Guidance Show
4.1 IntroductionRisk assessment is the foundation for the design of an effective anti-bribery programme. It is a continuing procedure which gives a company a systematic and prioritised view of where the significant inherent bribery risks lie. The results of risk assessments are used to design the controls to mitigate the prioritised bribery risks. The process is critical as the information gained through risk assessment will shape the design of the anti-bribery programme and ensure through repeated risk assessments that the design is always valid and being improved. Most large companies will have well established risk assessment procedures and anti-bribery programmes and therefore the process described in this section of the portal should be viewed as a means of gap analysis and continuous improvement.
All companies face bribery risks to some degree but companies cannot be sure if they have they have taken the appropriate risk approach and designed the right controls if they do not know the scale of the risks, where the risks lie, how bribery can take place, which are the largest risks for the company and what makes bribery risks more likely. Risk assessment is a methodology to be undertaken by all sizes of companies and the difference lies in scale and depth of the process. The common guiding principles for risk assessment are:
A best practice risk assessment procedure gives a company a systematic and objective view of bribery risks. This enables the company to:
4.2 Six Stages of a Risk Assessment ExerciseSix stages are identified for the anti-bribery risk assessment process: 1. Ensure top level commitment and oversight: Top level commitment is key to effective risk management. The board and senior management provide leadership and commitment to drive adequate and continuing risk assessment and ensure the process does not falter or lose quality. 2. Plan, scope and mobilise: The planning stage prepares the ground for the risk assessment process. A planning team should consider the following aspects: appointing the project lead, defining stakeholders, allocating team responsibilities, identifying information sources drafting plan for risk assessment, communicating plan and requirements to those involved in the exercise. 3. Gather information: Create a comprehensive catalogue of inherent bribery risks to which the company could plausibly be exposed by virtue of the nature and location of its activities. 4: Identify the bribery risks: The objective of this stage is to identify and examine the activities and risk factors that could increase the company’s exposure to bribery risk. 5. Evaluate and prioritise the risks: The risk evaluation stage analyses and prioritises the forms of bribery identified in stage 3 taking into account the risk factors in stage 4. Common practice is to apply two variables to prioritise risks: likelihood of occurrence and the potential adverse impact. 6. Use the output of risk assessment: The results of risk assessments are applied to a review of the anti-bribery programme and the extent to which existing controls need modification or additions.
4.2.1 Stage 1: Ensure Top-Level Commitment and OversightAim: To obtain leadership support and commitment to drive an effective risk assessment process. Top level commitment is key to effective risk management. The board and senior management should provide leadership and commitment to drive adequate and continuing risk assessment and ensure the process does not falter or lose quality. This commitment is a facet of top level communication and culture described elsewhere in this portal but specific reference is made here to emphasise its role in ensuring the risk assessment process is given appropriate attention and resources. Full leadership commitment requires the following aspects:
4.2.2 Stage 2: Plan, Scope and MobiliseAim: To plan the risk assessment process and individual risk assessment exercises so they are implemented efficiently and effectively. In this stage, form a planning team. The team should consider the following aspects:
4.2.3 Stage 3: Gather InformationAim: Gather sufficient information to identify how bribery could occur. An information gathering stage is required to map out the forms of bribery that could be a risk for the company. Scoping and brainstorming Before gathering information, broad consideration should be given to the forms of bribery that might occur in the company’s activities and where they might occur. The scope should be explicit that it covers both activeand passive bribery. Desktop research Desktop research is an effective starting point for gathering information. It can provide a range of information and also help guide the process of obtaining original information through interviews and surveys. External and internal resources can be used including:
Get different perspectives A comprehensive bribery risk assessment needs to look at the business and activities of the organisation in the round and draw upon multiple perspectives, from leadership to those working on the front line. Those conducting the risk assessment must ask themselves where they will obtain the necessary information and insight to identify all relevant risks. A combination of approaches for gathering information can be used and in smaller companies one or more meetings might suffice. Sources of additional information on bribery risks include:
Assess the quality of the information The value of the information obtained will depend on the degree to which the informant buys in to and understands the purpose of the exercise and the nature of bribery risk itself. Those gathering the information should consider whether it is both complete and reasonable based on their own understanding of the business. Those responsible for the conduct of the risk assessment process should use their expectations scoped in the planning stage about likely areas of risk to evaluate and challenge the input they are receiving. Address threats to the information gathering process While the company may approach the risk assessment process with commitment and thoroughness, the following threats could affect the review and should considered when planning the information gathering:
4.2.4 Stage 4: Identify the Bribery RisksAim: Create a comprehensive risk register of inherent bribery risks, risk factors and bribery schemes to provide the basis for evaluation of risks in stage 5. Designing the registerCataloguing risks requires identifying activities subject to bribery risks and the related risk factors. For instance, bidding for public contracts is an activity likely to be vulnerable to bribery and the risk is heightened if it takes place in a country known to have high levels of corruption. This could be exacerbated if it is in a sector known to be vulnerable to bribery. Thus the company needs to identify, based on information gathered in the previous stages, which of its activities could be subject to bribery risks and what are the risk factors that could make bribery more likely. The sections below look at the three aspects: activity, risk factors and channels for bribery. In this stage the company designs and populates a comprehensive risk register which captures and organises the information gathered in the previous stage 3. The register will provide the basis for the next stage of assessing and prioritising the identified risks. The aim here is to record the main forms of bribery risk that the company could be exposed to as broad evaluations and not related to particular contracts or third party relationships.
