Chapter 1 described and analysed the main challenges Brazil is facing in ensuring an effective implementation of the current integrity risk management framework and in particular in promoting a risk management culture throughout the federal executive branch. At the same time, integrity risk management becomes even more relevant in times of crisis, by ensuring not only effective but also efficient integrity policies and thus value for money.

As such, Brazil could consider strengthening the current methodology and approach by working along three main avenues that complement and build on one another:

The risk-based approach is fundamental to the OECD Recommendation on Public Integrity. The idea can be found throughout the Recommendation, which emphasises that risks analysis should guide the measures taken to mitigate these integrity risks, so they are proportionate, efficient and effective. However, it is easy to forget that the achievement of this goal rests, amongst others, upon three fundamental key steps: the accurate identification, assessment and mitigation of risks that could affect the achievement of the mandate and objectives of a public entity (Figure 2.1). In addition, integrity risk management should be clearly communicated, monitored and evaluated to ensure an effective implementation and learning over time. Each of these steps needs to be effective to reach the overall goal of integrity risk management and it is key to identify and understand potential challenges and problems.

While the CGU guide described in Chapter 1 provides orientation on all the three steps and emphasises the need to promote integrity risk management cultures in public entities, it only provides limited guidance on how this could concretely be achieved. Of course, there are a wide variety of aspects related, for example, to normative frameworks or available capacities that are fundamental to set a strong foundation for effective integrity risk management. These will be analysed in more detail in the forthcoming OECD Integrity Review of Brazil (OECD, forthcoming[5]). This section looks into some behavioural barriers and biases that can undermine integrity risk management in each of the three steps outlined in Figure 2.1, where human judgement and experience continues and will continue to provide relevant information. Indeed, the CGU guide currently lacks an analysis of such behavioural dimensions.

Applying behavioural insights can help in uncovering these cognitive biases and systematic errors in judgement to inform strategies to support public managers (risk owners) to improve the understanding, identification and assessment of risks. In turn, this can lead to more targeted integrity measures and an internal control system that is more resilient to fraud and corruption and, in the end, contributes to establishing an integrity risk management culture in public entities.

Indeed, human beings are subject to several biases that make it difficult for them to identify and assess the likelihood of occurrence and potential impact of a given risk event. Despite the use of methodologies that mimic objective assessments, the identification and the assessment of risks will always have a subjective component (Slovic, 1999[12]). The following aspects can affect the judgement of the public officials participating in integrity risk assessments, particularly in qualitative risk assessments such as those promoted in the CGU’s guidance:

• The concept of “risk”, and risk tolerance, is often misunderstood or difficult to define and communicate, particularly in the context of integrity risk management where a zero-tolerance is promoted in political rhetoric. In addition, unconscious rationalisation of unethical practices or the sensitivity that goes along with integrity violations may undermine the identification of relevant risk events. On the one hand, the task of identifying integrity risks may trigger discomfort or even fear. Public officials may perceive that identifying risks in processes under their responsibility corresponds de facto to an evaluation of their own integrity or the integrity of their teams. They confuse the risk of integrity violations with their actual occurrence. On the other hand, while public officials often do not understand the value added in identifying and managing risks, they may very well perceive potential costs for them. Public officials may then be unwilling to identify integrity risks, as they may perceive such an exercise as indicating weaknesses in their units and processes with potential consequences. For instance, officials may be reluctant to draw the attention of investigation or audit units, potentially creating additional work and stress.

• To identify more specific integrity risks, a detailed knowledge of the sector, the organisation and the processes is needed. As such, it can be useful to engage managers and frontline employees. They are directly responsible for operations or service delivery across the organisation and can improve risk identification by providing different perspectives and to validate the results of the risk mapping (OECD, 2020[1]). Following this logic, the CGU guide recommends the use of risk workshops, which are similar to brainstorming sessions, to identify risks and take into account different perspectives and experiences by involving public employees (CGU, 2018[8]). However, several behavioural insights show that brainstorming sessions are subject to social dynamics that may compromise the identification of risks. For instance, instead of correcting errors made by individuals of a group, a group can amplify these errors. Groups could just follow the ideas of those who spoke first, they could polarise around extreme ideas or focus on what everybody already knows instead of taking into account critical information of individuals that may not want to speak up (Sunstein and Hastie, 2014[13]).

