Internal control and risk management support public sector organisations in achieving a wide range of policy goals and objectives. In the OECD’s Recommendation on Public Integrity, the principle on risk management focuses on aspects of internal control and risk management in the context of preserving integrity and combating corruption in the public sector. Governments must ultimately tailor their approach to their respective legal, regulatory and cultural contexts. This involves embedding integrity objectives into existing internal control and risk management policies and practices. It also entails adapting international standards and concepts for internal control and risk management to local realities and the public sector.

The Anti-Corruption Policy of the Slovak Republic for 2019-2023, approved by Government Resolution No. 585/2018, sets out measures to strengthen the framework for corruption prevention in the public sector. Within the Anti-Corruption Policy, the Government of the Slovak Republic recognises the need to introduce corruption risk management to government agencies. As such, the Corruption Prevention Department (CPD) in the Office of the Government of the Slovak Republic leads and oversees activities targeted at identifying and mitigating corruption risks in government agencies and across the public sector. This chapter provides insights and recommendations on how the CPD can improve its risk analysis and the guidance it provides for government agencies on corruption risk management.

Based on research, analysis of documents and interviews with representatives of government agencies, this chapter provides proposals for action for the CPD to consider. To foster a strategic approach to corruption risk analysis, it identifies room for improvement in how the CPD documents its own risk analysis, and how it can communicate about emerging corruption risks. In addition, it suggests that the CPD make use of a number of resources when analysing corruption risks. To strengthen the capacity to prevent and detect corruption in government agencies, this chapter proposes improvements to the CPD’s corruption risk assessment guidelines, namely, to include practical resources and tools to aid the risk assessment process. It also assesses the development of the sectoral anti-corruption programmes, and suggests that the CPD establish a working group to foster horizontal knowledge-sharing and to harmonise the process of developing the programmes. To raise awareness of corruption and to refine messages for a risk-informed culture, the last section of this chapter proposes that the CPD develop a comprehensive communication strategy for both the public and government officials. To engage citizens and non-experts, the chapter provides examples to the CPD of innovative and accessible formats to present its work. Regarding its communication with government officials, the chapter draws attention to the need for clearer messaging around the CPD’s guidelines, and in particular the need for government agencies to utilise a wider variety of sources as inputs for their corruption risk assessments. Additionally, it underlines the need for government agencies to consult with internal audit teams to help build a proactive risk culture.

As part of its activities in centralising policies to prevent corruption, the CPD is responsible for designing and implementing projects and measures aimed at reducing corruption in the public sector. In February 2019, each ministry in the Slovak Republic established the position of anti-corruption co-ordinator. This co-ordinator is responsible for overseeing the anti-corruption activities of the ministry, including the implementation of corruption risk management measures. The introduction of an anti-corruption co-ordinator and the implementation of corruption risk management practices is also recommended to the President of the Judicial Council, the General Prosecutor and the President of the Association of Towns and Municipalities.

In 2019, the CPD established corruption risk assessment guidelines for government agencies. This methodology applies to all departments in the public sector on how to manage corruption risks, in line with the anti-corruption policy of the Slovak Republic for 2019-2023. Departments are required to carry out the corruption risk assessment on an annual basis, in line with these guidelines. In addition, working with a private company, the CPD has developed an IT tool on corruption risk management for all public bodies as part of the project of implementation of ISO 37001:2016 (Anti-Bribery Management System). This IT tool, which consists of an electronic questionnaire, is disseminated to all public authorities. The dissemination to municipalities is also foreseen through the Ministry of Interior’s contact point. Filling out the questionnaire, which the CPD first distributed in 2020, is currently not obligatory.

The anti-corruption co-ordinator of the Office of the Government of the Slovak Republic is also the administrator of the electronic questionnaire, and can make adjustments or updates to the questionnaire where necessary. Once the questionnaire has been completed, the anti-corruption co‑ordinator provides managers with the results and consults with them on the proposals for measures to mitigate identified corruption risks. Managers shall subsequently prepare a corruption risk register and propose relevant measures.

While the CPD oversees the implementation of corruption risk management practices within government agencies through the guidelines it has developed and the distribution of the electronic survey, the CPD also undertake its own form of risk analysis separately from these activities. This involves assessing at a broader level prevalent corruption risks across the Slovak public sector in order to inform and develop the national anti-corruption programme. The CPD is comparatively advanced in the development of its risk analysis activities. A study carried out in 2020 found that for most Anti-Corruption Authorities (ACAs), overseeing, implementing and undertaking corruption risk analysis is not a widespread practice at the international level, with just over half of respondents reporting that they are obliged to undertake risk mapping or analysis (L'Agence française anticorruption, 2020[1]). More frequently, ACAs tend to be responsible for designing anti-corruption strategies, codes of conduct and receiving complaints.

