Checklist: Anti-bribery and corruption risk assessment (UK)

Updated as of: 22 September 2025

Introduction

This checklist provides guidance on how to conduct a risk assessment to prevent bribery and corruption in an organisation and comply with the requirements of the Bribery Act 2010 (BA 2010). It is aimed at in-house lawyers and compliance professionals in organisations of all sizes and all sectors in the UK.

Under the BA 2010, it is an offence to pay or receive a bribe, and companies and partnerships will also commit an offence where a bribe is paid on their behalf. Having an adequate anti-bribery and corruption compliance framework in place is important in the prevention and detection of bribery. Carrying out a risk assessment will enable your organisation to develop and tailor the anti-bribery and corruption (ABC) policies and procedures it needs to design a successful ABC compliance framework (ABC Framework).

This checklist can be incorporated as part of an overall risk management framework, forming part of your organisation’s code of conduct or as a stand-alone ABC risk management framework.

The checklist addresses the following steps:

  1. Assigning ownership and scoping the risk assessment of your organisation
  2. Identifying and evaluating business risk
  3. Assessing risk and embedding your risk assessment in your organisation
  4. Ongoing review of your organisation's bribery risk assessment

The checklist is presented as a list of requirements that you can tick off as they are addressed. At the end of the document there are explanatory notes, and specific notes corresponding to the relevant step in the checklist.

The checklist can be used in conjunction with How-to guides: Understanding the Bribery Act 2010 offences, Understanding penalties for breach of the Bribery Act 2010, How to identify and assess bribery and corruption risk and How to prevent bribery and corruption in your organisation; as well as the Checklists: Anti-bribery and corruption procedures, Gifts and hospitality and Charitable and political donations.

Step 1 - Assigning ownership and scoping the risk assessment of your organisation

No.    Task name
1.1    Appoint top-level management to take ownership of the risk assessment project
1.2    Appoint a business function to oversee implementation of the project
1.3    Allocate appropriate project resources and budget in line with the size and nature of the organisation
1.4    Update your current risk assessment documentation or develop a stand-alone anti-bribery risk assessment
1.5    Determine the risk assessment scope and priorities
1.6    Consider active bribery risk
1.7    Consider passive bribery risk
1.8    Consider risk of bribing a foreign public official
1.9    Consider risk of bribery by associated persons
1.10   Consider risk of liability due to senior managers
1.11   Document your bribery risk methodology
1.12   Document your methodology for inclusion or exclusion of business units
1.13   Arrange an independent review of the scope of your risk assessments, and document its results

Step 2 - Identifying and evaluating business risk

No.    Task name
2.1    Identify internal and external information sources
2.2    Consider if your organisation operates within a specialised field
2.3    Consider if your organisation operates in the public sector
2.4    Identify and consider the mechanisms used for business sales
2.5    Identify and consider the mechanisms used for marketing promotions and business development
2.6    Consider Transparency International’s guidance on the risk factor of the country your organisation operates in
2.7    Consider the types of transactions undertaken by your organisation
2.8    Consider how business opportunities generally arise
2.9    Consider how business partnerships generally arise

Step 3 - Assessing risk and embedding your risk assessment in your organisation

No.    Task name
3.1    Assess and categorise each risk identified using a scale of likelihood or highest risk
3.2    Consider any established procedural controls
3.3    Consider the failure of established procedural controls
3.4    Consider the risk of an adverse event
3.5    Test your risk assessment
3.6    Finalise your risk assessment
3.7    Ratify your risk assessment
3.8    Implement version control tracking on your risk assessment
3.9    Maintain proportionate and transparent documentation

Step 4 - Ongoing review of your organisation’s bribery risk assessment

No.    Task name
4.1    Allocate appropriate budget annually to a review of the risk assessment
4.2    Monitor and reassess the risks at least annually or when the risks change
4.3    Revisit scope annually
4.4    Ensure ongoing access to relevant data
4.5    Ensure regular independent audits
4.6    Engage senior management in decision making

Explanatory notes

General notes

This checklist can help provide your organisation with the implementation tools needed to scope an anti-bribery and corruption risk assessment. The identification of ‘red flags’ is used to guard against the risk of bribery and corruption remaining undetected and becoming systemic within your organisation.

Systemic risks are events that can cause major disruption to the day-to-day activities of an organisation resulting in time consuming internal or external investigations, enforcement action, reputational risk and/or litigation.

