
Pauline Blondet, June 23 2023

A Guide to Launch and Run a Pragmatic Corruption Risk Assessment 🚀

Has anyone ever launched a corruption risk assessment and experienced some level of post-traumatic stress disorder afterwards? I have, and I am sure I am not alone. In this Friday Mood Post we explore the pitfalls of running a corruption risk assessment in your organization, and a few ideas to make the exercise a success without jeopardizing your mental health.

Risk Assessment is a tough exercise

I was working in a very decentralized group with 70+ business units, many of them in risky countries. We defined a solid methodology and a robust questionnaire to collect the right level of information for our corruption risk assessment, worked with our network of E&C correspondents, and engaged a reputable law firm to analyze the results, help us provide recommendations to the business, and define trackable mitigation measures so that we could follow our progress over time.

This was all supposed to be perfection on earth. In practice it took us more than a year to complete, cost us gigantic amounts in legal fees, and drowned us under mountains of information that we struggled to handle properly and in due time. That made it really difficult to extract actionable and measurable insights and measures, and it left me with a lasting wariness of risk assessments in general.

Some pitfalls can be:

Risk Assessment is not an option

A solid risk assessment is indeed the cornerstone on which an anti-corruption program should be built. And yet so many organizations stumble over this exercise.

To craft good preventive measures, we need to assess, map and understand our corruption risks across all our Business Units. This is the first pillar of a risk-based approach: most probably, we do not face the same risk in our Danish service entity as in the joint venture in Thailand we just created with a well-connected local tycoon to distribute our heavily regulated products! Run well, it is also one of the best ways for an Ethics & Compliance function to get to know the business in depth.

Below are a few key essentials to remember, as expected under the FCPA, the UK Bribery Act (UKBA) and Loi Sapin 2 (see AFA - Presentation of various regulatory frameworks for promoting business integrity across the world - May 2023):

There are as many risk assessments methodologies as there are organizations

We could write several books about the specifics of the methodologies that can be used to craft and deploy your risk assessment, and we outline a high-level pragmatic proposal below. What one should remember is that beyond the shared concepts of assessing likelihood and impact and identifying mitigation measures and actions to keep track of, each company does it quite differently.

So, if you are starting the exercise, or rethinking your methodology: chill out, there is no single truth out there (even though some claim otherwise). The purpose of the exercise is to monitor and proactively address our risks as an organization; the "how we will get there" varies quite significantly.

In developing our latest Risk Assessment solution at Upright Solutions, hand in hand with many Ethics & Compliance Teams in various organizations, we realized that there are as many approaches as there are companies, a few examples of which include: 

A proposed pragmatic approach

To navigate the complexities and avoid the pitfalls that can come with launching a risk assessment in your organization, you will find below a few ideas:

Define your scope, objectives & team

Understand the legal frameworks: the risk assessment can be linked to a framework, for example the Loi Sapin 2 and anti-corruption regulations in France, AFA recommendations and so on. We want to study the frameworks we are looking at, and infuse them in our understanding, so that we can define risks that we will want to assess. For example, risks for the compliance topic "anti-corruption" include facilitation payments, sponsorships and donations, interactions with government, license process, cash payments, gifts and entertainment etc.

Get support from the top: we want top management to sponsor the exercise for sure, and direct the message with respect to all the entities that will actually have to spend some time and resources contributing to the exercise. 

Be clear on the objective of the exercise: here, the pitfall is to lose ourselves in the perfect methodology or in theoretical and potentially pseudo-scientific discussions about gross and net risks and so on. We need to be precise and clear: what is the exercise about? It is about identifying and prioritizing the risks we face so that we know where to act and when. It is, and should be, an actionable exercise. The output should be an action plan with key actions in important areas, prioritized on a roadmap, rather than sophisticated risk calculations. Better to define a simple framework, try it out, learn from it and adjust it for next time than to create a state-of-the-art scientific methodology that will not be practical or effective.

Agree on a recurrence for the exercise: it’s heavy, so don't be too ambitious.

Scope is key: here, a classic pitfall is to want to run the assessment across the whole organization immediately, especially if we have never run this comprehensive exercise in this organization before. Unless we have a giant team and unlimited resources at our disposal, this is a guarantee that all your correspondents and ambassadors will hate the process and that the central team will be swamped with unmanageable results. Hence, a lot of resources for limited actionability. My two cents: start with a few key Business Units as a pilot to collect feedback on your methodology and process, learn and adjust. Then proceed in waves so that you are not swamped with the exercise and the analysis of the results.

Team makes the dream real: surround yourself well to run the exercise. We want a cross-functional team bringing together diverse perspectives, from legal to compliance to internal control, audit, finance, HR and other relevant departments. This also increases adoption of the process and promotes ownership of the findings. If the teams involved have contributed to the project definition, they will be far less reluctant to participate in the completion and to integrate the findings back into their operations. It is also a nice way to make the most of a small central team.

Get it right on tooling: running such exercises in a repeatable way will require some level of tooling, to automate the sending out, the compilation of answers, the reminders, and most importantly to organize, handle and make sense of the huge amount of data that will be collected. Think about everything that can be automated in that process, so as to focus the time and energy of your limited team on what really matters: the analysis of the results and definition and prioritization of actions going forward. 

Develop your risk assessment methodology 

Develop your methodology, and adjust it to your organization on the ground, considering in particular:

Corruption risk indicators: do you have locations or businesses that by nature are at higher risk? For example, think of all the places where you need to interact with government officials to obtain and keep your license as a regulated business?

Assess likelihood and impact

Decide on the scoring system and the scale you want to use to create your risk matrix: 1-3 / 1-5 etc. Make sure for simplicity and beauty of your matrix that you use the same scale for likelihood and impact.

What other data will you need to support the exercise? Think of other information you may want to collect in the process to not only create your risk matrix, but to also collect quantitative and qualitative information.

Conduct the risk identification

Who’s your target in each Business Unit? Ideally, the exercise should engage employees on various levels in the organization. A nice way to maximize your impact and keep it simple for you as a central team is to designate one correspondent per Business Unit who will be responsible to hold a session with key members of that Business Unit on the ground to answer the risk assessment for this business unit. Make sure the Business Unit management commits to the risk assessment result and mitigation plan.

You have your team, your target and your methodology; now it is about running with it. And this is where one absolutely needs a tool to manage the sending, the reminders, and the collection and consolidation of all results for your review. This does not prevent you from running sessions or interviews, but be sure to use technology to collect, review and amend the information collected and to aggregate it swiftly afterwards, thereby documenting all your effort in a repeatable and manageable way.

To understand this point better, simply run the maths in your head: imagine you want to evaluate 10 risks in 30 BUs, and that every risk is evaluated by collecting 10 data points, i.e. 10 questions covering things like likelihood, financial impact, reputational impact, existing controls etc. This very concise risk assessment approach alone will yield 10 x 30 x 10 = 3,000 data points you will have to consume, analyze and act upon once collected. Add to that 3-4 mitigation measures per risk per BU, and you will know that Excel won't cut it if you want to roll out, get completed, review, send back, remind and aggregate all that information swiftly, with an audit trail and full documentation. Unless of course you don't mind getting mad along the way.

This is also the place where you identify risks that you didn't know about and that may be very specific to a Business Unit. I recommend to enable your Business Units to let you know of risks you may not have thought about from the ivory tower in the head office.

You also want the Business Units to let you know what they recommend doing to mitigate these risks, they often know better about the realities on the ground than the central team!

Evaluate and Prioritize Risks

Thanks to your carefully crafted risk map, which gives each risk a likelihood score and an impact score, you will see at a glance which risks or which Business Units require the most attention. This ranking will guide the mitigation efforts to come. Everything in the top right corner of your map deserves prioritized attention, of course.
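To make the scoring and ranking concrete, here is an added example (not code from the post or from the Upright Solutions tool) that takes questionnaire answers on a single 1-5 scale for likelihood and impact, rejects out-of-scale scores at intake, ranks every (Business Unit, risk) pair by likelihood x impact, rolls the results up per Business Unit and per risk, and renders the matrix as a text heat map. The Business Units, risks and scores are constructed sample data, and the zone thresholds (both scores above the midpoint of the scale count as the "top right corner") are an assumption for the example, not a rule from the post.

```python
from collections import defaultdict

SCALE = (1, 5)  # Same scale for likelihood and impact, as the post recommends.

# Constructed sample answers (not real assessment data):
# (business_unit, risk, likelihood, impact)
SAMPLE_ANSWERS = [
    ("Denmark services", "Gifts and entertainment", 2, 2),
    ("Denmark services", "Interactions with government", 1, 3),
    ("Thailand JV", "Interactions with government", 5, 5),
    ("Thailand JV", "Facilitation payments", 4, 4),
    ("Thailand JV", "Gifts and entertainment", 3, 3),
    ("Brazil distribution", "Third-party intermediaries", 4, 5),
    ("Brazil distribution", "Cash payments", 3, 4),
    ("Brazil distribution", "Gifts and entertainment", 2, 3),
]


def validate(answers, scale=SCALE):
    """Reject scores outside the agreed scale before they reach the matrix.

    A 1-10 answer slipped into a 1-5 matrix silently dominates the ranking,
    so it is cheaper to fail loudly at intake.
    """
    lo, hi = scale
    bad = [a for a in answers if not (lo <= a[2] <= hi and lo <= a[3] <= hi)]
    if bad:
        raise ValueError(f"scores outside the {lo}-{hi} scale: {bad}")
    return answers


def score(likelihood, impact):
    """Plain likelihood x impact; the post argues against anything fancier."""
    return likelihood * impact


def zone(likelihood, impact, scale=SCALE):
    """Place a cell in the matrix: 'high' is the top-right corner.

    Thresholds (both scores above the midpoint of the scale) are an
    assumption for this example, not a rule from the post.
    """
    lo, hi = scale
    mid = (lo + hi) / 2
    if likelihood > mid and impact > mid:
        return "high"
    if likelihood <= mid and impact <= mid:
        return "low"
    return "medium"


def rank_risks(answers):
    """All (BU, risk) pairs, highest score first; ties broken by name."""
    rows = [
        (bu, risk, lik, imp, score(lik, imp), zone(lik, imp))
        for bu, risk, lik, imp in answers
    ]
    return sorted(rows, key=lambda r: (-r[4], r[0], r[1]))


def heat_by_bu(answers):
    """Per Business Unit: number of 'high' cells, worst score, answer count.

    Sorted so the BU that needs attention first comes first.
    """
    agg = defaultdict(lambda: {"high": 0, "max": 0, "n": 0})
    for bu, _risk, lik, imp in answers:
        cell = agg[bu]
        cell["n"] += 1
        cell["max"] = max(cell["max"], score(lik, imp))
        if zone(lik, imp) == "high":
            cell["high"] += 1
    return dict(sorted(agg.items(), key=lambda kv: (-kv[1]["high"], -kv[1]["max"])))


def heat_by_risk(answers):
    """Per risk, across BUs: which BUs rated it 'high' (most BUs first)."""
    agg = defaultdict(list)
    for bu, risk, lik, imp in answers:
        if zone(lik, imp) == "high":
            agg[risk].append(bu)
    return dict(sorted(agg.items(), key=lambda kv: -len(kv[1])))


def render_matrix(answers, scale=SCALE):
    """Text heat map: rows are impact (highest at top), columns are likelihood."""
    lo, hi = scale
    cells = defaultdict(int)
    for _bu, _risk, lik, imp in answers:
        cells[(lik, imp)] += 1
    lines = []
    for imp in range(hi, lo - 1, -1):
        row = " ".join(f"{cells[(lik, imp)]:>2}" for lik in range(lo, hi + 1))
        lines.append(f"impact {imp} | {row}")
    axis = " ".join(f"{lik:>2}" for lik in range(lo, hi + 1))
    lines.append("           " + axis + "  likelihood")
    return "\n".join(lines)


if __name__ == "__main__":
    answers = validate(SAMPLE_ANSWERS)
    for bu, risk, lik, imp, s, z in rank_risks(answers):
        print(f"{s:>2} {z:<6} {bu:<20} {risk}")
    print(render_matrix(answers))
    print(heat_by_bu(answers))
    print(heat_by_risk(answers))
```

With the sample data, the Thailand joint venture's interactions with government (5 x 5) lands at the top, followed by the Brazilian third-party risk (4 x 5), and the per-BU roll-up puts the Thailand JV first because it has two cells in the high zone. The same functions scale to the 3,000 data points of the 10 risks x 30 BUs scenario: the point is that once answers are structured records rather than spreadsheet cells, the ranking and the roll-ups come for free.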

Develop Mitigation Strategies and related controls

This step is about adopting measures to reduce the likelihood of the risk materializing. Consider preventive measures such as robust policies, enhanced due diligence for third parties, segregation of duties, controls, and effective reporting channels. I recommend using the business units to propose what mitigation measures they recommend and why, and document their effort. Here again, you will want to automate the tracking of the implementation of the mitigation measures in each Business Unit so that you know where you stand.

Document your findings

You have just created and run a process that enables the organization to be proactive in managing risks! You need to report on this, including in particular key areas of risk and high level action plan to your Compliance Committee and across your organization to increase awareness and further support to the actions that will need to be carried out in the organization. 

Keep it alive and keep going

The end of the main cycle is actually the beginning of the mitigation cycle. Now it’s about keeping track of all the actions that need to be carried out, some of them may take 2 years to implement. The name of the game is to keep track and stay focused on all the mitigation measures that will need to be implemented, with due dates and clear accountability. And of course, ensure to regularly review and update the risk assessment exercise to reflect changes in the organization's environment, faced regulations, and business operations. Learn from past experiences, incorporate lessons learned, and refine the assessment process accordingly.

I hope the above guide is helpful to keep your eyes on the prize as you define and get ready to run your corruption risk assessment, without PTSD or any other negative consequences.

Follow Upright Solutions ApS on LinkedIn for more Ethics & Compliance content!

