CORRUPTION RISK ASSESSMENT


1 CORRUPTION RISK ASSESSMENT
AN OVERVIEW
January 2019
Implemented by: Pilot project by National Centre for Governance, Integrity and Anti-Corruption (GIACC)
TCC © 2018, ALL RIGHTS RESERVED

2 CONTENTS
CORRUPTION RISK ASSESSMENT
- An Overview
- ABMS requirements
- Managing uncertainty of corruption risk
- Overall process
- Risk assessment process – The 7-Steps
- Risk documentation

3 Corruption Risk Management (“CRM”) – Definition
"CRM is a management process which helps to identify structural weaknesses that may facilitate corruption, provides a framework for all staff to take part in identifying risk factors and treatments, and embeds corruption prevention within a well-established governance framework"
Source: ICAC New South Wales

4 The objectives of CRM
- Use as a risk-based management tool for corruption prevention
- Corruption risk profile is developed and managed through a structured approach: identification, measurement, control evaluation, monitoring
- Serve as an effective forum for healthy discussion on corruption prevention
- Accountability and responsibility for corruption prevention are defined

5 CRM Benchmark comparisons
Developed in July 2015 by SPRM, in accordance with international risk management standards:
- "A Guide for Anti-Corruption Risk Assessment" by UN Global Compact Office
- ISO 31000: Risk Management Principles and Standards
- ISO – Anti Bribery Management System

6 Corruption risk management – Overall approach
Establish Context
- Understand the context of the organization
- Apply context to the strategic and operational management
- Stakeholders/ interested parties
- Level of integrity
- Internal factors
- External factors
Risk Assessment
- 7-Steps Risk Assessment Process
- Develop risk profile
- Develop risk action plans
Monitoring & Reporting
- Scanning the horizon – monitor existing risks, emerging risks
- Monitor and evaluate risk action plans
- Risk Management Reporting
Continuous improvement runs through the whole cycle.

7 CRM in the context of ERM
Enterprise Risk Management Adapted

8 Risk management is about….
Common mindset of ERM: risk management is about managing uncertainty. Corruption risks??
“If you knew what you know now in 2008, what would you have done differently in your business?”

9 The focus is on the effectiveness of INTERNAL CONTROLS
Enterprise Risk Management – Risk Management – Prevention
The focus is on the effectiveness of INTERNAL CONTROLS.

10 Integrating risk and controls
Objectives – Risk – Control, shaped by internal factors, external factors and CHANGE.
To take risks you have to understand, embrace, and manage them.

11 Definition of Corruption Risk
Corruption risk is the possibility (LIKELIHOOD) that corrupt practices can happen, and the effect (IMPACT) of corruption on the OBJECTIVES of an organization. – Adapted from the ERM definition of risk

12 Where is corruption risk in the context of enterprise risk management?
Enterprise-Wide Business Risk
- Strategic: Country, Regulatory, Tax, Political, Catastrophe, Currency, Policy, Culture
- Operational: Procurement, Project management, Quality, IT Systems, HR/ Labour, Safety & environment, Budget / Payment
- Integrity: Corruption, Fraud, Misconduct
- Compliance: Regulatory, Internal policies, Laws
Financial Risk
- Market Risk: Price Risk (interest rate, equity, commodity)
- Credit Risk: Default risk
- Liquidity Risk: Funding Risk, Market Liquidity
Hazard Risk
- Physical hazard: Property injury, Fire
- Moral hazard
- Legal hazard: Lawsuits, Litigations
- Behavioral hazard: Carelessness, Morale

13 How does it work?
ERM questions: Strategic objectives? Strategy? Main revenue drivers? Main products? Main market? Key processes? Risk tolerance? Dependencies? Operational? Shortages? Strength/ weakness? Opportunity/ threats? PEST? Control effectiveness? KPI? KRI? Investment? Cash flows?
Corruption risk questions: What are the incentives? What are the pressures? Is revenue recorded systematically, or manually? Abuse of power? Conflict of interest? Management override? Which types of assets are vulnerable to misappropriation? Where does the money go?

