

Business Associate Corruption Risk Assessment

This section forms part of GIACC’s overall guidance on Risk Assessment and Due Diligence. It examines business associate corruption risk assessments.

See the following separate web-pages for guidance on other categories of risk assessment.

These business associate corruption risk assessments can be stand-alone assessments, or can be a sub-section of, or be incorporated into, the Organisation Corruption Risk Assessment.

For the purposes of this section “business associate” means any party with which the organisation contracts, including but not limited to clients, customers, joint venture partners, consortium partners, contractors, consultants, sub-contractors, suppliers, vendors, advisors, agents, distributors, representatives and intermediaries (but excluding the organisation’s personnel).

An organisation may have a large number and wide variety of types of business associate which may vary significantly according to their size, the type of interaction they have with the organisation, and the corruption risk they pose.  The organisation needs to implement reasonable and proportionate procedures for risk assessment and due diligence in relation to its business associates so that it can assess the corruption risk posed by business associates.

At one end of the risk spectrum, the potential risk could be high (for example, where the business associate is a joint venture or consortium partner, a major supplier, or an agent, and where these parties have a large scope of work or contract price, and are working on a project in a high corruption risk country, and have an inter-relationship with the organisation’s client or government officials).  At the other end of the spectrum, the risk may be low (for example where the business associate is a low value supplier in a low corruption risk country with no inter-relationship with the organisation’s client or any government officials).

There is no specific model of risk assessment which must be used.  The organisation should create an assessment model which best suits its purposes. 

The following is a suggested method of dealing with these issues which can be adapted by an organisation to suit its own requirements.  This method involves:

  • undertaking a risk assessment by categorising business associates into risk bands by reference to selected objective criteria;
  • then applying different levels of due diligence and controls to these business associates according to those criteria.

(1) Categorising business associates by risk criteria

The following suggested categorisation selects three risk categories, low, medium and high.  A more sophisticated banding could be selected by an organisation; for example, low, low-medium, medium, medium-high, and high risk categories. 

Note that these are suggestions only, and should be adapted by the organisation to suit its requirements.

For the purposes of this guidance, “Services” means any products, equipment, materials, work or services.

(1.1) High risk business associates

A Business Associate which falls within any of the following categories should be treated as high risk:

  • A client or customer which is likely to purchase Services from the organisation in aggregate in excess of [$: High risk value threshold] per annum.
  • Any joint venture or consortium partner of the organisation.
  • A sub-contractor, supplier, consultant, agent, distributor or intermediary which is likely to supply Services to the organisation in aggregate in excess of [$: High risk value threshold] per annum.
  • A sub-contractor, supplier, consultant, agent, distributor or intermediary appointed by the organisation which is likely, due to the nature of its Services, to be in direct contact with decision-making representatives of the organisation’s customer or client or a relevant government department during tender or contract performance. 
  • A sub-contractor, supplier, consultant, agent, distributor or intermediary which is paid by the organisation on a success fee basis.
  • Any business associate specifically declared by the organisation as high risk.

(1.2) Medium risk business associates

A Business Associate which falls within any of the following categories should be treated as medium risk:

  • A client or customer which is likely to purchase Services from the organisation in aggregate of between [$: High risk value threshold ] and [$: Low risk value threshold] per annum.
  • A sub-contractor, supplier, consultant, agent, distributor or intermediary which:
    • is likely to supply Services to the organisation in aggregate of between [$: High risk value threshold] and [$: Low risk value threshold] per annum, and
    • will not be in direct contact with decision-making representatives of the organisation’s customer or client or relevant government department during tender or contract performance, and
    • is not paid on a success fee basis.
  • Any business associate specifically declared by the organisation as medium risk.

(1.3) Low risk business associates

A Business Associate which falls within either of the following categories should be treated as low risk:

  • Any business associate which does not fall into the high risk or medium risk categories. 
  • Organisations which provide:
    • sale of airline tickets on airlines’ standard booking conditions
    • hire of cars or taxis on car or taxi hire companies’ standard booking conditions
    • hotel bookings on hotels’ standard booking conditions
    • restaurant meals, coffee, sandwiches, drinks

All above suggested values are in aggregate.  If two or more contracts are likely to take the Business Associate above the limit, it should be dealt with in the higher risk category.

The organisation should insert values into the value boxes which it believes appropriately reflect the relevant risk thresholds.  The organisation could apply different values to different countries (i.e. in a low risk country, the value bands may be higher than in a high risk country).
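The banding rules in (1.1) to (1.3), the aggregation rule (several contracts can together push a business associate into a higher band) and the country-specific thresholds just described can be expressed as a small classifier. The following Python is an added illustration and is not GIACC's own code or tooling; the threshold figures, the role names, the "routine service" labels and the conservative handling of a band declared by the organisation are constructed assumptions standing in for the values the organisation would fill into the boxes above.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Band(IntEnum):
    """Risk bands from section (1); ordered so max() selects the higher-risk band."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


# Constructed per-country value thresholds (hypothetical figures). The guidance
# leaves these as "[$: High/Low risk value threshold]" boxes for the organisation
# to fill in, and notes that the bands may differ between countries.
THRESHOLDS = {
    "high_risk_country": {"high": 100_000, "low": 10_000},
    "low_risk_country": {"high": 500_000, "low": 50_000},
}

COUNTERPARTY_ROLES = {"client", "customer"}
PARTNER_ROLES = {"joint_venture_partner", "consortium_partner"}
SUPPLY_ROLES = {"sub_contractor", "supplier", "consultant", "agent",
                "distributor", "intermediary"}
# Section (1.3): services bought on the provider's standard booking conditions.
ROUTINE_SERVICES = {"airline_ticket", "car_hire", "taxi", "hotel", "restaurant"}


@dataclass
class BusinessAssociate:
    name: str
    role: str                                    # one of the role sets above
    country_risk: str                            # key into THRESHOLDS
    contract_values: List[float] = field(default_factory=list)  # likely per-annum value of each contract
    contacts_decision_makers: bool = False       # direct contact with client/government decision-makers
    success_fee: bool = False                    # paid on a success fee basis
    routine_service: Optional[str] = None        # member of ROUTINE_SERVICES, if applicable
    declared_band: Optional[Band] = None         # band specifically declared by the organisation


def value_band(total: float, thresholds: dict) -> Band:
    """Map an aggregate annual value onto a band.

    Assumption: the guidance says 'between' the two thresholds without stating
    how the boundaries are treated; here a value on a boundary is MEDIUM.
    """
    if total > thresholds["high"]:
        return Band.HIGH
    if total >= thresholds["low"]:
        return Band.MEDIUM
    return Band.LOW


def classify(ba: BusinessAssociate) -> Band:
    thresholds = THRESHOLDS[ba.country_risk]
    # "All above suggested values are in aggregate": sum every likely contract so
    # that two or more small contracts can take the associate above a limit.
    total = sum(ba.contract_values)

    if ba.routine_service in ROUTINE_SERVICES:
        objective = Band.LOW           # airline tickets, hotels, taxis, meals
    elif ba.role in PARTNER_ROLES:
        objective = Band.HIGH          # any JV or consortium partner
    elif ba.role in COUNTERPARTY_ROLES:
        objective = value_band(total, thresholds)
    elif ba.role in SUPPLY_ROLES:
        if ba.contacts_decision_makers or ba.success_fee:
            objective = Band.HIGH      # nature of services, or success fee basis
        else:
            objective = value_band(total, thresholds)
    else:
        objective = Band.LOW           # falls into neither the high nor the medium list

    # Assumption: a declaration by the organisation is applied conservatively.
    # It can raise the band but never lowers what the objective criteria gave.
    if ba.declared_band is not None:
        return max(objective, ba.declared_band)
    return objective


def due_diligence_plan(band: Band) -> dict:
    """Graded procedures from section (2): what each band attracts."""
    return {
        Band.HIGH: {"due_diligence": "extensive", "interview": True},
        Band.MEDIUM: {"due_diligence": "less extensive", "interview": False},
        Band.LOW: {"due_diligence": "none", "interview": False},
    }[band]


if __name__ == "__main__":
    # Constructed sample portfolio: two small contracts together push Supplier B
    # into the medium band, and a success fee makes Agent A high risk.
    portfolio = [
        BusinessAssociate("Agent A", "agent", "high_risk_country", [30_000], success_fee=True),
        BusinessAssociate("Supplier B", "supplier", "high_risk_country", [8_000, 5_000]),
        BusinessAssociate("Hotel C", "supplier", "high_risk_country", [250_000], routine_service="hotel"),
    ]
    for ba in portfolio:
        band = classify(ba)
        print(f"{ba.name}: {band.name} -> {due_diligence_plan(band)}")
```

Keeping the classification in one function with named role sets makes the banding auditable: a reviewer, or an investigator later, can read the rule set and the threshold table and see exactly why a given business associate landed in a band, which is the documentation point made in section (7).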

Having categorised its business associates into the above risk categories, the organisation can then adapt its controls on its business associates in accordance with the above risk categories.  In particular, it is likely to be reasonable for the organisation not to impose specific anti-corruption controls (e.g. undertaking due diligence, and ascertaining whether the business associate has implemented anti-corruption controls) in relation to low risk business associates.  Note, however, that these low risk business associates would still be expected to fall within the organisation’s routine financial and commercial controls (e.g. requiring an appropriate level of manager(s) to appoint these low risk business associates, approve their work done, approve their payments etc.). 

(2) Due diligence on business associates

If the organisation has categorised its business associates into risk categories as suggested above, it can then implement graded due diligence procedures on its business associates according to these risk categories.

If the risk categories have been set at reasonable levels, then it is probably reasonable that:

  • extensive due diligence, including an interview process, is undertaken in relation to high risk business associates;
  • less extensive due diligence, but no interview process, is undertaken in relation to medium risk business associates; and
  • no due diligence or interview process is undertaken in relation to low risk business associates.

The following guidance suggests the due diligence procedures which could be implemented according to these categories.  The actual type and extent of due diligence undertaken by the organisation will depend on factors such as the ability of the organisation to obtain information, the cost of obtaining information, and the extent of the possible corruption risk posed by the relationship.

Note that some of the enquiries recommended below specifically encompass corruption issues, but others are wider, and will overlap with the organisation’s financial, commercial and technical checks on business associates.  Therefore, it is most efficient for the organisation to institute a due diligence procedure which encompasses all necessary ethical, commercial, financial and technical checks on business associates as part of the same procedure and which is undertaken at the same time.

(2.1) High risk business associates

(2.1.1) Due diligence

Undertake the following due diligence on the high risk business associate:

  • Establish whether the business associate has a reputation for corruption or similar criminal conduct, or has been investigated, convicted, sanctioned or debarred for corruption or similar criminal conduct.
    • Identify the names of:
      • the business associate
      • the key owners or shareholders of the business associate (e.g. those that own more than [10]% of the business associate)
      • directors of the business associate
      • personnel of the business associate who will be responsible for management of the relationship with the organisation

This information could be obtained by requiring business associates to complete a questionnaire containing this information before they are appointed by the organisation.

    • Require the business associate to certify to the organisation that the business associate and the organisations and persons listed above:
      • have not been investigated, convicted, sanctioned or debarred for corruption or similar criminal conduct
      • do not have any direct or indirect links to the organisation’s customer or client or to a relevant government official which could lead to corruption. (This confirmation will only be possible where a specific project(s) has been identified).
    • Undertake internet search of these names against key words, such as:  “corruption”, “bribery”, “fraud”, “cartel”, “money laundering”, “prosecution”, “investigation”, “debarred”, “criminal”.  These searches can use both public search engines and publicly available debarment lists of local or multilateral institutions, such as the World Bank.  Some organisations sell compliance screening software programmes or services which link to all applicable databases.
    • If there is evidence of corrupt actions, the organisation should ascertain as far as possible the facts of the case, and what steps the business associate has taken to ensure no future recurrence.  As organisations which have been sanctioned for corruption may be required by the relevant sanctioning authority to implement monitored anti-corruption programmes, it is not necessarily the case that an organisation sanctioned for corruption is continuing to act corruptly or cannot be worked with.  On the contrary, such an organisation may have implemented stringent anti-corruption controls.  Conversely, if no evidence of previous corrupt action emerges, this does not mean that the organisation is not corrupt, as very few cases of corruption have been prosecuted internationally. However, the purpose of the enquiries is to ascertain as far as possible the facts, and what steps the business associate is taking to prevent recurrence.
  • Establish whether the business associate is a legitimate business entity.  This can be verified by requiring the business associate to supply copies of e.g. corporate registration documents, annual filed accounts, and tax identification number.  This helps reduce the risk that the business associate is a sham company set up for corrupt purposes.
  • Establish whether the business associate has the qualifications, experience and resources needed to conduct the business for which it is being contracted.  This can be verified by requiring the business associate to supply e.g. details of its previous projects, clients it has worked for, equipment, factories, number of personnel, quality and other certifications. This helps reduce the risk that the business associate is a sham company set up for corrupt purposes, or is being put forward to undertake services for corrupt reasons when it does not have the capability to provide such services.
  • Establish whether and to what extent the business associate is taking adequate steps within its own organisation to prevent corruption. This can be verified as far as reasonable by requiring the business associate to supply details of its anti-corruption programme.  While the presence of an anti-corruption programme is no guarantee against corruption, the fact that the organisation has gone to the time and trouble of developing a programme is a useful positive indicator.  This assurance can be further enhanced if the organisation can provide proof of implementation of such a programme by a third party certification (e.g. to ISO 37001).  In order to establish the above, the organisation can take the following steps:
    • Ask the business associate whether or not it has a written anti-corruption policy. If yes, ask the business associate to provide a copy of such policy.
    • Ask the business associate whether or not it has implemented a formal anti-corruption programme designed to ensure that the business associate complies with the anti-corruption policy. If yes, ask the business associate to provide a summary of the key components of this programme.
    • Ask the business associate whether or not its anti-corruption programme has been certified by an independent third party.  If yes, ask the business associate to provide a copy of the certification.
  • Obtain references on the business associate:  Obtain formal or informal references from third parties about the business associate’s ethics and performance. This could be obtained by talking to the relevant embassy of the organisation’s home country located in the business associate’s country, and /or by talking to other overseas or local organisations that may have knowledge of the business associate.  While written references are preferable, many people will not be willing to give written references, so oral opinions can be obtained, and the manager of the organisation which obtained these oral references should make a written note of the comments received.
  • Undertake any necessary follow-up enquiries:  Follow up appropriately on any unusual or suspicious search results, either in writing to the business associate, and/or by further due diligence, and/or during interview (2.1.2 below), and/or by retaining third-party experts to assist in the due diligence process.

(2.1.2) Interview

A suitably senior manager of the organisation should meet in person a suitably senior representative of the business associate, and discuss as follows:

  • Explain to the business associate the organisation’s anti-corruption policy and programme and the importance of compliance with the policy and programme.  Explain in particular that any corruption is likely to be a breach of applicable laws, with severe criminal, financial, contractual and reputational consequences.
  • Obtain explanation and evidence from the business associate of what policies and procedures it has in place to prevent corruption.  If it has no formal policies and procedures, how in practice does the business associate avoid corruption?
  • Obtain oral assurance from the business associate that it will have a zero-tolerance of corruption policy on the relevant project and in all its dealings with the organisation.
  • After the interview, the organisation’s manager should consider whether she/he is satisfied with the understanding, content and genuineness of the explanation and assurance given by the business associate representative.  The organisation’s manager should undertake any reasonably appropriate follow-up enquiries.
  • In the case of the business associate, “suitably senior” means a person with the authority to provide the requested explanations and assurances and to ensure that the assurances are implemented.

(2.2) Medium risk business associates 

(2.2.1) Due diligence

Undertake the following due diligence on the business associate.  The organisation may accept a lower level of detail than in relation to high risk business associates:

  • Establish whether the business associate has a reputation for corruption or similar criminal conduct, or has been investigated, convicted, sanctioned or debarred for corruption or similar criminal conduct (as per high risk above).
  • Establish whether the business associate is a legitimate business entity (as per high risk above).
  • Establish whether the business associate has the qualifications, experience and resources needed to conduct the business for which it is being contracted (as per high risk above).
  • Establish whether and to what extent the business associate is taking adequate steps within its own organisation to prevent corruption (as per high risk above).
  • Undertake any necessary follow-up enquiries (as per high risk above).

(2.2.2) Interview

The organisation may determine that an interview process is not necessary for medium risk business associates.

(2.3) Low risk business associates

Undertake no due diligence or interview process.

(3) Factors in undertaking due diligence

The level of detail investigated during the due diligence can vary according to different types of business associate and the risks posed by the business associate.  The suggested categorisation above into high, medium and low risk is quite a broad categorisation and the actual risk posed by e.g. two different business associates assessed as high risk can in practice be different.  So, judgment needs to be used in undertaking the due diligence. For example:

  • From the perspective of the organisation’s potential criminal and financial liability, business associates pose a higher corruption risk to the organisation when they are acting on the organisation’s behalf or for its benefit than when they are providing services, or supplying equipment and materials, to the organisation. For example, an agent involved in assisting an organisation obtain a contract award could pay a bribe to a manager of the organisation’s customer to help the organisation win the contract, and so could result in the organisation being responsible for the agent’s corrupt conduct.  As a result, the organisation’s due diligence on the agent should be as comprehensive as possible. On the other hand, a supplier selling equipment or material to the organisation and which has no involvement with the organisation’s customer is less likely to be able to pay a bribe on the organisation’s behalf, and so the level of due diligence on the supplier could be lower.
  • The level of influence which the organisation has over its business associates also affects the extent of due diligence which the organisation can reasonably undertake.
    • It may be relatively easy for an organisation to require its agents and joint venture partners to provide extensive information about themselves as part of a due diligence exercise prior to the organisation committing to work with them, as the organisation has a degree of choice over whom it contracts with in this situation.
    • It is likely to be more difficult for an organisation to require a customer or client to provide information about themselves or to fill in due diligence questionnaires. This could be because the organisation would not have sufficient influence over the client or customer to be able to do so (for example where the organisation is involved in a competitive tender to provide services to the customer).  In this case, the organisation will probably not be able to obtain this information direct from the client, but should undertake as much due diligence as is reasonably practical in the circumstances (i.e. through on-line checks).  It should note on its due diligence record of the client, or this category of client, that it has been unable to undertake these types of enquiries.

Due diligence is not a perfect tool. The absence of negative information does not necessarily mean that the business associate does not pose a corruption risk.  Negative information does not necessarily mean that the business associate poses a corruption risk.  However, the results need to be carefully assessed and a rational judgement made by the organisation based on the facts available to it. The overall intent is that the organisation makes reasonable and proportionate enquiries about the business associate so as to form a reasonable judgment on the level of corruption risk which the organisation is exposed to if it works with the business associate.

(4) Outcome of the Business Associate Corruption Risk Assessment and due diligence

The outcome of the above suggested process is therefore:

  • the categorisation of all business associates into risk categories (e.g. high, medium, low)
  • a due diligence process being undertaken in relation to all medium and high risk business associates.

Upon completion of the risk assessment and due diligence process in relation to a specific medium or high risk business associate, an appropriate manager of the organisation should confirm in writing that, taking into account all issues revealed by the risk assessment and due diligence, it is reasonable from a corruption risk perspective to appoint the particular business associate, and that the business associate has been approved by the organisation for appointment.

The organisation may choose to impose an additional level of management approval for high risk business associates (e.g. chief executive approval may be required to appoint a high risk business associate in a medium risk country, and board approval to appoint a high risk business associate in a high risk country).

This overall process of risk categorisation and due diligence can be referred to as the Business Associate Corruption Risk Assessment. 

The overall outcome of the Business Associate Corruption Risk Assessment process should be that the organisation has implemented a reasonable and proportionate process for assessing whether, taking into account its own controls, and other relevant factors in relation to business associates, the risk of corruption in relation to the business associate(s) appears to be sufficiently low that it is reasonable to proceed or continue to work with the business associate(s).

(5) Inter-relationship of the Business Associate Corruption Risk Assessment with other controls

GIACC has suggested in its Anti-Corruption Programme for Organisations that this risk assessment of business associates by risk categories as explained above can be used as the basis for imposing other required controls over business associates.  For example, it is suggested that Measure 12 Implementation of Anti-Corruption Measures by Controlled Organisations and Business Associates and Measure 14 Contract Terms only need to be implemented in relation to medium and high risk business associates.

(6) When to undertake Business Associate Corruption Risk Assessments

  • The Business Associate Corruption Risk Assessment for medium and high corruption risk business associates should be undertaken prior to the organisation committing to work with the business associate.
  • The risk assessment should be repeated:
    • at reasonable intervals while the business relationship is on-going (e.g. every two or three years); and
    • in the event that any material change in the nature of the business associate’s risk becomes evident.

(7) Documenting the Business Associate Corruption Risk Assessments

The Business Associate Corruption Risk Assessments need to be documented.  They do not need to be documented in full detail (i.e. spreadsheets, summaries, bullet points and cross references to other documents can be used).  However, they should be in sufficient detail that a third party reading the risk assessments will understand the risks and assessments made.  For example: if the manager writing a risk assessment leaves the organisation, will the replacement manager understand the assessment;  or, if there is a criminal investigation, is the risk assessment sufficiently clear that the investigators will understand that the organisation did undertake a reasonable and proportionate assessment?

In larger organisations, it is important that these risk assessment and due diligence records are accessible by all personnel who may wish to appoint these business associates, so as to avoid duplicated due diligence.  Therefore, the process and outcomes could be made available on a searchable part of the organisation’s intranet.

(8) Other categories of risk assessment

See the following separate web-pages for guidance on other categories of risk assessment.


Updated on 10th April 2020

© GIACC