10. Risk management
This chapter provides a commentary on the principle of risk management contained within the OECD Recommendation of the Council on Public Integrity. From both the government-wide and institutional perspectives, the chapter explores how public sector organisations can tailor policies and practices to effectively manage integrity risks, conduct risk assessments and sustain a control environment that safeguards public integrity. It also emphasises the need for coherent procedures to respond to potential fraud or corruption, including protocols for reporting, follow-up and investigations. The chapter also considers the critical role of internal audit functions in relation to managers in government, focusing on their added value of providing independent, objective assurance for effective internal control and integrity risk management. The chapter highlights key challenges and leading practices, such as articulating value-driven internal control policies, conducting periodic risk assessments that link to objectives, and creating feedback loops to monitor and evaluate activities.
In public sector organisations, having an internal control system and risk management framework in place is essential for any public integrity strategy. Effective internal control and risk management policies and processes reduce the vulnerability of public sector organisations to fraud and corruption, while ensuring that governments are operating optimally to deliver programmes that benefit citizens. Furthermore, these policies and processes help to ensure value for money and facilitate decision making. Firmly established, they help governments balance an enforcement-focused model with more preventive, risk-based approaches.
Internal control and risk management cover a range of measures to prevent, detect and respond to fraud and corruption. These include policies, practices and procedures that guide management and staff to fulfil their roles in safeguarding integrity by adequately assessing risks and developing risk-based controls. Mechanisms for responding to cases of corruption and breaches of integrity standards are equally critical for an integrated internal control system.
In light of this, the OECD Recommendation on Public Integrity calls on adherents to “apply an internal control and risk management framework to safeguard integrity in public sector organisations, in particular through:
a. ensuring a control environment with clear objectives that demonstrate managers’ commitment to public integrity and public-service values, and that provides a reasonable level of assurance of an organisation’s efficiency, performance and compliance with laws and practices;
b. ensuring a strategic approach to risk management that includes assessing risks to public integrity, addressing control weaknesses (including building warning signals into critical processes) as well as establishing an efficient monitoring and quality assurance mechanism for the risk management system;
c. ensuring control mechanisms are coherent and include clear procedures for responding to credible suspicions of violations of laws and regulations, and facilitating reporting to the competent authorities without fear of reprisal” (OECD, 2017[1]).
Internal control and risk management support public sector organisations in achieving a wide range of policy goals and objectives. The principle on risk management focuses on aspects of internal control and risk management in the context of preserving integrity and combating corruption in the public sector. Governments must ultimately tailor their approach to their respective legal, regulatory and cultural contexts. This involves embedding integrity objectives into existing internal control and risk management policies and practices. It also entails adapting international standards and concepts for internal control and risk management to local realities and the public sector, including standards and guidance produced by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the International Organization for Standardization, the Institute of Internal Auditors (e.g. the “Three Lines of Defence” model) and the International Organization of Supreme Audit Institutions (INTOSAI).
An internal control system is an integrated component of a public sector organisation’s operations. From the perspective of public integrity, internal control and risk management consist of the policies, processes and actions for managing risks of fraud, corruption and abuse (hereafter collectively referred to as integrity risks). The following are critical components of an internal control system designed to safeguard integrity:
an effective control environment1 and integrity risk management.
a tailored approach to risk management and assessing integrity risks.
monitoring and evaluation of integrity risk management.
coherent and responsive procedures within the internal control and risk management framework.
an internal audit function that provides independent, objective assurance and advice to strengthen internal control and integrity risk management.
These components rely on a range of actors at the government-wide, institutional and individual levels for effective implementation. For instance, standard-setters for public sector organisations can ensure that government-wide internal control and risk management policies are coherent and harmonised, as discussed below. At an institutional level, internal control and risk management policies and processes provide reasonable assurance to management that the organisation is achieving its integrity objectives and managing its risks effectively. The components of internal control and risk management are also present on an individual level: many standards call for public officials’ personal commitment to integrity and adherence to codes of conduct.
10.2.1. An effective control environment and integrity risk management
In public sector organisations, the control environment serves a wide range of financial, budgetary and performance objectives. It consists of a set of internal control standards, processes, and structures across an entity (Committee of Sponsoring Organizations of the Treadway Commission, 2013[2]). Beyond ensuring compliance with legislation, standards and other requirements, the control environment and the processes it comprises contribute to good governance and help public sector organisations deliver results to citizens in an effective and efficient manner. In the context of the principle on risk management, the control environment reflects the objectives, policies and people that help to institutionalise a system of integrity, ethical decision making and risk management.
Government-wide considerations for an integrity-driven control environment
A variety of public sector organisations share responsibility for government-wide implementation of internal control and risk management. These organisations include the centre of government (CoG), audit institutions, central harmonisation units, and anti-corruption bodies. In particular, they: 1) set and harmonise internal control standards and policies, 2) provide guidance and tools, 3) evaluate government-wide efforts to safeguard integrity, and 4) co-ordinate and standardise practices for reporting and responding to suspected integrity breaches for the public sector as a whole. For instance, in the United States the supreme audit institution, the Government Accountability Office (GAO), leads the standard-setting process for internal control and risk management in collaboration with a council of experts, and publishes the Standards for Internal Control in the Federal Government (U.S. Government Accountability Office, 2014[3]) as well as a framework of leading practices for fraud risk management in government (U.S. Government Accountability Office, 2015[4]). The Office of Management and Budget (OMB) complements the work of the GAO with policies and guidance for implementation. This includes a document (OMB Circular No. A-123) that describes management’s responsibility and requirements related to internal control and risk management in the federal government, with an explicit reference to assessing fraud risks (U.S. Office of Management of Budget (OMB), 2016[5]). In France, all public entities (state administrations, local authorities, public institutions and semi-public companies) are legally required to carry out risk assessments, regardless of their size. As such, public entities must list all the processes related to their activities, such as recruitment and public procurement, and assess the associated integrity risks (Box 10.1).
Two fundamental principles of public internal control standards among European Member States are: 1) public internal control is based on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the International Organization of Supreme Audit Institutions (INTOSAI), and 2) every Member Country should have a function within government of co-ordination and harmonisation of internal control and audit for all public entities. Therefore, even though there are a variety of internal control systems in the Member States, they all have a government organisation playing the role of central internal control harmonisation.
