Query

Which tools are available to monitor the effectiveness of corruption risk mitigation measures as well as developments within one specific risk area (apart from internal compliance and risk management systems)?

Understanding corruption risk management

The concept of risk management and its associated techniques (including in the corporate, financial and technological sphere) dates back to at least the 1950s (Dionne 2013). While the purpose of risk management is to provide a reference framework that enables organisations to handle risk and uncertainty, there is, somewhat surprisingly, a relative paucity of literature designed to assist aid agencies to manage corruption and integrity risks (Dionne 2013; Johnsøn 2015).

Corruption risk

While the precise conceptualisation of corruption risk tends to differ somewhat from tool to tool (McDevitt 2011), for the purpose of this Helpdesk answer it can be defined as conditions favouring the development, realisation and proliferation of corrupt practices.Corruption risk thus represents the likelihood of corruption emerging from the vulnerabilities present in a given system or process, typically in conjunction with a consideration of its possible impact (Georgiev 2013). Corruption risk is therefore sometimes expressed as a combination of the degree of its probability and its potential impact or cost (Sharma, Sengupta and Panja 2019). Moreover, a distinction between internal and external corruption risks ought to be understood. Internal corruption risks focus on potential corrupt behaviours emerging from an organisation’s infrastructure, policies and procedures. External corruption risks in organisations are those presented by partner management systems along with those emerging from the broader external environment in which the organisations operate (Hart 2016).

It should be noted that, during the identification and assessment of corruption risks, a strictly legalistic approach to corruption is not generally recommended as specific practices within an organisation may be identified as corrupt even if they are technically legal, especially in countries where the legal definition of corruption is narrow, for example, where it is restricted to bribery (Terracol 2015).

Corruption risk management

Corruption risk management is an (public or private) institution’s policy and practice to identify, assess, and mitigate internal and external corruption risks in its activities (OECD 2016). The institution could utilise project management methodology to systematically reduce the likelihood and impact of corruption on project outcomes or continuously monitor emerging risks. It works at the junction of external risks, such as fraudulent partner organisations and background societal corruption, and internal practices related to administrative processes and vulnerable delivery mechanisms (IACC 2015; Jenkins 2016). Corruption risk management systems do not end with identifying potential vulnerabilities but also extend to finding appropriate mitigation measures and responses to rectify them (IACC 2015).

When it comes to monitoring corruption risks (in the public and private sector), there are various approaches, models and conceptual frameworks. There remains, however, a wide-ranging agreement across the literature that, instead of arbitrarily adhering to a specific template, the solution is to find a contextually suitable model and develop a bespoke approach suited to the task at hand (IACC 2015; Jenkins 2016).

When done well, corruption risk management accommodates an agency’s rules and processes in response to realistic estimations of the possible corruption problems an activity may encounter, and can thereby reduce risks that negatively affect the desired development outcomes (Hart 2016).

Corruption risks in the context of development programmes

With corruption being one of the largest constraints on development, corruption risks are often treated differently to other risks when it comes to development programmes because of the moral dimension of corruption and costly reputational risks for the organisation (Menocal 2015; OECD 2016; Zamaitat & Rafat 2017). This holds especially true as perceptions of and tolerance for corruption risk may differ depending on perspectives (Menocal 2015). For example, while a minor fraud case in a project implemented by an aid agency may not have a large impact on the average citizen in a developing country where grand corruption makes headlines regularly, it may, however, result in substantial reputational risk for the agency (Johnsøn 2015; Menocal 2015).

Recognising that aid can become another resource that ends up being exploited by corrupt actors, there is a wide-ranging consensus that international development agencies ought to strive for a sound understanding of the political economy of the countries and contexts in which they operate to effectively manage corruption risks (Mungiu-Pippidi 2015; OECD 2016). Hart (2016) opines that, for development agencies, ignoring corruption risk is “ill-advised at best, and at worst it can endanger an agency’s objectives, credibility, and legitimacy”.

