The Necessary Steps Companies Need To Take In Conducting Anti-Corruption Risk Assessments
By Mohammed Ahmed and Robert Biskup
Introduction
A Resource Guide to the U.S. Foreign Corrupt Practices Act (“Guide”) was released on November 14, 2012 by the Criminal Division of the U.S. Department of Justice (“DOJ”) and the Enforcement Division of the U.S. Securities and Exchange Commission (“SEC”). The Guide, coupled with very large fines and penalties on some companies recently, is leading many organizations to revisit their existing anti-corruption compliance program and consider whether the program is effective and sufficient given today’s risks. A common area for strengthening is the anti-corruption risk assessment upon which the compliance program is desirably based. We set out below a practical, step by step process that we often recommend, and we describe how this process may be tailored to fit the organization’s structure and risk profile, incorporating the principles set out in the Guide.
One of the areas of emphasis in the Guide is for companies to maintain a compliance program that is tailored and risk-based. The Guide states that the amount of resources dedicated to an FCPA compliance program will depend on size, the specific business operations, the specific geography, and the specific areas of corruption risk. The Guide notes that risk assessments are a fundamental part of the process of tailoring an effective compliance program and that the SEC and DOJ will evaluate an organization’s risk assessment methodology when assessing an organization’s compliance program and determining the fines, penalties, or other consequences of FCPA violations. The Guide suggests that the level of effort involved in an anti-corruption risk assessment should be proportionate to an organization’s risk profile and that ranking corruption risks by some objective criteria (for example classifying the risks as either high, medium or low) is important to determining how much resources to allocate to different anti-corruption compliance program elements.The Guide also suggests that factors to consider when assessing corruption risk include industry, country, size, nature of transactions and amount of third party compensation.
Assigning Roles and Responsibilities
Before embarking on an anti-corruption risk assessment, it is important to determine what functional areas of the business will be involved in the risk assessment, and what their roles will be. A well-planned anti-corruption risk assessment will have clearly delineated roles and responsibilities that are well communicated and understood.
A critical feature to the effectiveness of an anti-corruption risk assessment is usually the visible support of senior executives and others charged with governance and program oversight, such as the board of directors, regarding the roles and responsibilities of the different stakeholders in the process. In general, this approach would be consistent with DOJ’s and SEC’s expectation of senior executive and board involvement in compliance programs.
The overall responsibility for the high-level oversight of the content and operation of an anti-corruption compliance program and risk assessment process should generally be that of those charged with governance at an organization; for example, a board committee designated with this role such as an audit committee, governance committee, or risk management committee.
Management then should generally be responsible for performing the risk assessment, reporting periodically to those charged with governance on the status and results of the anti-corruption risk assessment and on the implementation of any resulting risk mitigation action plans. Functions that might appropriately have responsibility for leading the anti-corruption risk assessment include compliance, legal, ethics, or risk management. Another effective strategy might be to have a committee of functions/individuals share leadership responsibilities, under the oversight of a board committee. Such a committee could consist of individual(s) from the senior management team such as those responsible for compliance, ethics, risk management, information technology, human resources or legal. It may be considered preferable for the internal audit function not to have responsibility for this process so as to preserve their independence and objectivity to test and audit the process.
Input from and participation by those employed in the business operations also plays a key role. For organizations having multiple operating units or facilities dispersed across geographic regions it is desirable to have local management take ownership of identifying and assessing corruption risks for their unit, working under the direction of leadership at corporate headquarters. This allows for individuals with specific local, business and industry knowledge compiling the risk assessment for each relevant segment based on parameter and guidelines provided by a centralized owner (typically from headquarters). The key is for the leading function to be highly vested and have appropriate influence across the organization.
The designated anti-corruption risk assessment owner(s) will typically engage with a wide range of stakeholders within the business operations. An effective anti-corruption risk assessment would likely include participation and input from personnel with knowledge of the organization’s operations that have exposure to corruption risks. In addition to members of senior management, these might include personnel in functions such as compliance, ethics, legal, internal audit, risk management, sales & marketing, procurement, shipping, accounting & finance, and human resources. It can be valuable to involve individuals at different levels within the organization, such as senior management, line management, and junior staff. Senior personnel often know how functions are supposed to operate while line management and more junior personnel may know how they differ in practice. It is also recommended to involve individuals from different locations and operating units if applicable.
The following is a model 5-step process for conducting an anti-corruption risk assessment.
Step 1: Identifying Corruption Risks and Schemes
In this step, the organization analyzes where its exposure to corruptions risks may be and might ask questions such as:
- where in our business processes is there exposure to corruption risks?
- what type of transactions and arrangements with government employees and third parties could result in creating a risk of FCPA violations?
