A Risk Assessment Process for Addressing Third Party Bribery Risks: Art or Science?

Fikret Sebilcioğlu, CFE, CPA, TRACE Anti-Bribery Specialist
  • Managing Partner
  • Internal Controls & Forensic

Identifying, segmenting, mitigating and monitoring bribery risks associated with third parties, and using relevant data to design proportionate due diligence, is critical to the third party anti-bribery framework.

Applying the same risk assessment process to all third parties in the same way will dilute resources, divert focus from the highest risk third parties, and may result in inadequate supervision or unethical behaviour that damages the company.

A third party risk assessment process allows companies to develop a proportionate approach. This enables companies to identify and respond appropriately to higher risk third parties. The process aims to understand the risk factors associated with third parties to the extent necessary for proper categorisation and proportionate risk mitigation.

The steps set out below focus on third party risk, drawing upon TI-UK’s publication “Diagnosing Bribery Risk” which gives a comprehensive description of anti-bribery risk assessment methodology:

  1. Plan and scope
  2. Gather information about third party risks
  3. Identify general risk factors
  4. Establish risk categories for different types of third parties and other risk criteria
  5. Define the process for mitigating identified third party risks

Plan and scope

The third party bribery risk assessment should be aligned with other risk areas such as sustainability, labour, etc. The scope should also be decided with regard to lower tier third parties, such as sub-contractors.

Gather information about third party risks

Obtaining the necessary information is vital to assessing bribery risks properly. Based on the industry and the types of third parties used, the information will help the company understand the fraud schemes, including bribery, that it may face.

Key information sources could be (a) internal documentation, such as due diligence records, whistleblowing reports and audit reports, (b) internet research on reports of bribery law enforcement, or (c) anti-corruption consultants. In addition, interviews should be held with key third parties operating in high risk jurisdictions and industries to evaluate their attitudes regarding due diligence, monitoring and audits, as well as any cultural considerations associated with the subject of bribery and corruption.

Identify general risk factors

Third party bribery risk is the risk of offering, paying or receiving a bribe through an intermediary or any third party acting on the company’s behalf, exposing the company to potential legal and reputational damage. A comprehensive understanding and analysis of “what could go wrong” from the third party bribery risk perspective is therefore very important.

Some examples of risk factors posed by third parties are:

  • Interaction with public officials
  • Reliance on lower tier third parties
  • Authorisation to represent the company
  • Operations in countries with high levels of corruption
  • Operations in sectors vulnerable to corruption
  • Provision of critical services
  • Dependence on critical licenses to operate
  • Unusual payment demands, methods or amounts

It is noteworthy that bribery risk exists within victim companies where corrupt third parties are used by corrupt company employees as channels to route bribes. The reality is that the top 10 FCPA settlements have all involved bribery instigated from within companies and channelled through third parties, including through consultants, agents and joint venture partners.

Establish risk categories for different types of third parties and other risk criteria

This step connects the risk assessment process to the due diligence process for assessing individual third parties. Each type of third party used by the company is assigned to a risk category based on the risk factors associated with that type of third party. The most common framework uses three levels of risk: high, medium and low. The purpose of this task is to stratify third parties so that attention is focused on those of highest risk and resources can be managed during the due diligence process.

Define the process for mitigating identified third party risks

Once the third party bribery risk profile is understood, the company should decide how these risks can best be mitigated, tailoring actions to certain types of third party and to specific risk factors.

Considering the fact that what we are doing at the end of the day is a decision-making activity, I would like to ask and evaluate if a risk assessment process for addressing third party bribery risks is art or science.

I believe that those stated above lean more to the “science” side, i.e. risk analysis and decision-making based on objective, quantitative measures. Well, is there an “art” side or, put another way, a “skill” side to the process? In my opinion, when it comes down to risk assessment, the analysis and decision-making of seasoned professionals based on intuition, expertise and a holistic view of the organization appear to be as important as the science aspects.

Personally, I think it is best to have a mixture of both. It is certain that a scientific and structured approach is needed to analyse and calculate risks. In addition to this, insight and imagination are also needed when thinking about what the future might bring, and of course you still need that human logic and instinct to make the right decisions in the given circumstances.