Mining giant Glencore’s 2023 bribery fine was one of the largest ever: £281 million for bribery in five African countries. The investigation uncovered text messages, large cash withdrawals, and deliberately concealed payments showing that Glencore paid bribes worth $29 million to secure access to oil. Company employees even flew to South Sudan with $800,000 in cash stuffed into briefcases to pay officials. From recording millions of dollars as ‘office expenses’ to chartering planes to ferry bribes, just how did Glencore fail to prevent bribery on an industrial scale?
How did the case come to light?
These corrupt actions were not the work of a few bad apples. Nor did Glencore discover the wrongdoing itself and self-report. Authorities were only able to bring a prosecution because a single trader in charge of Glencore’s West Africa desk confessed. He admitted bribing foreign officials, and lifted the lid on the wrongdoing.
“The scope of this criminal bribery scheme is staggering,” said US Attorney Damian Williams. “Glencore paid bribes to secure oil contracts. Glencore paid bribes to avoid government audits. Glencore bribed judges to make lawsuits disappear. At bottom, Glencore paid bribes to make money – hundreds of millions of dollars. And it did so with the approval, and even encouragement, of its top executives.”
What Glencore did wrong
The company’s guilty plea followed a decade of entrenched misconduct, where bribery and corruption were embedded in how business got done. The list of red flags reads like a compliance horror story:
- Sham contracts and fake invoices masked illicit payments.
- Cash withdrawals and vague expense categories like “office costs” were used to move bribe money.
- Executives signed off on bribes, including hand-delivering briefcases of cash to officials.
- Compliance was treated as an afterthought, with no meaningful oversight or enforcement in high-risk markets.
- Whistleblowing mechanisms were ineffective, and concerns went nowhere.
Perhaps most damningly, compliance risks were not taken seriously at a structural level. Risk assessments were either poorly done or not done at all. The company failed to assess the inherent risks of doing business in high-corruption jurisdictions, and had no systematic process to evaluate or document whether controls were in place to mitigate those risks.
By the time prosecutors caught on, the damage was staggering: over $100 million in bribes paid, dozens of compromised officials, and hundreds of millions of dollars in ill-gotten gains.
This wasn’t a case of a good compliance programme that failed to catch a few bad actors. It was a case of no meaningful compliance culture at all. Leadership failed to set the tone, local teams operated with impunity, and internal checks were practically non-existent.
While Glencore has since taken extensive steps to rebuild, the scandal reveals what happens when a business treats risk assessments and compliance frameworks as box-ticking exercises, rather than operational necessities.
What businesses can learn: Building better risk assessments
The Glencore scandal is a stark reminder: risk assessments aren’t a box-ticking exercise. They’re the foundation of any serious compliance effort. A failure to understand and address corruption risks, especially in high-risk jurisdictions, can lead to catastrophic legal, financial, and reputational consequences.
So, what does a fit-for-purpose risk assessment actually look like in practice?
1. Establish a dedicated risk team
Glencore now has a standalone Risk Assessment and Monitoring team within its Corporate Compliance function. While most organisations don’t need this level of infrastructure, every business should assign clear responsibility for risk assessments—either to a dedicated individual or team with authority and resources.
2. Integrate local insights
Centralised registers are vital, but they won’t spot every local nuance. Glencore’s model involves regional compliance officers conducting their own assessments and feeding that back into a central system. Businesses should emulate this “top-down and bottom-up” approach, ensuring that frontline teams are consulted regularly and their insights recorded.
3. Link risks directly to controls
A robust assessment process should identify existing controls, analyse their effectiveness, and document gaps. Controls should be classified, assigned to owners, and regularly tested. Importantly, companies should calculate residual risk: the exposure that remains after controls are applied.
4. Standardise risk scoring
Glencore now uses “pre-designated” consequences to stop regional offices downplaying the impact of certain risks. This is a smart way to reduce subjectivity and enforce consistency across different regions or departments.
5. Use technology to manage the process
The company maintains a global system where all risk assessments are documented, monitored, and updated. This kind of central platform doesn’t need to be bespoke—plenty of compliance tools, including VinciWorks’ own risk management software, can help businesses log assessments, assign owners, and track mitigation.
6. Review and refresh regularly
Risks evolve, and so must your assessments. Glencore now requires regional teams to review and re-certify their assessments annually. Businesses should do the same, especially in sectors or geographies with elevated risk.
7. Escalate lessons to the top
Compliance leaders must have visibility across the whole organisation. Glencore’s central team now aggregates regional insights, audit results, and hotline data to develop a holistic view. This enables faster response to emerging threats and helps ensure the board has a realistic understanding of compliance risk.