In addition, Member States and their public institutions share consistent standards derived from the same international internal control and risk management practices. The standards have explicit provisions concerning internal control and risk management against fraud in the management of EU funds.
Source: (European Commission, 2015[6]).
Lack of clarity from the central level about how to institutionalise internal control and risk management can lead to a perception that the integrity objectives, and the internal control and risk management activities that support them, are separate from other strategic and operational objectives. The CoG, as well as other bodies with government-wide responsibilities, can play a critical role in helping public sector organisations to overcome this challenge by providing unified standards, policies and guidance. They can also help raise awareness about the value of internal control and risk management for decision making and achieving organisational goals.
Institutional and individual considerations for an integrity-driven control environment
Personnel at all levels of the organisation have roles and responsibilities in managing fraud and corruption risks (Committee of Sponsoring Organizations of the Treadway Commission, 2016[7]). This can be recognised in organisational policies, procedures and guidance for internal control and risk management, or may be articulated as a stand-alone integrity policy. Whether articulated across different policies or within a stand-alone integrity policy, such policies should not serve as a checklist to comply with minimum standards. They should be comprehensive and tailored to each organisation, with relevance to current and emerging integrity risks. Essential elements of policies to promote an effective control environment within public sector organisations can include:
reference to the values and principles of integrity as well as standards of personal conduct that underpin the organisation, and to what they mean in practice
statement of the organisation’s anti-fraud and anti-corruption objectives, with explicit linkage to how internal control and risk management activities serve these objectives
description of the alignment between integrity objectives and the organisation’s other policies and tools (i.e. code of conduct, code of ethics)
definition of fraud and corruption, with illustrative examples of actions that are deemed corrupt or fraudulent
identification of staff to whom the policy applies, taking into consideration temporary staff and volunteers
clearly defined roles and responsibilities for internal control and risk management related to fraud, corruption, waste and abuse
communication to employees on how to report suspected wrongdoing, the internal and reporting channels available to them, and the procedures to be followed
identification of enforcement measures, and description of how suspected forms of wrongdoing will be investigated.
Management has the primary responsibility of creating and maintaining a control environment that emphasises integrity and sets a positive tone. Moreover, high-level commitment helps raise awareness of integrity risks and helps to improve implementation of control activities. Management can include the leaders or groups of individuals (e.g. boards or committees) responsible for the design, implementation and monitoring of internal control and risk management policies and practices. Moreover, management should demonstrate its individual commitment to integrity (for more, see Chapters 1 and 6). Through codes of conduct and codes of ethics, management can communicate its expectations concerning integrity conduct, as well as the organisational values that enable individuals to personally demonstrate ethical behaviour. These codes define the basic standards of behaviour for public officials, and can be the basis for management to evaluate adherence to ethics codes and enforce them through disciplinary measures if needed (for more, see Chapter 4).
Some public sector organisations designate an entity for managing integrity risks. The dedicated entity could be a committee, a team or an individual, depending on needs. For instance, in some organisations, the entity is a committee that helps to oversee, co-ordinate, monitor and evaluate risk management activities across the organisation. In other cases, organisations nominate integrity risk managers, or establish task forces that are responsible for delivering on integrity objectives within the control environment. The mandate and size of the organisation (including the number of programmes and employees and the resources) and the complexity of risks help to determine if a dedicated entity would be beneficial. Regardless of the approach, it is essential that the entity or function has direct reporting lines to senior management, given the latter’s overall responsibility for integrity risk management.
10.2.2. A tailored approach to risk management and assessing integrity risks
Tailoring involves adapting risk management activities to the unique conditions of a public sector organisation, and implementing risk assessments and controls that are fit for purpose. Integrity risks vary by sectors and organisations, and therefore it is critical that public sector organisations calibrate their guidance, tools and approaches to their specific objectives, environment and contexts. This is crucial given that many of the standards for internal control and risk management that governments have adapted were originally developed with the private sector in mind. The CoG, line ministries and individuals responsible for risk management all play a role in this tailoring process, which is reflected below in discussions from both the government-wide and institutional perspective.
Targeted government-wide support for integrity risk management and assessments
Targeted guidance and tools can support governments in orienting their internal control and risk management activities towards integrity risks, by linking those activities with broader programmatic goals. They can also support communication strategies that ensure that internal control and risk management go beyond financial control and compliance checks. For example, in 2010 the Treasury Board Secretariat in Canada developed a Framework for the Management of Risk to guide deputy heads of government departments in implementing risk management practices across all levels of their organisation. The French Anti-Corruption Agency (AFA) has published guidelines to help public and private legal entities meet certain anti-corruption and integrity requirements, including carrying out risk assessments. AFA has also developed specialised technical guides, for example for officials in charge of public procurement. In addition to these general guidelines, AFA provides tailored support to public or private actors wishing to streamline their integrity risk management procedures. Sector-specific guidance, focusing on high-risk areas like procurement or health, along with relevant co-ordination mechanisms and reporting tools, can help to overcome capacity gaps (Box 10.2).
In Estonia, the government’s 2013-2020 Anti-Corruption Strategy recognises shortcomings in domain-specific corruption prevention and risk mitigation, and provides actions to remedy these challenges. It stipulates that the ministry responsible for the specific area in question (e.g. health or the environment) should also be responsible for implementing subject-specific corruption prevention measures. To target high-risk areas, the government of Estonia established domain-specific anti-corruption networks. Each ministry has a corruption prevention co-ordinator who is meant to manage the implementation of the anti-corruption policy in the relevant ministry and its area of government. The co-ordinators form the anti-corruption network – the network convenes annually around four to five times. The network also includes representatives from police, civil society, parliament, the state audit office and other stakeholders who are invited, depending on the topic chosen. There is also a network of healthcare authorities to discuss developments in their respective areas, as well as issues to resolve.
Source: (Estonian Ministry of Justice, 2013[8]).
