How-to guide: How to identify and assess bribery and corruption risk (UK)

Updated as of: 22 September 2025

Introduction

This How-to guide outlines steps to take to support the systematic identification of bribery and corruption risks within an organisation. It is aimed at in-house lawyers and compliance professionals in organisations of all sizes and all sectors in the UK.

Ensuring compliance with the requirements of the Bribery Act 2010 (BA 2010) is a legal obligation. It is crucial to know its scope to understand its impact on your organisation. Under the BA 2010, it is an offence to pay or receive a bribe, and companies and partnerships will also commit an offence where a bribe is paid on their behalf.

Carrying out a bribery risk assessment will enable your organisation to develop and tailor the anti-bribery and corruption (ABC) policies and procedures it needs to design a successful ABC compliance framework (ABC Framework).

This How-to guide provides guidance on how to identify and manage your organisation’s exposure to the BA 2010. It incorporates practical tips, examples and guidance issued by the UK government to aid your compliance.

This guide covers the following:

  1. Overview
  2. Identifying bribery risk
  3. Common risk areas
  4. Assessing bribery risk

It can be used in conjunction with How-to guides: Understanding the Bribery Act 2010 offences, Understanding penalties for breach of the Bribery Act 2010 and How to prevent bribery and corruption and Checklist: Anti-bribery and corruption risk assessment.

Section 1 – Overview

The first step in a bribery risk assessment is to understand how the relevant legislation will impact your organisation. It is therefore a key requirement to be aware of the scope of the BA 2010. This exercise will provide you with the required building blocks to create and conduct an ABC risk assessment (ABC Risk Assessment). As a result, you will clearly understand what preventative controls you will need to incorporate into your ABC Framework. 

See How-to guide: How to prevent bribery and corruption.

1.1 Scope of the BA 2010

The BA 2010 applies to the whole of the UK. It also covers bribery committed outside the UK if a person has a close connection with the UK. (For example, this covers British citizens and companies incorporated under any laws of the UK.)

The BA 2010 creates four offences:

For more information, see How-to guides: Understanding the Bribery Act 2010 offences and Understanding penalties for breach of the Bribery Act 2010.

1.2 How to conduct a bribery risk assessment

A risk assessment will allow your ABC procedures to be scoped effectively by measuring the BA 2010 risk attached to each identified activity. Once identified, activities that carry a risk of bribery can be scored on a scale (eg 1 to 5) to provide data and metrics on the likelihood of bribery in the various areas of your organisation. The main steps in a risk assessment are therefore:

  • identify bribery risks
  • measure bribery risks on a scale of 1 to 5
  • map bribery risks to a business or function

Your organisation can use this process to determine what preventative controls are reasonable and appropriate for the sector in which it operates in order to address or mitigate the risk of bribery. The process also allows your organisation to prioritise the risks it faces: start with those of highest risk or likelihood and, once these are addressed, move on to those of lesser risk or likelihood of occurrence.

See Checklist: Anti-bribery and corruption risk assessment.

Section 2 – Identifying bribery risk

2.1 Why is identification of bribery risk important?

Having in place policies, procedures and processes to address the risk of bribery is important in order to mitigate against the risk that bribery takes place.

In addition, it will be a full defence to the section 7 offence of failing to prevent bribery committed by associated persons for an organisation to prove that despite a particular case of bribery it nevertheless had adequate procedures in place to prevent persons associated with it from bribing.

Accordingly, it is of critical importance to identify and assess bribery and corruption risk in order to protect your organisation to the fullest extent possible against the risk of breaching the BA 2010.

Organisations with no specialist risk assessment expertise may find it difficult to identify risks. In these circumstances, your organisation could consider any, or a combination of, the following:

  • seeking advice from specialist external counsel;
  • seeking advice from UK diplomatic services and government organisations such as the Department for Business and Trade;
  • consulting general country assessments undertaken by local chambers of commerce, relevant non-governmental organisations and sectoral organisations;
  • seeking advice from industry representatives; and/or
  • following up any general or specialist advice with further independent research.

