

Organisation Corruption Risk Assessment

This section forms part of GIACC’s guidance on Risk Assessment and Due Diligence.  It examines Organisation Corruption Risk Assessment (i.e. the overall corruption risk facing the organisation).

See the following separate web-pages for further guidance on categories of specific risk assessment:

The Organisation Corruption Risk Assessment is intended as an overview document. It is a tool to help management, in a logical and focused manner, examine the overall corruption risks facing the organisation, and assess whether the organisation’s policies, procedures and controls are adequate to deal with these risks.  This risk assessment will examine, for example, by way of overview, the corruption risks posed by the size and structure of the organisation, the countries in which the organisation operates, the type of work or projects that the organisation undertakes, and the types of business associates it works with.

There is no specific model of risk assessment which must be used.  The organisation should create an assessment model which best suits its purposes.  In the case of an organisation undertaking only one type of work in one low risk country with a small number of low risk business associates, the assessment may be quite simple.  In the case of an organisation working in many countries, with many different types of work and many categories of higher risk business associates, the risk assessment is likely to be more complex.

This risk assessment exercise is not meant to be an extensive or over-complex exercise.  Nor are the results of the assessment necessarily going to be proven correct (e.g. a transaction assessed as low risk may turn out to have involved corruption).  The exercise is designed as a helpful tool to assist the organisation in assessing and controlling its corruption risk.

The following provides an example of how an organisation may undertake the Organisation Corruption Risk Assessment.  

(1) How to undertake an Organisation Corruption Risk Assessment

(1.1) Define the corruption risks which are being examined

These are the corruption risks which the organisation assesses that it may face in its business.  The risks being examined include the risk of corruption being perpetrated by or on behalf of the organisation, and against the organisation.  These risks would normally include:

  • Bribery:
    • By the organisation:  Where the organisation, or someone (e.g. personnel or a business associate) acting on behalf of or for the benefit of the organisation, pays a bribe.
    • Against the organisation: Where someone (e.g. a business associate) pays a bribe to personnel of the organisation.
  • Extortion:
    • By the organisation:  Where the organisation, or someone (e.g. personnel or a business associate) acting on behalf of or for the benefit of the organisation, extorts a payment or action out of another party (i.e. by a threat of violence, or by deliberately refusing to produce something to which the other is entitled).
    • Against the organisation: Where someone (e.g. a business associate, a government official or a gang member) extorts a payment or action out of the organisation or its personnel (i.e. by a threat of violence, or by deliberately refusing to produce something to which the other is entitled).
  • Fraud:
    • By the organisation:  Where the organisation, or someone (e.g. personnel or a business associate) acting on behalf of or for the benefit of the organisation, commits fraud against another party.
    • Against the organisation: Where someone (e.g. a business associate) commits fraud against the organisation.
  • Cartels:
    • By the organisation:  Where the organisation, or someone (e.g. personnel or a business associate) acting on behalf of or for the benefit of the organisation, involves the organisation in a cartel.
    • Against the organisation: Where someone (e.g. a business associate) participates in a cartel against the organisation.
  • Embezzlement:
    • By the organisation:  Where the organisation, or someone (e.g. personnel or a business associate) acting on behalf of or for the benefit of the organisation, steals money or assets from another party.
    • Against the organisation: Where someone (e.g. personnel or a business associate) steals money or assets from the organisation.
  • Money laundering:
    • Where the organisation, or someone (e.g. personnel or a business associate) acting on behalf of or for the benefit of the organisation, moves the proceeds of crime through its bank account in circumstances that would make this a criminal offence for the organisation or its personnel.

The organisation could determine in its risk assessment that some types of corruption pose a lower risk to the organisation (whether in terms of frequency or outcome) than others.  The organisation does not expressly need to deal with every type of corruption in every section.  The prime intent of the risk assessment is to identify what types of corruption pose more than a low risk to the organisation, so that these risks can be dealt with appropriately.

(1.2) Select risk evaluation criteria

These are the bands of assessed corruption risk which help management decide what types and levels of control to impose on those risk areas so as to reduce the risk to an acceptable level.  For example:

  • 3 tier criteria such as “low risk”, “medium risk”, “high risk”; or
  • 5 tier criteria such as “very low risk”, “low risk”, “medium risk”, “high risk”, “very high risk”.

GIACC uses 3 tier criteria in this guidance.

(1.3) Assess the corruption risks posed by the size and structure of the organisation, and by the organisation’s personnel

A large organisation can pose a higher corruption risk than a small organisation, as there are many more personnel in the organisation who could act corruptly.  Control can be more difficult in a larger organisation.

An organisation with numerous subsidiaries or divisions, and/or which has a high level of delegation of management authority, can pose a higher corruption risk than an organisation with a centralised management structure, as the organisation needs to rely on the managers with delegated authority to make ethical decisions.

