Transparency International (TI) is the world's leading non-governmental anti-corruption organisation. With more than 90 Chapters worldwide, TI has extensive global expertise and understanding of corruption.

Transparency International UK (TI-UK) is the UK chapter of TI. We raise awareness about corruption; advocate legal and regulatory reform at national and international levels; design practical tools for institutions, individuals and companies wishing to combat corruption; and act as a leading centre of anti-corruption expertise in the UK.

Acknowledgements

We are grateful to the following for supporting this project throughout as members of the Expert Advisory Committee: Chandrashekhar Krishnan, Tamara Northcott, Simon Perry (PwC), Sam Tate and Ian Trumper. We would also like to thank Peter Wilkinson for his review of the text.

This publication has been kindly supported by PricewaterhouseCoopers (PwC), a professional services firm providing a wide range of assurance, advisory and tax services. www.pwc.co.uk

Lead author: Will Kenyon
Editor: Robert Barrington
Publisher: Transparency International UK
Published: July 2013
ISBN 978-0-9573410-1-2

© 2013 Transparency International UK. All rights reserved. Reproduction in whole or in parts is permitted providing that full credit is given to Transparency International UK and provided that any such reproduction, whether in whole or in parts, is not for commercial purposes or sold or incorporated in works that are sold. Written permission must be sought from Transparency International UK if any such reproduction adapts or modifies the original content or for any copyright waiver.

Disclaimer: Every effort has been made to verify the accuracy of the information contained in this document. All information was believed to be correct as of June 2013. Nevertheless, Transparency International UK cannot accept responsibility for the consequences of its use for other purposes or in other contexts. Policy recommendations and best practice guidance reflect Transparency International UK's opinion. They should not be taken to represent the views of those quoted or interviewed or of PricewaterhouseCoopers LLP ("PwC") or members of the Advisory Committee or their associated companies. Neither Transparency International UK nor PwC assumes any liability for the information contained herein, its interpretation or for any reliance on it. The document should not be construed as a recommendation, endorsement, opinion or approval of any kind. This Guidance has been produced for information only and should not be relied on for legal purposes. Professional advice should always be sought before taking action based on the information provided. PwC is a limited liability partnership in the United Kingdom.

CONTENTS

1. INTRODUCTION
1.1 What type of organisation is this guide for?
1.2 Scope and approach of this guide
1.3 Legal and regulatory context
1.4 How risk assessment fits into an anti-bribery programme

2. THE RISK ASSESSMENT PROCESS
2.1 Theoretical foundations
2.2 Overview of the risk assessment process
2.3 Governance over the risk assessment process
2.4 Seeking multiple perspectives
2.5 Documentation

3. RISK IDENTIFICATION
3.1 Planning the risk identification
3.2 Key categories of risk

4. RISK EVALUATION
4.1 Purpose of risk evaluation
4.2 Evaluation parameters
4.3 Differentiating individual bribery risks
4.4 Business unit or market-level risk

5. NEXT STEPS: USING THE OUTPUT OF THE RISK ASSESSMENT
5.1 Mapping risks on to controls
5.2 Gap analysis
5.3 Remediation
5.4 Follow-up, monitoring and enforcement
5.5 Reporting

ANNEX 1: BRIBERY RISK ASSESSMENT PROCESS CHECK LIST
ANNEX 2: RISK ASSESSMENT TEMPLATE - ILLUSTRATIVE DOCUMENTED EXAMPLE
ANNEX 3: RISK ASSESSMENT TEMPLATE INCLUDING CONTROLS MAPPING - ILLUSTRATIVE EXTRACT
ANNEX 4: GLOSSARY OF TERMS

GOOD PRACTICE PRINCIPLES FOR BRIBERY RISK ASSESSMENT

Effective risk assessment will:

1. Have the full support and commitment from the Board and other senior management
2. Involve the right people to ensure a sufficiently informed and complete overview of the business and its risks
3. Be comprehensive, taking account of all activities of the business which may create significant bribery risk
4. Avoid preconceptions about the effectiveness of controls or the integrity of employees and third parties, and therefore focus on inherent risk
5. Identify and describe bribery risks in appropriate detail
6. Evaluate bribery risks by reference to a realistic assessment of likelihood and impact
7. Prioritise bribery risks to the extent that this is practical and meaningful
8. Be documented in such a way as to demonstrate that an effective risk assessment process has been carried out
9. Be regular, performed at appropriate intervals and otherwise in the event of significant changes affecting the business
10. Be communicated effectively, and designed in a way that facilitates effective communication and the design of appropriate policies, programmes and controls

1. INTRODUCTION

This guide is intended to help commercial organisations identify and evaluate the bribery risks to which their activities may expose them. It also explains how risk assessment fits into the development and maintenance of the organisation's wider anti-bribery programme.

Risk assessment is critical to the effective management of bribery risk. It has further significance because law enforcement and regulators will look for evidence of a company's risk assessment where they are called upon to investigate alleged bribery.

The Business Principles for Countering Bribery state:[1]

"The Programme should be tailored to reflect an enterprise's particular business circumstances and culture, taking into account such potential risk factors as size, business sector, nature of the business and locations of operation … The enterprise should analyse which specific areas pose the greatest risks from bribery and design and implement its Programme accordingly."

1.1 What type of organisation is the guide for?

This document is necessarily generic and does not seek to address any particular size or type of company, nor focus on any specific industry. It aims to guide the reader on the way in which factors such as size, industry, location and so on may have a bearing on the organisation's risk profile. The principles set out here are those which, to a lesser or greater extent, are applicable in all cases. There is no one-size-fits-all solution to risk assessment, nor indeed to any other aspect of risk management. Users of this document must therefore form their own judgement on the extent to which a particular risk element is relevant to their organisation.

1.2 Scope and approach of this guide

This guide is confined to the risk assessment process itself. The focus is on inherent risk, that is the risk associated with a particular activity or attribute of a business before taking account of any mitigating controls. This guide does not, except by way of brief illustration, cover the subject of mitigating controls or, therefore, the residual or net risk.

On risk evaluation and prioritisation, the guide takes a qualitative approach. This is because there are considerable practical difficulties associated with ascribing meaningful quantitative values to both the likelihood and the impact of a bribery event (except perhaps the size of financial penalties, which is itself difficult to predict and may only represent a small proportion of the impact of such an event). Many organisations have developed quantitative approaches to the assessment of business risks of all kinds, some of which are quite sophisticated. While not discouraging a quantitative approach, experience suggests that organisations may struggle to apply a meaningful quantitative approach to bribery risk. However, whether an organisation follows a quantitative or qualitative approach, or a combination of both, the basic principles that underpin this guide will still apply.

[1] Business Principles for Countering Bribery, Transparency International, Berlin 2009, Section 3 (Development of a Programme for Countering Bribery) paragraph 3.2 and Section 4 (Scope of the Programme).

Benefits of effective bribery risk assessment

As case studies 1 and 2 illustrate, there are both operational and commercial benefits to assessing risk. Meeting a regulatory requirement – important in itself – is by no means the only reason to carry out a bribery risk assessment. The potential positive benefits are considerable and include:

• Providing a realistic and comprehensive overview of key areas of bribery risk to assist with the design of mitigating processes and controls, training and other communications, and monitoring and review activities;
• Focusing attention and effort on those business activities and relationships which are considered to be most risky;
• Enabling an organisation to recognise where there may be an excessive controls burden in relation to relatively low risk activities and to reduce effort in those areas and/or redeploy resources where there is greater need;
• Helping to determine the level of risk-based due diligence that will be appropriate for particular third parties, building on an informed appraisal of the risks associated with the activities such parties are being asked to undertake;
• Identifying opportunities for efficiency, not only in controls but also in the underlying business activities themselves. For example, in considering third party risk arising from the use of intermediaries in particular kinds of commercial arrangement, some companies have concluded that they could reduce or even eradicate the use of such intermediaries, thereby reducing both risk and direct cost;
• Supporting the promotion of risk awareness generally and a structured, informed approach to ethical decision making in the organisation.