• Finally, the assessment of identified risks can be biased as well. Several studies find that humans are quite bad in thinking statistically and as such may face problems in assessing correctly the likelihood of risks (Kahneman and Tversky, 1982[14]; Kahneman and Tversky, 1972[15]). To deal with uncertainty and assess probabilities, humans tend to use heuristics (Tversky and Kahneman, 2007[16]). While these heuristics are cost-efficient, they often lead to biased judgments. For instance, humans tend to confuse plausibility with probability. However, a risk that seems plausible or has the most coherent narrative is not necessarily the most likely to occur. A typical factor that can bias our estimated probability is the base-rate fallacy. When asked for integrity violations in a given procedure, humans will imagine or remember how many times a violation occurred, but usually do not take into consideration how many times the procedure took place without any integrity violation. In addition, risk events that tend to affect us emotionally or that we have directly experienced in the past, are likely to trigger stronger feelings and make us believe they are more likely (Loewenstein et al., 2001[17]). Availability of information or salience of a topic may also influence our estimates. A strong media coverage on corruption cases, for example, could skew our perception towards overestimating the likelihood of occurrence of certain integrity risks. Finally, different worldviews and beliefs can lead to very disparate risk ratings with the result that the risk matrix has little or no benefit to manage risk effectively and rationally (Ball and Watt, 2013[18]).

Even if integrity risks have been reasonably well identified and assessed, through qualitative or quantitative techniques, behavioural barriers and biases may undermine taking the correct decisions with respect to the way to deal with these risks and thus affect an effective risk mitigation. Indeed, public managers that have to act based on the risk information available can either be prone to inaction or over-reaction.

• On the one hand, overconfidence or blindness to vulnerabilities could lead to preventive measures that are too weak. The already mentioned blindness to some unethical practices and the sensitivity related to integrity risks coupled with potential misunderstanding of risk vs. occurrence could lead public managers to prefer closing their eyes on integrity risks instead of taking actions, for example to avoid being in the focus of attention and potential stress, stigma or additional work.

• On the other hand, overly risk averse public managers and/or contexts where corruption scandals are widely covered in the media and are driving reactions from citizens and opposition parties, could lead to measures that are too strict (“overshooting”). Loss aversion is indeed a widely researched and established behavioural insight (Kahneman and Tversky, 1979[19]). The costs of facing a corruption scandal in an entity could seem prohibitive to senior management and could thus lead to extreme measures. However, it is important to bear in mind that anti-corruption measures come along with costs too (Falk and Kosfeld, 2006[20]; OECD, 2018[21]; Schulze and Frank, 2003[22]). These costs are related to trade-offs with flexibility and innovation, to psychological costs due to the signal of distrust that is sent to public servants and to the risk of crowding out intrinsic motivation to honesty.

As emphasised in Chapter 1, there a several challenges to implement an integrity risk management culture. These are related to capacity constraints (knowledge about integrity risks) and time constraints (competing priorities). In addition, the previous section emphasised that behavioural biases may exacerbate the challenge of establishing cultures of integrity risk management. While the CGU guide recognises some of these challenges, it does not provide guidance and support on how to address them concretely. In this case, applying behavioural insights means acknowledging and addressing the potential problems identified in the previous section. Concisely, the idea is to make integrity risk management less sensitive, more intuitive and less complex.

In particular, the CGU could consider to follow advice from behavioural insights by the following strategies or measures:

• Support identification of integrity risks by overcoming misunderstandings and demystifying integrity risks. The willingness to identify integrity risks in the first place is key for the outcome of integrity risk management. The CGU and the UGI should therefore continue and perhaps intensify efforts to explain the concepts of integrity and risks. In essence, it is key that public managers understand that integrity risk management looks at the integrity of positions and processes, not at their own personal integrity. As much as possible, communication needs to uncouple risk identification from specific cases. A strategy could be to start with a thought experiment along the following lines: “Imagine you leave your current position and want to ensure that whoever comes next cannot abuse the position and the processes under his or her responsibility.” Communication should also aim at "normalising" integrity risk management as far as possible. Managers should become aware that integrity risk management ultimately supports the achievement of institutional goals and objectives through better decision making, more targeted allocation of resources and avoidance of reputational damage.

