A Guide for

Anti-Corruption
Risk Assessment

About the United Nations Global Compact

The United Nations Global Compact is a call to companies everywhere to voluntarily align their operations
and strategies with ten universally accepted principles in the areas of human rights, labour, environment and
anti-corruption, and to take action in support of UN goals and issues. The UN Global Compact is a leadership
platform for the development, implementation and disclosure of responsible corporate policies and practices. Launched in 2000, it is largest corporate sustainability initiative in the world, with over 12,000 signatories based in 145 countries.
Acknowledgements
The Global Compact Working Group on the 10th Principle appointed a Task Force on Anti-Corruption Risk
Assessment to create a guidance document for small, medium and large companies on how to understand
and conduct anti-corruption risk assessments as a key element of their compliance programmes.
This guide was created by the Anti-Corruption Risk Assessment Taskforce, which included anti-corruption
experts, non-governmental organizations and business practitioners:
Members of the Task Force (in alphabetical order):
4n6-factory: Peter Jonker
NYSE Governance Services, Corpedia: Erica Salmon Byrne,
Deloitte Touche Tohmatsu Limited: James H. Cottrell (Co-Chair), Mohammed Ahmed (Co-Chair)
Laureate Education Inc.: Mark Snyderman
Nexen Energy ULC (a subsidiary of CNOOC Limited): Karen Schonfelder (Co-Chair)
Peter Wilkinson Associates: Peter Wilkinson
The Red Flag Group: Robert Leffel
Transparency International: Susan Cote-Freeman
UN Global Compact: Olajobi Makinwa, Donna Chung, Moramay Navarro-Perez
Extensive consultation was conducted to ensure the usefulness and content of the Risk Assessment Guide.
We would like to specially thank the following:
Hong Kong Institute of Certified Public Accountants
Organization for Economic Co-operation and Development (OECD), Anti-Corruption Division
Petroleo Brasileiro SA Petrobras
Rabobank Group
Spain Global Compact Local Network
UN Office on Drugs and Crime (UNODC)
World Economic Forum - Partnering Against Corruption Initiative (WEF PACI)
The UN Global Compact Office would like to thank Deloitte Touche Tohmatsu for their leading effort in
coordinating the development of this guide
Disclaimer
This publication is intended strictly for learning purposes. The inclusion of company names and/or examples
does not constitute an endorsement of the individual companies by the United Nations Global Compact Office.
The material in this publication may be quoted and used provided there is proper attribution.
Copyright 2013
United Nations Global Compact Office
Two United Nations Plaza, New York, NY 10017, USA
Email: [email protected]

Table of Contents
A. About This Anti-Corruption Risk Assessment Guidance
B. Introduction and Background
B.1 Anti-Corruption Risk Assessment
B.2 Forms of Corruption
B.3 Influence on the Overall Anti-Corruption Compliance Programme
B.4 Personnel Typically Involved
B.5 Overall Responsibility and Leadership
B.6 Participants

C. Establish the Process

C.1 Introduction
C.2 Understanding the Issue
C.3 Planning

D Identifying Risk Factors, Risks, and Schemes

D.1 Data Collection
D.2 Identify the Risks
D.3 Corruption Risks in Specific Processes
D.3a Procurement
D.3b Sales
D.3c Import and export of goods
D.3d Government interaction
D.3e Political support
D.3f Security protocols
D.3g Social programs
D.3h Charitable contributions and sponsorships
D.4 Corruption Risks in Specific Countries
D.5 Industry Risks
D.6 Items to Include in a Risk Register

E. Rating the Probability and Potential Impact of Each

Corruption Scheme

8
10
10
12
13
15
15
15

18
18
19

22
22
24
24
24
25
25
26
26
26
26
26
26
27
28

30

E.1 Rating Probability of Occurrence

E.2 Rating Potential Impact of Occurrence
E.3 Rating Methods
E.4 Calculation of Inherent Risk
E.5 Who Should Be Involved in Inherent Risk Calculations?
E.6 When and How to Perform Inherent Risk Calculations
E.7 Including Inherent Risk Ratings in the Risk Register

30
31
31
31
32
32
32

F. Identifying Mitigating Actions, Controls, and Processes

34

F.1 Entity-Level vs. Scheme-Specific Controls

F.2 Preventative vs. Detective Controls
F.3 Anti-Corruption Control Mapping Frameworks
F.4 Including Mitigating Controls in the Risk Register

35
35
36
37

G. Rating Mitigating Controls and Processes

G.1 Internal Document Review and Evaluation
G.2 Live Interviews
G.3 Compliance and Control Environment Surveys
G.4 Focus Groups and Workshops
G.5 Who Should Be Involved in Control Risk Rating Calculations?
G.6 Inclusion of Control Risk Rating in Risk Register

H. Calculating Residual Risk

H.1 Including Residual Risk in the Risk Register

I. Corruption Risk Response Plans

I.1
I.2
I.3
I.4
I.5

Comparison of Residual Risk to Risk Tolerance

Potential Responses to Residual Risks That Exceed Risk Tolerance
Corruption Risk Response Plan
Content of Response Plan
Leadership Buy-In

J. Summarizing and Reporting the Results of an Anti-Corruption

Risk Assessment
J.1 Heat Maps
J.2 Preparing a Summary Report

Appendices Index
Appendix 1. UK Ministry of Justice Guidance to the Bribery Act
Appendix 2. Sample Sensitive Country Analysis Tool
Appendix 3. Sample Anti-Corruption Risk Assessment Interview and

Survey Topics
Appendix 4. Corruption Red Flags
Appendix 5. RESIST Methodology: Scenarios
Appendix 6. Sources for Analysing the Risk of Corruption by Country
Appendix 7. Sample Probability Scoring Matrix
Appendix 8. Sample Potential Impact Scoring Matrix
Appendix 9. Sample Multi-Factor Probability Scoring Matrix
Appendix 10. Sample Multi-Factor Potential Impact Scoring Matrix
Appendix 11. Sample Weighted Average Potential Impact and Probability

Rating Method
Appendix 12. Sample Qualitative Scale for Determining Inherent Risk
Appendix 13. Sample Quantitative Approach to Assessing Inherent Risk
Appendix 14. Examples of Anti-Corruption Controls
Appendix 15. Sample Scoring Matrix for Control Rating
Appendix 16. Sample Detailed Ratings Criteria for Control Rating
Appendix 17. Sample Qualitative Scale for Determining Residual Risk
Appendix 18. Sample Approach to Determining the Corruption Risk

Response Plan
Appendix 19. Sample Anti-Corruption Risk Assessment Summary Report

38
39
39
39
39
39
40

42
43

44
44
44
44
45
46

48
48
49

50
51
52
53
54
55
56
57
57
58
59
60
60
61
61
63
64
70
71
72

Welcome Message from Georg Kell

New and tougher anti-corruption regulations along with vigorous enforcement by

regulators continue to emerge worldwide. Yet, there is no shortage of scandals and
unethical practices resulting in the erosion of trust and confidence in business.
More than ever before, investors are acknowledging that corruption can negatively
impact value and pose financial, operational and reputational risks to their investments. It is, therefore, of critical importance for enterprises to arm themselves with
robust anti-corruption measures and practices as part of their corporate sustainability
strategy. Assessing risks is a crucial step to implement corporate sustainability successfully, decrease the exposure to various risks and avoid costly damages. It is clear that
good compliance starts with a comprehensive understanding of a companys corruption
risks.
The Global Corporate Sustainability Report 2013 shows that only 25% of UN Global
Compact business participants conduct anti-corruption risk assessments, and there are
substantial differences in implementation levels among large and small companies. A
Guide for Anti-Corruption Risk Assessment aims to help companies of all sizes. The UN
Global Compact has developed this Guide to help companies of all sizes address this
implementation gap and to provide them with the knowledge to assess their exposure
to corruption risks through a systematic, comprehensive and practical step-by-step
process.
Enterprises that are proactive, well-equipped, knowledgeable and take action on
anti-corruption can strengthen their brand while doing business with integrity.
I urge all businesses to take the necessary steps to strengthen their compliance
programmes and improve their efforts to deter corruption. A Guide for Anti-Corruption
Risk Assessment helps lead the way.

Georg Kell
Executive Director
United Nations Global Compact Office

Foreword by Barry Salzberg

Corruption impacts all aspects of society, often resulting in tremendous inefficiencies

and creating obstacles to growth. Organizations increasingly want to better understand
and manage their exposure to corruption as they work to navigate regulatory challenges and grow their operations. This how to guide highlights principles that organizations can use to identify, evaluate, and mitigate the corruption risks they face.
Anti-corruption efforts are important to the Deloitte1 global network of member
firms, and our organization continues to be committed to promoting stronger governance, compliance, and risk management globally. Im pleased to congratulate the
United Nations Global Compact on the publication of this valuable resource, and Im
proud Deloitte has been part of such an important initiative. Im confident the valuable insights in this guide will help organizations around the world continue to fight
against corruption and win.

Barry Salzberg
Global CEO
Deloitte Touche Tohmatsu Limited

1. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its
network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a
detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.
com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries

A.

About this Anti-Corruption Risk Assessment

Guidance

The promulgation of regulatory guidance on the importance of an effective anti-corruption

compliance programme has been steady and significant over the last few years, and has
garnered media attention given the size of the fines some enterprises have paid. That media
attention has, in turn, led to increased focus from management, board members and investors alike on corruption-related risks impact on stock value, company reputation, employee
morale, and the people of the impacted countries. Effective assessment and mitigation of an
enterprises corruption risk has been an element of many recent settlements with regulatory
agencies. It is highlighted in both the OECDs Good Practice Guidance on Internal Controls,
Ethics and Compliance2, and the Guidance issued to accompany the UK Bribery Act. It is also a
critical element of the UN Convention against Corruption, including the 10th Principle of the
UN Global Compact.
The need for risk assessment and the approach outlined in this document is consistent
with the assess step of the UN Global Compact Management Model framework3. This step
allows an enterprise to identify risks that can affect its performance and reputation from
nonalignment with the 10 Principles of the Global Compact.
Increasingly, companies across the world receive more lenient treatment in bribery
prosecutions as an affirmative defense for the quality of their anti-corruption programmes
in the event of employee misconduct. One key component of an effective programme is the
assessment of the anti-corruption risk facing a given enterprise. Though much of the available
regulatory guidance is instructive and highlights the importance of effective risk assessment,
it fails to provide a how-to of such an assessment.
This document provides information on that how-to. This is challenging as the proper
scope of a risk assessment will change from enterprise to enterprise depending on a variety of
factors, including industry, size, geographic reach and scope, etc. Thus, this document seeks
to provide a practical, step-by- step guidance on how to conduct an anti-corruption risk assessment without being prescriptive, and while remaining industry neutral and location agnostic.
The following sections include background on anti-corruption efforts, the importance
of effective risk assessment and the potential uses of an assessments results. These sections
can help guide internal discussions that takes place before a risk assessment is conducted.
Along those lines, the reader will find a series of principles that can be adopted. We have also
organized a six-step process that can be followed to establish a risk assessment: establish the
process, identify the risks, rate the risks, identify mitigating controls, calculate remaining
residual risk, and develop an action plan.
Not every principle will apply equally to all enterprises. There may be some that are not
suited to your enterprise, particularly if you are a small or medium sized enterprise; if so,
move on to the next principle discussed. Also included are appendices, which may be used as
a guide in internal discussions over the conduct of an assessment; they are not intended to
be all-encompassing, and each risk assessment must be tailored to each enterprise. We have
endeavored to identify where and when the size of an organization impacts the principle
discussed. One of the key principles of conducting such an undertaking is that the level of effort dedicated to the risk assessment process should be commensurate with the size, nature of
operations and locations of your enterprise.

2. http://www.oecd.org/daf/anti-bribery/oecdantibriberyrecommendation2009.htm
3. UN Global Compact Management Model: Framework for Implementation, issued by UN Global Compact
http://www.unglobalcompact.org/docs/news_events/9.1_news_archives/2010_06_17/UN_Global_Compact_Management_Model.pdf

Lastly, in the interest of providing readers with practical, user-friendly material, we have
provided checklists in the appendices of this document. Please note that these appendices
should be used as a guide and nothing more the checklists are not intended to be allencompassing and do not cover nuances for different industries; each risk assessment ought to
be tailored to your enterprise.

The GLOBAL COMPACT management model

COMMIT
Leadership commitment to mainstream
the Global Compact principles into strategies and
operations and to take action in support of broader
UN goals and issues, in a transparent way

ASSESS
Assess risks, opportunities
and impacts across
Global Compact issue areas

COMMUNICATE
Communicate
progress
and strategies,
and engage
with stakeholders
for continuous
improvement

MEASURE
Measure and monitor impacts
and progress towards goals

DEFINE
Define goals,
strategies
and policies

IMPLEMENT
Implement strategies and policies
through the company and across
the companys value chain

10

B.

Introduction and Background

Corruptiondefined broadly as the abuse

of entrusted power for private gain4 is
an insidious problem affecting the lives of
millions around the world. Not surprisingly,
corruption has been an increasing focus of
national governments, international institutions, and the private sector. Enforcement
of anti-corruption laws has risen sharply,
including the imposition of huge fines
against enterprises, and prison sentences for
offending corporate executives. In addition,
international financial institutions and
export credit agencies increasingly are setting anti-bribery requirements and barring
or penalizing enterprises that participate in
corruption.
To avoid the costs of corruption, and to
preclude participation in this destructive
conduct, enterprises need to have effective
anti-corruption programmes. Such programmes will include key elements such
as: an explicit and public anti-corruption
commitment that generally arises from the
leadership of the enterprise; relevant policies
and procedures, controls, training and communication, and reporting mechanisms; and
regular auditing and monitoring.5 In many
jurisdictions, the existence of an effective anti-corruption compliance programme serves
as a mitigating factor, if not a complete defense, in prosecution and other law enforcement decisions.6 These programmes, while
of benefit to the enterprise, can be costly
in both time and money. The key for those
charged with promoting ethics and compliance is to direct resources to the specific
threats faced by that enterprise and where
they are likely to have the greatest effect in
reducing corruption. This will be different
for every enterprise because every enterprise
has a different risk profile and resources.
Each enterprise also needs at least some version of its own anti-corruption programme.7

B.1 Anti-Corruption Risk Assessment

Preventing and fighting corruption effectively
and proportionately means understanding
the risks an enterprise may face. Enterprises
selling large infrastructure projects to governments have a very different risk profile than
those selling consulting services to other businesses, and different still than an enterprise
that runs retail operations. Those that have
most of their operations in Latin America
may not see the same forms of corruption as
those building a business in Southeast Asia.
Large enterprises with significant global
presence face risks not confronted by smaller
enterprises just entering a market. These risk
profiles are all highly relevant to establishing an effective anti-corruption programme;
an effective programme may not be possible
without conducting a periodic and meaningful anti-corruption risk assessment.
Anti-corruption risk assessment, broadly
defined, encompasses the variety of mechanisms that enterprises use to estimate the
likelihood of particular forms of corruption within the enterprise and in external
interactions, and the effect such corruption
might have. Effective risk assessment means
understanding the enterprise. It means
asking questions broadly, understanding
the environments in which it operates, and
understanding who the enterprise is dealing
with, in both the public and private sector. It
also means understanding how various anticorruption programmes and controls are
working in the enterprise, and their effect
on risks. Only then can the enterprise direct
compliance resources to their best use.
Effective anti-corruption risk assessment
should not be an isolated, one-time event.
Continually deploying resources in the most
effective manner requires a current and
accurate understanding of the risks. For
many enterprises, this will mean annual

4. UNODCs An Anti-Corruption Ethics and Compliance Programme for Business: A Practical Guide
5. See generally UN Global Compact 10th Principle Reporting Guidance; Transparency International Business Principles for Countering Bribery.
6. See, e.g., UK Bribery Act, section 7(2); U.S. Federal Sentencing Guidelines Manual 8B2.1.
7. The UK Ministry of Justices first principle for adequate procedures to prevent bribery is that A commercial organizations procedures to
prevent bribery [should be] proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organizations
activities. Ministry of Justice, Bribery Act 2010 Guidance, p.21 (emphasis added).