2.2 Mechanisms for identifying bribery risk

In addition to conducting a risk assessment, there are a number of other ways in which potential bribery risk might be identified, and organisations should pay careful attention to each of them. These include:

  • employees
  • complaints
  • investigations
  • audits/internal reviews

Each is dealt with briefly in turn below.

2.2.1 Employees

Employees who are aware of the application of anti-bribery laws, your organisation’s stance against all forms of bribery and the standards they will be required to uphold will be an important tool for identifying bribery. Employees should receive training that allows them to identify the risk of bribery in a number of situations and to understand what to do in the event that they suspect that bribery is being given, offered or received either by someone within the organisation or by a person associated with your organisation. Secure and confidential means of internally reporting concerns will help employees to feel confident about raising concerns.

2.2.2 Complaints

Complaints may come from third parties such as customers, distributors or even suppliers. Employees responsible for managing third party relationships should be alive to the possibility of such complaints (in whatever form they are made, noting that they may not be formal in nature) and be aware of the procedure for escalation within your organisation.

2.2.3 Investigations

The process of being investigated by a regulator (whether related to bribery or not) will likely involve a review of a large amount of documentation and may also involve interviews with staff. The nature of the process means that wrongdoing which is not the subject of the investigation may come to light. It is prudent to stay alert to the possibility of bribery even when it is not the primary focus of an investigation.

2.2.4 Audits/internal reviews

Internal reviews, whether formal audits or less formal reviews of processes or contracts, may turn up evidence of bribery risk or breaches. Even if the review is unrelated to bribery matters (for example, a review primarily aimed at competition matters), organisations should be mindful of any compliance matters arising from audits.

In order to be effective, an internal review should be conducted with the oversight and sponsorship of top-level management and appropriate resources (time, money and people) will need to be dedicated to the process.

Section 3 – Common risk areas

No policies or procedures will be capable of detecting or preventing all bribery. Identification of risks is important because this will allow your organisation to take a risk-based approach to anti-bribery procedures, placing the greatest focus and effort on those risks where procedures will have the greatest impact.

An internal review should be conducted which seeks to identify and assess bribery risks that your organisation might be exposed to by virtue of its business activities and their location.

Whilst the risks that organisations face will vary depending on their specific business activities, the scope of the BA 2010 means that there are some types of business activity where there are common areas of risk. These risks can be divided into external and internal factors and are detailed below.

3.1 External risk factors

There are five broad groups of commonly encountered ‘external risk factors’. These are detailed further below.

3.1.1 Country risk

This is evidenced by:

  • perceived high levels of corruption
  • an absence of effectively implemented anti-bribery legislation and
  • a failure of the foreign government, media, local business community and civil society effectively to promote transparent procurement and investment policies

3.1.2 Sectoral risk

Some sectors are higher risk than others. Higher risk sectors include the:

  • extractive industries and
  • large-scale infrastructure sector.

3.1.3 Transaction risk

Certain types of transaction give rise to higher risks, for example:

  1. charitable or political contributions
  2. licences and permits and
  3. transactions relating to public procurement.

3.1.4 Business opportunity risk

Such risks might arise in projects:

  • with a high value
  • involving many contractors or intermediaries
  • not apparently undertaken at market prices or
  • which do not have a clear legitimate objective

3.1.5 Business partnership risk

Certain relationships may involve higher risk, for example:

  • the use of intermediaries in transactions with foreign public officials
  • consortia or joint venture partners and
  • relationships with politically exposed persons where the proposed business relationship involves, or is linked to, a prominent public official

3.2 Internal risk factors

The Serious Fraud Office (SFO) has identified common internal risk factors which may increase the level of risk within your organisation. These include:

  • deficiencies in employee training, skills and knowledge
  • a bonus culture that rewards risk-taking
  • a lack of:
    • clarity regarding gifts and corporate hospitality and promotional policies and procedures
    • clear financial controls and
    • a clear message or tone from top level management

3.3 Activities and risk factors that could increase exposure to bribery risk

There are various activities and risk factors that could increase your organisation’s exposure to bribery risk. These are explored below.

