Disclosure LibraryPractitioner guidance for every reporting disclosure
Home Disclosure Library GRI GRI 205 GRI 205-1
GRI 205: Anti-corruption · 2016
Disclosure GRI 205-1

Operations assessed for risks related to corruption

Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official GRI source.

Dr Ross Kurinko, GRI Certified Trainer
Reviewed by Dr Ross Kurinko · GRI Certified Trainer LRA educational guidance · Not issued or endorsed by GRI
To prepare this disclosure
Disclosure focus

This disclosure asks an organisation to explain how much of its business has been checked for corruption risk. In practice, it is about the scope of the assessment: which parts of the organisation, which locations, and which activities were reviewed, and whether that review covers the whole business or only selected areas.

The practical focus is on coverage and completeness rather than on describing anti-corruption policies in general. A useful response makes clear the proportion of operations assessed, any parts left out, and why those exclusions existed, so readers can judge how representative the risk review is across the organisation.

This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official GRI source.

Before you start

A quick mental checklist before you prepare this disclosure — tick each as you settle it.

Preparation

Key datapoints to prepare

Datapoint What to capture Evidence hint Owner
Operations reviewed The total number of operations that were included in the corruption risk review for the reporting period, using the same operation list and scope as the underlying assessment. Risk assessment register, scope list, internal audit or compliance review papers, and any consolidation schedule showing the final count. Risk / Compliance
Operations coverage rate The share of operations covered by the corruption risk review, calculated from the same assessed-operation count and the total operation population for the period. Risk assessment summary, population denominator from operations inventory or management reporting, and the calculation sheet used to derive the percentage. Risk / Compliance
Corruption risk findings The significant corruption-related risks identified by the assessment, described in plain business terms and aligned to the final risk register or assessment output. Completed risk assessment, risk register, workshop notes, and sign-off papers showing the final set of material findings. Risk / Compliance
+ Show GRI 205-1 sub-elements (LRA working checklist)

How to prepare it

1Set the reporting boundary first: list the operations you will include in this corruption-risk review, and make sure the same scope is used for both the count and the percentage.
2Agree what qualifies as an assessed operation before you start counting. Use one clear internal rule so the total number and the share of operations are built from the same population.
3Gather the source records that show the review was carried out, such as risk assessment outputs, internal registers, or other supporting files that let you verify each operation included in the scope.
4Prepare the reported figures and narrative together. State the total number of operations reviewed, calculate the percentage of the full scope, and describe the main corruption-related risks found through the assessment.
5Record any exclusions, scope changes, or reclassifications that affect the figures. Explain why an operation was left out or moved, so a reviewer can follow how the final numbers were built.
6Check the draft against the source evidence and the official reporting guidance before sign-off. Confirm the figures, wording, and scope all match the underlying records and that nothing material has been omitted.
Request the data

Request the corruption risk assessment results

Translate the disclosure into an internal business question — then adapt it to your organisation's own language.

Which parts of the business have been checked for corruption risk, what share of the total does that cover, and what material corruption risks came out of the review?

Use your organisation’s own terms first, then map them to the reporting line. For example, if you talk about sites, branches, entities, business units, markets or contracts internally, use those labels in the request and in the returned table before translating them into the reporting view. This is a possible LRA training template; adapt this to your organisation and check the official source before sign-off.

Weak request

Please provide the GRI 205-1 data for operations assessed for risks related to corruption, including the total number, percentage, and significant risks.

Why it fails: It uses framework language that may not match how the business tracks the work, and it does not tell the owner which internal population, source, or naming convention to use. That makes it harder to return a clean, auditable dataset.

Better request

Please send the latest corruption risk review summary for [period] using your own labels for sites, branches, entities or other units. Include the total in-scope population, the number reviewed, the percentage covered, any material corruption risks found, and the source reference for each line.

Formal email template
Subject: Data request for corruption risk review coverage

Hi [name],

Could you please send over the latest summary of the business areas reviewed for corruption risk for [period]?

Please use your own internal labels for the units covered, then include a short mapping if needed. We need:
- the total number of in-scope units reviewed;
- the total number of in-scope units in the population used for the calculation;
- the percentage reviewed;
- any material corruption risks identified in the review;
- the source or file reference for each item.

If you have more than one source, please note which one is the primary basis and any exclusions.

This is a possible LRA training template; adapt this to your organisation and check the official source before sign-off.