• Support identification of integrity risks by simplifying the methodology and providing intuitive guidance. Even though the current integrity risk management framework in Brazil corresponds to international standards and practice, the fact-finding during this project evidenced that it is perceived as complicated and requiring specific skills. Details matter, but integrity risks are often well-known and could be dealt with in a more generic way. In essence, taking into account the current maturity of integrity risk management in the Brazilian government, there are benefits in simplifying approaches, identifying small wins and resisting the urge for overly sophisticated approaches to assessing integrity risks, while being aware of biases and pitfalls of qualitative risk assessments, as discussed.

• Address problematic group dynamics to avoid biases in the identification and assessment of integrity risks. Acknowledging issues arising in brainstorming sessions can help in counterbalancing these when implementing group work. As such, the CGU could adopt techniques to avoid typical pitfalls in brainstorming and groupthink (Sunstein and Hastie, 2015[23]). For example, adapting it to integrity risk identification, Brazil could consider the methodology developed in the UK where participants silently (but not anonymously) contribute to a single online document at once (Box 2.1). Similarly, integrity risks could be identified by a group working jointly on an online joint document. When efforts mature, Brazil could also explore the integration of qualitative and quantitative insights for triangulating risks in key sectors and validating manager’s perceptions of risk likelihood and impact, based on historical data when available.

• Support a more adequate assessment of integrity risks and use of the information obtained. Along the process, reminders or nudges could aim at making salient typical biases in human assessments of risk events. Essentially, the idea is nudging public officials involved in risk assessment to move towards a more reflective use of the information and to be less subject to the biases described in the previous section. Arguably, even simple reminders of potential biases could lead public managers to switch from an intuitive, largely unconscious way of thinking, that avoid efforts but is subject to biases (thinking fast, or “system 1”), to a more rational and conscious thought process (thinking slow, or “system 2”) (Kahneman, 2013[24]).

Finally, IT tools could incorporate some of these behaviourally inspired recommendations and contribute to support public managers throughout the process. As mentioned in Chapter 1, AGATHA is currently not user friendly enough to make a difference and, for these reasons, has not been widely adopted in the Brazilian public administration. Therefore, Brazil could consider reviewing and simplifying AGATHA. However, developing a new tool from scratch, in line with CGU guidance and behavioural insights, may be an easier solution. The resulting product supporting public managers could be an interface in an application for mobile devices and/or an online platform that guides the public managers through the process of integrity risk management. The tool would aim at reducing the inputs of public managers to a strict minimum and at the same time serving a pedagogical function by clarifying concepts related to integrity and risk management. To achieve this, the CGU could prepare automated guidance and information on the typical generic integrity risks in advance and incorporate these into the interface. The CGU already has started working on systematising such “transversal integrity risks”, which could be used as a starting point. This work could be translated into guiding questions to support public managers and to walk them through the process of identifying an assessing integrity risks.

Such a user-friendly and simple interface could contribute to demystifying integrity risk management and help in overcoming typical misunderstandings and fears. Ultimately, such an interface could contribute to improving the quality of risk assessments and in promoting integrity risk management cultures in federal entities. The interface could be promoted through the UGI to ensure that all federal entities are on board. Over time, if a critical mass of participants are using the tool, the collected data could be aggregated centrally by the CGU to inform sectorial or regional risk maps. Figure 2.2 provides an overview of the theory of change underlying such an IT tool to support managers in integrity risk management.

The development of Information and Communication Systems has led to the generation of a significant volume of data in the public sector. Considering the human limitation in making sense of big amounts of information, governments around the world began to adopt digital strategies to take advantage of the profusion of data mushrooming over the past years, creating new opportunities for improving integrity risk management. Alongside the behavioural insights discussed in the previous section, data and analytics can further facilitate future iterations of CGU’s efforts to manage and assess integrity risks (OECD, 2019[26]).