14 Corruption risk Management
The Methodology

15 ISO 37001: 2016 Anti-Bribery Management System (ABMS)
Section 4.5 requires that an organization shall establish criteria for evaluating its level of bribery risk, which shall take into account the organization’s policies and objectives. In conducting the bribery risk assessment, the organization shall:
- identify the bribery risks the organization might reasonably anticipate, given the factors listed in 4.1: Understanding the organisation and its context;
- analyse, assess and prioritize the identified bribery risks; and
- evaluate the suitability and effectiveness of the organization’s existing controls to mitigate the assessed bribery risks.

16 ISO 37001: 2016 Anti-Bribery Management System (ABMS)
Section 4.5 also recommends that the bribery risk assessment shall be reviewed:
- on a regular basis so that changes and new information can be properly assessed, based on timing and frequency defined by the organization; and
- in the event of a significant change to the structure or activities of the organization.

17 ISO 37001: 2016 ABMS – 4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the objectives of its anti-bribery management system. These issues will include the following factors:
- The size, structure and delegated decision-making authority of the organization;
- The locations and sectors in which the organization operates or anticipates operating;
- The nature, scale and complexity of the organization’s activities and operations;
- The organization’s business model;
- The entities over which the organization has control, and entities which exercise control over the organization;
- The organization’s business associates;
- The nature and extent of interactions with public officials;
- Applicable statutory, regulatory, contractual and professional obligations and duties.

18 Corruption risk management – Overall approach
MS ISO 31000: 2010 – Overview of CRM Process
Establish context – Define objectives: vision, mission, strategic objectives; level of integrity; internal & external factors
RISK ASSESSMENT
- Risk Identification: Step 1: Identify risks; Step 2: Identify causes/ corruption schemes, and consequences
- Risk Analysis: Step 3: Determine Gross Risk Rating (GROSS); Step 4: Identify and analyse controls; Step 5: Evaluate Control Effectiveness; Step 6: Determine Residual Risk Rating (RESIDUAL)
- Risk Evaluation: Step 7: Evaluate Residual Risk and Risk Treatment Options
Risk Treatment – Management Action Plans
Throughout the process: Monitoring & Reporting; Communication & Consultation

19 Establish Context

20 Establish Context
Basically, we ask:
- What does INTEGRITY mean for the organization?
- How does the organization DEMONSTRATE INTEGRITY?
- Where are the priority areas in CORRUPTION PREVENTION?

21 Establish Context – Level of Integrity
Sources of information:
- Internal sources: internal audit reports; integrity surveys; whistleblowing/ complaint reports
- External sources: Auditor General’s reports; MACC’s complaint reports; MACC’s investigation summary reports
Categories, description and suggested guidance for action plans:
Satisfactory – None or minimal number of integrity issues. External stakeholders generally consider the organisation a trusted organisation. Internal stakeholders generally understand and are aware of the importance of integrity. Suggested guidance: Safeguarding.
Need improvement – Tolerable level of integrity issues. External stakeholders generally accept some minor issues of trust; agreed that some improvement is needed. Internal stakeholders are committed to improvements. Suggested guidance: Proactive actions.
In crisis – Major integrity issues exposed. External stakeholders raise major concerns about the trustworthiness of the management. Internal stakeholders are ignorant, complacent or against the implementation of corruption prevention measures. Suggested guidance: Drastic and immediate actions.

22 Scanning the Horizon – observe the changes in INTERNAL FACTORS
People, System, Process, Governance, Resources, Strategy
“If there are changes in the internal factors, how are these going to impact the level of integrity and bribery in the organisation?”

23 Scanning the Horizon – observe the changes in EXTERNAL FACTORS
Political, Economic, Social, Technology, Environmental, Legal
“If there are changes in the external factors, how are these going to impact the level of integrity and bribery in the organisation?”

24 Establish the context (Cont’d)
C. Risk Management context – ISO ABMS
What is assessed: activities, projects, transactions; business associates; personnel in certain positions
Processes: Bribery Risk Assessment; Anti-Bribery Due diligence; Anti-Bribery Decision-making
Risk ranked as “more than low” rating: Medium, Significant and High
Factors considered: structure, nature, complexity; financing/ payment arrangement; level of control; parties involved (public officials); competence; reputation; location; market talks; any ABMS?
Decisions: terminate; discontinue, suspend or withdraw; postpone or decline for new ones.

