Introduction
Since 2018, the OECD has been carrying out the OECD South East Asia Anti-Corruption and Business Integrity (SEACAB) Project1The SEACAB Project is part of the OECD Anti-Corruption & Integrity Project, an initiative financed by the United Kingdom’s Prosperity Fund., which aims to promote business integrity in the region, including by strengthening businesses’ awareness of, and ability to mitigate, corruption risks. The Project is delivered in collaboration with key partners and projects in the region. Among the activities being carried out under the auspices of the SEACAB Project are: (i) regional thematic workshops and collective action events, (ii) capacity building, (iii) regional reports on anticorruption trends and corruption risk assessments.
This last deliverable, launched under the name “Self-Evaluation Tool for Corruption Risk Assessment Processes”, is an interactive tool designed specifically for small and medium-sized enterprises (SMEs)2SMEs is a company with less than 250 employees., whether they are operating in Southeast Asia or in other regions. This approach was chosen, in order to support companies in implementing corruption risk assessments throughout MNE supply chains.
This tool is designed sufficiently broad such that it accounts for the diversity of SMEs, which may vary considerably in their characteristics, and that the proposed tool has the adequate length and complexity that it does not require large amounts of time and human resources, which is important from the viewpoint of SMEs. Therefore, this is not an exhaustive tool, and it is designed to be quick and clear, providing at the end of the questionnaire a list of sources of information that SMEs could use to improve their corruption risk assessments, depending on their score.
This Self-Evaluation Tool for Corruption Risk Assessment Processes builds on key topics found in national and international corruption risk standards. It may be used by SMEs to identify areas of potential improvement in established corruption risk assessment processes.
The Self-Evaluation Tool for companies does not constitute any kind of certification of corruption risk assessment processes. Nor does it attest as to whether a company meets any applicable national legal requirements. The tool is also without prejudice to the views of OECD members and other members of the OECD Working Group on Bribery.
What is a Corruption Risk Assessment?
A risk assessment is a mapping process to assess the risks to the achievement of company objectives. Specifically, a corruption risk assessment aims to detect and measure the areas and activities at risk of non-compliance with national legislation and relevant international standards and good practices in the anti-corruption field. The corruption risk assessment should cover all types of domestic and international business transactions and operations a company undertakes, consider the business context and environment in which the company operates, and the country and/or regions in which these activities occur. A corruption-risk assessment process cannot ignore the integrity and reputation of third parties engaged on behalf of the company3This is a well-established expectation in international business conduct standards for example. For more information, please visit the OECD RBC guidelines cover the supply chain and business relationships., as they may also be exposed to corruption-related risks.
A corruption risk assessment is not a static and once-off process. On the contrary, it should be an on-going and proactive activity that provides the basis for updating and refining a company’s corruption-related internal controls and anti-corruption programmes (where applicable). It allows companies to tailor mitigating policy responses to specific, identified corruption risks4OECD Greece-OECD Project: Technical Support on Anti-Corruption, Greek Industry Corruption Risk Review and Risk Assessment Guidelines. Furthermore, publishing information about the company’s corruption-risk management processes and, where possible, the results of a tailored corruption risk assessment sends a clear and powerful message to stakeholders, clients, third parties and regulators that the company takes corruption seriously and is committed to preventing, reducing and tackling its occurrence5OECD Greece-OECD Project: Technical Support on Anti-Corruption, Greek Industry Corruption Risk Review and Risk Assessment Guidelines.
A corruption risk assessment process comprises the identification, analysis and evaluation of the risk of defined categories of corruption.6https://rm.coe.int/eccd-cra-methodology-proposal-en/168098f194#:~:text=A%20CRA%20is%20a%20(diagnostic,as%20%E2%80%9Cco%2Dordinated%20activities%20to
Why is the Self-Assessment Tool for Corruption Risk Assessment Processes useful for your company?
Assessment of corruption risks is fundamental to mitigating disruptions, to the achievement of financial and non-financial objectives and for ensuring that corruption-related controls are fit for purpose. Furthermore, it is another factor that law enforcement authorities evaluate when assessing a company’s compliance program.
A risk management process enables companies to identify areas of risk that could produce disruptions and problems in their regular activities and address them early and effectively. In the context of anti-bribery and corruption compliance, a corruption risk assessment is often a mandatory component for any effective compliance programme. Indeed, many countries have included this as a legal requirement in their anticorruption laws and regulations for companies. For example, Chile has established the obligation under article 4 of Law 20.3937https://www.bcn.cl/leychile/navegar?idNorma=1008668 for companies to adopt a prevention model that includes a risk assessment. In Europe, France8https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000033558528/ and the UK9UK has provided guidance around the parameters of a risk assessment. The UK Ministry of Justice (MOJ), in Principle III of the Six Principles of an Adequate Procedures compliance program, discusses risk assessment. It mandates that a company should assess “the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it.” Further, a risk assessment should be performed on a periodic basis, it should be reasoned and it should be documented. From this risk assessment, a company should then be able to “promote the adoption of risk assessment procedures that are proportionate to the organisation’s size and structure and to the nature, scale and location of its activities.” UK Bribery Act 2010. among other countries have also included this as a legal requirement for companies operating in their markets and abroad. In the US, the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have released specific FCPA guidance for companies to understand the potential legal risks associated with doing business in foreign countries within the context of the FCPA and take steps to implement and update their compliance programs.10https://www.justice.gov/criminal-fraud/fcpa-resource-guide In Southeast Asia, Thailand has enacted legislation and issued guidance for private business to assess and manage corruption risks.11https://www.nacc.go.th/abas/upload/download/guidelines_en.pdf
An effective corruption risk assessment process enables each company to identify and to focus its efforts and resources to better address corruption. This assessment process not only reduces the risks of diversion of assets through corruption and significant criminal penalties and legal fees for the company, but also reduces costs as resources allocated to compliance efforts can be more accurately estimated. At the same time, there will be a cost reduction from finances being channeled to more effective controls that target priority risks and those that fall beyond the company’s risk tolerance.
Objective of the Indicator
The Self-Evaluation Tool for Corruption Risk Assessment Processes is intended for SMEs that already have anti-bribery and corruption compliance programmes based on previous corruption risk assessment of their businesses. With this tool, we are not intending to help companies to build their corruption risk assessment processes from scratch, but to help them identify any weaknesses of their assessment process and to understand its level of maturity of their assessment methodology in order to improve said processes. This will allow companies to better invest their resources while improving their procedures to develop a culture of integrity, while reducing costs and time and, most importantly, their risk of corruption.
Tips for use
When carrying out an evaluation of existing corruption risk assessment processes, companies should ask several employees to participate in the evaluation. For example, if a compliance manager does the evaluation, eliciting other viewpoints, such as those from an audit colleague or a legal colleague, could help further understand the maturity/situation of the organisation. Staff involved in bidding for government contracts, and in choosing suppliers of products and services, may also offer valuable insights about potential to improve corruption risk assessment processes.
Methodology
The Self-Evaluation Tool for Corruption Risk Assessment Processes is based on a benchmarking of international and national standards that have been tested with OECD and private sector experts.
This list of international standards is not exhaustive but includes some of the most frequent elements referred to in international and national guidance.