Indeed, in recent years, the “do no harm” principle has gained substantial traction in the donor community, and encourages aid agencies to analyse the aggregate impact of their development activities within the target community, from project inception to closure. This includes due consideration of any effects of their work and presence on governance phenomena, such as whether donors unwittingly create new rent-seeking opportunities (Johnston & Johnsøn 2014). As result, over the past decade monitoring corruption risks (not just risk avoidance644d2bc366f6) is becoming a norm in development programming (Johnston & Johnsøn 2014; IACC 2015; Hart 2016; Jenkins 2016).

However, agencies often struggle to monitor corruption risks due to a variety of factors, including but not limited to, limited resources, absence of governance expertise, lack of clearly defined objectives of corruption risk management (CRM) and persistent institutional incentives to simply discount corruption risks (Hart 2016).

While totally eliminating the risk of corruption in development projects is often unrealistic, the rigorous use of risk management tools has the potential to greatly reduce graft and impropriety faced by development programmes (Jenkins 2016).

General tools for corruption risk assessment

While agencies have invested significantly in up-front analysis and various corruption monitoring and control regimes, most of the guidance focuses on the initial process of identify and categorising risk through the use of corruption risk assessments. Guidance on how to assess the effectiveness of an agency’s anti-corruption mitigation measures that have been applied to risks identified during the assessment phase is much more limited (Hart 2016).

Nevertheless, some tools and standards to suit the needs to various agencies have been developed, and a few of these are as follows.

United Nations Convention Against Corruption (UNCAC)

UNCAC urges parties to work towards implementing sound anti-corruption strategies and measures, among which CRM is addressed in following ways:

Each State Party shall (UNODC 2004):

1. enhance awareness of the risks of corruption inherent in the performance of public officials’ functions (Article 7),
2. take appropriate measures to promote transparency and accountability in the management of public finances, including effective and efficient systems of risk management and internal control (Article 9),
3. take such measures as may be necessary to enhance transparency in its public administration, including also publishing information on periodic reports on the risks of corruption in its public administration (Article 10).

Moreover, the Technical Guide to UNCAC recommends that States Parties should design a strategy to prevent corruption on the basis of a risk assessment that should be founded on relevant information or statistical data. The aim of risk assessment according to this Technical Guide is to prepare a report addressing the assessments and specific risks within vulnerable sectors, with consequential proposals to deal with them (UNODC 2009).

UN Global Compact. 2013. Guide for Anti-Corruption Risk Assessment

The Guide is based on anti-corruption conventions such as the United Nations Convention against Corruption (UNCAC) (2005) and Organisation for Economic Co-operation and Development (OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance (2010) (UN Global Compact 2013).

It outlines anti-corruption risk assessment involving the following steps mentioned below:

1. Establishing relevant planning processes, set objectives, engage stakeholders, and mobilise resources.
2. Exploring the principles, techniques, and practices that can help an enterprise identify risk factors. This includes data collection, such as through desktop research, interviews, surveys, workshops.
3. Rating the inherent risks of probability of occurrence (high, medium, low), as well as potential impact (high, medium, low). Temperature maps may also be used.
4. Identifying and rating mitigating controls by identifying different frameworks and rating measures (effective, partially and not effective).
5. Calculating residual riski.e. risk that remains after controls (measures) are taken into account.
6. Developing an action plan with a response to residual risks (current risks) which contains: i. action ii. responsible person iii. implementation timetable. iv. an estimate of resources need to address each action item, such as the number of individuals, hours, and budget.

For more details on risk assessment see: A Guide for Anti-Corruption Risk Assessment (2013) by UN Global Compact.

US AID. 2009. Anti-corruption Assessment Handbook

The proposed methodology by US AID is based on two overarching objectives – (i) developing a practical strategy by assessing the context of operation and understanding the problem; and (ii) making recommendations by diagnosing sectors and assessing program track records (Spector, Johnston and Winbourne 2009).