- what locations where we do business are a greater corruption risk than others?
To avoid the “one-size-fits-all” approach that the Guide warns against[1], a company could collect relevant data and information on why and how corruption risks may occur at its organization. There are many different ways to do so. Desktop research offers a valuable starting point. Reports from the internal audit function on compliance risks, past incidents of noncompliance, and common corruption risks can be used for this purpose. Another source is analyzing a log of past corruption cases and the allegations from the organization’s whistleblower system, which could identify types of risks. External sources such as research on corruption cases or allegations in the industry and country profiles on are worth considering as well. In addition to readily available reports, an organization may be able to identify some potential risk hot spots by generating financial analyses such as the spending on entertainment, gifts, and hospitality by country or operating unit.
But ultimately, interviewing key stakeholders, and understanding the specific areas of potential direct and indirect interaction with government employees is generally the most effective method to get an overview of the corruption risks at an organization. Functions like legal, risk management, ethics and compliance, internal audit and procurement may offer valuable insights at a high level. In addition, leaders of business/divisions at the country, regional, or local level who are running the operations on a day to day basis can provide some of the most valuable insights arising from geographic and operational experience.
Surveys, including self-assessments, also can provide efficient methods to collect views on organization corruption risks. A survey can be an efficient tool to collect views on corruption risks from both employees and external parties, particularly if logistics allow it to be conducted online. Surveys are a valuable tool when collecting views from managers and employees in different countries and functions. A self-assessment survey requires that risks be identified and compiled by relevant individuals within the organizations. One of the many benefits of this tool is that it provides a customized set of corruption risks driven largely by knowledge, attitude, and processes of the local business’ operating environment, which is one of the principles highlighted in the Guide.
Using workshops or brainstorming sessions to explore corruption risks can be effective and efficient for collecting views from different stakeholders. The sessions can be designed to explore an organization’s corruption risk exposure at the level of an individual process by first mapping the process (e.g., procurement or sales) in detail, then walking through it with a team of specialists and looking for opportunities to breach the process, or obscure the nature of certain payables and expenses. In doing so, participants may identify red flags, potential corruption risks or schemes.
At the end of this step, the organization should generally have an inventory of potential corruption risks and schemes that are relevant to its business and operations, consistent with the Guide’s emphasis on considering risks that are tailored and specific to an organization’s business. Examples of specific corruption risk areas to consider in this step include bribes and kickbacks, bid-rigging and price-fixing, lavish gifts and entertainment, payments for customs clearance or transporting goods , obtaining permits, contributions to charities and sponsorship of events.
Step 2: Rating the Likelihood and Potential Impact (Inherent Risk)
The Guide highlights the importance of compliance programs being focused on areas of significant risk as opposed to too much focus on low risk areas.[3] One way to understand which corruption risks are higher than others at an organization is to determine the inherent risk levels. In order to allocate risk mitigation resources efficiently and effectively to an organization’s identified corruption risks, one good practice is to rate both the likelihood that each risk might occur and the corresponding potential impact of that occurrence. The aim is to prioritize the responses to these corruption risks in a logical format based on a combination of their likelihood of occurrence and their potential impact should they occur. There is some subjectivity in this assessment and the ratings will be influenced by the experience and backgrounds of the risk assessment team.
The likely occurrence of each identified risk should generally be assessed without the risk mitigation or controls currently in place at the organization. A question to ask here would be that, how likely is it that the corruption risk may occur without considering the control environment? For organizations with multiple locations and operating units, the probability of a given corruption risk or scheme may vary among different locations and operating units. For example, bribery of a government official for customs clearance may be more likely in certain countries and less likely in others.
The process of assessing the potential impact of a corruption scheme can be carried out in a similar manner. The risk assessment team should consider evaluating the magnitude of the potential impact for each particular corruption scheme. Typically, this consideration of impact covers a wide range of possible impacts including financial, legal, regulatory, operational, and reputational. For organizations with multiple locations or operating units, the potential impact of a given risk or scheme may vary among different locations and business units. For example, some operating units at a commercial organization may sell small value goods to individual consumers that are bought from retail stores, while another business unit may sell mostly or entirely large value goods to institutions, including governments.
There are many different ways to rate and communicate the likelihood or potential impact of each corruption risk or scheme. A simple qualitative scale can be used to judiciously classify each risk/scheme’s probability or potential impact as either high, medium, or low or quantitative scales (eg 1 to 5) may also be used. For either option, this is a process that requires judgment and hence should likely factor input from those closest to the relevant process. Factors to consider when assessing the ratings of each risk and scheme include number of incidents of the corruption scheme occurring in the past either at the company or in its industry, regional culture and business environment, nature and number of transactions, number of potential perpetrators, potential fines and penalties, reputational harm, potential financial impact, impact on operations and impact on potential customers and future revenues.