Indeed, using quantitative techniques and data analytics can help to identify potential fraud and corruption in a range of areas where governments tend to collect reliable and valid data by raising red flags (OECD, 2021[27]). Artificial intelligence (AI), including machine learning, has a rich history of applications for risk management, for example turning structured and unstructured data into insights for risk spotting and monitoring. Beyond raising red flags, analytics can inform integrity risk management to guide prevention. Predictive models can inform decision making and help managers react to risks before they materialise (OECD, 2021[28]). Methodologies for assessing risks based on AI or statistical analysis in general is only as good as the quality of the data available. Open and administrative data in areas such as public infrastructure, procurement, payroll, social services, health and employment services often are of sufficient quality for use and reuse.

Applications of data and analytics to public integrity and risk mitigation are increasingly common in Latin America. Recent examples are Colombia and Mexico (OECD, 2021[28]; OECD, 2021[29]). Brazil as well has been an early adopter of analytics and a driver in the region in terms of their use for oversight and accountability. For instance, as mentioned in Chapter 1, ALICE (Analisador de Licitações, Contratos e Editais, Bids, Contracts and Public Notices Analyser) and FARO (Ferramenta de Análise de Risco de Ouvidoria, Instrument for Risk Analysis of incoming report to the Ombudsman) stand out in the context of supporting audits and investigations. ALICE is a Robotic Process Automation (RPA) tool that uses artificial intelligence (AI) to allow the continuous auditing of public procurement and contracting processes. ALICE has been deployed since 2015 by the CGU and, since 2016, by the Federal Court of Accounts of Brazil (Tribunal de Contas da União, TCU). The tool has contributed to fight corruption in public procurement. FARO is also an AI-based technology, adopted in 2021 by the Federal Ombudsman's Office (Ouvidoria-Geral da União, OGU, which is part of CGU) to automate the investigation of the complaints sent by citizens through the Fala.BR online platform.

In Brazil, the high volume of bids present major analytical challenges, considering that, based on information provided by Brazil, on average 357 notices are published each day. In addition, many tenders may be open for just a few weeks or even days. Consequently, auditors have to conduct risk assessments quickly before the contracts are signed, which in practice is nearly impossible. Aiming to overcome this challenge, the CGU and the TCU started deploying ALICE.

At the TCU, for example, this tool is programmed to access on a daily basis Comprasnet, the Brazilian Federal Public Procurement Portal (Portal de Compras do Governo Federal, https://www.gov.br/compras/pt-br), where data on public procurements at the federal level are saved. At CGU, ALICE is also programmed to retrieve data from Licitações-e and the daily federal publication register. Licitações-e is the procurement portal used by the Banco do Brasil, which is also shared with many state owned enterprises and local governments agencies. From the daily federal publication register, ALICE extracts information about bids that were waived and unenforced. According to information updated by the CGU, ALICE downloads the documents and data of all bids and carries out data matchings using 23 government data bases and 14 text analyses to detect signs of misbehaviour and risks in the tendering documents, such as bid rigging, competitiveness restriction, over-invoicing on prices and lacking important information in the public notice (Bemquerer Costa and Leitão Bastos, 2020[30]).

For example, ALICE analyses the “materiality factor”, which is an estimated risk value applied to the bidding notices. Since the bidding notices are saved in PDF, text is often not uniform. ALICE runs an algorithm that automatically obtains the monetary values of the bids from the PDFs and organises the data by applying a Random Forest classification method. According to the CGU, an agreement currently being negotiated with the Ministry of Economy will allow ALICE to directly access the correct monetary value of the bids. To detect irregularities in the tenders, ALICE also obtains relevant information from Comprasnet and saves it in a repository in a machine-readable format to later cross-reference with other datasets. The TCU has agreed with the Brazilian Federal Revenue to obtain confidential data regarding the bidder's Taxpayer Identification Number as a unique identifier to use for cross-referencing entities across databases and detecting anything that could be cause for ineligibility during the tendering phase.

