Internal to External: A Change in Approach to Risk Management

Global Fraud and Risk Report 2021/22 - Bribery and Corruption Risk

John le Carré once wrote, “There’s only one thing worse than change and that’s the status quo.” Just because a business has seen success with internal audits and enterprise-wide risk assessments, it doesn’t mean it should simply rest on its laurels and consider its risk management strategy a job well done. While internal departmental structures and processes may experience slow, tectonic-like shifts, the external environment is far more turbulent.

That’s why connecting the dots between internal controls and external scrutiny is crucial; because they move at different speeds, their integration has to be well nurtured and properly cultivated. Kroll’s own research suggests that nearly half (46%) of all organizations surveyed put lack of visibility over third parties as their number one vulnerability when it comes to managing bribery and corruption risk. With the best will in the world, this cannot be fixed by continually looking inward. These days, businesses need to see the wood and the trees; in other words, they need to have a tight grasp of their internal data as well as the ability to zoom out to the external environment.

The Unfortunate COVID-19 Catalyst

The pandemic is continually mentioned alongside the word “unprecedented,” but there are few words better able to describe its impact on businesses and the global economy. As demand for digital goods and services skyrocketed, the opportunities for bad actors to peddle their unethical practices also boomed. The Organisation for Economic Cooperation and Development (OECD) even put out an official warning in 2020 about the escalating risks of bribery and corruption specifically related to the pandemic.[1] Dramatic shifts in supply chains, digital migration and customs controls were all cited as potential avenues of exploitation.

The pandemic has also put organizations under intense financial pressure, particularly those that had to close their doors or limit their service due to lockdown restrictions. Nobody can blame these businesses for putting preservation above all else, but with incidents of bribery and corruption regrettably on the rise, survival can come at a devastatingly high cost. If organizations felt they had a blind spot for third-party suppliers before the pandemic, they now probably feel like they’re fighting a losing battle. This signals all the more reason to equip themselves to tackle corruption early and fend it off at the gates–but how?

Stepping Outside of the Box

Thanks to cloud transformation and digitalization, supply chains are now more like entangled webs that are near-impossible to map and analyze. Nevertheless, the mantra “a chain is only as strong as its weakest link” holds firm and true. If businesses are to curb the ever-increasing threat of bribery and corruption, they must look beyond internal blanket control functions and off-the-shelf solutions.

To do so, businesses need board-level engagement, robust internal control frameworks tailored by department and the application of data-driven analytics to assess and identify risks as they emerge. This is only possible if a business is able to step outside of its own environment and close the gap between internal policies and external developments. It’s one thing to run internal controls and clamp down on unethical practices within an organization, but if a business doesn’t keep one eye on external threats it runs the risk of becoming complacent and set in its ways. This is difficult, but not insurmountable.

Beyond Compliance

Part of the problem here is that for too long businesses have gotten used to simply “getting by” on their current tools and processes to stay on the right side of a rapidly transforming compliance landscape. When regulations appear to change with the wind and new compliance obligations sprout up every month, any business could be forgiven for just doing what they have to do to keep up. That might be possible internally to a degree, but what about external risks? How can a business take ownership over risks that would otherwise be out of its control in order to mitigate them and improve its defensive posture?

Well, it can start by educating third parties. It’s a soft touch, and one that benefits both parties equally. If a business can pass on some of its wisdom to one of its long-term suppliers through training or “meeting the team” sessions, for example, that supplier will become less vulnerable, making it a stronger link in the chain. As a backup to this approach, businesses should also seek a “right to audit” clause in any supplier, distributor or third-party contract. This will at least give businesses some kind of jurisdiction over their supply chain should a risk or potential threat emerge, otherwise every third party becomes a blind spot during an assessment. An organization could also run local public records and social media reviews to get an indication of possible external risks that might impact third parties in their business chain, or take steps to understand their suppliers’ culture.   

Cultural Cues

While often underrated and undervalued, company culture should be front and center of any strategy to curb bribery and corruption risk. Cultivating a culture of education, transparency and openness within a business and extending that to third parties where possible will give businesses an incredibly strong foundation on which to build out their future efforts. This will almost certainly involve some level of investment when it comes to communicating and instilling the company message throughout an organization. Some businesses may even choose to create sector-specific stakeholder groups that can work together in order to build the company message and spread it far and wide.

Given respondents’ concerns about third-party risk, these cultural checks may need to extend outside the organization. Businesses are increasingly conducting a culture check on a target company as part of an acquisition process or similar transaction to look for issues which might be hidden from public view.

This extends far beyond the “tone from the top” approach that businesses are used to taking internally. Instead, values and their accompanying messaging need to be formed on the ground with people that frequently represent the business and engage with third parties, and those third parties also need to be engaged and influenced. Only then will businesses be able to see an organic shift in culture and communication that in turn creates a “hostile environment” for bribery and corruption. 


Connect with us

Tom Everett Heath
Global Head of Forensic Investigations and Intelligence
Forensic Investigations and Intelligence

Zoë Newman
Regional Managing Director, EMEA and Global Co-Head of the Financial Investigations Practice
Forensic Investigations and Intelligence

Howard Cooper
Managing Director and Global Co-Head of the Financial Investigations Practice
Forensic Investigations and Intelligence

Tadashi Kageyama
Regional Managing Director, Asia-Pacific
Forensic Investigations and Intelligence

Richard M. Plansky
Regional Managing Director, North America
Forensic Investigations and Intelligence
New York