25 Key Processes Linked to Strategy
Meeting strategic needs – A top-down approach to CRM 2.0
By linking corruption risks to strategic goals, we are treating corruption risks with the same priority as other significant risks of an organization.
Vision/ mission – Strategic Objectives – Strategy – Key Processes Linked to Strategy – Corruption risks impact key processes

26 Top-down approach to CRM (Cont’d) – Illustrative example
Strategic goals:
- Increase public usage by 20% p.a.
- Plan, design and implement the development strategy with local government of a high technology park
- Enhance efficiency by implementing ICT (technology)-based processes
- Product innovation: develop new designs (2 new designs per year) through research and development projects
- Create an efficient and dynamic working environment with integrity and good governance
Key processes linked to strategic goals:
- Project management (construction, procurement)
- ICT management
- R & D process
- Human resource management
- Financial management
Potential corruption risks (linked to key processes):
- Abuse of power in tendering – loose contract to favour an interested sub-contractor
- Specification of ICT equipment intentionally catered to an interested party
- Leakage of R&D information to competitors
- Misuse of discretion and authorization for offices in foreign countries
- Management override for payment of incomplete work
- Collusion among site managers and checkers to certify a non-compliant structure
- Collusion with suppliers to supply low quality parts
- Bribery of government officials to register the patents/ trademarks
- Hiring of “own” people to smooth the tendering and awarding of contracts
- False claims
- Bribery of government officials for approval of unsafe building designs
- Use of middleman
- Waiver of job rotation for key positions

27 GROUP ACTIVITY

28 Group activity – Identify key processes (40 minutes)
Within your group, discuss and present the following:
- Strategic objectives of the entity; and
- Identify the key processes / activities critical for the entity to achieve its strategic objectives
Using Template 1: “Organisation Context: Strategic Objectives and Key Processes”
At the end of the discussion, present the results of your discussion to the class.

29 Corruption risk assessment
The process

30 Key components of CRM process (in line with Section 4.5)
- Identification: corruption schemes; root cause analysis
- Measurement: impact; likelihood; risk rating
- Control: entity-level controls; scheme specific controls; preventative controls; detective controls
- Monitor: current risks, new emerging risks; reporting; progress of risk action plans

31 Corruption risk management – Overall approach
MS ISO 31000: 2010 – Overview of CRM Process
Establish context – Define objectives: vision, mission, strategic objectives; level of integrity; internal & external factors
RISK ASSESSMENT
- Risk Identification: Step 1: Identify risks; Step 2: Identify causes/ corruption schemes, and consequences
- Risk Analysis: Step 3: Determine Gross Risk Rating (GROSS); Step 4: Identify and analyse controls; Step 5: Evaluate Control Effectiveness; Step 6: Determine Residual Risk Rating (RESIDUAL)
- Risk Evaluation: Step 7: Evaluate Residual Risk and Risk Treatment Options
Risk Treatment – Management Action Plans
Throughout the process: Monitoring & Reporting; Communication & Consultation

32 RISK ASSESSMENT “THE 7-STEPS”

33 The 7-step – Corruption risk assessment process (Source: SPRM CRM 2.0)
1. Define objectives
2. Identify risk: (A) scheme/ causes – Scheme/ Cause 1, Scheme/ Cause 2, Scheme/ Cause 3; (B) determine consequences
3. Inherent risk rating: impact and likelihood – High, Significant, Moderate, Low
4. Identify controls: existing controls (Control 1, Control 2, Control 3); additional controls (Control 1, Control 2, Control 3) – feeding the Management Action Plans
5. Control effectiveness: Satisfactory, Some weaknesses, Weak
6. Residual risk rating: impact and likelihood – High, Significant, Moderate, Low
7. Risk treatment options: Terminate, Reduce, Accept, Pass on
[Inherent risk – Control = Residual Risk]

34 TERMINOLOGY

35 Risk Matrix (5 x 5)
Rows – Likelihood of Occurrence: Almost certain, Likely, Moderate, Unlikely, Rare
Columns – Magnitude of Impact: Insignificant, Minor, Moderate, Major, Catastrophic
Each cell is rated Low, Moderate, Significant or High.
Risk is measured in terms of likelihood of occurrence & consequence upon occurrence.

