Risk management

The OECD Recommendation of the Council on Public Integrity calls on adherents to “apply an internal control and risk management framework to safeguard integrity in public sector organisations, in particular through:

a) Ensuring a control environment with clear objectives that demonstrate managers’ commitment to public integrity and public-service values, and that provides a reasonable level of assurance of an organisation’s efficiency, performance and compliance with laws and practices;

b) Ensuring a strategic approach to risk management that includes assessing risks to public integrity, addressing control weaknesses (including building warning signals into critical processes) as well as building an efficient monitoring and quality assurance mechanism for the risk management system;

c) Ensuring control mechanisms are coherent and include clear procedures for responding to credible suspicions of violations of laws and regulations, and facilitating reporting to the competent authorities without fear of reprisal.”

Questions for self-assessment:

1. Do government-wide policies for risk management have an explicit focus on managing integrity risks?

There is no explicit focus on managing integrity risks in government-wide risk management policies and standards.
The centre of government (CoG) or other relevant body developed internal control and risk management standards with an explicit focus on managing integrity risks. However, the standards are not formalised or communicated.
The CoG or other relevant body sets and harmonises government-wide standards and policies for internal control and risk management with an explicit focus on integrity risks. There is systemic oversight to ensure that senior management establishes an integrity-driven control environment.
The CoG or other relevant body sets and harmonises government-wide standards and policies for internal control and risk management with an explicit focus on integrity risks. There is systemic oversight to ensure that senior management establishes an integrity-driven control environment. In addition, the various government entities that share responsibility for implementation of standards (for example, CoG, audit institutions, central harmonisation units, and integrity or anti-corruption bodies) have clearly defined roles and responsibilities to ensure a consistent control environment.

2. Is there government-wide guidance to support managers in managing and assessing integrity risks?

No government-wide guidance is provided to support managers in managing and assessing integrity risks.
The CoG or other relevant body developed guidance to support managers in managing and assessing integrity risks, however these are not widely distributed or communicated.
The CoG or other relevant body provides guidance to support managers in managing and assessing integrity risks. These are distributed and communicated across government, and supported through generic risk management training modules.
The CoG or other relevant body provides guidance to support managers in managing and assessing integrity risks.These are distributed and communicated across government. To address different levels of capacity and expertise for integrity risk management, guidance and training is targeted and sector-specific.

3. Are there government-wide policies, guidance and mechanisms in place for reporting and responding to potential integrity violations?

There are no policies, guidance or mechanisms in place for reporting and responding to potential integrity violations within the government.
The CoG or other relevant body established policies and guidance that requires reporting and responding to possible integrity violations. However, communication of these policies and guidance is limited. There are no mechanisms for reporting suspected violations in place.
The CoG or other relevant body established policies and guidance for reporting and responding to suspected integrity breaches, and there is effective communication of these policies and guidance in place. Centralised mechanisms have been established for government officials and the public for reporting suspected violations, but response times are long, co-ordination poor and results about follow-up actions are not communicated.
The policies and guidance for reporting and responding to suspected integrity breaches are well-established and communicated across government. Centralised mechanisms exist for government officials and the public for reporting suspected violations, and reports are processed in a timely manner, co-ordination is effective, and results of follow-up actions are communicated to relevant government bodies.

4. Are there government-wide policies in place that require internal auditor functions to provide assurance on the management of integrity risks?

There are no policies in place requiring internal audit functions to provide assurance on the management of integrity risks.
The CoG or other relevant body developed policies for internal audit functions to provide assurance on the management of integrity risks. However, roles and responsibilities of the internal audit functions to provide assurance for managing integrity risks remains unclear.
The CoG or other relevant body has developed policies for internal audit functions to provide assurance on integrity risk management in public sector organisations. Roles and responsibilities of the internal audit functions to provide assurance for managing integrity risks are clear, but there is limited guidance to carry out these roles and responsibilities, and no co-ordination mechanisms exist for knowledge sharing.
The CoG or other relevant body has developed policies for internal audit functions to provide assurance on integrity risk management in public sector organisations. Roles and responsibilities of the internal audit functions to provide assurance for managing integrity risks are clear, with guidance in place to support these roles and responsibilities. Effective co-ordination mechanisms exist across government between internal audit functions for knowledge sharing and promoting coherent approaches.

5. Do organisation-level risk management policies have an explicit focus on managing integrity risks?

The risk management policy does not have an explicit focus on managing integrity risks.
There is a risk management policy in place with specific objectives for managing integrity risks. Roles and responsibilities are defined, but give a lead role to the internal audit function for assessing integrity risks instead of managers. The risk management policy is not linked to broader organisational objectives and is poorly communicated. Policies are not reviewed or updated to keep pace with evolving risks and changes in the external and internal environment.
There is a risk management policy in place that includes managing integrity risks. The policies for managing integrity risks make a clear link to broader organisational objectives, and are widely communicated. Policies clearly define the roles and responsibilities for assessing integrity risks. Integrity risk managers have a direct reporting line to senior management. The roles and responsibilities of the internal audit function and managers are clearly defined and in line with international standards. Policies are reviewed and updated on an ad hoc basis to keep pace with evolving risks and changes in the external and internal environment.
There is a risk management policy in place that includes managing integrity risks, and is linked to broader organisational objectives. Roles and responsibilities for managing and assessing integrity risks are clearly defined, with managers leading integrity risk management, and the internal audit function playing an assurance role. The managers have direct reporting lines to senior management. The risk management policies and practices are communicated and well-known throughout the organisation to promote everyone’s responsibility for proactively managing integrity risks at all levels. Policies are regularly reviewed and updated to keep pace with evolving risks and changes in the external and internal environment.

