A Guide to Launch and Run a Pragmatic Corruption Risk Assessment 🚀

Anyone who ever launched a corruption risk assessment and experienced some level of post traumatic stress disorder afterwards? I have, and I am sure I am not alone in this case. In this Friday Mood Post we explore the pitfalls of running a corruption risk assessment in your organization, and a few ideas to make this exercise a success without jeopardizing your mental health.

Risk Assessment = Trauma potential

I was working in a very decentralized group with +70  business units, in risky countries. We defined a solid methodology, a  robust questionnaire to collect the right level of information for our corruption risk assessment, worked with our network of E&C correspondents, as well as with a reputable law firm to analyze the results and help us provide recommendations to the business and trackable mitigations measures to enable our progress over time.

This was all supposed to be perfection on earth, however it took us more than one year to complete, cost us gigantic amounts in lawyer fees, and drowned us under mountains of information that we had a hard time handling properly and in due time, making it really difficult to identify actionable and measurable insights and measures, all of the above leaving me with some level of PTSD regarding risk assessments in general. 

Some pitfalls can be:

• Focusing on the perfect methodology and loosing the end goal of the exercise 
• Being too ambitious and underestimating the size of the beast
• Overloading your Central Ethics & Compliance Team
• Overloading the Business Units and creating resistance
• Not being able to handle all the responses
• People using the exercise as an audit rather than a risk assessment
• Not making sense of the results
• Not being able to prioritize actions and resources

Risk Assessment is not an option

A solid risk assessment is indeed the cornerstone on which an anti-corruption program should be based. And yet so many seem to stumble upon this exercise.

To craft good preventing measures, we do need to assess, map and understand our corruption risks in all our Business Units. This is the first pillar of our risk based approach as, most probably, we do not face the same risk in our Danish service entity as in this joint venture in Thailand we just created with a local well connected tycoon to distribute our heavily regulated products! It’s also for us, as an Ethics & Compliance function, one of the best ways to get to really know our business in depth if we run it well. 

Below a few key essentials to remember, as required by the FCPA, UKBA, and Loi Sapin 2 (AFA - Presentation of various regulatory frameworks for promoting business integrity across the world - May 2023):

• We need to run the exercise for all of our group entities, considering risk factors such as country risk and industry sector.
• The risk assessment exercise must enable us to evaluate and prioritize risks and finally come up with an action plan to ensure the prevention of such risks.
• And of course, our risk assessment exercise needs to be updated regularly, and ad hoc when necessary (for example in case of merger or opening of a new market).

There are as many risk assessments methodologies as there are organizations

We could write several books about the specifics of the methodologies that can be used to craft and deploy your risk assessment, and we will go into a high level pragmatic proposal afterwards. What one should remember is that beyond the concepts of assessing likelihood and impact and identifying mitigation measures and actions to keep track of, each company does it quite differently. 

So, if you are starting the exercise, or rethinking your methodology: chillout, there is not one truth out there (even though some claim otherwise). The purpose of the exercise is to monitor and proactively address our risks as an organization, the 'how-we-will-get-there' varies quite significantly.

In developing our latest Risk Assessment solution at Upright Solutions, hand in hand with many Ethics & Compliance Teams in various organizations, we realized that there are as many approaches as there are companies, a few examples of which include: 

• Likelihood and impact: first, while the majority of companies do use likelihood and impact, they use very different scales. Some companies work on risks with a scale of 1-5 some 0-3, some 1-5 on likelihood and € amount on impact.

• Gross vs. net likelihood: some companies work with net likelihood only, asking their team members questions such as: “in light of all the measures we have, how likely is it that this risk will materialize?” Other companies calculate a gross likelihood before a net likelihood. They first ask about the risks faced generally; to then ask about the mitigation measures in place and their impact on the likelihood that the risk will materialize.
• Types of impact: some organizations are mostly interested in the financial impact of the risk materializing, while others want to measure reputational, legal, employment impact and so on, so that they can approach the risk from a variety of perspectives.
• Who participates in identifying risks: some organizations want to enable local businesses to identify their risks, thinking that it would be almost arrogant to think as the central Ethics & Compliance Team that we would be the only ones able to identify risks faced at a local level in our group. Others want to identify risks centrally only, as they believe that their field organization doesn’t always exhibit the right level of risk sensitivity, as they see “opportunities only”. Lastly, others propose a hybrid approach, where a few key risks are identified centrally while enabling the local teams to contribute on adding risks and informing the risk identification.
• What actions and measures should be taken: some organizations want to provide their business units with pre-defined mitigation measures, listing for them the usual policy refresher or training sessions, while others prefer that each business unit thinks about the recommended measures to address the risk at stake themselves. 

A proposed pragmatic approach

To navigate the complexities and avoid the pitfalls that can come with launching a risk assessment in your organization, you will find below a few ideas:

Define your scope, objectives & team

Understand the legal frameworks: the risk assessment can be linked to a framework, for example the Loi Sapin 2 and anti-corruption regulations in France, AFA recommendations and so on. We want to study the frameworks we are looking at, and infuse them in our understanding, so that we can define risks that we will want to assess. For example, risks for the compliance topic "anti-corruption" include facilitation payments, sponsorships and donations, interactions with government, license process, cash payments, gifts and entertainment etc.

Get support from the top: we want top management to sponsor the exercise for sure, and direct the message with respect to all the entities that will actually have to spend some time and resources contributing to the exercise. 

Be clear on the objective of the exercise: here, the pitfall is to lose ourselves in the perfect methodology or theoretical and - potentially - pseudo-scientific discussions about gross and net risks and so on. We need to be precise and clear: what is the exercise about? It is about identifying and prioritizing the risks we face so that we know where to act and when. It is and should be an actionable exercise. The output should be an action plan with key actions in important areas, prioritized on a roadmap, rather than sophisticated risk calculations.  Better to define a simple framework and try it out to then adjust it for next time and learn from it than creating the perfect state of the art scientific methodology that will not be practical and effective.

Agree on a recurrence for the exercise: it’s heavy, so don't be too ambitious.

Scope is key: here, a classic pitfall is to want to run the assessment in all our organization immediately, especially if we have never run this comprehensive exercise in this given organization before. Unless we have a giant team and unlimited resources at our disposal, this is a guarantee for all your correspondents and ambassadors to hate the process, and for the central team to be swamped with unmanageable results. Hence, a lot of resources for limited actionability of the exercise. My fifty cents is to start with a few key Business Units as a Pilot to collect feedback on your methodology and process, learn and adjust. Then proceed with waves so that you are not swamped with the exercise and the analysis of the results.

Team makes the dream real: surround yourself well to run the exercise. We want a cross-functional team, bringing together diverse perspectives, from legal to compliance to internal control, audit, finance, HR and other relevant departments. This also enables increased adoption of the process and promotes ownership of the findings. If teams involved have contributed to the project definition, they will be way less reluctant to participate in the completion and integrate the findings back into their operations. It is also a nice way to maximize your team.

Get it right on tooling: running such exercises in a repeatable way will require some level of tooling, to automate the sending out, the compilation of answers, the reminders, and most importantly to organize, handle and make sense of the huge amount of data that will be collected. Think about everything that can be automated in that process, so as to focus the time and energy of your limited team on what really matters: the analysis of the results and definition and prioritization of actions going forward. 

Develop your risk assessment methodology 

Develop your methodology, and adjust it to your organization on the ground, considering in particular:

Corruption risk indicators: do you have locations or businesses that by nature are at higher risk? For example, think of all the places where you need to interact with government officials to obtain and keep your license as a regulated business?

Assess likelihood and impact

Decide on the scoring system and the scale you want to use to create your risk matrix: 1-3 / 1-5 etc. Make sure for simplicity and beauty of your matrix that you use the same scale for likelihood and impact.

• Likelihood: typically people distinguish here between gross likelihood and net likelihood. The idea is that as a business unit you face some level of a risk materializing (gross likelihood), that is then mitigated in light of all the measures that are already in place to manage this risk (net likelihood). The difference between the gross and the net is the effectiveness of the mitigation measures in place. All you need to ask: how likely is this risk to materialize generally in this business unit (i.e. given the country it is located in, the nature of the services it provides etc), irrespective of all the measures we have in place (gross likelihood); and compare that evaluation with a follow-up question that aims at bearing in mind the already existing measures that have been put in place to prevent this risk from happening (net likelihood).
• Impact: how bad would it be if this risk materialized? Which impact do you care about as an organization? Just financial, or do you also want to collect some legal or reputational impact?

What other data will you need to support the exercise? Think of other information you may want to collect in the process to not only create your risk matrix, but to also collect quantitative and qualitative information.

Conduct the risk identification

Who’s your target in each Business Unit? Ideally, the exercise should engage employees on various levels in the organization. A nice way to maximize your impact and keep it simple for you as a central team is to designate one correspondent per Business Unit who will be responsible to hold a session with key members of that Business Unit on the ground to answer the risk assessment for this business unit. Make sure the Business Unit management commits to the risk assessment result and mitigation plan.

You have your team, your target, your methodology, now it is about running with it. And this is where one absolutely needs a tool to manage the sending, reminders, and collecting and consolidating of all results for your review. This does not prevent you from running sessions or interviews, but be sure to use technology to collect, review and amend the information collected, aggegrate it swiftly afterwards, thereby documenting all your effort in a repeatable and mangeable way. 

To understand this point better, simply run the maths in your head: imagine you want to evaluate 10 Risks in 30 BUs. And imagine that every Risk is evaluated by collecting 10 data points, i.e. 10 questions covering things like likelihood, financial impact, reputational impact, existing controls etc. This - very concise - risk assessment approach alone will yield 10x30x10 = 3,000 data points you'll have to consume, analyze and act upon once collected. Add to that 3-4 mitigation measures per risk per BU, and you'll know that Excel won't cut it, if you want to roll-out, get completed, review, send back, remind and aggegate all information swiftly, with an audit trail, and full documentation. Unless of course you don't mind getting mad along the way.

This is also the place where you identify risks that you didn't know about and that may be very specific to a Business Unit. I recommend to enable your Business Units to let you know of risks you may not have thought about from the ivory tower in the head office.

You also want the Business Units to let you know what they recommend doing to mitigate these risks, they often know better about the realities on the ground than the central team!

Evaluate and Prioritize Risks

Thanks to your carefully crafted risk map, enabling you for each risk to assess a likelihood score and an impact score, you will know very easily which risks or which Business Units require the most attention. This ranking will guide mitigation efforts to come. Everything that is in the top right corner of your map deserves prioritized attention of course.

Develop Mitigation Strategies and related controls

This step is about adopting measures to reduce the likelihood of the risk materializing. Consider preventive measures such as robust policies, enhanced due diligence for third parties, segregation of duties, controls, and effective reporting channels. I recommend using the business units to propose what mitigation measures they recommend and why, and document their effort. Here again, you will want to automate the tracking of the implementation of the mitigation measures in each Business Unit so that you know where you stand.

Document your findings

You have just created and run a process that enables the organization to be proactive in managing risks! You need to report on this, including in particular key areas of risk and high level action plan to your Compliance Committee and across your organization to increase awareness and further support to the actions that will need to be carried out in the organization. 

Keep it alive and keep going

The end of the main cycle is actually the beginning of the mitigation cycle. Now it’s about keeping track of all the actions that need to be carried out, some of them may take 2 years to implement. The name of the game is to keep track and stay focused on all the mitigation measures that will need to be implemented, with due dates and clear accountability. And of course, ensure to regularly review and update the risk assessment exercise to reflect changes in the organization's environment, faced regulations, and business operations. Learn from past experiences, incorporate lessons learned, and refine the assessment process accordingly.

I hope the above guide is helpful to keep your eyes on the prize as you define and get ready to run your corruption risk assessment, without PTSD or any other negative consequences.

Follow Upright Solutions Aps on Linkedin for more Ethics & Compliance content!