The ABC's of Risk Assessment

Wednesday, August 29, 2018 - 15:20

 

An anti-bribery and corruption risk assessment is vital for most companies. One size does not, however, fit all.

An anti-bribery and corruption (ABC) risk assessment is a crucial part of a company’s overall risk assessment program – one that ISO 37001 (anti-bribery management systems) says will “enable the organization to form a solid foundation for its anti-bribery management system.” Without an effective ABC risk assessment, a company can be exposed to significant risk. But despite its importance, questions about practical application persist, especially in industries that are not heavily regulated. These include issues like defining exactly what an ABC risk assessment is, understanding how it fits into the context of other compliance initiatives, and identifying leading practices to help a company begin the process. There’s no one-size-fits-all approach, but there are similar steps and concepts used by global organizations that have had ongoing success in executing ABC risk assessments.

Clearly Define the Terms 

Clarifying the subject and scope of an ABC risk assessment at the outset allows all parties to understand the importance of the subject matter and what differentiates this particular risk assessment from others the company has undertaken. Different stakeholders define risk differently, based on their role within the company. As a result, they often assume bribery and corruption risks are adequately covered by the company’s other risk assessment processes, such as its enterprise, general compliance, fraud, or IT-security risk assessments. 

It should be made clear to stakeholders from the outset that an ABC risk assessment is a thorough, structured, and separate approach to identifying global government touchpoints, whether direct or indirect, throughout any of the company’s business functions or departments.

Include the Right Participants 

An ABC risk assessment should include stakeholders and key decision-makers from the corporate level, but it should not be limited to executives. The risks perceived by corporate employees do not necessarily match the actual bribery and corruption risks identified by employees who are more directly involved in the foreign locations themselves. For example, corporate employees may not regard the licenses and permits required for a manufacturing location as high-risk, due to the relatively small dollar amount of such transactions. However, that same location may be paying significant off-the-books bribes in order to make sure it can maintain the permits and continue operations. Without the permit or license, manufacturing could be shut down, which could potentially be material to the company. In this example, the significant bribery and corruption risk associated with these low dollar value licenses and permits would not have been identified without local or regional representation during the ABC risk assessment process.

Participation by employees in different areas of the business will help ensure adequate representation in all jurisdictions and locations that may interact with the government in any capacity, giving the company the best chance that no bribery or corruption risk is left uncovered. This may require some legwork up front, as it means identifying stakeholders who understand the company’s day-to-day interactions with local governments and those who have knowledge of government-owned entities in each jurisdiction where the company operates. 

However, if you go too far down the company ladder for input, it can be difficult to obtain timely responses, and the information that is collected may be overwhelming and onerous to analyze. An effective ABC risk assessment is one that balances these competing issues, and it may take several iterations of the process to figure out the appropriate balance. 

Consider Other Risk Assessments 

Due to the constantly evolving risk environment, many companies undertake multiple, simultaneous risk assessments with different areas of focus. Due to potential synergies between the ABC risk assessment and other risk assessments, including enterprise or compliance risk assessments, it can be tempting to roll these processes together and conduct them at the same time, especially in an effort to save time and money. 

However, there are several potential issues with pooling resources in this manner. First, other risk assessment processes may have different stakeholders and participants, depending on their scope. Second, the pooling of resources may diminish the significance of the ABC risk assessment. The nuances of bribery and corruption risks, especially the guidelines regarding interactions with state-owned enterprises (SOEs) and the controls required for third-party intermediaries, require specific training and a thorough understanding of the concepts. Finally, due to the potential legal risks that could be identified as a result of an ABC risk assessment, a company may want to perform it under the direction of counsel, in an attempt to maintain attorney-client privilege. In such situations, the ABC risk assessment should be clearly separated from other assessments.  

Choose the Best Leader 

An ABC risk assessment involves aggregating large amounts of data and different viewpoints into meaningful results, and finding the right individual or team to coordinate the responses can be difficult. Most organizations identify an ABC risk assessment coordinator from the internal audit, legal, compliance or finance department. The coordinator must have the organizational authority and standing to be able to break down barriers of access to potential silos of information. 

Bear in mind that stakeholders may struggle with a seemingly unending number of risk assessment surveys and process questions. People do not like feeling like they are revisiting the same discussions over and over again, especially if they are being pulled away from their daily responsibilities. Therefore, the coordinator must be willing to coordinate with the other teams that are also conducting risk assessments for the company, in order to avoid repeating questions in a way that could cause “compliance fatigue.” By spacing out the company’s various risk assessments and limiting the duplication of questions, a company can apply a fresh approach and receive valuable input for each of its assessments. The coordinator should be someone who is able to help define a coordinated effort to meet all of the company’s risk assessment objectives, not just those involving bribery and corruption. 

Keep in mind that the coordinator is only as good as his or her support structure. In particular, the coordinator should have the support of the project management office, as the project management office can help with making sense of the disparate data that gets collected. 