The risk assessment activities are divided into the early and in-country activities. The following figure showcases a flowchart of the anti-corruption assessment framework. For more details on the framework see: Anticorruption assessment handbook (2009) by US AID.

UNDP. 2018. Conceptual Framework for Corruption Risk Assessment at Sectoral Level

The United Nations Development Programme has developed a sector-based risk management process bases on the following steps (UNDP 2018):

1. Establishment of context and setting the criteria against which risks will be assessed.
2. Risk assessment including the identification of risks, the analysis of their “likelihood” and “impact”, as well as the evaluation of results. Such an exercise may be visualised in the form of risk heat maps.
3. Building on the outcomes of the risk assessment and focusing on treating the assessed risks by developing risk treatments. Such risk treatments act on possible results of a heat mapping exercise, which needs to be further prioritised based on the overall objectives and context (e.g. resources available). Respectively, concrete measures for risk mitigation need to be developed and translated into implementation.
4. Monitoring and review including review of the continuous accuracy of the outcomes gained from all previous steps, as well as focusing on the monitoring of the success of mitigation measures. This would include regular discussions around the risk heat map and to match the routinely identified and respectively assessed and prioritised risks with the best suitable actions. This would lead to the development of a “risk remedy” map.
5. Communication and consultation focused on sharing results with stakeholder arena to ensure transparency and support as well includes consultations as a way to also ensure on-going accuracy and general feedback.

For details on risk heat and risk remedy maps see: Conceptual Framework – Corruption Risk Assessment At Sectoral Level by UNDP.

International Organisation for Standardisation (ISO) standards

ISO 31000, risk management – guidelines, provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector. It however cannot be used for certification purposes, but it may be used to provide guidance for internal or external audit programmes (ISO 2020b). The Australian government is an example of a country applying the ISO 31000 standard.

ISO 37001 allows organisations of all types to prevent, detect and address bribery by adopting an anti-bribery policy, appointing a person to oversee anti-bribery compliance, training, risk assessments and due diligence on projects and business associates, implementing financial and commercial controls, and instituting reporting and investigation procedures (ISO 2020a).

Committee of Sponsoring Organisations of the Treadway Commission (COSO) standards

The updated COSO standard/methodology lists 17 principles which are to be implemented at theinstitutional level. They are as follows (McNally 2013):

Control Environment – 5 Principles

1. Demonstrating a commitment to integrity and ethical values.
2. Top management demonstrating independence and exercising oversight of the development and performance of internal controls.
3. The establishment of board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives by the management.
4. Demonstrating a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. Individuals are held accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment – 4 Principles

1. Objectives are specified with sufficient clarity to enable the identification and assessment of risks relating to objectives.
2. Risks are identified and analysed across the entity as a basis for determining how the risks should be managed.
3. The potential for fraud in assessing risks to the achievement of objectives are considered.
4. Changes that could significantly impact the system of internal control are identified and assessed.

Control Activities – 3 Principles

1. Control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels are selected and developed.
2. General control activities over technology to support the achievement of objectives are selected and developed.
3. Control activities through policies that establish what is expected and procedures that put policies into action are deployed.

Information and Communication – 3 Principles

1. Generation of relevant, quality information to support the functioning of internal control.
2. Internal communication OF information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
3. External communication regarding matters affecting the functioning of internal control.

Monitoring Activities – 2 Principles

• Evaluations to ascertain whether the components of internal control are present and functioning are developed.
• Internal control deficiencies in a timely manner are evaluated and communicated to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

The COSO cube is as follows:

OECD Public Sector Integrity (framework for assessment)

According to the OECD methodology, the “assessment journey” starts with recognising which building blocks of an “ethic infrastructure” (the institutions, systems and mechanism for promoting integrity and preventing corruption in the public service) need to be assessed. Such an assessment may focus on separate specific measures and their interaction, in particular (Škrbec 2016):

• risks (analysing risks and reviewing vulnerable areas susceptible to corruption),
• specific policy instruments (assessing discrete integrity and corruption prevention measures),
• complex programmes (examining the interaction of combined policy instruments),
• elements of an organisational culture (reviewing values, behaviours and specific individual actions).