As part of its risk analysis to develop the national anti-corruption programme and to inform the development of the sectoral programmes, the CPD notes that it considers the following sources to assess risks:

• information received through the anti-corruption hotline

• responses to the electronic survey/IT tool

• analysis of legislative gaps or shortcomings

• complaints from citizens

• recommendations from international organisations

• consultation with NGOs and civil society actors

• media reports.

While the CPD appears to consult a variety of sources to identify prevalent corruption risks, it could consider other sources that would prove beneficial for evaluating systemic risks across the public sector. For example, the CPD notes that it does not use information from external audit reports; however, these reports are publicly available and could therefore be used by the CPD when evaluating risks. The CPD does not appear to consult risk registries of departments either, noting that it obtains this information from the IT tool. The CPD’s guidelines on corruption risk assessment require departments to create and maintain a risk register. As such, the CPD could use these as an additional resource to get a clearer sense of which corruption risks are most prevalent.

Furthermore, the CPD could improve how it documents the risk analysis process and develop a strategy on disseminating results. Representatives from the CPD note that at present, the CPD does not have a documented process or strategy for disseminating the results of its risk analysis, which may hinder the effectiveness of its risk management practices. The CPD shares insights with public organisations on an ad hoc basis, meaning that said organisations may not benefit from findings that could inform improvements to the control environment. The CPD notes that across organisations in the Slovak public sector, there is a stronger focus on enforcement rather than preventive measures for fraud and corruption. By sharing the findings of its analysis and suggesting improvements where necessary, the CPD can demonstrate the value of its risk analysis and the added value for organisations. This can also strengthen risk management practices at the entity level.

While the CPD works closely with government agencies on the development of their sectoral anti-corruption programmes, providing clarity on how it undertakes its own corruption risk analysis and informs actions at the national level can raise awareness of the CPD’s risk management efforts and create buy-in across the public sector. This can help to institutionalise corruption risk management and guide government agencies in their risk management activities. In addition, this can serve as a strong basis for the CPD to expand its risk analysis activities beyond the national anti-corruption programme to develop different approaches and outputs, such as identifying emerging corruption risks. In Australia, for example, the Crime and Corruption Commission (CCC) produces materials for government agencies to raise awareness of current and emerging corruption risks (Box 3.1). The CPD could draw inspiration from this practice in order to expand its risk analysis and adopt a multi-faceted approach to identifying trends in corruption risks experienced by government agencies.

The corruption risk assessment guidelines are a methodology established in 2019 by the CPD for all departments in the public sector on how to manage corruption risks, in line with the anti-corruption policy of the Slovak Republic for 2019-2023. Departments are required to carry out the corruption risk assessment on an annual basis, in line with these guidelines. The guidelines include the following:

• definitions of corrupt behaviour or activity

• responsibilities vis-à-vis corruption risk assessment

• potential causes and sources of corruption risks in the public sector

• risk identification and detection

• assessment and evaluation of identified risks

• how frequently the process should be carried out

• the requirement to maintain a risk register

• monitoring of measures and communicating results.

During interviews with selected government agencies, representatives noted that they have undertaken one corruption risk assessment so far in line with the CPD’s guidelines, and will undertake another at the beginning of 2021. Some representatives report that they consult the corruption risk assessment guidelines regularly, and that they consider the guidelines to be a valuable resource. Indeed, the guidelines provide a strong foundation for corruption risk assessment in public sector organisations in the Slovak Republic, describing the conditions in which different corruption risks may occur, and designating responsibility for the identification and treatment of risks.

However, the guidelines do not provide practical materials for managers to use to carry out risk assessments. For example, the guidelines do not contain risk matrices that demonstrate how to assess and prioritise risks, nor templates that managers could use. In the United Kingdom (UK), for example, the Home Office committed to publishing a bribery and corruption assessment template in the UK Anti-Corruption Plan. This template is published online and is targeted at government agencies and departments to assess their response to bribery and corruption (Box 3.2).