Thanks,
[preparer name]
Short Teams / Slack version
Hi [name] — could you share the latest corruption risk review summary for [period]? Please use your internal unit names, plus a quick mapping if needed. We need the count reviewed, the total in scope, the % covered, any material risks found, and the source link/file. Thanks.
Industry examples
Manufacturing

Context. A group with factories, warehouses and sales offices tracks risk reviews by site and legal entity.

Adapted request. Please share the corruption risk review summary for [period] across factories, warehouses and sales offices. Use your site and entity names, then add a mapping if needed. Include the total in scope, the number reviewed, the coverage percentage, any material corruption risks, and the source file or register ID.

Example response. Example synthetic response: 12 sites in scope; 9 reviewed; 75% coverage; material risks identified at 3 sites, mainly around customs brokers, gifts and hospitality, and local agent use; source references: RR-2025-01 to RR-2025-09.

Financial services

Context. A bank or insurer reviews branches, business lines and high-risk customer channels through a central risk register.

Adapted request. Please provide the corruption risk review summary for [period] across branches, business lines and high-risk channels. Use your internal channel and unit names first, then map them if needed. Include the total population, the number reviewed, the percentage covered, any material corruption risks identified, and the risk register reference.

Example response. Example synthetic response: 20 business units in scope; 18 reviewed; 90% coverage; material risks identified in 4 units, mainly around third-party introducers, public-sector clients, and cash-intensive customer activity; source reference: CRR-2025-Q4 register.

Draft your disclosure

Notes that turn data into a disclosure

LRA training templates — adapt them to your organisation, and check the official source before sign-off.

Method note

Explain which parts of the business were included in the corruption-risk review, how you counted each operation, and what you mean by a significant risk in your own assessment process.

Context note

Set out what the figures show about the reach of the review and the main corruption-related exposures found, so readers can see how broad the assessment was and where the key concerns sit.

Fluctuation statement

If the numbers moved materially from the prior period, note whether that was driven by changes in the number of operations reviewed, a wider or narrower review scope, or a different set of risks being identified.

Content index entry
GRI 205-1 Operations assessed for risks related to corruption — [location / page] / [notes]
Download Centre

Preparation tools & forms

Professional preparation tools for GRI 205-1 — free with an LRA Community membership. Register once (it's free) and every download unlocks, together with the Disclosure Library, templates and the LRA AI-assistant.

Free · Community members
Assurance readiness

For each claim, check the evidence

ClaimRiskEvidence to check
We counted the sites and business units we actually reviewed for corruption exposure, and we can show how that count was built up from the underlying population.An assurer will probe whether the count is complete, whether any sites were left out without a clear reason, and whether the same population was used consistently across the figure and any related narrative.Population list used for the review; inclusion and exclusion rules; working papers showing the count build-up; management sign-off on the final number; reconciliation to the source register or entity list.
We calculated the coverage percentage from the reviewed population against the full set of relevant operations, and the numerator and denominator can be traced back to source records.An assurer will check whether the percentage is mathematically correct, whether the denominator is the right one, and whether any rounding or late changes altered the result.Calculation sheet with formulae; source population records; evidence for any exclusions; rounding policy; version history showing any late updates; reviewer sign-off before publication.
We identified the material corruption exposures through a documented risk review, and we kept the supporting notes that explain why those issues were treated as significant.An assurer will test whether the risk review was actually performed, whether the identified issues are supported by evidence, and whether the wording overstates what the review found.Risk assessment methodology; completed risk registers or assessment templates; meeting notes or workshop outputs; supporting incident, audit, legal or control evidence; management review and approval records.
Before we published the figure, we checked the source data, challenged any unusual movements, and confirmed the final version matched the approved working papers.An assurer will look for weak data controls, unexplained changes between drafts, and a mismatch between the published figure and the underlying evidence pack.Pre-publication review checklist; data validation checks; variance analysis or reasonableness checks; draft-to-final change log; evidence of approval by the responsible owner; archived final pack.
We can show that the disclosed scope, calculations and conclusions were reviewed together, so the published statement reflects the same basis throughout.An assurer will probe for internal inconsistency between scope, numbers and narrative, and whether the final disclosure was assembled from different versions or assumptions.Cross-check of disclosure text against the calculation file and scope memo; version-controlled draft set; internal review comments and responses; final approval record; evidence that all referenced figures tie back to the same reporting basis.

