Presented at the MENA-OECD Business Integrity Training, 22-25 April, Kuwait. Organised by the MENA-OECD Investment Programme in cooperation with the IMF-Middle East Center for Economics and Finance
Organized by the MENA-OECD: Risk Assessment and Due Diligence in Anti-Corruption Compliance
1. Organized by the MENA-OECD Investment Programme in cooperation with the IMF-Middle East Center for Economics and Finance
Kuwait
April 22, 2013
2. Iohann Le Frapper
As Vice-chair of ICC Corporate Responsibility and Anticorruption Commission
3. 1.- Interactive session
We all have part of the truth in matters of integrity
My contribution to this Training is based on compliance practice and integrity standards
I am here to speak, to listen and to share: please interrupt me for questions
There are the national and the international standards
There are worldwide norms (OECD and United Nations Convention) which are recognized everywhere and good corporate practice which is based on a vast experience
The anti-corruption standards are universal and each company has to choose its prevention measures according to its culture, its size, its resources, its industry, its business model, etc.
4. 2.- The Basics
The basic rules
a.- UNCAC, OECD, FCPA, UK Bribery Act
b.- The basic terminology:
economic fraud,
bribery and corruption,
various forms of corruption (national and international/public and private/direct and indirect/mother company, subsidiaries and affiliates/trading in influence),
gifts, entertainment and hospitality, and
money laundering
5. 3.- Definitions
The term “corruption” covers many aspects of economic fraud
You can have
large and small corruption
“street corruption” and “office corruption”
corruption with money or other undue advantages
corruption with laundered money or clean money
corruption from a slush fund or from a regular stream
national/international, public/private, direct from a company or indirect through an intermediary, mother company or subsidiary and affiliates
active v. passive
trading in influence
6. 4.- Risk Assessment I
A company starts with a Risk Profile/Risk Assessment to identify and prioritize its risks, esp. corruption.
Pro-active or crisis mode.
Risk assessment: cornerstone and critical initial step in designing an effective compliance program.
It is the task of the highest body of the corporation (the Board or the owner) to define the risks the corporation is ready to take on.
The basic approach of a risk assessment exercise:
identifying risks: scoping
measuring them, and
managing them.
Oversight by top-level management: from kick-off to final report
Prioritization of areas of highest risks: likelihood/frequency? Potential impact?
As a result of such assessment, the company avoids focusing on false or minor problems.
7. 5.- Risk Assessment II
Appropriate resources: risk assessment with internal/external information sources and resources.
Work plan: need to plan budget, level of activity (e.g. interview list, document review?) and timing.
Call upon operational people and experts: insurance people, Health, Safety, Environment & Quality (“HSEQ”) people and lawyers
Typical risks to review: country, industry-specificities, transactions, business opportunities, business partnership/joint venture?
Identify precisely weak points/processes in the organization (e.g. where are you dealing the most with cash?)
In which countries do you have business operations where the risk for fraudulent activity is the highest?
Degree of business with government entities?
Level of regulation of relevant industry?
Which supply/marketing channel presents the most challenges?
Are your intermediaries/business partners a low or high risk for your company?
Gifts, hospitality and entertainment activities?
8. 6.- Risk Assessment III
Gap analysis: does the existing compliance program address the identified risks?
Consider an ethical awareness survey or interviews to gather data from employees about high risks and knowledge of the values and policies of the organisation.
Next stage: recommendations for design or improvement of internal controls (remediation measures);
Strength of internal controls: ascertain how the compliance program operates in practice.
The purpose of the risk assessment is to educate senior managers, seek their input on findings/report and get their buy-in for the anti-corruption program (the sponsor must be one senior executive).
The risk assessment must be documented (to evidence, if needed, the bona fides of the anti-corruption program) and monitored;
Dynamic risk assessment: regular reviews and updates are needed to reflect external developments, risk profile changes and lessons learned through the action plan’s implementation
9. 7.- Due Diligence
Before joining forces with a new partner, agent, associate or even executive, you should make checks on integrity, competence, reputation
You can do this in very different ways but it should be
a continuous and sustainable method
leaving behind a paper trail, and
no “box ticking”
10. 8.- Adequate Procedures Guidance-UK Bribery Act.
Principle 3: Risk Assessment
“The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented”.
http://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf
11. 9.- Adequate Procedures Guidance-UK Bribery Act.
Commentary on Principle 3
“3.1 For many commercial organisations, this principle will manifest itself as part of a more general risk assessment carried out in relation to business objectives. For others, its application may produce a more specific stand alone bribery risk assessment. The purpose of this principle is to promote the adoption of risk assessment procedures that are proportionate to the organisation’s size and structure and to the nature, scale and location of its activities. But whatever approach is adopted the fuller the understanding of the bribery risks an organisation faces, the more effective its efforts to prevent bribery are likely to be.
3.2 Some aspects of risk assessment involve procedures that fall within the generally accepted meaning of the term ‘due diligence’. The role of due diligence as a risk mitigation tool is separately dealt with under Principle 4.”
12. 10.- Adequate Procedures Guidance-UK Bribery Act.
Procedures for Principle 3
“3.3 Risk assessment procedures that enable the commercial organisation accurately to identify and prioritise the risks it faces will, whatever its size, activities, customers or markets, usually reflect a few basic characteristics. These are:
• Oversight of the risk assessment by top level management.
• Appropriate resourcing – this should reflect the scale of the organisation’s business and the need to identify and prioritise all relevant risks.
• Identification of the internal and external information sources that will enable risk to be assessed and reviewed.
• Due diligence enquiries (see Principle 4).
• Accurate and appropriate documentation of the risk assessment and its conclusions.
3.4 As a commercial organisation’s business evolves, so will the bribery risks it faces and hence so should its risk assessment. For example, the risk assessment that applies to a commercial organisation’s domestic operations might not apply when it enters a new market in a part of the world in which it has not done business before (see Principle 6 for more on this).”