Updated: Aug 22, 2021
Where would you start? If you are ever asked to assess whether your organisation has adequate corruption and procurement fraud risk mitigation in place, then, after taking a deep breath, your initial focus should be on planning a risk assessment of your organisation's procurement lifecycle and compliance capability.
Quality means doing it right when no one is looking
There is no one-size-fits-all approach to evaluating the external and insider threats that an organisation can face from corruption and procurement fraud, or the mitigation procedures that should be put in place to counter these risks. Such an assessment shouldn't be a tick-box exercise of common risks or controls; the organisation's anti-corruption framework should be designed in response to its corruption risk assessment.
There are many areas to consider in a risk management approach, from vendor onboarding, manipulation of procurement route, pre and post award stages, and contract management to the end of life and disposal of assets, to name but a few. A walk-through of your processes and compliance programmes with the relevant organisational expertise, including finance, procurement, projects, and quality assurance, will further identify risks from different perspectives.
When evaluating risk mitigation requirements, an assessment should first be conducted to determine which are the key risk areas. This will ensure that your organisation can properly task and coordinate its finite resources.
Part of the problem in assessing risk is the availability of, or access to, information, including limited identification of data sources that are of value to the assessment. This can in itself be a significant risk where assessments are being made with only half of the available data. Many organisations have departments that protect their own data and don't share it with other departments, including compliance, which can create a situation where the scale of a problem is underestimated or unknown.
One case example is an investigation surrounding an insider threat, the improper award of single source consultancy contracts, and procurement risk management. The investigation concluded that an individual within the project team who received the initial consultancy requirement had set up his own recruitment company to facilitate the award of consultancy services to that company.
What became clear six months later was that an audit of the organisation's single source procurement had been conducted without the knowledge of the investigation team. The conclusions of the audit raised significant concerns surrounding the gaps in the justification and authorisation process, including the control failures in a significant number of single source contracts.
If this information had been shared with the investigation team at the time, they might have better understood the scale of the risk and had the opportunity to assess whether other cases or individuals were involved.
RISK MITIGATION FRAMEWORK
To determine whether your organisation has the ability to assess and mitigate its own risk, a number of initial questions should be answered:
Do you have a communication strategy to build organisation culture and respond to corruption and procurement fraud risk?
Do you have a corruption risk and fraud response plan?
Do you have documented investigation procedures?
Have you conducted a project assessment for corruption and procurement fraud risk?
Have you assessed your organisation's capability against BS10501 British Standard, Guide to Implementing Procurement Fraud Controls, and ISO37001: Anti-Bribery Management Systems?
Do you have a structured training program that outlines current corruption and procurement fraud risk, impact and risk mitigation?
Can your organisation centrally collect and analyse its own data for corruption and procurement fraud risk?
Have you conducted an assessment of your procurement lifecycle for corruption and procurement fraud risk?
Do you have asset tracking as part of your organisation's asset management procedures?
Do you have asset disposal procedures for goods and materials that are obsolete, scrap, damaged or write-offs?
WHAT WILL YOUR APPROACH BE
The answers to these initial questions will give you an insight into whether your organisation has the ability to assess its risk and if it can adequately respond to it. If you are unable to answer these questions fully, then you may want to ask yourself what is the potential impact to the organisation of not having these procedures and mitigation in place.