36 Risk measurement – Impact & Likelihood
Risk rating – risk parameters: impact; likelihood; risk tolerance / risk appetite
Risk appetite is the amount of risk, on a broad level, that an organization is willing to accept in pursuit of value.
- Determines the amount of risk an enterprise is able to take
- Risk tolerance is determined up-front with the board of directors or those in charge of governance
- Allows enterprises to identify which risks are most critical and important for them to focus on and allocate resources to

37 Risk ratings
HIGH – Risk with high impact and high likelihood of occurrence. Controls are not effective or the causes are from external factors. Requires immediate risk action plans to reduce the exposure of the risk.
SIGNIFICANT – A priority risk with high impact and high likelihood of occurrence. Requires risk action plans to reduce the exposure of the risk if necessary.
MODERATE and LOW – Considered manageable risks where the controls are working as intended, or the inherent risk is already at moderate level. No risk action plans are required. Continuous monitoring of the controls is important.

38 Effectiveness of existing controls (Section 4.5 (c))
Determine the effectiveness of existing controls in managing a particular corruption risk:
Satisfactory – Controls are strong & operating properly, providing a reasonable level of assurance that objectives are being achieved.
Some weakness – Some control weaknesses/inefficiencies have been identified. No serious risk exposure but improvements are required to provide reasonable assurance that objectives will be achieved.
Weak – Controls do not meet an acceptable standard, as many weaknesses/inefficiencies exist. Controls do not provide reasonable assurance that objectives will be achieved.

39 Inherent risk
Inherent risk is assessed without consideration of the controls in place at the enterprise. These are the risks that come by virtue of having the business operations. Ask the question: “How likely would the corruption scheme happen in an environment where controls are insufficient?”

40 Residual risk rating
Residual risk = Inherent risk – controls
After rating the effectiveness of the internal controls that reduce the risk of each corruption scheme, the next step is to determine the level of residual risk.
- Residual risk is ranked on the same basis as inherent risk
- A High residual risk –> controls are not effective
- A Moderate or Low residual risk –> controls are working as intended, or the inherent risk is already at moderate level. This is considered a manageable risk.

41 Internal controls – Definition
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. (Source: COSO Internal Control – Integrated Framework)

42 Corruption risk Management – The risk assessment process

43 The 7-step – Corruption risk assessment process
1. Define objectives
2. Identify risk: (a) scheme/ causes – Scheme/ Cause 1, Scheme/ Cause 2, Scheme/ Cause 3; (b) determine consequences
3. Inherent risk rating: impact and likelihood – High, Significant, Moderate, Low
4. Identify controls: existing controls (Control 1, Control 2, Control 3); additional controls (Control 1, Control 2, Control 3) – feeding the Management Action Plans
5. Control effectiveness: Satisfactory, Some weaknesses, Weak
6. Residual risk rating: impact and likelihood – High, Significant, Moderate, Low
7. Risk treatment options: Terminate, Reduce, Accept, Pass on
[Inherent risk – Control = Residual Risk]

44 IDENTIFY RISK
Step 1 – Identify corruption risk
Step 2 (a) – Determine corruption schemes / causes

45 Step 1 – Identify corruption risk / Step 2 a – Determine schemes / causes
Risk title: #1 False claims – abuse of power in approving progress payments
Description: Construction project, for example a new prison. Corrupt practices in progress payments. For example, 80% to 90% of the project’s costs was paid to the contractor when it had completed less than 40% of the project. Arising from abuse of power and taking advantage of the weaknesses in VO procedures.
Process/ Risk Category: Construction Project Management
Risk Owner:
Corruption schemes:
- Collusion between Project Manager and Project Owner, through the appointment of a “professional” negotiator, to claim progress payments for incomplete work.
- Project awarded through direct negotiation without adhering to the guidelines on contractor selection procedures. A favoured contractor with past poor performance was selected.
Root causes:
- Lack of monitoring and enforcement of the contract terms. Contractor was not reprimanded for delay and incomplete work. Potentially, conflict of interest involved.
- Taking the opportunity when the project owner was undergoing a shortage of technical competency to properly inspect and verify the progress of the construction.
- Taking advantage of the loopholes in VO claims – there is a lack of clear guidelines as to the maximum amount of VO or number of times allowable.
- Corrupt practices were not reported as there is a lack of trust in the whistleblowing channel.