ALICE has been generating a significant positive impact in strengthening the practice of identifying integrity risks in Brazil and fighting corruption in public procurement at the federal public administration. According to information provided by the CGU, in the first year that the ALICE came into use, more than 100 000 notices had been analysed and, between December 2018 and November 2019, 8 bids had been revoked, totalling approximately R$ 3.2 billion. In addition, 14 bids had been suspended due to signs of corruption uncovered by ALICE, totalling R$ 470 million. In 2021, 139 566 bids were assessed, 35 461 notices about risks where sent, 646 notices were analysed by auditors who opened 70 different audit engagements. According to the TCU activities report, in 2020, the amount of benefits arising from the analyses carried out through the ALICE system totalled more than R$ 194 million (TCU, 2021[31]).

ALICE constitutes a successful example of the use of data and analytics to identify red flags for potential corrupt acts and misbehaviour in procurement, as well as to enhance the efficiency of auditors' work. Two underlying success factors can be singled out:

• A decisive factor for obtaining valuable results in identifying corruption risks in public procurement was the support of senior management, which is deemed a key element in consolidating a culture of integrity. For instance, the use of ALICE innovated the way auditors tackle irregularities that are uncovered. The fact that auditors were promptly supported by the TCU Counsellors, who agreed to sign an ordinance validating a new workflow, enabled them to act in the most efficient way to address the risks and signs of corruption identified by this AI-based technology.

• To avoid overloading the auditors with information and address the human inability to process large amounts of data, both the CGU and the TCU have adopted two strategies to support auditors. First, ALICE sends daily emails with the bids’ most important information and the alerts generated by the system, considering each area’s main responsibilities, thereby enabling auditors to prioritise information to conduct their analyses. Second, a dashboard for auditors was created, which allows to apply different filters to target their search and where more detailed information about the analysis of bids conducted by ALICE and the irregularities can be found.

In Brazil, the Fala.BR online platform (falabr.cgu.gov.br) aims to address the challenge of examining the numerous complaints filed by citizens through the internet. Fala.BR is managed by the CGU to replace two different systems: the ombudsman system previously called e-Ouv and the access to information system formerly known as the e-SIC. It is an innovative platform that allows citizens to not only request information, but also to make complaints or claims against any federal body, express satisfaction or dissatisfaction for a service or programme, and provide suggestions for improving or simplifying public services (OECD, forthcoming[32]). At the federal level, the Federal Ombudsman's Office (OGU), a public entity directly linked to the CGU, is currently responsible for receiving these complaints. Throughout this process, the aptitude analysis is a fundamental step during which all materials referring to each of the complaints (their texts and attachments) are examined to verify if they meet the minimum requirements to be further explored by investigative units such as the disciplinary board or internal audit offices. To carry out this analysis, it is necessary to validate the information indicated in the texts and complement it with other external data.

A large number of complaints, together with the extensive volume of documents to be analysed, overburdens the OGU and prevents this entity from acting in a timely manner to investigate and take the necessary measures. Additionally, for a thorough understanding of what is pointed out by the citizens, it is generally necessary to take into consideration other information that is not presented in the text of the complaints. Therefore, to automate the examination process and promote greater efficiency in the aptitude analysis, the OGU started in 2021 to adopt FARO, an AI-based tool that supports the decision process of whether a complaint must be investigated or not. In addition to automating the processes of identification and extraction of certain variables from the texts of the complaints, this tool also enriches the input provided by citizens by correlating it with data from 57 external databases, thereby identifying new elements associated with the complaints.

The methodology applied by FARO to automate the complaints assessment of whether they are apt or not to be further examined includes five main steps (Paiva and Pereira, 2021[33]).

• First, in the conversion stage, this technology reads all the materials attached to the complaints, which usually come in different formats (e.g. images, spreadsheets, PDF, presentations etc.) and are often not machine-readable. These annexes are transformed into a text format and relevant information is extracted and linked to the original texts of the complaints.

• Second, FARO extracts relevant information from the texts of the complaints, such as the name of taxpayers and companies through the Individual Taxpayer Registry (Cadastro de Pessoas Físicas, CPF) and the National Register of Legal Entities (Cadastro Nacional da Pessoas Jurídicas, CNPJ), contract and agreement numbers, monetary values, as well as words or expressions considered relevant in the context of potential misconduct indicated by the complaints (e.g. fraud, corruption, overbilling). Once identified, all these elements are stored in a centralised database to be used throughout the investigation.