Evidence pack to prepare

Common reporting gaps

A percentage is stated without the underlying counts (numerator and denominator).The denominator — what the figure is a share of — is not explained.Partial scope is reported as if it were complete coverage.One-off activities are counted as if they were ongoing programmes.Boundary or period changes that move the figure are not flagged.Exclusions from the reported scope are not listed or explained.
Common gaps

Mistakes to avoid when collecting the data

Wrong owner, wrong source
The request goes to the compliance team or another central function, even though the assessment evidence sits with local managers, risk owners, or the people who ran the review.
Using framework language instead of business terms
The data call asks for the disclosure label rather than the organisation’s own names for sites, units, branches, or other parts of the business, so teams cannot tell what to include.
No clear boundary for what counts
The collector does not define which parts of the business are in scope, so some teams include every location while others only report the areas they personally manage.
Wrong period or cut-off basis
Different teams pull figures from different dates or review cycles, so the count and percentage do not reflect the same reporting window.
Mixing different counting bases
One source reports individual sites while another reports business units, and the numbers are combined even though they are not measured on the same basis.
Losing the original source labels
The team copies figures into a summary sheet but drops the source names, file references, or local identifiers that show where each assessed operation came from.
Combining populations that should stay separate
Operations that were reviewed under different methods, regions, or risk processes are merged into one pool, which hides how the assessment was actually carried out.
Missing evidence trail and sign-off
The dataset is saved without the underlying files, date stamps, or reviewer approval, so no one can later show how the figures were built or checked.

Where judgement is often needed

Set the reporting perimeter after acquisitions and disposals
Use the same cut-off date and group boundary you use for the rest of the report, then explain whether newly bought, sold, or closed sites are included in the count and percentage for the period.
Handle different local meanings of corruption risk consistently
Where country teams use different risk labels or control frameworks, map them back to one internal definition for this disclosure and note any local differences in how sites were judged.
Decide how to treat sites on the edge of scope
Be explicit about whether branches, joint arrangements, dormant entities, or very small locations are counted when they are operationally relevant to your risk review, and explain the rule you applied.
Choose the basis for the percentage and keep it stable
State clearly what the percentage is measured against, use the same denominator across the period, and explain any change in the basis so readers can compare like with like.
Separate completed reviews from planned reviews
Count only locations that have actually been reviewed in the period, and if you use estimates or a staged roll-out, say which figures are measured and which are projected.
Explain how you treated partial or combined reviews
If one review covered several sites, or one site was covered within a wider business review, describe how you allocated the result to the count so the total is not overstated.
Round numbers without distorting the picture
Apply one rounding rule across the disclosure, check that the rounded count and percentage still reconcile, and note any material effect from rounding.
Aggregate sensitive findings before sharing
If naming a site would create confidentiality or safety issues, group the result at a higher level, but still disclose the number of locations reviewed and summarise the significant corruption-related risks found.
Keep the risk list aligned to the review period
Report the significant corruption risks identified from the assessment carried out for the period, and explain if a risk was carried forward from an earlier review rather than newly found.
Examples

Illustrative examples

Synthetic, written by LRA — not from a company report, not text from any standard.

Illustrative (synthetic) example — Consumer goods manufacturing

We reviewed all 24 sites in scope for corruption exposure, which is 100% of our operations. That review found two locations with significant corruption risk, both in higher-risk procurement and customs activities.

Synthetic illustration only. Shows how to report the number of sites reviewed, the share covered, and whether any material corruption risks were found.

Illustrative breakdown of operations reviewed for corruption exposure (sites)
Reviewed and found no significant corruption risk22
Reviewed and found significant corruption risk2
Illustrative (synthetic) example — Transport and logistics

We assessed 15 of our 20 operating units for corruption exposure, equal to 75% coverage. One unit was flagged with a significant corruption risk, linked to third-party contracting and border-clearance activity.

Synthetic illustration only. Shows partial coverage, the proportion reviewed, and the count of significant issues identified.

Illustrative breakdown of operating units reviewed for corruption exposure (units)
Reviewed and found no significant corruption risk14
Reviewed and found significant corruption risk1
Company reports

How companies report GRI 205-1

Real reports where this topic is disclosed. These are report practice, not exact disclosure templates to copy.