Case study 1

In the case of third parties, Company A found that, having assessed their universe of existing third parties:

• They had numerous third parties supplying a particular service with widely varying commercial terms. They have subsequently consolidated and reduced cost in this area;
• They were able to strengthen their negotiating position once the range of existing commercial terms in place was better understood and to improve monitoring of performance;
• They were able to correct data errors in their master vendor list regarding out of date contracts and payment terms;
• Cutting the number of third parties also reduced due diligence and other compliance costs as well as helping to contain compliance risk.

Case study 2

Company B initially thought that the UK Bribery Act would require setting up a completely new compliance organisation. However, having a detailed understanding of their higher risk areas and existing controls demonstrated to them that they could effectively embed anti-bribery risk management within their existing Compliance Governance framework.

1.3 Legal and regulatory context

A good practice organisation will not approach its anti-bribery programme simply as a matter of legal compliance. It will seek to prevent bribery because this is the right thing to do. However, it is important to take account of the attitude of legislators, law enforcement and regulators around the world, as these certainly reinforce the importance of effective bribery risk assessment and risk management.

A commercial organisation operating internationally may find itself exposed to a number of laws simultaneously. These include the laws of the country in which it is based, the laws of an overseas country in which it is doing business, the laws of a third country into which its business may be exporting and possibly others – where the organisation has a secondary stock market listing, for example.

Most countries around the world have anti-bribery legislation of some kind. The importance of a comprehensive bribery risk assessment is underpinned by all the authoritative guidance on anti-bribery procedures, including the US Foreign Corrupt Practices Act (FCPA) Guidance, the UK's Ministry of Justice (MoJ) Guidance, the Business Principles for Countering Bribery and TI's Adequate Procedures Guidance.[2] For example, the MoJ Guidance outlines six key elements of an effective anti-bribery programme, which it refers to as the 'six principles'. Principle 3, Risk Assessment, is summarised as follows:

"The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented."[3]

Furthermore, all the other MoJ principles are in one way or another influenced by the need for an effective assessment of risk in order to fulfil the objectives of the relevant aspect of the overall anti-bribery programme.

The FCPA Guidance also contains clear messages about the importance of risk assessment as a means of focusing anti-bribery efforts:

"Assessment of risk is fundamental to developing a strong compliance program. One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin. Devoting a disproportionate amount of time to policing modest entertainment and gift-giving instead of focusing on large government bids, questionable payments to third-party consultants, or excessive discounts to resellers and distributors may indicate that a company's compliance program is ineffective."

[2] A Resource Guide to the US Foreign Corrupt Practices Act, jointly issued by the US Department of Justice (DoJ) and the US Securities and Exchange Commission (SEC); Bribery Act 2010: Guidance to help commercial organisations prevent bribery, Ministry of Justice, London, 2011 (MoJ Guidance); The 2010 UK Bribery Act Adequate Procedures Guidance, Transparency International UK, London, 2010.
[3] MoJ Guidance, page 25.

Alongside the UK's MoJ Guidance, the UK's Financial Services Authority (FSA) has to date issued two reports detailing the scope and findings of thematic reviews in relation to the effectiveness of anti-bribery programmes in two of its regulated sectors: insurance brokers[4] and investment banks.[5] In both these reports, the FSA highlighted the importance of good bribery risk assessment as a pre-requisite for effective anti-bribery controls. In practice, the FSA found a widespread lack of effective risk assessment, low levels of understanding of the risks, and significant gaps and weaknesses in anti-bribery controls.

How does this Guide fit with existing risk assessment processes?

Any specific methods, approaches or formats that are discussed or exemplified in this document are intended to be illustrative rather than prescriptive. Many organisations have their own established methodologies and documentation standards for the assessment of business risks g

