This section forms part of GIACC’s overall guidance on Risk Assessment and Due Diligence  It examines project corruption risk assessments.

See the following separate web-pages for guidance on other categories of risk assessment.

• Organisation Corruption Risk Assessment
• Country Corruption Risk Assessment
• Business Associate Corruption Risk Assessment

These project corruption risk assessments can be stand-alone assessments, or can be a sub-section of, or be incorporated into, the Organisation Corruption Risk Assessment.

There is no specific model of risk assessment which must be used.  The organisation should create an assessment model which best suits its purposes.

(1) Reason for Project Corruption Risk Assessments

The corruption risk may be considerably higher for an organisation on some projects than on others.  The project corruption risk is normally influenced by a combination of factors:

• The country in which the project is being undertaken.  The corruption risk is likely be higher when the project is located in a higher risk country than in a lower risk country (for example, in a higher risk country, demands for bribes to win contracts or to obtain government approvals and permits may be frequently encountered).
• The nature of the organisation’s work and services on the project.  The risk may be at the lower end of the spectrum where the organisation is undertaking services in respect of which it is easier to control the corruption risk (e.g. supply of equipment ex-works, or design services), or where the services in the project country will not involve any interface with potentially corrupt officials.  The risk may be at the higher end of the spectrum if the organisation is undertaking significant on-site work, and/or interacting with government officials.
• The nature of its business associates.  The risk is likely to be at the lower end of the spectrum if the organisation is working for a client with a good ethical reputation and with good controls, and is only appointing a few business associates with limited scopes of work and good ethical reputations.  The risk is likely to be at the higher end of the spectrum if the organisation is working for a client with a poor ethical reputation and poor controls, and is appointing agents, joint venture partners, or sub-contractors of poor or unknown ethical standards.

Therefore, even if the project is located in a high corruption risk country, the actual risk faced by the organisation may be low if it is undertaking no in-country work, or is working with a client and other business associates of high ethical integrity and strong controls.

The corruption risks on some projects may be so severe that the organisation determines that it is unable to work on that project as it cannot be reasonably satisfied that it will be able to avoid corruption in its business dealings on that project. 

Therefore, before working on a project, management needs to be satisfied, after making reasonable and proportionate enquiries and giving the issue reasonable and proportionate consideration, that the risk of corruption posed by the project appears to be sufficiently low that it is reasonable to allow the organisation to work on that project.

(2) How to undertake Project Corruption Risk Assessments

If the organisation’s projects are reasonably routine and are repeated, so that the organisation will encounter similar corruption risks on all its projects, then the organisation may take account of these risks as part of its overall assessment of project risk in the Organisation Corruption Risk Assessment without needing to undertake separate project corruption risk assessments.

However, if an organisation enters into projects which due to their size, nature or location may pose different types of corruption risk according to the project, and if these risks are more than a low level, then it may be advantageous to the organisation to undertake separate Project Corruption Risk Assessments for each such project.  It may be possible to group together projects by category into the same assessment.  An overall summary of the results of these specific project assessments can then be consolidated into the Organisation Corruption Risk Assessment.

Examples of the types of project-specific risk which the organisation could examine include the following.  Note that the following format is a suggested method only.  The organisation should adapt, expand and/or merge the categories according to its own requirements.

(2.1) Country risks

• If a separate Country Corruption Risk Assessment has dealt with these issues, then a brief summary with a cross reference to the country assessment can be made to avoid duplication.
• Appropriate due diligence should be undertaken on the country unless the organisation is familiar with working in that country.  The due diligence would be designed to identify and enable risk assessment of the following issues:
  • Is the organisation or any business associate likely to encounter demands for facilitation payments in relation to the project (e.g. to obtain visas, work permits, customs clearance)?  If so, in what circumstances?  How easy is it to resist these demands?
  • Is the organisation or any business associate likely to encounter demands for payments with accompanying threats in relation to the project (e.g. from police road blocks, or gangs on site?  If so, in what circumstances?  How easy is it to resist these demands?
  • Has the organisation had any specific corruption issue before in this country?  What were the circumstances?  How was it resolved?
  • Does the country have any specific laws which need to be taken account of which are wider in effect than the organisation’s home country laws (e.g. duty to report corruption, prohibition on entertainment of public officials).

