The Value of Assessing Corruption Risk
In order to have an efficiently running compliance programme that is able to detect corrupt practices, identifying where potential risks lie is key. A risk assessment is one of the most effective methods for accomplishing this, by offering a visual tool which can be used to help management understand their risk profile. Though not a new concept, assessing risk has taken on new importance after its inclusion in the ISO 37001 framework that was published in 2016. Besides being a requirement for an anti-bribery management system that is compliant for certification against this groundbreaking standard (and against international anti-corruption regulations), why else is a risk assessment important?
Assessing corruption risk for efficient compliance
Organisations that want to create an efficient compliance department need to tailor their system to fit their unique corruption risks. Properly evaluating these risks can be challenging, with the high stakes of rendering their programme ineffective if not done correctly.
If underestimated, corruption risks will not be properly mitigated. While overestimating corruption risks with a view to implementing a very sophisticated compliance programme leads – paradoxically – to the same result: the risk will not be properly mitigated. This tends to occur because the employees who have to follow these compliance rules will often quickly label them as overly bureaucratic, finding ways to bypass compliance processes or only partially apply them.
Assessing corruption risks, without underestimating or overestimating them, is essential for a well-implemented compliance programme. Efficient implementation only occurs when employees find the rules to be legitimate, which happens when they are tailored to the business organisation.
A risk assessment exercise will ensure a sound balance between preventative and detection tools whose combination ensures a robust compliance program.
Assessing corruption risk to define appropriate resources
Just like any other department in an organisation, compliance needs appropriate resources dedicated to it in order to properly accomplish its job. Underestimating corruption risks leads to inappropriate resources being devoted to compliance, while overestimating them with the hope that it will result in a higher budget from management is equally misguided. An overestimation will not convince top management, who will undoubedly challenge the information and might perceive the compliance team as “arsonist firefighters” moving forward.
A risk assessment exercise will ensure that proper funding is dedicated to the prevention of corruption throughout the business, increasing the trust that an organisation has for the legitimacy of the compliance function.
Assessing corruption risk to allocate resources efficiently
After properly defining the resources needed for compliance, it perhaps goes without saying that these resources need to be used in the most efficient way. For top managers as well as for operations, compliance is first and foremost a cost. This is the case even in organizations where everyone agrees that compliance matters.
A well-designed corruption risk assessment ensures that resources are focused where risks are high, balancing prevention policies (ex-ante) and detection actions (ex-post).
How to assess corruption risk for efficient compliance
An efficient corruption risk assessment exercise should approach corruption from different angles in order to draw relevant consequences. The three angles listed below will help compliance officers mitigate risk in an appropriate manner, either at the organisational level or at the business process level.
Combining a global and a local risk assessment
It is relatively easy to have a global evaluation of corruption risk by disaggregating the turnover of the organisation according to:
- Country- using Transparency International’s corruption perceptions index
- Type of clients- administration, business, or consumers. Corruption risk will be highest in B2A, followed by B2B, with B2C being the lowest
- Sector of activity- according to Transparency International’s sectoral index
Rating each of these three indicators as high, medium, or low corruption risk will give an indication of where to appropriately allocate the resources. However, it is not because an organisation has a high corruption risk at a global level that the corruption risk will be high in every country or operation. Organisations that are present in many countries, have different types of operations, or are active across business sectors can often fail to see this. This can result in the common pitfall of not tailoring or adapting the compliance rules to local specificities.
This is a testament to the fact that the global rating step needs to be reinforced at the local level, by considering the specificities of business processes. Performing this consideration will facilitate an understanding of where corruption risks really are, and where compliance rules have to be implemented and controlled. Failing to do this can often lead to compliance being perceived as an unnecessary burden in some low risk sectors, while simultaneously causing those operating in high risk sectors to more readily ignore their compliance obligations.
Only such a disaggregated approach to both corruption risk assessment and the compliance programme’s implementation will guarantee that the overarching objective of zero tolerance for corruption is understood and applied throughout.
Associating local managers with the risk assessment
When compliance teams take the time to help local managers both understand the risk and appreciate the usefulness of preventive tools, they tend to be more willing to adopt and continue to implement them.
The difficulty with corruption is that it takes different forms such as a bribe paid directly to the selection of an inappropriate business agent, an undue invitation to a prospect, the hiring of an employee linked to a client’s family, and many more. Combatting this at the local level by involving all the directors in charge of the entity’s day-to-day management in the risk assessment exercise has proven to be extremely useful. Each department manager will understand his or her responsibility and role in the implementation of the compliance programme. The amount of time it takes to perform such a risk assessment exercise is also minimal, potentially requiring only an hour of collective training upstream.
The benefit of incorporating local managers in a risk assessment exercise far outweigh the costs, ensuring that everyone in the organisation has the same understanding of corruption risk.
Using the risk assessment for prevention as well as for detection
As we’ve just covered, a risk assessment indicates where corruption risks are high, and therefore what kind of preventive actions need to be designed and implemented. However, a risk assessment is not only limited to detection, and should also be used to help identify what kind of controls should be implemented. This ensures that corruption risks are properly mitigated.
Performing the exercise will help compliance to identify which type of employees should be trained or what type of content should be included in the training. It will also help to identify which tools are needed (e.g. due diligence questionnaires) and those who will have to apply them (e.g. managers working with sales agents, etc.)
A risk assessment exercise will ensure a sound balance between preventative and detection tools whose combination produces a robust compliance programme.
Risk Assessment in ISO 37001
To emphasise the importance of bribery risk assessments in ISO 37001, it is noteworthy to mention that the drafting group decided in its very first meeting to make the process a requirement in the standard. They included it in chapter 4, which covers the requirement of an organisation to describe the context in which it operates: mainly its business operations, the stakeholders’ expectations, and the applicable laws and rules. (More can be read about this chapter in our previous blog post)
The drafting group also decided very early on that chapter 4 of the standard should be complemented by a specific section on “bribery risk assessment” (4.5), which would rely on detailed guidance (Annex A.4). In other words, these experts considered that a solid anti-bribery management system needed a comprehensive corruption risk assessment. The exercise is therefore referenced in all requirements throughout the standard, ensuring that prevention and detection tools are adequate and proportionate to mitigate the identified risks.
This reliance upon a well-designed corruption risk assessment exercise throughout the ISO 37001 standard, further highlights the importance that it has on creating an efficient anti-bribery management system.
Performing an effective bribery risk assessment exercise is key to properly defining and utilising resources in an efficient compliance programme. This can be done by effectively by communicating with local managers about their duty in the system and merging their exposure with a global approach. Once accomplished, your assessed risks can be used to both prevent and detect bribery. Your organisation will then be well positioned to adhere to the rest of ISO 37001’s chapters for creating an anti-bribery management system and attaining certification.
by Philippe Montigny
President, Certification & Impartiality Committees
For further information about risk assessments, be sure to watch our previous webinar: Bribery Risk Assessment from Good to Great. If you would like to learn more about how your risk assessment can be used in an ABMS framework, contact us by phone, email, or visit our website for more information. Follow us on LinkedIn, Facebook, or Twitter for updates about compliance certification, our business, and services.