This section forms part of GIACC’s overall guidance on Risk Assessment and Due Diligence. It examines Country Corruption Risk Assessments.
See the following separate web-pages for guidance on other categories of risk assessment.
These Country Corruption Risk Assessments can be stand-alone assessments, or can be a sub-section of, or be incorporated into, the Organisation Corruption Risk Assessment.
There is no specific model of risk assessment which must be used. The organisation should create an assessment model which best suits its purposes.
Corruption is more wide-spread in some countries than in others. In some countries, corruption may rarely be encountered. At the other extreme, in some countries, corruption is so endemic that it may be impossible to operate without encountering corruption. Operating in high risk countries will inevitably require greater precautions.
Therefore, before the organisation works in any country in which it is not currently working, management needs to be satisfied, after making reasonable and proportionate enquiries, and after giving the issue reasonable and proportionate consideration, that the risk of corruption posed by the country appears to be sufficiently low that it is reasonable to allow the business relationship, transaction or project to proceed.
In some countries, there could be a materially higher risk of corruption in one part of the country than in another part. This distinction would need to be identified in the risk assessment.
These country risk assessments are focusing on the overall risk posed by the country (e.g. the extent to which there is widespread corruption in government permit issuing, or extensive police roadblocks where payments are demanded to proceed). The risks posed by specific projects or business associates are dealt with separately (e.g. in the project or business associate risk assessments).
If the organisation’s home base is the country in question, then the organisation is likely to have a high degree of awareness of the possible types and level of corruption which may be encountered. It is more difficult for an organisation based in one country to assess the risk in another country.
The type of business that the organisation is proposing to undertake will have an impact on the extent of its enquiries, and the decisions it makes as a result. For example, if the organisation’s business merely involves selling some goods from its home country to an organisation based in a high corruption risk country, and its contractual obligation is merely supply FOB with payment by letter of credit (i.e. if the organisation does not need to visit the high risk country, has no interface with government officials in that country, has no business associates in that country, no activities in that country, and no payment risk), then the organisation will probably be able to proceed with the project despite the high country risk, as it is unlikely that any corrupt actions in that country will impact on the organisation or its scope of supply. At the other extreme, the organisation may be tendering to construct a project in that high risk country, which involves it tendering in that country and, should it win the contract, constructing the project and shipping equipment and materials to and within that country, with significant interface with government officials, police etc. In this case, the organisation’s risk is probably high. Many projects will fall in between these two extremes.
In relation to each country in which it proposes to undertake transactions or projects, the organisation should undertake a Country Corruption Risk Assessment. This should examine the level of corruption in that country, the types of corruption most commonly encountered, and whether, taking into account the organisation’s policies, procedures and controls, the organisation is likely to be able to deal adequately with the corruption risks in that country. If the organisation is not familiar with operating in that country, the organisation should undertake specific due diligence on that country so that it has sufficient information in order to be able to make a reasonable decision on the risk in that country.
These Country Corruption Risk Assessments could be undertaken in several different ways, depending on the organisation’s specific requirements:
The organisation is only likely to need to undertake a separate Country Corruption Risk Assessment if the Organisation Corruption Risk Assessment has identified the corruption risk in that country as being more than low.
Examples of the types of country-specific corruption risks which the organisation should examine and assess include:
As the 4th to 10th bullet points above are only relevant if a corrupt event has occurred, then the organisation may consider that legal advice on these aspects only needs to be obtained after the event. This would save legal costs which may never need to be incurred. However, in this case, the organisation needs to be reasonably confident that it can obtain advice quickly. The organisation may therefore believe that it is safer to obtain advice on all these aspects in advance.
For more guidance on these issues, see Dealing with Corruption: Organisations.
The outcome of the above process is likely to be:
Upon completion of the risk assessment and due diligence process in relation to a specific country, an appropriate manager of the organisation should confirm in writing that, taking into account all issues revealed by the risk assessment and due diligence, it is reasonable from a corruption risk perspective for the organisation to work in that particular country.
The organisation may choose to impose an additional level of management approval for higher risk countries (e.g. Chief Executive approval may be required for working in medium risk countries, and Board approval for working in high risk countries).
This overall process of risk categorisation and due diligence can be referred to as the Country Corruption Risk Assessment.
The overall outcome of the country corruption risk assessment process should be that the organisation has implemented a reasonable and proportionate process for assessing whether, taking into account its own controls, and other relevant factors in relation to the country, the risk of corruption in relation to the country appears to be sufficiently low that it is reasonable for the organisation to work in that country.
A Country Corruption Risk Assessment should be undertaken prior to the organisation committing to proceed with any business relationship, transaction or project in that country. The risk assessment should be updated annually, and in the event that any material change in the nature of the country’s risk becomes evident.
The country corruption risk assessments and related due diligence need to be documented. They do not need to be documented in full detail (i.e. spreadsheets, summaries, bullet points and cross references to other documents can be used). However, a risk assessment should be in sufficient detail that a third party reading the risk assessment will understand the risks and assessments made. For example: if the manager writing the risk assessment leaves the organisation, will the replacement manager understand the assessment; or, if there is a criminal investigation, is the risk assessment sufficiently clear that the investigators will understand that the organisation did undertake a reasonable and proportionate assessment?
In larger organisations, it is important that these risk assessment and due diligence records are accessible by all relevant personnel, so as to avoid duplicated assessments and due diligence. These records could be made available either on the organisation’s intranet or in hard copy.
See the following separate web-pages for guidance on other categories of risk assessment.
Return to main Risk Assessment and Due Diligence page.
Updated on 10th April 2020
© GIACC