CORRUPTION RISK ASSESSMENT: AN OVERVIEW (January 2019 Pilot)

A project by the National Centre for Governance, Integrity and Anti-Corruption (GIACC). Implemented by TCC. TCC © 2018 ALL RIGHTS RESERVED.

CONTENTS
Corruption risk assessment: an overview
• ABMS requirements
• Managing uncertainty of corruption risk
• Overall process
• Risk assessment process: the 7 steps
• Risk documentation

Corruption Risk Management ("CRM"): Definition
"CRM is a management process which helps to identify structural weaknesses that may facilitate corruption, provides a framework for all staff to take part in identifying risk factors and treatments, and embeds corruption prevention within a well-established governance framework."
Source: ICAC New South Wales

The objectives of CRM
• Use as a risk-based management tool for corruption prevention.
• A corruption risk profile is developed and managed through a structured approach: identification, measurement, control evaluation and monitoring.
• Serve as an effective forum for healthy discussion on corruption prevention.
• Accountability and responsibility for corruption prevention are defined.

CRM benchmark comparisons
Developed in July 2015 by SPRM, in accordance with international risk management standards:
• "A Guide for Anti-Corruption Risk Assessment" by the UN Global Compact Office
• ISO 31000: Risk Management Principles and Standards
• ISO 37001: Anti-Bribery Management System

Corruption risk management: Overall approach
Establish context
• Understand the context of the organization and apply that context to strategic and operational management.
• Stakeholders / interested parties, level of integrity, internal factors, external factors.
Risk assessment
• The 7-step risk assessment process; develop the risk profile; develop risk action plans.
Monitoring & reporting
• Scanning the horizon: monitor existing risks and emerging risks.
• Monitor and evaluate risk action plans; risk management reporting.
Continuous improvement

CRM IN THE CONTEXT OF ERM (ENTERPRISE RISK MANAGEMENT, ADAPTED)

Common mindset of ERM
Risk management is about managing uncertainty. Corruption risks?
"If you knew what you know in 2008, what would you have done differently in your business?"

Enterprise Risk Management
Risk management is prevention: the focus is on the effectiveness of INTERNAL CONTROLS.

Integrating risk and controls
Objectives, risk and control, shaped by internal factors, external factors and change.
"To take risks you have to understand, embrace, and manage them."

Definition of corruption risk
Corruption risk is the possibility (LIKELIHOOD) that corrupt practices can happen, and the effect (IMPACT) of corruption risk on the OBJECTIVES of an organization. (Adapted from the ERM definition of risk.)

Where is corruption risk in the context of enterprise risk management?
Enterprise risk management: enterprise-wide business risk
• Strategic: country, regulatory, tax, political, catastrophe, currency, policy, culture
• Operational: procurement, project management, quality, IT systems, HR / labour, safety & environment
• Compliance: regulatory, internal policies, laws
• Financial risk: market risk (price risk: interest rate, equity, commodity); credit risk (default risk); liquidity risk (funding risk, market liquidity, budget)
• Hazard risk: physical hazard (property, injury, fire); moral hazard (integrity: corruption, fraud, misconduct); legal hazard (lawsuits, litigation); behavioral hazard (carelessness, morale / payment)

How does it work?
ERM questions:
• Dependencies? • Operational? • Shortages? • Strength / weakness? • Opportunity / threats? • PEST? • Control effectiveness? • KPI? • KRI? • Investment? • Cash flows?
Strategic objectives:
• Strategy? • Main revenue drivers? • Main products? • Main market? • Key processes?
Corruption risk questions:
• What are the incentives? • What are the pressures? • Are revenues recorded systematically, or manually? • Abuse of power? • Conflict of interest? • Management override? • Type of assets vulnerable to misappropriation? • Where does the money go? • Risk tolerance?

CORRUPTION RISK MANAGEMENT: THE METHODOLOGY

ISO 37001:2016 Anti-Bribery Management System (ABMS)
Section 4.5 requires that an organization shall establish criteria for evaluating its level of bribery risk, which shall take into account the organization's policies and objectives. In conducting the bribery risk assessment, the organization shall:
a) identify the bribery risks the organization might reasonably anticipate, given the factors listed in 4.1 (Understanding the organisation and its context);
b) analyse, assess and prioritize the identified bribery risks; and
c) evaluate the suitability and effectiveness of the organization's existing controls to mitigate the assessed bribery risks.
CRM 2.0 © 2017 ALL RIGHTS RESERVED

ISO 37001:2016 ABMS
Section 4.5 also recommends that the bribery risk assessment shall be reviewed:
a) on a regular basis, so that changes and new information can be properly assessed, based on the timing and frequency defined by the organization; and
b) in the event of a significant change to the structure or activities of the organization.

ISO 37001:2016 ABMS, 4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the objectives of its anti-bribery management system. These issues will include the following factors:
• The size, structure and delegated decision-making authority of the organization;
• The locations and sectors in which the organization operates or anticipates operating;
• The nature, scale and complexity of the organization's activities and operations;
• The organization's business model;
• The entities over which the organization has control, and entities which exercise control over the organization;
• The organization's business associates;
• The nature and extent of interactions with public officials;
• Applicable statutory, regulatory, contractual and professional obligations and duties.

Corruption risk management: Overall approach (MS ISO 31000:2010)
Overview of the CRM process
Establish context: define objectives
• Vision, mission
• Strategic objectives
• Level of integrity
• Internal & external factors
RISK ASSESSMENT
Risk identification
• Step 1: Identify risks
• Step 2: Identify causes / corruption schemes, and consequences
Risk analysis
• Step 3: Determine gross risk rating (GROSS)
• Step 4: Identify and analyse controls
• Step 5: Evaluate control effectiveness
• Step 6: Determine residual risk rating (RESIDUAL)
Risk evaluation
• Step 7: Evaluate residual risk and risk treatment options
Risk treatment: management action plans
Alongside every stage: monitoring & reporting; communication & consultation

Establish Context

Establish Context
Basically, we ask:
• What does INTEGRITY mean for the organization?
• How does the organization DEMONSTRATE INTEGRITY?
• Where are the priority areas in CORRUPTION PREVENTION?

Establish Context: Level of Integrity
Sources of information:
• Internal sources: internal audit reports; integrity surveys; whistleblowing / complaint reports
• External sources: Auditor General's reports; MACC's complaint reports; MACC's investigation summary reports
Categories, descriptions and suggested guidance for action plans:
• Satisfactory: none or a minimal number of integrity issues. External stakeholders generally consider the organisation a trusted organisation. Internal stakeholders generally understand and are aware of the importance of integrity. Suggested guidance: safeguarding.
• Need improvement: a tolerable level of integrity issues. External stakeholders generally accept some minor issues of trust and agree that some improvement is needed. Internal stakeholders are committed to improvements. Suggested guidance: proactive actions.
• In crisis: major integrity issues exposed. External stakeholders raise major concerns about the trustworthiness of the management. Internal stakeholders are ignorant, complacent or against the implementation of corruption prevention measures. Suggested guidance: drastic and immediate actions.

Scanning the horizon: observe the changes in INTERNAL FACTORS
"If there are changes in the internal factors, how are these going to impact the level of integrity and bribery in the organisation?"
Internal factors: people, strategy, system, process, resources, governance.

Scanning the horizon: observe the changes in EXTERNAL FACTORS
"If there are changes in the external factors, how are these going to impact the level of integrity and bribery in the organisation?"
External factors: political, legal, economic, environmental, social, technology.

Establish the context (Cont'd)
C. Risk management context: ISO 37001 ABMS
The bribery risk assessment covers:
• Activities, projects, transactions
• Business associates
• Personnel in certain positions
Due diligence considerations: structure, nature, complexity; financing / payment arrangement; level of control; parties involved (public officials); competence; reputation; location; market talks; any ABMS in place?
Risks ranked as "more than low" (Medium, Significant and High) go through anti-bribery due diligence and anti-bribery decision-making:
1. Terminate
2. Discontinue
3. Suspend or withdraw
4. Postpone
5. Decline (for new ones)

Meeting strategic needs: a top-down approach to CRM 2.0
Vision / mission → strategic objectives → strategy → key processes linked to strategy → corruption risks that impact key processes.
By linking corruption risks to strategic goals, we are treating corruption risks with the same priority as the other significant risks of an organization.

Top-down approach to CRM (Cont'd): illustrative example
Strategic goals:
• Increase public usage by 20% p.a.
• Plan, design and implement, with local government, the development strategy of a high technology park
• Enhance efficiency by implementing ICT (technology)-based processes
• Product innovation: develop new designs (2 new designs per year) through research and development projects
• Create an efficient and dynamic working environment with integrity and good governance
Key processes linked to strategic goals:
• Project management (construction, procurement)
• ICT management
• R&D process
• Human resource management
• Financial management
Potential corruption risks (linked to key processes):
• Abuse of power in tendering: a loose contract to favour an interested sub-contractor
• Specification of ICT equipment intentionally catered to an interested party
• Leakage of R&D information to competitors
• Misuse of discretion and authorization for offices in foreign countries
• Management override for payment of incomplete work
• Collusion among site managers and checkers to certify a non-compliant structure
• Collusion with suppliers to supply low quality parts
• Bribery of government officials to register patents / trademarks
• Hiring of "own" people to smooth the tendering and awarding of contracts
• False claims
• Bribery of government officials for approval of unsafe building designs
• Use of middlemen
• Waiver of job rotation for key positions

GROUP ACTIVITY

Group activity: identify key processes (40 minutes)
a) Within your group, discuss and present the following:
• The strategic objectives of the entity; and
• The key processes / activities critical for the entity to achieve its strategic objectives.
Use Template 1: "Organisation Context: Strategic Objectives and Key Processes".
b) At the end of the discussion, present the results of your discussion to the class.

CORRUPTION RISK ASSESSMENT: THE PROCESS

Key components of the CRM process (in line with Section 4.5)
• Identification: corruption schemes; root cause analysis
• Measurement: impact; likelihood; risk rating
• Control: entity-level controls; preventative controls; scheme-specific controls; detective controls
• Monitor: reporting on current risks and new emerging risks; progress of risk action plans

RISK ASSESSMENT: "THE 7 STEPS"

The 7-step corruption risk assessment process (Source: SPRM CRM 2.0)
Define objectives, then:
1. Identify risk
2. (a) Scheme / causes: scheme / cause 1, 2, 3; (b) Determine consequences
3. Inherent risk rating: impact and likelihood, rated High / Significant / Moderate / Low
4. Identify controls: existing controls 1, 2, 3
5. Control effectiveness: Satisfactory / Some weaknesses / Weak; additional controls 1, 2, 3
6. Residual risk rating: impact and likelihood, rated High / Significant / Moderate / Low [Inherent risk – Control = Residual risk]
7. Risk treatment options: Terminate, Reduce, Accept, Pass on; leading to management action plans

TERMINOLOGY

Risk Matrix (5 x 5)
Rows: likelihood of occurrence (Almost certain, Likely, Moderate, Unlikely, Rare). Columns: magnitude of impact (Insignificant, Minor, Moderate, Major, Catastrophic). Each cell is rated Low, Moderate, Significant or High; reading each row from Insignificant to Catastrophic, the ratings run:
• Almost certain: Significant, High
• Likely: Moderate, Significant, High
• Moderate: Low, Moderate, Significant, High
• Unlikely: Low, Moderate, Significant, High
• Rare: Low, Moderate, Significant
Risk is measured in terms of likelihood of occurrence & consequence upon occurrence.

Risk rating: risk parameters
Risk measurement: impact & likelihood, set against risk tolerance / risk appetite.
Risk appetite is the amount of risk, on a broad level, that an organization is willing to accept in pursuit of value.
• Determine the amount of risk the enterprise is able to take.
• Risk tolerance is determined up-front with the board of directors or those in charge of governance.
• It gives enterprises a means to identify which risks are most critical and important for them to focus on, and to allocate resources.

Risk ratings
• HIGH: a risk with high impact and high likelihood of occurrence. Controls are not effective, or the causes come from external factors. Requires immediate risk action plans to reduce the exposure to the risk.
• SIGNIFICANT: a priority risk with high impact and high likelihood of occurrence. Requires risk action plans to reduce the exposure to the risk, if necessary.
• MODERATE and LOW: considered manageable risks, where the controls are working as intended or the inherent risk is already at a moderate level. No risk action plans are required, but continuous monitoring of the controls is important.

Effectiveness of existing controls (Section 4.5 (c))
Determine the effectiveness of existing controls in managing a particular corruption risk:
• Satisfactory: controls are strong and operating properly, providing a reasonable level of assurance that objectives are being achieved.
• Some weakness: some control weaknesses / inefficiencies have been identified. No serious risk exposure, but improvements are required to provide reasonable assurance that objectives will be achieved.
• Weak: controls do not meet an acceptable standard, as many weaknesses / inefficiencies exist. Controls do not provide reasonable assurance that objectives will be achieved.

Inherent risk rating
Inherent risk is assessed without consideration of the controls in place at the enterprise; these are the risks that come by virtue of having the business operations. Ask the question: "How likely is it that the corruption scheme would happen in an environment where controls are insufficient?"

Residual risk rating
Residual risk = Inherent risk – controls
After rating the effectiveness of the internal controls that reduce the risk of each corruption scheme, the next step is to determine the level of residual risk. Residual risk is ranked on the same basis as inherent risk.
• A High residual risk: controls are not effective.
• A Moderate or Low residual risk: controls are working as intended, or the inherent risk is already at a moderate level. This is considered a manageable risk.

Internal controls: Definition
"Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance." (Source: COSO Internal Control – Integrated Framework)

CORRUPTION RISK MANAGEMENT: THE RISK ASSESSMENT PROCESS

IDENTIFY RISK: Step 1 – Identify corruption risk; Step 2 (a) – Determine corruption schemes / causes

Step 1 – Identify corruption risk; Step 2a – Determine schemes / causes
Risk title: #1 False claims – abuse of power in approving progress payments
Process / risk category: Construction project management
Risk owner:
Description: a construction project, for example a new prison. Corrupt practices in progress payments: for example, 80% to 90% of the project's costs were paid to the contractor when it had completed less than 40% of the project, arising from abuse of power and taking advantage of weaknesses in the VO procedures.
Corruption schemes (Step 2a):
1) Collusion between the Project Manager and the Project Owner, through the appointment of a "professional" negotiator, to claim progress payments for incomplete work.
2) Project awarded through direct negotiation without adhering to the guidelines on contractor selection procedures. A favoured contractor with past poor performance was selected.
Root causes:
1) Lack of monitoring and enforcement of the contract terms. The contractor was not reprimanded for delay and incomplete work. Potentially, a conflict of interest was involved.
2) Taking the opportunity while the project owner was undergoing a shortage of the technical competency needed to properly inspect and verify the progress of the construction.
3) Taking advantage of loopholes in VO claims: there is a lack of clear guidelines as to the maximum amount of VO or the number of times allowable.
4) Corrupt practices were not reported, as there is a lack of trust in the whistleblowing channel.

Step 1 – Identify corruption risk; Step 2a – Determine schemes / causes
Examples of corruption risks: Procurement
Potential corruption risks:
• Soliciting a bribe from third parties with a promise of obtaining successful works
• Accepting a bribe to manipulate the pre-qualification process, e.g. approving a non-performing contractor or supplier
• Selecting third parties in which one has a personal interest
• Accepting a bribe in return for disclosing price-sensitive information to third parties
• Collusion between an insider and third parties to tailor the tender requirements to suit the third party for a successful tender
• Misuse of position to influence the tender committee

Step 1 – Identify corruption risk; Step 2a – Determine schemes / causes
Procurement corruption schemes: examples
• In a bidding round, the terms of reference (including technical specifications) are biased to favour one supplier or to exclude potential competitors
• Bribe solicitation for confidential information during the pre-bidding or bidding stage
• An intermediary offers the company a win in the bidding upon payment of a "loser's fee" during the pre-bidding or bidding stage
• A local government agency demands a fee for technical approval of equipment
• Approving false tender information in the selection of suppliers, with a personal interest in the supplier company
• Collusion in selecting maintenance / service vendors for a kick-back in continuing a maintenance contract
• Collusion in approving a low quality / off-spec supply for a kick-back

Step 1 – Identify corruption risk; Step 2a – Determine schemes / causes
"Corruption": corrupt practices which involve the offering, promising, giving, receiving or soliciting, directly or indirectly, of anything of value to improperly influence the actions of another party, by misusing the position in which they are placed. Corrupt practices are described as follows:
• Accepting / receiving a bribe
• Offering / giving a bribe
• Using office or position for a bribe

Step 1 – Identify corruption risk; Step 2a – Determine schemes / causes
Definition of corruption: "The misuse of entrusted power for private gain" – Transparency International

Step 1 – Identify corruption risk; Step 2a – Determine schemes / causes
Definition of corruption, Klitgaard's formula:
Corruption = (Monopoly + Discretion) – Accountability – Integrity – Transparency

Step 1 – Identify corruption risk; Step 2a – Determine schemes / causes
Donald Cressey's Fraud Triangle
• A perceived financial pressure, or incentives (e.g. pressure to meet client expectations, financial targets, sales targets);
• A perceived opportunity to commit an act of corruption with a low likelihood of detection (e.g. monitoring / controls that are perceived to be ineffective, or a very complex corporate structure);
• Rationalization or attitudes (e.g. a history of illegal practices at the enterprise, such as: competitors pay bribes; no one will find out; if I don't do this I'll lose the contract and my job; low staff morale).

Step 1 – Identify corruption risk; Step 2a – Determine schemes / causes
Causes of corruption:
1. Weak internal controls
2. Poor enforcement
3. Acceptance culture

IDENTIFY RISK: Step 2 (b) – Determine consequences of risk

Step 2b – Determine consequences
Risk title: #1 False claims – abuse of power in approving progress payments
Consequences / impact:
1. The project was delayed: for example, a prison project where a 3-year project was delayed for 7 years, abandoned, and needed re-work.
2. Financial loss: for the prison project, additional re-work costs of RM 55 mil, or 34% more (original cost RM 165 mil).
3. Poor quality of the project: not fulfilling the safety and security requirements of a prison.
4. The project objective, for example providing prison services, was delayed or not achieved in time.
Consequences:
• Have a direct relation to risk appetite
• Often link to key performance indicators
• Will link to impact measurement in steps 3 and 6

ANALYSE RISK: Step 3 – Inherent risk rating (measure risk: impact vs likelihood)

Step 3 – Inherent risk rating
Risk measurement (impact & likelihood), set against risk tolerance / risk appetite: likelihood measurement; impact measurement.

Step 3 – Inherent risk rating
Risk title: #1 False claims – abuse of power in approving progress payments
Inherent risk rating (5 x 5 matrix; scale Low / Moderate / Significant / High): Impact: Major; Likelihood: Likely; Rating: HIGH

Step 3 – Inherent risk rating: Risk Matrix (5 x 5)
Corruption risks are measured and ranked against a risk matrix (impact and likelihood), and compared against a set of pre-defined risk parameters which coincide with the RISK TOLERANCE of an organization, so that each risk (corruption risk A, B, C) falls into Low, Moderate, Significant or High. Example parameters:
• Financial loss • Safety • Quality • Reputation • Legal • Casualty rate • Combat readiness

Risk rating: Impact (1). Factors, with example risk measurements for each consequence level.
Image / reputation:
• Insignificant: not substantiated, low impact, no news item.
• Minor: substantiated, low impact, low news profile.
• Moderate: substantiated, public embarrassment, moderate local news profile. Escalating customer implications.
• Major: substantiated, public embarrassment, high news profile, third party action. Long term damage to public image.
• Catastrophic: substantiated, public embarrassment, highly widespread news profile, third party action / global media coverage.
Financial loss (additional costs / funding / wastages / revenue, relative to initial funds):
• Insignificant: < 5%
• Minor: between 6 and 15%
• Moderate: between 16 and 25%
• Major: between 25 and 40%
• Catastrophic: above 41%
Legal / compliance:
• Insignificant: minimal penalties. Notice of violation / warnings requiring administrative action. Attention quickly contained, short term recoverability.
• Minor: moderate fines. Routine governing body litigation subject to moderate fines and penalties; may be subject to regulatory proceedings and/or hearings.
• Moderate: substantial penalties. Routine litigation subject to substantial fines or penalties, subject to regulatory proceedings and/or hearings.
• Major: substantial penalties, which may include criminal charges. Potentially significant governing body scrutiny; investigations subject to substantial fines and penalties, which may include some criminal charges, subject to regulatory proceedings and/or hearings.
• Catastrophic: major scrutiny and investigation. Major scrutiny, investigations subject to substantial fines and penalties including criminal charges, and/or cease-and-desist orders, possible regulatory action.

Risk rating: Impact (2). Factors, with example risk measurements for each consequence level.
Stakeholders – customers:
• Insignificant: minimal customer complaints and recovery costs.
• Minor: minimal decline in customer relationships and some recovery costs.
• Moderate: loss or decline of customer relationships and moderate recovery costs.
• Major: strained key customer relationships, significant recovery costs and a threat to future growth.
• Catastrophic: loss of major customer relationships and a serious threat to future growth.
Stakeholders – employees:
• Insignificant: insignificant impact on the Department's ability to recruit and retain employees.
• Minor: some impact on the Department's ability to recruit and retain employees.
• Moderate: significant impact on the Department's ability to recruit and retain top performers.
• Major: major impact on the Department's ability to recruit and retain top performers.
• Catastrophic: sustained impact on the Department's ability to recruit top performers.
Risk consequences / management effort:
• Insignificant: negligible effects; impact can be readily absorbed through normal activity. Strategic view: normal impact associated with program planning & operations.
• Minor: normal administrative difficulty; an adverse event which can be absorbed with some management effort. Strategic view: delay in accomplishing program or project objectives.
• Moderate: a serious event which requires additional management effort. Strategic view: delay in fulfilling the mandate of the institution.
• Major: program or project redesign, re-approval and re-do required; fundamental rework before the objective can be met; a critical event which requires extraordinary management effort. Strategic view: strategic plan requires major revamp, approval and program re-work.
• Catastrophic: project or program irrevocably finished, objective will not be met; a disaster with potential to lead to "collapse". Strategic view: the mandate of the organisation, or the organisation itself, is finished.

Risk rating: Likelihood of occurrence
Each level is described qualitatively, quantitatively, by the status of actual cases of the scheme, and by the complexity of perpetrating it.
• Rare: low probability, occurs only in exceptional circumstances. Quantitative: approximately below 5% chance of occurring in the next 12 months. Status: the root cause of the incident has been remediated (reducing the chance of repeat occurrence). Complexity: very difficult to perpetrate even without controls in place.
• Unlikely: little probability, could occur at some time. Quantitative: approximately below 25% but above 5% chance of occurring in the next 12 months. Status: the root cause of the incident is in the process of being remediated. Complexity: difficult to perpetrate even without controls in place.
• Moderate: some probability, might occur half of the time. Quantitative: approximately below 50% but above 25% chance of occurring in the next 12 months. Status: the incident has been contained. Complexity: moderately complex to perpetrate without controls in place.
• Likely: will probably occur in most circumstances. Quantitative: approximately below 95% but above 50% chance of occurring in the next 12 months. Status: the incident is in the process of being contained. Complexity: easy to perpetrate without controls in place.
• Almost certain: high probability, is expected to occur in most circumstances. Quantitative: approximately above 95% chance of occurring in the next 12 months. Status: the incident has been reported and is currently under investigation. Complexity: very easy to perpetrate without controls in place.

EVALUATE EFFECTIVENESS OF EXISTING CONTROLS: Step 4 – Control effectiveness evaluation

Step 4 – Identify controls; Step 5 – Evaluate effectiveness of controls
Risk title: #1 False claims – abuse of power in approving progress payments
Step 4: Existing controls:
• Treasury guidelines on procurement: tender selection and awarding (3)
• Whistleblowing channel for reporting malpractices (4)
• Guidelines on direct negotiations issued by MOF (1)
• Integrity pact signed by the contractor, but lacking monitoring and enforcement (1, 3, 4)
Step 5: Determine the effectiveness of the existing controls in managing this risk: [ ] Satisfactory [√] Some weakness [ ] Weak
Step 4: Additional controls:
• To consider legal actions to enforce the terms of the integrity pact (recovering costs and termination of contract) (1, 2, 3)
• To enhance the trustworthiness of the whistleblowing channel (4)
• To set up a project technical team before the project is allowed to start (2)

Step 5 – Evaluate effectiveness of controls
Determine the effectiveness of existing controls in managing a particular corruption risk:
• Satisfactory: controls are strong and operating properly, providing a reasonable level of assurance that objectives are being achieved.
• Some weakness: some control weaknesses / inefficiencies have been identified. No serious risk exposure, but improvements are required to provide reasonable assurance that objectives will be achieved.
• Weak: controls do not meet an acceptable standard, as many weaknesses / inefficiencies exist. Controls do not provide reasonable assurance that objectives will be achieved.

Step 6 – Residual risk rating
Risk title: #1 False claims - abuse of power in approving progress payments
Inherent Risk Rating: Impact = Major; Likelihood = Likely; Rating = HIGH
Control effectiveness: Some Weakness (5 x 5 Matrix)
6 Residual Risk Rating: Impact = Major; Likelihood = Unlikely; Rating = Significant
TCC© 2018 ALL RIGHTS RESERVED 65

Step 6 – Residual risk rating
When ranking the residual risk rating, ask whether the existing controls are able to reduce: a) the likelihood; or b) the impact; or c) both.
TCC© 2018 ALL RIGHTS RESERVED 66

Step 6 - Residual risk rating: Risk Matrix
Rows (Likelihood of Occurrence, top to bottom): Almost certain, Likely, Moderate, Unlikely, Rare
Columns (Magnitude of Impact, left to right): Insignificant, Minor, Moderate, Major, Catastrophic
Cell ratings (Low, Moderate, Significant, High), in the order they appear on the slide; the full row-by-row layout did not survive: Significant, Significant, High, Moderate, Significant, High, Moderate, Low, Moderate, Significant, High; Unlikely row: Low, Moderate, Significant, High; Rare row: Low, Moderate, Significant
Uncertainty A, Uncertainty B, Uncertainty C
TCC© 2018 ALL RIGHTS RESERVED 67

RISK TREATMENT DECISIONS & ACTION PLANS Step 7 – Risk Treatment Options TCC© 2018 ALL RIGHTS RESERVED 68

Step 7 – Risk treatment options
Risk profile and risk treatment options (against the risk appetite):
• HIGH / SIGNIFICANT: Terminate; Reduce
• Moderate: Accept
• Low: Pass on
Supporting elements: Communication & Monitoring; Corruption Risk Action Plan; Cost/Benefit Analysis
TCC© 2018 ALL RIGHTS RESERVED 69

Risk action plan template
RISK: False claims - abuse of power in approving progress payments | RISK ID: 001
Risk analysis: [ ] Controllable [ ] Uncontrollable [ ] Combination; [ ] On-going [ ] Discrete
Interconnect to other risks? Project delay
Risk Treatment Strategy: [ ] Terminate [ ] Reduce Risk [ ] Accept
Risk Category: Operational | Risk Owner:
Assessment date: 20 June 2016 | Next assessment date: 30 November 2016
Residual Impact: Major | Residual Likelihood: Unlikely | Risk Rating: SIGNIFICANT
Target Impact: MODERATE | Target Likelihood: UNLIKELY | Target Risk Rating: MODERATE
High level action plan to be considered | Responsibility | Target date for detailed plan
1. To consider legal action to enforce the terms of the integrity pact (recovering costs and termination of contract)
2. To enhance the trustworthiness of the whistleblowing channel (4)
3. To set up a project technical team before the project is allowed to start (2)
4.
5.
TCC© 2018 ALL RIGHTS RESERVED 70
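Steps 3 to 7 above, carried through for risk #1 in code, as an added Python example (not the deck's, GIACC's or TCC's own tool). The likelihood bands follow the likelihood table; the 5 x 5 matrix cells, the treatment-option mapping and the rule that weak controls earn no residual reduction are assumptions constructed to agree with the cells the slides do show (Major x Likely = High, Major x Unlikely = Significant, Moderate x Unlikely = Moderate). The second risk in the register is constructed for illustration.

```python
from dataclasses import dataclass

# Scales, low to high, as on the slides.
LIKELIHOOD = ["Rare", "Unlikely", "Moderate", "Likely", "Almost certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
CONTROL_EFFECTIVENESS = ("Satisfactory", "Some weakness", "Weak")

# ASSUMPTION: constructed matrix, one row per likelihood, columns follow IMPACT.
MATRIX = {
    "Almost certain": ["Moderate", "Significant", "High", "High", "High"],
    "Likely":         ["Moderate", "Significant", "Significant", "High", "High"],
    "Moderate":       ["Low", "Moderate", "Significant", "Significant", "High"],
    "Unlikely":       ["Low", "Low", "Moderate", "Significant", "High"],
    "Rare":           ["Low", "Low", "Low", "Moderate", "Significant"],
}

# ASSUMPTION: Step 7 options per residual rating, read off the treatment slide.
TREATMENT_OPTIONS = {
    "High": ("Terminate", "Reduce"),
    "Significant": ("Terminate", "Reduce"),
    "Moderate": ("Accept",),
    "Low": ("Pass on",),
}


def likelihood_from_probability(p: float) -> str:
    """Map a 12-month probability estimate onto the likelihood table's bands."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    if p < 0.05:
        return "Rare"
    if p < 0.25:
        return "Unlikely"
    if p < 0.50:
        return "Moderate"
    if p < 0.95:
        return "Likely"
    return "Almost certain"


def rate(likelihood: str, impact: str) -> str:
    """Look up the matrix cell for a likelihood/impact pair (Step 3 and Step 6)."""
    return MATRIX[likelihood][IMPACT.index(impact)]


def step_down(scale: list, value: str, steps: int) -> str:
    """Move `steps` bands towards the low end of a scale, never below it."""
    if steps < 0:
        raise ValueError("reductions cannot be negative")
    return scale[max(scale.index(value) - steps, 0)]


@dataclass
class Risk:
    title: str
    likelihood: str
    impact: str
    control_effectiveness: str
    # Step 6 judgement: how many bands the existing controls take off the
    # likelihood and/or the impact (the question the slide tells you to ask).
    likelihood_reduction: int = 0
    impact_reduction: int = 0

    def inherent_rating(self) -> str:
        return rate(self.likelihood, self.impact)

    def residual(self) -> tuple:
        """Return (likelihood, impact, rating) after crediting the controls."""
        if self.control_effectiveness not in CONTROL_EFFECTIVENESS:
            raise ValueError(f"unknown effectiveness {self.control_effectiveness!r}")
        # ASSUMPTION (example rule): weak controls give no reasonable assurance,
        # so they earn no reduction and the residual equals the inherent rating.
        if self.control_effectiveness == "Weak":
            return self.likelihood, self.impact, self.inherent_rating()
        lk = step_down(LIKELIHOOD, self.likelihood, self.likelihood_reduction)
        im = step_down(IMPACT, self.impact, self.impact_reduction)
        return lk, im, rate(lk, im)

    def treatment_options(self) -> tuple:
        return TREATMENT_OPTIONS[self.residual()[2]]


def risk_register(risks) -> list:
    """Rows of the risk register the group activity asks for (Step 7 deliverable)."""
    rows = []
    for r in risks:
        lk, im, rating = r.residual()
        rows.append({"title": r.title, "inherent": r.inherent_rating(),
                     "controls": r.control_effectiveness, "residual_likelihood": lk,
                     "residual_impact": im, "residual": rating,
                     "options": r.treatment_options()})
    return rows


# Risk #1 is the slides' worked example; RISK_2 is constructed (weak-control case).
RISK_1 = Risk(title="False claims - abuse of power in approving progress payments",
              likelihood="Likely", impact="Major", control_effectiveness="Some weakness",
              likelihood_reduction=2)  # Likely -> Unlikely, as the slide's residual shows
RISK_2 = Risk(title="Leakage of tender evaluation scores to a bidder",
              likelihood=likelihood_from_probability(0.30), impact="Moderate",
              control_effectiveness="Weak", likelihood_reduction=1)

if __name__ == "__main__":
    for row in risk_register([RISK_1, RISK_2]):
        print(row)
```

The reduction credited to controls is an input, not something derived from the effectiveness label, because the slide frames Step 6 as an assessor's judgement (do the controls reduce likelihood, impact, or both). The only automatic rule is the constructed one for weak controls, which prevents a register from showing a residual below inherent when the control evaluation says the controls give no assurance.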

RISK DOCUMENTATION THE DELIVERABLES TCC© 2018 ALL RIGHTS RESERVED 71

GROUP ACTIVITY TCC© 2018 ALL RIGHTS RESERVED 72

Group activity: Identify and analyse corruption risks
Based on group exercise 1, on the same template, identify potential corruption risks in the key processes and analyse each risk: root causes/schemes, controls, risk ratings and action plans. In your group, discuss and present the following:
a) Risk Map
b) Summary of risks
c) Summary of action plans
d) Risk register
TCC© 2018 ALL RIGHTS RESERVED 73

QUESTIONS & ANSWERS TCC© 2018 ALL RIGHTS RESERVED 74

THANK YOU! Teh Chau Chin Email: tehchauchin@gmail.com Contact: +60126513777 TCC© 2018 ALL RIGHTS RESERVED 75

APPENDIX TCC© 2018 ALL RIGHTS RESERVED 76

Examples of anti-corruption controls
Entity-level anti-corruption controls
• A formal anti-corruption compliance programme;
• An Anti-Corruption or Compliance Committee mandated to review or receive updates on all high-risk transactions;
• Written standards (i.e., the code of conduct and anti-corruption and other related policies);
• Anti-corruption training and communication for employees;
• Tone from the top and the middle;
• Employee background checks;
• Whistleblower system;
• Gift, entertainment, and hospitality request approval and tracking;
• Conflict of interest certification/disclosure process.
(Source: "A Guide for Anti-Corruption Risk Assessment" by UN Global Compact Office)
TCC© 2018 ALL RIGHTS RESERVED 77

Examples of anti-corruption controls (Cont'd)
Entity-level anti-corruption controls
• Third-party contract provision on compliance;
• A competitive bidding/selection process including RFP dissemination to prospective vendors and proposal review;
• Risk tier classification system for third parties;
• Third party due diligence (in line with the designated risk tier);
• Multiple levels of vendor contract approval or internal sign-off (e.g., requiring approval from procurement, the legal and compliance functions, and local management);
• Accounting controls on vendor invoice review, approval, and payment;
• An employee culture of ethics and knowledge assessment;
• Mandatory rotation of key management level personnel in high risk locations.
(Source: "A Guide for Anti-Corruption Risk Assessment" by UN Global Compact Office)
TCC© 2018 ALL RIGHTS RESERVED 78

Examples of anti-corruption controls
Preventive controls
• Written standards (code, anti-corruption policies);
• Anti-corruption training and communication, including a resource library;
• Tone from the top and the middle: visible senior and mid-level management setting the expectations;
• A risk classification system for third parties, corporate locations, and business activities (i.e., a tiered system whereby higher risk parties are subjected to more robust due diligence and oversight than lower risk parties);
• A formal anti-corruption programme in place with defined structure, ownership, reporting lines, planned activities, and periodic measurement of effectiveness;
• Due care and due diligence, including personnel background checks, third party initial due diligence, policy certification/acknowledgement;
• Gift, hospitality, and entertainment advance approval;
• Segregation of duties;
• Contract provisions on compliance with the law in general and anti-bribery specifically;
• Incentives for proper conduct, ethics awards, and (to some extent) performance evaluations with specific ethics and compliance provisions.
(Source: "A Guide for Anti-Corruption Risk Assessment" by UN Global Compact Office)
TCC© 2018 ALL RIGHTS RESERVED 79

Examples of anti-corruption controls
Detective controls
• Gift, hospitality, and entertainment tracking (after the fact);
• Expense report audit;
• Periodic third party monitoring (e.g., performance assessment, recertification);
• Whistleblower system, investigation process and case management;
• Exit interviews;
• Corporate audit, transaction audit, third party audit;
• Employee culture of ethics and compliance assessment, particularly if it includes questions about pressure to commit misconduct, actual policy violations, etc.;
• Customer, vendor, or third party survey or interview.
(Source: "A Guide for Anti-Corruption Risk Assessment" by UN Global Compact Office)
TCC© 2018 ALL RIGHTS RESERVED 80

Examples of anti-corruption controls
ISO 37001 ABMS - Financial controls:
• Segregation of duties
• Limit of authority (LOA) – payment approval
• Verification check over the payee's appointment and work/services by an authorized person
• At least 2 signatories on payment approval
• Supporting documents for payment approval
• Accurate and clear payment categorizations and descriptions in the accounts
• Periodic management review of significant financial transactions
• Periodic and independent financial audits
TCC© 2018 ALL RIGHTS RESERVED 81

Examples of anti-corruption controls
ISO 37001 ABMS – Operational controls:
• Using approved contractors/sub-contractors/suppliers/consultants (or third parties) with a prequalification process
• Assess the bribery risk exposure of these third parties
• Conduct anti-corruption due diligence
• Enforce anti-corruption contract terms
• Transparent and fair selection and awarding procedures
• 2 persons to evaluate tenders and approve the award of contracts
• Segregation of duties
• Limit of authority
• Management oversight
• Prevent leakage of information
TCC© 2018 ALL RIGHTS RESERVED 82

Definition of "RISK"
"The effect of uncertainty on objectives."
• A risk is often specified in terms of an event or circumstance and the consequences that may flow from it.
• It is expressed in terms of consequences and likelihood.
ISO 31000:2009 - Risk Management Principles and Guidelines
TCC© 2018 ALL RIGHTS RESERVED 83