Country Corruption Risk Assessment

This section forms part of GIACC’s overall guidance on Risk Assessment and Due Diligence.  It examines Country Corruption Risk Assessments.

See the following separate web-pages for guidance on other categories of risk assessment.

These Country Corruption Risk Assessments can be stand-alone assessments, or can be a sub-section of, or be incorporated into, the Organisation Corruption Risk Assessment.

There is no specific model of risk assessment which must be used.  The organisation should create an assessment model which best suits its purposes. 

(1) Reason for Country Corruption Risk Assessments

Corruption is more wide-spread in some countries than in others. In some countries, corruption may rarely be encountered.  At the other extreme, in some countries, corruption is so endemic that it may be impossible to operate without encountering corruption.  Operating in high risk countries will inevitably require greater precautions.

Therefore, before the organisation works in any country in which it is not currently working, management needs to be satisfied, after making reasonable and proportionate enquiries, and after giving the issue reasonable and proportionate consideration, that the risk of corruption posed by the country appears to be sufficiently low that it is reasonable to allow the business relationship, transaction or project to proceed. 

In some countries, there could be a materially higher risk of corruption in one part of the country than in another part.  This distinction  would need to be identified in the risk assessment.

These country risk assessments are focusing on the overall risk posed by the country (e.g. the extent to which there is widespread corruption in government permit issuing, or extensive police roadblocks where payments are demanded to proceed).  The risks posed by specific projects or business associates are dealt with separately (e.g. in the project or business associate risk assessments).

If the organisation’s home base is the country in question, then the organisation is likely to have a high degree of awareness of the possible types and level of corruption which may be encountered.  It is more difficult for an organisation based in one country to assess the risk in another country.

The type of business that the organisation is proposing to undertake will have an impact on the extent of its enquiries, and the decisions it makes as a result.  For example, if the organisation’s business merely involves selling some goods from its home country to an organisation based in a high corruption risk country, and its contractual obligation is merely supply FOB with payment by letter of credit (i.e. if the organisation does not need to visit the high risk country, has no interface with government officials in that country, has no business associates in that country, no activities in that country, and no payment risk), then the organisation will probably be able to proceed with the project despite the high country risk, as it is unlikely that any corrupt actions in that country will impact on the organisation or its scope of supply.  At the other extreme, the organisation may be tendering to construct a project in that high risk country, which involves it tendering in that country and, should it win the contract, constructing the project and shipping equipment and materials to and within that country, with significant interface with government officials, police etc.  In this case, the organisation’s risk is probably high.  Many projects will fall in between these two extremes.

(2) How to undertake Country Corruption Risk Assessments

In relation to each country in which it proposes to undertake transactions or projects, the organisation should undertake a Country Corruption Risk Assessment.  This should examine the level of corruption in that country, the types of corruption most commonly encountered, and whether, taking into account the organisation’s policies, procedures and controls, the organisation is likely to be able to deal adequately with the corruption risks in that country.  If the organisation is not familiar with operating in that country, the organisation should undertake specific due diligence on that country so that it has sufficient information in order to be able to make a reasonable decision on the risk in that country.

These Country Corruption Risk Assessments could be undertaken in several different ways, depending on the organisation’s specific requirements:

  • as part of the Organisation Corruption Risk Assessment
  • as separate Country Corruption Risk Assessments (one for each country), with an overview consolidated into the Organisation Corruption Risk Assessment;
  • as one separate Country Corruption Risk Assessment document, with different countries forming sub-sections of this document, and with an overview consolidated into the Organisation Corruption Risk Assessment.

The organisation is only likely to need to undertake a separate Country Corruption Risk Assessment if the Organisation Corruption Risk Assessment has identified the corruption risk in that country as being more than low.

Examples of the types of country-specific corruption risks which the organisation should examine and assess include:

