Thailand: Second Fundamental Element of Internal Control Measures under the National Anti-corruption Commission (NACC)’s Guidelines

In brief

In our previous article (link), we analyzed the first fundamental element under the NACC’s guidelines, which is “the companies’ internal control measures should be strong, visible policies and supported by top-level management to prevent bribery.” In this article, we will discuss the second fundamental element under the NACC’s guidelines, which is “the risk assessment to effectively identify and evaluate exposure to bribery.

Companies deal with government officials in different ways. Therefore, companies’ internal control measures may vary as a result of their specific characteristics in terms of size, organization, type, and nature of business operation. There is no one-size-fits-all for internal control measures.

Types of risk assessment that companies should take into consideration include both external and internal factors. Risks arising from external factors are, for example, companies’ business activities with government officials while those arising from internal factors may include a lack of cooperation from top-level management or a lack of communication or training on anti-bribery. If the assessment of risks of bribery covers both external and internal factors, companies will be able to prepare appropriate preventive measures or remedies for problems that may arise. However, companies should continue to revisit their control measures risk assessment from time-to-time in response to changes in the economic climate, business expansions or government projects.

Methods of risk assessment may consist of the following:

1. Plan preparation: The role of top-level management, at this stage, is to allocate human resources to be responsible for carrying out the risk assessments. The responsible persons can therefore plan appropriately for the risk assessment, e.g. determine the sources of information, templates for storing information or method of risk assessment, whether risks are high, medium or low.
2. Collection and analysis: Companies can collect information from outside and inside, e.g. report from internal examination, expense account, whistleblowing, case precedents, workshops, interviews or surveys of relevant persons.
3. Risk assessment: Bribery may take many different forms. Risk assessment may be grouped to identify risk factors, such as tender for government contracts, and to identify risk, such as facilitating payment.
4. Risk level assessment: This is the assessment of the potential risk of bribery. The assessment may be compared with case precedents or the consequences of the potential risk, such as the legal and reputational risks.
5. Collection of existing control measures and remaining risk assessment: This is to consider existing control measures to determine whether their efficiency is high, medium or low, and how much risk still exists in the remaining company activities.
6. Use information of risk assessment to arrange appropriate control measures and report: When companies know the remaining risks, companies should consider whether the control measures need to be updated and which parts should be developed first or later.

In the following article, we will examine the third principle of the fundamental elements, which is “enhanced and detailed measures for high-risk and vulnerable areas.”