11

risk assessments. Others may complete the

reviews less frequently, depending on their
risk profiles and resources. There also may
be triggering events such as entry into new
markets, significant reorganizations, mergers, and acquisitions that will create opportunities and incentives for refreshing the risk
assessment. While it may not be necessary
to conduct a comprehensive risk assessment
more often than annually or even biannually, it is imperative to monitor continuously
the riskier aspects of the enterprise and to
remain vigilant for those events, relationships, and interactions that may increase or
create new risks.
It is the business of every enterprise to
understand and respond to the myriad risks
it faces, including not only the variety of
compliance and regulatory risks, but also
the operational, competitive, and financial
challenges that management confronts
every day. For many enterprises, it will make
sense to coordinate these risk assessment
efforts. Whether this means aligning various assessments to the relevant regulatory
environment, or aligning all risk assessment
though a broader Enterprise Risk Management effort, the enterprise will benefit from
some level of risk assessment coordination.
Coordinated risk assessments save time and
money and avoid risk assessment fatigue.
For example, it should be possible to use
consistent definitions and methodologies to
estimate inherent and residual risk across
different risk assessments.
Nonetheless, while anti-corruption risk
assessment may be aligned with other risk
assessment efforts, it will be beneficial for
many enterprises to maintain anti-corruption risk assessment as a stand-alone endeavor, given the particular objectives and focus
of such an assessment.
Risk assessment is not referenced specifically in the international anti-corruption
conventions or national anti-corruption legislation, though it is a requirement in certain
stock exchange and corporate governance
regulations and is discussed in some important guidance documents. One anti-corruption convention with related risk assessment
guidance is the Organization for Economic

Cooperation and Development (OECD)

Convention on Combating Bribery of
Foreign Public Officials in International
Business Transactions (OECD Anti-Bribery
Convention). In 2010, the OECD adopted the
Good Practice Guidance on Internal Controls,
Ethics, and Compliance.8 The Guidance is
intended to serve as non-legally binding
guidance on establishing effective internal
controls, ethics and compliance measures to
prevent and detect foreign bribery. It recommends that these measures be developed on
the basis of a risk assessment addressing the
individual circumstances of an enterprise
and that risks should be regularly monitored,
re-assessed, and adapted as necessary.9
The US Foreign Corrupt Practices Act of
1977 (FCPA) and the UK Bribery Act of 2010
are considered to be the most prominent
national laws on bribery. Guidance has been
issued related to both laws that include
reference to risk assessment. The US Department of Justice (DOJ) and US Securities and
Exchange Commission (SEC) published
A Resource Guide to the Foreign Corrupt
Practices Act in 2012, which notes risk assessments are a fundamental part of the compliance programme and that the SEC and DOJ
will evaluate an enterprises risk assessment
when assessing an enterprises compliance
programme. This guidance suggests enterprises should avoid a one-size-fits-all approach to an anti-corruption risk assessment
since the level of effort should be proportionate to an enterprises risk profile and that
identifying risks by level (e.g., high, medium
or low) is key to determining the resources to
allocate to different anti-corruption compliance programme elements. The guidance
also suggests that factors to consider when
assessing corruption risk include industry,
country, size, nature of transactions and
amount of third party compensation.
When the UK Bribery Act was passed in
2010, enterprises were concerned by some
of the potential uncertainties in the Act
and requested that the government provide
clarification. In response, the UK Ministry
of Justice published Guidance to the Bribery
Act in April 2011. The Guidance set out six
principles, including one for Risk Assess-

8. Adopted as an integral part of the Recommendation of the OECD Council for Further Combating Bribery of Foreign Public Officials in
International Business Transactions of 26 November 2009 http://www.oecd.org/dataoecd/5/51/44884389.pdf OECD Principles of Corporate
Governance OECD Guidelines on Corporate Governance of State-Owned Enterprises
9. Section A, Good practice Guidance

12

ment, which the government considered

should inform the procedures to be put in
place by commercial enterprises wishing to
prevent bribery. Principle 3, Risk Assessment,
states: The commercial organization assesses the nature and extent of its exposure
to potential external and internal risks of
bribery on its behalf by persons associated
with it. The assessment is periodic, informed
and documented. The full text for Principle
3 is given in Appendix 1. Also in the UK, the
British Standard 10500, Specification for an
Antibribery Management Systems (ABMS),
states that an enterprise should implement
procedures to enable it to assess the risk of
bribery in relation to its activities and also
whether its policies, procedures and controls
are adequate to reduce those risks to an acceptable level.
While other global codes and regulations
do not address anti-corruption risk assessment specifically, they do emphasize the importance of performing risk assessments as
an enterprise. For example, the South Africa
Stock Exchange issued the King III report,
emphasizing that risk management should
be seen as an integral part of the enterprises
strategic and business processes. The Australian Standard 8001-2008 on Fraud and Corruption Control stresses the need to control
the risks of fraud and corruption and assigns
this governance obligation to an enterprises
controllers. Similarly, the principles put
forth by the UK Corporate Governance Code
published by the Financial Reporting Council
(FRC) includes the following: The board is
responsible for determining the nature and
extent of the significant risks it is willing to
take in achieving its strategic objectives. The
board should maintain sound risk management and internal control systems.10

B.2 Forms of Corruption

In designing an anti-corruption programme,
the enterprise should define what it understands to be corruption and its various
forms, as this will provide the reference for
the risk assessment process. Transparency In-

ternational defines corruption broadly as the

abuse of entrusted power for private gain,
but corruption can show itself in many ways.
Some of the main forms are described below.
Bribery: This is the offering, promising,
giving, accepting, or soliciting of an advantage as an inducement for an action, which
is illegal, unethical, or a breach of trust or
to refrain from acting.11 Bribery can be a
financial or in-kind undue advantage that
can be paid directly or through intermediaries. The enterprise should consider the
most prevalent forms of bribery in its risk
assessment, including kickbacks, facilitation payments, gifts, hospitality, expenses,
political and charitable contributions,
sponsorships, and promotional expenses.
Brief descriptions of some of these risks are
given below:
Kickbacks: These are bribes fulfilled
after an enterprise has awarded a
contract to a customer. They take place
in purchasing, contracting, or other
departments responsible for decisions to
award contracts. The supplier provides
the bribe by kicking part of the contract
fee back to the buyer, either directly or
through an intermediary.
Facilitation payments: These are typically small payments made to secure or
expedite the performance of a routine
or necessary action to which the payer
is entitled, legally or otherwise. They
present concerns for entities as often
payments are extorted in circumstances
such as obtaining release of perishable
goods from customs or seeking entry at
the immigration desk.
Charitable and political donations,
sponsorship, travel, and promotional
expenses: These are legitimate activities for entities but can be abused by
being used as a subterfuge for bribery. It
should be noted that under the foreign
bribery offences of many countries (in
particular countries that are Party to the
OECD Anti-Bribery Convention), there
are risks attached to such transactions
where it could be judged that an advantage has been given to a Foreign Public
Official to obtain or retain business.

10. UK Corporate Governance Code (FRC June 2009), Section C Accountability

11. Business Principles for Countering Bribery (Transparency International 2009), OECD Anti-Bribery Convention, Art. 1; UN Convention
against Corruption, Art. 15-16

13

Conflict of interest: A conflict of interest occurs where a person or entity with

a duty to the enterprise has a conflicting
interest, duty, or commitment. Having a
conflict of interest is not in itself corrupt,
but corruption can arise where a director, employee, or contracted third party
breaches the duty due to the entity by acting in regard to another interest.12
Collusion: This can take various forms,
of which the most common include bidrigging, cartels, and price-fixing:
Bid rigging: The way that conspiring
competitors effectively raise prices in situations where purchasers acquire goods
or services by soliciting competing bids.
Essentially, competitors agree in advance
who will submit the winning bid on a
contract let through the competitive
bidding process. As with price fixing (see
below), it is not necessary that all bidders participate in the conspiracy.13
Cartels: A secret agreement or collusion
between enterprises to commit illicit
actions or fraud. Typically this will involve price fixing, information sharing,
or market rigging by setting quotas for
production and supply.
Price fixing: An agreement among
competitors to raise, fix, or otherwise
maintain the price at which their goods
or services are sold. It is not necessary
that the competitors agree to charge
exactly the same price, or that every
competitor in a given industry join the
conspiracy. Price fixing can take many
forms, and any agreement that restricts
price competition may violate applicable
competition laws.
Revolving door: This is corruption linked
to the movement of high-level employees
from public sector jobs to private sector
jobs and vice versa. The main concerns
relate to how the practice by an enterprise
can compromise the impartiality and
integrity of public office. For enterprises,
there may be risks in discussing or promising future employment to public officials
or using former public officials as board
members, employees, or consultants.

Patronage: Favouritism in which a person

is selected, regardless of qualifications,
merit, or entitlement, for a job or benefit
because of affiliations or connections.
Illegal information brokering: The brokering of corporate confidential information obtained by illegal methods.
Insider trading: Any securities transaction made when the person behind the
trade is aware of non-public material information, and is hence violating his or her
duty to maintain confidentiality of such
knowledge.14
Tax evasion: The illegal non-payment of
tax to the government of a jurisdiction to
which it is owed by a person, enterprise,
or trust who should be a taxpayer in that
place.15

B.3 Influence on the Overall Anti-Corruption Compliance Programme

As discussed earlier, a good anti-corruption
risk assessment serves as the base upon
which a robust programme is built or maintained. This section will highlight key questions a good risk assessment will ask about
critical programme components. Repeat risk
assessments should be used to measure the
progress of initiatives like enhanced training programmes or communication efforts
and to further develop and refine the overall
programme.

Written standards and policies

Key questions for an effective risk assessment
regarding an enterprises written standards
include:
Do our policies accurately reflect our risks
and provide the necessary guidance for our
employees?
Do we have the right policies in place? Do
we need to translate our policies into additional languages as a result of the countryrisk identified in our assessment?
An enterprises written standards should,
first and foremost, be tailored to meet the
needs of the enterprise. The standards should
also be accessible to the target population,

12. UNCAC Article 12, clause 2 (e)

13. http://www.justice.gov/atr/public/guidelines/211578.htm
14. US Securities Exchange Commission, 2000, Rule 10b5-1
15. The Tax Justice Network, http://www.tackletaxhavens.com/Cost_of_Tax_Abuse_TJN_Research_23rd_Nov_2011.pdf

14

both literally and linguistically. The risk

assessment process can help those companies
that may not have formal policies in place
determine where best to formalize guidance;
for those companies that have policies in
place, the results of the anti-corruption risk
assessment may point to key action items.
For example, if the assessment reveals that
the policy is not translated into all the applicable local languages, is difficult to locate,
and is written at an elevated grade level, an
obvious immediate action item should be to
revise the policy to make it easier to read,
translate it into all the high-risk languages
(at least), and properly communicate how to
locate the policy.

Training plans and communication

efforts
Training, like almost every other aspect of
an effective anti-corruption compliance programme, must be targeted, and based on the
risk profile of the company. Key questions
answered by an effective risk assessment
about an enterprises training plan include:
Are there particular subsections of our
employee base (e.g., mid-level managers)
that need additional training? What about
mid-level managersdo they need additional training?
Have we measured the quality and thoroughness of the training materials or
tested employee retention of the subject
matter?
What will the frequency and timing of
these trainings be?
Risk assessment results can assist enterprises
in improving the quality of existing training,
and for those smaller enterprises, they can
help identify the at-risk populations that are
in critical need of training. In addition, effective communication efforts have a significant
role to play in the overall success of an anticorruption programme, as noted in much
of the available regulatory guidance. The
results of the anti-corruption risk assessment
could be used to plan out the next 18 months
of communication efforts, with a particular
emphasis on utilizing those mechanisms
likely to reach the highest risk audiences.
Particular attention should be paid to the
timing of these efforts, utilizing the information gathered in the assessment regarding
key risk periods.

Monitoring and auditing activities

Key questions answered by an effective risk
assessment about an enterprises monitoring
and auditing activities include:
As part of the follow-up on key identified risks, are there changes that need to
be made to our monitoring and auditing
activities?
Do we need additional technologies or
processes to make this stage of our programme more robust?
The information gathered during the risk assessment should play a role in advancing the
enterprises ongoing monitoring efforts. For
example, a weakness in travel and expense
reporting controls revealed by the risk assessment might lead to the need for an online
travel and expense reporting system with
more robust functionality, including manager reminders or pop outs regarding the
enterprises travel and expense policy. The
prioritization of risks resulting from the risk
assessment can be used to determine which
controls to test and with what frequency.

Third party communication, contract

terms and provisions and due diligence
Finally, key questions answered by an effective risk assessment about an enterprises
third party controls include:
Has our assessment identified key third
party risks that are not addressed by our
current due diligence process?
Is our contract language adequate to protect our enterprise? How are we currently
communicating with our third parties?
Each aspect of the enterprises interactions
with its third parties could be evaluated in
light of the risk assessments results, particularly how a third party is chosen, what
representations and warranties are placed
in the contract, and how the enterprises
expectations of behaviour are communicated
to the third party. The risk assessment will
also often allow an enterprise to risk rank
its third parties, concentrating its diligence
efforts on the highest risk entities and maximizing the mitigation effect for the expenditure associated with diligence.

15

B.4 Personnel Typically Involved

Before embarking on an anti-corruption risk
assessment, it is important to determine
who would be involved and what their roles
would be. A well-planned anti-corruption
risk assessment would have clearly delineated roles and responsibilities that are clearly
articulated and understood.
A critical feature to the success of an
anti-corruption risk assessment is usually
the buy-in of senior executives and others
charged with governance such as the board
of directors regarding the roles and responsibilities for the different stakeholders in the
anti-corruption risk assessment. Without
such high-level support, risk assessments
can lose momentum, avoid or inadequately
deal with certain issues, or have their quality
impaired by other executives and managers
choosing not to participate.

B.5 Overall Responsibility and

Leadership
The overall responsibility for the anti-corruption risk assessment should be that of those
charged with governance at an enterprise,
such as the board of directors or equivalent
oversight body (including trustees, advisors, overseers, etc.), or a board committee
designated with this role (including an
audit committee, governance committee,
or risk management committee). For the
anti-corruption risk assessment, the board of
directors should understand the corruption
risks impacting the enterprise and also the
enterprises plan to mitigate and remediate
such risks. The board has an important role
in driving the risk assessment and could
challenge and stimulate managements process. Non-executive directors can also contribute to ensuring that the enterprise gives
adequate attention to corruption related
risks and has appropriate measures in place
including risk assessment. The audit or ethics
committee should obtain periodic updates
from management on the anti-corruption
risk assessment process and also review and
approve, if appropriate, the final results of
the risk assessment. Once the risk assessment process has been completed, the audit
committee should assign the internal audit
department (or other designated personnel/

external party) to monitor and test the key

controls identified to mitigate corruption
risks. For enterprises that do not have a
board of directors or a committee charged
with governance, the overall responsibility could be given to individual(s) from the
senior executive leadership team.
Management should be responsible for
performing the risk assessment, reporting
periodically to those charged with governance on the status and results of the
anti-corruption risk assessment and on the
implementation of any resulting risk mitigation action plans. Qualified individuals
should carry out the risk assessment process
and management should consider whether
involvement of external experienced professionals is necessary. Historically, in certain
enterprises, internal audit functions have
often led the performance of anti-corruption
risk assessments, but it is increasingly accepted that performing an anti-corruption
risk assessment should be a management
function and that the internal audit function should remain sufficiently independent
to be able to perform objectively its role of
evaluating key internal controls. Functions
that might appropriately have responsibility
for leading the anti-corruption risk assessment include compliance, legal, ethics, or
risk management. However, the input from
those involved in operations play a key role,
and for larger enterprises it is desirable to
have operating units or regions take ownership of performing anti-corruption risk
assessment activities for their local unit and
region. The key is for the leading function to
be most vested and have appropriate influence across the enterprise. Another successful strategy might be to have a committee
of functions/individuals share leadership
responsibilities. For enterprises that do not
have dedicated functions for these areas, the
leadership could be given to individual(s)
from the senior management team such as
those responsible for compliance, ethics risk
management, or legal.

B.6 Participants
The designated anti-corruption risk assessment owner(s) will typically engage with a
wide range of stakeholders. A successful anticorruption risk assessment would include

16

participation and input from personnel with

knowledge of the enterprises operations
that have exposure to corruption risks. In
addition to members of senior management,
these might include personnel in functions
such as compliance, ethics, legal, internal
audit, risk management, sales and marketing, procurement, shipping, accounting and
finance, and human resources. It can be
valuable to involve individuals at different
levels within the enterprise, such as senior
management and junior staff. Senior personnel often know how functions are supposed
to operate while more junior personnel may
know that they operate in practice. It is also
recommended to involve individuals from
different locations and operating units if applicable. In certain industries, geographies,
or organizational structures, other functions
may also be important, such as a development function responsible for building new
facilities in locations with a high risk of bribery to obtain required government permits
and approvals.
A good strategy is to have operating unit/
regional location ownership of the anticorruption risk assessment. In this approach,
each operating unit/regional location will
be responsible for performing the risk assessment related to its segment. This allows
for individuals with specific local, business
and industry knowledge compiling the risk
assessment for each relevant segment based
on parameter and guidelines provided by a
centralized owner (e.g., from headquarters).
Once input from each of the designated segments is received, it would be consolidated
by the centralized owner to provide an overall enterprise view together with segment
specific view of corruption risks.
Where favorable relationships exist,
enterprises may solicit information about
corruption risks from third parties, potentially including key suppliers or customers.
Internal audit personnel from those third
parties may be a valuable source of information relating to potential corruption risks
in transactions between their entity and
the enterprise that is the subject of the risk
assessment. In any case, legal counsel should
be consulted before attempting to establish
such communications to manage legal risks.

Below there is more specific information

of potential roles and responsibilities of some
common participants in the anti-corruption
risk assessment process; there may be other
functions relevant to your enterprise depending on size, industry and location. The below
assumes the broadest of governance, operational, and control functions. However, it is
recognized that certain enterprises will have
much fewer of these functionsor the functions may be imbedded in another function.
Compliance Function
The compliance and ethics function can
contribute to the identification of risks by
highlighting violations of anti-corruption
laws that have occurred in the past in the
enterprise or at other enterprises in the
same industry or operating in the same
geographical risk areas. The compliance
function may also assist in the identification of existing anti-corruption compliance controls and programmes in place to
mitigate corruption risks.
Risk Management Function
Even if it is not the lead/owner, the risk
management department can ensure consistency in approach between the anti-corruption risk assessment and other risk assessment initiatives at the enterprise, such
as enterprise risk management. The risk
management department can also draw
from the results of other risk assessment
initiatives, which may be leveraged in the
anti-corruption risk assessment process.
Legal Function
The legal function can support the process by identifying the anti-corruption
laws in the relevant geographical areas
and highlighting how such laws may be
violated. The legal function can also provide information about interactions with
government departments and officials to
obtain permits and other approvals plus
the policy for including anti-corruption
representations and clauses in contracts.
While an anti-corruption risk assessment
is typically not something that needs to be
done under attorney-client privilege, there
could be instances where an enterprise may
choose to use such privilege. In such cases
the legal department would need to be
involved in designing the anti-corruption

17

risk assessment protocols. Lastly, protocols

around handling and communicating any
new revelations of actual violations of anticorruption law discovered during the risk
assessment process should be discussed and
cleared with the legal department prior to
commencing the exercise.
Internal Audit Function
The internal audit function can aid management by facilitating the anti-corruption
risk assessment process, such as by conducting interviews or surveys, researching
risk and control information sources, or
facilitating managements self-assessment
meetings. The internal audit function
could evaluate the effectiveness of managements anti-corruption risk assessment
process and also incorporate the results of
the risk assessment into its auditing and
monitoring plan. The internal audit function can draw from its experience, any
past history of corruption at the enterprise
or other similar enterprises, and from any
relevant results of previous internal audits
to identify appropriate risks and controls
to be considered.
Accounting and Finance Function
The accounting and finance function can
provide valuable information risks relating to account reconciliation process for
high risk general ledger accounts, miscellaneous suspense accounts, petty cash,
calculation of commissions and travel,
interactions with government officials
for areas such as income tax, and entertainment expenses. The accounting and
finance function can be particularly helpful in identifying financial controls that
mitigate corruption risks.
Procurement Function
The procurement function can provide
relevant information about the procurement process, including risk areas such
as bid-rigging and selecting third parties
that are not at arms length, and can also
provide the relevant policies and controls
as well as insight into any past incidents
involving kickbacks or bribery. In addition,
the procurement function can provide
information about new vendors in the
past year and financially large contracts
executed during the year.

Sales and Marketing Function

The sales and marketing function can
provide information about relevant topics
such as gifts and entertainment expenses,
sales commissions, interactions with
custom officials for export of goods, past
incidents of offers of kickbacks or bribery
by sales staff, side agreements, and the use
of third parties and agents for sales.
Supply Chain
The supply chain group can provide valuable information relating to approaches of
bribery or kickbacks from potential suppliers and the nature of the enterprises relationship with any third parties involved in
the supply chain. For certain enterprises,
the supply chain group could be integrated
into the overall risk assessment management process.
Human Resources Function
The human resources function can provide
information about tone at the top, any
disciplinary matters for anti-corruption
related violations and the employee background checks process.
Corporate Affairs Function (Public
Relations)
The corporate affairs or public relations
function is taking on an increasingly
important role in view of the reputational
risks and market damage that can come
from corruption incidents.

The remainder of this Guide will present practical

guidance and a series of tools to aid business leaders and compliance practitioners in conducting
the most efficient and effective anti-corruption
risk assessments within their enterprise.

