Just in time for a New Year’s review of ethics and compliance programs, a trio of international organizations has published the Anti-Corruption Ethics and Compliance Handbook for Business. The joint publishers (Organisation for Economic Cooperation and Development, U.N. Office on Drugs and Crime, and the World Bank) developed the handbook to serve as a practical tool for companies seeking compliance advice from one source.
The handbook is divided into several sections, one of which provides an overview, summarized below, of how companies can assess their risk in order to develop an effective anti-corruption ethics and compliance program.
Why assess risk? As the handbook states, the primary objective of a risk assessment is to better understand the risk exposure so that informed risk management decisions can be made. The steps below outline a structured approach to conducting a risk assessment, as described in the handbook.
Step 1: Establish the process
Ask such questions as:
- Who owns the process and who are the key stakeholders?
- How much time will be invested?
- What type of data will be collected, and how?
- What internal or external resources are needed?
- What framework will be used?
Step 2: Identify the risks
Ask such questions as:
- Where in our business processes is there exposure to corruption risks?
- What types of transactions and arrangements with government employees and third parties could result in creating corruption risks?
- What locations where we do business pose a greater corruption risk than others?
Step 3: Rate the inherent risk
To allocate resources efficiently:
- Rate the probability that each identified risk might occur (high, medium, low or some other rating scale).
- Rate the corresponding potential impact of each occurrence.
Step 4: Identify and rate mitigating controls
Map existing controls and mitigating activities to each identified risk.
- Differentiate between scheme-specific and general controls, and between preventative and detective controls.
- Assess whether the identified controls are commensurate with the probability and potential outcome of misconduct.
- Assess whether the identified controls are functioning as per policy or process.
Controls include such activities as anti-corruption policies and procedures, tailored training, whistleblower ethics hotlines, annual anti-corruption audits, and more.
Step 5: Calculate the residual risk
Residual risk is the extent of risk remaining after considering the risk reduction impact of the previously identified mitigating controls. Use the assessment of residual risk to assess whether existing controls are effective and proportionate to the level of inherent risk.
Step 6: Develop an action plan
If the residual risk for each potential threat is greater than the risk tolerance set by management and approved by those charged with governance, develop a risk response plan.
The handbook reminds us that there is more to do after completing a risk assessment. It is important, if not essential, to document the results, link the results to other compliance program elements, and remember that risk assessment is an ongoing process.
We will address other sections of the Anti-Corruption Ethics and Compliance Handbook in future blog posts. Feel free to contact Ethical Advocate to discuss related information or to review your ethics hotline program.
OECD-UNODC-World Bank. Anti-Corruption Ethics and Compliance Handbook for Business, November 28, 2013. http://www.oecd.org/corruption/Anti-CorruptionEthicsComplianceHandbook.pdf