GRI 205 Anti-Corruption
GRI 205 covers anti-corruption policies, risk assessment, training coverage, and confirmed incidents of corruption. As anti-corruption enforcement intensifies globally and CSRD ESRS G1 creates mandatory disclosure, GRI 205 remains the most widely used voluntary anti-corruption disclosure framework.
The three GRI 205 disclosures
205-1 Operations assessed for risks related to corruption: Total number and percentage of operations assessed for corruption-related risks; significant risks identified through the risk assessment. The anti-corruption risk assessment should cover: geographies (high-corruption-risk countries using Transparency International CPI); business activities (procurement, sales, government relations, M&A, third-party agents); and business relationships (joint ventures, distributors, agents in high-risk markets).
205-2 Communication and training about anti-corruption policies and procedures: Total number and percentage of governance body members, employees, and business partners who have received anti-corruption training; breakdown by region; percentage of governance body members and employees covered by the organisation's anti-corruption policies.
205-3 Confirmed incidents of corruption and actions taken: Total number of confirmed incidents of corruption; nature of incidents (public officials, business-to-business); actions taken (disciplinary, legal, contract termination); and public cases and their outcomes.
The progression from 205-1 (risk assessment) through 205-2 (training and communication) to 205-3 (outcomes) tells the complete anti-corruption programme story — from risk identification through controls to performance.
GRI 205 vs ESRS G1 — the detailed comparison
GRI 205 and ESRS G1 cover the same anti-corruption ground with slightly different framing and granularity.
GRI 205-1 (risk assessment) → ESRS G1-3 (prevention and detection): Both require disclosure of how corruption risks are identified and assessed. GRI 205-1 focuses on operations assessed; ESRS G1-3 focuses on the due diligence process for corruption prevention including internal controls.
GRI 205-2 (training) → ESRS G1-3 (training coverage): Both require training coverage metrics. GRI 205-2 additionally requires breakdown by region and separate disclosure for business partners (agents, distributors) — ESRS G1-3 is less granular on geographic breakdown.
GRI 205-3 (confirmed incidents) → ESRS G1-4 (incidents): Both require confirmed incident counts and status. GRI 205-3 additionally categorises incidents by type (public officials vs business-to-business) — useful for assessing bribery risk profile.
For CSRD companies also using GRI: collect ESRS G1 anti-corruption data first, then extract GRI 205 disclosures from the same dataset. The main addition for GRI 205 is the geographic breakdown for training (205-2) and the public official vs business-to-business categorisation for incidents (205-3).
Designing an assurance-ready anti-corruption programme
GRI 205 and ESRS G1 disclosures are meaningless without a genuine anti-corruption programme behind them. Assurers verify that the programme exists and that the metrics are accurate.
Risk assessment (205-1): Conduct a formal anti-corruption risk assessment at least annually — scoring operations by geography and activity for corruption risk. Use the Transparency International Corruption Perceptions Index, TRACE Matrix, and FCPA Resource Guide as references. Document the assessment, including how high-risk operations are identified and what enhanced controls apply.
Policy and code of conduct (205-2): The anti-corruption policy must be: written; board-approved; specific (not just general ethical principles); communicated to all employees and relevant business partners; and reviewed annually. Policy coverage must be quantified: percentage of employees covered and percentage of business partners with a contractual commitment to comply.
Training (205-2): Training completion records must be maintained in an LMS or HR system that can produce a training completion report by employee category and geography. Training content must specifically address anti-corruption, not just general ethics, and should include realistic scenario-based content. Provide annual refresher training for all in-scope staff.
Incident recording (205-3): All corruption allegations must be investigated and the outcome documented. The incident register must track: allegation type, investigation date, conclusion (substantiated/unsubstantiated), action taken, and case status. 'Substantiated' means the investigation found sufficient evidence to confirm the allegation; it does not apply to every allegation received.
Frequently asked questions
Do we include corruption incidents involving our suppliers in GRI 205-3?
GRI 205-3 covers confirmed incidents involving the organisation — its employees, governance body members, and agents acting on its behalf. Corruption incidents at supplier companies that are independent entities are not typically included in 205-3. Supplier corruption incidents may be relevant to GRI 414 (Supplier Social Assessment) or ESRS S2 if they constitute adverse human rights or governance impacts in the value chain.
How do we handle ongoing criminal investigations in GRI 205-3?
Disclose the number of confirmed incidents and note that some are subject to ongoing legal proceedings. Do not provide case-specific details for matters sub judice. The existence of ongoing investigations is itself a disclosure — stating zero confirmed incidents when investigations are ongoing is misleading. Legal review is essential before publishing any 205-3 narrative involving active proceedings.
What percentage of anti-corruption training coverage is considered adequate?
No minimum percentage is prescribed by GRI or ESRS. Best practice targets 100% of employees in roles with external financial authority (procurement, sales, government affairs, M&A) and 100% of all management-level employees. 100% of all employees is aspirational for large organisations but increasingly expected. Partial coverage below 80% without clear justification will attract assurer and investor scrutiny.