18

C.
1. Establish
the process

Establish the Process

2. Identify the
risks

3. Rate the
inherent risk

4. Identify and
rate mitigating
controls

5. Calculate
residual risk

6. Develop
action plan

C.1 Introduction

C.2 Understanding the Issue

In this chapter, the different elements of an

anti-corruption risk assessment are described
together with an approach for conducting an
assessment. The objective of this section is to
provide a structured approach to conducting
an anti-corruption risk assessment at an enterprise by following the steps outlined above.
Since every enterprise has a different
exposure to corruption risks, the steps
outline a generic approach, using common
corruption risks and schemes as illustrations,
and suggest different ways to identify and
evaluate risks.

A firm understanding of corruption risks,

schemes, and potential legal consequences is
a prerequisite for a sensible risk assessment.
Therefore it is useful to raise awareness with
key stakeholders involved in the process.
A kick-off workshop prepared by the legal,
risk management, compliance, or internal
audit departmenteither facilitated by external anti-corruption specialists or notmight
be considered to explore the corruption risks
in more detail.
The objective of the meeting is to address
the topic of corruption, acknowledge that the
enterprise might be exposed to corruption
risks and identify the steps to explore the
corruption risk exposure.

SAMPLE AGENDA KICK-OFF WORKSHOP

10

Introduction: welcome, introduction participants, meeting objective

30

Exploring the topic: facts and figures on corruption in presentation including corruption
cases in industry or countries the enterprise is active in, changes in the legal environment.

40

Discussion on specific topics / risks: Could it happen to our enterprise?

Facilitation payments
Working with Agents
Gifts and entertainment
Etc.

10

Brainstorm on additional enterprise specific risks

30

Next steps: identify follow-up actions, responsibilities and timeline

TIP: Via the UNGC website http://thefightagainstcorruption.unglobalcompact.org links http://www.

unglobalcompact.org/ and http://www.unodc.org/ you can find examples of realistic corruption situations.
The eLearning clips can be used in the kick-off session to address topics related to gifts and entertainment,
facilitation payments, mysterious middlemen, and insider information.

19

C.3 Planning
A one or two hour brainstorm is a good practice for a corruption risk assessment, but a
robust assessment typically involves multiple
activities to identify its risk exposure, including questions like:
Who owns the process and needs to be
involved?
How much time will be invested in the
process (planning including milestones,
deliverables, decision dates)?
How is data going to be collected?
What internal and external resources are
needed?
What additional analysis should be made?
What methodology is going to be used?

Objectives, stakeholders, and resources

A corruption risk assessment could be
carried out for a number of reasons. These
should be considered in the planning stage
to assist in designing an assessment that can
achieve the underlying objectives. In general,
the primary objective is to better understand
the corruption risk exposure of the enterprise so that informed risk management
decisions may be taken. Other objectives
might include:
Setting the agenda or priorities for the
anti-corruption activities;
Defining an action plan or Key Performance Indicators (KPIs) for anti-corruption
initiatives;
Measure progress or effectiveness of previous anti-corruption initiatives;
Raising awareness for corruption risks
with key stakeholders involved in the
process; and
Monitor the development of corruption
risks, analyse trends.

Establishing risk tolerance

It is valuable to determine the risk tolerance level early in the anti-corruption risk
assessment process, involving either the
Board of Directors or those charged with
governance (such as the Audit Committee). A
number of major incidents of corruption in
the past have involved situations where, with
hindsight, management was taking on more
corruption risk than those charged with
governance knew and would have considered
tolerable. Establishing the risk tolerance up
front can help to make the evaluation of
residual risks a relatively straightforward

and objective exercise. If risk tolerance is not

explicitly determined up front, there is the
potential that management will rationalize
existing levels of corruption risks as acceptable, thereby undermining the purpose and
value of the anti-corruption risk assessment.
Participants may raise difficult questions relating to risk tolerance, for example:
How is it possible for management to say
that it has a certain tolerance or appetite
for corruption risk, when management may
also be claiming to have zero tolerance for
corruption? A simple answer to this is that
corruption prevention is an imperfect art, so
some level of corruption risk is unavoidable,
even though management may be completely
committed to avoiding corruption and to
standing by its claim to have zero tolerance
for acts of corruption. In evaluating corruption risks, management considers whether
the level of risk for each corruption scheme
is within managements risk tolerance or risk
appetite for corruption risks.
In addition to larger enterprises, the
concept of risk tolerance is very important for
small- or medium-sized enterprises since such
enterprises typically have limited resources
and are not able to invest in all the best in
class anti-corruption practices and controls.
Establishing a risk tolerance will allow such
enterprises to have a means to identify which
risks are most critical and important for them
to focus on and allocate scarce resources.

Risk registers
During the planning stage of the anti-corruption risk assessment, it is important to determine how the risk assessment will be documented. A common and practical approach
is to identify and document each risk factor,
risk, and scheme individually and include in
a spreadsheet or word document as part of a
risk register. This risk register would also
be used to document the ratings for each risk
and scheme as well as the programmes and
controls that mitigate each risk. During the
risk identification stage of a corruption risk
assessment, there are benefits to identifying
detailed information for each scheme, such
as potential parties who may perpetrate the
scheme (both from within the enterprise
or by third parties). In addition, if there is
more than one programme/control mitigating a scheme, the risk register would capture
the different programmes and controls that
mitigate the scheme.

20

For larger enterprises, the risk register can

be compiled by location and/or operating unit.
The advantage of doing it by location and/or
operating unit is that the ratings and controls
can be tailored, as the same risk may have
different level of exposure for an enterprise
depending on the country/region it is being
perpetrated and on the operating unit. This
way, local management in a region or operating unit can get a view of their corruption risk
exposure tailored for their location or operating unit. If the risk register is done by location
and/or operating unit, an enterprise-wide
view can still be achieved by consolidating the
results of the individual location/operating
unit risk assessments and summarizing an
enterprise-wide view of the corruption risks

impacting the enterprise. When consolidating the results, enterprises that have different
ratings for the same schemes can average the
ratings from each location or operating unit
to come up with one consolidating rating
enterprise-wide for each scheme.
The detailed information included in the
risk register can assist the enterprise as it
prepares heat maps of its potential corruption exposure areas and summary results of
the risk assessmentsee section D for more
details on summarizing and reporting the
results of an anti-corruption risk assessment.
An illustration of a sample risk register
template is below:

21

Location/ Region: Country A

Business Unit: Unit XYZ
Corruption Risk Factor

Local business climate

Corruption Risk

Bribery of a government
official to secure, retain or
influence an improper business
decision

Corruption Scheme

a) Potential improper payments to customs officials to

facilitate processes related
to importation of goods or to
clear the import of goods that
are illegal

b) Potential improper payments to tax authorities to

secure the reduction or elimination of tax liabilities

c) Potential improper payments to government officials

to secure a desired piece of
property or favourable lease
terms

Probability

Medium

Medium

Medium

Potential Impact

High

High

High

Inherent Risk

High

High

High

Anti-Corruption
Controls

Global Anti-Corruption
Policy and Procedures
including specific content on
payments to customs

Global Anti-Corruption
Policy and Procedures
including specific content on
payments to tax authorities

Anti-corruption training for

employees that is tailored
for select regions and key
functions

Anti-corruption training for

employees that is tailored
for select regions and key
functions

Global Anti-Corruption
Policy and Procedures
including specific content
on payments to government
officials for property leases

Global whistleblower
hotline

Global whistleblower
hotline

Annual anti-corruption audits on payments to custom

officials in select regions/
countries

Annual anti-corruption
audits on payments to tax
authorities

Control Risk Rating

Effective

Effective

Effective

Residual Risk Rating

Low

Low

Low

Anti-corruption training for

employees that is tailored
for select regions and key
functions
Global whistleblower
hotline
Annual anti-corruption
audits on interaction/transactions with government
officials to secure property
lease

22

D.
1. Establish
the process

Identifying Risk Factors, Risks, and Schemes

2. Identify
the risks

3. Rate the
inherent risk

4. Identify and
rate mitigating
controls

When planning an enterprise-wide corruption risk assessment, careful consideration

should be given to the stakeholders involved
in the process. As outlined in Personnel
Typically Involved in Section B, a variety of
stakeholders could contribute to this exercise.
As involving more people will involve more
resources and time, this also leads to the question how the process can be set up in an efficient way. This section explores the principles,
techniques, and practices that can help an
enterprise identify risk factors (i.e., why would
corruption occur at your enterprise?) and risks
and schemes (i.e., how would corruption be
perpetrated at your enterprise?).

D.1 Data Collection

There are different ways to collect data and
information on why and how corruption
risks may occur at an enterprise. In this
section, we introduce these methods and
discuss their pros and cons.

Desktop research
Desktop research offers a great starting point
for an anti-corruption risk assessment. Both
external and internal resources should be
considered. Internal reports from the Internal Audit department on compliance risks,
non-compliance cases, and common corruption risks can be used for this purpose.
Another internal source is analysing a log
of past corruption cases and the allegations
from the whistleblower hotline, which could
identify types of risks. In addition, background checks of third parties (for example,
suppliers and agents), due diligence reports
of acquisitions, and evaluations of tendering reports, all offer a head start. External
sources offering country profiles on corruption or industry- specific corruption cases are
worth considering as well.

5. Calculate
residual risk

6. Develop
action plan

In addition to readily available reports, an

enterprise can utilize additional analyses using financial data that provides sales figures
and commissions paid to agents to compile a
country/location sensitivity analysis tool. See
Appendix 2 for a sample sensitivity analysis
tool.
Also, an analysis of the spending on
entertainment, gifts, and hospitality by the
country or operating unit could be considered. Internal audit functions often download data relating to a particular operating
unit from enterprise-wide accounting and IT
systems for analysis. This can identify areas
of heightened risk that may be subjected to
deeper scrutiny using other methods. The
same process can be applied to gathering
data related to potential corruption risks.
Lastly, analyzing the key third parties
(such as agents, JV partners, and contractors)
in high-risk countries or regions, plus areas
where an enterprise has interactions with
governments or government officials, can
also help to identify where corruption risks
may exist.

Interviews
Interviewing key stakeholders can be an
effective method to get an overview of the
corruption risks at an enterprise. First,
various corporate staff functions (such as
compliance, legal, risk management, internal audit, human resources, procurement,
security, and any investigations unit) may
offer valuable insights at a high level. Line
management (country, regional, or local),
who are dealing with operational risks on a
day-to-day basis, can often provide additional
insights arising from geographic and operational experience. The owners of certain processes may be able to identify process-specific
issues. For example, the head of sales can be
requested to outline the sales process and
practices in different countries or the head of

23

procurement can present a walk-through of

the tendering process. The views of external
stakeholders (such as Board of Directors, suppliers, clients, external auditors, investigators, local authorities, major shareholders or
institutional investors, and even journalists)
could also be considered.
Interviews may allow for more detail
than surveys or desktop review and offer
the opportunity to ask additional questions,
exploring risks in more detail. Interviews
may be conducted one-on-one or in small
groups as long as individual insights will not
be excluded due to dominant personalities or
group dynamics.
Refer to Appendix 3 for sample interview
topics and questions.

Surveys and self assessments

A survey can be an efficient tool to collect
views on corruption risks from both employees and external parties, particularly if logistics allow it to be conducted online. Surveys
are a valuable tool when collecting views
from managers and employees in different
countries and functions. Next to identification of the risks, the survey methodology
also helps to raise awareness for the topic of
corruption. Surveys as a tool on their own
pose significant advantages, including:
Insignificant deployment cost: Depending
on the mode of delivery, surveys can be
relatively inexpensive to administer.
Ease of deployment: The enterprise has
flexibility during the development phase to
decide how the survey should be administered, i.e., online, in-person, via e-mail, etc.
Standardization: The questions can be
standardized to allow for uniformity,
which aids measurement and interpretation of results.
A self-assessment tool is an additional
resource for risk identification, particularly
in enterprises with different locations and
operating units. It requires that risks be identified and compiled by relevant individuals
within the enterprise (in larger enterprises,
this could be done by the operating units
with oversight from the corporate office) in
order to create a risk register from the information received. One of the many benefits of
a self-assessment tool is that it provides a customized set of corruption risks driven largely
by knowledge, attitude, and processes of the
local business operating environment. This

ensures that the operating environments

of an enterprises key segments (such as
operating units) are considered rather than
developing a set of generic and standardized
risks at the corporate level and pushing them
down to the operating units.
A survey can be utilized as a self-assessment for (divisional or regional) management
as well by asking where they see corruption
risks in their operations. When considering a
survey, good preparation is key, as there are
some potential conflicts:
Knowledge: The term corruption is interpreted differently around the globe. In
some countries, a business gift can be an
act of corruption under applicable criminal laws whereas in some countries such
a gift may not be understood as an act of
corruption.
Data quality: Asking a country manager for
his or her top five corruption risks might be
perceived by a country manager as a corporate fishing expedition that may lead to an
undesirable request for more controls and
reporting lines. This perception may impact
the country managers responses.
Analysis: Open questions could be valuable in some situations, but often lead to
increased work in the analysis, potentially
in many different languages.
In Appendix 3 you will find an example of
topics and questions that could be addressed
in a survey or self-assessment.

Workshops, brainstorm sessions, or

focus groups
Using workshops or brainstorm sessions to
explore corruption risks can be an effective
and efficient way to collect views from different stakeholders. Discussing the different
views on risks helps to build understanding.
A workshop could cover multiple steps in
the anti-corruption risk assessment process.
It could begin, for instance, in a risk room
format, taking the participants through
the stage of defining and discussing risks,
evaluating probability and potential impact,
and resulting in an agreed upon risk profile
tailored to the enterprise. It could continue
further and develop an action plan to mitigate risks. One way of identifying potential
corruption risks could be by asking each
participant the question: If you would try
to be corrupt, which method would you use
and how would you do so?

24

Another way to explore the enterprises

corruption risk exposure at the level of an
individual process is to first map the processes (e.g., procurement or sales) in detail,
then walk through them with a team of
experts and look for opportunities to breach
the process. In doing so, participants may
identify red flags, potential corruption risks
or schemes, and controls to mitigate them.

D.2 Identify the Risks

Below we define and provide examples of
risk factors and corruption risks in specific
processes.
Risk factors are reasons why corruption
may occur at an enterprise based on its environment, including the nature of its operations and locations. One way to illustrate risk
factors is to look at Donald Cresseys Fraud
Triangle16, which defines three elements and
conditions (risk factors) that allow for fraud
to occur: Pressure, Opportunity, and Rationalization. Although this triangle was developed in relation to fraud risks, it can also
be utilized in identifying corruption risk
factors. When applying the Fraud Triangle to
assessing the risk of corruption, the following elements should be taken into account:
A perceived financial pressure, or incentives (e.g., pressure to meet client expectations, financial targets, sales targets);
A perceived opportunity to commit an
act of corruption with a low likelihood of
detection (e.g., monitoring/controls that
are perceived to be ineffective, or very
complex corporate structure);
Rationalization or Attitudes (e.g., history
of illegal practices at the enterprise, such
as, competitors pay bribes, no one will find
out, if I dont do this Ill lose the contract
and my job, low staff morale)

Once an enterprise understands its risk factors,

it can then identify what type of risks and
schemes may exist given those factors. These
risks and schemes would represent examples
of where and how corruption may occur at
the enterprise. In order to conduct a thorough
corruption risk assessment it is helpful to
distinguish between corruption risk factors,
corruption risks, and corruption schemes.
Example:
One corruption risk factor might be the political climate in a country. This might lead to
several corruption risks, such as the customs
authority requesting a bribe. This corruption
risk then might lead to different corruption
schemes, including cash payments, gifts, or
other gratuities.
Another corruption risk factor might be
the practices of competitors to illegally gain
market share, whereby an enterprise may feel
that the only way to compete in a country or
region is to do the same as its competitors in
bribing government officials to gain business advantage. Refer to Appendix 4 for a list
of corruption red flags and http://www.acfe.
com/fraud-resources.aspx for the Association
of Certified Fraud Examiners (ACFE) 2012
Report to the Nations on Occupational Fraud
and Abuse for a list of behavioural red flags.
In the next paragraphs, selected common
corruption risks related to specific processes,
countries, and industries are identified. Refer
to Appendix 5 for examples of specific corruption risk areas.

D.3 Corruption Risks in Specific

Processes
In this section, we show some examples of
specific processes that are vulnerable to corruption and deserve extra attention when
performing an anti-corruption risk assessment for your enterprise.

PRESSURES

D.3a Procurement
For most enterprises, the procurement or
sourcing function is crucial to their business.

RATIONALIZATION

OPPORTUNITY

16. The Fraud Triangle was developed on hypothesis originated

by Donald Cressey, an American penologis, sociologist, and
criminologist who made innovative contributions to the study of
organized crime and white-collar crime. Source: http://www.acfe.
com/fraud-triangle.aspx

25

When buying products or services from vendorsespecially when the vendor depends
heavily on the contractthere are some common corruption risks to look out for:

Bribes and kickbacks

Individual employees in the procurement
function (or their managers) might be offered a bribe or kickback by the vendor in exchange for obtaining business. This bribe can
either be in cash, or could involve anything
of value, such as: gifts, travel, non-standard
meals and entertainment, use of credit cards,
or cash transfers disguised as loans. But
procurement employees could also solicit for
a bribe, for example by offering to agree to
pay a premium price for goods or services in
return (refer to overbilling schemes).

Use of agents
When entering new markets, enterprises often
rely on agents or consultants to familiarize the
enterprise with the new country or region and
local business practices, or to introduce the
enterprise to potential customers. Usually the
agent works on a commission basis, receiving
a percentage of the sales as a fee. Sometimes
agents secure contracts by sharing their fee
with personnel at the client side. Under anticorruption legislation like the FCPA and UK
Bribery Act, the enterprise hiring the agent
might be held responsible for this practice and
be subject to fines or penalties.
TIP: View The Mystery Middleman http://thefightagainstcorruption.unglobalcompact.org and http://
www.unodc.org/ on the UNGC website.

Overbilling schemes

Gifts and lavish entertainment

Overbilling is a financial fraud scheme

whereby an enterprise receives higher than
normal invoice prices that will be paid
because the person approving the invoices is
involved in the scheme. The invoice approver
may have already been paid a bribe or it may
be that the vendor is just being used as a vehicle to transfer cash that will be eventually
paid back to the procurement officers.

Customary gifts, meals and entertainment

are considered acceptable in many countries.
Cultural differences make it sometimes difficult to decide what is the right thing to do.
Sales managers might be expected to bring
exclusive personal gifts that may be costly, or
pay for business dinners and late night entertainment. This situation can easily become a
slippery slope, making it difficult to prevent
payments that cross the line between permissible practices and bribery. When the enterprise is not aware about local customs, the
competition is fierce, or significant business
opportunities are involved, the enterprise
might feel pressure to accept the situation
and participate in practices that violate laws
or regulations in one or more jurisdictions.