(2.2) Project risks

• Is there any indication that the activity or project may be illegal or may involve a corrupt purpose?  For example, are there any indications that approvals for the project (such as planning, environmental, building approval etc.) have been obtained illegally?  Suspicious indicators could include:
  • A large commercial building being built in a residential area.
  • A road being built which seems disproportionate in scale to its purpose or the area it is serving.
  • An industrial plant being built in an area which is unusually far from the core resources needed for its production, of from good transport links.
  • Rumours in the market or in the press.

These unusual indicators do not necessarily mean that there is illegality or corruption.  The road or industrial plant may be being built in that location and to that specification as part of a regional growth plan, or the planning zones may be being changed as part of planning policy.  However, they can also indicate projects which are being illegally or corruptly built.

It may be difficult for the organisation to satisfy itself about the project’s legality, and the lower the organisation in the contractual chain, and the smaller the organisation’s scope of work, the more difficult it may be to find out any information of this nature.  It is suggested that:

• • If the organisation is playing a fundamental part in the activity or project (e.g. it is financing the project, or is the main contractor which is building it, or is the lead consultant which is designing it) then there is an obligation on the organisation to undertake reasonable enquiries so as to ascertain the legality of the project.  It could require to see copies of the relevant permits etc. for the project, and should satisfy itself as to their legality.
  • If the organisation is lower down the contractual chain (e.g. a sub-contractor or supplier), then it is unlikely to have the contractual power or status to be able to find out such information.  In this case it is suggested that the organisation should take reasonable steps to satisfy itself that nothing is obviously suspicious about the project.  If there are some obvious suspicions, it should make further enquiries of the organisation immediately above it in the contractual chain, and should be cautious about proceeding unless it can be reasonably satisfied.
• Define the scope of work of the organisation, and identify which aspects of this scope can lead to a higher or lower corruption risk.  For example:
  • supply of equipment FOB should have a lower risk of corruption in transportation and customs clearance than delivery to site;
  • provision of design services undertaken at home office should have a lower corruption risk than project management services provided on site.

(2.3) Business associate risks

• If a separate Business Associate Corruption Risk Assessment has  dealt with these issues, then a brief summary with a cross reference to the other assessments can be made to avoid duplication.
• In the following guidance, GIACC has suggested differentiating the business associates into three different categories:
  • the risk vertically up the contractual chain (with the client)
  • the risk horizontally across the contractual chain (e.g. with joint venture or consortium partners)
  • the risk vertically down the contractual chain (e.g. with sub-contractor, suppliers, consultants, agents, distributors and sales intermediaries).

(2.4) Client risks

• Appropriate due diligence should be undertaken on any client which is not already well-known to the organisation and which poses more than a low corruption risk to the organisation.  This should as far as reasonable be designed to ascertain:
  • What is the ethical reputation of the client? 
  • Does the client have anti-corruption controls in place in relation to the procurement and project management process?
• Are there any specific corruption risks which the client poses which need to be specifically addressed by any controls which are additional to the organisation’s standard controls?
• Does the organisation believe that it can win the project award from the client without corruption?
• Does the organisation believe that it can receive project approvals and payments from the client (work done, quality, variations, extension of time etc.) without corruption?

(2.5) Joint venture /consortium partner risk (if applicable)

• Appropriate due diligence should be undertaken on any joint venture / consortium partner which is not already well-known to the organisation.  This should as far as reasonable be designed to ascertain:
  •  What is the ethical reputation of the joint venture partner? 
  • Does the joint venture partner have anti-corruption controls in place which are equivalent to the organisation’s controls?  If not, what improvements are required to reasonably satisfy the organisation that the joint venture partner’s controls are adequate?
• Are there any specific corruption risks which the joint venture partner poses which need to be specifically addressed by any controls which are additional to the organisation’s standard controls
• Does the organisation believe that the joint venture partner will not participate in any corruption in relation to the project?