There are many red flags which may warrant enhanced due diligence or careful review. These red flags can be identified by assigning a particular business activity a corresponding level of risk (for example, on a risk scale of 1 to 5). Established procedural controls for the identification and management of risks can be used to root out systemic risks in business activity and aid in the implementation of a successful and effective ABC Programme.

Carrying out a risk assessment is also an important part of putting in place adequate procedures to prevent persons associated with the organisation from bribing another.

Notes on specific requirements

Step 1 - Assigning ownership and scoping the risk assessment of your organisation

Step 1 of the checklist considers the BA 2010 top-level team and the tasks involved in scoping out the implementation of the risk assessment project.

1.1 Appoint top-level management to take ownership of the risk assessment project

This task should be undertaken by senior business executives from your organisation such as the chief operations officer (COO), the chief finance officer (CFO) and the chief executive officer (CEO). This senior leadership team is responsible for setting the tone at the top and providing adequate budget and resources. The senior leadership team may or may not be part of the implementation team. The implementation team will work on the risk assessment project and implement the ABC Programme.

1.2 Appoint a business function to oversee implementation of the project

You should consider appointing a business unit or departmental senior executive (with sufficient seniority or authority) to sponsor the risk assessment work being undertaken by the implementation team. Remember to include support functions as well as business units, eg, the finance/accounts department, as part of the risk assessment.

1.3 Allocate appropriate project resources and budget in line with the size and nature of the organisation

Allocate appropriate project management resources and budget – this should reflect the scale of your organisation and the need to identify and prioritise all relevant BA 2010 risks. In considering resources, thought should be given to who will conduct the assessment. Depending on the nature and extent of the risk assessment, one factor that will go into that consideration may be the nature of any resulting documents and whether it might be desirable to structure the review in such a way as to be able to claim legal privilege over them.

1.4 Update your current risk assessment documentation or develop a stand-alone anti-bribery risk assessment

If your organisation already has general risk assessment documentation it should be updated. Alternatively, you will need to design a specific stand-alone risk assessment template to identify all the areas within your organisation at risk of bribery and corruption.

1.5 Determine the risk assessment scope and priorities

Determine the risk assessment scope and priorities aligned to the nature, scale and complexity of the business unit or department. The risks identified in your ABC Risk Assessment should not be limited to cash payments. ABC risks may arise from an offer or transfer of anything of value. All the offences under the BA 2010 refer either directly or indirectly to the undefined term of a ‘financial or other advantage’. Likewise, it is important to ensure that your ABC Programme can identify both incoming (ie, receiving – for example in procurement) and outgoing (ie, giving – for example sales teams) risks of bribery. Hence, ABC risks should be scoped proportionately and appropriately.

1.6 Consider active bribery risk

Consider the risk of breaching the BA 2010 offence of bribing another person (active bribery under section 1). For instance, your business development function might have a higher risk level in this area if operating in a high-risk global emerging market.

1.7 Consider passive bribery risk

The BA 2010 creates an offence of being bribed (passive bribery under section 2). Consider all circumstances where there is a heightened risk of incoming bribery. For instance, your procurement function might be assigned a higher level of risk in this area when there is an ongoing competitive tender.

1.8 Consider risk of bribing a foreign public official

Section 6 of the BA 2010 makes it an offence to bribe a foreign public official with the intent to influence the foreign public official in their capacity as such and in doing so to obtain or retain business or an advantage in the conduct of business. Consideration should be given to the circumstances in which your organisation operates outside the UK and where it interacts with foreign public officials.

1.9 Consider risk of bribery by associated persons

An offence under section 7 of the BA 2010 can be committed by commercial organisations which fail to prevent persons associated with them from committing bribery on their behalf. An associated person is a person who performs services for or on behalf of an organisation, regardless of the capacity in which they do so. Consideration should be given to all of those persons who might be associated with your organisation as part of your risk assessment.

1.10 Consider risk of liability due to senior managers

Recent changes to corporate criminal liability (introduced by the Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023)) mean that an organisation will also be guilty of a section 1, 2 or 6 BA 2010 offence where such an offence is committed by a senior manager acting within the actual or apparent scope of their authority.

The definition of ‘senior manager’ under section 196(4) of the ECCTA 2023 in relation to a body corporate or partnership means ‘an individual who plays a significant role in— (a) the making of decisions about how the whole or a substantial part of the activities of the body corporate or (as the case may be) partnership are to be managed or organised, or (b) the actual managing or organising of the whole or a substantial part of those activities’.