Is the organisation reasonably confident, taking into account its size, structure and personnel, that:

  • the personnel it has appointed to key decision-making positions, or positions which are exposed to corruption, will comply with the organisation’s anti-corruption policy, procedures and controls, and are appropriately trained;
  • its subsidiaries, divisions and other business units have an appropriate level of anti-corruption controls in place;
  • the decision-making controls it has in place reflect the possible corruption risk (e.g. a higher level of approval required over higher risk transactions);
  • appropriate personnel have been appointed (e.g. compliance managers) to ensure that the organisation has implemented adequate anti-corruption controls (including within any independently managed subsidiaries or divisions).

(1.4) Assess the corruption risks posed by the locations and sectors in which the organisation operates or anticipates operating

Some locations are regarded as a higher corruption risk than others.  In particular, a country may have weak government controls and little enforcement, resulting in a high level of day-to-day corruption which could impact on the organisation.  For example, it may be difficult to get equipment through customs, or to obtain government permits and approvals, without paying facilitation payments.  Higher risk locations can also lead to higher risk projects and business associates (see separate sections below).  Some countries can experience higher levels of corruption in one city or region than in others.

Is the organisation doing business in any locations where corruption is regarded as more than a low risk?

Transparency International’s Corruption Perceptions Index or equivalent can be used to assist in this assessment. Locations with more than a low risk of corruption may be deemed by the organisation as “medium” or “high” risk, which may result in the organisation imposing a higher level of controls in relation to activities by the organisation in those locations.  For example, an organisation may determine that:

  • A specific Country Corruption Risk Assessment should be carried out by the organisation in relation to any country it regards as medium or high risk; and
  • no project will be tendered for in:
    • a medium risk location without chief executive approval;
    • a high risk location without full board approval.

Some sectors may pose a higher level or different type of corruption risk than others (for example, in some locations, one sector (e.g. road construction) may be regarded as less well-controlled, and as a result more corrupt, than another sector (e.g. power generation)).  The organisation may assess that a higher level of control or approval is necessary in relation to any identified higher risk sector.

If the organisation has carried out separate specific Country Corruption Risk Assessments, then a summary of these assessments can be included in this section of the Organisation Corruption Risk Assessment.

See Country Corruption Risk Assessment for further guidance on this aspect.

(1.5) Assess the corruption risks posed by the nature, scale and complexity of the organisation’s types of activities, projects and operations

Some projects or activities may be regarded as a higher corruption risk than others.  For example, it may be easier for an organisation to control corruption risk where:

  • it undertakes a small manufacturing operation in one factory than where it is involved in numerous large construction projects in several locations;
  • it supplies equipment ex-works than where it delivers its equipment to site and erects and commissions the equipment on site;
  • it undertakes all its own scope of supply than where it sub-contracts large portions of its scope of supply;
  • it has no interaction with government officials issuing permits, than where it is obliged e.g. to obtain customs clearance or work permits from government officials;
  • it does not use agents to identify potential business, than where it employs a number of agents in various countries on success fee commissions.

The organisation may undertake a large number of projects of similar risk, in which case it may be able adequately to assess its project risk in the Organisation Corruption Risk Assessment.  However, if the organisation undertakes a wide variety of projects or activities with differing levels of risk, it may need to assess project-specific risks.  For example, it may grade the projects in categories according to assessed risk (e.g. low, medium and high) and require that projects which are “medium” or “high” risk should have a higher level of control.  This risk grading could be based on factors such as the size of the project, the location in which it is being undertaken, and the organisation’s scope of work.  For example, an organisation may determine that:

  • a specific Project Corruption Risk Assessment should be carried out by the organisation in relation to any project it regards as medium or high risk; and
  • authority to tender for:
    • a medium risk project requires chief executive approval;
    • a high risk project requires full board approval.

If the organisation has carried out separate specific Project Corruption Risk Assessments, then a summary of these assessments can be included in this section of the Organisation Corruption Risk Assessment.

See Project Corruption Risk Assessment for further guidance on this aspect.

(1.6) Assess the corruption risks posed by the organisation’s existing and potential business associates

Some business associates may pose a higher corruption risk to the organisation than others.  The risk depends on many factors, including the ethics of the business associate, the level of anti-corruption controls the business associate has in place, the type of activity the business associate is carrying out, the size of the business associate’s scope of work for the organisation, and the location in which the business associate is carrying out its activities.  For example:

  • The organisation may have large numbers of clients / customers who purchase very low value products from the organisation, and who in practice pose a minimal corruption risk to the organisation.  In this case the organisation may deem these clients / customers low risk, and may determine that these clients / customers will not need to have any specific anti-corruption controls related to them.  Alternatively, the organisation may deal with clients / customers who buy very large value products from the organisation, and may pose a serious corruption risk (e.g. the risk of these clients demanding bribes from the organisation’s personnel in return for placing orders etc.).  These types of clients / customers may be deemed e.g. as “medium” or “high” risk, and therefore require a higher level of anti-corruption control by the organisation.
  • Different categories of suppliers or sub-contractors can pose different levels of corruption risk.  For example, suppliers or sub-contractors with a very large scope of work, or who may be in contact with the organisation’s clients/customers or relevant government officials, may pose a “medium” or “high” corruption risk.  Some categories of suppliers or sub-contractors may be “low” risk, e.g.:
    • suppliers of low quantities of low value items who have no interface with the organisation’s clients / customers, or with government officials relevant to the transaction;
    • purchases of airline tickets or hotel bookings on-line;
    • restaurant meals, taxis etc.