46 Step 1 – Identify corruption risk / Step 2 a – Determine schemes / causes
Examples of corruption risks – Procurement
Potential corruption risks:
- Soliciting bribes from third parties with a promise of obtaining successful works
- Accepting bribes to manipulate the pre-qualification process – e.g. approving a non-performing contractor or supplier
- Selecting third parties who have a personal interest
- Accepting bribes in return for disclosing price sensitive information to third parties
- Collusion between an insider and third parties to tailor the tender requirements to suit the third party for a successful tender
- Misuse of position to influence the tender committee

47 Corruption Schemes – examples (Procurement)
Step 1 – Identify corruption risk / Step 2 a – Determine schemes / causes
- In a bidding round, the terms of reference (including technical specifications) are biased to favour one supplier or to exclude potential competitors
- Bribe solicitation for confidential information during the pre-bidding or bidding stage
- An intermediary offers the company a win in the bidding upon payment of a “loser’s fee” during the pre-bidding or bidding stage
- A local government agency demands a fee for technical approval of equipment
- Approving false tender information in the selection of suppliers, with a personal interest in the supplier company
- Collusion in selecting maintenance / service vendors for kick-backs in continuing a maintenance contract
- Collusion in approving a low quality / off-spec supply for kick-backs

48 “Corruption”
Step 1 – Identify corruption risk / Step 2 a – Determine schemes / causes
Corrupt practices involve the offering, promising, giving, receiving or soliciting, directly or indirectly, anything of value to improperly influence the actions of another party, by misusing the position in which they are placed.
Corrupt practices are described as follows:
- Accepting/receiving a bribe
- Offering/giving a bribe
- Using office or position for a bribe

49 Definition of corruption
Step 1 – Identify corruption risk / Step 2 a – Determine schemes / causes
“The misuse of entrusted power for private gain” – Transparency International

50 Definition of corruption – Klitgaard’s Formula
Step 1 – Identify corruption risk / Step 2 a – Determine schemes / causes
Corruption = (Monopoly + Discretion) – Accountability – Integrity – Transparency

51 Donald Cressey’s Fraud Triangle
Step 1 – Identify corruption risk / Step 2 a – Determine schemes / causes
- A perceived financial pressure, or incentives (e.g., pressure to meet client expectations, financial targets, sales targets);
- A perceived opportunity to commit an act of corruption with a low likelihood of detection (e.g., monitoring/controls that are perceived to be ineffective, or a very complex corporate structure);
- Rationalization or attitudes (e.g., history of illegal practices at the enterprise, such as: competitors pay bribes; no one will find out; if I don’t do this I’ll lose the contract and my job; low staff morale)

52 Causes of corruption
Step 1 – Identify corruption risk / Step 2 a – Determine schemes / causes
- Weak internal controls
- Poor enforcement
- Acceptance culture

53 IDENTIFY RISK
Step 2 (b) – Determine consequences of risk

54 Step 2 b – Determine consequences
Risk title: #1 False claims – abuse of power in approving progress payments
Consequences:
- Project was delayed – for example a prison project where a 3-year project was delayed for 7 years, abandoned, and needed re-work.
- Financial loss – Prison Project: additional re-work costs of RM55 mil or 34% more (original costs 165 mil)
- Poor quality of the project – not fulfilling the safety and security requirements of a prison.
- Project objective, for example on providing prison services, was delayed or not achieved in time.
Consequences/ Impact:
- Has a direct relation to risk appetite
- Often links to key performance indicators
- Will link to impact measurement in steps 3 and 6

55 ANALYSE RISK
Step 3 – Inherent Risk Rating (Measure risk – Impact vs Likelihood)

56 Step 3 – Inherent Risk Rating
Risk measurement – Impact & Likelihood: risk tolerance / risk appetite; impact measurement; likelihood measurement

57 Step 3 – Inherent risk rating
Risk title: #1 False claims – abuse of power in approving progress payments
Inherent Risk Rating (5x5 matrix): Impact – Major; Likelihood – Likely; Rating – HIGH
(Matrix legend: Low, Moderate, Significant, High)

58 Step 3 – Inherent risk rating – Risk Matrix (5 x 5)
Corruption risks are measured and ranked against a risk matrix (impact vs likelihood), compared against a set of pre-defined risk parameters which coincide with the RISK TOLERANCE of an organization: financial loss; safety; quality; reputation; legal; casualty rate; combat readiness.
Corruption risks A, B and C are plotted on the matrix (legend: Low, Moderate, Significant, High).