(2.6) Sub-contractor / supplier / consultant / agent / distributor / sales intermediary risk (if applicable)

• List in this section all sub-contractors, suppliers, consultants, agents, distributor, sales intermediaries which the organisation intends to work with on the project, and which pose more than a low corruption risk to the organisation. (See analysis in Business Associate Risk Assessments in relation to risk-grading of business associates into low, medium and high risk.)  If necessary, answer the following questions separately for each listed business associate (unless they can be appropriately dealt with in groups).
• Appropriate due diligence should be undertaken on all these business associates which are not already well-known to the organisation and which fall into the more than low risk category.  (Note:  this may have been undertaken as part of the organisation’s routine pre-appointment procedures for business associates.)  This should as far as reasonable be designed to ascertain:
  • What is the ethical reputation of these business associates? 
  • Do these business associates have anti-corruption controls in place which are adequate to mitigate the corruption risks faced by the organisation as a result of working with these business associates.  If not, what improvements, if any, can be reasonably required?
• Is the organisation reasonably confident that any payments to be made by the organisation to any business associate in relation to the project will constitute reasonable payment for legitimate services?  (i.e. that the payments are reasonable market rate, and not inflated to an extent that they could constitute or conceal corrupt payments)?
• Was any business associate recommended by a government official or a client representative?  If yes, is the organisation reasonably confident that this recommendation was not for a corrupt purpose
• Has the due diligence revealed any connection between a) any business associate, or the owners/managers of the business associate, and b) any government officials or representatives of the client, and/or c) any of the organisation’s personnel?  If there is a connection, is the organisation reasonably confident that this connection is legitimate and will not lead to any corruption?
• Are there any specific corruption risks which these business associates pose which need to be specifically addressed by any controls which are additional to the organisation’s standard controls?
• Does the organisation believe that these business associates will not participate in any corruption in relation to the project?

(2.7) Personnel risks

• Have all the organisation’s personnel working in relation to the project who could face more than a low corruption risk as a result of their roles:
  • been appropriately vetted by the organisation;
  • received and signed the organisation’s anti-corruption policy
  • declared any potential conflict of interest;
  • received anti-corruption training appropriate to their roles?
• Are there any specific corruption risks which personnel pose which need to be specifically addressed by any controls which are additional to the organisation’s standard controls?
• Does the organisation believe that personnel will not participate in any corruption in relation to the project?

(2.8) Any corruption risk not dealt with in above sections

• Is there any specific corruption risk has not been covered in above sections?  If so, identify it and recommend how to deal with it.

(2.9) Conclusion to risk assessment

• Taking into account the issues raised in this risk assessment, if the organisation properly follows its anti-corruption procedures, is the risk of corruption believed to be sufficiently low that it is reasonable for the organisation to proceed or continue with the project?

(3) Outcome of the Project Corruption Risk Assessment

The overall outcome of the project corruption risk assessment process should be that the organisation has implemented a reasonable and proportionate process for assessing whether, taking into account its own controls, and other relevant factors in relation to the project, the risk of corruption in relation to the project appears to be sufficiently low that it is reasonable for the organisation to proceed or continue with the project.

(4) When to undertake Project Corruption Risk Assessments

The Project Corruption Risk Assessment should be undertaken prior to the organisation committing to proceed with the project.  The risk assessment should be repeated:

• annually for any project which spans more than one year from contract award; and
• in the event that any material change in the nature of the project’s risk becomes evident.

(5) Documenting the Project Corruption Risk Assessments and related due diligence

The project corruption risk assessments and related due diligence need to be documented.  They do not need to be documented in full detail (i.e. spreadsheets, summaries, bullet points and cross references to other documents can be used).  However, it should be in sufficient detail that a third party reading the risk assessment will understand the risks and assessments made.  For example:  if the manager writing the risk assessment leaves the organisation, will the replacement manager understand the assessment;  or, if there is a criminal investigation into the project, is the risk assessment sufficiently clear that the investigators will understand that the organisation did undertake a reasonable and proportionate assessment

(6) Other categories of risk assessment

See the following separate web-pages for guidance on other categories of risk assessment.

• Organisation Corruption Risk Assessment
• Country Corruption Risk Assessment
• Business Associate Corruption Risk Assessment

Return to main Risk Assessment and Due Diligence page.