Business ethics: stress-testing with risk management
Introduction
Our client, an international resources business with a listing in London, was subject to the UK Bribery Act 2010. They asked us to help them review their compliance with their business Code of Conduct, to provide broad assurance about their business ethics as well as specific guidance about their compliance with the Act.
The UK Serious Fraud Office provides some of the simplest and most useful definitions of bribery and fraud:
- Bribery is the giving or receiving of something of value to influence a transaction
- Fraud is an act of deception intended for personal gain or to cause a loss to another party.
The following quote, which we heard recently, provides an example of the pressures under which companies and their managers may find themselves:
Legislative background
Many international businesses have their own Codes of Conduct. In addition, working with partners and Governments is the subject of international legislation and conventions that apply to many business activities around the world. Those we have encountered include:
- UK Bribery Act 2010
- US Foreign Corrupt Practices Act 1977
- South African Prevention and Combating of Corrupt Activities Act 2004
- OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, 1997
- United Nations Convention Against Corruption 2003.
The UK Bribery Act has particular relevance to UK-listed companies, because it applies to all their business dealings, including those subsidiaries and joint ventures over which the company has effective control. It applies to dealings with both the private and public sectors and irrespective of where in the world they are conducted. In particular, the Act addresses:
- Offering, promising, giving or requesting a bribe
- Agreeing to receive or take a bribe
- Bribing of a foreign public official
- Failure by a commercial organisation to prevent bribery.
Failure by a commercial organisation to prevent bribery is a new corporate offence. It is very broad in scope: facilitation payments count as bribes, and a company may be liable if it fails to prevent a bribe being paid on its behalf by any employee or agent, working anywhere in the world. The only defence is for the company to show that it had adequate procedures in place to prevent bribery, which is why the effectiveness of its controls matters.
Both an individual involved in bribery and the company may be subject to severe penalties. Fines for the company may be unlimited, and individuals may face up to 10 years in jail. Bribery or perceptions of bribery may also have adverse impacts on a company’s reputation, its ability to conduct business and its share price.
Background to the case study
The company has a history of ethical behaviour and a strong code of ethics, but the new Act provided an opportune time to check the effectiveness of controls and, where necessary, improve them.
A risk management approach was used, compatible with the company’s ERM process, itself based on the international standard ISO 31000, Risk management – Principles and guidelines.
The level of risk was expected to vary across the company, depending on where each business division is located and the nature of its operations. This meant that risks and their consequences and likelihoods had to be analysed as they might arise in specific divisions. In particular, although a common list of risks was developed, the controls, the risk analysis and the treatments were specific to individual divisions.
Context
The Code of Conduct addresses five broad areas of application of the business principles (Figure 1), and provides specific guidance within each one. All aspects of the Code of Conduct are of major importance for the business.
A series of risk assessment workshops was planned, with different business functions and geographic divisions. The key elements for structuring the workshops were based on the five topics in Figure 1; selected items are shown in Table 1.
| Element | Notes |
|---|---|
| 1.1: Health, safety & personal security | Health & safety; security agents; relationship with police |
| 1.2: Fair treatment & equality | Equal opportunity; diversity (gender, race, disability); nepotism; grievances; career development |
| 2.1: Fraud and theft | Theft; improper use; inaccurate reporting; credible assurance and governance |
| 3.1: Government relations | Employment; financial assistance; donations to political organisations |
| 3.3: Bribery | Public officials; approvals negotiations; facilitation payments; political parties; legislature; police; religious bodies; judiciary; media; NGOs; military |
| 4.1: Community engagement | Community benefits; long-term sustainability |
| 5.1: Natural environment | Environmental sustainability; long-term viability |
Risk assessment
Risk identification started with an initial questionnaire, followed by a workshop with one division. Subsequent workshops with other units built on the previous work and the risk registers from earlier workshops.
Prior to each workshop, participants were invited to describe the three most important risks for each of the key elements, in the form:
[something happens] and leads to [an impact on our objectives].
These were consolidated into a draft register to enable the workshop to get off to a quick start.