Consideration should be given to all of those persons who might be ‘senior managers’ as part of your risk assessment. See further How-to guide: Understanding the Bribery Act 2010 offences and Checklist: Anti-bribery and corruption procedures.

1.11 Document your bribery risk methodology

Document the risk assessment scope and priority methodology for the calculation of active and passive bribery risk. This should be maintained in accordance with applicable legal and regulatory standards and requirements on document retention.

1.12 Document your methodology for inclusion or exclusion of business units

To ensure your records are complete, document the methodology used for the inclusion or exclusion of business units or departments in your organisation’s risk assessment.

1.13 Arrange an independent review of the scope of your risk assessments, and document its results

Best practice under this task would be to carry out and document an independent review. This will highlight any inaccuracies or inconsistencies by challenging the risk assessment scope, priority and reasons for inclusion or exclusion of business units. If deemed proportionate and your budget permits, seek external verification of your ABC Programme’s effectiveness from a specialist consultant.

Step 2 - Identifying and evaluating business risk

Step 2 of the checklist addresses the key areas to be considered as part of the ABC Risk Assessment. It also helps to identify and target areas for further detailed consideration or enhanced procedures, and areas where action may need to be taken in the event that a BA 2010 risk materialises.

2.1 Identify internal and external information sources

Identify the available internal and external information sources to be gathered to enable each risk to be identified, analysed and assessed. Internal sources may be individuals, invoices, databases of non-standard contracts or terms of business, dispensation requests, vendor lists, customer records, whistle-blower reports, findings from investigations, audit findings etc. External sources may be country assessments conducted by organisations such as Transparency International, Government guidance, sectorial organisations etc. To assess the risk of bribery, risk identification should use the inherent risk factor – the risk before taking account of any mitigating controls.

2.2 Consider if your organisation operates within a specialised field

If your organisation operates within a specialised field (eg, infrastructure or construction), certain customers or types of customer engagements may be identified as subject to additional legal or reputational risks. These will merit a higher risk level allocated to them.

2.3 Consider if your organisation operates in the public sector

If your organisation is involved in the public sector, there is generally a higher risk level because your organisation will be required to interact with public officials, raising the possibility that a section 6 BA 2010 offence might be committed. In addition, the public sector is often characterised by tender processes which may mean that there is an increased risk of bribery to try and win tenders.

2.4 Identify and consider the mechanisms used for business sales

Consider the business negotiation mechanisms used for your business sales. For example, individually negotiated terms may lead to a higher level of risk than sales that are concluded on standard terms and conditions.

2.5 Identify and consider the mechanisms used for marketing promotions and business development

For example, you will need to consider whether you engage intermediaries, associates or third parties and assign a corresponding risk level to the arrangement. This is because your organisation may not have complete transparency over their business practices. The use of third parties also raises the risk of a breach of the section 7 BA 2010 offence.

2.6 Consider Transparency International’s guidance on the risk factor of the country your organisation operates in

You should consider the type of country risk your organisation faces. Reference to Transparency International’s data on country risk can provide guidance. You could also use third-party research materials about the country (eg, see the materials produced by the OECD). The assessment should include countries where your organisation’s business operations are directed or currently operational.

2.7 Consider the types of transactions undertaken by your organisation

For example, consider the characteristics of the types of transaction undertaken by your organisation (eg, bidding or tender processes).

2.8 Consider how business opportunities generally arise

For example, consider the risk factors of the mechanisms used and how business opportunities generally arise (eg, through third-party introductions where there is a risk that initial negotiations are not fully transparent).

2.9 Consider how business partnerships generally arise

Consider what mechanisms are used to achieve business partnerships, and whether this creates a higher level of risk (eg, are third-party introductions used where there is a higher risk that initial negotiations are not fully transparent?).

Step 3 - Assessing risk and embedding your risk assessment in your organisation

Step 3 of the checklist looks at practical steps your organisation should consider as part of its overall management strategy and identifies specific actions to take and consider when implementing your ABC Programme. Use this exercise to evaluate and address bribery risks to your organisation with a realistic assessment of likelihood and impact.

3.1 Assess and categorise each risk identified using a scale of likelihood or highest risk

Once bribery risks have been identified, the next step is to assess each risk in light of the specific business operations of your organisation and categorise each identified risk. This will help to prioritise your compliance efforts.

Activities can be categorised on a scale of likelihood or highest risk (eg, 1 to 5 or high/medium/low) in order to provide data and metrics on the relevant risk exposure of various areas of your organisation.

