Corruption risk management as a response to corruption awareness

U4 celebrates 20 years in anti-corruption! This milestone reminds us that managing corruption risks was already a priority for certain (astute) donors two decades ago. And this begs two questions that I will answer below: ‘how has corruption risk management (CRM) evolved in the aid sector over those 20 years; and what can we learn about its limitations, the opportunities it presents, and future trends?’

It might come as a surprise that many aid agencies only began to prioritise CRM in the 1990s. So why then? It was primarily due to the substantial shifts in aid delivery that occurred after the end of the Cold War. While donors had traditionally managed and directly delivered aid for decades, aid modalities evolved towards bigger volumes of aid, greater provision of ‘budget support’ to partner governments, and increased engagement with civil society organisations (CSOs) and multilateral organisations. This shift introduced new risks for aid donors as large funds were more exposed to government systems.

For U4, the growing challenges in risk management heightened the demand for guidance. Donors were keen that their aid should not be caught in corruption, or become a source of corruption. As far back as 20 years ago, donors approached U4 for advice on crafting anti-corruption plans for embassies (2007), checking fraud in aid projects (2007), or mainstreaming anti-corruption into their organisations (2010).

Corruption risks shift from donors to CSOs and multilateral organisations

In practice, this emphasis on CRM also carried political-economic ramifications. Under budget support arrangements, donors collaborated with recipient countries to implement public financial management reforms aimed at mitigating risks and achieving desired outcomes. However, donors soon recognised that conditionalities might prove ineffective in countries with high levels of corruption, and budget support could inadvertently exacerbate ‘elite capture’ and fuel corruption. U4, for example, provided insights into the political economy surrounding public procurement reforms (2009). As a consequence, the utilisation of budget support declined.

Subsequently, donors became inclined to mitigate fiduciary risk by entrusting aid delivery to ‘trustworthy’ (largely Western) CSOs and multilateral institutions. U4 publications demonstrate the eagerness to introduce fresh CRM requirements in collaborations with partners, such as codes of conduct for NGOs (2009) or anti-corruption clauses in cooperation agreements (2010). Nevertheless, the public exposure of certain shortcomings within the NGO and multilateral aid systems, as witnessed in the aftermath of the Haiti earthquake in 2010, underscored the challenge of reconciling performance outcomes with adherence to compliance standards. The transfer of responsibility from donors to third parties continued anyway. But new CRM practices emerged.

A new dynamic leads to the standardisation of CRM

As corruption awareness increased, new legal obligations for public and private organisations led to new CRM standards and practices within the aid sector. For instance, the UK Bribery Act (2010) required the UK Department for International Development to establish a functional CRM system. Consequently, demand for U4’s sector-specific and country-specific corruption assessments rose, and these have been used in formulating risk registers and mitigation strategies.

To attract funds, NGOs and multilaterals faced increased pressure to comply with donors’ tightening integrity management and financial procedures. Even small local CSOs became aware of donors’ financial reporting requirements or due diligence conditions.

However, the emergence of new CRM standards has also prompted criticism. For instance, U4 cautioned that due diligence requirements might exhibit bias, particularly affecting and indeed excluding aid organisations originating from countries with high levels of corruption (2022).

Moreover, some international development organisations that were regarded as highly compliant, in fact faced serious corruption allegations. USAID, for example, was accused by the US Special Inspector General for Afghanistan Reconstruction of using ‘flawed oversight and contracting practices, and partnering with malign powerbrokers’.

However, the growth of digitisation appeared to many to offer ways to reconcile greater compliance with improved outcomes.

CRM in the digital age

Standardised and cost-effective digital tools seem to be gaining traction in mainstream CRM for numerous aid organisations. U4 has been actively involved in supporting this, for instance advising on digital whistleblowing channels (2020) or providing free online anti-corruption training (2022).

These digital tools are helping organisations to more readily pinpoint and address corruption risks. For example, U4 has documented the rise of civil society monitoring systems (2022), which facilitate the detection of corrupt practices and enhance social accountability.

In addition, there is a rise in the availability of commercial third-party risk management platforms like OneTrust, Smart Global Governance, and Aravo. These platforms aim to streamline GRC (governance, risk, and compliance) by ‘deconstructing’ anti-corruption laws and standards (eg, ISO 37001), allowing them to prescribe specific requirements and controls. Organisations using these platforms can more easily adhere to these parameters and maintain compliance.

Patterns of suspicious activity can now be detected by collecting evidence through automated checks on IT systems and workstations (eg, using keywords), during due diligence processes, or for bid oversight. Monitoring is simplified through the implementation of alerts or action triggers founded on risk scores and variations, as seen in the e-procurement management system for Ukraine recovery.

While these ‘tech’ solutions look smart, I see some inherent limitations in such compliance-driven methodologies.

The standardisation of CRM is not a guarantee of quality

First of all, formal compliance approaches may reduce personal engagement and discourage officers from actively seeking mutual regulation and self-regulation. Essentially, I see a contradiction between a surveillance-oriented society and the drive to uphold ethical principles. People need trust to engage in reporting corruption, for instance to report gendered forms of corruption. Impersonal tools and a strong emphasis on control instead of support can disincentivise reporting wrongdoings. As donors depend heavily on reporting to uncover wrongdoings, this situation could pose a challenge.

Second, malpractices – as well as human and institutional biases – will continue to exist with the use of technology. It’s important to acknowledge that corruption scandals have arisen even within organisations equipped with well-established compliance systems. The recent UNOPS corruption case serves as an example where leadership failed to respond to red flags. So again, effective CRM demands a comprehensive strategy that extends beyond mere technological implementation.

The way forward for effective CRM solutions

I believe that capacity building with aid partners along delivery chains remains of utmost importance in enhancing the quality of CRM. Cultivating sustainable partnerships and supporting local aid organisations in their risk management can reduce corruption risks by addressing corruption drivers, power imbalances, and bolstering oversight.

Success in corruption risk management also relies on adapting to the local context and engaging key stakeholders. This involves empowering managers, fostering social accountability towards beneficiaries, advocating for gender equality and inclusion, and conducting field visits, but it also means developing an understanding of the political economy. For example, in some contexts corruption may be best considered as systemic, so simply listing individual acts of corruption may miss the ways in which corrupt acts are intimately connected and organised.

Finally, I perceive that CRM is evolving into integrity management, entailing a more comprehensive integration of CRM within aid organisations, including functions like HR, communications, IT, and more. As development practitioners are deeply motivated by the impact of their work, successful integrity management will combine compliance perspectives with values-based approaches.

By considering these principles, I am convinced that CRM can harness the full potential of technology to embrace the complexity of corruption. Our most recent U4 strategy follows this trajectory, and we remain committed to supporting our partners and colleagues on the journey!