3.3.1 Associated persons, agents and intermediaries

Your ABC Risk Assessment will determine the levels of bribery risk your organisation faces. This will be largely determined by the type and nature of the persons associated with it (an offence under section 7 BA 2010 can be committed by commercial organisations which fail to prevent persons associated with them from committing bribery on their behalf).

When working with agents and intermediaries, your organisation needs to be alert to the relevant risk associated with each relationship. This may necessitate due diligence enquiries to enable the bribery risks to be identified and managed. Questions to consider might include:

  • is the agent/intermediary really required?
  • does the agent/intermediary have the required expertise?
  • are they interacting with or closely connected to public officials?
  • is the proposed pay reasonable and commercial?

Generally, more information is likely to be required from prospective and existing associated persons that are incorporated (eg companies) than from individuals. This is because, on a basic level, more individuals are likely to be involved in the performance of services by a company and the exact nature of the roles of such individuals or other connected bodies may not be immediately obvious. Accordingly, due diligence may involve direct requests for details on the background, expertise and business experience of relevant individuals. This information can then be verified through research and the following up of references, etc.

It is important to remember that your organisation’s employees are presumed to be persons associated with the organisation for the purposes of the BA 2010. Your organisation may wish, therefore, to incorporate in its recruitment and human resources appropriate due diligence.

3.3.2 Facilitation payments

Unlike in some other jurisdictions, there is no exemption in the BA 2010 in respect of facilitation payments, which are unofficial payments made to public officials to secure or expedite the performance of a routine or necessary action (eg product approval licences). They are sometimes referred to as ‘speed’ or ‘grease’ payments. Your ABC Framework must identify (and manage) bribery risk in relation to facilitation payments. This will likely involve a consideration of the jurisdictions and circumstances in which facilitation payments are more likely to be requested and from whom they might be requested.

3.3.3 Gifts and hospitality

Gifts and hospitality expenditure that is reasonable, proportionate and made in good faith is recognised as an established and important part of doing business. The BA 2010 does not seek to prohibit or penalise this activity. However, bribery risks relating to gifts and hospitality do need to be identified by your organisation. For instance, the more lavish the hospitality or expenditure (beyond what may be reasonable in the circumstances) then the greater the inference of bribery. The risk is that this expenditure is intended to encourage or reward improper performance or influence (especially in relation to a public official).

Lavishness is just one factor that needs to be considered in determining whether expenditure on gifts and hospitality is permitted. Generally, the full circumstances of each case need to be considered. Other bribery red flags include circumstances where the hospitality or expenditure is not clearly connected with a legitimate business activity or is concealed.

To identify bribery risks, the business should consider conducting an assessment of its dealings with business partners and foreign public officials, and in particular the provision of hospitality and promotional expenditure.

For further guidance on gifts and hospitality see Checklist: Gifts and hospitality.

3.3.4 Charitable donations

Many organisations provide charitable support to communities. However, there is an inherent risk that donations may be used for the purposes of bribery. Your ABC risk assessment and procedures therefore need to identify bribery risk in relation to donations.

Practical examples of bribery risk include those circumstances when a charity is not legitimate, or when a donation is given to a legitimate charity but for the purpose of improperly influencing a supporter or director of that charity.

For further guidance see Checklist: Charitable and political donations.

3.3.5 Political donations

Since the laws on contributions to political parties vary widely around the world, your organisation needs to identify this risk in its ABC Risk Assessment. In practice, your ABC Framework should be designed to identify and mitigate the risk that political donations are made (or are perceived to be made) in circumstances that would constitute an offence under section 1 or section 6 of the BA 2010, that is, in order to:

  • improperly influence action
  • obtain business or
  • obtain any other commercial advantage

Higher risk levels should be allocated where contributions are solicited, particularly by a public official.