Institutional integrity risk management and assessments
The policies, processes and tools for carrying out integrity risk assessments will vary by organisation and depend on its size, the volume of investment it receives, and whether the organisation functions within a high-risk sector (i.e. health, infrastructure). For instance, a public sector organisation may carry out a stand-alone assessment of integrity risks or incorporate integrity objectives into its organisation-wide risk assessments to promote efficiency. Nonetheless, risk management policies and assessment processes share similar features across organisations. Risk management policies should be linked to objectives and include, among other things, descriptions of proposed risk treatments, resource requirements, responsibilities, performance measures and reporting and monitoring requirements (Crime and Corruption Commission, 2018[9]). Moreover, as described below, risk management and assessments generally involve a multi-step, iterative process of establishing the context, assessing and treating risks, and ensuring ongoing monitoring, communication and consultation (International Organization for Standardization, 2018[10]).
Establishing the context for managing integrity risks
Understanding the internal and external context is a key step for public officials when first assessing the drivers and potential impediments to achieving integrity objectives. The internal context includes – but is not limited to – strategic objectives, the governance structure, roles, employee skill sets, operational tools (e.g. data and information systems), culture and internal guidelines. The external context may include legal and policy frameworks, external stakeholders, and political, social and economic realities that underline specific types of integrity risks or response mechanisms. This context forms the basis for designing and improving policies, strategies and objectives for managing and assessing integrity risks, since neither internal nor external settings are static.
Various strategic planning tools can be useful starting points for evaluating the context and defining the scope of the risk assessment process. For instance, tools such as decision tree and “fishbone” diagrams, process and influence maps, and the “PESTLE” method (Political, Economic, Social, Technological, Legal and Environmental factors) can facilitate analysis while promoting engagement among stakeholders. Government-wide or department-level risk registers can be a useful input for establishing context, as illustrated in Box 10.3.
The Health Service Executive develops risk registers in order to manage its risks and to obtain a high-quality overview of the services’ risk status at a certain point in time. A powerful tool for risk tracking, the risk register outlines the overall system of risks and the status of risk mitigation actions.
Each line manager is responsible for developing a risk register in their area of responsibility. Once completed, the register is shared with all employees of the entity in a clear and comprehensible manner, while taking into consideration their level of training, knowledge and experience. An action plan is the critical part of a risk register. This addresses the additional controls required to reduce the risk to a satisfactory level. Supplementary controls that cannot be managed at the service level should be transferred to the next level of management.
HSE acknowledges that for various reasons, not every risk can be eliminated. Consequently, at any stage of the process it may be decided to “live with” or accept a certain level of risk. When a risk cannot be entirely eliminated, it must be recorded in the risk register along with a list of controls aiming to reduce it to an acceptable level. These risks will then be monitored on a regular basis. Four elements have been identified as prerequisites for developing a sound risk register:
1. Availability of risk expertise – Staff supporting the process need suitable training and education.
2. Use of approved support materials and tools – To ensure consistency throughout the process, a number of approved documents and tools are to be used when developing a register.
3. Commitment and ownership – Visible commitment from senior management, which can promote buy-in among stakeholders to ensure quality and sustainability.
4. Availability of site support – Administrative support is required for organising workshops and overall co-ordination.
Since risk assessments involve a dynamic process, risks and their control measures should be continuously reviewed, monitored and revised where necessary.
Source: (Irish Health Service Executive, 2018[11]).
Establishing the context also requires identifying roles and responsibilities and establishing a team for assessing integrity risks across an organisation. Although there are dedicated roles and functions within public sector organisations to address integrity risks, risk management requires the involvement of a number of actors. For instance, line managers, risk managers and internal auditors (i.e. the first, second and third lines of defence2, respectively) all play critical roles to ensure that risk management and internal control advance organisational goals and objectives.
Throughout the entire process, there should be mechanisms in place to ensure the collection of all relevant inputs and communication of findings and results. Having them, organisations can better integrate risk management into their operations and promote ownership of the risk assessment process. In Lithuania for example, the law on prevention of corruption includes a methodology for corruption risk analysis. The methodology specifies that numerous sources should be consulted when conducting the analysis, including findings from audits and staff and social surveys (OECD, 2015[12]).
The extent of integration of risk management into the organisation is another critical feature of the internal context. The policies and practices for internal control and risk management are most effective when they are part of the organisation’s overall strategy and operations in support of concrete goals and objectives. Precisely how this integration occurs will vary by organisation. However, the process can include the creation of linkages between risk management and the policies and processes for strategic planning, monitoring activities and evaluation. For instance, in the United Kingdom, HM Revenue and Customs uses its monthly Performance Report to measure progress against objectives and to identify areas of performance requiring further action. A Performance Committee, along with “Performance Hubs,” discusses relevant data and considers key risks to the achievement of goals. Specifically, they review various departments’ risk registers and integrate information and insights on risks into their evaluation of current and existing performance (National Audit Office, 2011[13]).
Identifying and analysing integrity risks
Risk assessments are iterative processes that allow an organisation to understand the enablers and barriers to its objectives, based on an analysis of inherent3 and residual4 risks. A clear linkage to objectives is key in order to guide those involved in scoping the risk assessment, and ensuring they do not overload the process and the resulting risk registers with information. Ultimately, the results of the risk assessment should be useful for decision making, and tying specific objectives to risks (as opposed to the other way round) can help organisations stay focused on the risks that matter. Corruption and fraud risk assessments can be stand-alone exercises or embedded into an organisation’s risk assessment activities, recognising the interlinkages among different risk categories, such as strategic, operational, financial, compliance and reputational risks.5
There is no universal approach for conducting integrity risk assessments, and in fact tailoring them to the needs of an organisation is key. In general, organisations can assess specific risks, risk factors6, or a combination of both. Specific risks are the relevant corruption or fraud schemes that can have an impact on organisational objectives. Assessing such risks is discussed in more detail below. Risk factors also link to objectives, but they refer to the characteristics of the organisation’s policies, procedures or activities that, when assessed and scored, can highlight high-risk areas of operations and subsequently shape priorities. For instance, the complexity of procedures can be a risk factor that can make it harder for an organisation to conduct effective oversight and prevent fraud or corruption.
