Corruption Risk Assessments: Am I Missing Something?

Surely one of the most salutary developments to result from the intense focus on corruption over the past two decades is the growing use of corruption risk assessments by public and private entities alike.  Risk assessments were first employed in the 17th century to assess the likelihood a steam engine would explode and refined over the years to address risks as varied as the meltdown of a nuclear reactor or climate change.  A corruption risk assessment estimates the chances a government agency or private corporation will experience one or more types of corruption.  Just as assessing the risks of an engine explosion or reactor meltdown is an indispensable prerequisite for designing measures to mitigate if not eliminate these risks, a corruption risk assessment provides the critical information public and private sector decisionmakers need to design practicable corruption prevention programs.

A plethora of guides explaining how to conduct a corruption risk assessment are posted on the internet (examples for the public sector here and here; for the private sector here, here, and here).  All recite the standard method for assessing risks of any kind found in textbooks and government reports.  First, all conceivable forms of corruption to which the organization, the activity, the sector, or the project might be exposed are catalogued.  Second, an estimate of how likely it is that each of the possible forms of corruption will occur is prepared, and third, an estimate of the harm that will result if each occurs is developed.  The fourth step combines the chances of occurrence with the probability of its impact to produce a list of risks by priority.

The critical steps are the second and third.  If the estimate of where bribery is likely to occur or its impact if it does occur is wrong, prevention efforts will not be properly targeted. That happened to the U.K. insurance firm Aon Limited.  Thinking bribery was more likely to occur in its U.K. operations than those overseas, it put the bulk of its enforcement efforts into preventing bribery in the U.K.  Because, as the U.K. financial regulator found, it “failed properly to assess … the higher risks presented by some of the countries in which [its overseas] divisions operated,” it thus spent little time overseeing its non-U.K. agents.  That mistake was costly.  When it was revealed that many non-U.K. agents had paid bribes, the U.K. Financial Services Authority, the U.S. Department of Justice, and the Securities and Exchange Commission all brought enforcement actions.

Given the importance of accurate estimates of bribery risk and impact to developing a corruption risk assessment, one would expect “how to” guides to explain ways to improve the accuracy of the estimates.  Especially since risk assessments in other areas do.