As the pressure to curb corruption has grown, so too has the demand for “corruption risk assessments,” efforts to predict what form corruption in a public agency or private firm is likely to take and what can be done to reduce if not to eliminate it. In the private sector risk assessments have been fueled by national laws that reduce penalties for corruption violations if a firm has a risk management program in place. In the public sector risk assessments help assure citizens that their money is not being stolen and provide an agency leader unlucky enough to be at the helm when a corruption scandal breaks at least a partial defense to charges of incompetence or venality.
Public sector assessments come in several varieties: those which examine the risks faced by a single organization, say the Albanian tax agency, others which assess risks in a publicly-funded program, for example a de-forestation project in the Democratic Republic of the Congo, and still others which consider overall risk in a sector with a large public presence such as water or education. While public sector assessments are almost always readily available, private sector assessments are not, presumably for proprietary or competitive reasons. What is available on private sector risk assessment are hundreds (thousands?) of tomes advising firms on how to conduct a risk assessment — often written by those looking to assess the corruption risks a corporation faces for a fee.
A Google search for “corruption risk assessment” produced 300,000 hits, one for “assessing corruption risks” 48 million! I won’t pretend to have read even a representative sample of the reports or “how to” manuals, but the many I have read so far have been a disappointment.
The low quality of the “how to” literature is particularly surprising given the fees that are no doubt being charged for assessing the risks companies confront. With rare exception the risk assessment guides counsel would-be clients to draw up a laundry list of corruption risks and then an equally long list of “mitigation measures.” Better than nothing, I suppose, and perhaps enough to help firms whose corruption controls fail escape or mitigate liability for the actions of employees and agents. But the term “risk” suggests some differentiation based on the likelihood a form of corruption will occur together with some estimate of the harm it would cause, thus providing guideposts for prioritizing risk reduction measures.
One of the only private sector risk assessment guides I have found that takes this approach is that published in late 2013 by a task force of the UN Global Compact, a UN-private sector partnership. Its Guide for Anticorruption Risk Assessment explains that firms need to estimate both the likelihood their employees will commit different types of corrupt acts and what the effects of each would be. Also valuable is its advice to firms to use a two-pronged test when assessing the chances their employees will become involved in corruption: 1) the pressures they face, say to meet a manager’s expectations or a client’s demands, and 2) the opportunities they have to violate anticorruption laws based on the controls to which they are subject.
Where the report could be strengthened is in its recommendations for assessing risks. It suggests that firms use Transparency International’s Corruption Perception Index to assess country risk and rely on reports of past violations to analyze the risks of different forms of corruption. The overall risk of corruption in a country is such an amorphous concept that it is not clear what value there is to even trying to measure it — let alone using the CPI to do so. And as Malcolm Sparrow explained many years ago, the record of past violations is an uncertain guide to current vulnerabilities. More often than not it is the large, complex frauds where losses are greatest that go undetected. The guide might also have borrowed from the economic literature on collusion, which teaches what industry characteristics increase the risk of bid rigging or cartelization.
Perhaps because the assessments are public, thinking on how to improve public sector risk assessments has advanced in the last few years with the Council of Europe, Transparency International, and most recently U4 offering assessments to improve these assessments. Clearly a subject for a future post.
I share your frustration with the existing information on risk assessment in the private sector. From what I’ve seen, there’s a lot of true-but-banal general advice (corruption risk is likely higher in Nigeria than in Canada, likely higher in certain industries like construction, etc.), and laundry lists of “red flags”, but not much that’s more sophisticated than that. Though as you say, much of this may be proprietary information, so perhaps the risk consultancy services have more sophisticated techniques that they choose not to disclose publicly. Perhaps. Or perhaps they’re just as much in the dark as the rest of us. Then again, maybe you and I are not giving them enough credit: It may be that even fairly simple risk assessment measures are not obvious to firm managers who don’t spend a lot of their time thinking about corruption issues. And a lot of the private sector risk assessment firms also perform due diligence of specific transaction partners, where it’s the factual information uncovered, not the general principles, that’s of greatest value.
By the way, though you focus on risk assessment, I think one could make similar complaints about “compliance programs” more generally. Lots of people talk about the need for a good compliance program and compliance & ethics training, firms put a lot of time and money into this, there are lots of consultants and law firms advertising assistance with the design of compliance programs — but it’s not obvious that anyone really has any good, solid information about what “works” with respect to promoting compliance (at least beyond the fairly obvious stuff, like that the firm should make it clear to employees that they’re not supposed to break the law, and management should make clear that they really mean it).