Bid-rigging and price-fixing

During tender/proposal/bidding situations,
several vendors might join forces and compromise the tendering process by agreeing
on who will offer the lowest price in order to
win the project. In return, the other vendors
participating in the bid-rigging scheme will
offer the lowest price in tendering situations
for other projects.
This risk increases when there are only a
few suppliers that are able to deliver the service (i.e., an oligopoly in highly specialized
sector) or when the project is expensive and
the vendor must make a sizeable investment
to win the project (e.g., for large infrastructure projects).
D.3b Sales
The schemes mentioned under the Procurement section above could also apply to the
sales processes. In addition, some of the following corruption risks should be considered:

TIP: View The Unwelcome Gift or The Arrangement http://thefightagainstcorruption.unglobalcompact.org and http://www.unodc.org/ on the UNGC
website.

D.3c Import and export of goods

Payments for customs clearance or

transporting goods
When importing or exporting goods, government officials at the customs office might
solicit for a bribe (or help customers that
offer bribes first). Especially when there
is time pressure to speed up the clearance
(perishable goods, fines for late delivery, etc.)
the customs clearance official might exploit
the situation.

26

When transporting goods in certain

geographies, local officials or militias may
demand a fee to permit vehicles carrying
the enterprises goods or personnel to use a
particular route or to pass a checkpoint, even
if all official visas or permits are in order.
Such payments are common in many
countries, although they may be prohibited
by law or regulation for the payer to offer or
make or for the payee to request or receive.

companies, which are mandated by law to

provide such a service, may request bribes
over the regular government stipulated fee.
In addition, private third party security
companies may put an entity at risk if that
security company acts unethically or violates
corruption laws while acting on behalf of an
enterprise.
D.3g Social programs

TIP: View To Pay or not to Pay http://thefightagainstcorruption.unglobalcompact.org and http://

www.unodc.org/ on the UNGC website.

D.3d Government interaction

Doing business often involves government
interaction. Examples of interactions with
government entities or officials include having a government-owned client and a government-owned partner, dealing with customs
officials, and obtaining permits, visas, or licences (e.g., to form a legal entity; to conduct
business; to produce, import, transport, or
deliver certain goods and services; to build a
production facility or other premises; to own
or operate a vehicle; to hire local or foreign
staff; or to have the enterprises foreign staff
reside and work in-country, etc.).
When the permit, visa, or license is critical and an enterprise does not have alternatives, the risk of bribery, kickbacks, or extortion is common in certain locations.
D.3e Political support
In some countries, national or local government officials might ask for a voluntary
contribution to a political party once a
permit is given or a construction project is
granted. Although not necessarily illegal
under local laws, this could be interpreted as
an improper payment in violation of many
countries foreign bribery laws.
D.3f Security protocols
In certain countries, an enterprise might be
required to have in-country security for its
employees in response to security risks posed
in certain countries. The local police force
or government affiliated third party security

Other situations may arise where government officials pressure companies/contractors to assist with local infrastructure projects or social programs, which are directly
affiliated with certain politicians, political
parties, or their interests.
D.3h Charitable contributions and
sponsorships
Charitable contributions and sponsorship of
events and conferences may also pose risks
for funding bribes. Often times the enterprise does not realize the bribe. Contributions to charities that are actually linked to
corrupt activities or are clandestine money
laundering vehicles may potentially expose
an enterprise to violations of corruption laws
in certain countries. Sponsorship of conferences organized or attended by government
entities or officials may also potentially expose an enterprise to violations of corruption
laws in certain countries.
TIP: View The Strange Letter http://thefightagainstcorruption.unglobalcompact.org and http://www.
unodc.org/ on the UNGC website.

Below, we provide some principles, techniques, and practices that an enterprise can
use to identify risk factors, risks, and schemes:

D.4 Corruption Risks in Specific

Countries
When an enterprise is operating in numerous regions, its risk exposure could grow.
Some countries are known or perceived
to be more corrupt than others, and as a
consequence, the risk exposure varies. The
Corruption Perception Index (CPI) compiled
by Transparency International offers a good

27

starting point (see http://www.transparency.

org/research/cpi/overview) to assess an enterprises risk exposure.
The table in Appendix 6 includes several
sources for analysing the risk of corruption
by country.
The sources in the appendix identify the
corruption risk the enterprise faces across

the globe. If the enterprise conducts business in countries with a low CPI score, this
is a reason for extra care. By mapping the
significance of the operations (e.g., in terms
of revenues, employees, or offices) and the
CPI (or BPI) score, one could identify the most
vulnerable operations.

Sample summary of country risk factors for a hypothetical enterprise

Country

CPI Score

Revenues
(% of total)

# Offices

# Staff

Overall Risk
Exposure

Country A

95

2%

Low

Country B

94

10%

50

Low

Country C

88

5%

10

Low

Country D

78

30%

10

400

Low

Country E

71

20%

70

Low

Country F

43

10%

50

Medium

Country G

39

5%

10

Medium

Country H

36

10%

300

Very High

Country I

24

5%

High

Country J

19

3%

High

The table shows the enterprise operates in

different countries with different exposures
to corruption risk. Given the size of the revenues in country H and the low CPI score, the
corruption risk is higher. Both country J and
country A have a rather small contribution
to the overall revenues (2 and 3% respectively), yet the distinction between the CPI scores
is notable: Country J has a poor track record
when it comes to corruption. Note that the
enterprise does not have an office or people
in Country J, perhaps because it works with
agents or distributors there.

Bribe Payers Index

Since 1999, Transparency International has
been monitoring and ranking the worlds
wealthiest countries by the propensity of their
firms to bribe abroad, and looking at which
industrial sectors are the worst offenders. The
Bribe Payers Index is based on the views of
thousands of senior business executives from
developed and developing countries. Of the
28 wealthiest countries, the enterprises with
their headquarters in country A and country

C are perceived to bribe the least, whereas

enterprises from country H and country I
are most likely to offer bribes. See http://bpi.
transparency.org/bpi2011/ for the table on the
Bribe Payers Index.

D.5 Industry Risks

While some corruption risks may apply
across many or all industries, others may
be more industry-specific. As discussed in
Anti-Corruption Risk Assessment in section B, depending on the industry sectors in
which or with which the enterprise conducts
business, the likelihood of corruption risks
becoming actual incidents of corruption may
vary considerably.
The breakdown by industry of corruption cases as a percentage of all cases can
be found in the ACFEs 2012 Report to the
Nations on Occupational Fraud and Abuse
http://www.acfe.com/fraud-resources.aspx.
While this study is not intended to be a
statistically reliable survey and corruption

28

cases will typically form a smaller proportion of total fraud cases in the population
of all fraud cases, the variation in results
between industries for the same measure is
broadly consistent with the experience of
anti-corruption specialists.
TIP: When identifying industry specific corruption
risks for your sector (or the sectors your business
partners are active in), an analysis of media reports
could be considered. What major corruption schemes
have been discovered in the recent past in the sector?
Which parties were involved? Does your enterprise or
business partner have ties here as well? Etc.

D.6 Items to Include in a Risk Register

Each risk factor, risk, and scheme could be
documented individually in a risk register.
See below an example of documenting one
corruption risk that has three schemes associated with it in the risk register.

29

Location/ Region: Country A

Business Unit: Unit XYZ
Corruption Risk Factor

Local business climate

Corruption Risk

Bribery of a government official

to secure, retain or influence an
improper business decision

Corruption Scheme

a) Potential improper payments

to customs officials to facilitate
process related to importation
of goods or to clear the import of
goods that are illegal

Probability
Potential Impact
Inherent Risk
Anti-Corruption
Controls
Control Risk Rating
Residual Risk Rating

b) Potential improper payments to tax authorities

to secure the reduction or
elimination of tax liabilities

c) Potential improper payments to government officials

to secure a desired piece of
property or favourable lease
terms

30

E.
1. Establish
the process

Rating the Probability and Potential Impact of

Each Corruption Scheme
2. Identify the
risks

3. Rate the
inherent risk

4. Identify and
rate mitigating
controls

In order to allocate resources efficiently

and effectively to an enterprises identified
corruption risks and the associated schemes,
one good practice is to rate both the probability that each scheme might occur and
the corresponding potential impact of that
occurrence. The aim is to prioritize the
responses to these corruption risks in a logical format based on a combination of their
probability of occurrence and their potential
impact.
There is some subjectivity to the assessment of probability and potential impact and
the ratings will be influenced by the experience and backgrounds of the assessment team
members. On occasion, the assessment may
reflect a dominant viewpoint or a level of bias,
conscious or unconscious, which renders the
results not credible to an objective third party
or anti-corruption specialist. Intervention and
remediation may then be necessary. An objective facilitator can help to avoid investing
substantial time and effort in an assessment
without achieving valid results.

E.1 Rating Probability of Occurrence

The probability of each identified corruption
scheme should be assessed without consideration of the controls in place at the enterprise. In other words, picture the enterprise
where opportunities for perpetrating the corruption scheme are plentiful because of the
absence of a sufficient control environment.
With this backdrop, how likely is it that the
corruption scheme would be carried out?
Management should consider the probability
of the corruption scheme being perpetrated
by an individual or group of individuals
acting collusively. Under this framework,

5. Calculate
residual risk

6. Develop
action plan

it is recommended that the assessment of

probability be couched as the probability
of the event occurring within the next 12
months. This timeframe should be adjusted
as necessary to fit the characteristics of the
enterprises corruption risk management
objectives.
Some of the factors to consider when
estimating the probability of each corruption
scheme include:
The nature of the transaction or process
to which the scheme relates (e.g., whether
there is any interaction with government
officials);
Incidents of the corruption scheme occurring in the past at the enterprise;
Incidents of the corruption scheme in the
enterprises industry;
The local corruption culture and environment in the region where the scheme
would be perpetrated;
The number of individual transactions
related to the scheme;
The complexity of the scheme and the
level of knowledge and skill required for
execution;
The number of individuals needed to perpetrate the scheme; and
The number of individuals involved in
approving or reviewing the process or
transaction related to the scheme.
For enterprises with multiple locations and
operating units, the probability of each corruption scheme may vary among different
locations and operating units. For example,
bribery of a government official for customs
clearance may be more likely in certain
countries and less likely in others.

31

E.2 Rating Potential Impact of

Occurrence
The process of assessing the potential impact
of a corruption scheme is carried out in a
similar manner to the process for probability. The assessment team should evaluate the
magnitude of the potential impact for each
particular corruption scheme. Typically, this
consideration of potential impact covers a
wide range including financial, legal, regulatory, operational, and reputational damage.
Some of the factors to consider when
estimating the potential impact of each risk
or scheme include:
Impact of past incidents of the corruption
scheme at the enterprise, if any;
Impact of incidents of the corruption
scheme at other enterprises;
Potential amounts of fines or penalties;
The opportunity cost arising from regulatory restrictions on the enterprises ability
to operate or expand;
Impact on operations such as interruption in the enterprises ability to transport
goods or obtain permits or other required
approvals;
Potential impact on financial statements;
Impact on recruitment and retention of
employees;
Impact on retention of customers and
future revenues;
For enterprises with multiple locations or
operating units, the potential impact of each
scheme may vary among different locations and business units. For example, some
operating units at a commercial enterprise
may sell small value goods to individual
consumers that are bought from retail stores,
while another business unit may sell mostly
or entirely large value goods to institutions,
including governments.

E.3 Rating Methods

There are many different ways to rate and
communicate the probability or potential
impact of each corruption risk or scheme. A
simple qualitative scale could be used to judiciously classify each schemes probability or
potential impact as either (i) high, medium,
or low, or (ii) very high, high, medium, low,
and very low. Alternatively, a quantitative

scale, with scores applied judiciously to each

scheme, could be used. Examples of both
three-point and a five-point scoring matrices
are illustrated in Appendices 7 and 8.
Particularly in rating potential impact,
some enterprises prefer to define each category as a range of potential values; others
may use a set of definitions from standards
or guidance commonly used to quantify
other types of risk.
Certain enterprises, particularly those that
are larger and are able to allocate appropriate resources for this exercise, may prefer to
include more criteria for their scoring matrices. As an alternative to the above matrix,
another option may be to include definitions
of certain factors in order to provide more
structure to those assessing the ratings. In
rating probability, these could include percent
chance of occurrence, status of actual case(s)
of the scheme, and complexity of the scheme;
in rating potential impact, they could include
reputational impact, financial impact, regulatory impact, impact on customers, and impact
on employees. See Appendices 9 and 10 for
examples of these approaches.
As an additional option for larger enterprises, which may seek a more advanced
rating method, an enterprise can weigh certain of these factors more than others when
determining the overall score, such as in the
example in Appendix 11.

E.4 Calculation of Inherent Risk

Combining the probability and potential
impact assessments for each corruption
scheme results in an assessment of inherent
corruption risk. The inherent risk represents
the overall risk level of each scheme without
consideration to existing controls. It is these
areas where mitigating controls will likely
be most important in mitigating corruption
schemes.
There are many different ways to determine the inherent risk of each corruption
scheme. The inherent risk can be determined
qualitatively as a factor of the probability and potential impact assessments. For
example, a probability of high and potential
impact of low may result in an overall inherent risk of medium. An example of a qualitative scale for determining inherent risk is
included in Appendix 12.

32

A quantitative scale can also be used. As

an example of a simple quantitative scale,
refer to the scoring formats in Appendices
7 and 8, where each identified corruption
risk has a numeric probability score and
numeric potential impact score. The sum of
these two scores can be used to calculate an
inherent corruption risk score.
Corruption Risk Probability Score
+ Potential Corruption Risk Impact Score
Inherent Corruption Risk Score

A
B
C

Using the 15 quantitative scale in Appendices 7 and 8, an example of how inherent risk can be determined quantitatively is
included in Appendix 13.

E.5 Who Should Be Involved in

Inherent Risk Calculations?
One of the keys to an effective risk assessment process is to have the right individuals
scoring the probability and potential impact
of each corruption scheme. It is important to
involve only those individuals who are familiar with the transaction or process impacted
by each scheme, including process owners.
In cases where the views of more than one
individual are sought, an average of the score
could be taken. Involving multiple people
(each responsible for areas relevant to them)
can help to reduce the effect of individual
biases that could otherwise skew the results.
One of the roles of an anti-corruption
risk assessment owner or project manager
could be to assess the reasonableness of
the raw scores designated by the relevant
parties and make suggestions for questioning or re-evaluating any ratings that appear
questionable. Protocols for estimating the
ratings (including who should be involved)
and questioning or proposing any reevaluation of ratings should preferably be
determined up front as part of the overall
anti-corruption risk assessment policy and
procedure. This can help to avoid one or
more individuals inappropriately overriding
the judgments of people closest to the risks
in an attempt to produce a result that is
convenient rather than accurate.

E.6 When and How to Perform

Inherent Risk Calculations
The process to determine the level of inherent risk can be done at the same time as the
identification of risks and schemes discussed
in the previous section, or as a separate step.
Regardless, inherent risk ratings should be
discussed after all the risks and schemes
have been identified, so they will not hamper
the risk identification process.
There are several organizational approaches for assessing inherent risks. One is
to have workshops or group meetings, either
for the relevant functions or for individuals
who will be responsible for the preliminary ratings of probability and potential
impact for a group of risks and schemes.
During these sessions, participants can be
asked to rate each corruption scheme either
anonymously or openly. This may be done
by discussing each scheme to arrive at a
consensus rating, or by having each participant individually rate each scheme (either
openly or anonymously) and then calculating
the groups average score for each scheme.
Another approach is to use online surveys,
where participants are asked to provide a
rating for each risk via intranet or email. For
this option, a designated person should be
assigned to coordinate the survey and collate
the results. A third option is for the person
responsible for coordinating the risk assessment to meet with each participant, obtain
their scores and then calculate an average
inherent risk score for each scheme. A fourth
option is for the person responsible for the
risk assessment to make a preliminary assessment of the risk ratings themselves, and
then provide it to the relevant process owners and functions to review and amend if
necessary. One danger of this last approach is
that the initial scores provided may bias the
responses of participants and lead to a result
that is a reflection of one persons view.

E.7 Including Inherent Risk Ratings in

the Risk Register
The overall assigned probability, potential
impact, and inherent risk ratings for each
risk or scheme can be included in the risk
register as follows:

33

Location/ Region: Country A

Business Unit: Unit XYZ
Corruption Risk Factor

Local business climate

Corruption Risk

Bribery of a government
official to secure, retain or
influence an improper business
decision

Corruption Scheme

a) Potential improper payments to customs officials

to facilitate process related
to importation of goods or to
clear the import of goods that
are illegal

b) Potential improper payments to tax authorities

to secure the reduction or
elimination of tax liabilities

c) Potential improper
payments to government
officials to secure a desired piece of property or
favourable lease terms

Probability

Medium

Medium

Medium

Potential Impact

High

High

High

Inherent Risk

High

High

High

Anti-Corruption Controls
Control Risk Rating
Residual Risk Rating

34

F.
1. Establish
the process

Identifying Mitigating Actions, Controls, and

Processes
2. Identify the
risks

3. Rate the
inherent risk

4. Identify and
rate mitigating
controls

Anti-corruption controls are unique, as they

go far beyond the typical transaction-level
controls that are most frequently designed
to prevent financial errors. For purposes of
this discussion, all risk mitigating efforts,
activities, controls, and processes instituted
or taken by the enterprise are referred to as
anti-corruption risk mitigating controls.
Mapping controls and other mitigating
activities to each corrupt activity or scheme
is important because the controls should
be commensurate with the probability and
potential outcomes of misconduct. Once the
inherent risk is determined for each identified
scheme, the risk assessment can proceed with
identifying and cataloguing risk mitigating
controls and processes that are in place.
For many large, global enterprises, this is
often a multi-stakeholder, cross-functional,
and cross-border effort. While some controls
operate enterprise-wide as part of the overall
control environment, many others are
embedded in business processes owned by individual functions, including sales, procurement, and logistics, or by the management of
operating units associated with a particular
geographic area or business segment. Some
controls may be of a financial nature or
owned by the finance function (e.g., travel
expense report approval or vendor invoice
payment authorization); others may fall
under the legal or compliance domain (e.g.,
contract language and review processes,
whistleblower hotlines), while still others
may belong to HR (e.g., employee background
checks), or business leaders (e.g., tone from
the top.) Therefore, identifying and cataloging controls, just like identifying corruption
risk factors and schemes described earlier, is
likely to involve a number of people within
the enterprise.
For smaller or medium sized enterprises,
the identification of controls can typically
be centralized to a select few key busi-

5. Calculate
residual risk

6. Develop
action plan

ness process owners. For such enterprises,

the programmes and controls may not be
documented formally and as such it would
be important to identify the individuals and
functions knowledgeable about existing controls in this area. Also, certain practices such
as segregation of duties and formal written
policies and procedures may not exist at such
enterprises due to resource constraints. It is
even more important for such enterprises
to identify mitigation that is currently in
practice or practical in nature, even if not
documented or best in class, as part of this
exercise. As discussed earlier, for smaller
and medium sized enterprises, an established risk tolerance level would be key in
determining the cost or benefit of and need
for additional investment in anti-corruption
procedures and controls.
Information about relevant controls can
be obtained through a variety of means.
While the review of control and process
documentation is the key step, this is often
supplemented by interviews and targeted
surveys with those stakeholders who can
help identify the appropriate controls.
In addition, during this step the team or
individual leading the anti-corruption risk
assessment effort could also verify with the
business process owners whether the mitigating controls and programmes identified are
indeed functioning as per the policy and
process. This verification can sometimes
bring to light certain procedures that may
be part of a written policy but have not been
put into practice.
In developing a list of documents to look at
and a list of individuals to interview, as well
as specific questions to ask, it may be helpful
to understand a number of possible control
classifications. Here are the most common:
1. General (entity-level) vs. scheme specific
(process-level) controls; and
2. Preventative vs. detective controls.