Aguas Andinas S.A.
Water Utilities · Chile · 2025
Open report →
Aguas Andinas S.A.’s 2025 Integrated Report includes coverage of operations assessed for risks related to corruption, as noted on page 283, and provides narrative details on risks and opportunities on page 91. However, the report does not include a percentage value for operations assessed for corruption risk. The narrative on page 91 offers some description of risks and opportunities but lacks specific quantified data related to the disclosure.
SD Guthrie formerly Sime Darby Plantation
Food Production — Agricultural · Malaysia · 2024
Open report →
SD Guthrie's Sustainability Report 2024 shows that 100% of its operations were assessed for corruption-related risks, with specific references to this assessment found on pages 6, 27, 29, and 31. The report also notes confirmed incidents of corruption and actions taken, with details mentioned on page 31. However, the report does not provide detailed quantitative data on the number of incidents or the outcomes of actions taken beyond these mentions, and the narrative on risk management is general without extensive elaboration on anti-corruption measures (p.2).
Hankook Tire & Technology
Tires · South Korea · 2025
Open report →
Hankook Tire & Technology's ESG Report 2024-25 provides coverage on operations assessed for risks related to corruption, with specific reference to pages 27-28 and a summary on page 79. The report also addresses risks concerning child labor and forced or compulsory labor in operations and suppliers, as noted on page 53 and referenced on page 78. However, the report does not provide any percentage values related to these risks, leaving quantitative measures unclear.
✓ LRA AI Assistant · Human-in-the-loop
Dr Ross Kurinko
Ask Study Studio AI assistant about this disclosure
Get a practical answer for your reporting context. Your first answer is free — create a free account to continue the conversation.
TryHow do I prepare GRI 205-1?What data do I need to collect?Where can I see a real-report example?What mistakes should I avoid?
1 free answer
Check your understanding

Scenarios to work through

A group has 12 operating sites. The risk team has completed corruption-risk reviews for 9 sites, and the remaining 3 are scheduled for next quarter.

QShould you report the count and share of sites already reviewed, or wait until every site has been covered?
Reveal model answer →

A business unit was screened for bribery exposure using a desktop review only, while another unit had a full workshop and interview process. Both were included in the risk register, but the evidence file does not show how each review was carried out.

QCan you include both units in the disclosure as assessed, or do you need to check whether the review method was sufficient to count them?
Reveal model answer →

A preparer has the total number of assessed operations and the percentage, but the risk team also identified two major exposure areas: customs-facing activities in one region and third-party agent use in another. The draft leaves these out because they are qualitative.

QShould the identified exposure areas be reported alongside the numbers, or can the disclosure stop at the count and percentage?
Reveal model answer →

A company has 20 operations in total. It assessed 14 during the year, but 4 of those 14 were reassessed after a control failure, and the team is unsure whether to count the reassessments again.

QHow should you treat repeat reviews when working out the total number and percentage of operations assessed?
Reveal model answer →
Framework references

Related framework references

How this disclosure maps across the major reporting frameworks.

GRI
GRI 205-1
within GRI 205: Anti-corruption
Open official source →
Primary
Related & explore
FAQ

Questions this page answers

For GRI 205-1, what data do I need to gather before I start drafting the disclosure?+
How do I work out the operations coverage rate for GRI 205-1 on this page?+
What counts as a corruption risk finding for the GRI 205-1 page, and how should I record it?+
Who should own the GRI 205-1 data collection and sign-off in practice?+
What should I put in the evidence pack for GRI 205-1 so it is assurance-ready?+
What are the five assurance claims I need to verify for GRI 205-1?+
What are the most common mistakes people make when reporting GRI 205-1 on this page?+
How do I use the Prep & Assurance workbook for GRI 205-1?+
What can I use the printable Library Card PDF for when drafting GRI 205-1?+
How do I turn the GRI 205-1 data into a draft disclosure on this page?+
Can I reuse the same GRI 205-1 data for ESRS G1 Business Conduct?+
More questions this page can help with
GRI 205-1 anti-corruption: what should I prepare before drafting the disclosure?GRI 205-1 operations reviewed and coverage rate: how should I document them?GRI 205-1 corruption risk findings: what evidence should I keep?GRI 205-1 assurance-ready evidence pack: what goes in it?GRI 205-1 common reporting gaps: what should I check before sign-off?GRI 205-1 workbook download: how do I use the prep and assurance file?GRI 205-1 library card PDF: what is it for?GRI 205-1 draft output: how do I write the narrative starter and content index line?GRI 205-1 anti-corruption disclosure: how do I assign ownership between ESG, HR and data owners?GRI 205-1 assurance claims: how do I test claim, risk and evidence before review?GRI 205-1 and ESRS G1 Business Conduct: can I reuse the same underlying data?GRI 205-1 from company reports: how can I use the linked examples without copying them?