Business ethics: stress-testing with risk management


Our client, an international resources business with a listing in London, was subject to the UK Bribery Act 2010. They asked us to help them review their compliance with their business Code of Conduct, to provide broad assurance about their business ethics as well as specific guidance about their compliance with the Act.

The UK Serious Fraud Office provides some of the simplest and most useful definitions of bribery and fraud:

  • Bribery is the giving or receiving of something of value to influence a transaction
  • Fraud is an act of deception intended for personal gain or to cause a loss to another party.

The following quote we heard recently provides an example of the pressures under which companies and their managers may find themselves:

We heard an interesting tale yesterday from one of the project managers about their efforts to gain a relatively minor permit.

Over about 9 months, each time a request for information and paperwork was met, an even more demanding one would be issued, building up to 1,500 drawings for a minor facility, each of which had to be certified with an ink signature by Government-qualified engineers, but the permit still hasn't been issued. The game is to keep pushing until the applicant asks how this matter can be resolved, and then ask for an administration fee. Because the company is determined to maintain its policy on graft they are sticking to their guns and simply complying with each request.

They have a plan to break the deadlock, but it will require an agreement with the Government to establish a single administrative framework so they just have one big regulator to deal with and can make any dealings transparent.

Legislative background

Many international businesses have their own Codes of Conduct. In addition, working with partners and Governments is the subject of international legislation and conventions that apply to many business activities around the world. Some of them we have encountered include:

  • UK Bribery Act 2010
  • US Foreign Corrupt Practices Act 1998
  • South African Prevention and Combating of Corrupt Activities Act 2003
  • OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, 2010
  • United Nations Convention Against Corruption 2004.

The UK Bribery Act has particular relevance to UK-listed companies, because it applies to all their business dealings, including those subsidiaries and joint ventures over which the company has effective control. It applies to dealings with both the private and public sectors and irrespective of where in the world they are conducted. In particular, the Act addresses:

  • Offering, promising, giving or requesting a bribe
  • Agreeing to receive or take a bribe
  • Bribing of a foreign public official
  • Failure by a commercial organisation to prevent bribery.

Failure by a commercial organisation to prevent bribery is a new corporate offence. It is very broad in scope, and it includes facilitation payments as well as bribes. A company may be liable if it fails to prevent bribes given, received or requested by any employee, working anywhere in the world, and by any company agent.

Both an individual involved in bribery and the company may be subject to severe penalties. Fines for the company may be unlimited, and individuals may face up to 10 years in jail. Bribery or perceptions of bribery may also have adverse impacts on a company’s reputation, its ability to conduct business and its share price.

Background to the case study

The company has a history of ethical behaviour and a strong code of ethics, but the new Act provided an opportune time to check the effectiveness of controls and, where necessary, improve them.

A risk management approach was used, compatible with the company’s ERM process, itself based on the international standard ISO 31000, Risk management – Principles and guidelines.

The level of risk was expected to vary across the company, depending on the geographical location of each business division and the nature of its operations. This meant that risks, and their consequences and likelihoods, had to be analysed as they might arise in specific divisions. In particular, although a common list of risks was developed, the controls, the risk analysis and the treatments were specific to individual divisions.


The Code of Conduct addresses five broad areas of application of the business principles (Figure 1), and provides specific guidance within each one. All aspects of the Code of Conduct are of major importance for the business.

Figure 1: Typical topics covered in a business code of conduct

A series of risk assessment workshops was planned, with different business functions and geographic divisions. The key elements for structuring the workshops were based on the five topics in Figure 1; selected items are shown in Table 1.

Table 1: Selected key elements (key element, followed by the topics it covers)

  • 1.1 Health, safety & personal security: health & safety; security agents; relationship with police
  • 1.2 Fair treatment & equality: equal opportunity; diversity (gender, race, disability); nepotism; grievances; career development
  • 2.1 Fraud and theft: theft; improper use; inaccurate reporting; credible assurance and governance
  • 3.1 Government relations: employment; financial assistance; donations to political organisations
  • 3.3 Bribery: public officials; approvals negotiations; facilitation payments; political parties; legislature; police; religious bodies; judiciary; media; NGOs; military
  • 4.1 Community engagement: community benefits; long-term sustainability
  • 5.1 Natural environment: environmental sustainability; long-term viability

Risk assessment

Risk identification started with an initial questionnaire, followed by a workshop with one division. Subsequent workshops with other units built on the previous work and the risk registers from earlier workshops.