35

F.1 Entity-Level vs. Scheme-Specific

Controls
In documenting its controls, an enterprise
should differentiate between scheme-specific
controls and general (entity-level) anticorruption controls. Identifying controls at
the scheme level rather than only at the risk
level is important, as different schemes tend
to have different mitigating controls. Keep
in mind that one scheme can have several
mitigating controls, while a single control
can work with more than one scheme. Although keeping the controls tightly mapped
to the most likely corruption schemes is a
practical, common sense approach, experience indicates that this tends to lead the risk
assessment down a fairly granular path. To
avoid failing to see the proverbial forest for
the trees, one should be mindful of the big
picture and should not overlook more general controls, or factors that have an overall
impact on the risk reduction. Such controls
are often high level and may not necessarily
be specific to a particular scheme, or may not
even appear directly related to the scheme,
but their presence is nevertheless an important factor in the overall risk reduction.
Therefore, an anti-corruption risk assessment
process that only considers scheme-specific
controls may not be adequately robust and
would likely be more detailed and timeconsuming to prepare than one that focused
first on entity-level controls and supplemented these with scheme-specific controls where
needed to mitigate risk to an acceptable
level. There is a degree of overlap between
general and scheme-specific controls, with
some general controls also appearing within
a certain scheme, usually with a variation or
specificity. Taking note of those controls that
may fall into both categories is important in
order to ensure that such controls are evaluated from all relevant angles. For a list of
typical entity-level anti-corruption controls,
see Appendix 14.
Scheme specific controls may, naturally,
vary depending on the specific scheme and
other factors, such as geography of operation, the nature of products and/or services,
the types of customers and the business
model in question, the workforce composition, and the nature of other third parties
(such as intermediaries) involved, if any. See
Appendix 14 for examples of scheme-specific
controls.

F.2 Preventative vs. Detective Controls

While cataloguing the risk mitigating controls, it may be helpful to keep in mind the
purpose of such controls. Not all misconduct
is intentional. Some can be the result of
negligence or the lack of awareness. In such
situations, preventative controls, such as
clear policies, training, and communication,
play a key role in effective mitigation. On
the other hand, intentional misconduct is designed to evade detection. Preventative controls are important and generally effective
in preventing some potential acts of bribery,
particularly those that are of relatively small
scale or result from a lack of awareness, such
as those that fall into the grey area of excessive hospitality without an explicit corrupt
intent. However, preventative controls may
not be sufficient to discourage or deter a potential willful perpetratorand as the name
suggests, they are not generally designed to
function as detective controls.
While experience shows that the presence
of a strong body of preventative controls,
including strong ethical culture and compliance environment at the enterprise, are likely
to somewhat discourage willful perpetrators
from trying, even the most ethical enterprises
have the occasional case of a die-hard rotten
apple who will attempt to evade the system.
This is where detective controls come in. The
purpose of detective controls is to help detect
the wrongdoing, ideally at an early stage.
Detective controls and procedures desirably
include some that a perpetrator may not be
aware of, or may not reasonably expect. To
have a good corruption detection system,
identification of such controls requires a degree of strategic reasoning to anticipate the
behaviour of a potential perpetrator. Strategic
reasoning requires a skeptical mindset and
involves asking questions such as:
How might a perpetrator exploit weaknesses in the system of controls?
How could a perpetrator override or circumvent controls?
What could a perpetrator do to conceal
[a corrupt act]?17
Most identified controls can be labeled as
either preventative or detective, though some
may serve dual purposes. Cataloguing controls from this perspective will not only help
determine whether any potential gaps would
be better served by preventative or detective

36

controls, but will also help calibrate the risk

mitigation strategy and response plan in line
with the nature of actual or potential expected corruption misconduct. See Appendix
14 for examples of preventative and detective
anti-corruption controls.
Communicating information on some (but
not all) detective controls and communicating select anonymous information on enforcement or disciplinary actions to a broad
employee base (for larger enterprises) can
enhance their deterrent effect. Detective controls and procedures should desirably include
some that a perpetrator may not be aware
of or may not reasonably expect, which may
increase their effectiveness in detecting corruption. Therefore, some detective controls
should be known only to small group of
people within the enterprise (e.g., internal
audit) to minimize the risk of control evasion
by a willful perpetrator.
Small or medium sized enterprises may
not have the resources to implement some
of the above mentioned controls. For such
enterprises, one strategy could be to invest
in either a preventative or detective control
for its high inherent risk areas. The choice of
control would be done on a case by case basis
depending on available resources, potential
cost and risk levelin some instances, it may
be more practical to have only a detective
control and no preventative control for a corruption risk and vice versa.

F.3 Anti-Corruption Control Mapping

Frameworks
Anti-corruption risk assessment practitioners have a wide choice of frameworks that
can be used to catalogue and classify controls and other risk mitigating efforts. The
following six are the most commonly used:
1. The twelve elements of an effective anticorruption compliance programme from
the OECDs Good Practice Guidance on Internal Controls, Ethics, and Compliance;
2. The six principles of the UK Ministry of
Justices Guidance on the Bribery Act 2010;
3. The seven hallmarks for an effective compliance programme, as promulgated by the

U.S. Federal Sentencing Guidelines (FSG);

4. Thirteen steps in a corporate compliance
programme for FCPA, as set out by the
U.S. Department of Justice with regards to
multiple deferred prosecution agreement
and non-prosecution agreements;
5. The Business Principles for Countering
Bribery issued by Transparency International; and
6. UNODCs An Anti-Corruption Ethics and
Compliance Programme for Business: A
Practical Guide.
When identifying your anti-corruption risk
mitigation controls and processes, it may
be useful to start with general controls and
then narrow down to specific schemes. Using
the framework of the U.S. FSG hallmarks,
the inventory of general controls (entity-level
controls or control families) includes:
1. Programme structure and resources:
a formal anti-corruption compliance
programme, with defined structure,
ownership, authority, plan of activities,
and budget.
2. Programme oversight: reporting relationships and programme oversight by
relevant internal authorities.
3. Written standards: a code of conduct
and relevant policies.
4. Due care processes: employee background checks and third party initial due
diligence, segregation of duties, limits of
authority, contract review and approval
(vendors, customers), and compliance
provisions in third party contracts.
5. Training and communication: formal
training programs, periodic communication to the employees, availability of
guidance and resources to the employing,
and visible manager commitment (tone
from the top and the middle).
6. Monitoring and auditing: a whistleblower
system (hotline and other channels), an articulated non-retaliation position, gift and
entertainment tracking, expense approval
and reimbursement process, risk tier system, third party ongoing monitoring and
audit systems, corporate transaction and
expenditures audit, employee and vendor
performance evaluations, employee exit in-

17. T. Jeffrey Wilks and M.F. Zimbelman, Using Game Theory and Strategic Reasoning Concepts to Prevent and Detect Fraud, Accounting Horizons, Volume 18, No. 3 (September 2004). Quoted from Managing the Business Risks of Fraud: A Practical Guide, The Institute of
Internal Auditors et al.

37

terviews, culture of ethics and compliance

assessment or survey, and anti-corruption
programme periodic assessment.
7. Enforcement: misconduct investigation
and case management process, disciplinary process and communication, and
ethics and compliance incentives.

While entity-level controls are most suited

for classification according to one of the
above frameworks, most of the scheme-specific controls can also be tagged accordingly.

F.4 Including Mitigating Controls in the Risk Register

The mitigating controls for each risk or scheme can be included in the risk register as follows:
Location/ Region: Country A
Business Unit: Unit XYZ
Corruption Risk
Factor

Local business climate

Corruption Risk

Bribery of a government official to

secure, retain or influence an improper
business decision

Corruption
Scheme

a) Potential improper payments to

customs officials to facilitate process
related to importation of goods or
to clear the import of goods that are
illegal

b) Potential improper payments to

tax authorities to secure the reduction or elimination of tax liabilities

c) Potential improper payments to government officials to secure a desired

piece of property or favourable lease
terms

Probability

Medium

Medium

Medium

Potential Impact

High

High

High

Inherent Risk

High

High

High

Anti-Corruption
Controls

Global Anti-Corruption Policy and

Procedures including specific content on payments to customs

Global Anti-Corruption Policy

and Procedures including specific
content on payments to tax authorities

Global Anti-Corruption Policy

and Procedures including specific
content on payments to government
officials for property leases

Anti-corruption training for employees that is tailored for select regions

and key functions
Global whistleblower hotline
Annual anti-corruption audits on
payments to custom officials in
select regions/countries

Anti-corruption training for employees that is tailored for select

regions and key functions
Global whistleblower hotline
Annual anti-corruption audits on
payments to tax authorities

Anti-corruption training for employees that is tailored for select regions

and key functions
Global whistleblower hotline
Annual anti-corruption audits on
interaction/transactions with government officials to secure property
lease

Control Risk
Rating
Residual Risk
Rating

Once all the existing controls have been identified, categorized, and appropriately labeled and
cross referenced, the risk assessment process is ready to proceed to its next step: the control
risk rating.

38

G.
1. Establish
the process

Rating Mitigating Controls and Processes

2. Identify the
risks

3. Rate the
inherent risk

4. Identify and
rate mitigating
controls

Rating an enterprises risk mitigation

controls can be instrumental in determining residual risks. Before the control rating
can begin, enterprises must think about the
desired depth of the exercise, the criteria
used, the rating scale, and the data gathering
mechanisms available (e.g., surveys, interviews, document evaluation, etc.).
There are many different ways to rate and
communicate the effectiveness of mitigating controls. A simple qualitative scale could
be used to classify each set of controls that
mitigate a risk or scheme judgmentally as
either (i) effective/low risk, partially effective/medium risk or ineffective/low risk, or
(ii) very effective/very low risk, effective/low
risk, partially effective/medium risk, somewhat effective/high risk and ineffective/ very
high risk. Alternatively, a quantitative scale
with scores applied judgmentally to each
scheme could be used. Appendix 15 includes
an example of what the ratings criteria may
look like.
The end result of the control assessment
is typically a scorecard, where each control
is shown with a qualitative or numerical
quality score and underlying commentary.
Enterprises can use any rating scale deemed
reasonable, but a three-point scale is generally adequate.
The control assessment criteria can vary
greatly depending on the controls in questions, the desired level of depth for the assessment, and the experience of the anti-corruption risk assessment personnel. While some
controls may have just a few criteria used as
a basis for rating, it is not unusual to have as
many as several dozen distinct assessment
criteria per major control in a sophisticated,
in-depth assessment. Higher-level assessments
may well scale down the level of detail.

5. Calculate
residual risk

6. Develop
action plan

Appendix 16 includes samples of what a

very detailed ratings criteria may look like
for large, global enterprises in a comprehensive assessment of three areas: employee
anti-corruption training and communication; gifts, hospitality, and entertainment
tracking; and an anti-corruption policy.
Any type of scoring invites questions of
accuracy and objectivity. Detailed, fact-based
(rather than merely perception) criteria increases both. Using multiple types of sources
of information in the rating process also
helps to achieve greater accuracy and objectivity, as well as validating some of the data
and scores, particularly those with a qualitative or subjectivity bias. While the control
risk rating typically relies on the judgment
of individuals involved in the rating, for
enterprises that have performed independent
testing or auditing of anti-corruption controls, the results would have a strong bearing
on the control risk rating assigned (e.g., if the
test results reveal that a control is working
effectively, it would typically be given an effective or low control risk rating).
One approach to performing the rating
is for process owners to judiciously assign
a score based on qualitative considerations
(and this is an approach that most small or
medium sized enterprises would use). However, a more comprehensive approach could be
used in determining the control risk ratings
in the interest of adopting more structure,
objectivity, and accuracy to the process. Examples of sources and related data collection
mechanisms for the more comprehensive
approach are listed below.

39

G.1 Internal Document Review and

Evaluation
A great starting point and the source of data
for many control rating related questions. For
certain controls, the documents may include:
Forms and business process documentation (e.g., expense report form and approval process, third party due diligence
process and related forms);
Written standards;
Organizational charts;
Contract templates and samples;
Gift and entertainment tracking tool documentation;
Prior employee survey results;
Whistleblower statistics and misconduct
investigation case files;
Exit interview notes; and/ or
Internal, and external audit reports.

G.2 Live Interviews

Often used to supplement and validate data
received through documentation review,
live interviews can be an effective method of
obtaining additional, more detailed qualitative insight where the documents may not
provide a complete picture. When an enterprise lacks documentation, or has difficulty
obtaining or translating information, the
role of interviews will exponentially increase. The interview audience is usually the
key business process owners with knowledge
of the process and controls for the applicable area. These interviews can be either
combined with the interviews to identify
risks in step 2 of the process or can be done
separately.

G.3 Compliance and Control

Environment Surveys
If the number of people listed for live interviews is too large to handle and/or includes
a number of homogenous individuals (e.g.,
identical functions or roles in different
regions), enabling a degree of uniformity for
many questions, targeted online surveys can
be an effective alternative to at least some
live interviews and a good complement to a
mass employee survey (culture and knowledge assessment) and document evaluation.

This type of survey is usually a compliance and control environment assessment

given to key stakeholders in the anti-corruption programme, senior management,
and third parties. Such surveys are fairly
customized for the target audience in question and typically include a mix of multiple
choice and open-ended questions. The survey
typically asks the respondents opinion
about particular controls, processes, and risk
mitigation initiatives, and may or may not be
anonymous.
While a mass employee survey (either a
culture and knowledge assessment or a dedicated anti-corruption employee survey) for a
large enterprise can easily go to thousands or
even tens of thousands of respondents, compliance and control environment surveys
rarely exceed several hundred people even
for a large enterprise, and are often targeted
to less than a hundred respondents, usually
at a fairly senior level or in key positions.

G.4 Focus Groups and Workshops

Focus groups and workshops can be an
effective tool for conducting a thorough
examination into a particular topic or an issue for a control or process. Often prompted
by significant red flags or risk exposure in a
given market or region, this method of data
collection is often conducted in-situ with a
small audience of 510 people, either from a
single function (e.g., sales) or cross functionally in a given market (e.g., a country). Other
versions are single function (usually senior
level) globally, for example at a global compliance internal conference, or global sales
meeting. These focus groups and workshops
could be combined with those tasked with
performing risk identification and/or inherent risk ratings.

G.5 Who Should Be Involved in

Control Risk Rating Calculations?
It is important to involve only those individuals who are familiar with the control or process being rated, including process owners.
The views of more than one individual could
be sought for certain controls, in which case
an average of the score could be taken.

40

One of the roles of an anti-corruption risk

assessment owner or project manager could
be to assess whether the raw scores designated by the relevant parties are reasonable and
make suggestions for questioning or re-evaluating any ratings that appear questionable.
As in calculating the inherent risk, protocols
for estimating and questioning the ratings
should be determined up front, due to the
same concerns for arriving at a result that
accurately represents the enterprise.

G.6 Inclusion of Control Risk Rating in

Risk Register
The overall assigned control risk ratings for
each risk or scheme can be included in the
risk register as follows:

41

Location/ Region: Country A

Business Unit: Unit XYZ
Corruption Risk Factor

Local business climate

Corruption Risk

Bribery of a government official

to secure, retain or influence an
improper business decision

Corruption Scheme

a) Potential improper payments

to customs officials to facilitate
process related to importation
of goods or to clear the import of
goods that are illegal

b) Potential improper payments to tax authorities

to secure the reduction or
elimination of tax liabilities

c) Potential improper payments to government officials

to secure a desired piece of
property or favourable lease
terms

Probability

Medium

Medium

Medium

Potential Impact

High

High

High

Inherent Risk

High

High

High

Anti-Corruption
Controls

Global Anti-Corruption Policy

and Procedures including specific content on payments to
customs

Global Anti-Corruption
Policy and Procedures
including specific content on payments to tax
authorities

Global Anti-Corruption
Policy and Procedures
including specific content on
payments to government officials for property leases

Anti-corruption training
for employees that is
tailored for select regions and key functions

Anti-corruption training for

employees that is tailored
for select regions and key
functions

Global whistleblower
hotline

Global whistleblower
hotline

Annual anti-corruption
audits on payments to
tax authorities

Annual anti-corruption
audits on interaction/transactions with government
officials to secure property
lease

Effective

Effective

Anti-corruption training for

employees that is tailored for
select regions and key functions
Global whistleblower hotline
Annual anti-corruption audits on
payments to custom officials in
select regions/countries

Control Risk Rating

Residual Risk Rating

Effective

42

H.
1. Establish
the process

Calculating Residual Risk

2. Identify the
risks

3. Rate the
inherent risk

4. Identify and
rate mitigating
controls

After rating the internal controls that reduce

the risk of each corruption scheme, the next
step is to determine the level of residual risk.
Residual risk is the extent of risk remaining
after considering the risk reduction impact
of controls. Residual risk is a factor of the
inherent risk and control risk.
In spite of anti-corruption programmes
and their internal controls for mitigating
the risk of corruption schemes occurring,
it is usually still possible for such schemes
to occur. As a result, there will normally be
some level of residual risk for each corruption
scheme. A residual risk of zero is theoretically
possible for a particular corruption scheme,
but this would normally arise only if that
scheme were not relevant to the enterprises
operations, such as because it did not conduct
business in a particular country, in a particular industry, or in a particular way. The extent
to which the risk of a corruption scheme is
mitigated by internal controls depends upon
how well the controls are designed, implemented, and operating to effectively reduce
the risk of that particular corruption scheme.
Controls that are well designed to mitigate
risks arising from one or multiple corruption
schemes, that have been implemented appropriately, and which are operating effectively
in practice, may greatly reduce the risk arising from a particular corruption scheme.
The approach selected to determine the
residual risk of each corruption scheme
depends on the approach used to determine
inherent risk and the controls ratings. If a
qualitative scale, such as high/medium/low,
is used for the inherent risk and controls risk
ratings, then a similar scale can readily be
used for rating residual risk. For example, if
a scheme is rated as having a high inherent
risk and no effective controls were identified

5. Calculate
residual risk

6. Develop
action plan

to mitigate the risk arising from the scheme,

then the control risk rating would also be
high and the residual risk would remain
as high. On the other hand, should strong
controls be identified to mitigate the high
inherent risk scheme, the control risk would
be low and the residual risk would likely
then be determined to be low. The table in
Appendix 17 illustrates one example of such
a qualitative scale.
If a quantitative scale is used to determine
inherent risk and the control risk ratings,
then residual risk could be calculated as
inherent risk plus control risk or inherent risk
multiplied by control risk. Score ranges would
need to be assigned to determine whether the
residual risk is low, medium, or high.
The residual risk ratings will provide
management with an assessment of where
its greatest exposure to corruption risks may
exist. A high residual risk rating would mean
that a high-rated inherent corruption risk
is not substantially mitigated by controls,
leaving a residual risk that could seriously
impact the enterprise. A medium residual
risk would mean that either the corruption
scheme is inherently high risk and partially
mitigated by controls or inherently medium
risk and not substantially or not at all mitigated by controls. A low residual risk would
mean that either the corruption scheme is
inherently a low rated risk or is substantially
mitigated by controls.
Due to resource or cost concerns, certain enterprises may choose not to include
the calculation of residual risk explicitly
in their anti-corruption risk assessment
process. While not the optimum approach,
an anti-corruption risk assessment could
be performed with only a determination of
inherent risk along with identification of

43

mitigating controls. However, since management would still have to consider whether it
believed its corruption risks to have been adequately mitigated, they may still be making
implicit judgments about the level of residual
risk. An explicit assessment of residual risk
is more transparent and provides a working
tool that greatly facilitates open and candid
discussion between management and other
stakeholders such as those charged with gov-

ernance regarding the enterprises exposure

to corruption risks.