Risk matrices, risk registries or simple Excel tables can be useful tools for documenting the results of risk assessments, as well as assessing interlinkages between risks and controls. Regardless of how they are documented, it is critical that the results of risk assessments reflect the acceptable level of risk based on predetermined criteria. Heat maps or other tools that convey scoring of the likelihood and impact of risks without also showing the level of risk management deemed acceptable have little value for decision making or adapting mitigation measures (OECD, 2020[4]). The CPD can draw from internationally recognised resources and standards to update its guidance material for operational risk assessments at the entity level. For example, the CPD could draw inspiration from existing tools, such as those developed by the Association of Certified Fraud Examiners (ACFE). The ACFE has developed a fraud risk management tool, which is an Excel file containing risk assessment scoring scales, a risk assessment matrix and a heat map, among other factors (Association of Certified Fraud Examiners, 2020[5]). While targeted at fraud risks, the CPD can adapt and tailor its guidance and tools to the corruption risk management practices in the Slovak public sector.

Should the CPD update its guidelines to include practical tools, it may consider developing targeted training activities for government agencies. While representatives from government agencies noted that overall they find the CPD’s training activities to be sufficient, there appears to be an ad hoc approach to trainings within government agencies on the subject of corruption and integrity. For example, one ministry reported that there is a compulsory training module that employees must undertake every two years, whereas in another government agency, this is done every five years. Moreover, the CPD currently does not offer any trainings that focus specifically on using the corruption risk assessment guidelines. While it is in not within the CPD’s mandate to determine the frequency of training modules within government agencies, it can envision developing training activities on the practical tools included in its guidance. This would contribute to the practical application of CPD’s guidance materials in a systematic way. The frequency of such trainings may depend on available resources and other external factors, such as the ongoing COVID-19 restrictions.

A core element of effective risk management is communication, which means the timely involvement of stakeholders to take into consideration their knowledge, views, and perceptions. This risk management principle implies a systematic approach to communication and consultation, sharing information with targeted audiences, and obtaining feedback from relevant parties to shape risk management processes (OECD, 2019[6]). In the Slovak Republic, representatives from government agencies report that while they view the CPD’s co-ordination and guidance positively, there may be room for improvement regarding how they can exchange practical outcomes with colleagues across the public sector on risk management issues. Given that corruption risk management in the Slovak Republic is quite a recent development, the CPD could help establish working groups to bring together those in government agencies that are responsible for carrying out risk assessments. During meetings, participating government agencies supported the idea of such an initiative, which they agreed could improve interactions and sharing of experiences in managing and assessing risks.

Regular exchanges on corruption risk management practices can help enhance individual risk assessments and improve coherence across agencies while recognising the need for tailoring to different contexts. In addition, establishing risk management working groups can facilitate horizontal knowledge-sharing between entities that may not otherwise have the opportunity to share their experiences. This may be particularly beneficial for agencies that are less advanced in their risk management practices. For example, analysis of the existing corruption risk management practices in the Slovak public sector shows that there is variation across government agencies, with some agencies being relatively more advanced in this regard.

Through a working group, these government agencies can share their insights and provide guidance to others on how to effectively implement corruption risk management and undertake assessments. Furthermore, establishing corruption risk management working groups can benefit those government agencies that are not included in the national anti-corruption programme, such as the Anti-Monopoly Office (AMO) and the Supreme Audit Office of the Slovak Republic. While these entities are not directly included in the national anti-corruption programme, interviews with representatives from the AMO showed that the office is committed to implementing corruption risk management, in line with the CPD guidance. As such, corruption risk management working groups can bring together government agencies that may not have other avenues to exchange on these issues, and foster a bottom-up approach to implementing risk management practices.

Bringing together government agencies in this way can also help to promote a harmonised approach to the development of sectoral anti-corruption programmes. In line with the Government Resolution No. 585/2018 for the national anti-corruption policy of the Slovak Republic 2019 – 2023, all government agencies have made a commitment to adopt a sector-relevant anti-corruption programme based on corruption risk analysis. Regarding the application of corruption risk management, at present there are 14 government agencies undertaking such practices, including the Office of Government. The main output of the corruption risk management practices and assessments by government agencies are the sectoral anti-corruption programmes and the development of the national anti-corruption programme led by the CPD.

Within each government agency, the sectoral anti-corruption programmes are developed in line with the national anti-corruption policy, the requirements of ISO 37001 on anti-bribery systems and the corruption risk assessments of the respective agencies. The sectoral programmes are targeted at employees within the agency, as well as employees of partner organisations. The minister or head of the agency is responsible for the anti-corruption programme and the measures it contains. In general, each sectoral anti-corruption programme consists of the following:

• Definitions of relevant terms related to integrity risks or breaches, such as corruption, conflict of interest, integrity, corruption risk.

• The objectives of the anti-corruption programme and how it contributes to corruption prevention within the agency.