Four phases for corruption/integrity management are listed by the OECD: definition of the integrity framework; assessment and evaluation of the threats; application of the results; and follow-up and accountability. Thus, for the process of risk analysis, institutions ought to: map sensitive processes (e.g. procurement, promotion of staff members, etc.); map sensitive functions (typically staff-members with a responsible role); and identify the points where there is a significant vulnerability for integrity violations (Škrbec 2016).

While different methodologies (UNCAC, ISO 31000, COSO, OECD) and different ways (internal auditing, self-assessments) are used in countries and international organisations, all approaches have the same goal: to reach, promote and to maintain integrity within institution(s) through eliminating risks and vulnerabilities (Škrbec 2016).

Proposed approach to monitor external corruption risks

There are multiple approaches to monitor corruption risks, but in line with the principle of “no one size fits all”, much of the literature recommends that each organisation either develops its own bespoke tool or adapts existing methodologies to account for local contextual realities (IACC 2015). Whichever approach is taken, the key recommendation is to integrate it consistently across the entire project cycle (IACC 2015).

While the specific approach taken will vary, there are typically three major steps common to efforts to identify, track and curb corruption (Johnsøn 2015; Jenkins, Chêne, Laberge & Loekman 2018):

1. Risk identification: identifying specific types of corruption risk that are likely to affect the desired outcomes of the activity at hand
2. Risk prioritisation: understanding the severity of identified risks using a measure of probability and a measure of impact or magnitude
3. Risk mitigation and monitoring: taking steps to reduce the incidence and/or effect of the behaviours identified and assess the effectiveness of these measures

Risk identification

A key first step to any corruption management process is to conduct a mapping exercise to identify salient corruption risks. This is where conducting a value chain analysis can be useful.

The theory of a value chain comes from the private sector, where it refers to the idea that a company can be understood of in terms of the processes it relies on to generate profit. Lately, the concept of a value chain has been adopted in the public sector, where it refers to the chain of interconnected processes needed to deliver goods and services to citizens (Jenkins, Chêne, Laberge & Loekman 2018).

The value chain concept can also be applied to development assistance to describe the full range of activities needed to implement a programme, from designing the intervention logic at the policy making level through to the different phases of mobilising or procuring resources to produce goods and services, and finally to the delivery to the target community.

Value chains can be conceptualised in a number of ways. Cognisant of the need for each organisation to tailor standard approaches to its own use case, Jenkins, Chêne, Laberge and Loekman (2018) present a simplified model dividing a value chain into three broad levels:

• Policymaking level. At the policy formulation stage, external corruption risks to development programmes can be found both inside and outside of government. Inside the recipient government, senior public officials may distort donors’ policies or take actions that enable them or their neo-patrimonial networks to benefit at the expense of the public good. Outside of government, private firms and contractors may try to exert undue influence on the development or enforcement of regulations that can have an impact on development projects.
• Organisational level. When considering the management of organisational resources, such as personnel, goods, supplies and budgets, external corruption risks can take various forms, such as embezzlement of funds during procurement processes, or patronage and nepotism in licensing and hiring practices.
• Client interface/service delivery level. Finally, at the service delivery stage where citizens receive services, corruption risks often take the form of bribery or extortion. This type of petty corruption is usually perpetrated by low- and mid-level public officials in places such as hospitals, schools or police stations.

Here the principle is primarily to ensure that those designing risk management frameworks consider the full range of integrity challenges that extend from petty corruption all the way to the top, and the authors encourage development practitioners to adapt the model to their specific needs, whether country or sector specific (Jenkins, Chêne, Laberge & Loekman 2018). In this way, aid agency staff can ensure that their corruption mitigation efforts do not focus unduly on highly visible threats at the expense of tackling less obvious issues that may have a more profound impact on desired outcomes.

