Risk management is at the heart of any strategy or approach to ensure and promote public integrity. Although in the public sector the normative and policy frameworks for risk management are usually aligned with international standards, the actual implementation of risk management frameworks into day-to-day practice often lags behind. Challenges around managing integrity risks may be even stronger and more complex, given that corruption and fraud are sensitive and complex topics.

In Brazil’s federal executive, integrity risk management became mandatory for all public entities in 2017. Integrity risk management is a key element of the Integrity Programmes and the Integrity Plans that have been established since 2017 in all 186 entities of the federal executive. Since 2021, the Public Integrity System of the Federal Executive Branch (Sistema de Integridade Pública do Poder Executivo Federal, SIPEF) further institutionalises and strengthens the Integrity Programmes and, with them, the requirement to ensure effective integrity risk management. This report reviews the methodology for identifying and assessing integrity risks in Brazil and provides concrete recommendations for strengthening the current approach.

In 2018, the Office of the Comptroller General of the Union (CGU), central organ of the SIPEF, issued a Practical Guide to Integrity Risk Management to support federal entities. The document raises awareness of integrity risk management and provides guidance on its implementation, including concrete “how-to” steps as well as insights on generic integrity risks and cases. Within federal entities, the Integrity Management Units (UGI) play a crucial role in co-ordinating and supporting integrity risk management, as a “second line of defence”.

Despite this relatively sound integrity risk management framework, Brazil is still facing significant implementation challenges:

• While some public entities are more advanced than others, most public entities in the Brazil federal executive are still at an early stage when it comes to mainstreaming integrity risk management.

• A major challenge concerns the difficulty of enabling a culture of public integrity that goes beyond a traditional compliance-based approach to encompass a context-dependent and risk-based approach.

• A lack of support from senior management has been identified as one of the main difficulties faced by the UGIs. Furthermore, only a small part of the work of UGIs is focused on advising and training staff on integrity issues, while there is a significant need to intensify training on these topics. Finally, there is a lack of public resources specifically assigned to integrity risk management, which prevents adequate investment in capacity-building and expanding public integrity-related activities.

• While IT tools could help public entities properly manage integrity risks, only very few of them currently use the tools available. In addition, the tools are mostly used on an ad hoc basis for detection and investigative purposes, rather than being used systematically to anticipate critical events and strengthen public integrity.

Overall, the challenges identified reinforce the need to continue improving integrity risk management in the Brazilian federal administration. Brazil could consider strengthening the current methodology for identifying and assessing integrity risks by working in three main areas that complement and build on one another.

• First, applying behavioural insights raise awareness of cognitive biases in judgement and help public managers better understand, identify and assess integrity risks. In essence, the idea is to make integrity risk management less sensitive, more intuitive and less complex. Brazil could incorporate such behaviourally inspired guidance into an IT tool to support public managers in taking better decisions.

• Second, Brazil could build on the significant progress made in recent years with data analytics tools such as “ALICE” or “FARO” to move beyond detection and investigation to develop solutions that support integrity risk management in federal entities based on predictive models. To do so, CGU could develop a strategy and action plan for using data and enhancing analytics.

• Third, it is essential to continue developing capacities for integrity risk management. This includes ensuring organisational support, staff training, sharing of best practices and providing ad hoc guidance on areas such as generic integrity risks, risk assessment methodologies, or data and IT literacy. This can best be achieved by working through the UGI and by training selected public managers to lead a change towards an integrity risk management culture.