Risk assessment, as well as Opportunity Management as per ISO 37001:2016, is the basic foundation for the development and implementation of an effective anti-bribery programme. It is a live procedure which gives a company a systematic and hierarchical view of where the significant inherent bribery risks and opportunities of anti-bribery process lie. The results of these risk assessments are used to design the controls to mitigate or take contingency actions on the prioritised bribery risks. This process is strategic and critical as the information gained through risk assessment will shape the overall design of the anti-bribery management system and ensure through an ongoing risk assessment that the design is always valid and being improved. Many companies have some sort of a risk assessment procedures and anti-bribery programmes though not documented, and therefore the process as guided towards implementation and certification from Ascent WORLD is highly recommended.
Assessment of risks and opportunities of not giving Bribery- is fundamental to developing a strong compliance and implementation program- are generally to be conceived and made effective because resources and processes are to be effective and inevitably spread. Spending non-required time to policing small entertainment and gift-giving instead of focusing on larger government bids, non-relevant payments to third-party consultants, or passing on excessive discounts to customers, resellers and distributors may indicate that a company’s anti-bribery management program is ineffective.
Risk assessment is a basic methodology that can be undertaken by all sizes of companies based on the scale and depth of the process. The common guiding process principles for risk assessment may be:
- Methodical: It is a systematic and recurring procedure- repeat this process.
- Vigilance: It demands brainstorming, identification, understanding, open-mindedness, and vigilance to be alert to risks.
- Completeness: It covers all the activities and processes of the company- cash or kind or gifts.
- Focused: Resources and process assets are not infinite and the focus should be on the real, most significant (magnitude wise), risks.
Majorly companies face bribery risks to some degree or the other, but companies are not sure if they have they have taken the appropriate approach and designed the correct controls if they do not know the magnitude of the risks if such risks give rise to further risks, where the risks lie, how bribery can take place- in which process, which are the largest risks (magnitude wise) for the company and its personnel, regulatory risks, and what areas make bribery risks more likely.
6 STEPS OF A RISK ASSESSMENT EXERCISE DURING ISO 37001:
STEP 1: TO ENSURE TOP-LEVEL COMMITMENT AND OVERSIGHT
STEP 2: TO PLAN, SCOPE AND MOBILISE
STEP 3: TO GATHER INFORMATION WHEREVER POSSIBLE
STEP 4: IDENTIFY THE BRIBERY RISKS AND OPPORTUNITIES OF ANTI-BRIBERY
STEP 5: TO EVALUATE AND PRIORITISE THE RISKS
STEP 6: TO USE THE OUTPUT OF RISK ASSESSMENT TO DEVELOP OPERATIONAL CONTROLS
- Ensure top-level commitment and oversight: Top Management or all levels of Management’s commitment is key to effective risk management. The board and senior management, as well as all other Management levels, provide leadership and accountabilities to drive adequate and continuing risk assessment, and ensure the process does not falter or lose quality.
- Plan, scope and mobilize: The planning stage prepares the basics for the risk assessment process. A planning team(personnel may be internal or external) should consider the following aspects: appointing the project leader, defining interested parties and their needs and expectations, allocating team responsibilities and authorities, identifying information sources drafting a plan for risk assessment, communicating plan and requirements to those involved in the exercise. This can be done for process and personnel competence.
- Gather information: Create a comprehensive data of inherent/potential bribery risks to which the company could be exposed by virtue of the nature and location of its activities. Also, identify opportunities at areas where anti-bribery is there.
- Identify the bribery risks: The objective of this step is to identify and examine the activities and risk factors that could increase the company’s exposure to bribery risk. Identify Opportunities.
- Evaluate and prioritize the risks: The risk evaluation stage analyses (through various likelihoods and severities’ mechanisms) and prioritizes the forms of bribery identified in step 3 taking into account the risk factors in step 4. A common practice is to apply two variables to prioritize risks: likelihood/probability of occurrence and the potential adverse impact/severity.
- Use the output of risk assessment: The results of risk assessments are applied to review the anti-bribery programme to develop operational control procedures and programs and the extent to which existing controls need modification or additions.
Not to ignore passive bribery risk, if any it exists:
Where the company or its personnel (internal or external) connected with it give / or take a bribe, in whatever form, it maybe- this is generally termed ‘active bribery’ and when an individual does his job on the expectation that he will be receiving a bribe, it is called ‘passive bribery.’
Active and passive bribery are distinct risks and should be considered in such a way. Both are of concern to the organization. Attention is generally given by companies to active bribery only and they forget about passive bribery risk which definitely must not be overlooked. Passive bribery is a very common practice and most often in contracting and procurement fraud, and during when promoting sales through resellers or distributors or when employees accept kickbacks for awarding contracts. The consequences of passive bribery can also be very serious if not assessed and acted upon. Passive bribery can occur in any other functions such as recruitment, sponsorship, or allocating services or supplies where goods or raw materials are in high demand and short supply.
