Assessing corruption risks to comply with international anti-bribery legislation

Risk is an inherent part of a business. It refers to the uncertainty, potential loss, or adverse outcomes a company may face due to its business activities. Businesses may encounter a variety of risks, including operational, behavioural, strategic, financial, legal, and reputational. However, there is one risk that encompasses all of these – corruption*.

Bribery and corruption can disrupt business operations with multiple negative consequences. Corruption often results from failing internal processes and systems or poor human resources management which, in turn, can lead to unethical behaviour, decreased productivity, employee errors or misconduct.

However it occurs, corruption undermines trust and confidence in institutions, creates an uneven playing field for businesses, and can lead to poor strategic decision-making and misallocation of resources. 

The penalties of corruption

Paying bribes to secure contracts or gain other advantages leads to increased business costs, prosecution risks, and reduced profits. It can divert resources that could be used more productively elsewhere and creates a competitive disadvantage for those companies unwilling to engage in corrupt practices. 

From a legal perspective, the consequences of corruption can be severe, including criminal fines, disgorgement of profits, prison sentences for individuals involved in bribery and debarment from participating in government contracts or other business opportunities. 

Finally, corruption can damage a company’s reputation and lead to a loss of trust from customers, partners, and other stakeholders. The reputational issues can significantly impact the company’s ability to do business. In some cases, reputational damage can be challenging to overcome and result in long-term consequences for a company’s success.

Begin with an anti-corruption risk assessment

So where should an organisation start if it wants to prevent corruption from occurring? GoodCorporation advises its clients to begin with a risk assessment in order to accurately identify and prioritise the corruption risks it faces. Any company that fails to conduct a robust and specific bribery risk assessment cannot be confident that its anti-corruption programme addresses its corruption risks sufficiently.

Assessing corruption risks involves identifying potential risks and evaluating their likelihood and impact. Risk assessment can help businesses prioritise risks and develop strategies to mitigate or eliminate the negative consequences mentioned above. 

UK and US guidance on anti-corruption procedures

Even though the U.K. Bribery Act (UKBA) and the U.S. Foreign Corrupt Practices Act (FCPA) do not explicitly require a corruption risk assessment, both call for businesses to have effective and adequate procedures to prevent bribery and corruption.

The U.K. Ministry of Justice published Guidance on the factors that should be considered when determining whether a company has such procedures. These factors include:

  • The nature, scale, and complexity of the organisation’s business.
  • The organisation’s external and internal environment, including its relationships with persons who perform services for or on behalf of the organisation.
  • The organisation’s policies and procedures concerning bribery.
  • The top-level commitment of the organisation to preventing bribery.
  • The resources, training, and support available to staff to prevent bribery.
  • The communication (including the reporting) of the organisation’s policies and procedures on bribery.
  • The monitoring and review of the effectiveness of the organisation’s policies and procedures on bribery.

The Guidance includes five main categories of external risks that organisations may encounter: country risk, sectoral risk, transaction risk, business opportunity risk, and business partnership risk.

Country risk includes corruption and lack of transparent procurement and investment policies in a foreign government. Sectoral risk is the higher risk involved in specific industries, such as extractive industries and large-scale infrastructure. Transaction risk is present in certain transactions, such as charitable or political contributions, licenses and permits, and transactions related to public procurement. Business opportunity risk may arise in high-value projects involving multiple contractors or intermediaries. It also affects projects that are not priced at market rates or that lack a clear, legitimate purpose. Business partnership risk may involve higher risk relationships, such as those with intermediaries in transactions involving foreign government officials, groups or businesses working together, and connections with individuals holding political power.

A Resource Guide to the FCPA clarifies the requirements for companies to establish robust internal controls and procedures to prevent and detect corrupt practices. It could include conducting risk assessments to identify potential areas of vulnerability to corruption and implementing measures to mitigate those risks.

The U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC), which are responsible for enforcing the FCPA, have stated that companies that have effective compliance programmes, including risk assessment and internal controls, are less likely to violate the FCPA and may be eligible for more favourable treatment in the event of a violation. Therefore, it may be advisable for companies subject to the FCPA to conduct risk assessments as part of their compliance efforts.

The Guide explains that assessing risk is essential for creating an effective compliance programme and that the DOJ and SEC consider it when evaluating a company’s compliance programme. Universal, one-size-fits-all compliance programmes often fail because they do not allocate resources appropriately and need to focus more on high-risk areas.

A company that spends too much time on low-risk issues, such as modest entertainment and gift-giving, rather than addressing more significant risks, like large government bids or questionable payments to third parties, may be seen as having an ineffective compliance programme.

On the other hand, a company with a comprehensive, risk-based compliance programme implemented in good faith, even if it doesn’t prevent an infraction in a low-risk area, will likely be credited by the DOJ and SEC.

However, if a company fails to prevent an FCPA violation in a high-risk, economically significant transaction due to a lack of sufficient due diligence, it may receive reduced credit based on the quality and effectiveness of its compliance programme.

A company’s risk for FCPA violations should be considered when determining the appropriate level of compliance procedures, such as due diligence and internal audits. The right level of due diligence will depend on various factors, including the industry, country, size, and nature of the transaction, and the method and amount of third-party compensation.

The DOJ and SEC will consider whether and to what extent a company analyses and addresses the specific risks it faces when evaluating its compliance programme.

Key steps to an effective anti-corruption risk assessment

Step 1: Create a risk assessment plan to define the scope of the risks to be assessed, including the documents to be reviewed, stakeholders to interview, business activities, areas of operation and a suggested timeline. Guidance documents such as GoodCorporation’s Framework on Bribery and Corruption can be used as a checklist for the key areas to include.

Step 2: Conduct a gap analysis to identify any areas of weakness and vulnerabilities in the organisation’s anti-corruption controls and processes, including areas lacking oversight or inadequate management.

Step 3: Analyse the data from stakeholder interviews, internal reports, financial data, and policy reviews to identify potential corruption risks and areas for improvement.

Step 4: Use the document review and stakeholder interviews to create a risk map, with high risks clearly prioritised. The risk map should also include the recommendations to address the identified risks including new policies, employee training, and engagement with outside experts.

Step 5: Develop a system for ongoing monitoring to review progress against the recommendations to ensure effectiveness and keep the organisation’s risk profile under review.

Step 6: Communicate the risk assessment results to all relevant parties, including employees, management, and board members.

Step 7: Regularly update the anti-corruption risk assessment to address emerging risks and ensure its relevance and effectiveness.

GoodCorporation conducts anti-corruption risk assessments to help its clients identify their possible corruption risks, specific to the nature and location of their operations. Our anti-corruption risk assessments are tailored to the needs of an organisation and can be conducted at group or local level as required. Anti-bribery risk assessments should be carried out periodically, but especially in response to any significant changes to the nature or scope of the organisation. However, getting this right can be hard: our anti-corruption benchmark shows that developing adequate processes to properly assess corruption risks is proving to be a challenge, with 40% of the ABC risk assessment procedures assessed by GoodCorporation found to be inadequate.


* Although bribery is a form of corrupt practice, the U.K. Bribery Act 2010 specifically addresses it. In this article, I have intentionally separated bribery from other types of corrupt practices when relevant.