Introduction
This checklist provides in-house counsel and compliance professionals with guidance on how to conduct a corruption risk assessment (CRA) to prevent bribery as part of a corporate compliance program.
Risk assessments are an essential risk-based tool within a compliance program built on the requirements of the US Foreign Corrupt Practices Act of 1977 (FCPA), and they help an organization manage its risk effectively. These procedures help an organization identify legal and regulatory risks in the course of business and give it an opportunity to improve its response to its corporate risk profile.
The checklist addresses the following steps:
- Prepare and implement your corruption risk assessment process;
- Maintain your corruption risk assessment process; and
- Assess other corporate risk areas or provisions.
The checklist is presented as a list of requirements that you can tick off as they are addressed. At the end of the document, there are explanatory notes and specific notes corresponding to the relevant step(s) in the checklist.
The checklist can be used in conjunction with the following How-to guides: How to protect your company from violations of the United States Foreign Corrupt Practices Act and How to protect your organization from third party liability under the FCPA; and with the following Checklists: What to include in an FCPA compliance program; Charitable and political donations and gifts, travel, entertainment compliance; and FCPA due diligence of third-party intermediaries.
Step 1 – Prepare and implement your corruption risk assessment process
| No. | Task |
|---|---|
| 1.1 | Ensure there is an overall FCPA compliance program for your organization as part of enterprise risk management (ERM) |
| 1.2 | Identify all risks associated with a potential third-party intermediary or business proposition |
| 1.3 | Identify overall corporate compliance risks |
| 1.4 | Assess methods of addressing areas of potential risk |
| 1.5 | Analyze the probability and severity of each risk |
| 1.6 | Rank and focus risks: high, medium and low |
| 1.7 | Map risks to current internal controls and assess effectiveness of internal controls |
| 1.8 | Design or improve and implement risk mitigation measures |
Step 2 – Maintain your corruption risk assessment process
| No. | Task |
|---|---|
| 2.1 | Assign responsibility to personnel and devote compliance resources |
| 2.2 | Document and store CRA steps and conclusions |
| 2.3 | Create risk-based audit plan based on results of CRA |
| 2.4 | Implement periodic and continuous monitoring |
Step 3 – Assess other corporate risk areas or provisions
| No. | Task |
|---|---|
| 3.1 | Assess compliance with any gifts, travel, hospitality or entertainment policies |
| 3.2 | Assess charitable and political donations |
Explanatory notes
General notes
Organizations should determine the level of risk associated with a transaction, business partner, business sector or industry, foreign jurisdiction or other area of risk by developing a risk-ranking methodology that properly focuses their resources. The level of risk allocated to the transaction will determine what mitigating measures or internal controls to implement.
Quantifying and cataloging risk ensures compliance resources are allocated to the areas of greater risk. Should an FCPA violation occur, the United States Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC) will consider the organization’s compliance program and the risk assessment procedures when determining levels of appropriate sanctions.
If your organization has a well-designed compliance program that properly focuses its resources on high-risk areas, the DOJ and SEC may impose less severe sanctions for a violation. On the other hand, failure to perform a risk assessment or take appropriate measures to mitigate a high level of risk will negatively factor into the DOJ and SEC’s determinations.
Vigorous and active risk assessment programs show that an organization is making a good faith effort to prevent and avoid corrupt practices. There is no single method for creating and maintaining an effective risk assessment program. Risk assessments should be tailored to an organization’s specific circumstances and business needs. Organizations should conduct risk assessments on a regular, periodic schedule, and also, ‘as needed’ to address the changing nature of the business.
Notes on specific requirements
Step 1 – Prepare and implement your corruption risk assessment process
1.1 Ensure that there is an overall FCPA compliance program as part of your organization’s enterprise risk management (ERM)
Before beginning a full risk assessment analysis, ensure that your organization has an overall FCPA compliance program in place as a part of enterprise risk management. Enterprise risk management involves the overall security processes used to achieve business objectives. Risk assessments work hand-in-hand with the compliance program to ensure that measures are in place to address the risk, improve the overall program, and get the most use out of an organization’s resources. A comprehensive risk assessment is considered an aid to a more complete compliance program, particularly when paired with due diligence provisions (see Checklist: FCPA due diligence of third-party intermediaries) and effective risk mitigation of known risks. A risk assessment alone will not prevent FCPA violations. If you are in need of an FCPA compliance program for your organization, please see Checklist: What to include in an FCPA compliance program and How-to guide: How to protect your company from violations of the United States Foreign Corrupt Practices Act.
1.2 Identify all risks associated with a potential third-party intermediary or business proposition
The first step in conducting a risk assessment is to identify and recognize the types or areas of risk associated with a potential third-party intermediary or business proposition. Types of risk include:
- country of operation;
- history of corruption in a business sector or industry;
- transactional risks (financial transactions in particular carry a high risk); and
- business partnership risks (depending on the partner’s anti-corruption policies).
1.3 Identify corporate compliance risks
First, identify all corporate compliance risks within your organization by gathering information and interviewing stakeholders.
Once a general CRA is developed, a tailored CRA should be conducted for specific areas of risk, such as those involving complex and continuous foreign transactions or autonomous business partners who operate on behalf of your business, such as sales and marketing agents. Identification focuses on recognizing the risks to your organization and prioritizing them appropriately. For example, if your business operates on a global scale, but primarily in southeast Europe, it would be prudent to heavily audit financial records in Europe.
A thorough identification process will also involve reviewing internal policies and procedures, past audit reports, and any incident logs related to compliance breaches. Furthermore, staying informed about evolving regulatory landscapes, both domestically and internationally, is crucial for anticipating emerging risks. Engaging with legal counsel and compliance experts can provide valuable insights into potential areas of vulnerability that might otherwise be overlooked.
1.4 Assess methods of addressing areas of potential risks
- Ascertain the length of the contract or project. The longer the contract or project, the more potential for corrupt behavior, because familiarity with the area and comfort with those transactions grow over time.
- Determine the degree of intermediary interaction with government agencies and officials. Identify interactions made by your organization, whether through an employee or a third party, with government officials (including those at state-owned enterprises) so that you can identify any areas in need of continuous monitoring and mitigation of risk. For more information on the risks associated with interaction with government officials, see Checklist: Charitable and political donations and gifts, travel, entertainment compliance.
- Determine geographical location of operation or agreement. If your organization is operating in or entering into agreements in foreign jurisdictions, you should consider factors such as political stability, economic stability, political systems, banking structures, tax implications and other relevant factors as part of your risk analysis.
Although it can seem daunting at first, especially if your business is new to international markets, a good rule of thumb is to begin with the areas where your organization primarily operates and continue through interactions in order of their monetary effect on your business.
Example 1
You enter into a contract with an organization from Lebanon. Lebanon is undergoing a political crisis and considered to be politically unstable. Contracting with this organization from Lebanon would bring a higher risk rating than with a company from Canada, for example, because there would be a higher chance of engaging in corrupt behavior under the FCPA.
Example 2
You enter into a contract with an organization from Nicaragua. Nicaragua is not economically stable. Contracting with an organization there would bring a higher risk rating because it may be more likely to accept bribes out of monetary necessity.
You can further evaluate risk associated with location by consulting the Transparency International Corruption Perceptions Index.
See also Checklist: FCPA due diligence of third party intermediaries.
1.5 Analyze the probability and severity of each risk
Once each risk is identified, the probability and severity of each risk should be analyzed.
- Probability is determined by how often the risk has the chance of occurring, for example on a scale of unlikely, rarely, likely, or recurrent.
- Severity is determined by the impact and effect the risk would have on your organization, for example on a scale of insignificant, moderate, significant, or devastating.
- Consider using a risk matrix to visually represent the intersection of probability and severity, allowing for a quick overview of high-priority risks. Also, incorporate quantitative data where possible, such as financial loss estimates for severity or historical frequency of incidents for probability, to make the analysis more robust.
1.6 Rank and focus risks: high, medium and low
Next, rank and focus the risks, using a general scale of high, medium, and low.
Depending on the size of your organization and the number of risks that are identified, you may opt to use a wider scale to assess probability, severity, and level of risk (e.g., a one-to-ten scale rather than simply high, medium, and low).
Figure 1 illustrates the relationship between probability and severity and how the two factor into risk ranking. Using a chart like this can help establish the importance of risks and focus your organization's resources accordingly.
Figure 1: risk ranking as the intersection of probability and severity (chart image not reproduced in this text)
1.6.1 High risk
High risks have both a high level of severity and a high probability of occurring. An activity, party or transaction whose risks are the most severe and the most likely to occur is overall high risk. Most of your organization’s resources and focus should be allocated to combating high risk.
1.6.2 Medium risk
Medium risks fall between high risk and low risk. Medium risks could be those with a high probability, but whose severity is low, or vice versa.
1.6.3 Low risk
Low risks have both low severity and low probability of producing a violation. It is still important to mitigate low risks, but they are, of course, the lowest tier of concern.
1.7 Map risks to current internal controls and assess the effectiveness of the internal controls
Once the areas of risk are identified, the next step is to implement internal controls or mitigation measures. Reaction focuses on the consequences, elimination, or mitigation of risk. After the risks are identified, they should be ranked according to severity and probability. It is a good idea to map them to current internal controls. Determine whether the risk can be directly mitigated by your organization’s existing internal policies and procedures, such as your FCPA compliance policy or another policy. By linking the risks to the controls, your organization is better able to take the necessary steps to effectively mitigate or eliminate risk.
Once the risks are mapped to internal controls, assess their overall effectiveness. Do the policies and procedures your organization has implemented (if any) help mitigate the risk? Consider the applicability of the policy to the identified risk and adjust the policy accordingly. If internal controls are present and sufficient to mitigate or eliminate the risk, then no further analysis is needed. If no internal controls are present or they are not sufficient to mitigate or eliminate the risk, then you must design or improve and implement risk mitigation measures.
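The scoring in step 1.5, the ranking in step 1.6 and the control mapping in step 1.7 can be kept together in a small risk register. The following Python script is an added illustration and is not part of this checklist or of any DOJ or SEC guidance; the numeric weights for the two scales, the product-of-scores rule, the tier thresholds and the sample risks are all assumptions, chosen so that the resulting tiers agree with the descriptions of high, medium and low risk above.

```python
"""Risk matrix and control-gap mapping for a corruption risk assessment.

Assumptions (not from the checklist): four-point scales scored 1-4, the
product of the two scores as the risk score, and the tier thresholds below.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Ordinal scales taken from the checklist's examples in step 1.5; the
# numeric weights are an assumption.
PROBABILITY = {"unlikely": 1, "rarely": 2, "likely": 3, "recurrent": 4}
SEVERITY = {"insignificant": 1, "moderate": 2, "significant": 3, "devastating": 4}


@dataclass
class Control:
    """An existing internal control and whether it was assessed as sufficient."""
    name: str
    effective: bool


@dataclass
class Risk:
    description: str
    probability: str   # key of PROBABILITY
    severity: str      # key of SEVERITY
    controls: List[Control] = field(default_factory=list)

    def score(self) -> int:
        # Product of the two ordinal scores (assumed scoring rule).
        return PROBABILITY[self.probability] * SEVERITY[self.severity]


def rank(score: int) -> str:
    """Map a score to the checklist's three tiers (thresholds are assumed)."""
    if score >= 9:      # e.g. likely x significant, or worse
        return "high"
    if score >= 4:      # e.g. recurrent x insignificant: high probability, low severity
        return "medium"
    return "low"


def risk_matrix() -> List[List[str]]:
    """Tier for every probability/severity combination: rows are probability,
    columns are severity, both in increasing order (a textual Figure 1)."""
    return [[rank(p * s) for s in SEVERITY.values()] for p in PROBABILITY.values()]


def action_for(risk: Risk) -> str:
    """Step 1.7: what the control mapping requires next."""
    if any(c.effective for c in risk.controls):
        return "controls sufficient; no further analysis needed"
    if risk.controls:
        return "controls present but insufficient; improve them"
    return "no controls mapped; design and implement mitigation measures"


def assess(risks: List[Risk]) -> List[Tuple[str, int, str, str]]:
    """Return (description, score, tier, action) rows, highest risk first."""
    rows = [(r.description, r.score(), rank(r.score()), action_for(r)) for r in risks]
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


def sample_assessment() -> List[Tuple[str, int, str, str]]:
    """Constructed sample register modelled on the checklist's own examples."""
    register = [
        Risk("Proposed five-year contract with a foreign distributor",
             "likely", "moderate"),                       # no control found
        Risk("Intermediary with personal ties to foreign officials",
             "likely", "significant",
             [Control("Due diligence policy on official ties", effective=False)]),
        Risk("Domestic office-supply vendor", "unlikely", "insignificant",
             [Control("Standard procurement approvals", effective=True)]),
    ]
    return assess(register)


if __name__ == "__main__":
    for row in risk_matrix():
        print(" ".join(f"{tier:>6}" for tier in row))
    for description, score, tier, action in sample_assessment():
        print(f"[{tier:>6}] {score:>2} {description}: {action}")
```

Running the script prints the four-by-four matrix and then the sample register sorted from highest to lowest score, with the step 1.7 action beside each entry; in practice the register would be loaded from the documented CRA records described in step 2.2 rather than constructed in code.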
Example 1
You have a proposed five-year contract. As discussed in step 1.4 above, this could be considered a risk because longer relationships with a group or within an area could lead to more comfort, thus increasing the chance of a corrupt payment being made. When reviewing your internal policies, you find no policy restricting the length of contracts. Consider implementing a new policy that limits all contracts to three years.
Example 2
You have a proposed contract with an intermediary who has personal ties to foreign officials in the country where the project is to be performed. Although having personal ties to foreign officials alone is not sufficient to create a violation, as discussed in step 1.4 above, this could be considered a risk because a closer relationship with foreign officials increases the possibility of an FCPA violation. When reviewing your internal policies, you find a provision in the organization’s due diligence policy that prevents it from entering contracts where an intermediary has a close relationship with a foreign official if the concern cannot be mitigated. Mitigation may require financial audits of all actions taken by the intermediary on your behalf, or limiting the dealings of the intermediary to those not associated with any foreign official connection.
Depending on the situation, either existing policies protect the business against the situation in the proposed contract example and nothing more needs to be done, or the policy addresses the issue of relationships between foreign officials and intermediaries but does not directly eliminate or mitigate the risk posed. In the former, the policy covers and protects against an FCPA violation. In the latter, however, your organization would need to either adjust the policy to specifically prevent contracts between a specific intermediary and a specific country, or implement mitigation measures to alleviate the concern.
Example 3
Your organization intends to engage a third party who has a cousin in the government procurement office related to the sale of services your organization provides. To avoid the appearance of unethical conduct, the organization may insert a provision into its third-party agreement with, and obtain a certification from, the third party confirming that it will not discuss the opportunity or leverage the relationship in order to win the contract.
For further information on fact patterns and details on cases that were subject to enforcement action, see Related Enforcement Actions: 2024.
This concludes the implementation of the corruption risk assessment process.
Step 2 – Maintain your corruption risk assessment process
2.1 Assign responsibility to personnel and devote compliance resources
It is advisable to assign responsibility for risk management compliance to key employees, including teams from legal, compliance, auditing, human resources, finance, and management divisions. Ensure that these employees know their role in assessing risk and understanding corruption and bribery, perhaps through directed risk assessment and FCPA training. Additionally, ensure that your organization allocates sufficient budget and resources annually to complete a CRA.
2.2 Document and store CRA steps and conclusions
Documentation and storage of the steps taken during a CRA is important for two main reasons:
- enforcement agencies take proper documentation into consideration as proof that a program exists; for example, the DOJ released an Evaluation of Corporate Compliance Programs suggesting documentation in the investigation process; and
- it allows your organization to track assessments for future use in the analysis of a certain transaction or party.
As further evidence that the charging agencies will take the existence of a compliance program into consideration, see A Resource Guide to the US Foreign Corrupt Practices Act, Second Edition, issued jointly by the DOJ and the SEC. This document lists the top 10 factors considered in deciding whether to conduct an investigation, whether to charge a corporation, and how to negotiate a plea or other agreement. That list includes:
- ‘the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging or resolution decision;’ and
- ‘the corporation’s remedial actions, including any efforts to implement an adequate and effective corporate compliance program or to improve an existing one…’.
Some additional insight into the assessment made by the Criminal Division in reaching an individualized determination of the effectiveness of a compliance program is provided in Evaluation of Corporate Compliance Programs (Updated September 2024). In that document, the Justice Department states that there are three ‘fundamental questions’ a prosecutor should ask in evaluating a corporate compliance program:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
2.3 Create a risk-based audit plan based on results of CRA
Create policies, whether standalone or within the overall FCPA compliance policy, that allow for a risk-based audit plan based on the results of the CRA.
Use the results of the CRA implementation completed in step 1 above to establish the frequency and depth of audits. Use internal audit where permitted, or an independent auditor, to complete the review.
This is an important step because it provides for a continuous assessment of whether the risks are still present or have been effectively mitigated.
2.4 Implement periodic and continuous monitoring
Use your employees identified in step 2.1, above, to continuously monitor the implementation of risk mitigation measures.
Ensure that your organization has a procedure in place that provides for periodic re-assessment of risk to stay current with changes in law, transactions, and parties.
Risk assessment should be conducted as a regular part of business.
Step 3 – Assess other corporate risk areas or provisions
Your assessment of risk should include an assessment of the following areas.
3.1 Gifts, travel, hospitality and entertainment expenses
You should assess your organization’s compliance with any gifts, travel, hospitality, or entertainment policies. Such expenses are often the greatest area of concern. For example, if your organization allows management to send annual end-of-year gifts to clients and business relations, consider specifying a maximum monetary value of such gifts and which officials, if any, may not receive such gifts.
For further information, see Checklist: Charitable and political donations and gifts, travel, entertainment compliance.
3.2 Charitable and political donations
You should also assess charitable and political donations. Consider whether the charities or political organizations your business supports have the potential to influence foreign officials. Also consider whether a well-documented and publicized donation may alleviate such risk.
For further information, see Checklist: Charitable and political donations and gifts, travel, entertainment compliance.
Additional resources
- Transparency International Corruption Perceptions Index: Transparency International’s guide to the level of corruption by country.
- FCPA Resource Guide: the DOJ and SEC Resource Guide to the US Foreign Corrupt Practices Act.
- Evaluation of Corporate Compliance Programs: DOJ guidance, updated in 2024, on the evaluation of corporate compliance programs.
- US Federal Sentencing Guidelines, Chapter 8, Part B: remedying harm from criminal conduct, and effective compliance and ethics programs.
Related Lexology Pro content
How-to guides:
How to protect your company from violations of the United States Foreign Corrupt Practices Act
How to protect your organization from third party liability under the FCPA
Checklists:
What to include in an FCPA compliance program
FCPA due diligence of third-party intermediaries
Charitable and political donations and gifts, travel, entertainment compliance