H.1 Including Residual Risk in the Risk

Register
The overall assigned residual risk for each
risk or scheme can be included in the risk
register as follows:

Location/ Region: Country A

Business Unit: Unit XYZ
Corruption Risk Factor

Local business climate

Corruption Risk

Bribery of a government
official to secure, retain or
influence an improper business
decision

Corruption Scheme

a) Potential improper payments to customs officials

to facilitate process related
to importation of goods or to
clear the import of goods that
are illegal

b) Potential improper payments to tax authorities to

secure the reduction or elimination of tax liabilities

c) Potential improper payments to government officials

to secure a desired piece of
property or favourable lease
terms

Probability

Medium

Medium

Medium

Potential Impact

High

High

High

Inherent Risk

High

High

High

Anti-Corruption
Controls

Global Anti-Corruption
Policy and Procedures
including specific content on
payments to customs

Global Anti-Corruption
Policy and Procedures
including specific content on
payments to tax authorities

Anti-corruption training for

employees that is tailored
for select regions and key
functions

Anti-corruption training for

employees that is tailored
for select regions and key
functions

Global Anti-Corruption
Policy and Procedures
including specific content on
payments to government officials for property leases

Global whistleblower
hotline

Global whistleblower
hotline

Annual anti-corruption audits on payments to custom

officials in select regions/
countries

Annual anti-corruption
audits on payments to tax
authorities

Control Risk Rating

Effective

Effective

Effective

Residual Risk Rating

Low

Low

Low

Anti-corruption training for

employees that is tailored
for select regions and key
functions
Global whistleblower
hotline
Annual anti-corruption
audits on interaction/transactions with government
officials to secure property
lease

44

I.
1. Establish
the process

Corruption Risk Response Plans

2. Identify the
risks

3. Rate the
inherent risk

4. Identify and
rate mitigating
controls

I.1 Comparison of Residual Risk to

Risk Tolerance
The residual risk of each corruption scheme
can be evaluated by an enterprise to determine whether a corruption risk response is
needed and, if so, the desired elements of
that plan. A key determinant of the response
plan is the enterprises level of risk tolerance
or risk appetite, which will vary depending
on the enterprise.
No further risk mitigation is required for
any corruption scheme that has a residual
risk within the risk tolerance set by management and approved by those charged with
governance. Management may choose to
implement additional risk mitigation if it
believes the cost-benefit can be an advantage,
but it is not essential.
For any corruption scheme that has a
residual risk greater than the risk tolerance
set by management and approved by those
charged with governance, action is necessary
to reduce the risk until it is within the risk
tolerance threshold. For these items, a corruption risk response plan is needed.

I.2 Potential Responses to Residual

Risks That Exceed Risk Tolerance
Historically, the most common response
to residual corruption risks was to implement enhancements to internal controls to
increase corruption risk mitigation. Leading
enterprises consider a broader range of potential actions to address residual corruption
risk, including:
Changing the scope of the enterprises
business, such as avoiding or stopping the
conducting of business in certain geographies, industry segments or markets

5. Calculate
residual risk

6. Develop
action plan

because the risk is considered impossible

to mitigate sufficiently and reliably.
Changing business processes or methods
so as to reduce or eliminate the area of
risk, such as switching from selling goods
CIF (cost, insurance, and freight) to Ex
Works, meaning that the buyer would
take ownership of the goods at the sellers
place of business and would be responsible
for transportation costs and for customs
clearance for international shipments.
This arrangement may eliminate the
sellers risks relating to potential bribery
of foreign government officials to obtain
customs clearance at the destination port.
Transferring risks to a third party through
contract terms.
Enhancing certain anti-corruption controls.
Proposing to those charged with governance an increase in the enterprises risk
tolerance sufficient to eliminate the need
for further action, if the business conditions and enforcement threat could reasonably justify a change.

I.3 Corruption Risk Response Plan

It should be noted that not all enterprises
have the same resources and funds at their
disposal to invest at an equal level in the
anti-corruption compliance programme.
Some enterprises may only want to address
programmes and controls for what they
deem to be the most significant exposure areas, while others may want to address more
the interest of maintaining a best in class
or most robust anti-corruption compliance
programme. While the need for a response
should be evaluated based on the enterprises
risk tolerance and resource constraints, both
of which will vary from one enterprise to an-

45

other, some approaches are often observed:

Corruption schemes that have a residual
risk of high typically exceed the enterprises tolerance for residual risk and are
likely to be earmarked for attention, as
this rating indicates a level of risk that
may pose a serious or potentially catastrophic threat to the enterprise.
Schemes that have residual risk of medium may or may not exceed the enterprises tolerance for residual risk so action
may or may not be required. Management
could analyse the inherent risk rating and
control risk rating to assess the sources of
risk and consider the feasibility of additional risk mitigation in determining
whether to take further action.
For corruption schemes that have a residual risk of low, an enterprise would
typically take no further action.
Some enterprises may choose to have a
response for high residual risk areas and
decide to take no action for medium or
low residual risk areas as part of the risk
tolerance strategy. Others may prioritize actions, with those addressing high residual
risk areas as the highest priority, followed
by medium and low residual risk areas.
In such cases, actions may be taken based on
the time and resources available, as well as
managements judgment.
For small and medium sized enterprises,
the corruption risk response plan is an
important tool to determine whether any
investment of resources is needed to mitigate
corruption risks and if so, then which areas
to allocate resources. Such enterprises can
use this response plan to determine which
of the various anti-corruption programme
elements (e.g., dedicated policies, training,
monitoring, etc.) do they need to implement
or enhance based on the risks. Smaller and
medium sized enterprises typically do not
have enough risk exposure to warrant robust
policies and controls in every anti-corruption
programme element and the results of the
anti-corruption risk assessment can be a
valuable tool for such enterprises to determine which, if any, of these elements they
want to implement or enhance.
An example of an approach to determining the corruption risk response plan is
illustrated in Appendix 18.

I.4 Content of Response Plan

Input on items proposed for inclusion in the
corruption risk response plan should come
from across the enterprise, including the
opinions of those functions and individuals responsible for implementing the action
items and those impacted by the potential
action items. It is important for the corruption risk response plan to be pragmatic
and selective, as there are endless internal
controls that could be put in place at every
enterprise. A good corruption risk response
plan will be selective and targeted based on a
structured, practical approach that efficiently and effectively reduces residual risks to
within the enterprises risk tolerance. Once
a risk response plan is drafted, it is typically
approved by the management responsible
for the anti-corruption risk assessment, with
oversight by those charged with governance.
Some of the features of a response plan
may include:
Description of each action item;
Implementation responsibility for each
action item;
Implementation timetable. While each
item is typically addressed within a twelve
month period (and some quite rapidly),
there could be situations where an enterprise chooses to implement certain corruption risk response plan items in the first
year with the remainder completed subsequently based on a prioritization scale. For
medium to longer-term timelines, select
milestones can be included in the corruption risk response plan.
Estimate of resources need to address each
action item, such as number of individuals, hours and budget.
It is desirable for one individual to be responsible for coordinating implementation
of the corruption risk response plan and for
reporting back to management and potentially those charged with governance. Implementation should be regularly monitored by
management with any necessary or appropriate amendments made by management and
approved by those charged with governance.

46

I.5 Leadership Buy-In

A critical issue for successful implementation of the corruption risk response plan is
usually the buy-in of senior executives, the
board of directors, the audit committee, or
others charged with governance. Without
such high-level support, implementation of
the response plan may stagnate as certain
functions or individuals may not provide the
requisite importance and attention to the
items in the response plan.

In addition, it would be beneficial for the

owner of the anti-corruption risk assessment
to articulate to the various stakeholders
involved why implementing the steps in the
response plan may benefit them both individually and as a group. One strategy is to
link the progress in completing the response
plan items with individuals and functions
goals and performance evaluation. Another
strategy is to involve the various stakeholders early in the anti-corruption risk assessment process and not wait until the response
plan needs to be implemented.

47

48

J.

Summarizing and Reporting the Results of an

Anti-Corruption Risk Assessment

J.1 Heat Maps

Anti-corruption risk assessments are often
documented using detailed spreadsheets or database templates such as a risk register. These
are convenient for recording information
related to many risks, but their output may
be voluminous, very detailed, and in small
printall factors that may make such reports
ineffective for communicating summary
results to management and those charged
with governance. A simpler way is needed to
summarize the most important information
on one sheet of paper and communicate it in a
manner that is quickly and easily understood.
Heat maps can effectively summarize the
results of the anti-corruption risk assessment
and present them in an impactful manner
to management and those charged with
governance. A corruption risk heat map shows
corruption risks identified by the enterprise,
placed according to their probability and
Figure D: Simple Heat Map Background

PROBABLE IMPACT

High

Medium

Low

Remote

Possible

Probable

PROBABILITY

A: Bribery of tax authorities

B: Bribery to obtain retail permits
C: Vendor bid-rigging
D: Kickbacks for sales orders

potential impact, on a background of multiple

colours, which represent different overall
levels of risk. Simple heat maps typically
have sections that are red, yellow, or green,
denoting high-risk, medium-risk, and lowrisk, respectively. More complex heat maps
use multiple shades of each colour to show
subtle variations of overall risk score. These
may better represent variations in individual
risk scores, but the simpler heat maps may be
quicker and easier for executives to comprehend. This may allow executives to spend less
time understanding the data and more time
in thoughtful discussion of key risk issues.
Heat maps can be used both to illustrate
a consolidated enterprise-wide view and to
illustrate views by location, business unit, or
function.
Figure D shows an example of a simple
heat map background before individual corruption risks are added.
To compile a simple heat map from a larger volume of data, an enterprise can group
particular corruption schemes to establish
one broad category score or rating for both
inherent risk and control risk. For example,
one corruption risk area may have several
schemes associated with it, and each scheme
may have different inherent risk and control
risk quantitative scores. In order to arrive at
one quantitative score each for inherent risk
and control risk, an enterprise can take the
average of the inherent risk and residual risk
scores of all the schemes for that risk. Alternatively, for a qualitative scale, an enterprise
can judiciously assign an overall inherent
risk and control risk rating for a risk with
several schemes that have different inherent
risk and control risk ratings, based on the
count of how many of the schemes are rated
High, Medium, or Low.
In an alternative and more holistic view,
one axis would denote inherent risk ratings
and the other axis would denote control risk
ratings. Each risk or scheme would be plotted
based on its inherent risk and control risk
rating or score. This view allows an enterprise
to view how each inherent risk is rated with
respect to the effectiveness of its mitigating

49

controls. Under the traditional model discussed previously, management is often biased
towards mitigating high-impact, high-likelihood events. However, if a risk is relevant to
the enterprise and is extremely high impact, it
should be addressed, regardless of probability.
It can therefore help highlight unlikely but
potentially devastating risks that senior management and those charged with governance
should focus on (so-called Black Swan events).
See Figure E for a sample of such a heat map.
As with all other aspects of the risk assessment process, the choice and design of
heat maps are also more effective if they are
built in consultation with different layers of
management and relevant stakeholders from
different functions, location, and business
units as applicable. Another important consideration is that the risks that the enterprise
is exposed to changes over time and so it is
important to update the heat maps on a periodic basis to understand the most pertinent
issues at that time.

J.2 Preparing a Summary Report

The anti-corruption risk assessment process
involves a variety of stakeholders in varying
levels of engagement to produce the final assessment. Similarly, users of the final assessment have different Control Risk High Low
High Inherent Risk interests and needs for the
results. While some personnel may be highly
interested in the granular detail of the assessment, senior executives and those charged
with governance may benefit from a summary
report. The summary would set out concisely
the procedures followed, key risks identified,
key mitigating controls, control gaps identified, and the responses planned to address
residual risks in a prioritized manner. This
summary report should stand on its own, but
may also aid the reader in navigating to more
granular information in other documentation.
To achieve these objectives, one recommended format of the summary report
would include the following sections:
Executive Summary;
Statement of Purpose and Objectives;
Summary of the Assessment Scope and
Risk Tolerance Level;
Summary of Approach and Work Steps;
Summary List of Stakeholders and Participants;
Key Corruption Risk Areas Identified;

Figure E:
High

Inherent
Risk Rating

A: Bribery of tax
authorities
B: Bribery to obtain
retail permits
C: Vendor bid-rigging
D: Kickbacks for sales
orders

Low
Low

Control Risk
Rating

Key Mitigating Controls;

Control Gaps Identified;
Response Plan;
Acknowledgements (thanking participants,
advisors, and other contributors); and
Appendices.
An executive summary, which should be no
longer than 12 pages, could include the
key risk areas, key controls, and key items
from the response plan. In addition, consider
including key statistics (e.g., the total percentage of high vs. medium vs. low inherent and
residual risks), overall observations, locations
and business units covered by the assessment.
Consider including selected summary
charts and graphics (such as heat maps) that
can be extracted from the detailed anti-corruption risk assessment, such as:
Highest inherent risk areas;
Highest residual risk areas;
High inherent risk areas that have low
residual risks;
Summary of controls that mitigate high
inherent risk areas;
Results illustrated by process, business
unit, or location;
Significance versus likelihood charts;
Inherent risk versus control risk rating
charts;
Inherent risk versus residual risk rating
charts.
Please see sample content of an anti-corruption summary report in Appendix 19.

High

50

Appendices Index

Number

Topic

Page No.

Appendix 1

UK Ministry of Justice Guidance to the Bribery Act

51

Appendix 2

Sample Sensitive Country Analysis Tool

52

Appendix 3

Sample Anti-Corruption Risk Assessment Interview

and Survey Topics

53

Appendix 4

Corruption Red Flags

54

Appendix 5

RESIST Methodology: Scenarios

55

Appendix 6

Sources for Analysing the Risk of Corruption by Country

56

Appendix 7

Sample Probability Scoring Matrix

57

Appendix 8

Sample Potential Impact Scoring Matrix

57

Appendix 9

Sample Multi-Factor Probability Scoring Matrix

58

Appendix 10

Sample Multi-Factor Potential Impact Scoring Matrix

59

Appendix 11

Sample Weighted Average Potential Impact and

Probability Rating Methods

60

Appendix 12

Sample Qualitative Scale for Determining Inherent Risk

60

Appendix 13

Sample Quantitative Approach to Assessing Inherent

Risk

61

Appendix 14

Examples of Anti-Corruption Controls

61

Appendix 15

Sample Scoring Matrix for Control Rating

63

Appendix 16

Sample Detailed Ratings Criteria for Control Rating

64

Appendix 17

Sample Qualitative Scale for Determining Residual Risk

70

Appendix 18

Sample Approach to Determining the Corruption Risk

Response Plan

71

Appendix 19

Sample Anti-Corruption Risk Assessment Summary

Report

72

51

Appendix 1. UK Ministry of Justice Guidance to the Bribery Act

Principle 3, Risk Assessment
The commercial organization assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is
periodic, informed and documented.

Commentary
3.1 For many commercial organizations, this principle will manifest itself as part of a more
general risk assessment carried out in relation to business objectives. For others, its application may produce a more specific stand-alone bribery risk assessment. The purpose of this
principle is to promote the adoption of risk assessment procedures that are proportionate to
the organizations size and structure and to the nature, scale and location of its activities. But
whatever approach is adopted the fuller the understanding of the bribery risks an organization faces the more effective its efforts to prevent bribery are likely to be.
3.2 Some aspects of risk assessment involve procedures that fall within the generally accepted
meaning of the term due diligence. The role of due diligence as a risk mitigation tool is separately dealt with under Principle 4.

Procedures
3.3 Risk assessment procedures that enable the commercial organization accurately to identify and prioritize the risks it faces will, whatever its size, activities, customers or markets,
usually reflect a few basic characteristics. These are:
Oversight of the risk assessment by top-level management.
Appropriate resourcingthis should reflect the scale of the organizations business and the
need to identify and prioritize all relevant risks.
Identification of the internal and external information sources that will enable risk to be
assessed and reviewed.
Due diligence enquiries (see Principle 4).
Accurate and appropriate documentation of the risk assessment and its conclusions.
3.4 As a commercial organizations business evolves it is more susceptible to bribery risks and
hence it needs to increases its risk assessment. For example, the risk assessment that applies to a
commercial organizations domestic operations might not apply when it enters a new market in
a part of the world in which it has not done business before (see Principle 6 for more on this).

Commonly encountered risks

3.5 Commonly encountered external risks can be categorized into five broad groupscountry,
sector, transaction, business opportunity and business partnership:
Country risk: this is evidenced by perceived high levels of corruption, an absence of effectively implemented anti-bribery legislation and a failure of the foreign government, media,
local business community and civil society to effectively promote transparent procurement
and investment policies.
Sector risk: some sectors are higher risk than others. Higher risk sectors include the extractive industries and the large-scale infrastructure sector.
Transaction risk: certain types of transaction give rise to higher risks, for example, charitable or political contributions, licences and permits, and transactions relating to public
procurement.
Business opportunity risk: such risks might arise in high value projects or with projects
involving many contractors or intermediaries; or with projects which are not apparently
undertaken at market prices, or which do not have a clear legitimate objective.
Business partnership risk: certain relationships may involve higher risk, for example, the
use of intermediaries in transactions with foreign public officials; consortia or joint venture
partners; and relationships with politically exposed persons where the proposed business
relationship involves, or is linked to, a prominent public official.

