Introduction – Current State
Across industries, compliance risk assessments continue to
trend up in priority, frequency, scope and sophistication.
Companies are as likely to conduct the work internally as to
outsource it, depending on mandates and staffing.
Bribery and corruption are often, and can be, more
manageable when covered as a stand-alone risk, then blended into
other risk projects, assessments and tools later.
In prior years, global E&C or legal departments may have felt a
distinct anti-corruption risk assessment wasn’t needed:
• existence of the risk was known
• understanding of the risk could be had by staying aware of
investigations and cases
Corruption and Bribery Risk
Recent standards of practice and guidelines increasingly
reference the importance of conducting periodic risk
assessment as foundational to designing ethics and
compliance program controls.
Participating in or conducting risk assessment allows for the
business units and the service units to make a greater
The execution of the process reinforces understanding of how
business decisions impact the risk profile and how the compliance
program can mitigate business risk.
Risk assessment is a precursor to integrating compliance
Compliance Risk Cycle
Compliance Audit, Risk Assessment,
Do they overlap, how? What about frequency of each?
Compliance audit – review of data to test compliance with
approvals, limits, more transactional in nature. Frequency
is ongoing with certain annual priorities.
Compliance Risk Assessment – process of reviewing
specific conditions and events that may impact the ability to
meet compliance obligations.
Program Assessment – review of E&C program components
for completeness, best practices, implementation and
Set frequency of the above together and leverage the work
Risk Assessment Approach
Not every assessment process will look the same;
no culture, business or historical context is the same.
Focus on effectiveness, review / interview:
audit reports, hotline calls, investigations
Multiple employees per business and service unit.
Design and pilot a repeatable process that works.
Memorialize the final process and create templates for
Assess program effectiveness / relevant controls
simultaneously – for efficiency and completeness.
Don’t go back twice.
Risk Assessment Approach Continued
Cover risk and controls with each subject. Separate in
Key assessment component: Interviews – roll by
business organizational structure, region, product line
Talk with - Compliance, Legal, HR, Audit, IT, Risk,
Finance, Procurement, Sales, Marketing, Sr.
Leadership? Then business leaders for each unit.
Anticorruption Risk Assessment
High level goal is to discover:
What businesses, locations, employees, decisions, transactions…
offer the greatest risk for violations of anti-corruption and
anti-bribery laws and other requirements.
Not necessarily always ranking this risk against other risks, but
ranking the risk in a way that allows you to apply controls in a
What steps should the company take to prevent employees or
third parties from directly or indirectly, offering, promising,
giving or demanding to obtain or retain business or other
Whether culture, policies, controls and actions make it clear that
corruption and bribery will not be tolerated and are effectively
designed and implemented.
Organize the approach so the results can be
interpreted to focus on risk related to discrete products,
businesses, regions and job functions.
Maintain inquiry / assessment results sorted by the
above and output in the same fashion.
Consider external pressures per region and industry in
addition to information gained internally
Document Review and Interview Prep
Before rolling on to interviews where you will conduct most
of your inquiry, review as needed: company public filings
(yes, even on your own company), press releases, policies,
recent audits, relevant investigation reports, recent
enforcement actions in the risk area, particularly if in your
industry, laws and proposed changes in law.
Customize interviews (as you go) for position level and for
business versus service units. Follow leads and items of
interest that develop in the interview. Always come back
and make sure your planned interview items have been
Schedule a follow-up interview if more time is needed. Take
detailed notes or, better yet, bring a note taker or second
interviewer if at all possible.
Summarize your notes immediately after taking them to
ensure you captured the essential points. Clarify as
needed with the interviewee via follow-up.
Be prepared if you receive information that could
amount to an allegation that should be referred for
Make and verify initial findings as you go along. Build
your report incrementally. Fact check.
Inquire not only about (perceived) gaps but ideas on
how to better close them.
Gifts and Entertainment
Does your division entertain clients, regulators or other business partners?
Describe a few situations where your division provided gifts and entertainment.
Any interaction with sponsorships and charitable gifts?
Is event funding 100% internal? What budget does it come from? How are
funds paid or reimbursed? Who has approval authority? Are you aware if these
areas have been audited?
In your area of operations are there cultural considerations that impact
entertainment and gifts? Describe them. What are a couple of examples?
What is the purpose of gifts and entertaining in a business context?
Do you ask about the recipient’s gift restrictions if any?
Do you have a gifts and entertainment policy? What does it cover? Does the
code of conduct also address gifts and entertainment?
Are the rules the same for making gifts to or entertaining government officials?
Have you received training on the policy - what kind and when?
How would you know if someone was a government official?
Is third party travel for business and educational purposes addressed in these
policies? Who is responsible for compliance with these policies?
Is approval required for any gifts or entertainment, how do you obtain any
How do you control the use of:
subcontracts, purchase orders, cash payments, marketing funds,
multiple or offshore entities and consulting agreements
as a potential means of channeling payments to public officials,
to employees of business partners or to their relatives or business
How do you ensure that the payment amount is appropriate for the value
of services rendered?
Do you review the background of your intermediaries?
Are you able to determine if an intermediary is a government
At what point in the relationship and at what frequency do you
review third parties?
Which third parties do you review and what do you look at / for?
Internal Employee Compliance
How many third parties have paid bribes completely without the
knowledge, intentional ignorance or funds of the company that they
Never forget the first line of defense is the strength of your program
and culture within your own employee base.
Ask: what are the background and qualifications of key roles in high-risk
businesses or regions? Review compliance performance and commitment
at appointment and at annual performance review time, and consider this
information during risk assessment. If controls are in place regarding
high-risk appointments, be sure to note their existence.
Controls should address tenure with the company, reputation,
training, leadership qualities and legal and compliance support.
Can the key roles perform as needed in the environment assigned? Have
you addressed the specific challenges that corruption will present in their
role and given them tools to manage? Will the Sr. team walk away from a
deal if it cannot be done properly?
Other key areas of inquiry you are checking?
Mitigating Corruption and Bribery Risk
• Risk awareness throughout the business leadership and those
interacting with the risk on the job
• Clear anti-corruption position and policies, supported by targeted,
relevant live and online training and supporting communication
• Business purpose required for engagement of third parties with
due diligence of third parties, periodically refreshed
• Sound contracting and enforcement of contractual legal and
• Audit and oversight, communication and monitoring
• Setting expectations, walking the talk, qualified staff in high risk
• Understanding the risks, local support and ownership of the risk
and mitigation through joint risk assessment and mitigation
planning and tracking