Components of a Compliance Risk Assessment

Notwithstanding the importance of compliance programs to companies, there is no one-size-fits-all formula to design the perfect anti-corruption compliance program. This is where compliance risk assessments come into the picture; a risk assessment is a critical first step in developing an anti-corruption compliance framework that is effective in preventing and detecting criminal conduct as they allow for the careful tailoring of procedures and policies that are proportionate to the risks a company or an organization might face.

Risk assessments allow for developing a compliance program with the right focus as risks vary depending on the business a company is conducting, where it is conducted it and with whom. They form the foundation of the program and their results help provide direction towards those high-risk activities that need to be prioritized. To help you on the way, this post identifies the five major components of risk assessments: your location, your customers, your interactions with foreign government officials, the business sector in which you operate, and your personnel.

1. Location - where your business activities are located: 

   The first part of evaluating your geographical risk is to understand where you operate – both in business and legal terms. From a business perspective, consider the physical location of any contact both from a direct (location, person, customer) and indirect (joint venture, partnership, or investment) viewpoint. From a legal perspective, seek to understand the ways in which your company may be connected (in the eyes of applicable law) to a place. This may be for example through a bank account. Contact and involve those in the field to obtain and apply a knowledgeable view of the facts and circumstances that inform this “where you operate” inquiry. The second part is to evaluate the likelihood that an infraction will occur in a given area. This requires assessing how much business you do in each area, the type of business conducted in each country, and the risk for corruption that a particular country or area may carry.

2. Customers – who are you doing business with: 

   Knowing your customers is a basic part of complying with anti-corruption laws. For instance, if your customers are government agencies, ministries, or state-owned companies, the customer representatives you deal with are likely “foreign officials” (or the equivalent) under the FCPA, UK Bribery Act, and other anti-corruption laws. The coverage of applicable persons is broad and includes government officers and employees, consultants and agents acting on behalf of foreign governments, employees of public international organizations (like the World Bank or UN), and officials and employees of state-owned enterprises. And even if they aren’t foreign officials, you could still face liability under private-to-private bribery laws that apply, such as the UK Bribery Act. It is also important to consider the facts and circumstances of your customers’ specific projects and the risks those transactions themselves present. Take also into consideration what the risk are that a particular customer may act unethically in a given tender or project.

3. How your company interacts with foreign government officials: 

   Doing direct business with a foreign government (e.g., by acting as the prime contractor on a large infrastructure project) is not the only way that a company can run afoul of laws that prohibit offering or providing bribes to foreign government officials, such as the US Foreign Corruption Practices Act (FCPA) or the UK Bribery Act (UKBA). When investing in a foreign country, several other routine business operations may involve government officials and present companies with a potential corruption risk. These may include; registering your company to do business, obtaining visas or any other permits, hiring local agents or other local third parties, and the list goes on. The critical point is that your business activities abroad will most certainly involve foreign government institutions in some form, even if you do not directly engage in government procurement activities. Doing business in any jurisdiction requires the involvement of government institutions from the ground up. Thus, identifying all of your company’s potential contacts with foreign officials, is crucial in allowing you to begin assessing which of these contacts present the highest corruption risks. Only a thorough risk assessment can then allow you to focus your compliance framework on policies, procedures, and controls aimed at preventing and detecting your company’s most risky government interactions.

4. Industry Risk - in which business sector do you operate: 

   Industry risk, or risk in the particular sector in which you operate, relates to all abovementioned areas (location, customer, interaction with government officials). Obviously, some industries carry higher corruption risks to investors than others; among these are resource extraction, pharmaceuticals and healthcare, infrastructure projects, defense, private equity and finance. Most of these sectors involve heavy interaction with government officials and some in highly corrupt countries. For instance, many countries rich in resources such as oil, gas, minerals, diamonds and timber suffer from weak governance and the absence of a strong rule of law environment leading to high corruption risks. Pharmaceuticals and healthcare is another sector heavily reliant on healthcare professionals, oftentimes state-employed, and health ministries. Infrastructure projects may involve helping foreign governments develop local infrastructure – often with financial contributions from multilateral development banks. Thus, companies not only run the risks of being held liable for corrupt acts, but also landing on debarment lists. While companies venturing into private equity and finance need to pay special attention to anti-money laundering laws and regulations. These are just a few examples of how industry specific corruption risks can arise.

5. Your company’s personnel:Assessing the risks that involve your company’s personnel is of particular significance, as a company’s personnel are those who are most exposed to corruption risks and at the same time they are the ones who are in the best position to mitigate those risks. Think about it: They are the ones who interact with government officials, putting them in an ideal position to be the recipients of bribe requests. Some may be operating with government officials from countries infamous for endemic corruption. They are the ones who sell your products or acquire business, putting them under the pressure of pursuing deals for the company at any cost and may be inclined to cut corners on compliance. A portion of your personnel is also responsible for overseeing financial transactions, including accounts payable, travel and entertainment, and petty cash accounts. Accordingly, they should receive training regarding the specific risks and situations they may encounter. Assessing who among your employees is exposed to risk and the extent of the risks is the sound way of conducting risk assessments, yet still, insufficient. Your personnel is also made up of senior management and other teams such as back office sales personnel and administrative staff. Senior management play a significant role in setting the tone at the top and establishing an appropriate culture of compliance. While back office personnel may well be in a position to detect corruption risks such as improper payments or sales methods. Your assessment should therefore carefully consider all types of personnel.