Risk versus uncertainty
The first problem that most people encounter is that they are not always clear on what they mean by “risk”. A useful guide to thinking about what a risk looks like is to define a risk as something that may happen that you can quantify. Anything which is not calculable remains a pure uncertainty. This matches Donald Rumsfeld’s ideas of risks being “known unknowns” and uncertainties being “unknown unknowns”. The “unknown unknowns” by definition are not events which you can predict or manage so can only be dealt with on a wider scale by corporate management creating an organisation resilient enough to handle a variety of future shocks. Known risks, on the other hand, can be mitigated, managed or avoided – which is often squarely the role of compliance.
Third party risks
In the world of third parties, the two primary risks that corporations face are:
- the risk that one of their partners will breach laws or codes whilst acting on their behalf
- the risk that they don’t know enough about their partners, including who they are and whether they have already committed any acts that they should know about.
The second risk is relatively simple to manage by asking questions of your partners and conducting due diligence. These types of activities are necessary for managing part of your risk, but they should not be considered sufficient since they don’t help greatly with the first risk. The problem is that the first risk is far harder to manage because there is no way that you can predict the future.
Methodologies to predict risks
There are a number of methods which claim to help predict the future – anything from pure guesswork through to reading tea leaves. Of those there are only a few which have any rigour or substance to them. A regularly-used method is statistical sampling, which involves asking questions of a small group and extrapolating to a wider population. This is used widely to predict elections and is seen in some of the methods used by Transparency International to create the commonly-quoted Corruption Perceptions Index. The main problems with these types of predictions are that they are usually subject to a number of inherent biases (such as the choice of sample, the sample size and the questions chosen), they always contain margins of error (expressed as a percentage plus or minus), and they often are no more accurate than random chance.
There is also another method of prediction that had fallen out of favour but is now becoming more widely used: that of the Reverend Thomas Bayes. Bayesian probability is a method of mixing both old and new information to slowly progress towards a “truth”. In the case of the risk of a third party paying a bribe, the logic would be to start with your current opinion of the likelihood of the partner paying a bribe, then review any new information you have about the third party (possibly from a questionnaire or due diligence). This review will include two questions. Firstly, given the new information, what do you think the chance is that the third party will pay a bribe? Secondly, what is the chance that they won’t? Based on both of those chances you can conclude a new probability of that partner paying a bribe.
The primary benefit of a Bayesian approach over other methods is that it inherently understands that the prediction changes with the addition of knowledge (either general knowledge or knowledge specific to the partner). It also neatly accounts for the differences between the same information about different partners: for example, knowing that a partner is owned by a political official in China has less impact on your overall rating of that partner than knowing the same information about a partner in the United States, although the risk of the Chinese partner is likely to be higher for other reasons.
The formula used for Bayes’ method is relatively simple, but does require data in order to input the various prior probabilities and understand the impact of new knowledge. Detailed information about third party bribery is hard to find because it is uncommon (in relation to the total number of partners and transactions) and generally confidential. Benchmarking and the sharing of anonymous information can help, as can expert knowledge of the field. “Big data”-type approaches of comparing transactions where bribery is known to have occurred against transactions where it is not known whether bribery occurred can be useful, but these approaches depend very much on identifying the correct criteria and spotting the signal rather than the noise (i.e. looking across the factors which are common to all cases of bribery and trying to filter out those aspects that are there purely by chance and those that are also present in the wider set of transactions).
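The update described above, as an added worked example that is not part of the article: the two questions in the text become the two likelihoods (how likely the new information is if the partner would pay a bribe, and how likely it is if they would not), and Bayes' rule combines them with the prior. All priors and likelihoods are constructed for illustration; they show the same finding moving the rating of a partner in China less than that of a partner in the United States while the Chinese partner's absolute risk stays higher, plus what a rating of 10% means across 100 similar partners.

```python
from fractions import Fraction


def bayes_update(prior, p_evidence_if_bribe, p_evidence_if_clean):
    """P(bribe | evidence) from the current belief and two likelihoods:
    how likely this evidence is if the partner would pay a bribe, and how
    likely it is if they would not."""
    joint_bribe = prior * p_evidence_if_bribe
    joint_clean = (1 - prior) * p_evidence_if_clean
    return joint_bribe / (joint_bribe + joint_clean)


def update_sequentially(prior, findings):
    """Fold several due-diligence findings into the belief one at a time.
    Assumes the findings are conditionally independent given bribe / no
    bribe (a simplifying assumption of this example, not the article's)."""
    belief = prior
    for p_if_bribe, p_if_clean in findings:
        belief = bayes_update(belief, p_if_bribe, p_if_clean)
    return belief


def expected_corrupt(posteriors):
    """Expected corrupt partners in a portfolio: how many, never which ones."""
    return sum(posteriors)


# Constructed, illustrative numbers only. The same finding ("partner is
# owned by a political official") has a different likelihood ratio in each
# country, and each country starts from a different base rate (prior).
PARTNERS = {
    # name: (prior, P(finding | bribe), P(finding | no bribe))
    "china_partner": (Fraction(15, 100), Fraction(60, 100), Fraction(40, 100)),
    "us_partner": (Fraction(2, 100), Fraction(50, 100), Fraction(5, 100)),
}


def rate_partner(name):
    """Return (prior, posterior, impact) for one partner after the finding."""
    prior, p_if_bribe, p_if_clean = PARTNERS[name]
    posterior = bayes_update(prior, p_if_bribe, p_if_clean)
    return prior, posterior, posterior - prior


if __name__ == "__main__":
    for name in PARTNERS:
        prior, post, impact = rate_partner(name)
        print(f"{name}: {float(prior):.3f} -> {float(post):.3f} ({float(impact):+.3f})")
    # 100 similar partners each rated at 10%: expect 10 corrupt, but not which 10.
    print("expected corrupt:", float(expected_corrupt([Fraction(1, 10)] * 100)))
```

With these numbers the finding lifts the Chinese partner from 15% to about 21% and the US partner from 2% to about 17%: a smaller impact in China, but a higher overall risk.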
What is your risk model?
Knowledge of how certain factors impact risk and of which criteria are relevant can be gained by building a model of how and why bribery occurs. While it is generally not the role of a lawyer to understand the socioeconomic reasons for a crime (other than in mitigation of sentencing), it is important for a compliance officer to consider them in the context of how to avoid them in the future. Understanding what causes people to pay bribes can help with both establishing a model of how to predict bribery and with the creation of programmes to prevent any bribery occurring (such as training, registers of conflicts etc.).
Once you have gathered enough information and applied it to your model of how bribery occurs, your next task is to communicate and act on the predictions. The problems here come in three main forms. Firstly, there is an issue with clearly describing the probability you have found. If you state that there is a ten percent chance of a partner paying a bribe many people will interpret that as a “low chance” and ignore it, as people often struggle to differentiate between the true meanings of “10%”, “1%” or “0.1%” in this context. Secondly, ten percent means that if you have 100 similar partners, ten out of those 100 will be corrupt. Is your business able to cope with such a result, or would that also be ignored? Finally, how do you know which ten of the 100 are corrupt, since you would surely be asked to take action?
So what have we learned about managing third party risks? Firstly, due diligence is necessary, but not sufficient, as it only covers the historical aspect of the risk. Modelling can help with predicting risk, but only if you have an accurate model and sufficient data. Finally, understand that the future is unknowable, so it is therefore wise to assume the worst and use your resources to put in place measures to reduce both the likelihood (controls) and the impact (monitoring).
About the author:
Andrew Henderson, Director of Solutions, The Red Flag Group, has been involved in the development and implementation of compliance risk assessments, developing compliance programmes for multinational companies and conducting due diligence background screening.