owner), and discovers that the major shareholder in the client is under investigation for a major fraud. If the shareholder did commit this fraud and uses some of the proceeds to finance the project, then the contractor would be paid out of the proceeds of crime, which could constitute money laundering. The contractor may therefore become involved in a money laundering transaction, with potential criminal consequences for the contractor.
- A sub-contractor is considering bidding to a contractor to supply and install equipment on a project which the contractor is building for a public sector agency. The sub-contractor’s due diligence finds that the contractor was awarded the contract by the agency without competitive tender, even though the national procurement law applicable to that agency requires a competitive tender. There are rumours that the public sector agency managers routinely bypass tender procedures for corrupt reasons. If the contract was awarded in breach of tender procedures, it is potentially illegal, and could be terminated, leaving the sub-contractor at financial risk. If the contractor paid a bribe to win the contract, then the contract is illegal and could be terminated, and any payments from the contractor to the sub-contractor could be regarded as proceeds of a crime with possible money laundering consequences.
- A contractor bidding to win a project in a country which has a reputation for high levels of corruption undertakes due diligence on the country’s customs and internal transport procedures, and finds that there is a high likelihood that it cannot get its equipment to site without having to pay bribes or facilitation payments. The contractor will not pay bribes, as this is illegal and against the contractor’s policy. The contractor cannot sub-contract the transportation unless it has a reasonable level of certainty that the sub-contractor will not pay bribes (otherwise the contractor could be liable for the bribery by the sub-contractor). If no bribes are paid, the equipment may be materially delayed or may be permanently impounded. Unless the contractor can establish a legal mechanism to get the equipment through customs in a timely manner without bribery, the contractor may decide that it cannot in these circumstances bid for the contract.
In each of the above cases, the due diligence has alerted the enquiring organisation to a possible corruption risk. Identifying the risk does not mean that the factors identified are necessarily true or that corruption will actually occur. However, the organisation needs to give careful consideration to the risk and to the likely effectiveness of its policies and procedures in preventing it, and should proceed only if it concludes that the risk of corruption is sufficiently low for proceeding to be a reasonable business decision.
How extensive should the due diligence be?
Due diligence should be tailored to the extent of the risk. Applying effective due diligence is largely a matter of good training and judgment. Due diligence should not be so thorough and expensive that it makes a business relationship or project uneconomic, and not all risk can be avoided. The aim of due diligence is a reasonable and proportionate level of enquiry into the specific aspect, sufficient to enable a decision as to whether the corruption risk is low enough for it to be a reasonable business decision to proceed or continue with the project or business relationship.
Specific guidance on carrying out due diligence is given in the relevant risk assessment sections linked to at the bottom of this page.
Cost of risk assessment and due diligence
The cost of the risk assessment and any associated due diligence should be proportionate to the size of the relevant transaction or project so as to make it cost effective.
Dealing with identified corruption risks
Where the risk assessment establishes that the organisation’s existing policies and procedures are not adequate to reduce the assessed corruption risks to an acceptable level, the policies and procedures should if possible be improved so that they can reduce the assessed risks to an acceptable level. This improvement in relation to these higher risk aspects could, for example, include putting in place additional supervision, requiring a more senior level of management approval over appointments, work done or payments, or requiring additional signatures on approvals. Alternatively, if feasible, the transaction or project could be re-structured so as to result in a lower risk to the organisation. This re-structuring could for example involve the organisation changing a higher risk success fee based payment structure for an agent to a lower risk day rate payment basis, or adapting the project scope of work so that the organisation does not have responsibility for higher risk project activities.
Where the risk assessment in relation to a specific transaction or project establishes that the policies and procedures, even if improved, are unlikely to be adequate to reduce the assessed risks to an acceptable level, the organisation should:
- in the case of an existing transaction or project, take steps appropriate to the risks and nature of the transaction or project to terminate, discontinue or withdraw from the transaction or project as soon as is practicable;
- in the case of a proposed new transaction or project, decline to continue with it.
Examples of situations where an organisation may assess that it is unable to reduce the assessed risks to an acceptable level, and the consequent actions it may take, are as follows:
- The organisation assesses, in relation to a proposed project, that the use of a local agent or local joint venture partner constitutes a more than low corruption risk which the organisation has no reasonable likelihood of being able to control or minimise. The organisation may decide as a result to continue with the project, but not to use a local agent or joint venture partner. Alternatively the organisation may assess that it cannot reasonably trust the ethics of its preferred joint venture partner, so cannot appoint it as a partner, but it can seek alternative more trustworthy partners.
- The organisation assesses, in relation to a proposed project, that there is a strong indication that the client for which the organisation will be constructing a project obtained the planning permission illegally as a result of a bribe. Therefore, the project is likely to be an illegally obtained project, and project payments from the client to the organisation may constitute money laundering. In addition, the project could be terminated at any time by the government due to illegality. There is nothing that the organisation can do in relation to its policies and procedures to deal with this risk. Therefore, the organisation declines to bid for the project.
Documenting the risk assessments and due diligence
The procedure for undertaking these risk assessments and due diligence (i.e. the types of risk assessment and due diligence, when they will be carried out, and by whom) should be documented by the organisation.
The organisation should also appropriately document the actual risk assessments and due diligence carried out.
Responsibility and approval
The risk assessments and due diligence should be prepared by, or under the supervision of, the compliance manager, or other appropriate manager.
The Organisation Corruption Risk Assessment should be approved annually by the organisation’s board.
If the organisation undertakes specific Country Corruption Risk Assessments, Project Corruption Risk Assessments, and/or Business Associate Corruption Risk Assessments, then these should be approved by the compliance manager, or other appropriate manager.
Copies of the risk assessments and due diligence should be available to all relevant personnel. This could be achieved by placing them on the organisation’s intranet (i.e. a private website which only the organisation's personnel can access), or by making them available by e-mail or in hard copy.
Implementation checklist for Measure 11
- The organisation should identify the types of risk assessment that it will undertake.
- In relation to each type of risk assessment, the organisation should identify:
  - who is responsible for undertaking it
  - when it will be undertaken
  - its format
  - the categories of risk which will be included
  - the level of detail
  - who will approve / review it.
- The organisation should identify the types of due diligence that it will undertake.
- In relation to each type of due diligence, the organisation should identify:
  - who is responsible for undertaking it
  - when it will be undertaken
  - how it will be undertaken
  - the issues which it will seek to identify
  - the level of detail
  - any follow up questions / actions when the due diligence identifies issues of concern
  - who will approve / review it.
Further risk assessment and due diligence guidance
See the separate pages for each of the four categories of risk assessment described above for further guidance on risk assessment and due diligence in that category:
- Organisation Corruption Risk Assessment
- Country Corruption Risk Assessment
- Project Corruption Risk Assessment
- Business Associate Corruption Risk Assessment
Most recent update on 17th February 2016
Page first published on 1st May 2008
© 2016 GIACC