This section examines the concepts of risk assessment and due diligence, and gives guidance as to how an organisation may undertake these measures in a reasonable and proportionate manner (Measure 11 of the Anti-Corruption Programme for Organisations).
General guidance is given in this section, and there are four linked sections giving specific additional guidance on different categories of risk assessment. The organisation needs to adapt these general principles and guidance so that it implements a risk assessment and due diligence procedure which is suitable for its business and adequately deals with the corruption risks faced by the organisation.
As explained in What is Corruption, GIACC uses the term “corruption” in the wider sense to include bribery, extortion, fraud, cartels, abuse of power, embezzlement, and money laundering. Consequently, the guidance in this section applies to all such criminal activity.
In this section, “business associate” means any party with which the organisation contracts or plans to contract, including but not limited to clients, customers, joint venture partners, consortium partners, contractors, consultants, sub-contractors, suppliers, vendors, advisors, agents, distributors, representatives and intermediaries (but excluding the organisation’s personnel).
A risk assessment is a review conducted by an organisation which assesses the risks which the organisation may face in its activities, and whether the organisation’s policies and procedures are adequate to reduce those risks to an acceptable level. The risk assessment may look at a wide variety of risks, such as financial, commercial, political, technical, safety, quality, environmental, and corruption.
An assessment of the corruption risk may be carried out by an organisation as part of its overall risk assessment, or as a separate assessment looking specifically at corruption risk. The following guidance looks only at corruption risk.
In this guidance, “acceptable” level of risk means that, taking account of the organisation’s policies and procedures, the risk of corruption appears to be sufficiently low that it is reasonable to allow the business relationship, transaction or project to proceed or continue.
Due diligence is the conduct by the organisation of enquiries on specific countries, transactions, projects, or business associates in order to learn more about them and the possible risks they may pose to the organisation. The results of the due diligence would be fed back into the relevant risk assessment.
Risk assessment and due diligence are separate concepts, but they are related and work together. It is in principle possible to undertake a risk assessment without undertaking specific due diligence. For example, if an organisation is very familiar with the countries in which it works, and works with long-term, well-known business associates, it may not need to undertake any specific due diligence when undertaking a risk assessment, as it is already aware of the critical points from previous due diligence. An organisation will also not normally need to undertake due diligence in relation to transactions, projects or business associates which are likely to pose a low corruption risk. However, where the country, transaction, project and/or business associate is new to the organisation, and/or may pose more than a low corruption risk, some due diligence is likely to be necessary before the risk assessment can properly be completed.
While a risk assessment can stand alone without due diligence, the reverse is not true: due diligence is a tool used in the course of assessing risk, carried out when the organisation needs further information in order to complete its assessment properly.
When initially categorising the corruption risks (e.g. into low, medium and high bands), the organisation should categorise them based on the possibility of the risk occurring in principle, i.e. without factoring in the effect of the organisation’s policies and procedures (the inherent risk). For example, working in a country where corruption is perceived as being widespread may be categorised as high risk.
The risk assessment should then factor in the organisation’s policies and procedures, and assess the likelihood of the risk occurring and the likely severity of the outcome (the residual risk). For example, the inherent risk of working in a particular country may be high, but the organisation may determine that, if, in accordance with its procedures, it only works for clients with good controls over tendering and project management, and if it implements strong controls over its supply chain and personnel, then it is unlikely that the risk will materialise, and that, if it does, the outcome can be suitably mitigated. A potentially high risk has therefore been reduced to low or low-medium risk by the client’s and the organisation’s controls.
The organisation should take account of the findings of its risk assessment, and ensure that a higher level of control is implemented over higher risk categories, with the intent of reducing the risk in all categories to an acceptable level.
If the assessed risk, even with the organisation’s policies and procedures factored in, is still high, then the organisation should decide whether increased controls would reduce the risk to an acceptable level, or whether the risk is unacceptably high and the organisation should not participate in the project or work with that business associate.
The purpose of the corruption risk assessment, and any due diligence carried out as part of the risk assessment, is not to eliminate all possible risk of corruption. The purpose is to identify, after making reasonable and proportionate enquiries and giving the issue appropriate consideration, whether the risk of corruption appears to be sufficiently low that it is reasonable to allow the business relationship, transaction or project to proceed or continue.
Corruption risk assessment procedures implemented by the organisation should be designed to enable the organisation to assess:
Risk assessment can be undertaken at different levels.
There are four main categories of risk assessment (see separate linked pages for further guidance on each category):
Organisation Corruption Risk Assessment: which examines the general overall corruption risks facing the organisation’s business (an overview risk assessment).
Country Corruption Risk Assessment: which examines the general types and level of corruption risks which could be encountered in each country in which the organisation is undertaking, or proposes to undertake, transactions or projects.
Project Corruption Risk Assessment: which examines the types and level of corruption risks which could be encountered in relation to a specific project or transaction which the organisation is undertaking, or proposes to undertake.
Business Associate Corruption Risk Assessment: which examines the types and level of corruption risks which could be encountered in relation to a specific category of business associate, or a specific business associate.
The manner in which the organisation undertakes these risk assessments depends on the size and complexity of the organisation and the nature of its work.
