Ideas & Debate

Companies ripe for own assessment of graft risk

corruption

At present, as in the past, corruption continues to make headlines. FILE PHOTO | NMG

Summary

  • It is against this backdrop that the Ethics and Anti-Corruption Commission (EACC) issued performance contract guidelines for the financial year 2018/2019.
  • These guidelines apply to all ministries, departments and agencies (MDAs) — including State corporations, public universities and other tertiary institutions.
  • Under the terms of the EACC’s 2018/19 guidelines, all MDAs are required to conduct Corruption Risk Assessments (“CRAs”) afresh within the first quarter of the financial year.

At present, as in the past, corruption continues to make headlines. The difference, of late, is that the government is making some effort to deal with the crime; it appears that there is political will to deal with scandals as they arise.

It is against this backdrop that the Ethics and Anti-Corruption Commission (EACC) issued performance contract guidelines for the financial year 2018/2019. These guidelines apply to all ministries, departments and agencies (MDAs) — including State corporations, public universities and other tertiary institutions. Under the terms of the EACC’s 2018/19 guidelines, all MDAs are required to conduct Corruption Risk Assessments (“CRAs”) afresh within the first quarter of the financial year.

A corruption risk assessment has been broadly defined by the United Nations Global Compact as the variety of mechanisms that organisations use to estimate the likelihood of particular forms of corruption within themselves and in external interactions, and the effect such corruption might have.

Typically, a CRA would take the form of a review of an organisation’s policies (on paper and in practice!), processes and practices with a view to identifying weaknesses that may present opportunities for corruption to occur. Such an assessment should not be conducted in isolation. Care must be taken to understand the environment in which the organisation operates, and which people and/or entities it deals with.

Why is a CRA necessary? In a similar fashion to other types of risk assessments, CRAs are necessary because simply having an anti-corruption policy provides little or no protection from corruption-related problems. The formulation of an anti-corruption policy may well represent a “tick-the-box” approach to corruption prevention. A CRA, however, is the next important step in the process of preventing corruption because it identifies which processes are prone to risk and should, if effective, develop an action plan to mitigate against these risks.

A good CRA will have the following elements. First, it will identify the universe of corruption-related risks in an organisation. In the public sector, these may include (for example and typically) the procurement process in an organisation or the processes by which such licences as are compulsory for businesses to operate are issued.

Risk identification may well benefit from the use of another tool: the corruption perception survey. These are surveys that are conducted on an organisation’s staff and key stakeholders (such as important customers, suppliers, and those entities/bodies to which the organisation reports) with the aim of assessing the view of the employees and key stakeholders regarding the nature and prevalence of corruption in the organisation. Indeed, EACC’s 2018/19 guidelines recognise that corruption perception surveys have the capacity to contribute to corruption risk assessments.

Risk identification is followed by a ranking of the risks based on a combination of the likelihood of the risk to crystallise as well as the potential impact should the risk in fact crystallise.

Lastly, anti-corruption controls should then be developed to mitigate against each risk, and these controls should be implemented in order of priority.

Although EACC guidelines apply to the public sector, there is a growing realisation that corruption in Kenya is not limited to the public sector. The need for CRAs, therefore, is not limited to the public sector alone. It is prudent for multinational organisations falling under the ambit of the Foreign Corrupt Practices Act (FCPA) of the United States or Britain’s Bribery Act (2010) to conduct CRAs for the same reasons outlined above.

Kenya’s own Bribery Act (2016), which criminalises the giving and receiving of bribes, states that private entities commit an offence simply when they fail to prevent bribery (which failure the Act defines as occurring when a person associated with the entity bribes another person). Further, the Act prescribes that individuals found guilty of violations under the act who are directors in a company be disqualified from holding the position of director in that or any other company in Kenya for a period of not more than 10 years. These are far-reaching consequences, and it is only prudent for companies to conduct corruption risk assessments and mitigate against the risks so identified.

Conducting risk audits

So who should conduct such assessments? Chief risk officers need to devote time and attention to the effective conduct of CRAs.

The internal audit department may also conduct these assessments. Often though, organisations can benefit from having an independent and objective adviser with experience of having conducted such reviews across a broad spectrum of organisations and/or of having investigated corruption itself.

This approach lends itself to a more thorough and impartial identification of risks and a dispassionate development of effective mitigations.

Hitherto, it appears that the EACC’s methods of dealing with corruption have been mostly reactive, rather than proactive or preventive.

In this sense, EACC’s 2018/19 guidelines are a welcome step in the direction of corruption prevention. It is hoped that MDAs will comply with the guidelines, and that the private sector will borrow a leaf from this forward-thinking approach.