The organisation might conclude that specific anti-corruption controls do not need to be implemented in relation to these low risk suppliers.

  • Joint venture partners are likely to pose a medium to high risk, because the contractual structure will probably result in the joint venture partner having a direct interface with the organisation’s client/customer and the organisation being liable for the joint venture partner’s actions.
  • Agents, distributors, or intermediaries who assist the organisation obtain sales, and who are in contact with the organisation’s client/customer or government officials are likely to pose a “medium” or “high” corruption risk, particularly if they are paid on a commission or success fee basis.

In practice, the organisation may have numerous prospective and actual business associates, and it would be unreasonable and disproportionate for the organisation to have to carry out detailed risk assessments on every business associate.  It is therefore common for organisations to develop risk-based categories of business associates (e.g. low, medium and high risk) and to place business associates into these categories according to objective criteria (e.g. value of work, likely interface with client, type of payment etc.).  Having developed these categories, the organisation may then determine that any business associate which falls into the medium or high risk category would need to be subject to additional controls.  High risk business associates would be expected to be subject to a higher level of control than medium risk.  For example, an organisation may determine that all medium and high risk business associates need to be approved by the organisation before a contract is entered into with them, and need to have a reasonable level of monitoring during contract performance.  This pre-contract approval may, for example require:

  • For medium risk business associates:
    • Successful completion of a due diligence exercise on the business associate.
    • Enquiries into whether the business associate has implemented appropriate anti-corruption controls relevant to the transaction.
    • The approval of appointment by two senior managers in the organisation.
  • For high risk business associates:
    • An enhanced level of due diligence.
    • Successful completion of an interview process with a senior manager of the business associate.
    • The approval of appointment by the organisation’s chief executive.

A record should be retained of the approval and monitoring of the medium and high risk business associates.  This record could be in the form of a Business Associate Corruption Risk Assessment.  A summary of these assessments can be included in this section of the Organisation Corruption Risk Assessment.

See Business Associate Risk Assessment for further guidance on this aspect.

(1.7) Assess the overall corruption risks facing the organisation based on the assessment of the above factors

The risk factors described above inter-relate.  For example:

  • The organisation may assess that a particular country and client are high risk, but because the organisation is undertaking a low risk scope of work, has no interface with government officials, and is working only with low risk business associates, that the risk of corruption is at an acceptable level.
  • The organisation may assess that in a high risk country, it is possible to work for specific low risk clients who have implemented strong controls over tendering and project management.

Therefore, this section of the risk assessment is designed as a concluding overview.  It should consider whether, taking into account the combination of all its standard controls, and any specific controls implemented in relation to medium and high risk countries, projects and business associates, the organisation’s overall control environment is likely to be adequate to reduce the corruption risks facing the organisation to an acceptable level.

(1.8) Assess any weaknesses or required improvements in the organisation’s anti-corruption policy and procedures

It is very unlikely that the Organisation Corruption Risk Assessment will identify that the organisation’s policy and procedures are perfect.  Identification of weaknesses and required improvements is an inevitable and on-going part of any management programme.  Therefore, the assessment should identify and make recommendations in relation to any identified weaknesses or required improvements in the organisation’s anti-corruption policy and procedures.  For example, the risk assessment may identify that the organisation has not yet implemented:

  • an appropriate training programme for managers who are responsible for medium and high risk projects; or
  • appropriate due diligence procedures for medium and high risk business associates.

The risk assessment would therefore identify these weaknesses, and recommend that appropriate rectification steps are taken by a specified date.  In the meantime, the organisation should pay closer attention to the areas of risk affected by these identified weaknesses.

(2) Outcome of the organisation corruption risk assessment

The intended outcome of the assessment is to give reasonable assurance to the organisation that the organisation’s overall control environment is likely to be adequate to reduce the corruption risks facing the organisation to an acceptable level.

(3) When to undertake Organisation Corruption Risk Assessments

The Organisation Corruption Risk Assessment should be undertaken annually, and be repeated in the event of any material change in the nature of the organisation’s business.

(4) Documenting the Organisation Corruption Risk Assessment

The Organisation Corruption Risk Assessment needs to be documented.  It does not need to be documented in full detail (i.e. spreadsheets, summaries, bullet points and cross references to other documents can be used).  However, it should be in sufficient detail that a third party reading the risk assessment will understand the risks and assessments made.  For example: if the manager writing the risk assessment leaves the organisation, will the replacement manager understand the assessment; or, if there is a criminal investigation, is the risk assessment sufficiently clear that the investigators will understand that the organisation did undertake a reasonable and proportionate assessment?

(5) Other categories of risk assessment

See the following separate web-pages for further guidance on categories of specific risk assessment.


Updated on 10th April 2020

© GIACC