Therefore, the organisation needs to determine how it can most effectively assess its corruption risks in a reasonable and proportionate manner, and then adapt its risk assessment process accordingly.
The separate web-pages on organisation, country, project and business associate corruption risk assessment referred to above give suggestions on how these different assessments may be implemented. However, in all cases, the organisation should adapt this guidance to its own business, and develop a risk assessment process which best suits its structure, business model and corruption risks.
The above sections refer to the different types of risk assessment. When should due diligence be undertaken to support these risk assessments? It is likely to be unreasonable and disproportionate for the organisation to conduct due diligence on all its countries, projects and business associates, whether or not they are likely to pose a corruption risk. The GIACC programme therefore suggests that the organisation should undertake a risk assessment on its overall business (Organisation Corruption Risk Assessment), and that this risk assessment would look at countries, projects and business associates by category, and would identify which categories carry more than a low corruption risk. Appropriate due diligence would then be undertaken on all specific countries, projects and business associates which fall within the categories which the risk assessment has identified as having more than a low corruption risk.
The results of the due diligence would be fed back into the risk assessment.
Due diligence should as far as possible be carried out before the organisation enters into the relevant contract or commitment. If it is carried out later than this point, the organisation may find that the risk has already materialised, or that it has entered into contractual commitments which make it difficult to mitigate the risk.
If the organisation identifies any situation which changes an assessed risk from low to a higher risk category, then the organisation should as soon as possible undertake appropriate due diligence on the relevant activity, project or business associate.
The organisation should periodically update its due diligence on ongoing activities, projects and business associates. The organisation needs to determine how frequent the update should be so as to keep the assessed risk sufficiently up to date. For high risk areas, updating the due diligence at least annually would seem appropriate. For medium risk areas, the organisation may deem it appropriate to update the due diligence once every two years.
Adequate due diligence is an important mechanism for preventing corruption. It can identify a potentially corrupt situation, and will enable the organisation either to take appropriate preventive measures, or to avoid involvement with the potentially corrupt party or project altogether. For example:
In all of the above cases, the due diligence has alerted the enquiring organisation to a possible corruption risk. Merely identifying the existence of the risk does not mean that the factors identified are necessarily true or that the corruption risk will occur. However, the organisation needs to give careful consideration to the risk, and to the likely effectiveness of its policies and procedures to prevent this risk. The organisation should only proceed with the transaction if it believes that the risk of corruption is sufficiently low that it is a reasonable business decision to proceed.
Due diligence should be tailored to the extent of the risk. Application of effective due diligence is largely a matter of good training and judgment. Due diligence cannot be so thorough and expensive that it results in a business relationship or project not being cost effective, and not all risk can be avoided. The aim of due diligence is a reasonable and proportionate level of enquiry into the specific aspect, sufficient to enable a decision as to whether the corruption risk is low enough for it to be a reasonable business decision to proceed or continue with a project or business relationship.
Specific guidance on carrying out due diligence is given in the relevant risk assessment sections linked to at the bottom of this page.
The cost of the risk assessment and any associated due diligence should be proportionate to the size of the relevant transaction or project so as to make it cost effective.
Where the risk assessment establishes that the organisation’s existing policies and procedures are not adequate to reduce the assessed corruption risks to an acceptable level, the policies and procedures should where possible be improved so that they can reduce the assessed risks to an acceptable level. For these higher risk aspects, such improvement could, for example, include putting in place additional supervision, requiring a more senior level of management approval over appointments, work done or payments, or requiring additional signatures on approvals. Alternatively, if feasible, the transaction or project could be restructured so as to result in a lower risk to the organisation. This restructuring could, for example, involve the organisation changing a higher risk success-fee-based payment structure for an agent to a lower risk day-rate basis, or adapting the project scope of work so that the organisation does not have responsibility for higher risk project activities.
Where the risk assessment in relation to a specific transaction or project establishes that the policies and procedures, even if improved, are unlikely to be adequate to reduce the assessed risks to an acceptable level, the organisation should:
Examples of situations where an organisation may assess that it is unable to reduce the assessed risks to an acceptable level, and the consequent actions it may take, are as follows:
The procedure for undertaking these risk assessments and due diligence (i.e. the types of risk assessment and due diligence, when they will be carried out, and by whom) should be documented by the organisation.
The organisation should also appropriately document the actual risk assessments and due diligence carried out.
The risk assessments and due diligence should be prepared by, or under the supervision of, the compliance manager, or other appropriate manager.
The Organisation Corruption Risk Assessment should be approved annually by the organisation’s board.
If the organisation undertakes specific Country Corruption Risk Assessments, Project Corruption Risk Assessments and/or Business Associate Corruption Risk Assessments, then these should be approved by the compliance manager, or other appropriate manager.
Copies of the risk assessments and due diligence should be available to all relevant personnel. This could be achieved by placing them on the organisation’s intranet (i.e. a private website which only the organisation’s personnel can access), or by making them available by e-mail or in hard copy.
See the following separate pages for further guidance on risk assessment and due diligence on the following categories:
Most recent update on 10th April 2020
Page first published on 1st May 2008