• Third, FARO carries out an expansion process, which consists of finding new information on the previously identified entities in one of the 57 external databases to validate their existence and to discover new elements and relationships. For instance, when a specific CNPJ is identified in the text of a complaint, this variable is first cross-referenced with other databases to check if this is a valid CNPJ. Subsequently, other elements derived from this CNPJ are sought, such as the people listed as members of this entity.

• The fourth step consists of qualifying the entities identified in the previous phases. As an example, in the case of a CPF, it is possible to verify whether it belongs to a public servant or even if he/she receives benefits from social programmes.

• Finally, FARO conducts a data preparation, during which the information obtained in the previous steps is aggregated, thereby creating a centralised database that is used to train the model. Each complaint is represented by a set of structured data obtained from the original texts of the complaints (annexes included) as well as information derived from other sources.

As such, FARO proves to have significant potential as it allows deriving and including information that was not originally part of the complaints, and by improving the efficiency of the analysis of complaints. FARO reduces efforts to manually consult different documents and systems to assess whether it is worthwhile and possible to investigate the complaints forwarded to the OGU through Fala.BR platform.

According to data provided by the OGU, since the beginning of its operation in January 2020, FARO was responsible for the treatment of 5 361 complaints. 40% of reports were automatically classified by FARO as not fit for further investigation (obtaining a score under 30 points) and 8% automatically classified as having enough elements for initiating an investigation procedure (obtaining over 80 points). Thus, the ombudsman team was able to concentrate its efforts over the remaining 52% of the complaints, already pre scored and qualified with data from other government databases by FARO, to decide whether they had or not the elements needed by the investigative units.

Notwithstanding the advances of Brazil in the use of data and analytics and the benefits achieved so far, there are still some fundamental challenges to make the most of the use of data analytics in integrity risks management among the organisations of the Brazilian federal executive. To effectively embed the culture of integrity risk management in public entities and promote a preventive approach, it is necessary to implement strategies that go beyond the mere identification of red flags and investigative purposes.

For example, despite that ALICE helps identifying integrity risks in the bidding phase, this technology is implemented by the CGU and the TCU primarily to increase the efficiency of the auditors' work, enabling them to analyse a much larger quantity of bids and identifying red flags of corruption in the tendering phase. Indeed, even though both entities are advancing in the use of data science, have an excellent IT structure, are obtaining positive results and are expanding the use of ALICE to other courts of accounts at local levels (Project Alice Nacional), the tool is currently limited to investigative activities in public procurement (Bemquerer Costa and Leitão Bastos, 2020[30]). In addition, while public procurement is a major integrity risk area, it is not the only one, and Brazil could explore deepening the applications of analytics in other areas, such as the analysis of grants and subsidies or travel expenses, for example.

Therefore, the CGU could take advantage of the technical teams and the maturity already achieved in applying data science to develop a technological framework that supports integrity risk management in entities across the federal executive and is based fundamentally on predictive models. To do so, CGU could develop a strategy and action plan for using data and enhancing analytics that takes into account the specific context of integrity and anti-corruption in the federal public administration. In this exercise, a co-ordination and exchange of information between CGU and TCU could be considered.

Such a strategy and action plan should be based on:

• Mapping databases that are relevant for assessing integrity risks. Such a mapping includes a stocktaking of all databases potentially available for strengthening CGU’s capacity to assess integrity risks. The mapping can build on the significant work achieved by the CGU and should not be purely descriptive, but should include an analysis of the quality, accessibility and relevance of the data for assessing integrity risks. In addition, it could include analysis of priority databases for further improving the data analytics strategy in the future.

• Reviewing and carrying out a comparative analysis of analytics strategy and capacity. The use of data and analytics relies on having strategies with clearly articulated objectives, as well as a range of pre-conditions and technical capacities. The CGU could assess these areas, including the data governance, data management and data skills available for assessing integrity risks. The analysis would provide a clear road map about areas for improvement to develop and implement the strategy and action plan.