Another example of a risk factor is the extent of a contractor’s reliance on subcontractors or third parties, since many governments engage contractors routinely to procure goods and services. Each risk factor can be weighted to suit the priorities of the organisation, and scored according to predetermined criteria. For example, an organisation may score the third-party reliance risk factor, as shown in Table 10.1 below. Developing criteria for other risk factors is also possible, such as budget size, extent of programme impact on stakeholders, susceptibility to fraud, or volume and type of audit recommendations received.
When assessing specific risks as opposed to risk factors, assessments commonly distinguish between inherent and residual risks. For such assessments, an organisation would first analyse inherent risks, i.e. risks assessed in the absence of control measures. For example, as an initial step, an organisation would assess the likelihood and impact of all potential fraud schemes related to employees’ use of government-issued travel or credit cards. The organisation can use numeric scores (e.g. 1 to 5) to assess likelihood and impact, or they can use classifications (e.g. low, medium and high). Both likelihood and impact scores can be linked to specific criteria to facilitate the assessment. For instance, an organisation assessing procurement risks might use contract values or frequency to measure impact and categorise very high risks (score of 5) versus very low risks (score of 1). When going through the risk assessment process, organisations would repeat this scoring process to assess residual risks.
Residual risk refers to risk exposure after applying mitigation measures. In the previous example, this would include a second phase of analysis of the identified inherent risks, including a revised determination of the likelihood and impact of fraud risks given control measures, such as procedures for limits placed on the credit cards. As discussed in the next section, the organisation would then take into account its residual risk relative to risk criteria (i.e. tolerances7), before determining whether to make changes to control activities. When analysing both inherent and residual risks, it is important that organisations avoid the common pitfall of identifying and analysing controls or consequences instead of risks that could undermine the achievement of objectives.
To support qualitative forms of risk analysis, organisations can draw from a variety of sources. Analysing audit outcomes, interviewing employees, undertaking control risk assessments and conducting Strengths, Weaknesses, Opportunities and Threats (SWOT) gap analyses are common methods for identifying potential risks. Other techniques can include consulting the country’s or the organisation’s risk register, if one exists, to identify ongoing trends or schemes that are indicative of fraudulent or corrupt activity. Moreover, risk assessments are a team effort. It can be useful to engage employees across the organisation to provide different perspectives, as well as validate the results. Managers and frontline employees – those who are directly responsible for operations or service delivery, such as a contract manager in direct contact with suppliers or a health official who interacts with beneficiaries – can have different perceptions of the likelihood and impact of risks. Frontline employees can be in a better position than managers to identify emerging risks.
Using quantitative techniques and data analytics can also help to identify potential fraud and corruption in a range of areas where governments tend to collect reliable and valid data. This includes public works projects, procurement, payroll, social services, health benefits and employment services. However, quantitative approaches can be resource-intensive, and often require specialised skills and investments in IT infrastructure, software and training. Before heavily investing in quantitative or data-driven approaches to assessing risks, institutions can consider cost-benefit analyses and opportunities to pilot new approaches.
Organisations that effectively assess risks tailor the process to their own environment and perform assessments regularly, although the frequency with which different entities conduct risk assessments will vary. Box 10.4 illustrates how authorities in the Slovak Republic undertake fraud and corruption risk analysis.
In the Slovak Republic, authorities responsible for implementing operational programmes (OP) under the ESI Funds have dedicated risk management procedures that provide the basis for risk assessment. In accordance with the procedures, risk management consists of five interconnected phases, among which risk assessment is included (see Figure 10.1). An important element of this process is the feedback loop, illustrating the iterative nature of risk assessments and continuous learning from monitoring activities.
The first phase is to identify potential risks that may negatively affect the achievement of the OP objectives; these are sorted into either a comprehensive or a selected risk catalogue. Included are fraud and corruption risks. The risks are then analysed and evaluated based on their significance and probability of occurrence using risk matrices, which help determine the overall risk level. Fraud and corruption risks with an overall risk level higher than 4 are designated by the risk assessment team as significant and critical. Subsequently, risks are sorted into their respective risk catalogues, where a shortlist is devised for critical risks. The risk management procedures for each OP set out the appropriate risk treatment following identification and assessment.
Source: Presented by representatives from the Ministry of Environment of the Slovak Republic in Bratislava, February 2019.
Risk evaluation and a strategy for mitigation
After identifying and assessing integrity risks, including inherent and residual risks, the next step is to determine whether and how to respond. This phase entails evaluating the results of the risk analysis against specific risk criteria (i.e. tolerances), and then refining the organisation’s strategy for mitigating risks. “Risk criteria” refers to the level of risk an organisation is willing to accept. In effect, tolerances are criteria that act as thresholds to facilitate decision making and ensure controls are effective and proportionate.
Managers should determine these criteria upfront before conducting risk assessments. Boards, audit committees and managerial leadership can all be involved in defining the risk criteria to ensure they are defined as objectively as possible and in line with organisational policies, regulations and objectives. “Zero tolerance” for corruption and fraud is not a useful risk criterion. Admittedly, this message can serve as a guiding principle and help to promote a risk-aware culture. However, among other unintended consequences, it can also have a chilling effect on the risk assessment process if the zero tolerance culture creates a reluctance among managers to provide candid input about perceived risks in their area of operations. Unlike zero tolerance statements, context-specific risk criteria have more practical implications for assessing and adapting control activities.
Identifying and acting on all fraud and corruption risks is unrealistic. Risk criteria should be set at a level where an organisation wants to fully understand an issue and ensure mitigation measures are in place (Fountain, 2015[15]). Risk criteria help managers decide whether to accept, avoid, reduce or share the risk. If control measures are effective in keeping the risk at or below the threshold set by the risk criteria (e.g. processes where risks of internal fraud are less than a specified financial value), then accepting the residual risk could be the most effective and resource-efficient course of action. If it is determined that control activities fail to mitigate risks to the acceptable level, then managers should either avoid, reduce or share the risk.
