Since the Isle of Man Bribery Act (the "Act") came into force in mid-December 2013, we have been talking to an increasing number of clients about what is required to demonstrate 'adequate procedures' – the only defence to the corporate offence of failing to prevent bribery. The conversation usually starts with a request to write or review an anti-bribery policy with often the additional question of what limit should be set for gifts and entertainment to be recorded in the gifts register. When we enquire about whether a risk assessment has been done to underpin any policy, the answer is often in the negative and so, one must then wonder about how effective a high level policy would be to mitigate the actual risks that businesses face.

An anti-bribery policy can only be the end result of a risk assessment process. Furthermore it will only be meaningful and effective if it is based on the actual risks of bribery and corruption that have been identified during the risk assessment through a detailed analysis of the business and any counterparties. In some businesses, this does not have to be a complex process, but failure to carry out this risk assessment could bring serious consequences.

Principle Three of the guidance to the Act issued for consultation by the Department of Home Affairs makes clear the level of risk assessment which is anticipated for compliance purposes. An Isle of Man entity is expected to look both internally and externally to identify potential risk areas and to consider what mitigants, if any, might already be in place to manage these risks.

The five areas of external risk which a compliant business is expected to consider are country risk, sectoral risk, business opportunity risk, transactional risk and business partnership risk.

Country risk will encompass the countries in which the business has customers but it also needs to consider the countries in which counterparts operate (intermediaries, introducers, agents etc) as well as any countries which form part of the business' expansion plans. What a business is trying to identify here is whether it interacts with any countries where the risk of bribery and corruption is higher in order that appropriate procedures and controls can be put in place to mitigate these risks. Transparency International is a useful source of information on the risk of bribery and corruption in countries and this body publishes a range of indices which can assist.

Sectoral risk is about the sectors that the business is involved in and whether these attract a higher risk of bribery and corruption. Sectors such as the extraction industries, shipping, construction and major project works are considered to be amongst those with higher risks and again, Transparency International has published a wealth of information to assist businesses in this regard.

Transactional risk is about whether the business is involved with transactions which might carry a higher risk of bribery and corruption. Perhaps the business is known for its charitable contributions and work in the community – could a charitable contribution be a front for a payment of a bribe to a contractor who is involved in a particular charity and who will award the business to you if a donation is made? Is the business involved in applying for or indeed granting licences or permits which could lead to bribes being paid or requested for the necessary permissions to be granted – a particular risk if the country risk analysis has identified that the business is present in countries where bribery and corruption is rife.

Business opportunity risk requires analysis of how the business wins new work. If there is involvement in tendering, public procurement or layers of intermediaries and agents, the risk of bribes being requested or offered in order that new work is won could be higher. This risk area is closely connected with business partnership risk where the involvement of any political officials or those with influence should be examined to see if additional risks arise.

One might assume that bribery and corruption risk is something which exists purely outside of your business but there are a range of internal risks which also need to be examined.

A policy can often inform employees about what must be done, but a key risk area is whether a staff member has the requisite knowledge and skills to recognise bribery and corruption if it is happening in their area of the business. This risk will significantly increase if that staff member is in a country in which bribery and corruption is an integral part of the culture.

In today's economic environment, stretching targets and the lure of large bonuses for achieving them could increase the risk that a staff member is willing to circumvent any anti-bribery policy in order to win a lucrative piece of business. It is imperative, therefore, that in addressing 'adequate procedures', Isle of Man businesses examine remuneration structures and incentive packages to consider whether they are aligned with the organisation's anti-bribery and other ethics policies.

The area of gifts and corporate hospitality needs to be assessed in order to determine what controls a business needs to put in place to mitigate the risk that these could be used for the wrong purpose. The guidance on the Act makes clear that the intention is not to stop these important business development tools, but rather the emphasis is on ensuring that consideration is given to them in the light of the anti-bribery requirements. Would it be better to entertain a potential client in advance of winning business from them or after they have chosen to do business with you based on a transparent tender process?

Expenditure on gifts and hospitality needs to be backed up by strong financial controls so that expense claims have to be substantiated, petty cash has to be recorded and books and records have to properly reflect the nature of all payments made. Any internal risk assessment must consider the strength of these financial controls across the business in order to identify any areas where bribery may go unnoticed or unrecorded.

The very last internal risk area that is cited in the guidance is the lack of a clear anti-bribery message or policy from the senior management of the business. Without such a policy, employees and counterparts may not understand the importance that the business places on anti-bribery and corruption. It is clear though that to make this policy effective and for it to make sense to those to which it applies, it has to be specific to the risks that the business faces. 'Adequate procedures' will stem from this risk assessment and the anti-bribery policy, which will be at the centre of these procedures, can only be the end result of a well thought out and documented risk assessment process.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.