• Developing a data-driven integrity risk assessment model. The model should reflect the maturity of the CGU based on different factors, including the creation of a platform that mainstreams several integrity-related databases, and be ambitious, state-of-the-art and theoretical sound. Leveraging on the experience with FARO, the CGU could use the latest in machine learning and artificial intelligence, as also used in Spain with OECD support (OECD, 2021[27]). Other techniques could include indicator-based risk scoring, for example. The objective of the model goes beyond the mere crossing of databases and aims at moving towards the use of analytics and AI-based tools that directly support integrity risk management, detecting patterns, making predictions and providing valuable insights.

• Building capacities. The strategy and action plan should identify and include objectives related to providing trainings and workshops to support the implementation of the risk model and addressing some of the challenges identified. These workshops are an opportunity to bring together a range of actors across the federal executive, as appropriate, to promote the model and enhance the identification of risks. CGU could support public entities with the use of the information obtained through analytical tools (see next section). This would help to further strengthen the SIPEF and allow the CGU, as the central body of this system, to deploy integrity risk management at the organisational level across the federal executive.

Beyond demystifying and making integrity risk management simpler and applying data analytics to support public managers, it is essential to continue developing capacities for integrity risk management across the federal executive. This includes ensuring organisational support, regular staff training, sharing of best practices, providing ad-hoc guidance etc. and covers areas such as concepts, generic integrity risks, risk assessment methodologies as well as data and IT literacy.

To reach out across the federal executive, the Integrity Management Units (UGI) play a major role in the Public Integrity System of the Federal Executive Branch (SIPEF). The UGI are responsible for providing training and assisting the areas responsible for carrying out integrity risk management, including guidance on the use of data analytics (OECD, 2021[7]). Concretely, Decree 10756/2021, which establishes the SIPEF, lays out that the UGI shall co‑ordinate the management of risks to integrity. They are further responsible for steering the development of an institutional Integrity Plan, which must be based on an integrity risk analysis (CGU, 2018[9]; CGU, 2018[34]). This responsibility is key as the quality of the Integrity Plans and the proposed preventive measures depend heavily on the quality of the integrity risk assessments in the first place.

Therefore, given the pivotal role of integrity risk management for ensuring the relevance, efficiency and effectiveness of the integrity measures implemented in federal public entities, the CGU should prioritise capacity development of UGI staff in this area. The UGI, in turn, can then build on their role in the second line of assurance to reach out to public managers, providing them with guidance and support. As such, the OECD report on the SIPEF already emphasised that the UGI, in particular, could promote a better understanding of the relevance of integrity risk management amongst public managers (OECD, 2021[7]). The UGI should be able to clearly communicate about the rationale of integrity risk management and contribute to demystify the concept and to reduce fears and misunderstandings related to them. In addition, the UGI should also provide guidance and support to public managers. To do so and with help from CGU’s General Co-ordination unit for Public Integrity (Coordenação-Geral de Integridade Pública), the UGI need to develop skills in carrying out integrity risk assessments and in providing support to public managers if needed.

To promote a culture of integrity risk management at organisational levels, however, such measures are necessary but probably not enough. To achieve cultural change, in addition to directly intervening on organisational routines, policies and procedures and providing training, behavioural insights suggest the value of influencing specific individuals in those organisations to affect organisation-wide changes (OECD, 2020[35]). In the OECD report on integrity leadership in Brazil, the role of leader as examples and integrity managers for the promotion of organisational cultures of integrity is highlighted (OECD, forthcoming[36]). The same applies of course to integrity risk management. Therefore, the UGI could start identifying a set of public managers within their entity that already are or show the potential of becoming such leaders and could become the link to other public managers, a source of knowledge and information and, not at least, a role model to follow (Figure 2.3).

Finally, the CGU is not merely providing inputs and developing capacities within the SIPEF. Integrity risk management also provides a unique opportunity for the CGU to receive quantitative and qualitative information on integrity risks collected at entity level, but also to receive feedback and collect good practices. This information about integrity risks and integrity measures can be analysed in a centralised and comparative manner by CGU’s General Co-ordination unit for Public Integrity to draw conclusions about emerging and changing integrity risks, for example, or about what works and why in the prevention of these risks. For analytical purposes, this information coming from public entities of the SIPEF can be aggregated at federal level or in a way to represent specific sectors, regions or processes such as procurement or human resource management, for instance.