52

3.6 An assessment of external bribery risks is intended to help decide how those risks can be
mitigated by procedures governing the relevant operations or business relationships; but a
bribery risk assessment should also examine the extent to which internal structures or procedures may themselves add to the level of risk. Commonly encountered internal factors may
include:
Deficiencies in employee training, skills, and knowledge;
Bonus culture that rewards excessive risk taking;
Lack of clarity in the organizations policies on, and procedures for, hospitality and promotional expenditure, and political or charitable contributions;
Lack of clear financial controls; and
Lack of a clear anti-bribery message from the top-level management.

Appendix 2. Sample Sensitive Country Analysis Tool

The table below shows a breakdown of revenue by country. In addition, the percentage of the
total sales done by agents or distributors and sales to governmental or state-owned enterprises
are given.

Country

CPI
score

Total
revenues
(in USD x
1000)

% Sales via
agents /
distributors

% Sales to
government
or stateowned
companies

Compliance
training
provided to
third parties

History of
corruption cases
(enterprise,
country,
industry)

Country A

95

10,000

20%

50%

No

No

Country B

94

5,000

50%

50%

No

No

Country C

88

3,000

100%

100%

No

No

Country D

78

60,000

10%

50%

No

Yes

Country E

71

30,000

0%

75%

No

No

Country F

43

5,000

60%

100%

Yes

Yes

Country G

39

12,000

60%

50%

No

Yes

Country H

36

9,000

100%

100%

Yes

Yes

Country I

24

25,000

90%

80%

No

Yes

Country J

19

3,000

80%

50%

Yes

Yes

53

When evaluating the overall exposure to corruption risks by country, the risk in Country I
might be higher than in other countries: of the total sales, 90% is sold via agents and 80% of
the clients are governmental or state-owned enterprises. Given Country Is poor track record
on corruption (CPI score 24 and a history of corruption cases) an additional analysis is worth
considering. The table below explores the sales by agent in more detail.
Country
Russia

Top 5 agents
/ distributors
(by revenue)

Total sales
by agent /
distributor (in
USD x 1,000)

% of total
sales to
governmental
clients

Total fee paid

to agents /
distributor (in
USD x 1,000)

Third party
agents /
distributors
screened?

Compliance
training provided to third
parties

Overall risk
(H / M / L)

Name A

10,000

80%

300

No

No

Name B

6,000

60%

100

No

No

Name C

3,000

20%

50

Yes

No

Name D

2,000

100%

100

Yes

No

Name E

1,500

10%

30

Yes

No

Explanation: Agents A and D are the most critical agents for the enterprise in Country I. A
large part of their sales relates to governmental or state-owned enterprises and the fees they
receive as a commission for their work are high compared to the other agents. The enterprise pays Agent A 300,000 USD per year for selling predominantly to government officials,
although no background screening was made or compliance training was provided.

Appendix 3. Sample Anti-Corruption Risk Assessment Interview and Survey

Topics
1. Introduction and Background
This portion of the interview will be used to introduce participants, discuss the purpose of
the assessment, and answer any preliminary questions about the assessment.

2. Country/Operating Unit Corruption Risk

a. Discuss any challenges, including allegations of potential corruption, facing the enterprise/operating unit due to a customers geographical location and/or perceived corruption.
b. Does the enterprise have any government customers? If yes, what percentage of overall
sales are these government customers?
c. Are there any countries, governmental customers, or commercial customers that present a
higher risk to the enterprise because of the country/government/customers perception of
being corrupt?

3. Interactions with Government Officials and Entities

a. Gain an understanding of the various government entities that the enterprise interacts with.
b. Consider actual or potential improper payments to government officials or commercial
customers (i.e., security, customs, facilitating payments).
c. Discuss the type of gifts, meals, entertainment, travel, or any other reimbursements provided to government customers, government officials, or their family members, if any.
d. Understand the challenges faced with securing government approvals, licences and permits.
e. Are facilitating payments (or grease payments) ever paid?

54

4. Use of Third Party Agents

a. If third party agents are used in the course of business, discuss roles, responsibilities, contracting terms, and payment mechanisms.
b. Discuss actual or possible corrupt payments made to government officials or commercial
customers through a third party.

5. Employees
a. Discuss the interviewees career path to include positions held with Government Bodies or
Political Organizations, if any.
b. Consider the sufficiency of training that is provided to the employees.
c. Discuss the employees role and interaction with other employees to understand segregation of duties and to prevent the facilitation of improper payments.

6. Supply Chain
a. Discuss the enterprises overall supply chain strategy including sourcing, logistics, etc.
b. Inquire if the interviewee is aware of any programme or mechanism that is designed to
scrutinize and track high corruption risk contracts and contractors.
c. Inquire about the policy and practice around assessing the reputation and integrity of suppliers.
d. Discuss the sufficiency of systems used to track and categorize supplier transactions.

7. Charitable Contributions and Political Donations

a. Discuss any charitable contributions and political donations, if any.

8. Minority and Majority Ownerships, Joint Ventures (JV) and M&A

a. Discuss due diligence procedures performed when entering into JV investments.

9. Other
a. Discuss whether the interviewee is aware of any inappropriate payments or allegations
concerning potential violations of anti-corruption laws.
b. Consider any instances where the interviewee may have been asked to perform functions
considered unethical or against the enterprises anti-corruption code.
c. Discuss the policy and practice around including anti-bribery language in contracts with
third parties.
d. In closing, the interviewee should be given the opportunity to share anything not previously discussed and permission to follow-up should be sought.
Note: Additional tailored topics would typically be discussed based on the function and area
of the interviewee/survey participant as well as the industry and risk profile of enterprise.

Appendix 4. Corruption Red Flags

Business in countries with a history of corruption;
Excessive reliance on third-party agents;
Unusual payment terms for agents;
Large or numerous cash payments;
Upfront or advance payments;
Request for payment to someone other than agent or vendor;
Payments to numbered accounts or to haven or other offshore banks;
Large charitable contributions in foreign countries;
Association between agent and foreign government;
Gifts lavishness, secrecy, inaccurate records; and/ or
Payments to countries or vendors with which the company has had no previous business
dealings.

55

Appendix 5. RESIST Methodology: Scenarios

In a bidding round, the terms of reference (including technical specifications) are biased to
favour one supplier or to exclude potential competitors

Intermediary offers company to win bidding upon payment of losers fee during pre-bidding
or bidding stage

Bribe solicitation for confidential information during pre-bidding or bidding stage

Kickback scenario: Your sales representative is offered hidden compensation by the customer or by an intermediary

A host country may impose or imposes a partnership with a designated local company that
may present high corruption risks

Client demands a last-minute closure fee to close a deal that is now too late to lose

A company complaining about an unfair procurement process is threatened with a spurious

criminal prosecution that will lead to a heavy fine

A local government agency demands a fee for technical approval of equipment

Newly-hired employees cannot obtain work permits unless an employment surcharge is paid

10

A local police officer requests a payment to allow an expatriate worker to cross an internal
border within a country

11

An employee of the state electricity company demands cash for connection to the grid

12

Long-awaited essential equipment is stuck in customs for clearance and only the payment of
a special fee can secure its prompt release

13

Perishable goods are held up in customs and will only be released if a cash payment is made

14

A tax inspector asks for a kickback in exchange for granting a discharge or accepting a
settlement in a tax dispute

15

A union leader demands payment to an employee welfare fund before allowing his/her members to unload a ship

16

A client asks your company to arrange and pay for a check-up at a prestigious hospital while
on a visit to your home office

17

A government official requests free product samples for private use

18

A government representative requests sponsorship for an activity linked to the private interests of high-level government officials

19

A financial services intermediary demands incentives over and above the regulated commissions and fees for referral of clients to financial product providers

20

A supplier offers a bribe to a contract manager to overlook out of spec or inferior goods or
services

21

A customer representative demands a fee that was not previously agreed as a condition to a
contract change

22

For a fee, a businessperson offers to help reinstate client progress payments that were
stopped for no apparent reason

(source: http://www.iccwbo.org/products-and-services/fighting-commercial-crime/resist/)

56

Appendix 6. Sources for Analysing the Risk of Corruption by Country

Source

Published by

Description

Web Link

Corruption
Perceptions
Index

Transparency
International

An annual survey ranking almost 200

countries by their perceived levels
of public corruption, as determined
by expert assessments and opinion
surveys.

www.transparency.
org

Bribe Payers
Index

Transparency
International

Evaluates the supply side of corruptionthe likelihood of firms from the

worlds industrialized countries to
bribe abroad

www.transparency.
org

Global
Corruption
Barometer

Transparency
International

A survey that assesses general public

attitudes towards and experience of
corruption in many countries.

www.transparency.
org

National
Integrity
System (NIS)
Surveys

Transparency
International

Present the results of NIS assessments in form of a comprehensive

analyses of the anti-corruption
provisions and capacities in a country,
including recommendations for key
areas of anti-corruption reform.

www.transparency.
org

Corporate
Reporting
Surveys

Transparency
International

Surveys published in 2009 and 2012

of corporate reporting and transparency on anti-corruption; also the
report Promoting Revenue Transparency: 2011 Report on Oil and Gas
Companies.

www.transparency.
org

Governance
Indicators

World Bank

Reports aggregate and individual governance indicators for 213 economies

over the period 19962010, for six
dimensions of governance including
control of corruption.

http://info.worldbank.org/governance/wgi/index.asp

Country
Profile

United Nations
Office on
Drugs and
Crime

Provides review reports, laws and

authorities information for countries.

http://www.unodc.
org/unodc/en/treaties/CAC/countryprofile/index.html

TRACK

United Nations
Office on
Drugs and
Crime

Central platform of Tools and Resources for Anti-Corruption Knowledge.

www.track.unodc.
org

57

Appendix 7. Sample Probability Scoring Matrix

Three-point Scoring Matrix for Identified Corruption Schemes

Score

Little probability of corruption activity

Some probability of corruption activity

High probability of corruption activity

Five-point Scoring Matrix for Identified Corruption Schemes

Score

Minimal probability of corruption activity

Little probability of corruption activity

Some probability of corruption activity

Considerable probability of corruption activity

Very high probability of corruption activity

Appendix 8. Sample Potential Impact Scoring Matrix

Sample Three-Point Potential Impact Scoring Matrix for Identified Corruption Schemes
Narrative categorization of corruption scheme potential impact

Score

Insignificant impact

Moderate impact

High impact

Sample Five-Point Potential Impact Scoring Matrix for Identified

Corruption Schemes

Score

Insignificant Impact

Minor Impact

Moderate Impact

Major Impact

Catastrophic Impact

58

Appendix 9. Sample Multi-Factor Probability Scoring Matrix

Probability

Quantitative

Status of Actual Case(s) of the

Scheme

Complexity

Very low
probability
of corruption
activity

< 10% chance

Root cause of incident

has been remediated
(reducing the chance of
repeat occurrence).

Very difficult to perpetrate even without

controls place.

Little
probability
of corruption
activity

10%25% chance

Root cause of incident

is in the process of being remediated.

Difficult to perpetrate
even without controls
in place.

Some
probability
of corruption
activity

26%50% chance

Incident has been

contained.

Moderately complex
to perpetrate without
controls in place.

Considerable
probability
of corruption
activity

51%75% chance

Incident is in the process of being contained.

Easy to perpetrate
without controls in
place.

Very high
probability
of corruption
activity

> 75% chance

Incident has been reported and is currently

under investigation.

Very easy to perpetrate

without controls in
place.

59

Appendix 10. Sample Multi-Factor Potential Impact Scoring Matrix

Potential
Impact

Reputation

Financial

Legal / Compliance

Stakeholders
Customers

Stakeholders
Employees

Insignificant
Impact

Minimal local
media attention quickly
contained,
short term
recoverability.

Financial impact
is < 5% of selected budget item
(e.g., revenue or
income).

Notice of violation/
warnings requiring
administrative action
and minimal penalties.

Minimal customer complaints

and recovery
costs.

Insignificant
impact on ___
Departments
ability to recruit
and retain employees.

Minor Impact

Local market
impact on
Departments
brand and
reputation.

Financial impact
is between 5%
and 10% of
selected budget
item (e.g., revenue or income).

Routine governing
body litigations subject to moderate fines
and penalties may be
subject to regulatory
proceedings and/or
hearings.

Minimal decline
in customer relationships and
some recovery
costs.

Some impact
on ___Departments ability
to recruit and
retain employees.

Moderate
Impact

Sustained
local press
coverage with
escalating
customer
implications.

Financial impact
is between 10%
and 20% of
selected budget
item (e.g., revenue or income).

Routine litigation
subject to substantial
fines or penalties,
subject to regulatory
proceedings and/or
hearings.

Loss or decline
of customer
relationships
and moderate
recovery costs.

Significant
impact on ___
Departments
ability to recruit
and retain top
performers.

Major Impact

National or
sustained
regional press
coverage with
long-term
damage to
public image.

Financial impact
is between 20%
and 30% of
selected budget
item (e.g., revenue or income).

Potentially a significant governing body

scrutiny, investigations subject to
substantial fines and
penalties, which may
include some criminal
charges, subject to
regulatory proceedings and/or hearings.

Strained key
customer
relationships
and significant
recovery costs
and threat to
future growth.

Major impact
on ___Departments ability
to recruit top
performers.

Catastrophic
Impact

Global Media
Coverage.

Financial impact
is > 30% of
selected budget
item (e.g., revenue or income).

Major scrutiny, investigations subject to

substantial fines and
penalties including
criminal charges,
and/or cease-and-desist orders, possible
regulatory action.

Loss of major
customer relationships and
serious threat to
future growth.

Sustained
impact on ___
Departments
ability to recruit
and retain top
performers.

60

Appendix 11. Sample Weighted Average Potential Impact and Probability Rating
Method
Determine the probability rating for each risk or scheme on a scale of 15 for each quantitative measure, the status of actual cases and the complexity for that risk or scheme, and then
calculate one overall probability rating by taking a weighted average of the three scores as
follows:
25% of the quantitative score;
50% of the status of actual cases of the scheme score;
25% of the complexity score.
Determine the potential impact rating for each risk or scheme on a scale of 15 for each
of reputation, financial, legal/compliance, customer, and employee impact for that risk or
scheme and then calculate one overall potential impact rating by taking a weighted average of
the five scores as follows:
30% of the reputation impact score;
30% of the financial impact score;
20% of the legal/compliance impact score;
10% of the customers impact score; and
10% of the employees impact score.

Appendix 12. Sample Qualitative Scale for Determining Inherent Risk

Probability

Potential Impact

Inherent Risk

High

Low

Medium

High

Medium

High or Medium

High

High

High

Medium

Low

Medium or Low

Medium

Medium

Medium

Medium

High

High or Medium

Low

Low

Low

Low

Medium

Medium or Low

Low

High

Medium

61

Appendix 13. Sample Quantitative Approach to Assessing Inherent Risk

Inherent Risk Level

Sum of Probability and Potential Impact Scores

Low

5 or less

Medium

67

High

89

While the above is a simple and often-used option to determine the inherent risk rating of
each corruption risk/scheme, certain enterprises, particularly those that are larger and able
to allocate appropriate resources for this exercise, may want to include additional factors,
such as weighted average calculations, in the interest of increasing the accuracy of the scores.
In the above example, equal weight is given to both probability and potential impact. An
alternative option would be to provide more weight to the potential impact than to probability in calculating inherent risk under the belief that the potential impact on the enterprise is
a greater driver of the need for management to mitigate corruption risks. For example in the
quantitative scale above, instead of adding the raw score of probability and potential impact,
60% of the potential impact score could be added to 40% of the probability score to arrive at a
weighted inherent risk score. The relative weighting of the two factors could be adjusted until
the result appropriately reflects managements overall judgment.

Appendix 14. Examples of Anti-Corruption Controls

1. Typical general entity-level anti-corruption controls:18
A formal anti-corruption compliance programme;
An Anti-Corruption or Compliance Committee mandated to review or receive updates on all
high-risk transactions;
Written standards (i.e., the code of conduct and anti-corruption and other related policies);
Anti-corruption training and communication for employees;
Tone from the top and the middle;
Employee background checks;
Whistleblower system;
Gift, entertainment, and hospitality request approval and tracking;
Conflict of interest certification/disclosure process;
Third-party contract provision on compliance;
A competitive bidding/selection process including RFP dissemination to prospective vendors
and proposal review;
Risk tier classification system for third parties;
Third party due diligence (in line with the designated risk tier);
Multiple levels of vendor contract approval or internal sign-off (e.g., requiring approval
from procurement, the legal and compliance functions, and local management);
Accounting controls on vendor invoice review, approval, and payment;
A process for travel and expense report review, approval, and reimbursement;
An employee culture of ethics and knowledge assessment;
Exit interviews;
Mandatory anti-corruption audits on regularly recurring basis; and
Mandatory rotation of key management level personnel in high risk locations.

18. Small or medium sized enterprises typically would not have some of these items due to resource constraints, non-applicability, and a
different risk profile.

62

2. Scheme-specific controls:19
(Including some that may be a scheme-specific version of an entity-level control)
A scheme involving using consultants/fixers as bribery conduits may include the following
mitigating controls and processes:
A process for documenting a business need for hiring a consultant;
Consultant due diligence/screening with specific aspects such as background check, screening against politically exposed persons (PEP) lists, a references and credentials check, prior
engagements, reputation, and a sample work product review (depending on the risk tier);
Consultant certification of compliance (initial and at periodic intervals, e.g., annually) such as
an anti-corruption policy acknowledgement and certification, a vendor code of conduct, etc.;
Anti-corruption training and communication activities targeted to the procurement
personnel involved as well as to the consultants hiring/ongoing management and to the
consultant him/herself;
Periodic consultant performance evaluations, actual work product review; and
Consultant fee/invoice analyses (does the invoice have an adequate level of detail, is the fee
reasonable, how does it compare with other similar vendors, is it commensurate with the
work product, is there a correlation between a consultant invoice and a particular government action that benefited the enterprise, etc.).
A scheme involving commercial enterprise sales reps providing potentially inappropriate
gifts, hospitality, and entertainment to prospects or customers may include the following20:
Periodic gift and entertainment training and communication targeted to sales personnel
and their managers;
Communication to customers about the enterprises gift, hospitality, and entertainment
policy;
Tone from the middle: communication to sales personnel from supervisors or market leadership;
Periodic (e.g., annual) anti-corruption policy acknowledgement or certification among sales
personnel and supervisors;
Mandatory use of the enterprises credit cards for any third party meals or other entertainment by sales personnel;
Sales representative rotation;
Customer survey/interviews; and
Hotline availability for customer personnel.

3. Preventative anti-corruption controls:21

Having a formal anti-corruption programme in place with defined structure, ownership,
reporting lines, and planned activities, and periodic measurement for effectiveness;
Written standards (code, anti-corruption policies);
Anti-corruption training and communication, including a resource library;
Tone from the top and the middle: visible senior and mid-level managements setting the
expectations;
A risk classification system for third parties, corporate locations, and business activities
(i.e., a tiered system whereby higher risk parties would be subjected to a more robust due
diligence and oversight than lower risk parties);
Due care and due diligence, including personnel background checks, third party initial due
diligence, policy certification/acknowledgement;
Gift, hospitality, and entertainment advance approval;
Segregation of duties;
Contract provisions on compliance with the law in general and anti-bribery specifically;
and

19. Small or medium sized enterprises typically would not have some of these items due to resource constraints, non-applicability, and a
different risk profile.
20. Small or medium sized enterprises typically would not have some of these items due to resource constraints, non-applicability, and a
different risk profile.