6. Does the public organisation assess integrity risks?

The organisation assesses risks but does not assess integrity risks specifically.
The organisation assesses integrity risks, however assessments are ad-hoc and largely seen as compliance-oriented (i.e. check-the-box) exercises. To the extent integrity risks assessments are carried out, they are narrow in scope and incomplete. Tools for analysing risks and documenting the results of risks assessments are undeveloped or non-existent. There are limited or no guidance materials or training opportunities available on risk identification and assessment, as well as no dedicated staff in place.
The organisation assesses integrity risks periodically. Integrity risk assessments take into account both inherent and residual risks, as well as risks in the internal and external environment. Risk assessments are proactive, go beyond check-the-box approaches, and include an analysis of the effectiveness of control activities. However, risk tolerances are poorly defined and not considered during risk analyses. The organisation makes effective use of tools for analysing and documenting the results of risk assessments, such as risk maps, registers and profiles. In general, risk assessments are mainly qualitative and based on perceptions. The results of risk assessments are used to inform changes to the control environment, but not communicated widely across the organisation.
The organisation regularly assesses integrity risks, taking into account inherent and residual risks as well as risks in the internal and external environment. Risk assessments also take into account emerging risks relevant for organisational objectives and the control environment. Risk criteria is articulated for each category of risk, including fraud and corruption. Criteria are supported by defined risk tolerances. Qualitative and quantitative methods are used to perform risk assessments (i.e. automated risk registers and dashboards). There are appropriate tools (i.e., data analytics programmes and IT tools) and models that aid risk assessments. The results of risk assessments are used to inform managerial decision making, performance evaluation and changes to the control environment. The results of integrity risk assessments are communicated widely across the organisation.

7. Are there clear procedures and mechanisms in place for reporting and responding to potential integrity violations within the organisation?

There are no procedures or mechanisms in place to enable the reporting of potential integrity violations within the organisation.
There are reporting mechanisms available, with safeguards in place to protect anonymity. The mechanisms however are not well-advertised and procedures are unclear. Responsibilities are assigned to a unit or individual to respond to reports of potential integrity violations, but there is limited capacity to carry out these roles.
There are reporting mechanisms available for public officials, with safeguards in place to protect anonymity. The mechanisms are well-advertised and clear procedures in place. There are limited reporting mechanisms available to the public. Guidance outlines the appropriate course of action to take in the event of a suspected integrity violation, including internal investigation and referral to law enforcement authorities. Responsibilities are assigned to a unit or individual to respond to reports of potential integrity violations, and capacity is sufficient to handle reports. Limited co-ordination and communication with relevant stakeholders, including regulators, law enforcement, ethics officers or others, exists.
There are reporting mechanisms in place, with separate lines of communication established and available to public officials and the public (e.g. ethics and whistleblower hotlines, internal reporting). Safeguards are in place to protect anonymity as well as confidentiality throughout the process. Guidance outlines the appropriate course of action to take in the event of a suspected integrity violation, including internal investigation and referral to law enforcement authorities. Awareness raising measures actively encourage reporting of suspected integrity violations. The unit or individual responsible for receiving and responding to reports is well-resourced and has sufficient guidance. Cases are resolved effectively and efficiently. Regular co-ordination and communication with relevant stakeholders, including regulators, law enforcement, ethics officers or others, takes place.

8. Does the internal audit function provide assurance on the management of integrity risks within the organisation?

The internal audit function does not provide assurance on the management of integrity risks in the organisation.
The internal audit function provides limited assurance on the management of integrity risks. Audits rarely, if ever, have specific objectives related to integrity risk management.
The internal audit function provides reasonable assurance on the management of integrity risks through regular audits. The internal audit function is independent in determining the scope of internal auditing, performing work, and communicating results. The internal audit function guides management on responding to risks, and actively supports awareness raising of integrity risks. It draws on the work of and co-ordinates with other audit bodies, such as Supreme Audit Institutions or other internal audit functions, in its assessments of integrity risks.
The internal audit function provides reasonable assurance on the management of integrity risks through regular audits, and is independent in determining the scope of internal auditing, performing work, and communicating results. The internal audit function guides management on responding to risks, and contributes to risk identification, but does not lead risk assessments. It draws on the work of and co-ordinates with other audit bodies, such as Supreme Audit Institutions or other internal audit functions, in its assessments of integrity risks.

Loading...