Combining the likelihood and potential impact assessments for each corruption scheme will result in an assessment of the inherent corruption risk (for example, a scheme for which the likelihood is deemed ‘high’ and the impact is deemed ‘low’ typically results in an overall inherent risk of ‘medium’). The inherent risk represents the overall risk level of each scheme without consideration to existing controls. The assessment of inherent risk allows an organization to identify areas where mitigating controls will likely be most important in mitigating corruption risks and schemes. At the end of this step, the organization would generally have assessed the inherent risk for each corruption risk and scheme identified in step 1.
Step 3: Identifying Mitigating Controls and Processes
Once the corruption risks and schemes have been identified, the risk assessment team should consider undertaking the process of mapping existing controls to each risk and scheme. While some controls operate organization-wide as part of the overall control environment, many others are embedded in business processes owned by individual functions, including sales, procurement, and logistics, or by the management of operating units associated with a particular geographic area or business segment. Therefore identifying the mitigating anti-corruption controls may involve a number of individuals within an organization.
Information about relevant controls can be obtained through a variety of means. While the review of control and process documentation is typically a key step, this can be supplemented by interviews and targeted surveys with those stakeholders who can help identify the appropriate controls. In addition, during this step, the team or individual leading the anti-corruption risk assessment effort could also assess with the business process owners whether the mitigating controls and programs identified are indeed functioning as per the policy and process. It is common for several controls to be selected as mitigation for each risk and scheme as often times no one control can specifically mitigate the risk on its own.
At the end of this step, the organization would likely have identified relevant mitigating controls, if any, for each of the risks and schemes identified in step 1. Examples of mitigating controls and processes, including those highlighted in the Guide[4], include anti-corruption policy, anti-corruption trainings, whistleblower hotlines, third-party and pre-acquisition due diligence practices, monitoring of gifts and entertainment expenses, as well as specific policies and procedures governing interactions with government employees in all relevant areas.
Step 4: Assessing Residual Risk
Residual risk is the extent of risk remaining after considering the risk reduction impact of mitigating controls. In spite of anti-corruption programs and their internal controls for mitigating the risk of corruption schemes occurring, it is usually still possible for such schemes to occur. As a result, there will normally be some level of residual risk for each corruption scheme. The Guide highlights the fact that a compliance program that focuses disproportionate amount of time monitoring and controlling lower risk areas instead of those of higher risk may be ineffective. An assessment of residual risk is accordingly an important consideration as it can be used to assess whether existing controls are effective and proportionate to the level of inherent risk. As with inherent risk, there is an element of judgment involved in assessing the residual risk of each corruption risk/scheme.
To assess residual risk, an organization should analyze not just whether a mitigating control exists for a particular risk or scheme, but also, more importantly, the extent to which the control actually mitigates the risk or scheme. For example, for a corruption risk relevant to a particular country, a code of conduct and anti-corruption policy that is tailored to the culture and laws of the country and translated to the language of that particular country may be a more effective control than a generic global anti-corruption policy. Another example is the risk of bribery to customs officials: if one of the mitigating controls for this risk is anti-corruption awareness training, the effectiveness of this training in mitigating this risk would generally depend on the nature and content of the training including factors such as whether the training is generic anti-corruption material or whether there is content in the training that specifically addresses bribery to customs officials.
The approach selected to determine the residual risk of each corruption scheme would generally depend on the approach used to determine inherent risk and the controls ratings. If a qualitative scale, such as ‘high/medium/low,’ was used for the inherent risk, then a similar scale can readily be used for rating residual risk. For example, if a risk/scheme is rated as having a high inherent risk in step 2 and in step 3 no effective controls were identified to mitigate the risk arising from the scheme, then the residual risk likely would remain ‘high’. On the other hand, in step 3 should strong controls be identified to mitigate a risk or scheme that was in step 2 designated as ‘high’ inherent risk, the residual risk would likely then be determined to be ‘low’.
Step 5: Corruption Response Plan
The residual risk of each corruption scheme can then be evaluated by an organization to determine whether a corruption risk response is needed and, if so, the desired elements of that plan. As the Guide says, the goal does not have to be for a company to prevent every single violation but instead it may focus on areas of higher inherent risk.The response plan can help an organization determine whether updates need to be made to the ‘risk-based’ approach to the compliance program that the Guide recommends, with particular attention to whether additional resources need to be allocated to higher risk areas. A key determinant of the response plan is the organization’s level of risk tolerance or risk appetite, which will vary from organization to organization.