  • What ranking does the country have on Transparency International’s Corruption Perceptions Index?  Although this index reflects perceptions only, and is not necessarily accurate, it is widely regarded as successfully identifying on a broad level the extent of corruption in that country.  Many organisations allocate risk bands (e.g. low, medium, high) to countries according to their numerical ranking on TI’s CPI.  The organisation’s decision making process may be adjusted according to those bands.  For example a higher level of due diligence and more senior management approval may be required in relation to projects in, or business associates from, the countries in the higher risk bands.
  • Is the organisation or any business associate likely to encounter demands for facilitation payments (e.g. to obtain visas, work permits, customs clearance)?  If so, in what circumstances?  How easy is it to resist these demands?  What is the best way to react to them?
  • Is the organisation or any business associate likely to encounter demands for payments with accompanying threats to safety (e.g. by police at road blocks who extort money, or from site gangs who demand “protection money”)?  If so, in what circumstances?   How easy is it to resist these demands?  What is the best way to react to them?
  • Is the organisation or any business associate likely to encounter demands for bribes to win work, or obtain certificates or payments?  If so, in what circumstances?  How easy is it to resist these demands?  What is the best way to react to them?
  • Are there any sectors which should be avoided due to an unacceptably high corruption risk?
  • Are there any differences in corruption risk between different relevant cities or regions in that country?
  • Has the organisation had any specific corruption issue before in this country?
  • What are the applicable legal principles which the organisation needs to take account of in its business?  An organisation may incur criminal liability for corruption under the law of its home country and under the law of the country in which the corruption takes place. If the organisation believes that there is more than a low risk that it may encounter potentially corrupt circumstances in a country, then it should obtain legal advice in relation to the law in both jurisdictions.  This will assist an organisation to avoid corruption and to deal more effectively with corruption should the organisation or any of its officers or personnel encounter corruption.  Advice should be obtained on the following, in relation to both jurisdictions:
    • The law and penalties in relation to corruption offences;
    • Whether there are any relevant statutory, regulatory, contractual or professional obligations and duties which could impact on the organisation’s policies.  For example, in some countries, there is a prohibition or limitation of entertainment of public officials or of the use of agents.
    • Whether it is a defence to bribery if it can be proved that a person paid a bribe only because there were threats of imminent harm to that person or another.
    • Whether it is an offence to fail to report corruption.
    • Whether there is protection from self-incrimination.
    • Whether there is protection for whistle-blowers.
    • Whether reporting of corruption may provide immunity from prosecution or mitigate any potential liability for corruption.
    • How reports of corruption may be made to the criminal authorities.
    • How records and witness statements of corrupt incidents should be made so that they are valid under the relevant law.
    • How a report of corruption should be made so as to avoid any risk of liability for defamation for the person making the report.

As the 4th to 10th bullet points above are only relevant if a corrupt event has occurred, then the organisation may consider that legal advice on these aspects only needs to be obtained after the event.  This would save legal costs which may never need to be incurred.  However, in this case, the organisation needs to be reasonably confident that it can obtain advice quickly.  The organisation may therefore believe that it is safer to obtain advice on all these aspects in advance.

For more guidance on these issues, see Dealing with Corruption: Organisations.

  • If the organisation follows its anti-corruption procedures, including in particular those relating to  business associates and projects, is the risk of corruption believed to be sufficiently low that it is reasonable for the organisation to work in this country.
  • Consider any specific anti-corruption controls, recommendations or advice which should be taken account of in this country which are additional to the organisation’s standard anti-corruption procedures.

(3) Outcome of the Country Corruption Risk Assessments

The outcome of the above process is likely to be:

  • the categorisation of the countries in which the organisation works into risk categories (e.g. high, medium, low)
  • a due diligence process being undertaken in relation to all medium and high risk countries.

Upon completion of the risk assessment and due diligence process in relation to a specific country, an appropriate manager of the organisation should confirm in writing that, taking into account all issues revealed by the risk assessment and due diligence, it is reasonable from a corruption risk perspective for the organisation to work in that particular country.

The organisation may choose to impose an additional level of management approval for higher risk countries (e.g. Chief Executive approval may be required for working in medium risk countries, and Board approval for working in high risk countries).

This overall process of risk categorisation and due diligence can be referred to as the Country Corruption Risk Assessment. 

The overall outcome of the country corruption risk assessment process should be that the organisation has implemented a reasonable and proportionate process for assessing whether, taking into account its own controls, and other relevant factors in relation to the country, the risk of corruption in relation to the country appears to be sufficiently low that it is reasonable for the organisation to work in that country.

(4) When to Undertake Country Corruption Risk Assessments

A Country Corruption Risk Assessment should be undertaken prior to the organisation committing to proceed with any business relationship, transaction or project in that country.  The risk assessment should be updated annually, and in the event that any material change in the nature of the country’s risk becomes evident.

(5) Documenting the Country Corruption Risk Assessments and related due diligence

The country corruption risk assessments and related due diligence need to be documented.  They do not need to be documented in full detail (i.e. spreadsheets, summaries, bullet points and cross references to other documents can be used).  However, a risk assessment should be in sufficient detail that a third party reading the risk assessment will understand the risks and assessments made.  For example:  if the manager writing the risk assessment leaves the organisation, will the replacement manager understand the assessment; or, if there is a criminal investigation, is the risk assessment sufficiently clear that the investigators will understand that the organisation did undertake a reasonable and proportionate assessment?

In larger organisations, it is important that these risk assessment and due diligence records are accessible by all relevant personnel, so as to avoid duplicated assessments and due diligence.  These records could be made available either on the organisation’s intranet or in hard copy.

(6) Possible resources

(7) Other categories of risk assessment:

See the following separate web-pages for guidance on other categories of risk assessment.

Return to main Risk Assessment and Due Diligence page.

Updated on 10th April 2020