This section forms part of GIACC’s guidance on Risk Assessment and Due Diligence. It examines Organisation Corruption Risk Assessment (i.e. the overall corruption risk facing the organisation).
See the following separate web-pages for further guidance on categories of specific risk assessment:
The Organisation Corruption Risk Assessment is intended as an overview document. It is a tool to help management, in a logical and focused manner, examine the overall corruption risks facing the organisation, and assess whether the organisation’s policies, procedures and controls are adequate to deal with these risks. By way of overview, this risk assessment will examine, for example, the corruption risks posed by the size and structure of the organisation, the countries in which the organisation operates, the type of work or projects that the organisation undertakes, and the types of business associates it works with.
There is no specific model of risk assessment which must be used. The organisation should create an assessment model which best suits its purposes. In the case of an organisation undertaking only one type of work in one low-risk country with a small number of low-risk business associates, the assessment may be quite simple. In the case of an organisation working in many countries, with many different types of work and many categories of higher-risk business associates, the risk assessment is likely to be more complex.
This risk assessment exercise is not meant to be an extensive or over-complex exercise. Nor will the results of the assessment necessarily prove to be correct (e.g. a transaction assessed as low risk may turn out to have involved corruption). The exercise is designed as a helpful tool to assist the organisation in assessing and controlling its corruption risk.
The following provides an example of how an organisation may undertake the Organisation Corruption Risk Assessment.
These are the corruption risks which the organisation assesses that it may face in its business. The risks being examined include the risk of corruption being perpetrated by or on behalf of the organisation, and against the organisation. These risks would normally include:
The organisation could determine in its risk assessment that some types of corruption pose a lower risk to the organisation (whether in terms of frequency or outcome) than others. The organisation does not expressly need to deal with every type of corruption in every section. The prime intent of the risk assessment is to identify what types of corruption pose more than a low risk to the organisation, so that these risks can be dealt with appropriately.
These are the bands of assessed corruption risk which help the management assess what types and levels of control to impose on those risk areas so as to reduce the risk to an acceptable level. For example:
GIACC uses three-tier criteria (low, medium and high risk) in this guidance.
A large organisation can pose a higher corruption risk than a small organisation, as there are many more personnel in the organisation who could act corruptly. Control can be more difficult in a larger organisation.
An organisation with numerous subsidiaries or divisions, and/or which has a high level of delegation of management authority, can pose a higher corruption risk than an organisation with a centralised management structure, as the organisation needs to rely on the managers with delegated authority to make ethical decisions.
Is the organisation reasonably confident, taking into account its size, structure and personnel, that:
Some locations are regarded as a higher corruption risk than others. In particular, a country may have weak government controls and little enforcement, resulting in a high level of day-to-day corruption which could affect the organisation. For example, it may be difficult to get equipment through customs, or to obtain government permits and approvals, without paying facilitation payments. Higher-risk locations can also lead to higher-risk projects and business associates (see separate sections below). Some countries can experience higher levels of corruption in one city or region than in others.
Is the organisation doing business in any locations where corruption is regarded as more than a low risk?
Transparency International’s Corruption Perceptions Index or equivalent can be used to assist in this assessment. Locations with more than a low risk of corruption may be deemed by the organisation as “medium” or “high” risk, which may result in the organisation imposing a higher level of controls in relation to activities by the organisation in those locations. For example, an organisation may determine that:
Some sectors may pose a higher level or different type of corruption risk than others (for example, in some locations, one sector (e.g. road construction) may be regarded as less well controlled, and as a result more corrupt, than another sector (e.g. power generation)). The organisation may assess that a higher level of control or approval is necessary in relation to any identified higher-risk sector.
If the organisation has carried out separate specific Country Corruption Risk Assessments, then a summary of these assessments can be included in this section of the Organisation Corruption Risk Assessment.
See Country Corruption Risk Assessment for further guidance on this aspect.