For further guidance see Checklist: Charitable and political donations.

3.3.6 Actions of senior managers

Recent changes to corporate criminal liability (introduced by the Economic Crime and Corporate Transparency Act 2023) mean that an organisation will also be guilty of a section 1, 2 or 6 BA 2010 offence where such an offence is committed by a senior manager acting within the actual or apparent scope of their authority. Organisations should take steps to identify risk associated with these changes and take steps to mitigate risks of liability arising from the expansion of corporate criminal liability.

See further How-to guide: Understanding the Bribery Act 2010 offences and Checklist: Anti-bribery and corruption procedures.

Section 4 – Assessing bribery risk

4.1 Measurement of risk

Once bribery risks have been identified, the next step is to assess each risk in light of the specific business operations of your organisation and categorise each identified risk. This will help to prioritise your compliance efforts.

Activities can be categorised on a scale of likelihood or level of risk (eg 1 to 5, or high/medium/low) in order to provide data and metrics on the relative risk exposure of the various areas of your organisation. Along with a consideration of the broad categories of bribery risk, your risk categorisation should consider:

  • whether there have been past incidences of bribery or suspected bribery and if so, in what circumstances these arose and what the impact was
  • the results of any compliance audits and any procedural gaps in your organisation’s compliance programme. If any potential bribery compliance issues or red flags were identified as part of any internal or external audits conducted in the past two to five years you will need to determine how these matters were dealt with and factor this into your bribery risk assessment. Likewise, if any internal reports or complaints flagged potential bribery compliance issues, this information must also be considered and factored in
  • the impact on the business if the risk materialises

This exercise can be time consuming but will pay dividends by allowing you to tailor the management of bribery risk in your organisation and focus your efforts on the areas that present the highest degree of risk.

4.2 Map to a business department or function

Different functions within your organisation will have different levels of exposure to bribery risk. The procedures that will be appropriate to manage risk will therefore not necessarily be the same across the whole of your organisation. In order to focus compliance efforts, risks should be mapped to different business departments or functions within your organisation.

4.3 Use of the output of the risk assessment

Accurately scoping the BA 2010 and measuring your organisation’s risk will result in the application of a risk-based approach to the design of your ABC Framework. This will allow you to focus on your organisation’s highest risks i.e. those which are either most likely to occur or which will cause the most disruption should they materialise. Disruption will cost your organisation time, money and resources, along with any resulting reputational damage that may jeopardise stakeholder confidence, business relationships and sales income.

Once your ABC Framework reduces the risks identified with the highest risk levels, you can then move on to address lower risk activities.

It is critical that your ABC Framework is project managed and that the risks are scoped correctly from day one to ensure your organisation’s ABC controls and procedures are appropriate. It is important to note, however, that a risk assessment is not one size fits all: each ABC Risk Assessment will be different and tailored to the organisation’s size, nature and budgetary resources.

See How-to guide: How to prevent bribery and corruption.

4.4 Documentation and review

Accurate and appropriate documentation of the risk assessment and its conclusions should be maintained. The risk assessment should be reviewed and updated on a regular basis or when risks change (for example if your organisation decides to enter a new geographic market) in order to identify any new risks and ensure that risks are appropriately assessed and mitigated against.

Additional resources

It is important to continuously stay abreast of developments and to add to and update your risk identification procedures as needed. In respect of the BA 2010 there are several anti-bribery and corruption website resources to draw on including:

Related Lexology Pro content

How-to guides:

Understanding the Bribery Act 2010 offences
Understanding penalties for breach of the Bribery Act 2010
How to conduct an internal investigation into bribery allegations
How to prevent bribery and corruption

Checklists:

Anti-bribery and corruption risk assessment
Anti-bribery and corruption procedures
Gifts and hospitality
Charitable and political donations
Conducting third party due diligence and managing third party bribery risk