59 Risk Rating – Impact (1)
Factor: Image/ reputation
- Insignificant: Not substantiated, low impact, no news item. Attention quickly contained, short term recoverability.
- Minor: Substantiated, low impact, low news profile
- Moderate: Substantiated, public embarrassment, moderate local news profile. Escalating customer implications.
- Major: Substantiated, public embarrassment, high news profile, third party action. Long term damage to public image.
- Catastrophic: Substantiated, public embarrassment, highly widespread news profile, third party action/ global media coverage.
Factor: Financial loss (additional costs/ funding/ wastages/ revenue)
- Insignificant: < 5% of initial funds
- Minor: Between 6 to 15%
- Moderate: Between 16 to 25%
- Major: Between 25 to 40%
- Catastrophic: Above 41%
Factor: Legal/ compliance
- Insignificant: Minimal penalties. Notice of violation/ warnings requiring administrative action.
- Minor: Moderate fines. Routine governing body litigations subject to moderate fines and penalties; may be subject to regulatory proceedings and/ or hearings
- Moderate: Substantial penalties. Routine litigation subject to substantial fines or penalties, subject to regulatory proceedings and/or hearings.
- Major: Substantial, may include criminal charges. Potentially significant governing body scrutiny, investigations subject to substantial fines and penalties, which may include some criminal charges, subject to regulatory proceedings and/or hearings
- Catastrophic: Major scrutiny and investigation. Major scrutiny, investigations subject to substantial fines and penalties including criminal charges, and/or cease-and-desist orders, possible regulatory action.

60 Risk Rating – Impact (2)
Factor: Stakeholders – customers
- Insignificant: Minimal customer complaints and recovery costs.
- Minor: Minimal decline in customer relationships and some recovery costs.
- Moderate: Loss or decline of customer relationships and moderate recovery costs
- Major: Strained key customer relationships and significant recovery costs and threat to future growth.
- Catastrophic: Loss of major customer relationships and serious threat to future growth.
Factor: Stakeholders – employees
- Insignificant: Insignificant impact on ___ Department’s ability to recruit and retain employees
- Minor: Some impact on ___ Department’s ability to recruit and retain employees.
- Moderate: Significant impact on ___ Department’s ability to recruit and retain top performers.
- Major: Major impact on ___ Department’s ability to recruit top performers.
- Catastrophic: Sustained impact on ___ Department’s ability to recruit and retain top performers.
Factor: Risk consequences/ management effort
- Insignificant: Negligible effects. Impact can be readily absorbed through normal activity. STRATEGIC VIEW: NORMAL IMPACT ASSOCIATED WITH PROGRAM PLANNING & OPERATIONS
- Minor: Normal administrative difficulty. An adverse event which can be absorbed with some management effort. DELAY IN FULFILLING THE MANDATE OF THE INSTITUTION
- Moderate: A serious event which requires additional management effort. DELAY IN ACCOMPLISHING PROGRAM OR PROJECT OBJECTIVES. Program or project re-design, re-approval and re-do required.
- Major: Fundamental rework before objective can be met. A critical event which requires extraordinary management effort. STRATEGIC VIEW: STRATEGIC PLAN REQUIRES MAJOR REVAMP, APPROVAL, PROGRAM RE-WORK
- Catastrophic: Project or program irrevocably finished, objective will not be met. Disaster with potential to lead to “collapse”. STRATEGIC VIEW: MANDATE OF THE ORGANISATION OR ORGANISATION ITSELF, IS FINISHED

61 Risk Rating – Likelihood of occurrence
Each level is described on three dimensions: Quantitative; Status of actual cases of the scheme; Complexity.
Rare
- Quantitative: Low probability, occurs only in exceptional circumstances. Approximately below 5% chance of occurring in the next 12 months
- Status: Root cause of incident has been remediated (reducing the chance of repeat occurrence).
- Complexity: Very difficult to perpetrate even without controls in place
Unlikely
- Quantitative: Little probability, could occur at some time. Approximately below 25% but above 5% chance of occurring in the next 12 months
- Status: Root cause of incident is in the process of being remediated.
- Complexity: Difficult to perpetrate even without controls in place.
Moderate
- Quantitative: Some probability, might occur half of the time. Approximately below 50% but above 25% chance of occurring in the next 12 months
- Status: Incident has been contained.
- Complexity: Moderately complex to perpetrate without controls in place
Likely
- Quantitative: Will probably occur in most circumstances. Approximately below 95% but above 50% chance of occurring in the next 12 months
- Status: Incident is in the process of being contained
- Complexity: Easy to perpetrate without controls in place.
Almost certain
- Quantitative: High probability, is expected to occur in most circumstances. Approximately above 95% chance of occurring in the next 12 months
- Status: Incident has been reported and is currently under investigation
- Complexity: Very easy to perpetrate without controls in place.

