A risk assessment is a critical first step in developing an anti-corruption compliance framework that is effective at preventing and detecting criminal conduct. The risk assessment forms the foundation of the program. Its results help provide direction towards those higher risk activities that need to be prioritized, and why.
US enforcement authorities will evaluate a company’s risk assessment process and end product when assessing a company’s compliance program. The US Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have explained, “One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas.” In other words, without undertaking the risk assessment exercise, a company does not have an informed basis for applying limited compliance resources.
The UK’s Ministry of Justice has described the purpose of a risk assessment as follows:
Procedures should be proportionate to the risks faced by an organisation. . . . A risk-based approach will . . . serve to focus the effort where it is needed and will have most impact. A risk-based approach recognises that the bribery threat to organisations varies across jurisdictions, business sectors, business partners and transactions.
Corrupt activity risks can potentially arise in a variety of ways. Certain basic inquiries help frame the overall analysis: where the company is located, who it conducts business with, what industry it operates in, and the types of transactions it undertakes. This blog addresses the first of these factors: location.
The first part of evaluating your geographical risk is, quite simply, to understand where you operate – both in business and legal terms. From a business perspective, consider the physical location of persons, property, clients/customers, suppliers, and other interests, as well as any other geographical contacts – both from a direct and indirect (e.g., joint venture, partnership, or investment) viewpoint. From a legal perspective, seek to understand the ways in which your company may be connected (in the eyes of applicable law) to a place - for example, determining whether the presence of a bank account or the placement of a phone call may subject the company to unintended legal risk exposure. Don’t assume anything about your company’s activities throughout the world; instead, contact and involve those in the field to obtain and apply a knowledgeable view of the facts and circumstances that inform this “where you operate” inquiry.
The second part is to evaluate the likelihood that an infraction (whether criminal conduct or a violation of your compliance policy) will occur in a given area. This requires an assessment of the following:
- How much business you are actually doing in each area. More extensive business operations such as having agents or company personnel resident within the country create more opportunities for corrupt conduct.
- The type of business being conducted in each country. We will address this further in a later post, but the basic point, using potential Foreign Corrupt Practices Act (FCPA) exposure, for example, is that the more interactions your company may have with the government (including state-owned enterprises) in a particular country, the more opportunities there are for corruption to occur.
- The risk of corruption in that particular country or area. Transparency International’s Corruption Perceptions Index (CPI) can help you understand the perceived differences in levels of corruption between different countries. Resources such as the World Bank’s Ease of Doing Business index can also provide insights in how easy or difficult it is to register a business, obtain licenses, and conduct similar business activities – thus providing insights on the temptation to pay bribes to speed the process along. You may also want to consult local law and media reports to understand how well anti-bribery legislation and public procurement laws have been implemented in the country as well as to evaluate public awareness of (or apathy towards) corruption, using resources such as the Business Anti-Corruption Portal.
With an informed view of relative risk among various locations based on the above process, your company’s customer base – to be discussed next week – is the next component of the risk assessment analysis.
Adapting Your TPRM Program to Internal and External Change
How an Ethical Culture Can Drive Better Business Performance
Building Trust and Engagement in the Investigations Process