63

Incentives for proper conduct, ethics awards, and (to some extent) performance evaluations
with specific ethics and compliance provisions.
For many schemes, preventative controls could be augmented by detective controls, for the
purpose of early detection of misconduct (both intentional and unintentional).

4. Detective anti-corruption controls:22

Gift, hospitality, and entertainment tracking (after the fact);
Expense report audit;
Periodic third party monitoring (e.g., performance assessment, re-certification);
Whistleblower system, investigation process and case management;
Exit interviews;
Corporate audit, transaction audit, third party audit;
Employee culture of ethics and compliance assessment, particularly if it includes questions
about pressure to commit misconduct, actual policy violations, etc.; and
Customer, vendor, or third party survey or interview.

Appendix 15. Sample Scoring Matrix for Control Rating

Sample of 3-point scale scoring matrix for control rating
Qualitative Categorization

Numerical Categorization

Control Risk
Rating

Good/Effective

Low

Fair/Partially Effective

Medium

Poor/Ineffective

High

Sample of 5-point scale scoring matrix for control rating

Qualitative Categorization

Numerical Categorization

Control Risk
Rating

Excellent/Very Effective

Very Low

Good/Effective

Low

Fair/Neutral/Partially Effective

Medium

Poor/Somewhat Effective

High

Very Poor/Ineffective

Very High

21. Small or medium sized enterprises typically would not have some of these items due to resource constraints, non-applicability, and a
different risk profile.
22. Small or medium sized enterprises typically would not have some of these items due to resource constraints, non-applicability, and a
different risk profile.

64

Appendix 16. Sample Detailed Ratings Criteria for Control Rating

A. Anticorruption Training Scoring Matrix
#

Control Rating
Criteria

Score (mock/
sample scores
entered)

Weight (Very
important: 3, Important: 2, Less
important: 1)

Criteria Scoring Guide

Does the anti-corruption training target

relevant audiences?

All- 3, Some- 2, Few- 1

Is it provided in relevant languages?

All- 3, Some- 2, Few or No- 1

Is the anti-corruption
training mandatory?

Yes, for all- 3, Some employees- 2

No- 1

Is the training included

in the new employee
orientation or generally
conducted within 36
months of employment
start?

Yes, within 3 months- 3 36

months- 2, After 6 months- 1

Is the training conducted on a sufficiently

periodic basis?

Annual:- 3, Every 2 years- 2, Every

2+ years or No- 1

What is the quality of

training content?

Good- 3, Fair- 2, Poor- 1 Note: quality considerations may include: the

presence of key relevant topics,
tone at the top, interactivity, ease of
navigation, visual presentation, language level, clarity of content, etc.;
these criteria can either be formally
scored separately in order to arrive
at the score for content quality or
used as a qualitative guide for the
assessor, to help him or her assign
an accurate score to this content
quality criteria.

Does the training

include a written
acknowledgement or
policy certification
form?

Yes -3, No- 1

Does the training

include testing?

Yes -3, No- 1

Are the testing results

tracked and maintained?

Yes -3, No- 1

10

Is the completion of
training tracked and
are these records
maintained?

Yes -3, No- 1

11

What is the training

completion rate for the
target audience?

Over 66%- 3, 33%66%- 2, less

than 33%- 1

65

A. Anticorruption Training Scoring Matrix

#

Control Rating
Criteria

Score (mock/
sample scores
entered)

Weight (Very
important: 3, Important: 2, Less
important: 1)

Criteria Scoring Guide

12

Are there disciplinary

consequences for noncompletion of training?

Yes -3, No- 1

13

Is the completion
of training a part of
employee annual performance evaluation?

Yes -3, Some (e.g., managers only)2, No- 1

14

What is the quality of

the written training
plan?

Good- 3, Fair- 2, Poor- 1 Note: quality

considerations may include multiyear strategic and annual timelines,
stated goals/objectives, defined
target audiences, detailed curriculum, stated target completion rates,
planned frequency, modality of
delivery, roll out schedules, key performance indicators (KPIs), whether
the plan was developed in consultation with other functions, etc.

15

Is the training programme periodically

evaluated for performance effectiveness?

Yes, at least annually- 3, Every 23

years- 2, Every 3+ years or No- 1

16

Are the training

programme evaluation results used to
modify the training
programme scope?

Yes- 3, No- 1

17

What is the quality of the training programme performance

reporting?

Good- 3, Fair- 2, Poor- 1 Note:

quality considerations may include
whether the reports are adequately
complete/detailed, report KPIs,
regularly provided to the appropriate authority within the enterprise

18

What is the quality of

communication initiatives that accompany
formal training? (e.g.,
printed materials,
emails, videos, podcasts, blogs, intranet
resources, etc.)

Good- 3, Fair- 2, Poor- 1 (Note considerations may include coverage

of topics, language availability, frequency, tone from the top/middle,
clarity of content, and range of used
delivery vehicles)

19

Is the training
programme overall
adequate in creating
good awareness of
the subject-matter in
question among the
relevant employees?

TOTAL WEIGHTED SCORE (13 scale)

Yes- 3, Somewhat- 2, No- 1 (Note:

this is a checks and balances
question. The score here should be
consistent with the average scores
above. Considerations may include
employee/manager feedback, and/
or assessment by another party)
2.15

66

B. Gift, Hospitality, and Entertainment (GHE) Tracking Process Scoring Matrix

#

Control Rating
Criteria

Score (mock/
sample scores
entered)

Weight (Very
important: 3, Important: 2, Less
important: 1)

Criteria Scoring Guide

Does the enterprise

track gifts received by
its employees?

All, regardless of value- 3, Some

(e.g., above a value threshold)- 2,
No- 1

Does the enterprise

track entertainment/
hospitality provided to
its employees?

All, regardless of value- 3, Some

(e.g., above a value threshold)- 2,
No- 1

Does the enterprise

track gifts provided by
its employees to third
parties?

All, regardless of value or recipient3, Some (e.g., above a value threshold or provided to certain type of
recipients such as govt. officials)- 2,
No- 1

Does the enterprise

track entertainment/
hospitality provided by
its employees to third
parties?

All, regardless of value or recipient3, Some (e.g., above a value threshold or provided to certain type of
recipients such as govt. officials)- 2,
No- 1

Do GHE provided to
third parties require
advance approval?

All, regardless of value or recipient3, Some (e.g., above a value threshold or provided to certain type of
recipients such as govt. officials)- 2,
No- 1

If YES, to q5, does

such approval request
require review and
approval by compliance or legal function?
(i.e., who reviews and
approves employee
requests for GHE?)

2.5

Yes, for all requests; 12 approval

signatures including compliance
or legal are required- 3 Yes, for
requests above a certain threshold
or for specific types of beneficiary;
12 approval signatures needed,
including one from compliance;
other requests need one approval
signature (e.g., from ones supervisor)- 2.5 Yes, for requests above
a certain threshold or for specific
types of beneficiary; at least two
approval signatures needed, including one from compliance; for other
requests, no approval needed- 2
1.5: Only above a certain threshold
or for certain type of beneficiary,
with one approval signature (e.g.,
ones supervisor)- 1.5 No- 1

In the absence of formal advance approval

for GHE provided to
third parties, does
the tracking process
require retroactive
disclosure?

All, regardless of value -3, Some

(e.g., above a value threshold)- 2,
No- 1

67

B. Gift, Hospitality, and Entertainment (GHE) Tracking Process Scoring Matrix

#

Control Rating
Criteria

Score (mock/
sample scores
entered)

Weight (Very
important: 3, Important: 2, Less
important: 1)

Criteria Scoring Guide

In the absence of
advance approval (or
when approval was
not requested), does
the tracking process
require retroactive
disclosure for gifts and
entertainment received
by employees from
third parties?

All, regardless of value- 3, Some

(e.g., above a value threshold)- 2,
No- 1

Does the process or

tool require or allow
for checking the third
party against politically exposed party
(PEP) database?

Yes, required for all GHE- 3 Yes,

required for all GHE above certain
threshold, (or other criteria)
discretionary for others- 2.5 Yes,
discretionary regardless of the
criteria- 2 No- 1

10

Does the process

require for all gifts
and entertainment
provided to third parties by employees to
always be paid with the
enterprises funds (e.g.,
company credit card,
i.e., no personal expenditure is permitted
for business related
GHE to the enterprises
customers, vendors,
business partners,
service providers, and
other related parties).

Yes- 3 Some, but not all, or sometimes but not always- 2, No-1

11

The tracking process

is automated and easy
to use.

Yes -3, Somewhat- 2, No- 1

12

The tracking process

and related requirements have been
clearly communicated
to all relevant employees.

Yes- 3, Somewhat- 2, No- 1

13

The tracking process

allows for cumulative
tracking per gift and
entertainment recipient, provider as well as
his/her enterprise.

Yes- 3, Somewhat (e.g., gift given

but not received, gifts only but not
entertainment, some business units
but not others, etc.)- 2, No- 1

14

Is the tracking process

is enterprise-wide?

Yes- 3, Most of the enterprise- 2;

Smaller part of the enterprise- 1

68

B. Gift, Hospitality, and Entertainment (GHE) Tracking Process Scoring Matrix

#

Control Rating
Criteria

Score (mock/
sample scores
entered)

Weight (Very
important: 3, Important: 2, Less
important: 1)

Criteria Scoring Guide

15

Are there disciplinary

consequences for a
failure to follow the
established process?

Yes -3, Maybe- 2, No- 1

16

Are the tracking

process and associated tools periodically
evaluated for effectiveness?

Yes, periodically & with adequate

depth/scope- 3 Yes- infrequently
and/or limited scope- 2 No- 1

TOTAL WEIGHTED SCORE (13 scale)

2.35

C. Anticorruption Policy Scoring Matrix

#

Control Rating
Criteria

Score (mock/
sample scores
entered)

Weight (Very
important: 3, Important: 2, Less
important: 1)

Criteria Scoring Guide

Does the enterprise

have an anti-corruption
policy?

Yes, a single global policy or a combination of global and local policies3, Yes, local policies only where
needed- 2, Yes, local policies only in
some but not all exposed locations1.5, No (if no please answer no to
all the following questions)- 1

What is the policy

format?

Included in the code of conduct

plus a stand-alone (more detailed)
document(s)- 3, Included in the
code of conduct only- 1

Is the policy content

adequately and sufficiently comprehensive
(i.e., does the policy
address all pertinent
issues/topics with sufficient detail)?

Yes- 3, Somewhat- 2, No- 1 Note:

if the policy is only available as
a chapter in the code of conduct,
please consider whether the
content is comprehensive enough
to communicate the behavioural
expectations.

Is the policy language

clear, readable, and
consistent? Is it easy
to understand for an
average employee?

Yes- 3, Somewhat- 2, No- 1

Is the policy well organized and structured?

Yes- 3, Somewhat- 2, No- 1

69

C. Anticorruption Policy Scoring Matrix

#

Control Rating
Criteria

Score (mock/
sample scores
entered)

Weight (Very
important: 3, Important: 2, Less
important: 1)

Criteria Scoring Guide

What is the policy

position on facilitation
payments?

Not allowed, except in life threatening situations- 3, Generally not

allowed, except when prior written
permission has been given- 2.5,
Generally allowed, within defined
circumstances, with no prior
written permission needed- 1.5.
Allowed- 1 Undefined- 1 Varies
depending on location- 1.5

If different local policy

versions exist, are they
consistent with the
corporate policy, and/
or between themselves
in terms of standards,
content, and presentation?

2.5

Generally, yes- 3, Somewhat, but

some are more restrictive than the
general enterprise standard- 2.5
Somewhat but some are more
lenient than general enterprise
standard- 1.5, No- 1 N/A as we have
a single global policy- 3

Is the policy available

in languages where the
enterprise conducts
business?

Yes, in all or most countries where

the enterprise conducts business
including the key risk locations- 3,
In some but not all key risk locations- 2, No- 1

Is the policy easily accessible on the

enterprises intranet
by relevant employee
segments?

Yes- 3, Somewhat- 2 No- 1

10

Has the policy been

well communicated
to relevant employee
groups?

Yes- 3, Somewhat- 2 No- 1

11

Is there a policy
acknowledgement
process that involves
relevant employees on
a periodic basis (e.g.,
annually or every 23
years)?

Yes, all relevant employees- 3,

Some, but not all relevant employees- 2, No- 1

12

Is the policy periodically reviewed and

updated (e.g., every
23 years)?

Yes- 3 Some, but not all, or sometimes but not always- 2 No-1

TOTAL WEIGHTED SCORE (13 scale)

2.25

70

Note: The answers to the above questions should be made using the chosen rating scale (e.g.,
1 to 3 on a 3-point scale in the example above) with yes or no answers taking the extreme
values. In many cases however, there will be more nuance than a simple binary approach. A
simple or a weighted average of the criteria scores makes up the score for the given control.
Also, enterprises can use a smaller pool of questions to do these ratings and do not have to use
all the questions above.
An alternative option is to simplify the rating criteria. For example, the scoring matrix could
in theory be scaled down to a single criterion, e.g., do we provide anti-corruption training
to our employees? Yes- 3, No- 1. However, anti-corruption training programs vary greatly in
quality, from barely existent to very robust. Answering yes and awarding the maximum
three points based on having anti-corruption training even though it is poorly designed, badly
implemented, or operating ineffectively, could provide a false impression that misleads management, the board of directors and the audit committee or others charged with governance.
It may also create legal and regulatory exposures. For these reasons, a more refined evaluation
that considers the quality of design, implementation and operation is highly recommended.

Appendix 17. Sample Qualitative Scale for Determining Residual Risk

If Inherent Risk Is

And Control Risk Rating Is

Then Residual Risk Is

Normally

High

High

High

High

Medium

Either High or Medium

High

Low

Either Medium or Low

Medium

Low

Low

Medium

Medium

Either Medium or Low

Medium

High

Medium

Low

High, Medium or Low

Low

71

Appendix 18. Sample Approach to Determining the Corruption Risk Response

Plan
In this approach, four quadrants are identified based on the interplay between inherent risk
and control risk. Each quadrant has a default or predominant response. Controls that are
deemed effective or partially effective in mitigating low inherent risk items are classified as
No Major Concern. This indicates no additional investment in programmes or controls needs
to be made and that these risk areas are not included in any monitoring or auditing plan
(there may be opportunity to reallocate controls and resources dedicated to this area to other
areas). Controls that are deemed effective in mitigating high inherent risk items are classified
as Continuous Review, indicating that even though the mitigating controls are effective,
the continued effectiveness of the controls is very important given that they mitigating high
inherent risk areas These controls should be part of a continuous (e.g., quarterly) monitoring
programme. Controls that are partially effective or ineffective in mitigating low to medium
inherent risk items are classified as Periodic Review, indicating that even though the controls may not effectively mitigate the risks, since the risk level is not high these controls can
be part of a longer term (e.g., every two year) monitoring programme. Alternatively, the controls can be improved. Controls that are ineffective or partially effective in mitigating high
inherent risk items are designated as Active Management indicating that active remediation
of existing programmes and controls is recommended.
Appendix 18

Inherent Risk Rating

Continuous
Review
10

Active
Management

No Major
Concern

5
8

Periodic
Review

2
3

Control Risk Rating

Continuous Review: control is adequate, continue

monitoring of controls to confirm this, i.e., at least quarterly.
Active Management: risks where current treatment
options require preparation, active review and management
on an ongoing basis.
No Major Concern: risks where systems and processes
managing the risk are adequate. Consider excess or
redundant controls.
Periodic Review: control is not strong but risk consequence is not high. Options are to improve control or monitor
risk consequence to ensure it does not increase over time.

72

Appendix 19. Sample Anti-Corruption Risk Assessment Summary Report

Anti-Corruption Risk Assessment Summary
Categorized control identification workshops by specific regulations in concerned country.
Conducted 44 control identification workshops with individuals from different business units and
compliance departments around the world.
Top 5 risk categories:

Bribes to customs officials;

Political and charitable contributions;
Use of third party agents and contractors;
Travel and entertainment expenditure;
Commission and bonus paid to sales force;

Observations:
Of risk categories where inherent risks were identified, a range between 73%88% deemed high risk;
15%18% of the identified controls were deemed strong, 43%60% adequate, 21%42% weak;
Of those controls where residual risks were identified, 4% were high, 45% medium, 51% low;
An overall control observation: inadequate background checks on key personnel of agents and contractors;
Identified risks for which no controls or weak controls exist in certain markets:
Customers/suppliers are not screened on a periodic basis to identify politically exposed persons.
Requests for information from the relevant regulatory agency are not complied with in accordancewith the required timeframes.
Gifts to foreign government officials are not approved as per delegation of authority.
Travel advances provided to the employees are not settled in a timely manner.
Information is disclosed to unauthorized parties that the entity has formed a suspicion about a
person, entity, or transaction or reported a suspicious matter to a regulatory agency.
Compliance systems and controls are not current and are inadequate to comply with and adapt to
changes to specific regulations.
Risk Categories

Inherent Risk

Control Rating

Residual Risk

Client Identification

High

Partially Effective

Medium

VACS (Vendors, Agents,

Consultants, Suppliers)

High

Partially Effective

High

Intermediaries (High-Risk Vendors,

Agents, Consultants, Suppliers).

High

Partially Effective

High

Training

High

Effective

Low

Record Keeping

High

Effective

Low

Payments Monitoring & Reporting

of Meals, Gifts, Entertainment

High

Partially Effective

Medium

Inherent Risk

High

Medium

Low

Control Rating

Ineffective

Partially Effective

Effective

Legend

The Ten Principles of the

United Nations Global Compact
The UN Global Compact asks companies to embrace, support and enact,
within their sphere of influence, a set of core values in the areas of human
rights, labour standards, the environment, and anti-corruption:

Human rights
Principle 1
Principle 2

Businesses should support and respect the protection of

internationally proclaimed human rights; and
make sure that they are not complicit in human rights abuses.
Labour

Principle 3
Principle 4
Principle 5
Principle 6

Businesses should uphold the freedom of association and the

effective recognition of the right to collective bargaining;
the elimination of all forms of forced and compulsory labour;
the effective abolition of child labour; and
the elimination of discrimination in respect of employment
and occupation.
Environment

Principle 7
Principle 8
Principle 9

Businesses should support a precautionary approach to

environmental challenges;
undertake initiatives to promote greater environmental
responsibility; and
encourage the development and diffusion of
environmentally friendly technologies.
Anti-corruption

Principle 10

Businesses should work against corruption in all its forms,

including extortion and bribery.

Published by the United Nations Global Compact Office

Contact: [email protected]
September 2013