Risk assessments - Avoid binary urges
Rupert Evill
Reducing Integrity Risks for Investors, Mid-Caps & Scale-ups | Risk Assessments, Implementation, Training, Investigations | Author "Bootstrapping Ethics" | Advisor @Association of Corporate Investigators
Transparency International's 2020 Corruption Perception Index (CPI) is out. The publication prompts a mix of anticipation and anticlimax. In the past weeks, I've seen people posting about how:
- It paints an overly rosy picture of some developed markets (e.g., Denmark's money-laundering and corruption scandals in the banking sector juxtaposed with its joint first place).
- It doesn't change much - the runners and riders at each end of the table remain relatively static.
- TI uses the publication's launch to lament a lack of overall anti-corruption progress.
These points all have validity. Many ethics & compliance teams use the CPI as a crucial (sometimes sole) component in the country risk part of the risk assessment. If that's you, you're wasting your money and probably misallocating resources.
Whenever I would present data to my Dad, he would reply with one of three phrases, "And...?", "So what?", or "Does it matter?"
And...?
Corruption risk does not exist in a void. Corruption loves company. Its besties include money laundering, conflicts of interest, fraud, bureaucratic opacity, and the weak rule of law. Corruption is on texting terms with modern slavery, trade sanctions, anti-competitive practices, constraints on press freedom, low sustainability, low human freedom and human development. Most of those factors have indexes too.
Last year we compiled all these indexes (from 2019 and 2020) and made some comparisons. Aggregating the scores to create an average, we then compared various indexes to spot outliers. The CPI broadly tracked the median as the table below (for Asia) showed.
So what?
So that suggests the CPI is accurate and helpful. Yes and no. It gives you a headline risk estimation, which can be wildly and widely misleading. Let me give some examples.
Regulatory focus
Regulatory enforcement is not constant or consistent. The video below - compiled using data from US authorities - shows how regulatory focus has ebbed and flowed over the past two decades. You may now be thinking, "Sure, but corruption and the FCPA are the big scary ones." Maybe true, for now. What about China's anti-competition crackdown, the FinCEN Files bringing money-laundering back to public attention, the Modern Slavery Acts (and other similar legislation), or sanctions (with Cuba, Iran, and Myanmar all in the news for different reasons)?
More importantly, what about the court of public opinion? Granted, if you're, let's say, an oil and gas servicing company, you may not feel the gnawing of negative publicity as acutely as a fashion brand. However, with sustainability, the environment, discrimination, harassment, labour practices, anti-slavery, diversity, equity & inclusion, the sentiment is only heading one way.
We need to get away from obsessing about anti-bribery & anti-corruption being the linchpin of compliance.
Sector-focus
Some sectors are subject to greater regulatory oversight than others. Again, this is not static, as GDPR and the tech sector teach us.
The guidance on practical risk assessments tells us to consider sector risk. So what? Most folks I speak to know their sectors like the back of their hands, but they lack frameworks to tease out risk. Consider some of these areas:
- Human rights: Have there been issues? Do not stop at blatant physical abuses; also consider your contribution in the devalued chain. For example, you might host personal data in repressive states where the authorities have asked, or might ask, for that data.
- State involvement: Is the state heavily involved in your sector (customer, overseer, participator)?
- Competitive landscape: How much, who, and how do you all behave?
- Environment: How much do you take and replenish? What are the impacts on the communities in which you work?
- Diversity: Pale, male, and stale? Where there's homogeneity, typically there are horrors.
- Labour: Who comprises your workforce? Do you know their working (and living) conditions, and do they change? Again, this is not just a 'boots on the ground' risk; consider business process outsourcing, content moderation, and gig economy workers as times change.
- Money laundering: It's more of a risk for specific sectors, yet you'd be amazed how inconsistently that is recognised and reflected.
- Sanctions: Do they, have they, or might they focus on your sector?
- Protests & opposition: Is your sector one that draws opposition? A quick test might be, imagine telling a recent college graduate from a liberal arts school where you work.
Sub-regional focus
I live in a city-state - one of the most uniform (by design) and centrally-planned nations on earth. Even in Singapore, there are subtle regional variations. Now consider larger countries: is risk uniform across the nation? No.
Myanmar would be a topical example. The risk profiles differ between offshore oil & gas exploration in Yetagun (east, in the Gulf of Mottama), Shwe (offshore Rakhine State), and a slated refinery in the Magway Region. The same sector, different risks.
