Modernising Integrity Risk Assessments in Brazil
1. Integrity risk management in Brazil’s federal executive
Abstract
Risk management supports public sector organisations in achieving their mandate and a wide range of policy goals and objectives. Integrity risk management in particular is at the heart of ensuring and promoting public integrity in an efficient and effective manner. In Brazil, the Office of the Comptroller General of the Union (CGU) leads integrity risk management and provides support and methodological guidance to public entities of the federal executive. In general, the CGU’s integrity risk management framework is aligned with international standards. However, the implementation of the framework is uneven across the administration, with varying levels of maturity, and several challenges remain in promoting a culture of risk management.
Integrity risk management: The foundation for efficient integrity policies
Risk management supports public sector organisations in achieving their mandate and a wide range of policy goals and objectives (OECD, 2020[1]). Risks need to be identified, analysed and adequately managed. Among the variety of risks that can affect a public organisation, corruption, fraud and other unethical practices can undermine public integrity and threaten the achievement of the public policy goals and objectives. Furthermore, they impede an efficient use of public resources and are further undermining public trust in institutions.
In light of this, the OECD Recommendation on Public Integrity puts risk management at the heart of any strategy or approach to ensure and promote public integrity. The Recommendation calls on adherents to “apply an internal control and risk management framework to safeguard integrity in public sector organisations” (OECD, 2017[2]), echoing various international standards and guidance. For instance, several organisations have developed international frameworks or guidance for risk management in the public sector, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the International Organisation for Supreme Audit Institutions (INTOSAI), the Institute of Internal Auditors (IIA) and the International Organisation for Standardization (ISO), among others.
In particular, countries should aim at ensuring a control environment with clear objectives that demonstrate managers’ commitment to public integrity and public-service values and that provides a reasonable level of assurance of an organisation’s efficiency, performance and compliance with laws and practices. They should further ensure a strategic approach to risk management that includes assessing risks to public integrity, thereby addressing control weaknesses (including building warning signals into critical processes), establishing an efficient monitoring and quality assurance mechanism for the risk management system and effectively strengthening the prevention of integrity violations.
In the public sector, normative and policy frameworks for risk management often align with international standards; however, implementation challenges typically persist. Ideally, public managers should identify and manage the risks arising in the processes and areas of their responsibility. An adequate understanding and assimilation of risk management allows the administration to use information on risks continuously when making management decisions. In addition, risk assessment mechanisms should be incorporated within a cyclical process where not only risks, but also methodological issues are revised and updated by incorporating new empirical evidence (OECD, 2018[3]).
The value of risk management is not always clear to public managers, however. For example, understanding why risk management matters requires, in the first place, a clear understanding of the values and objectives of the public function that is exercised. The lack of clear objectives and performance culture often observed in the public sector together with weak accountability and the difficulty to quantify both impact and productivity of the public sector, may undermine such a clear understanding. A public manager that is not held accountable for achieving objectives, or if these objectives are not clearly specified, may not feel the pressure to deliver and thus to identify and manage the risks that could undermine their achievement. In addition to the often unclear incentives, public managers may lack capacities and knowledge on how to manage risks and/or may lack support from their organisation.
In Latin America, similar to other regions, an OECD report identified three main obstacles to achieving an effective risk management system (OECD, 2019[4]):
Public managers are unaware of, or lack knowledge about, the standards, policies or guidelines on risk management.
Public managers do not have a clear understanding about the concept of “risks” and about the processes and utility of risk management.
Public managers believe that risk management is a function to be undertaken by someone else and do not see this as a task that belongs to their own management function.
While these challenges apply to risk management in general, they are also particularly relevant for managing integrity risks, where they may be even more severe and more complex given that it is a sensitive and complex topic. On the one hand, some unethical practices may be rationalised by public officials as legitimate or as normal (“that’s how things work here”), or these unethical practices may no longer even be perceived as a problem. On the other hand, some fraud and corruption risks may be difficult for public officials to identify if they lack an understanding of complex fraud and corruption schemes or are simply unaware of the many different practices related to corruption. They may also be reluctant to speak about corruption and fraud risks when they equate risks with actual occurrence or feel that they are “talking bad” about their unit or themselves.
This OECD report reviews the current methodology for assessing integrity risks in the Brazilian Federal executive branch and provides avenues for modernising and strengthening the current methodology. The remainder of this chapter presents the integrity risk management framework and the challenges faced in its implementation. While the normative underpinning and guidance for integrity risk management will be analysed in detail in the forthcoming OECD Integrity Review of Brazil (OECD, forthcoming[5]), Chapter 2 focuses on three concrete avenues to strengthen and modernise the current approach by acknowledging and addressing cognitive and social barriers to an effective integrity risk management, by leveraging ongoing efforts to improve the use of data and data analytics for the purpose of preventing integrity violations and, finally, by strengthening the organisational support to integrity risk management in public entities of the federal executive.
Integrity risk management in Brazil’s federal executive branch
Brazil has a solid integrity risk management framework that is aligned with relevant international standards and provides guidance to public managers
In Brazil’s federal executive branch, the Joint Normative Instruction No. 01/2016 established the creation and improvement of internal management controls, governance and risk management. In the following year, integrity risk management became mandatory for all federal public entities with Decree 9203/2017. Integrity risk management is a key element of the Integrity Programmes and the Integrity Plans that have been established since 2017 in all 186 entities of the Federal executive to prevent, detect, punish and remediate fraud, corruption and other unethical practices. In 2021, the creation of the Public Integrity System of the Federal Executive Branch (Sistema de Integridade Pública do Poder Executivo Federal, SIPEF) through Decree 10756/2021 further institutionalises and strengthens the Integrity Programmes and with them the requirement to ensure an effective integrity risk management (Box 1.1).
Box 1.1. The Public Integrity System (SIPEF) in Brazil’s Federal Executive
The Office of the Comptroller General of the Union (Controladoria Geral da União, CGU) is the internal control body of the Federal Government and, since its creation in 2001, has been a core element of the federal government’s strategy to enhance integrity and prevent corruption in Brazil (OECD, 2012[6]).
In particular, the CGU is responsible for co-ordinating the implementation of Integrity Programmes to prevent, detect, punish and remediate corruption, fraud, illicit acts and violations of the standards of conduct in all public entities of the Federal Executive (Decree 9203/2017, subsequently regulated through Ordinance 1089/2018 and Ordinance 57/2019).
Integrity Programmes have to be developed along the following axes:
Commitment and support from senior management.
Existence of a unit responsible for implementation in the organ or entity.
Analysis, evaluation and management of risks associated with integrity.
Monitoring of the elements of the Integrity Programme.
Integrity Programmes aim to ensure that, in every federal entity, all internal units responsible for integrity-related activities and areas work together in co-ordination to ensure integrity and minimise integrity risks. The Integrity Management Units (Unidades de Gestão da Integridade, UGI) are responsible, within each institution, for co-ordinating the development of the internal Integrity Plan of the public entity, as well as its subsequent implementation, monitoring and evaluation. Senior management needs to approve these Integrity Plans, which set out the integrity measures and an action plan for their implementation.
The Public Integrity System of the Federal Executive Branch (SIPEF), established in July 2021 through Decree 10756/2021, further formalises and strengthens the normative basis for the Integrity Programmes and the UGI, with the CGU as its central organ (OECD, 2021[7]). The SIPEF designates the UGI as the system’s responsible sectorial units, expanding their functions and responsibilities. These responsibilities can be summarised as co-ordinating the different integrity efforts within the entity, but they also include providing guidance, training and support on matters related to public integrity and integrity risk management.
Source: (OECD, 2012[6]) and (OECD, 2021[7]).
The Office of the Comptroller General of the Union (Controladoria Geral da União, CGU) first defined integrity risks as a “vulnerability that could favour or facilitate the occurrence of corruption, fraud, illicit acts and/or violations of the standards of ethics and conduct, which in turn could compromise the aims of the institution” (CGU Ordinance 57/2019). Recently, with the SIPEF, the definition of an integrity risk was revised to the “possibility of an event of corruption, fraud, irregularity or ethical or conduct deviation that may impact the achievement of institutional objectives” (Decree 10756/2021). The CGU emphasises that integrity risk management permeates across the federal government, including different functions (e.g. human resource management, public financial management, internal control and risk management and public procurement) and sectors (e.g. infrastructure, housing, health, education, taxation and customs).
In 2018, the CGU issued a Practical Guide to Integrity Risk Management to support federal entities (CGU, 2018[8]). The document provides guidance on the implementation of integrity risk management, raises awareness and delivers concrete “how-to” steps for implementation. The guide also reinforces the notion that managing integrity risks is the responsibility of public managers as risk owners. Specifically, it requires that managers should establish, monitor and improve risk management and internal control systems. This includes the identification, assessment, mitigation and monitoring of integrity risks that may affect the achievement of objectives when fulfilling the institutional mission of public entities.
In line with the OECD Recommendation on Public Integrity (2017), CGU’s Guide shifts the focus of integrity policies towards a context-dependent, behavioural and risk-based approach. Its general nature enables federal public entities to adapt the methodology to specific contexts while ensuring a minimum of coherence across the federal administration. This means as well, for example, that if a public entity already has adopted a risk assessment methodology for other areas, it will be able to apply this methodology to the identification of integrity risks. In addition, the guide offers flexibility to continually improve the methodology while the institution gains maturity in its implementation.
The guide also invites going beyond the traditional anti-corruption approach based on compliance with the rules and reinforces the relevance of promoting an effective cultural change in the organisation. In this sense, CGU emphasises principles and aspects in the management of integrity risks, such as the commitment of senior management, the support for the engagement of different parts of the public entity and the capacity building in the field of public integrity.
Furthermore, the guide supports public managers in identifying integrity risks by providing a generic list of potential events that may hinder the realisation of organisational objectives (“transversal integrity risks”) and by providing methodological tools. Public entities are invited to employ different methodologies to collect information and identify integrity risks, such as analysing information that already exists within the organisation (Box 1.2), taking advantage of public servants’ experiences and skills, exchanging experiences with similar organisations or analysing scenarios. Choosing the best approach will depend on the organisation’s maturity and the available human and financial resources. For example, as one possible tool amongst others, the Guide suggests the use of brainstorming workshops to encourage key actors to meet and share viewpoints that facilitate risk identification.
Box 1.2. The use of data on past disciplinary proceedings to identify integrity risks by the Brazilian Federal Police
The Brazilian Federal Police’s integrity risk assessment illustrates one of the methodologies to identify integrity risks using data on past cases. The Federal Police kicked off the risk assessment process with a qualitative analysis of the 2 384 disciplinary proceedings (Processo Administrativo Disciplinar, PAD) that led to dismissals, position removal and pension cancellation. The data was obtained from the Disciplinary Process Management System (CGU-PAD). The Federal Police then analysed only those PADs that imposed sanctions and selected a sample, excluding the procedures associated with non-expulsive sanctions (e.g. warnings) and those that did not involve any corruption act, totalling 40 PADs. During this process, transversal risks were identified, such as illicit enrichment, bribery to leak privileged information, undue access to consultation systems and inspection fraud. The identified integrity risks were then categorised into four main events: personal advantage, leaking of information, privileged services trading and fraud. While in this case the Brazilian Federal Police adopted a methodology based on past disciplinary procedures, the CGU emphasises that organisations should not focus solely on past events (CGU, 2018[9]).
Source: OECD, based on information provided by the CGU.
Principally, the CGU guide provides the methodology for assessing integrity risks. To do so, it follows the standard approach of categorising a risk according to its likelihood and impact and emphasises several ways to estimate and present both dimensions of an integrity risk, depending on its accuracy and complexity. In particular, the CGU Guide encourages each organisation to adopt impact and probability rating scales to build a heat map, depending on the aspired complexity. Organisations with less mature integrity risk management activities, for instance, can adopt basic methodologies, such as a 4x4 matrix (four probability levels and four impact levels) as shown in Table 1.1 below. Accordingly, for each catalogued integrity risk, the organisation must score the possibility of its occurrence (probability) and the severity of the possible consequences (impact). This process sets the ground for analysing the most appropriate measures to address the risks according to their severity.
Table 1.1. Integrity risk matrix with 4x4 levels
Metrics | Probability | Impact
---|---|---
1 – Very low | The event has a very low probability of occurring | Insignificant consequences if the event occurs
2 – Low | The event rarely occurs | Minor consequences on secondary processes and activities
3 – Medium | The event has already occurred a few times and may reoccur | Relevant consequences on secondary processes and activities or minor consequences on priority processes and activities
4 – High | The event has occurred repeatedly and will likely reoccur many times | Relevant consequences on priority processes and activities
Source: (CGU, 2018[8]).
In addition to identifying, describing and rating the risks, the guide also requires that organisations point out the most significant causes and consequences associated with each potential event. Identifying causes makes it possible to grasp the reasons or circumstances that are more likely to encourage, cause or allow any misconduct that violates public integrity. Mapping the consequences, in turn, enables a better understanding of how the integrity risks can affect the objectives of the organisation (CGU, 2018[9]).
Finally, the CGU guide provides orientation on how to use the information obtained from the risk assessment and the heat map to introduce efficient and effective measures to mitigate those risks. When developing the integrity plans, the guide recommends that public entities should focus on the most relevant integrity risks to be managed, that is, those with both the most significant impact and probability within a risk level previously defined by senior management. Public entities should prioritise integrity risks that exceed their risk tolerance (“apetite a riscos”). According to the guide, the integrity plans should then identify and promote the implementation of measures to avoid, mitigate or transfer the most relevant, prioritised integrity risks, ensuring that appropriate responses are timely. Based on the priorities established in the heat map and the risk tolerance level, the entity should verify already existing measures and assess the need to improve them or establish new strategies. Personnel training, transparency promotion, social control and reducing the level of discretion of decision makers in sensitive processes are some of the measures recommended by the CGU guide to address integrity risks (CGU, 2018[8]). Several other actions can be taken, depending on the specific risks of each organisation and the availability of resources. In addition, the guide emphasises that it is essential to adapt the measures to the actual needs of the organisation to help achieve its objectives, instead of generating unnecessary bureaucracy and slowing down processes.
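The scoring and prioritisation steps just described, as an added example that is not code from the CGU guide or from the OECD report: it encodes the 4x4 scales of Table 1.1, combines probability and impact as a product to rank risks (an assumption, since the guide leaves the combination rule to each entity), builds the heat map and returns the risks above a tolerance threshold set by senior management. The sample catalogue reuses the four event categories of Box 1.2 with constructed ratings, causes and consequences.

```python
"""Score integrity risks on a CGU-style 4x4 matrix, build the heat map and
prioritise the risks that exceed the entity's risk tolerance."""
from dataclasses import dataclass, field
from typing import Dict, List

# Rating scales transcribed from Table 1.1 (1 = very low ... 4 = high).
PROBABILITY_SCALE: Dict[int, str] = {
    1: "Very low - the event has a very low probability of occurring",
    2: "Low - the event rarely occurs",
    3: "Medium - the event has already occurred a few times and may reoccur",
    4: "High - the event has occurred repeatedly and will likely reoccur many times",
}
IMPACT_SCALE: Dict[int, str] = {
    1: "Very low - insignificant consequences if the event occurs",
    2: "Low - minor consequences on secondary processes and activities",
    3: "Medium - relevant consequences on secondary processes or minor on priority ones",
    4: "High - relevant consequences on priority processes and activities",
}


@dataclass
class IntegrityRisk:
    """One catalogued integrity risk with its rating, causes and consequences."""
    event: str
    probability: int
    impact: int
    causes: List[str] = field(default_factory=list)
    consequences: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject ratings outside the 4-level scales instead of silently mis-scoring.
        if self.probability not in PROBABILITY_SCALE:
            raise ValueError(f"probability must be 1-4, got {self.probability}")
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"impact must be 1-4, got {self.impact}")

    @property
    def score(self) -> int:
        # Assumption: severity = probability x impact (1..16). The guide leaves the
        # combination rule to each entity; the product is one common choice.
        return self.probability * self.impact


def heat_map(risks: List[IntegrityRisk]) -> List[List[int]]:
    """Count risks per cell: rows are impact 4..1 (top to bottom), columns probability 1..4."""
    grid = [[0] * 4 for _ in range(4)]
    for r in risks:
        grid[4 - r.impact][r.probability - 1] += 1
    return grid


def render_heat_map(grid: List[List[int]]) -> str:
    """Plain-text rendering of the heat map for a report or terminal."""
    lines = ["impact\\prob  P1  P2  P3  P4"]
    for row_idx, row in enumerate(grid):
        lines.append(f"     I{4 - row_idx}     " + "  ".join(f"{n:>2}" for n in row))
    return "\n".join(lines)


def prioritise(risks: List[IntegrityRisk], tolerance: int) -> List[IntegrityRisk]:
    """Risks whose score exceeds the tolerance set by senior management, most severe first."""
    above = [r for r in risks if r.score > tolerance]
    return sorted(above, key=lambda r: (r.score, r.impact), reverse=True)


# Constructed sample catalogue: the four event categories from Box 1.2 with
# illustrative ratings, causes and consequences (not the Federal Police's assessment).
SAMPLE_RISKS = [
    IntegrityRisk("Personal advantage (illicit enrichment)", 3, 4,
                  causes=["weak asset-declaration checks"],
                  consequences=["loss of public funds", "reputational damage"]),
    IntegrityRisk("Leaking of privileged information", 4, 4,
                  causes=["broad access to consultation systems", "no access logging"],
                  consequences=["compromised investigations"]),
    IntegrityRisk("Privileged services trading", 2, 3,
                  causes=["high discretion in scheduling services"],
                  consequences=["unequal treatment of citizens"]),
    IntegrityRisk("Inspection fraud", 2, 2,
                  causes=["single inspector sign-off"],
                  consequences=["undetected non-compliance"]),
]

if __name__ == "__main__":
    print(render_heat_map(heat_map(SAMPLE_RISKS)))
    # Tolerance of 8 (constructed) means only scores of 9 and above are treated in the plan.
    for risk in prioritise(SAMPLE_RISKS, tolerance=8):
        print(f"{risk.score:>2}  {risk.event}: causes={risk.causes}")
```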
The identification, assessment and mitigation of integrity risks is a crucial step for the approval of the integrity plan. As pointed out by the CGU, carrying out integrity risk identification and assessment prior to implementing the integrity programme helps to identify processes and areas that are more susceptible to corruption and enables the entity to act timely and adjust to new risks over time (CGU, 2018[9]).
Institutionally, within federal entities, the Integrity Management Units (Unidades de Gestão da Integridade, UGI) play a crucial role in co-ordinating and supporting integrity risk management, as units of the second line of defence. The UGI are mandatory and established in all entities of the Federal executive. They co-ordinate the development of the Integrity Plan of the entity and the subsequent implementation, monitoring and evaluation of the plan. With the Public Integrity System of the Federal Executive Branch (SIPEF), there is an opportunity to further strengthen the UGI to ensure they can deliver on the key role they play as sectorial units of the SIPEF (OECD, 2021[7]).
Despite the relatively sound integrity risk management framework, Brazil is still facing significant implementation challenges
In Brazil, capacity for risk management has long been a challenge in the government. In 2014, TCU conducted a survey in co-ordination with the Rui Barbosa Institute, the Association of Members of the Brazilian Courts of Accounts (Associação dos Membros dos Tribunais de Contas do Brasil, ATRICON), and 28 subnational audit entities, which highlighted the systemic need for improved risk management and control in government. Specifically, they assessed the maturity of risk management based on a set of criteria and identified inefficiencies in risk management in public sector entities. Out of the 380 federal public entities surveyed, 304 (80%) at the time were considered at an early stage of risk management (i.e. non-existent or insufficient capacity) (TCU, 2014[10]). Ensuring an effective implementation remains one of the key issues facing the Brazilian government concerning integrity risk management, and in general, ensuring effective accountability.
As noted above, implementing risk management in the public sector is a challenge, and implementing integrity risk management perhaps even more so (OECD, 2019[4]). Many countries struggle with applying the conceptual frameworks in day-to-day practice and promoting a culture of integrity risk management in public entities. Brazil is no exception. OECD fact-finding through a questionnaire, an online focus group with UGI and CGU, as well as several interviews conducted with public officials, showed that despite the normative framework and the available guidance, integrity risk management is still at an early stage. While there is a degree of heterogeneity with respect to the maturity of integrity risk management across the federal administration, with some public entities being more advanced than others, there is an overarching acknowledgement that important implementation challenges remain in the majority of public entities in the Brazilian federal executive.
One of the major challenges related to strengthening integrity risk management in Brazil concerns the difficulty of consolidating a culture of public integrity that goes beyond the traditional legalistic view and begins to encompass a context-dependent and risk-based approach. The results obtained from the focus group conducted by the OECD demonstrate that the compliance culture is still widespread among federal public entities and that there is a strong resistance to change among civil servants.
In addition, it is essential to have the support of senior managers and to invest in employee training. In practice, however, the answers to the OECD questionnaire indicate that the lack of support from senior management is one of the main difficulties faced by the UGIs in carrying out their work and supporting integrity risk assessments. Furthermore, despite the relevance of investing in capacity building, the results of the fact-finding conducted by the OECD reveal that currently only a minimal part of the work of UGIs is focused on advising and training staff on integrity issues. Additionally, there is a significant need to intensify training on specific public integrity topics in the areas that carry out activities related to this matter.
Other challenges relate to obstacles that have been preventing the effective institutionalisation of integrity risk management in the Brazilian federal executive. First, there is a lack of public resources specifically assigned to this agenda, which prevents adequate investment in building capacities and in expanding public integrity-related activities. According to the results of the OECD questionnaire, 93% (28) of the UGIs that responded did not have their own budget at that time. This means that activities related to integrity are currently often subject to the availability of public resources allocated to the other, non-integrity-related activities of the UGI. Second, there is a shortage of skilled staff fully dedicated to the management of integrity risks. In this regard, the OECD focus group drew attention to the fact that the public managers responsible for carrying out integrity risk management often work at the limit of their capabilities, having to perform other duties. In turn, the UGIs could provide support to public managers but generally do not have dedicated, properly trained staff to deal with integrity risk management (OECD, 2021[7]). These issues explain why integrity risk management is not yet widely implemented among federal government entities, which leads to incomplete integrity plans, unfinished risk analyses and difficulties in establishing effective detection systems.
In addition, while IT tools can help public entities to properly identify integrity risks, assess them and assist public managers in the decision-making process, such tools are currently used in only very few public entities. Even then, these tools are mostly used for detection and investigative purposes, rather than to anticipate critical events and strengthen public integrity. Examples of these tools are ALICE (Analisador de Licitações, Contratos e Editais, Bids, Contracts and Public Notices Analyser) and FARO (Ferramenta de Análise de Riscos de Ouvidoria, Instrument for Risk Analysis of incoming reports to the Ombudsman). The CGU and, in the case of ALICE, also the Federal Court of Accounts (Tribunal de Contas da União, TCU) use these tools to support the investigation of suspicious events. ALICE focuses on public procurement; FARO supports the analysis of complaints directed to the federal ombudsman. These IT tools, and how Brazil could build on them to strengthen integrity risk management, will be analysed in more detail in Chapter 2.
AGATHA, a tool developed by the former Ministry of Planning, Development and Management (MP), aims to support the risk management and internal controls system. This tool was designed to help managers assess internal and external strengths, weaknesses, opportunities and threats (SWOT analysis) and to identify, assess and guide critical risk analysis so as to positively impact the achievement of public entities’ objectives, as requested by Decree 9203/2017. However, in practice, this tool is not being widely adopted, despite being available under a free licence. For example, among the UGIs that responded to the OECD questionnaire, only 10% (3) are currently using AGATHA and one entity is considering its use. A few other units are in the process of implementing this tool and some point to the urgent need for training and clearer guidance on how to use AGATHA. Interviews carried out by the OECD to understand why AGATHA is not being used more systematically indicated that the tool is not user-friendly and is limited in terms of analytical support, offering only a heat map to facilitate analysis.
Overall, the points raised above reinforce the need to continue improving the maturity of integrity risk management in the Brazilian federal administration. Not least, the Covid-19 outbreak imposed several additional challenges on countries, including Brazil, expanding public spending, exacerbating their financial situation, blurring decision-making processes and obstructing social control. As reported during the fact-finding, public entities in Brazil have experienced several challenges in carrying out their work under these new circumstances. In addition, it was reported that the public integrity agenda lost importance in some public entities because of the crisis, which was reflected in exacerbated budget constraints for dealing with this matter.
Unfortunately, a recent survey on ethics and corruption in the Brazilian federal public service reveals that, during the Covid-19 crisis, there has been an increase in public managers' perceptions of corrupt acts, such as political interference in the decision-making process and limited transparency and accountability of decisions concerning public procurement and contracting (Ortega Nieto et al., 2021[11]). Hence, in a context of crisis, integrity risk management becomes even more relevant to guide efficient and effective integrity policies.
Nonetheless, it is noteworthy that, despite the challenges experienced in some public entities during the current crisis, the establishment of the SIPEF in 2021 constitutes a milestone which reinforces that Brazil is on the right track to consolidating the integrity agenda in the federal executive. However, this new system still needs to be reinforced to achieve its goal of promoting a culture of integrity risk management in the federal administration (OECD, 2021[7]). Based on the analysis of the current situation, the following chapter provides concrete avenues to continue strengthening the culture of public integrity and integrity risk management. The recommendations presented in the next chapter will be complemented by the OECD Integrity Review of Brazil (OECD, forthcoming[5]), which will provide a more systemic analysis of the integrity risk management and control framework in Brazil.