Note that identified risks can be mapped to the different levels of the value chain throughout the processes of implementing corruption risk management (including identification, assessment, mitigation and monitoring) (Jenkins, Chêne, Laberge & Loekman 2018).

Risk prioritisation

After developing a list of corruption risks and categorising them by value chain level, the next step is to prioritise the most salient risks to the accomplishment of programme objectives. This is best done by evaluating the likelihood and impact of different risks through broad consultations with stakeholders and experts, as well as drawing on existing data and prior experience.

This may be done via an expert survey involving the target community, government partners, civil society organisations and, where appropriate, the private sector. However, if the tool is primarily designed as an internal means of monitoring external risks, the assessment may be conducted by a smaller internal team to avoid potentially corrupt players in the external environment “gaming” or otherwise undermining the monitoring system.

The objective is to prioritise the two or three most serious risks for each stage of the value chain for inclusion in the monitoring framework, which, as described below, can take the form of a dashboard.

For the purpose of this answer, an example of a risk assessment in the education sector (where a donor might have a programme goal of improving primarily education) is described. Outlined below is an illustrative table of the outcome of a risk assessment that has identified external corruption risks at various levels in the value chain that could impinge on a donor’s programme in the education sector.

Identifying anti-corruption measures

The next stage of the process involves matching each prioritised corruption risk with corresponding mechanisms believed to reduce the vulnerability to integrity threats. These anti-corruption measures may be identified using the same method as the risk assessment; in other words either through collaboration with experts and/or internally within
the aid agency, depending on the programme context. It ought to be noted that the highest scores should be evaluated for each value chain level so that no part of the value chain is neglected.

Illustrative table of anti-corruption measures (e.g.: in an education sector programme), where X is a donor’s predefined risk appetite.

Monitoring measures

The next phase is to consider which indicators would be best suited to track the identified risks. Since it is difficult to measure the incidence or risk of corruption directly, an alternative strategy is to measure the effectiveness of the anti-corruption safeguards paired with each prioritised risk as a proxy.

Jenkins, Chêne, Laberge and Loekman (2018) recommend identifying or developing a number of indicators for each selected anti-corruption measure. Ideally, these various indicators should draw on information produced by a range of different data providers, such as national statistics offices, government agencies, academics, civil society organisations, the media and the private sector. In addition, aid agencies are encouraged to include their own data where relevant.

Jenkins, Chêne, Laberge and Loekman (2018) further present a taxonomy of three different types of indicator that each anti-corruption measure should be assessed against: framework, progress and impact indicators.

Framework indicators

Framework indicators, also known as “input indicators”, aim to capture evidence on the existence (or absence) of “framework conditions” required for a sector or process to be well governed and free of corruption. For instance, framework indicators measure the quality of legal and policy frameworks in place, the existence of codes of conduct and sanction mechanisms, the size of budgetary allocations and the staffing capacity, among others. Essentially, framework indicators are a metric for whether anti-corruption safeguards are in place to minimise corruption risks.

They are usually objective indicators that draw on official laws and policies, and administrative data, though they can also be derived from expert assessments, for example, using objective scoring criteria.

Progress indicators

Progress indicators, also known as “activity or output indicators”, focus on actions taken to increase the quality of goods, services and processes, and make these more transparent and accountable. In other words, they measure the progress made in converting inputs into outcomes. Progress indicators, for instance, track the number of complaints received and addressed, changes in the absenteeism rate among civil servants, percentage cases of corruption successfully prosecuted, and so on. Progress indicators can thus be seen as a metric to gauge the governance performance of a programme’s implementation.

They are usually objective indicators that draw on administrative data.

Impact indicators

Impact indicators, also known as outcome indicators, measure long-term impacts arising from the inputs invested, the actions taken and the short-term outputs produced. Impact indicators could measure changes in the extent to which people have access to a given service, development outcomes, such as literacy rates, the increase in public trust in government and so on. Impact indicators are a metric of sector-specific outcomes and impacts (which may not be directly related to anti-corruption measures), as poor outcomes in programmes may be warning signs of hidden malpractices.