Now, if you change the sector, the picture becomes starker. First, a telecoms operator facing demands to shut down infrastructure to aid the Myanmarese military. Then a garment manufacturer facing worker walkouts and dealing with local Customs officials daily. Finally, a mine operator in an ethnic minority-controlled region.
Business model focus
How you do what you do is a massive determinant of risk. In regulatory guidance, this might be called business opportunity, business transaction, and business partner risk.
Continuing the Myanmar example, a beer manufacturer in a JV with a military-owned behemoth has different risks to consider than a construction firm bidding on multilateral-funded road projects, or a healthcare company servicing the market through a distributor with no physical presence. The same country still, very different risks.
Does it matter?
All these variations sound like a lot of work to consider, so does it matter? Can't we pick the CPI as a rough indicator and roll with it? Sure, if you want to waste your money and maybe get fired.
Ethics and compliance that doesn't match your operational realities will fail. An accurate risk assessment is a bridge between compliance intention and effective implementation. When I see people starting with the compliance infrastructure before considering operational context and risk, I think of designing a home security system without considering where you live. You might get lucky, and the standard home security system will provide adequate protection. But you may also leave yourself and your family exposed, or be wasting a lot of money if your neighbourhood is plain vanilla.
Risk loves company
If you have some ethics and compliance issues, you can be sure you'll have others. I've seen a strong correlation between discrimination and harassment complaints with instances of fraud and corruption in previous risk assessments. Cultures that enable leaders to harass and discriminate do not deter them from other violations. 'Cooking the books', 'giving my college buddy that gig', or 'slipping a brown envelope' become normalised. Their unfortunate colleagues are unlikely to feel much loyalty and may drift into the rationalisation part of the fraud triangle. "They treat me like dirt," "they do it," and on.
Look beyond corruption.
Binary blinkers
Now comes the title, avoid your binary urges. When facing variables, binary terms can be comforting. For example, "Do we have government clients? Yes or no." Or, "Do we use third parties in Market X? Yes or no." Binary answers will be misleading. Selecting an option from along a scale requires thought, and that then leads to three things:
- More accurate results.
- Divergence and differences of opinion become easier to spot and examine.
- People start thinking about risk.
Likert or not
Bringing all these elements of a risk assessment together need not be a gigantic task. We built a draft external risk assessment in a few days. The first test - to make sure it worked - was a fictitious Indonesian mine, 'based on real events'. The results illustrate the scattered risk profile you'd expect. Higher risk factors included state involvement in awards, bureaucratic corruption, human rights, environmental risks, discrimination, licenses and permits, and third-party interactions. Reading that list back, it is perhaps a statement of the obvious. However, testing those assumptions and documenting them is crucial.
In conclusion, by all means, start with the CPI as a point of departure, but don't stop there. Ideally, around 30 focused questions with input from a small sample from across the business should get you a very functional risk assessment. If you don't know where to start, ask (we have online and old-school Excel versions of the assessment).
Compliance Leader | Code of Conduct | Investigation | Whistleblower Helpline | Anti-Bribery Corruption | Anti-Money Laundering
4 years ago: Rupert, thank you for sharing. I am also a promoter of compliance and this will be a great share with my colleagues. There is a disconnect between front-line workers and those who sit in an ivory tower. I am always looking for ways to bridge the gap. It would be great if we can collaborate. Cheers!
Global Head of Risk Management at Freshfields | #AuDHD neurodiversity inclusion advocate
4 years ago: I get very nervous as soon as anyone suggests using the Transparency International CPI as a "measurement" of corruption in a country, in a risk assessment or really any other context. I know it serves an important advocacy purpose but part of me wishes they'd stop releasing the country rankings completely.
Financial Crime, Risk and Compliance Consultant | Lecturer in Law
4 years ago: A thought-provoking overview! I am due to run a counter corruption programme for clients in the London construction sector. You've given me a lot more to consider. Thank you!
I help organisations and people make great decisions under uncertainty | Founder of The Decision-Making Studio | Host of The Decision-Making Studio Podcast | Co-author of "Decision-Making in the Polycrisis Era"
4 years ago: Great piece that makes an important and often overlooked and misunderstood aspect of all these risk indices - that they are starting points, not solutions. Context of course, is everything and you bring that together nicely. And of course, these - like any other types of risks - need to be assessed as a component of decision-making so that organisations can make quality choices and take the right courses of action.
(Former) Head of Exchequer Services (AR/AP/P2P)
4 years ago: It would be welcome if legislation could move along with the compliance in AML, fraud etc... it seems far too many (particularly corporates) are getting away with a slap on the wrist.