Vulnerable activitiesThe register should record the activities identified as vulnerable to bribery. A list of activities where bribery commonly can take place, with examples, is given below.
Risk factorsRisk factors are broad contextual factors which make bribery more likely to occur, such as country of operation. Once the company understands its risk factors, it can then assess how these affect risk relating to specific activities, such as procurement. Commonly identified risk factors are described below: Country riskThe starting point for many in considering country risk are Transparency International’s Corruption Perceptions Index (CPI) and the World Bank Governance Indicators. The CPI measures perceptions of corruption of public officials. It does not measure country corruption nor corruption of the private sector. The risk score from the CPI is a good example of the limitation of a risk factor – it tells you something about the level of perception of risk, but nothing about the nature of the risk. Clearly, a proper consideration of country risk needs to go further. There may be a broad sense of the level of risk, but the risk score on its own does not explain why a particular country carries a higher risk, let alone how the risk might manifest itself or even whether the country score is relevant to the company’s particular activities. Another factor to consider is that corruption happens in all countries, and so even a country that scores well on the CPI may present risks. A 2014 OECD Foreign Bribery Report analysed enforcement actions in 427 bribery cases and found that almost half involved bribery of public officials from countries with high (22%) to very high (21%) levels of development.[1] Some of the largest bribery cases have involved bribery taking place in developed countries with low perceptions of corruption. The CPI should be only one guide and as the company as it progresses in experience of risk assessments it may develop its own country ratings. Sector riskCertain business sectors typically have been associated with higher levels of bribery risk than others. The OECD Foreign Bribery Report found that two-thirds of the foreign bribery cases occurred in four sectors: extractive (19%); construction (15%); transportation and storage (15%); and information and communication (10%).[2] As with country risk, sector risk is an approximation of risk as a company in a high risk sector may well face low risk because of the particular circumstances of its business. Conversely, a company in a low risk sector should not be lulled into thinking of itself as low risk without proper analysis that this is really true. IncentiveActivities with high value or critical significance such as award of a major infrastructure project, telecommunications licence, mining concession, regulatory or planning approval can create incentive for bribery. ComplexityComplexity will often go hand in hand with higher transaction value. Complexity may arise because of the number of parties involved in a project, including consortium partners, sub-contractors, intermediaries or similar. The more third parties involved, the higher the risk that one or more of them could act in a manner which creates legal – or at least reputational – exposure for the company. Alternatively, complexity may relate more to the duration and/or number of phases of the project in question. The more complex the project itself in terms of inputs, interactions, phases and/or outputs, the greater the potential for breakdowns in accountability and control over expenditures at some point.
Legal risksThe legal and regulatory framework for jurisdictions in which the company operates can be seen as a risk factor to be accounted for. Broadly, anti-bribery approaches are quite similar across jurisdictions but there can be significant local variations which may bring risks and will require tailoring of policies and procedures. A notable example is China where the boundaries for laws can be hard to determine and also, the interpretation of laws by the authorities may be hard to predict. Third partiesMany of the major bribery scandals have involved the use of third parties, especially sales agents and consultants and many companies decide to no longer use sales agents because of their attached risks. As such, use of high risk forms of third parties should be included in the list of risk factors. Interaction with public officialsIn many countries, any dealing with government officials is likely to carry a higher level of risk. Laws that comply with the OECD Anti Bribery Convention, such as the UK Bribery Act and the FCPA, have explicit prohibitions on the bribery of foreign public officials. One of the challenges – which must be addressed as part of the risk assessment exercise – is to identify who is a government official. This may not be absolutely clear-cut in some countries where there is a degree of uncertainty about whether particular organisations belong in the public or private sectors. The risk assessment should identify the extent of government business or other interactions with the government such as licence or regulatory applications and where this is located to help determine the significance of the risk factor. Bribery schemesThis section identifies some of the ways in which bribery is given or received. When making its risk assessment the company should identify the vulnerable processes and address the prioritised processes with anti-bribery controls. The company should use an open minded approach and ask probing questions. A key question to ask at this stage is how could someone fraudulently get something of value, in order to pay a bribe, whether active or passive? For instance, an employee might agree an inflated fee for a sales agent to create room for bribery payments. Or a buyer might be complicit in approving rush orders to generate funds for kickbacks to be given for awarding the contract. Blindness to new forms of bribery is another risk. Sometimes, employees may initiate activities that they do not realise is bribery. An example is where banks provided internships for employees of senior Chinese officials. There are some activities which are particularly vulnerable to bribery schemes and these are listed below. Click on the activity to go to the section of the portal describing the activity risk and the anti-bribery controls.