For corruption schemes that have a residual risk within the risk tolerance set by management and approved by those charged with governance, no further risk mitigation is normally required.
For corruption schemes that have a residual risk greater than the risk tolerance set by management and approved by those charged with governance, action is required to reduce the risk until it is within the risk tolerance threshold. For these items, a corruption risk response plan is needed.
Historically, a common response to residual corruption risks that exceed the risk tolerance level was to implement enhancements to internal controls, to increase corruption risk mitigation. Leading organizations consider a broader range of potential actions to address residual corruption risk, including:
- Changing the scope of the organization’s business, potentially including withdrawing from or avoiding expansion into certain geographic areas or lines of business
- Changing business processes or methods so as to reduce or help eliminate the area of risk, such as establishing a company-owned sales function for certain markets instead of relying on third party agents
- Transferring risks to a third party through contract terms, such as changing shipping terms from cif (carriage, insurance and freight to the customer’s location) to fob (free on board a ship at the seller’s location) such that the customer is responsible for customs clearance upon importation
- Proposing to those charged with governance an increase in the organization’s risk tolerance, based upon updated information
- Enhancing anti-corruption controls
Not all organizations will have the same resources and funds at their disposal to invest at an equal level in the anti-corruption compliance program. Some organizations may only want to address programs and controls for what they deem to be significant exposure areas, while others may want to address additional areas in the interest of maintaining a ‘best in class’ or more dynamic anti-corruption compliance program. The need for a response should generally be evaluated based on the organization’s risk tolerance and resource constraints.
The corruption risk response plan is an important tool to determine whether any investment of resources is needed to mitigate corruption risks and, if so, then to which areas to allocate resources. Organizations can use this response plan to help determine which of the various anti-corruption program elements (such as dedicated policies, training or monitoring) they may need to implement or enhance based on where their risks are. Many organizations may not have enough of a risk exposure to require extensive policies and controls in each anti-corruption program element; the results of the anti-corruption risk assessment can be a valuable tool to help organizations determine which, if any, of these elements they want to implement or enhance.
Using Heat Maps
Anti-corruption risk assessments are often documented using detailed spreadsheets or databases, sometimes called a risk register. These are convenient for recording information relating to many risks, but their output may be voluminous, very detailed, and in small print—factors that may make such reports ineffective for communicating summary results to management and those charged with governance.
Heat maps can be an effective tool to summarize and present the results of the anti-corruption risk assessment in an impactful manner to management and those charged with governance. A corruption risk heat map shows corruption risks identified by the organization, placed according to their likelihood and potential impact, on a background of multiple colors with each color representing a different overall level of risk. Simple heat maps typically have sections that are red, yellow, or green, denoting high-risk, medium-risk, and low-risk, respectively. Heat maps can be used both to illustrate a consolidated organization-wide view and also to illustrate views by location, business unit, or function. Some heat maps may offer more levels of risk and use more colors, but the additional complexity may reduce their effectiveness as a communication tool.
One note of caution: the segment in the top-left corner of this heat map represents risks with low likelihood of occurring but high potential impact. This is where “black swan” events with severe or potentially catastrophic impact would typically be placed on the map if they could be identified Some risk specialists believe that this top-left corner therefore deserves to be colored red and that risks in this segment merit additional risk mitigation or risk monitoring actions to help protect the organization. This is an evolving area of thinking so it may be premature to conclude on this point. However, such an approach may be beneficial, especially in organizations that face greater potential financial, reputational and regulatory consequences of FCPA violations.
Conclusion
As stated in the Guide, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” To help identify areas of risk, and avoid the one-size-fits-all approach that the Guide warns against, the risk assessment process should desirably get into the details on the nature of the business and possible governmental interactions on a business-unit-by-unit basis in each geography, and those details should generally include even seemingly routine and administrative interactions with government officials – areas that can easily fall off the compliance radar screen if not carefully understood. The risk assessment should generally have a methodology to rank and assess both inherent and residual risk, with and without consideration of the internal control environment. The process should generate clear outputs, program enhancement measures and monitoring initiatives that are tracked, analyzed and tested. And finally, the risk assessment process should generally be sustainable, in the sense that corruption, like other areas of risk, is never static and changes over time. The process should likely therefore be refreshed at regular intervals to help the compliance program keep pace with changes in the corruption risks of the company. By taking into account these factors, compliance and ethics officers can be more confident that the company’s anti-corruption compliance program is built on a strong foundation, in accordance with principles recommended in the Guide.
Author Information
Mohammed Ahmed is a senior manager at Deloitte Financial Advisory Services LLP. He may be reached at [email protected].
Robert Biskup is a director at Deloitte Financial Advisory Services LLP. He may be reached at [email protected].
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/ about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2013 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited