Illustration: Storyset
It is fair to say that many – if not the majority of – public servants do their work diligently and honestly, to the best of their abilities – nevertheless, government departments and institutions remain at high risk for corruption. The same applies to the private sector, especially in its engagements with public entities.
The risk of corruption is ever-present in the awarding of contracts, the disbursement of social grants, the issuing of driving and vehicle licenses, and a host of other intersections between the public and government. In South Africa the public is well aware of the long-standing corruption that plagues these, and other, situations.
Risk assessment is a preventive step that seeks to assess a system or process for weaknesses which can be exploited by those wanting to engage in corruption, and also for the capability and effectiveness of the system or process in mitigating those risks. The diagnostic exercise can be organisation-wide, or targeted at specific areas, such as business associates or projects.
The UN Office on Drugs and Crime (UNODC), in its useful publication STATE OF INTEGRITY: A GUIDE ON CONDUCTING CORRUPTION RISK ASSESSMENTS IN PUBLIC ORGANIZATIONS, notes that the UN Convention against Corruption (UNCAC) requires states parties to have “effective and efficient systems of risk management and internal control” as a means for promoting “transparency and accountability in the management of public finances”. This is found in UNCAC Article 9, which deals specifically with public procurement and the management of public finances.
UNCAC also defines several types of corruption risks, including active and passive bribery, bribery in the private sector, money laundering, abuse of functions, and trading in influence, among others.
All of these forms of corruption ultimately result in an elite few benefiting and a majority suffering deprivation, with an accompanying loss of public trust or failure to carry out a mandate. Corruption risk management, therefore, can contribute to the enhanced delivery of services to citizens, reduce loss of revenue, or safeguard law enforcement operations and human security, says UNODC. This is especially important for public sector organisations, which do not have limitless resources. “It is therefore of key importance for the rule of law and sustainable development.”
And risk assessment is a valuable weapon in an anti-corruption or anti-bribery strategy, as a company or organisation will know where the risks lie and can act against their emergence. Risk assessment also involves determining the tolerance for that risk and how far an organisation will go to mitigate it. Cost-effective measures can then be designed specifically to mitigate all risks, or just specific or major ones.
“A best practice risk assessment procedure gives a company a systematic and objective view of bribery risks,” advises Transparency International UK (TI-UK).
Risk assessment and due diligence
Risk assessment is not to be confused with due diligence, which is when an entity conducts inquiries into specific countries, transactions, projects, or business associates with the aim of learning more about them and the possible risks they may pose. The results of the due diligence would contribute to the overall risk assessment, says the Global Infrastructure Anti-Corruption Centre (GIACC).
While the two concepts are separate but related and do work together, GIACC adds, it is in principle possible to undertake a risk assessment without undertaking specific due diligence.
“For example, if an organisation is very familiar with the countries in which it works, and works with long-term well-known business associates, it may not need to undertake any specific due diligence when undertaking a risk assessment, as it is already aware of the critical points due to previous due diligence carried out.”
Furthermore, if the corruption risk is known to be low in relation to certain transactions, projects, or business associates, an organisation will not normally need to undertake due diligence. But when the environment is new to the organisation and the business partners or country setup are unfamiliar or may carry a higher risk, then some due diligence is likely to be necessary, says GIACC, before the risk assessment can properly be completed.
“While it is possible for a risk assessment to stand alone without due diligence, due diligence is essentially a tool only carried out in cases where the organisation is assessing risk, and needs further information in order to enable it properly to complete its assessment.”
Determining the risks
For organisations, corruption risks may be found in factors such as business or strategic partners, suppliers, contractors and consultants, the sector or country in which the organisation works, the type of work it does, and its very size and structure.
These risks, says the U4 Anti-Corruption Resource Centre, may take the form of:
- Fiduciary risks (because of fraud or theft).
- Legal risks (when violating laws).
- Safety risks (increasing the likelihood of accidents or illness).
- Operational risks (viability to achieve objectives).
- Information risks (hiding or withholding important data).
- Reputational risks.
However, says UNODC, the success of the risk assessment depends very much on the intentions behind the exercise, and the involvement of both staff and management.
“The process … will only be effective if implemented with the genuine desire to detect and fix any real shortcomings identified within the organisation. It is most suitable for environments where the management of the organisation is convinced of the need to better manage corruption risks, and it will only be successful where the organisation’s leadership and staff are genuinely invested in the process.”
It is crucial to establish the scope of the exercise, for instance whether it will be comprehensive or targeted, before starting anything.
“In the case of an organisation undertaking only one type of work in one low risk country with a small number of low risk business associates, the assessment may be quite simple. In the case of an organisation working in many countries, with many different types of work and many categories of higher risk business associates, the risk assessment is likely to be more complex,” says GIACC.
UNODC also cautions against the use of external stakeholders in the process. “No one should know an organisation’s procedures and vulnerabilities better than those who work for it. A process led by staff from the organisation is the preferred course of action because it forces the organisation to identify and confront its own vulnerabilities, as well as the corruption risks those vulnerabilities create.”
The results, says Transparency International, can be presented in several ways, such as a corruption risk map which highlights key stages, actors and/or relationships in the process under analysis. Another visual tool is the corruption risk matrix which is often used to prioritize risks, or simply a table or checklist.
Stages of a risk assessment exercise
While the depth and complexity of a risk assessment will differ from organisation to organisation, depending on the scope and desired outcome, TI-UK identifies six stages in a typical risk assessment exercise.
- Ensure top level commitment and oversight: Top level commitment is key to effective risk management. The board and senior management provide leadership and commitment to drive adequate and continuing risk assessment and ensure the process does not falter or lose quality.
- Plan, scope and mobilise: The planning stage prepares the ground for the risk assessment process. A planning team should consider the following aspects: appointing the project lead, defining stakeholders, allocating team responsibilities, identifying information sources drafting plan for risk assessment, communicating plan and requirements to those involved in the exercise.
- Gather information: Create a comprehensive catalogue of inherent bribery/corruption risks to which the company could plausibly be exposed by virtue of the nature and location of its activities.
- Identify the bribery risks: The objective of this stage is to identify and examine the activities and risk factors that could increase the company’s exposure to bribery risk.
- Evaluate and prioritise the risks: The risk evaluation stage analyses and prioritises the forms of bribery identified in stage 3 taking into account the risk factors in stage 4. Common practice is to apply two variables to prioritise risks: likelihood of occurrence and the potential adverse impact.
- Use the output of risk assessment: The results of risk assessments are applied to a review of the anti-bribery/anti-corruption programme and the extent to which existing controls need modification or additions.
UNODC identifies seven steps:
- Establish the environment within which the organisation operates, including its mandates, functions, and stakeholders.
- Establish a working group to identify the potential corruption risks.
- Analyse and prioritise the risks.
- After reviewing the existing controls and determining the needs and feasibility of new controls, develop a mitigation plan or measures and determine the indicators with which to evaluate the impact.
- Implement the measures.
- Evaluate the impact of the measures, and make recommendations.
- Adjust the process, infrastructure, resources, and capacity.
“While every risk assessment is influenced and determined by an organisation’s culture and mission, the process articulated in this guide is a universal approach that can easily be adapted to every organisation’s needs,” concludes UNODC.
But whatever the methods used and however many steps it takes, a risk assessment is a valuable anti-corruption tool whose usefulness should not be underestimated.