1. 19 March 2008Corruption Risk Mapping1 Corruption risk mapping Towards an Integrity risk map for the Hungarian public sector

2. 19 March 2008Corruption Risk Mapping2 Introduction (1) Corruption  Corruption <> Integrity (2) Risk  Vulnerability <> Risk (3) Mapping  Entity assessment <> Risk map public sector

3. 19 March 2008Corruption Risk Mapping3 ‘Lifecycle’ of anti-corruption policies 1. Ignoring / denying the problem 2. Awareness / ‘wake-up call’ – (external forces / incidents) 3. Hard-line approach – (criminal) law and regulations – repression: investigation / punishment 4. Recognition of limitations of repression only 5. Focus on prevention / integrity approach – ‘hard controls’ (internal controls, security,...) – ‘soft controls’ (culture, management attitude,...) 6. Balanced approach: prevention / repression

4. 19 March 2008Corruption Risk Mapping4 What is corruption? ‘Narrow’ definition – penal law ‘Broad’ definition  Integrity / ethical conduct Scope is important because the focus should be on: Prevention rather than repression Responsibility of management rather than judiciary Good governance rather than punishing

5. 19 March 2008Corruption Risk Mapping5 Integrity in the public sector Essential condition for trust Integrity is a positive goal Breaches of integrity have a wider scope than corruption, for example: –Conflicts of interests –Disclosure of confidential information –Discrimination / intimidation Integrity relates to ethics and culture and has two sides: - Employee: proper / ethical conduct... - Employer: proper / ethical conduct + eliminating temptations for employees… Focus: promoting integrity in public sector

6. 19 March 2008Corruption Risk Mapping6 Two approaches of Integrity Negative approach of IntegrityPositive approach of Integrity Rule based: Imposed Norms (law and regulations) Principle based: shared norms and values (decency) Hard controlsSoft controls Opinion: people are generally badOpinion: people are generally good Focus on tackling integrity violationsFocus on facilitating good behavior Legalistic approachManagerial approach Repression / ReactivePrevention / Pro-active

7. 19 March 2008Corruption Risk Mapping7 Summary of integrity concept Integrity has a wide scope, beyond fraud and corruption Integrity is responsibility of management (‘ownership’) Integrity approach is partly rule-based and partly principle-based Balanced approach of preventative and repressive measures is best practice

8. 19 March 2008Corruption Risk Mapping8 (2) Risk Assessment essential for targeted and well-balanced approach Vulnerability –Vulnerable areas –Vulnerability increasing circumstances Resilience –Maturity level of integrity controls (general, hard and soft controls) Risks Mitigation of risks by specific controls Remaining ‘unbalance’ = remaining risk

9. 19 March 2008Corruption Risk Mapping9 Vulnerabilities Resilience is determined by the maturity level of integrity controls Balance may be achieved by reducing vulnerability or enhancing controls Vulnerabilities Resilience Remaining Vulnerability

10. 19 March 2008Corruption Risk Mapping10 Objective: Well-balanced approach Assessing vulnerabilities is also important to avoid excessive implementation of integrity controls Vulnerabilities Resilience

11. 19 March 2008Corruption Risk Mapping11 (specific) Risks Mitigation of risks is possible by introducing specific controls Remaining unbalance = Remaining risks Vulnerabilities Resilience Risks Mitigation Remainin g risks

12. 19 March 2008Corruption Risk Mapping12 Basic characteristics assessment method Self-assessment Targeted at prevention Building on staff’’s knowledge/experience Raising integrity awareness Integrity vulnerabilities Maturity of integrity control system Concrete action plan

13. 19 March 2008Corruption Risk Mapping13 Assessment methodology Object definition - organisation - processes Assessment vulnerabilities Assessment Maturity level Integrity Control System Gap analysis Recommendations for strengthening controls

14. 19 March 2008Corruption Risk Mapping14 High vulnerability areas Areas dealing with the public or with the private sector CollectingAssessments, taxes, import duties, excise duties, fees, charges ContractingTenders, orders, assignments, awards PaymentSubsidies, benefits, allowances, grants, sponsoring Granting/ issuancePermits, passports, driving licenses, identity cards, authorisations, inspections Public servicesHealth care, education, garbage collection, water supply etc. RegulatingDesign and implementation of new regulations Supervising/ enforcement Supervision, control, inspection, prosecution, detection, justice, punishment Areas dealing with government property InformationNational security, confidential information, documents, dossiers, copyright Money treasury, financial instruments, portfolio management, cash/bank via budgets, premiums, expenses, bonuses, allowances, etc. GoodsBuying/selling (auction), management and consumption Real estateBuying/selling (buildings / land)

15. 19 March 2008Corruption Risk Mapping15 Vulnerability Enhancement Profile Factors Complexity Change/dynamics Management Personnel Problem history

16. 19 March 2008Corruption Risk Mapping16 Assessment of integrity controls

17. 19 March 2008Corruption Risk Mapping17 (3) Mapping Public sector consists of a high number of entities (organisations) with specific characteristics, vulnerabilities, risks and maturity level of controls An overview or ‘map’ of this integrity profile of the public sector is important for a targeted approach Necessary steps: –Description / overview of public sector entities –Assessment on entity (organisation) level –Composition of a map of the public sector

18. 19 March 2008Corruption Risk Mapping18 Lay-out integrity risk map

19. 19 March 2008Corruption Risk Mapping19 Outlook / planning March 2008: First survey results for ministries December 2008: Preliminary map of vulnerability profiles, based on sample of entities from all sectors of the government As of 2009: further implementation by (self)- assessment of maturity levels of integrity controls and gap analysis (identification of remaining risks) Focus on implementation and improvement of basic integrity controls (quick results with not too much detail)