The risk assessment was compatible with the company's ERM process and used the company’s corporate scales for:
- Control effectiveness
- Consequence ratings
- Likelihood ratings
- Level of risk
- Potential exposure.
The workshop structure was based on a series of steps for each key element.
- Review the risk register developed from the questionnaires, add further risks, and describe the causes, consequences and controls for each in detail.
- For each risk, assess its control effectiveness, the impact of the risk given the controls, and the likelihood of that level of impact arising. Use the consequence and likelihood ratings to generate a level of risk. Then rate the potential exposure for the risk, using the consequence scale: the plausible worst-case impact on the business arising from the risk if all active controls, including insurance and hedging contracts, are assumed to be ineffective.
- Note the risk owner, the person responsible for ensuring the risk is treated appropriately.
Because the level of risk may vary across business divisions, depending on geographical location and the nature of the operations, the analysis of risks and their consequences and likelihoods was specific to each division. In other words, for each risk there was a set of ratings for each division, reflecting the division's unique context, circumstances and jurisdiction.
Workshop outcomes and risk treatment
Table 2 summarises the 103 risks that were assessed for Division A, using the controls, consequences and likelihoods for this division. Each cell shows the number of risks with that combination of likelihood (rows, A: Rare to E: Frequent) and consequence (columns, 1: Minor to 4: Severe).
There was only one risk, in cell D3 (likelihood D, consequence 3: Major), that was rated High in the company's ERM process.
- Risk 92, Our activities cause health, safety, and environmental impacts on local communities (e.g. dust, heavy metal contamination, noise, traffic, ...).
This risk must be interpreted carefully. The workshop discussion indicated that the primary area of impact was on the company's reputation with the community, and the assessment was based on perceptions and media coverage of operating activities rather than actual community and environmental damage. The controls for this risk were rated as Satisfactory.
| Likelihood \ Consequence | 1: Minor | 2: Moderate | 3: Major | 4: Severe |
|---|---|---|---|---|
| E: Frequent | 3 | | | |
| D | 1 | 3 | 1 | |
| C | 5 | 24 | 8 | |
| B | 18 | 21 | 5 | 2 |
| A: Rare | 10 | 1 | 1 | 1 |
Table 3 summarises control effectiveness against level of risk for a subset of the risks for Division D, and so shows where control improvement is most needed. The two risks rated as High but with poor or no controls are of particular interest.
| Control effectiveness | Low risk | Medium risk | High risk |
|---|---|---|---|
| Poor or none | 0 | 2 | 2 |
| Requires improvement | 1 | 1 | 1 |
| Satisfactory | 0 | 0 | 1 |
The workshops identified many potential treatment actions to improve the control environment in the divisions. Most of the treatments were specific to individual divisions and the environments in which they operate, but a few were of more general, company-wide applicability. A selection is shown in Table 4.
| Topic | Possible additional treatment actions |
|---|---|
| Agents | Ensure all agents are given our Code of Conduct, and that they acknowledge receipt in writing. |
| Assurance | Liaise with internal audit to ensure there are targeted audits of payments and use of funds. |
| Contractors and suppliers | Ensure all contracts make compliance with our Code of Conduct mandatory. |
| Delegations | Where contractors are required to take management roles, ensure a process is in place to modify the delegations of authority to an appropriate level for probity and transparency. (Contractor access to pricing information of competitors is a particular concern.) |
| Training | Review the need for, and investigate options for, providing training to third parties (partners, contractors, suppliers, agents) in our Code of Conduct and our collective obligations under relevant legislation. |
Summary
The risk management process provided a useful structure for reviewing the company's Code of Conduct systematically, in a way that was compatible with its ERM framework. It was simple and logical, and the ERM approach was familiar to personnel, so the workshop participants accepted it readily. The treatment actions were incorporated in the company's action tracking systems, just like any treatment actions flowing from a risk assessment.
- Client:
  - International resources business
- Sector:
  - Public sector and government business
  - Mining and minerals processing
- Services included:
  - Risk assessment
  - Risk treatment