Some projects or activities may be regarded as a higher corruption risk than others. For example, it may be easier for an organisation to control corruption risk where:
The organisation may undertake a large number of projects of similar risk, in which case it may be able to assess its project risk adequately in the Organisation Corruption Risk Assessment. However, if the organisation undertakes a wide variety of projects or activities with differing levels of risk, it may need to assess project-specific risks. For example, it may grade the projects in categories according to assessed risk (e.g. low, medium and high) and require that projects which are “medium” or “high” risk should have a higher level of control. This risk grading could be based on factors such as the size of the project, the location in which it is being undertaken, and the organisation’s scope of work. For example, an organisation may determine that:
If the organisation has carried out separate specific Project Corruption Risk Assessments, then a summary of these assessments can be included in this section of the Organisation Corruption Risk Assessment.
See Project Corruption Risk Assessment for further guidance on this aspect.
Some business associates may pose a higher corruption risk to the organisation than others. The risk depends on many factors, including the ethics of the business associate, the level of anti-corruption controls the business associate has in place, the type of activity the business associate is carrying out, the size of the business associate’s scope of work for the organisation, and the location in which the business associate is carrying out its activities. For example:
The organisation might conclude that specific anti-corruption controls do not need to be implemented in relation to these low risk suppliers.
In practice, the organisation may have numerous prospective and actual business associates, and it would be unreasonable and disproportionate for the organisation to have to carry out detailed risk assessments on every business associate. It is therefore common for organisations to develop risk-based categories of business associates (e.g. low, medium and high risk) and to place business associates into these categories according to objective criteria (e.g. value of work, likely interface with the client, type of payment, etc.). Having developed these categories, the organisation may then determine that any business associate which falls into the medium or high risk category would need to be subject to additional controls. High risk business associates would be expected to be subject to a higher level of control than medium risk. For example, an organisation may determine that all medium and high risk business associates need to be approved by the organisation before a contract is entered into with them, and need to have a reasonable level of monitoring during contract performance. This pre-contract approval may, for example, require:
A record should be retained of the approval and monitoring of the medium and high risk business associates. This record could be in the form of a Business Associate Corruption Risk Assessment. A summary of these assessments can be included in this section of the Organisation Corruption Risk Assessment.
See Business Associate Risk Assessment for further guidance on this aspect.
The risk factors described above inter-relate. For example:
Therefore, this section of the risk assessment is designed as a concluding overview. It should consider whether, taking into account the combination of all its standard controls, and any specific controls implemented in relation to medium and high risk countries, projects and business associates, the organisation’s overall control environment is likely to be adequate to reduce the corruption risks facing the organisation to an acceptable level.
It is very unlikely that the Organisation Corruption Risk Assessment will identify that the organisation’s policy and procedures are perfect. Identification of weaknesses and required improvements is an inevitable and on-going part of any management programme. Therefore, the assessment should identify and make recommendations in relation to any identified weaknesses or required improvements in the organisation’s anti-corruption policy and procedures. For example, the risk assessment may identify that the organisation has not yet implemented:
The risk assessment would therefore identify these weaknesses, and recommend that appropriate rectification steps are taken by a specified date. In the meantime, the organisation should pay closer attention to the areas of risk affected by these identified weaknesses.
The intended outcome of the assessment is to give reasonable assurance to the organisation that the organisation’s overall control environment is likely to be adequate to reduce the corruption risks facing the organisation to an acceptable level.
The Organisation Corruption Risk Assessment should be undertaken annually, and be repeated in the event of any material change in the nature of the organisation’s business.
The Organisation Corruption Risk Assessment needs to be documented. It does not need to be documented in full detail (i.e. spreadsheets, summaries, bullet points and cross-references to other documents can be used). However, it should be in sufficient detail that a third party reading the risk assessment will understand the risks and the assessments made. For example: if the manager writing the risk assessment leaves the organisation, will the replacement manager understand the assessment? Or, if there is a criminal investigation, is the risk assessment sufficiently clear that the investigators will understand that the organisation did undertake a reasonable and proportionate assessment?
Page updated on 10th April 2020
Page first published on 15th February 2016