Avoiding the risk involves ceasing the policy or operations linked to it. For instance, an institution may decide to prohibit employees from accepting small gifts from project partners, or it might terminate its relationship with a high-risk supplier, thereby removing the risk entirely. Some risks are unavoidable, such as the risk of falsified leave claims or the risk of fraudulent applications for government services. Reducing such risks involves adapting procedures and control activities to lessen their likelihood and impact. Finally, sharing the risk is more common in the business context, but it can also occur in the public sector. It typically entails taking some action to transfer the risk to a third party, like an insurance company, that can cover losses in the event the risk materialises.
Risk matrices, risk registries or simple Excel tables can be useful tools for documenting the results of risk assessments, as well as assessing interlinkages between risks and controls. For instance, Figure 10.2 illustrates one way to categorise risk scores and communicate required actions, as well as the roles and responsibilities of risk owners. Regardless of how they are documented, it is critical that the results of risk assessments reflect the acceptable level of risk based on predetermined criteria. Heat maps8 or other tools that convey scoring of the likelihood and impact of risks without also showing the level of risk management deemed acceptable have little value for decision making or adapting mitigation measures.
Note: this is for illustrative purposes only.
Risk matrices are one of several tools for relative risk ranking. An organisation may use absolute rankings as well, whereby it prioritises risks based on their numerical scores. Whatever the approach, it is critical for organisations to be aware of the biases that can affect the risk assessment scoring process, and put in place quality control processes over the risk assessment process itself. Indeed, managers may have incentives to minimise the perception that the activities they oversee are vulnerable to corruption and fraud risks. Alternatively, they may also exaggerate the risks in order to justify more investments for control activities, tools, training and other resources. Validation processes integrated into the risk assessment can help to minimise the influence of biases.
The documentation and communication of the results of the risk assessment will vary by organisation; however, there are common considerations regardless of context. First, risk registers or similar tools can be useful for ensuring an organisation’s ability to track risks over time, improve the risk assessment process and enhance integrity strategies. Web-based dashboards that visually depict and animate risks can also be powerful tools to facilitate decision making about mitigation measures. Second, while a detailed assessment can be a useful tool for managers and auditors, in the context of integrity risk assessments it can also consolidate sensitive information about institutional vulnerabilities to fraud and corruption. As part of the risk assessment planning process, organisations can consider and clearly communicate the controls over the process itself, including policies and procedures for information security, anonymity of stakeholders and use of results. This can help increase the comfort level of those involved and promote active engagement in the risk assessment process.
10.2.3. Monitoring and evaluation of integrity risk management
The monitoring and evaluation process is a key component of an overall risk management framework that can help organisations assess policies and practices for managing integrity risks and make changes as needed. This activity can take place at the government-wide level, focusing on systemic issues, or within a public sector organisation to enhance institutional risk management.
Systemic monitoring and evaluation
Evaluating government’s standards, policies and procedures for internal control and risk management is a critical function for organisations with government-wide responsibilities. Internal and external audit institutions, anti-corruption bodies and regulatory bodies often carry out such reviews, but the lead institutions may vary by country. Independent and comprehensive external evaluations assess the critical features of internal control and risk management policies, including the extent to which standards, policies and procedures address integrity risks, and the harmonisation of policies and clarity of roles and responsibilities in the control environment for managing integrity risks. For example, the Austrian Court of Audit (ACA) undertakes audits of entities’ corruption prevention systems, which includes assessing whether or not an entity has sufficient provisions in place to mitigate integrity risks. Such reviews can highlight system-wide deficiencies, allowing the government to improve internal control and risk management frameworks through a co-ordinated government-wide approach.
Organisation-specific monitoring and feedback
Operational, regulatory, technological, and numerous other changes can influence how effective an organisation’s fraud and corruption control measures are in addressing risks. Therefore, individual internal controls, risk management activities, and the internal control system as a whole should be regularly monitored to ensure that the framework is functioning correctly and controls are optimal. In this sense, monitoring activities assist organisations in continuously improving risk management and control processes: if monitoring activities uncover deficiencies, organisational leadership can oversee the timely improvement and correction of those deficiencies (Committee of Sponsoring Organizations of the Treadway Commission, 2016[7]). In the context of public integrity, active monitoring of the internal control and risk management framework can help improve the prevention and detection of potential or suspected cases of fraud, corruption, or abuse.
In line with relevant legislation or policies, individual organisations may determine how monitoring activities are undertaken, and how frequently. Ongoing evaluations are routine processes that monitor control activities on a real-time basis, while separate assessments may be carried out periodically by internal auditors or external parties. Information gathered from risk registers about known fraud and corruption schemes and high-risk areas can inform targeted monitoring activities by applying a risk-based approach to evaluation.
Institutions should clearly outline monitoring and evaluation activities in their integrity risk management policy, including roles and responsibilities. For example, in the Netherlands the Office for the Promotion of Public Sector Integrity (BIOS), the Integrity Office of the Municipality of Amsterdam, and the Netherlands Court of Audit jointly developed the IntoSAINT. This integrity self-assessment tool enables public sector organisations to evaluate their vulnerability and resilience to integrity violations, and provides recommendations on how to improve integrity management. IntoSAINT participants select the most vulnerable processes on the basis of an inventory of the primary and support processes of the assessed organisation, identifying the most significant integrity risks within those selected. These are combined with an assessment of cultural factors – such as awareness raising and the role of management – and the adequacy of system measures, i.e. measures intended to embed and consolidate integrity policies. The results, which come in the form of a report, provide insights on how well the existing integrity system is functioning. The results can be used by entities to update their integrity policies or as a starting point for the application of other, more in-depth risk analysis measures. Recognising the functionality of this tool, Poland has developed a similar integrity self-assessment that is distributed to line ministries.
Another example demonstrates how the Fraud and Corruption Control Policy of the Department of Justice and Attorney-General (DJAG) of Queensland, Australia assigns to a Fraud Control Officer (FCO) (placed in the Corporate Governance Unit of the Department) responsibility for actively improving the Department’s fraud risk and corruption framework. The FCO chairs the Fraud Risk Operational Group, which, among other responsibilities, monitors the framework by overseeing policy reviews, audit-related issues, complaints, training and compliance, and ensures that the fraud and corruption control framework undergoes a review biennially or more frequently if required (Department of Justice and Attorney-General, 2017[16]).