Learn Some Best Practices 

There are many places to find a general outline of an ABC risk assessment. The most comprehensive of these sources include the Organisation for Economic Co-operation and Development (OECD) Guidance, which dedicates several pages to ABC risk assessment in its Anti-Corruption Ethics and Compliance Handbook for Business, and ISO 37001. 

There is no one-size-fits-all approach to ABC risk assessments, but as noted in ISO 37001, “this bribery risk assessment exercise is not meant to be an extensive or overly complex exercise,” and “the results of the bribery risk assessment should reflect the actual bribery risks faced by the organization.”  

Ask Revealing Questions 

Bribery and corruption risks manifest themselves across the organization, including in specialized compliance areas that may not be readily known to everyone involved in the assessment. For example, the health, safety and environment (HSE) department can be an important area of information from a bribery and corruption risk perspective. However, HSE often sits in a separate silo from the company’s overall compliance efforts, and, as a result, it doesn’t always receive adequate compliance attention. 

The leader of the ABC risk assessment process does not have to be an expert in all areas of bribery and corruption risk, but he or she does need to have a working knowledge of potential risks and, perhaps more important, be able to probe and ask questions about government interactions among all of the different, and potentially siloed, departments or groups within the organization. 

A helpful tool for beginning any ABC risk assessment is a survey that asks a series of questions about the perceived potential for government interaction. This can be a cost-effective way to expand the base of participants in the assessment by connecting with employees all around the world to gather input on where the company is exposed to bribery and corruption risks. 

Even a well-designed survey can yield inadequate results if the people completing it don’t have a strong understanding of the topic. To address these concerns and provide the best environment for a robust ABC risk assessment process, training should be provided in a short window just before the assessment takes place. This training should reinforce key ABC risk concepts and company policies that are necessary for identifying and mitigating bribery and corruption risks. 

Foster an Open Culture 

Bribery does occur. It may be occurring in some form in your organization right now. If you are part of a global organization, it is likely that at least one of your employees has been approached about providing bribes. While this is an unfortunate reality of global business, the vast majority of employees want to do the right thing and are looking for the tools to address the issue of bribery when it arises. 

In-person training sessions that involve substantial dialogue about business issues that local employees might face can be one of the best tools in the risk assessment process. Open dialogue with those that are on the front lines helps to create a culture where employees understand that completely eliminating risk exposure isn’t expected or even possible. 

What is expected, however, is that each employee understands the serious nature of the issue and takes personal responsibility for identifying and reporting bribery and corruption risks. Whether it be paying local utility officials to keep the lights on, paying local police to prevent a company vehicle from being impounded, or paying a fee to cut through red tape for licenses or permits, the company should help employees understand that it is OK to report instances of bribery and corruption risk exposure. These issues cannot be addressed if they are not brought to light.

By encouraging employees to discuss the ways in which they can and already do mitigate bribery and corruption risks, companies can encourage positive behavior and foster a greater commitment to the process. The company may also get to leverage some of the information collected from these employees by sharing it with other regions and further strengthening the overall ABC program. 

Leverage Data Analytics 

Rather than talking about abstract principles, it is usually easier to talk about specific cases. By leveraging focused analytics, especially transaction testing in key risk areas such as sales agents, customs and logistics, licenses and permits, or consulting costs, a region or location can identify the different business relationships that may give rise to bribery and corruption risks. Assessing the volume of these transactions can also help as a company tries to determine the likelihood or impact of a specific risk. Adding an internal audit resource can add efficiencies to the process. 

Take Action 

Once the bribery and corruption risks are identified and weighted, the true work can begin. First, the team assigns responsibility for mitigating the identified risks. The risks can be separated into three categories based on the level of ownership: 

  • The corporate level (e.g., policies and procedures or monitoring) 

  • A regional level (e.g., specific items, including gifts and entertainment) 

  • The local level (e.g., procedures related to individual enterprise resource planning systems) 

Once responsibility is assigned, the company can execute the appropriate remediation steps and monitoring to address the risks. The ABC risk assessment process is designed to be repeated, but the frequency depends on the company’s specific ABC risk profile. Because the first assessment will be the most robust and comprehensive, future assessments can focus on any changes to the initially identified bribery and corruption risks, such as entry into new markets, a change in the SOE customer base, or new plant construction. No matter the frequency, the completion of the initial ABC risk assessment marks the start of the planning process for the next iteration of the ABC risk assessment. To facilitate that future process, a company should centrally store documentation related to the risk assessment, including any information regarding events that take place between risk assessments that could impact the next version of the ABC risk assessment.


Matt Dixon is a director in KPMG’s Forensic practice where he assists clients with global investigations, proactive compliance program assessments, including assessing anti-bribery and corruption risks, and litigation support. He is a certified public accountant, a certified fraud examiner, and he also holds a law license in the state of Indiana. 

Amanda Rigby is a principal in the Chicago office of KPMG, where she leads the U.S. Forensic network. She focuses on investigations, regulatory compliance and dispute advisory services. She is also the leader of the Chicago chapter of the KPMG Network of Women.