As the pressure to curb corruption has grown, so too has the demand for “corruption risk assessments,” efforts to predict what form corruption in a public agency or private firm is likely to take and what can be done to reduce if not to eliminate it. In the private sector risk assessments have been fueled by national laws that reduce penalties for corruption violations if a firm has a risk management program in place. In the public sector risk assessments help assure citizens that their money is not being stolen and provide an agency leader unlucky enough to be at the helm when a corruption scandal breaks at least a partial defense to charges of incompetence or venality.
Public sector assessments come in several varieties: those which examine the risks faced by a single organization, say the Albanian tax agency, others which assess risks in a publicly-funded program, for example a de-forestation project in the Democratic Republic of the Congo, and still others which consider overall risk in a sector with a large public presence such as water or education. While public sector assessments are almost always readily available, private sector assessments are not, presumably for proprietary or competitive reasons. What is available on private sector risk assessment are hundreds (thousands?) of tomes advising firms on how to conduct a risk assessment — often written by those looking to assess the corruption risks a corporation faces for a fee.
A Google search for “corruption risk assessment” produced 300,000 hits, one for “assessing corruption risks” 48 million! I won’t pretend to have read even a representative sample of the reports or “how to” manuals, but the many I have read so far have been a disappointment.
The low quality of the “how to” literature is particularly surprising given the fees that are no doubt being charged for assessing the risks companies confront. With rare exception the risk assessment guides counsel would-be clients to draw up a laundry list of corruption risks and then an equally long list of “mitigation measures.” Better than nothing, I suppose, and perhaps enough to help firms whose corruption controls fail escape or mitigate liability for the actions of employees and agents. But the term “risk” suggests some differentiation based on the likelihood a form of corruption will occur together with some estimate of the harm it would cause, thus providing guideposts for prioritizing risk reduction measures.
One of the only private sector risk assessment guides I have found that takes this approach is that published in late 2013 by a task force of the UN Global Compact, a UN-private sector partnership. Its Guide for Anticorruption Risk Assessment explains that firms need to estimate both the likelihood their employees will commit different types of corrupt acts and what the effects of each would be. Also valuable is its advice to firms to use a two-pronged test when assessing the chances their employees will become involved in corruption: 1) the pressures they face, say to meet a manager’s expectations or a client’s demands, and 2) the opportunities they have to violate anticorruption laws based on the controls to which they are subject.
Where the report could be strengthened is in its recommendations for assessing risks. It suggests that firms use Transparency International’s Corruption Perception Index to assess country risk and rely on reports of past violations to analyze the risks of different forms of corruption. The overall risk of corruption in a country is such an amorphous concept that it is not clear what value there is to even trying to measure it — let alone using the CPI to do so. And as Malcolm Sparrow explained many years ago, the record of past violations is an uncertain guide to current vulnerabilities. More often than not it is the large, complex frauds where losses are greatest that go undetected. The guide might also have borrowed from the economic literature on collusion, which teaches what industry characteristics increase the risk of bid rigging or cartelization.
Perhaps because the assessments are public, thinking on how to improve public sector risk assessments has advanced in the last few years, with the Council of Europe, Transparency International, and most recently U4 offering assessments to improve these assessments. Clearly a subject for a future post.