10.2.4. Coherent and responsive procedures within the internal control and risk management framework
Internal control within public sector organisations should contain clear procedures for responding to suspected violations of law, of processes, or the occurrence of integrity breaches. While the action needed can vary among organisations and may depend on size, function, and governance arrangements, the government can play an essential role in co-ordinating reporting of and responses to suspected integrity breaches across public sector organisations.
Ensuring coherence in how organisations respond to integrity breaches
A central body can establish standard protocols and mechanisms for reporting and responding to suspected integrity breaches. This approach can ensure that all public sector organisations have sufficient provisions in place to respond to corruption and integrity violations within their overall integrity strategy. It also reduces duplication and minimises gaps regarding the internal control and risk management framework across public sector organisations. The CoG or another responsible body can ensure that common procedures and criteria are used so that employees across the government and the general public can report suspicions of violations without fear of reprisal. For example, the CoG may develop provisions that require public sector organisations to establish separate lines of communication, such as hotlines. Clear reporting channels and the existence of coherent reporting mechanisms are key features of an effective internal control system.
Responding to integrity breaches within an organisation
While policies and guidance provided by the CoG support coherence, they may not always reflect the institutional context of all public sector organisations. As such, clear mechanisms can support these organisations in responding to potential integrity breaches or violations of law.
A primary way potential integrity breaches or violations of law may be detected is through employees. Public sector organisations can create a culture in which employees feel safe to come forward if they know about suspected integrity breaches (for more, see Chapter 9). There should be clear internal and external reporting channels in place for public officials, and individuals should receive sufficient protection when reporting suspected corruption or fraud. Policy measures should be in place within the organisation that stipulate what procedures are to be followed in the event of an employee reporting alleged misconduct, and which options are available to them. Staff may report suspicions of breaches to their line managers, human resources personnel, the organisation’s internal audit unit, or other designated personnel. Many public sector organisations have in place hotlines to facilitate anonymous reporting. Regardless of the form, clearly communicating how to report concerns facilitates implementation of reporting mechanisms.
When suspected fraud or corruption has been identified within an organisation, processes need to be in place that will trigger an appropriate response. These processes will depend on the nature and gravity of the alleged conduct. For example, minor complaints could be dealt with by management whereas more severe cases, particularly those where the alleged conduct may constitute a criminal offence, could warrant a full investigative response. The aims of any investigation need to be clearly defined in the integrity policy, and these aims should be adhered to throughout the internal investigation. Moreover, investigations should ensure that they comply with current legislation (criminal and employment) and investigative procedures.
Once an investigation has been undertaken, the findings need to be relayed to management. Organisations must then determine the action to be taken in response to the results. If an incidence of fraud or corruption has indeed taken place, corrective actions may range from disciplinary action to criminal referral. In the case of criminal referrals, any external reporting obligations should be laid out in the organisation’s integrity policy. In addition, management may adopt a “lessons learned” approach to cases of fraud and corruption following an investigation.
10.2.5. An internal audit function that provides independent, objective assurance and advice to strengthen internal control and integrity risk management
The added value of internal audit
The internal audit function examines the adequacy and effectiveness of public sector organisations’ internal control systems, procedures, governance arrangements, risk management processes, and performance of operations (The Institute of Internal Auditors, 2016[17]). Internal audit’s role is therefore expected to extend beyond compliance-oriented, rules-based approaches to assessing controls. This contemporary view of internal audit captures the broader value that the function can add to an organisation. Internal audit can contribute not only to the achievement of financial objectives and control of resources, but also to improved decision making and risk management in support of overall strategic and operational goals.
Internal auditors in public sector organisations play an important role in providing independent, objective assessments of whether public resources are being managed effectively to achieve intended results. Their objective, value-based insights and evidence can help public sector organisations better manage and assess integrity risks. Auditors are expected to evaluate the potential for fraud and how the organisation manages fraud risk (The Institute of Internal Auditors, 2016[17]). In practice, this involves identifying integrity risk factors in the course of internal audit work and assessing whether these risks are being managed effectively, even if the public sector organisation does not have formal integrity risk management programmes in place. For example, internal auditors can red-flag high-risk areas for integrity breaches such as third-party relationships, outsourced activities or procurement. Audit recommendations to improve the control environment in these high-risk operational areas can boost the organisation’s efforts to prevent and detect fraud and corruption.
However, internal auditors are not expected to be investigators. In fact, the same standards acknowledge that while internal auditors should have sufficient knowledge to evaluate fraud risk factors and the management of fraud risks within the organisation, auditors are not required to have the knowledge or expertise to take on an investigative role. Internal audit’s role with regard to investigations of suspected integrity breaches depends on a number of factors, such as the structure of the organisation and the availability of resources. For example, the Government Internal Audit Agency (GIAA) in the United Kingdom provides a distinct service line that advises public sector organisations on anti-fraud strategies and how to investigate suspected internal or supplier fraud. This specialist service is in addition to the core internal audit and assurance activities that the GIAA provides. In its annual report for 2018-19, the GIAA indicated that the work of the anti-fraud and investigations unit led to GBP 1 million of fraud detected and a further GBP 1 million of losses prevented across the public sector organisations that commissioned its services.
Internal auditors should also evaluate the effectiveness of the organisation’s objectives and activities relating to ethics, and the processes for promoting ethics and values. This can include, for example, assessments of the effectiveness of the governance structure in fostering a culture of integrity or audits of processes for handling whistleblowing. Internal audit’s periodic, risk-based assessments of these integrity risk factors can highlight areas with greater exposure to integrity breaches, allowing management to take corrective actions promptly. The French Anti-Corruption Agency (AFA) noted in its 2018 survey on the prevention of corruption in local government that in some public sector organisations, corruption prevention activities are explicitly included in the mandate of the internal audit function.
In addition to their contributions to the evaluation of integrity risk factors, internal auditors can play a critical role by assessing whether internal controls to manage integrity risks are operating effectively and efficiently, and by identifying areas for improvement. This can take the form of auditing or evaluating the effectiveness of components of integrity risk management, such as anti-corruption or anti-bribery programmes, or evaluating how well the components are working together. Risk-based audit selection can support internal auditors in determining how best to identify risks that are the most relevant for the organisation’s objectives, and in making decisions about what to audit based on predetermined risk criteria. This approach, unlike cyclical or incident-based approaches, can help auditors avoid the pitfalls of compliance-oriented approaches and overburdening managers with audits and controls.
