Why mapping corruption risk is important ?
It is important for three reasons:
1.1 Mapping corruption risk for efficient compliance
The first reason is because compliance is efficient only if it is tailored to the organization’s specific corruption risk.
If corruption risks are not evaluated sufficiently, underestimated or overestimated, a compliance program will not be effective.
If underestimated, corruption risks will not be properly mitigated.
Overestimating corruption risk with a view to implementing a very sophisticated compliance program leads – paradoxically – to the same result: the risk will not be properly mitigated. Why? People who have to follow compliance rules will quickly discover that it is overly bureaucratic, and they will find ways to bypass compliance processes or to apply them only partially.
Mapping corruption risks, without underestimating or overestimating them, is essential for a well-implemented compliance program. And it will be well implemented only if people find it legitimate. They will only find it legitimate if it is tailored to the business organization.
1.2 Mapping corruption risk to define appropriate resources
The second reason is because compliance needs appropriate resources.
Underestimating corruption risks leads to inappropriate resources being devoted to compliance.
Overestimating corruption risk with the hope that it will result in a higher budget from management is equally misguided. Overestimating corruption risk will not convince Top Management who will undoubtedly challenge the information. It is counterproductive to be perceived as an “arsonist firefighter. ” Overestimation will only impact negatively on the legitimacy of the compliance function.
1.3 Mapping corruption risk to allocate resources efficiently
The third reason is that – as for every support function – the resources allocated to compliance should be used in the most efficient way.
For top managers as well as for operations, compliance is first and foremost a cost, even in organizations where everyone agrees that compliance matters.
A well-designed corruption risk mapping ensures that resources are focused where risks are high and balances prevention policies (ex-ante) and detection actions (ex-post). These two dimensions – prevention versus detection – are two considerations that should be weighed when designing an efficient corruption risk mapping as described below.
2. How to map corruption risk for efficient compliance
An efficient corruption risk mapping exercise should approach corruption from different angles in order to draw different consequences. The four angles listed below will help compliance officers with what is needed to mitigate the risk in an appropriate manner, either at the organizational level or at the business processes level.
2.1 Combining a global and a local risk mapping
It is relatively easy to carry out a global evaluation of corruption risk by disaggregating the turnover of the organization by:
- Country, according to the Transparency International Corruption Perceptions Index
- Type of clients: administration, business or consumers. Clearly corruption risk will be higher in Bto1, than in BtoB, which will be higher than in BtoC
- Sector of activity, according to Transparency International Sector Index
Rating each of these three indicators with high, medium or low corruption risk, will give an indication of the appropriate allocation of resources.
However, it is not because an organization has a high corruption risk at a global level that the corruption risk will be high in every country or operation.
A global approach is a first step but should be reinforced at the local level by considering the specificities of business processes. This will facilitate an understanding of where corruption risks really are, and where compliance rules should really be implemented and controlled.
Applying the same compliance rules throughout is often a mistake when the organization is present in many countries, has different types of operations or is active across business sectors.
Only such a disaggregated approach of both corruption risk and compliance program implementation will guarantee that the overreaching imperative of zero tolerance in corruption is understood and applied throughout. When compliance is perceived as an unnecessary burden in low risk sectors, those operating in high risk sectors will be more likely to ignore their compliance obligations.
2.2 Associating local managers with the risk mapping
My experience shows that when local managers i) understand a risk and ii) appreciate the usefulness of preventive tools they adopt them readily.
The difficulty with corruption is that it takes different forms: from a bribe paid directly, to the selection of an inappropriate business agent, to an undue invitation of a prospect or the hiring of an employee linked to a client’s family …At the local level, involving all the directors in charge of the entity’s day-to-day management with the risk mapping exercise has proven to be extremely useful. Each department manager will understand his responsibility and role in the implementation of the compliance program. Such a risk mapping exercise might require an hour of collective training upstream to ensure that everyone has the same understanding of corruption risk.
2.3 Using the risk mapping for prevention as well as for detection
Risk mapping indicates where corruption risks are high and therefore what kind of preventive actions need to be designed and implemented.
The exercise helps to identify which type of employees should be trained, and what type of content should be included in the training. It will also help to identify which tools are needed e.g. due diligence questionnaires, and those who will have to apply them e.g. managers working with sales agents, etc.
But the risk mapping should also help to identify what kind of controls should be implemented to ensure that corruption risks are properly mitigated. In a very decentralized organization, the compliance program will also be naturally decentralized, but this decentralization will require centralized and regular control processes.
A risk mapping exercise will ensure a sound balance between prevention and detection tools whose combination will ensure a robust compliance program.
The drafting group of the ISO 37001 decided, in its very first meeting, to add a specific requirement on bribery risk mapping in section 4 of the standard.
Section 4 of every ISO-related Management System requires the organization to describe the context in which it operates: mainly its business operations, the stakeholders’ expectations and the applicable laws and rules.
The ISO 37001 drafting group considered very early that with respect to an Anti-Bribery Management System, Section 4 of the standard should be complemented by a specific section on “bribery risk assessment” (4.5), a section which moreover relies on detailed guidance (Clause A.4).
In other words, the ISO 37001 drafting group experts considered that a solid Anti-Bribery Management System needed comprehensive corruption risk mapping… and the exercise is referenced in all requirements throughout the standard to ensure that prevention and detection tools are adequate to mitigate the identified risks.
There is no efficient compliance program without a well-designed corruption risk mapping.