4.2.5 Stage 5: Evaluate and Prioritise the RisksAim: Produce a prioritised list of bribery risks to be mitigated The risk evaluation stage assesses and prioritises the bribery risks identified in the risk register prepared in stage 4. Common practice is to apply two variables to prioritise risks: likelihood of occurrence and the potential adverse impact. Depending on the nature of the risk in question, these variables may be expressed in either quantitative or qualitative terms, or a combination of both. A qualitative approach is generally more appropriate as bribery risks are difficult to quantify and it can be impractical to stratify them into more than a limited number of categories or levels. Also, using quantitative methods may give generate unwarranted confidence in the results. A qualitative method using say a three level system of high, medium or low to indicate the likelihood will keep the expectations of those using the assessments within bounds. Likelihood of bribery is essentially driven by the presence of risk factors. The likelihood rises depending on the significance and number of risk factors associated with a particular activity where bribery might occur. Some risk factors may apply to more than one - and possibly all - areas of risk. For example, a general culture of corruption in a particular location is likely to increase the bribery risk associated with many, if not all, business activities carried out in that location. There is no right answer as to how to measure the accumulation of risk factors. Depending on the circumstances of each company and their existing approaches, possibilities might include:
See TI-UK’s Diagnosing Bribery Risk guidance for an illustrative risk assessment template in Annex 2. The other dimension of risk assessment is adverse impact which is a measure of the potential adverse effect of the bribery event on the achievement of objectives. The company can factor in aspects such as the varying impact of active compared to passive bribery risk, the financial value or opportunity loss of transactions, the financial value of sanctions including fines and debarment risk or issues with other contracts if bribery is discovered. The range of fallouts from a bribery incident can be difficult to predict as it will likely have implications across a wide front, touching on financial, legal, regulatory, commercial and reputational aspects. As such the company may choose to grade impacts by a small number of levels such as low, moderate and severe.
The output of the risk evaluation stage should be a comprehensive and up-to-date map of prioritised bribery risks across the company’s activities. A matrix can be produced which covers the following:
4.2.6 Stage 6: Use the Output of Risk Assesment
Aim: Design anti-bribery controls to mitigate the priority risks and then address any residual risks. The results of risk assessments are now applied to a review of the anti-bribery programme and the extent to which existing controls need modification or additions. The design of controls will need to be balanced from a resource perspective. All companies face a range of significant risks across many issue areas and bribery risk mitigation must be balanced against the need to address key risks other than bribery. This means targeting bribery risk management efforts at those particular risks which are most likely to have a significant adverse impact on the achievement of business objectives. Steps at this stage:
CONTINUE READINGWhat are some factors that influence ethical behavior for the salesperson?Individual Factors:
Gender: Reports or studies shows women are more ethical in them in their selling behaviour compared to men. Personal Values: Personal Values of a person largely affects ethics in salespersons behaviour. Many a time, salespersons learned values since childhood determines his behaviors on the field.
What issues challenge the ethical decision making of salespeople?Salespeople are especially vulnerable to unethical decision making, because they are subject to many temptations. These temptations are often motivated by offers from clients, competitors, company personnel, and suppliers, and may involve personal gain on the part of the salesperson.
Why do the employers of salespeople trust them to act in the firms best interests?Because salespeople's activities in the field cannot be closely monitored, their employers trust them to act in the company's best interests. When spending from their company's expense accounts, salespeople should act as though they are spending their own money.
Which of the following are considered unethical behaviors?Someone lies to their spouse about how much money they spent. A teenager lies to their parents about where they were for the evening. An employee steals money from the petty cash drawer at work. You lie on your resume in order to get a job.
|