The results of internal audit activity can therefore support managers in aligning integrity risk management processes and controls with organisational objectives, so that these processes are helping to advance strategic goals and inform decision making. A number of free and fee-based frameworks and guidance are readily available on line to support internal auditors in evaluating integrity measures or anti-fraud programmes. In general, the frameworks and guidance provide insights for recommendations to improve both “hard” controls (i.e. policies, procedures, structure, etc.) and, increasingly, “soft” controls (e.g. culture, behaviour of management, tone at the top), all the while recognising the need for auditors to account for human behaviour, motivation and attitudes.
Internal auditors can play other critical roles to promote integrity within a public sector organisation. For instance, they can provide an independent, objective view of internal and external strategic, operational and reputational risks in order to sharpen management’s own risk assessments. In addition, the internal audit function can be an ally for management to advance a culture of integrity. This includes participation in awareness raising about risks, supporting capacity building (e.g. training and workshops), and contributing to value-based messages on integrity and good governance.
Drawing a line between internal audit and risk management
It is critical that internal auditors maintain their independence from the other so-called lines of defence, which include managers (first line) and risk managers (second line). These lines are often blurred when it comes to integrity risk management, in part because of the aforementioned standards that explicitly define a role for internal audit in assessing integrity risks. However, organisations should ensure that internal audit does not take on all responsibilities related to integrity risk management. “Second line” managers in functions such as financial control, quality assurance, compliance, and inspection units also have a key role to play. For example, advances in analytical techniques such as data mining and matching software can allow risk managers to monitor unusual financial transactions that could signal an integrity breach. Table 10.2 suggests ways to delineate the specific roles and responsibilities of internal auditors to avoid duplication or overlap with other lines of defence.
The specific role that the internal audit function will play concerning risk management, or more generally concerning prevention of fraud and corruption, is context-specific. Table 10.2 offers some guidelines relative to standards and good practices; however, in some countries the laws or policies offer few insights about the role of internal audit with such specificity, or at worst define a role that is seemingly contradictory to international standards and good practices. This can be remedied to some extent at the institutional level. The role of internal audit with regard to fraud and corruption prevention, or integrity risk management, needs to be clearly defined in policies or in relevant strategic documents and guidance, such as an audit charter. This policy document can clearly define the role of internal audit with regard to preventing and detecting fraud and corruption, including assessing the management of integrity risks, awareness raising, investigations, and reporting to senior management. As its mandate usually covers the processes and procedures of the organisation as a whole, internal audit is well placed to provide consolidated reporting on the management of integrity risks at the institutional level.
Internal audit functions in public sector organisations often have a relatively small number of staff and limited resources; co-ordination with other assurance providers on integrity risk management is therefore vital. Auditors can draw on the work of “second line” functions such as financial controllers or inspection units as well as that of supreme audit institutions, regulators and ombudsmen or equivalents that also have a role in evaluating the effectiveness of integrity risk practices. This may involve knowledge sharing on an informal basis, co-ordination on the timing of activities to minimise the impact on the area under review, or formal criteria for reliance on each other’s work. At the government level, a co-ordinated approach to reporting on integrity risk management can help to break down silos between public sector organisations, provide consistency in risk mitigation measures, and lead to better governance of integrity risks overall.
The challenges facing governments and public sector organisations differ to some degree when it comes to implementing internal control and risk management frameworks for integrity. Governments are at different stages of maturity in this respect, and therefore encounter different issues. However, there are common challenges that arise across countries. This section provides an overview of some of the difficulties that countries face, and ways they can overcome them to better safeguard integrity. The areas of focus are:
overcoming implementation gaps by moving beyond check-the-box approaches to risk management
ensuring that risk assessments and controls adapt to a changing risk environment
effectively co-ordinating with law enforcement and investigative bodies to enhance feedback loops and improve risk assessments.
10.3.1. Overcoming implementation gaps by moving beyond check-the-box approaches to risk management
A systematic approach – whereby risk management is clearly linked to organisational objectives, integrated into existing processes, and undertaken routinely – is vital for effective integrity risk governance within the public sector. This requires a strong legislative foundation accompanied by standards and policies, which provide the basis for internal control and risk management. While many countries have such provisions in place, there are often gaps in how governments and public sector organisations implement risk management processes. For example, some tend to view risk assessments as a compliance-oriented or check-the-box exercise, and as such undertake them on an ad hoc basis. Furthermore, senior management and other employees may perceive integrity risk management as a function that is beyond their role, deferring instead to internal auditors. To overcome these challenges and strengthen internal control and risk management practices across public sector entities, governments can do the following:
Assign clear responsibilities – Integrity policies can assign responsibilities for corruption risk management, or these provisions may be included in existing risk management policies as part of the control environment. In line with international standards and models (e.g. the Institute of Internal Auditors’ Three Lines of Defence), management should be responsible for identifying and managing risks, but each employee contributes to successful risk management within an entity. Alongside risk management functions, managers are responsible for the day-to-day managing of fraud and corruption risks – which includes ensuring that internal controls are in place and functioning – and more generally, for preventing and detecting fraud and corruption risks.
Increase capacity through training – Formalised, regular and ongoing training programmes enable the development of skills and capabilities regarding risk management. If resources are limited, training priorities should primarily target staff with direct responsibility for identifying and mitigating fraud and corruption risks. Trainers can use employee surveys, internationally recognised standards and consultation groups to identify training needs. Furthermore, regular training assessments help ensure that staff trainings take into consideration the particular fraud and corruption risks that occur in different entities. For more, see Chapter 8.
10.3.2. Ensuring that risk assessments and controls adapt to a changing risk environment
Systemic integrity risks can thrive in entities that do not regularly carry out assessments, as control activities may become ineffective relative to a dynamic risk environment. Corruption and fraud schemes constantly evolve, often in response to changes in controls. Moreover, in the most egregious cases, an ad hoc effort to manage and assess integrity risks may be a result of management overriding controls and detection tools. Therefore, it is critical that policies and frameworks for evaluating integrity risks stipulate assessment at regular intervals to provide a comprehensive and current picture of the organisation’s risk profile, as well as the effectiveness of controls.