62 EVALUATE EFFECTIVENESS OF EXISTING CONTROLS
Step 4 – Control Effectiveness Evaluation

63 Step 4 – Identify controls / Step 5 – Evaluate effectiveness of controls
Determine the effectiveness of existing controls in managing a particular risk
Risk title: #1 False claims – abuse of power in approving progress payments
Existing controls:
- Treasury guidelines on procurement – tender selection and awarding (3)
- Whistleblowing channel for reporting malpractices (4)
- Guidelines on direct negotiations issued by MOF (1)
- Integrity pact signed by contractor, but lack of monitoring and enforcement (1,3,4)
Control effectiveness: Satisfactory / Some weakness √ / Weak
Additional controls:
- To consider legal actions to enforce terms in the integrity pact (recovering costs and termination of contract) (1,2,3)
- To enhance the trustworthiness of the whistleblowing channel (4)
- To set up a project technical team before the project is allowed to start (2)

64 Step 5 – Evaluate effectiveness of controls
Determine the effectiveness of existing controls in managing a particular corruption risk:
Satisfactory – Controls are strong & operating properly, providing a reasonable level of assurance that objectives are being achieved.
Some weakness – Some control weaknesses/inefficiencies have been identified. No serious risk exposure but improvements are required to provide reasonable assurance that objectives will be achieved.
Weak – Controls do not meet an acceptable standard, as many weaknesses/inefficiencies exist. Controls do not provide reasonable assurance that objectives will be achieved.

65 Step 6 – Residual risk rating
Risk title: #1 False claims – abuse of power in approving progress payments
Inherent Risk Rating (5x5 matrix): Impact – Major; Likelihood – Likely; Rating – HIGH
Control effectiveness: Some weakness
Residual Risk Rating (5x5 matrix): Impact – Major; Likelihood – Unlikely; Rating – SIGNIFICANT

66 Step 6 – Residual risk rating
When ranking the residual risk rating, ask whether the existing controls are able to reduce:
- the likelihood; or
- the impact; or
- both.

67 Step 6 - Residual risk rating
Risk matrix (figure): vertical axis Likelihood of Occurrence (Rare, Unlikely, Moderate, Likely, Almost certain); horizontal axis Magnitude of Impact (Insignificant, Minor, Moderate, Major, Catastrophic); cells rated Low, Moderate, Significant or High; plotted uncertainties labelled Uncertainty A, Uncertainty B and Uncertainty C.

68 RISK TREATMENT DECISIONS & ACTION PLANS
Step 7 – Risk Treatment Options

69 Step 7 – Risk treatment options
Flow (figure): Risk profile → Risk treatment options → Communication & monitoring
Risk profile: HIGH, SIGNIFICANT, Moderate, Low (with the risk appetite shown against these levels)
Risk treatment options: Terminate, Reduce, Accept, Pass on, supported by a cost/benefit analysis
Communication & monitoring: Corruption Risk Action Plan

70 Risk action plan template
Risk: False claims - abuse of power in approving progress payments
RISK ID: 001
Risk category: Operational
Risk analysis: Controllable / Uncontrollable / Combination; On-going / Discrete; Interconnect to other risks? Project delay
Risk treatment strategy: Terminate / Reduce risk / Accept risk
Risk owner:
Assessment date: 20 June 2016
Next assessment date: 30 November 2016
Residual impact: Major; Residual likelihood: Unlikely; Risk rating: SIGNIFICANT
Target impact: MODERATE; Target likelihood: UNLIKELY; Target risk rating:
High level action plan to be considered (with responsibility and target date for detailed plan):
1. To consider legal actions to enforce terms in the integrity pact (recovering costs and termination of contract).
2. To enhance the trustworthiness of the whistleblowing channel (4)
3. To set up a project technical team before the project is allowed to start (2)
4.
5.