Prior to each workshop, participants were invited to describe the three most important risks for each of the key elements, in the form:

[something happens] and leads to [an impact on our objectives].

These were consolidated into a draft register to enable the workshop to get off to a quick start.

The risk assessment was compatible with the company's ERM process and used the company’s corporate scales for:

  • Control effectiveness
  • Consequence ratings
  • Likelihood ratings
  • Level of risk
  • Potential exposure.

The workshop structure was based on a series of steps for each key element.

  • Review the risk register developed from the questionnaires, add more risks, and describe the causes, consequences and controls for each in detail.
  • For each risk, assess its control effectiveness, the impacts of the risk, given the controls, and the likelihood of that level of impact arising; use the consequence and likelihood ratings to generate a level of risk; and rate the potential exposure for the risk (the plausible worst case impact on the business arising from the risk where all active controls, including insurance and hedging contracts, are assumed to be ineffective), using the consequence scale.
  • Note the risk owner, the person responsible for ensuring the risk is treated appropriately.

Because the level of risk may vary across business divisions, depending on the geographical location and nature of the operations, the analysis of risks and their consequences and likelihoods was specific to each division. In other words, for each risk there was a set of ratings for each division, reflecting the division's unique context, circumstances and jurisdiction.

Workshop outcomes and risk treatment

Table 2 summarises the 103 risks that were assessed for Division A, from the perspective of the controls, consequences and likelihoods for this division. This table shows the numbers of risks for each consequence and likelihood combination.

There was only one risk, in cell D3 of Table 2, that was rated High in the company's ERM process.

  • Risk 92, Our activities cause health, safety, and environmental impacts on local communities (e.g. dust, heavy metal contamination, noise, traffic, ...).

This risk must be interpreted carefully. The workshop discussion indicated that the primary area of impact was on the company's reputation with the community, and the assessment was based on perceptions and media coverage of operating activities rather than actual community and environmental damage. The controls for this risk were rated as Satisfactory.

Table 2: Summary of risks and ratings for Division A

[Matrix of risk counts by consequence (columns 1: Minor, 2: Moderate, 3: Major, 4: Severe) and likelihood (rows from E: Frequent down to A: Rare); the cell counts are not available in this text.]

Table 3 summarises the areas for control improvement for a subset of the risks for Division D. The two risks rated as High but with poor or no controls are of particular interest.

Table 3: Areas for control improvement, Division D

[Matrix of control effectiveness (rows: Poor or none; Requires improvement) against level of risk (columns: Low risk, Medium risk, High risk); the cell contents are not available in this text.]

The workshops identified many potential treatment actions to improve the control environment in the divisions. Most of the treatments were specific to individual divisions and the environments in which they operate, but a few were of more general, company-wide applicability. A selection is shown in Table 4.

Table 4: Selected treatment activities

Possible additional treatment actions

  • Ensure all agents are given our Code of Conduct, and that they acknowledge receipt in writing.
  • Liaise with internal audit to ensure there are targeted audits of payments and use of funds.

Contractors and suppliers

  • Ensure all contracts make compliance with our Code of Conduct mandatory.
  • Where contractors are required to take management roles, ensure a process is in place to modify the delegations of authority to an appropriate level for probity and transparency. (Contractor access to pricing information of competitors is a particular concern.)
  • Review the need for, and investigate options for, providing training to third parties (partners, contractors, suppliers, agents) in our Code of Conduct and our collective obligations under relevant legislation.

The risk management process provided a useful structure for reviewing the company's Code of Conduct systematically, in a way that was compatible with its ERM framework. It was simple and logical, and the ERM approach was familiar to personnel, so the workshop participants accepted it readily. The treatment actions were incorporated in the company's action tracking systems, just like any treatment actions flowing from a risk assessment.