They can be both objective indicators (if they measure development outcomes) and subjective data (if they measure changes in satisfaction levels, or in levels of perceived corruption).

The value of combining different types of indicator and data sources

Governance and corruption are complex issues. A single indicator is not sufficient to obtain a comprehensive understanding of the state of affairs and to identify possible points of intervention. All indicators have weaknesses and are subject to bias in one form or another. By assessing each anti-corruption measure against a so-called “basket” of three to five different types of indicators, development practitioners can generate a more comprehensive picture of exposure to corruption. This approach can also mitigate the risks of making decisions based on misleading data by combining indicators so that they offer more than the sum of their parts.

This is because using multiple indicators allows for the triangulation of various data sources to see whether the indicators validate each other, and neutralise any perverse incentives sometimes embedded in indicators. For instance, it may be in the interest of governments to adopt shallow reforms or quick fixes to improve their indicator scores, without addressing the root cause of the governance failings. Including other indicators in a basket limits the risk that any given indicator has unintended or harmful impacts.

An illustration of what a corruption risk monitoring dashboard in the education sector could look like can be found on the following pages. For ease of presentation, the dashboard has been split across three pages, with each section of the value chain (policymaking, organisational resources and client interface) found below.

Using the indicator dashboard to monitor corruption risks

The use of indicator dashboards has a number of strengths when it comes to monitoring external corruption risks, particularly in the area of development assistance.

First, the approach involves producing a baseline against which the governance performance of a donor intervention can be measured diachronically. Once the most salient risks have been identified, prioritised and paired with an appropriate mitigation mechanism, the effectiveness of these safeguards is periodically assessed against a number of dimensions (framework conditions, progress metrics and broader impact). This method therefore provides a relatively reliable proxy for the magnitude of corruption risks facing a development programme over time.

Indeed, the tool has been designed with the need to regularly update the data in mind. To facilitate this process, development practitioners can match the indicators included in the dashboard with metrics built into a programme’s own monitoring, evaluation and learning framework.

Where a donor programme seeks to improve the quality of primary education, for instance, ex-ante political economy analysis might find that rampant teacher absenteeism and ghost workers could constitute a challenge to achieving the programme’s objectives. By embedding random site visits and user surveys into the programme design, the effectiveness of the anti-corruption safeguards can be dynamically assessed against the baseline over the lifecycle of the project.

In addition, the various indicators included in the monitoring framework should draw on existing sources of data as much as possible. Donor programmes could then commit to referencing relevant data regularly produced by other organisations, whether generated through audits, public expenditure tracking surveys, household surveys and so on. As such, the tool can be seen as a means of consolidating various existing and scattered data sources into one coherent format.

The objective should be to produce a relatively simple dashboard that is updated at least annually to provide programme managers with an at-a-glance understanding of the integrity risks their programme faces. Once baseline values have been established, a traffic light feature could be added to the dashboard to denote whether the programme’s exposure to corruption is increasing or decreasing.

Ultimately, the aim of the dashboard should be to provide a concise systematic overview of the key risks a donor intervention faces, the mitigation strategies the donor agency has put in place, as well as the monitoring framework it is using to track the effectiveness of these safeguards. The steps described in this Helpdesk answer, and further elaborated on in Monitoring Corruption and Anti-Corruption in the Sustainable Development Goals and Corruption, Data and the SDGs, thus provide a coherent roadmap to translate identified risks into specific indicators and manage corruption vulnerabilities.

In the final analysis, the tool can either be used for the internal monitoring of donors’ own operations or, where the political environment allows, as a programme of action to promote systemic reform in particular sectors. Indeed, when a donor intervention concludes, responsibility for maintaining the dashboard to monitor the health of anti-corruption safeguards in a particular area could be handed over to public agencies or local civil society groups, who may have already been involved in producing data included in the dashboard.