3.2 Consider any established procedural controls

Policies and procedures are sometimes referred to as systems and controls. A system and control can be described as a manual or automated procedural control for managing, commanding, directing or regulating behaviour. This task therefore requires you to consider any established procedural controls currently operating in your organisation; these might include staff training, gatekeeper approval mechanisms, registers of gifts and hospitality, etc. Have they been specifically designed to escalate and/or mitigate the risks you have identified? This exercise will also help you to identify any procedural control gaps. Procedural gaps may indicate a higher risk level for those areas where there is an absence of controls.

3.3 Consider the failure of established procedural controls

Consider the risk factor of failure of the established procedural controls currently relied on to manage the risks (eg, if invoices to business development consultants are paid without required supervisory approval, how serious would this be on a scale of 1 to 5?). A high impact on the business might merit a correspondingly high-risk level.

3.4 Consider the risk of an adverse event

Consider any residual risk. This task focuses on the risk of an adverse event after taking account of the mitigating effect of procedural controls. For example, this might be in circumstances where a procedural control relies on an IT system to identify the risk. If the IT system malfunctions, will there be a residual risk that the failure is not identified and remediated immediately? If the residual risk is high, then a correspondingly high level of risk should be allocated.

3.5 Test your risk assessment

This can either be done internally or outsourced to a specialist. Ultimately, this is dependent on the complexity of your organisation and its ABC risks.

3.6 Finalise your risk assessment

You should send a draft of the completed risk assessment to the management team (in each business unit or department) responsible for overseeing the risk assessment for review and finalisation.

3.7 Ratify your risk assessment

Ratification is when the assessment of risks has been endorsed by the senior management team and it becomes a ‘live’ document.

3.8 Implement version control tracking on your risk assessment

This is a key part of your documentation housekeeping. Updates or amendments to ABC procedures need to be recorded. This will assist you in the event of an internal or external request for historical information or previous versions.

3.9 Maintain proportionate and transparent documentation

Maintain appropriate, accurate and transparent documentation of the risk assessment and its conclusions as well as the methods used for its distribution and escalation.

Step 4 - Ongoing review of your organisation’s bribery risk assessment

Step 4 of the checklist considers how to establish business as usual to manage the practical aspects of BA 2010 risks. The list largely considers steps to take in respect of maintaining an up-to-date and fit-for-purpose risk assessment.

4.1 Allocate appropriate budget annually to a review of the risk assessment

Allocate appropriate budget annually. This should reflect the scale of your organisation’s business and the need to identify and prioritise all existing, new and anticipated risks.

4.2 Monitor and reassess the risks at least annually or when the risks change

Monitor and reassess the risks at least annually or when the risks change, eg, when your organisation enters a new market in a part of the world in which it has not done business before, or before offering a new product or service.

4.3 Revisit scope annually

Ensure those areas excluded or scoped out of the risk assessment are revisited in the annual review or when circumstances change.

4.4 Ensure ongoing access to relevant data

Ensure the risk assessment owners or those in your organisation who are responsible for monitoring or auditing the risks have ongoing access to relevant data and information on identified ABC risks. This can be done locally or centrally by a dedicated team with access to a repository for ABC data. There is a wide range of possible internal and external monitoring mechanisms that can help provide insight into the effectiveness of your ABC Programme, ranging from investigations and internal controls to staff surveys and other detection measures. Any non-compliance identified should be remediated and control improvements implemented.

4.5 Ensure regular independent audits

Ensure the risk assessment scope, priority and reasons for inclusion/exclusion of risks are regularly and independently audited. Depending on the size of your organisation, you may feel an external auditor is best placed to do this.

4.6 Engage senior management in decision making

To set the appropriate tone at the top, senior management should be provided with appropriate management information and reporting. This will enable their involvement in any relevant high-profile or critical decision making.

Additional resources

It is important to continuously stay abreast of developments and to add to and update your checklist as needed. In respect of the BA 2010 there are several anti-bribery and corruption website resources to draw on, including:

Related Lexology Pro content

How-to guides:

Understanding the Bribery Act 2010 offences
Understanding penalties for breach of the Bribery Act 2010
How to identify and assess bribery and corruption risk
How to conduct an internal investigation into bribery allegations
How to prevent bribery and corruption

Checklists:

Anti-bribery and corruption procedures
Gifts and hospitality
Charitable and political donations
Conducting third party due diligence and managing third party bribery risk