The potential positive benefits of doing a Risk Assessment (considering both Active and Passive bribery) are considerable and include (though not limited to only these following points): these points are generally recommended by Ascent WOLRD:
- Providing a documented, logical, realistic and comprehensive overview of key areas of bribery risk to assist with the design of mitigating and contingency processes and controls, training and other communications, and monitoring and review activities;
- Focusing the organization’s attention and efforts on those business activities/processes and relationships which are considered to be most risky (magnitude wise);
- Enabling an organization to identify where there can be an excessive and more controls burden in relation to relatively low-risk activities and to reduce the efforts there in those areas and/or deploy resources and controls where there is a greater need;
- Guiding to determine the magnitude of risk-based due diligence that is appropriate for particular 3rd parties, building on an informed appraisal of the risks and opportunities associated with the activities/processes are being asked to undertake;
- Identifying opportunities for efficiency-wherever possible and appropriate, not only during the identification of controls but also during the underlying business activities/processes. For example, in considering risks or opportunities arising from the use of intermediaries in particular kinds of commercial arrangement, companies might conclude that they can reduce or even remove the use of such intermediaries, thereby reducing both risk and direct/indirect costs;
- Supporting and guiding the promotion of risk awareness generally and a structured, informed approach by the entire organizational structure and process flow structure to ethical decision making in the organisation.
Responses to risk (for more comprehensive procedure as to how to do, please contact us- Ascent WORLD:
Before going through the risk assessment process, it is important to understand that the purpose of this risk assessment exercise is not simply to identify and measure risk for the sake of it (as many of the companies might feel- so they just do a copy-paste from Internet/google, etc), but to arm the organisation to understand and determine the appropriate response to a given risk. As an organisation might adopt different levels of risk tolerance to a range of risks, so they may also choose different responses to each of those risks.
M/s Ascent WORLD’s framework guidelines generally identify 4 basic categories of response, which it labels as follows:
- Acceptance of the Bribery Risk– in effect, treating the Bribery Risk and its potential consequences as a cost (direct/indirect) of doing business. This may be appropriate for Bribery Risks which are not critical to the achievement of key objectives and where the costs of mitigation might outweigh the benefits;
- Avoidance of the Bribery Risk – this is where an organisation decides to cease a particular activity or exit a market in order to eliminate the Bribery Risk completely. This is a drastic, but sometimes necessary, response to mission-critical Bribery Risks which cannot otherwise be mitigated;
- Reduction of the Bribery Risk– this encompasses the implementation of programmes, processes, and controls designed to reduce Bribery Risk to acceptable levels and is the standard response for many typical business Bribery Risks;
- Sharing of the Bribery Risk– this includes insurance, outsourcing, joint ventures, and other forms of business partnering.
Evaluation parameters (as per ISO 37001:2016 standard)
Established risk management models (as also ISO 37001 standard) has identified 2 key variables which play a role in the evaluation of risk:
- Likelihood (or probability) of occurrence;
Depending on the nature of the risk in question, these 2 variables are expressed in either quantitative or qualitative terms or a combination of both.
Please contact Ascent WORLD for conducting a thorough Anti-Bribery Risk Assessment for your organization.
USING THE OUTPUT OF THE RISK ASSESSMENT (guided by Ascent WORLD):
A detailed description of the steps as mentioned above that might be taken beyond the risk assessment process towards the full implementation of a proportionate, risk-based anti-bribery programme provides a high-level overview and some general pointers to the next steps (each of which is a big subject in its own right), giving a higher perspective on how the risk assessment might be taken forward. The 1st Step, however, is always to have a well-written documented Procedure.
Additionally, and following the process outlined above, the key next steps are:
- Planning and putting into action an appropriate response to the risk assessment, which involves: – Mapping risks on to existing controls- controls can be of 3 types:
Then Identifying gaps in existing controls in terms of risks not adequately addressed;
Designing and implementing appropriate remedial actions as might be necessary
- Follow-up, monitoring, and enforcement;
- Reporting to the Top Management
General Concept- The risk identification stage focuses on the identification of whether there actually is an inherent risk and excludes consideration of controls. Whereas, the risk evaluation stage, takes account of controls(mitigation, contingency, strategic) in a strategic and appropriate (for process-based) sense in that evidence of weaknesses or gaps in control may constitute one of a number of risk factors.
Once the risk assessment steps have been carried out, the specific controls exist to mitigate each identified risk be considered and documented.
In undertaking this exercise, the following points may be followed:
- All controls are of 3 types:
- Contingency (Plan B)
- Strategic (also encompassing Opportunities of not giving a Bribe)
- Some controls which already exist for other purposes may also be co-opted here as anti-bribery controls. These may need to be customized to some extent. Controls overpayment transactions would be an obvious example;
- When considering any control, it is to be disciplined in analyzing how the particular control is designed to mitigate the risk to which it is mapped. It is all too easy to assume, for example, that an existing approval process will prevent a corrupt payment. If such controls are focused merely on ensuring that certain documentation is in place, the fundamentals of why a transaction is happening and whether it makes sense or looks right may not be picked up;
- Certain controls might cover more than one bribery risk; indeed, some may cover many or all bribery risks. Effective communication (internal as well as external), training and awareness-raising programs, and similar SOPs/procedures might fall into this category. These may not be sufficient always to prevent acts of bribery but they are always an important element of the overall programme.
The actual risk mapping process will be some form of Risk Management Matrix with relevant mitigating controls- documented alongside the corresponding risks, and the Responsibilities, to include the actual status as the conclusion.
Read Latest Blogs