Public sector organisations need to monitor and test selected controls, particularly in areas facing higher risks, to verify that they are functioning effectively and are proportionate to the risks identified. Given the fact that multiple personnel and various departments are involved in risk mitigation measures, there needs to be clear communication of how to evaluate the effectiveness of controls in the relevant procedures and guidance. The testing of control quality provides evidence of how controls mitigate risks, and should be communicated to all risk owners.
10.3.3. Effectively co-ordinating with law enforcement and investigative bodies to enhance feedback loops and improve risk assessments
Across public sector organisations, co-ordination among multiple departments and ministries is vital for the referral of suspected fraud and corruption cases to law enforcement authorities and other relevant bodies. However, organisations often face difficulties in following up with authorities regarding the outcomes of reported fraud and corruption incidents. A lack of communication around prosecuted cases presents a significant challenge for entities when reviewing their controls and taking corrective action.
Improving feedback loops regarding prosecution and correction can enhance risk assessments, reinforce fraud and corruption deterrence and allow organisations to address control vulnerabilities more effectively, reducing the risk of similar incidences occurring in the future. One way to achieve this is to set up information-sharing workshops with the participation of law enforcement and investigative bodies, aimed at helping organisations to identify fraud and corruption trends, patterns and modes of operation.
References
[7] Committee of Sponsoring Organizations of the Treadway Commission (2016), Fraud Risk Management Guide, https://www.coso.org/Pages/Purchase-Guide.aspx (accessed on 17 February 2020).
[2] Committee of Sponsoring Organizations of the Treadway Commission (2013), Internal Control - Integrated Framework, https://www.coso.org/Pages/ic.aspx (accessed on 17 February 2020).
[9] Crime and Corruption Commission (2018), Fraud and Corruption Control - Best Practice Guide, https://www.ccc.qld.gov.au/publications/fraud-and-corruption-control-best-practice-guide (accessed on 17 February 2020).
[16] Department of Justice and Attorney-General (2017), Fraud and corruption control policy, https://www.justice.qld.gov.au/__data/assets/pdf_file/0020/534350/fraud-and-corruption-control-policy.pdf.
[8] Estonian Ministry of Justice (2013), Anti-Corruption Strategy 2013-2020, https://www.korruptsioon.ee/en/anti-corruption-activity/anti-corruption-strategy-2013-2020 (accessed on 24 January 2020).
[6] European Commission (2015), Public Internal Control Systems in the European Union, https://ec.europa.eu/budget/pic/lib/docs/2015/CD02PrinciplesofPIC-PositionPaper.pdf.
[15] Fountain, L. (2015), Raise the Red Flag: An Internal Auditor’s Guide to Detect and Prevent Fraud, The Institute of Internal Auditors Research Foundation.
[10] International Organization for Standardization (2018), ISO 31000:2018, Risk Management - Guidelines, https://www.iso.org/iso-31000-risk-management.html.
[11] Irish Health Service Executive (2018), Risk Management Support Tools, https://www.hse.ie/eng/about/qavd/riskmanagement/risk-management-documentation/risk%20management%20support%20tools%20.html (accessed on 17 February 2020).
[13] National Audit Office (2011), Managing risks in government, https://www.nao.org.uk/report/managing-risks-in-government/ (accessed on 17 February 2020).
[1] OECD (2017), OECD Recommendation of the Council on Public Integrity, OECD, Paris, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0435 (accessed on 24 January 2020).
[12] OECD (2015), Prevention of Corruption in the Public Sector in Eastern Europe and Central Asia, OECD Anti-Corruption Network for Eastern Europe and Central Asia, OECD, Paris, http://www.oecd.org/investment/anti-bribery/ACN-Prevention-Corruption-Report.pdf.
[17] The Institute of Internal Auditors (2016), International Professional Practices Framework (IPPF) – Standards and Guidance, https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx.
[18] The Institute of Internal Auditors (2009), The Role of Internal Auditing in Enterprise-Wide Risk Management, https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%20Enterprise%20Risk%20Management.pdf.
[4] U.S. Government Accountability Office (2015), A Framework for Managing Fraud Risks in Federal Programs, https://www.gao.gov/assets/680/671664.pdf.
[3] U.S. Government Accountability Office (2014), Standards for Internal Control in the Federal Government, https://www.gao.gov/assets/670/665712.pdf.
[5] U.S. Office of Management of Budget (OMB) (2016), OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk, https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-17.pdf.
[14] Wright Jr., R. (2013), The Internal Auditors’ Guide to Risk Assessment, The Institute of Internal Auditors Research Foundation.
Notes
← 1. The control environment consists of the set of standards, processes and structures that provide the basis for carrying out internal control across an organisation.
← 2. In the Three Lines of Defence model, the first line of defence are operational managers that own and manage risks. The second line of defence are the functions that oversee risks, typically risk management and compliance functions. The third line of defence are internal audit functions that provide independent assurance that risk management processes are effective.
← 3. Inherent risks are risks that are assessed in the absence of control measures, i.e. before control measures have been applied.
← 4. Residual risk is the remaining risk level after applying mitigation measures.
← 5. Strategic risks are the likelihood of something happening that can affect the ability of an organisation to achieve its intended outcomes. Operational risks are the likelihood of something happening that will affect the ability of an organisation to achieve its objectives and produce outputs. Reputational risks refer to the potential for negative publicity, public perception or uncontrollable events having an adverse impact on an organisation’s reputation.
← 6. Risk factors are characteristics of an organisation’s environment, policies, procedures or activities that are associated with a high risk.
← 7. Risk tolerance is the level of risk that managers are willing to accept after implementing control activities. Defining risk tolerance helps to guide officials in their decisions to accept, reduce, avoid or share risks.
← 8. A heat map is a representation of the resulting quantitative and quantitative evaluations of the probability of risk occurrence and the impact on the organisation in the event that a particular risk is experienced.