71 Risk Documentation The Deliverables

72 GROUP ACTIVITY

73 Group activity – Identify and analyse corruption risks
Based on group exercise 1, on the same template, identify potential corruption risks of the key processes and analyse each risk: root causes/schemes, controls, risk ratings and action plans. In your group, discuss and present the following:
- Risk map
- Summary of risks
- Summary of action plans
- Risk register

74 QUESTIONS & ANSWERS

75 THANK YOU! Teh Chau Chin Contact:

76 APPENDIX

77 Examples of anti-corruption controls
Entity-level anti-corruption controls:
- A formal anti-corruption compliance programme;
- An Anti-Corruption or Compliance Committee mandated to review or receive updates on all high-risk transactions;
- Written standards (i.e., the code of conduct and anti-corruption and other related policies);
- Anti-corruption training and communication for employees;
- Tone from the top and the middle;
- Employee background checks;
- Whistleblower system;
- Gift, entertainment, and hospitality request approval and tracking;
- Conflict of interest certification/disclosure process.
(Source: "A Guide for Anti-Corruption Risk Assessment" by UN Global Compact Office)

78 Examples of anti-corruption controls (Cont’d)
Entity-level anti-corruption controls:
- Third-party contract provision on compliance;
- A competitive bidding/selection process including RFP dissemination to prospective vendors and proposal review;
- Risk tier classification system for third parties;
- Third party due diligence (in line with the designated risk tier);
- Multiple levels of vendor contract approval or internal sign-off (e.g., requiring approval from procurement, the legal and compliance functions, and local management);
- Accounting controls on vendor invoice review, approval, and payment;
- An employee culture of ethics and knowledge assessment;
- Mandatory rotation of key management level personnel in high risk locations.
(Source: "A Guide for Anti-Corruption Risk Assessment" by UN Global Compact Office)

79 Examples of anti-corruption controls
Preventive controls:
- Written standards (code, anti-corruption policies);
- Anti-corruption training and communication, including a resource library;
- Tone from the top and the middle: visible senior and mid-level management setting the expectations;
- A risk classification system for third parties, corporate locations, and business activities (i.e., a tiered system whereby higher risk parties are subjected to more robust due diligence and oversight than lower risk parties);
- A formal anti-corruption programme in place with defined structure, ownership, reporting lines, planned activities, and periodic measurement of effectiveness;
- Due care and due diligence, including personnel background checks, third party initial due diligence, and policy certification/acknowledgement;
- Gift, hospitality, and entertainment advance approval;
- Segregation of duties;
- Contract provisions on compliance with the law in general and anti-bribery specifically;
- Incentives for proper conduct, ethics awards, and (to some extent) performance evaluations with specific ethics and compliance provisions.
(Source: "A Guide for Anti-Corruption Risk Assessment" by UN Global Compact Office)

80 Examples of anti-corruption controls
Detective controls:
- Gift, hospitality, and entertainment tracking (after the fact);
- Expense report audit;
- Periodic third party monitoring (e.g., performance assessment, re-certification);
- Whistleblower system, investigation process and case management;
- Exit interviews;
- Corporate audit, transaction audit, third party audit;
- Employee culture of ethics and compliance assessment, particularly if it includes questions about pressure to commit misconduct, actual policy violations, etc.;
- Customer, vendor, or third party survey or interview.
(Source: "A Guide for Anti-Corruption Risk Assessment" by UN Global Compact Office)

81 Examples of anti-corruption controls
ISO ABMS - Financial controls:
- Segregation of duties
- Limit of authority (LOA) – payment approval
- Verification check over payee’s appointment and work/services by an authorized person
- At least 2 signatories on payment approval
- Supporting documents for payment approval
- Accurate and clear payment categorizations and descriptions in the accounts
- Periodic management review of significant financial transactions
- Periodic and independent financial audits

82 Examples of anti-corruption controls
ISO ABMS – Operational controls:
- Using approved contractors/sub-contractors/suppliers/consultants (or third parties) with a prequalification process:
  - Assess bribery risk exposure of these third parties
  - Conduct anti-corruption due diligence
  - Enforce anti-corruption contract terms
- Transparent and fair selection and awarding procedures
- 2 persons to evaluate tenders and approve the award of contracts
- Segregation of duties
- Limit of authority
- Management oversight
- Prevent leakage of information

83 Definition of “RISK”: “The effect of uncertainty on objectives”.
A risk is often specified in terms of an event or circumstance and the consequences that may flow from it. It is expressed in terms of consequences and likelihood.
Source: ISO 31000, Risk Management Principles and Guidelines

