At the core of any anti-bribery compliance program is the assessment of risk: “Assessment of risk is fundamental to developing a strong compliance program . . . .”1 An entity must assess “the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it.”2 “The assessment [should be] periodic, informed and documented.”3 “A thorough understanding of its [bribery and corruption] risks is key if [an entity] is to apply proportionate and effective systems and controls.”4
Risk assessments should be based on “qualitative and relevant information.”5 The nature and scope of risk assessments should “be proportionate to the nature, scale and complexity of [a] firm’s activities.”6 Each entity’s risk assessment “is unique, depending on [its] industry, size, location, etc.”7 The focus should be on the likelihood of an individual or entity being subject to situations where a bribe or some form of corrupt act may be solicited or induced. The risk of being caught should never be part of the analysis.
Equally important is the management of risk: Consistent with the guidance issued by the U.S. Department of Justice and U.S. Securities and Exchange Commission in a publication entitled A Resource Guide to the U.S. Foreign Corrupt Practices Act (“FCPA Guide”),8 depending upon the degree to which particular facts and circumstances may increase risks, compliance procedures, such as due diligence, internal audits, and other appropriate measures, should be correspondingly adjusted to address the heightened risk.9
An entity should adjust its procedures and concentrate its resources as it identifies and re-assesses its exposure to potential external and internal bribery and corruption risks on its behalf. An entity should assess “where risks are greater and concentrate its resources accordingly.”10 In prioritizing its allocation of resources, an entity must consider the likelihood of prohibited conduct and the potential impact from such conduct.11
Delegation of Authority: Management of risk becomes impossible or, at best, ineffectual if individuals with the requisite authority to alter the allocation of resources are not part of the decision-making process. All too often, major corporations delegate decision-making authority to lower levels within the organization based solely upon monetary factors. They do not take into consideration the risks, particularly from a compliance perspective. What may not appear to be significant from a monetary perspective may have significant long-term implications, including monetary implications, if significant risks may be involved.
While it is neither feasible nor practical to have senior management involved in all decisions, the matrix for delegating decision-making authority should not be based solely on a monetary threshold. Otherwise, risks and other qualitative factors will not be accorded the consideration that they are due. A scandal of any sort is likely to have serious implications affecting the well-being of an entity. The challenge is to develop ways of incorporating the level of risk and other qualitative considerations into the matrix delegating decision-making authority. No doubt, this is an imperfect process. But the consideration of risk should never be ignored.
1 U.S. Dep’t of Justice & U.S. Sec. & Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act (“FCPA Guide”), at 58 (Nov. 2012).
2 Ministry of Justice, The Bribery Act 2010: Guidance about Procedures Which Relevant Commercial Organisations Can Put in Place to Prevent Persons Associated with Them from Bribery (“UK Bribery Act Guidance”), at 25 (2011) (U.K.).
4 Financial Conduct Authority, Financial Crime: A Guide for Firms (“FCA Guidance”), pt. 1, at 15, ¶ 1.2 (Apr. 2015).
7 OECD, UNODC & World Bank, Anti-Corruption Ethics and Compliance Handbook for Business (“OECD Handbook”), at 10 (2013).
8 FCPA Guide, supra note 1, at 11.
9 Id. at 58–59.
10 FCA Guidance, supra note 4, pt. 1, at 16.
11 OECD Handbook, supra note 7, at 11.