• The tasks and measures determined to reduce the scope for the emergence of corruption risks, including indicators to measure results and a timeframe for the tasks and measures to be implemented.

• Monitoring and evaluation activities of said tasks and measures involving organisational units and partner organisations, which are overseen by the anti-corruption co-ordinator, who is required to develop a summary document detailing these activities.

The existing sectoral anti-corruption programmes provide a strong basis for corruption risk management and mitigation measures. However, there appear to be variations in the content and proposed actions of the programmes, with some providing a greater level of detail on identified risks and internal control vulnerabilities. Others, however, are not a comprehensive in nature and appear to repeat sections of the anti-corruption policy. Currently, the CPD regularly provides consultation to government entities that ask for explanation or clarifications concerning the guidelines or sectoral programmes. The CPD also publishes relevant materials on these topics on its website. The CPD does not have the legal authority to force entities to participate in working groups. Nonetheless, the CPD can promote coherence in this process by inviting willing entities to join working groups, recognising the specific context and environment of each government agency when developing the sectoral anti-corruption programmes.

For ACAs, it is essential to promote the activities they undertake to raise public awareness of corruption and the efforts made by governments and agencies to mitigate risks of corruption. The CPD does not make results from its risk analysis public, nor the consolidation of results from the electronic survey, which may hinder awareness-raising efforts. The CPD notes that these results and findings are not made public because the survey and corruption risk management practices are relatively new. However, the CPD also notes that there is a lack of awareness around corruption and fraud risks in the Slovak Republic, and that the public tends not to consider corruption as a pressing issue. Despite this, the CPD notes that fraud and corruption schemes are continuing to evolve, and that it is observing a rise in the number of the following schemes:

• kickbacks and bid-rigging

• avoidance of proper public procurement procedures, such as inflating project costs for goods or services

• collusion between a network of individuals, including those in positions of authority (i.e. members of the police force, prosecutors, judges)

• various form of rent seeking.

Furthermore, the CPD gauges the public perception as somewhat negative towards anti-corruption efforts, which implies that there may be a lack of public support around these efforts. To reinforce the message that there are indeed serious challenges vis-à-vis corruption in the public sector, and to highlight what the CPD is doing to address these challenges, the CPD could develop a communication strategy to raise awareness and inform the public and other stakeholders about its role. The CPD notes that there has traditionally been a formalistic approach to anti-corruption measures in the Slovak Republic, characterised by an over-reliance on sanctions and legal recourse. By developing a comprehensive communication strategy, the CPD can demonstrate its commitment to moving away from this approach towards more effective prevention measures. This is evidenced by the CPD’s role in leading and implementing corruption risk management in the Slovak public sector, and specifically in guiding government agencies in undertaking risk assessments. Box 3.3 provides an example of how the French Anti-Corruption Agency (AFA) developed a communication strategy around its activities.

To engage a wider audience and strengthen communication with the public about corruption and prevention activities, the CPD could consider presenting information and materials in more reader-friendly and innovative formats. For example, Box 3.4 provides examples from other institutions that have developed products that present findings in a more concise and visually appealing way.

The CPD’s corruption risk assessment guidelines stipulate that when undertaking a corruption risk assessment, government agencies should consult a variety of sources to identify internal and external corruption risks. The sources of information that the CPD suggests government agencies can use include the following:

• questionnaire or survey responses

• public opinion polls using Google Forms, for example

• information from media sources including social media

• historical data on corruption risks or trends

• suggestions or findings from NGOs and civil society actors

• findings from audits and inspections

• reports of corruption through hotlines

• results from monitoring and evaluation activities of preventive controls

• information from the ARACHNE IT tool.

The list of potential sources included in the guidelines is comprehensive. However, a number of representatives from different government agencies note that during the corruption risk assessment undertaken in 2020, they did not consider many sources as inputs for the assessment. While some representatives reported using a variety of sources, such as data submitted by relevant units, media reports and internal audit reports. While this government agency noted that the survey is just one input that is used to verify and confirm the results of their risk analysis, in general there appears to be an over-reliance on the survey to inform risk assessments in government agencies. While a key input, the corruption risk assessment can be strengthened by considering a number of other factors and resources. This will be a vital area to address, as the Government resolution No.585 requires central government bodies to implement corruption risk management in order to inform the sectoral anti-corruption programmes. These programmes determine the implementation of control activities, and therefore should be based on strong and robust risk assessment processes, considering numerous data sources. Moving forward, the CPD can seek to frame this issue in a way that communicates to the ministries that the survey is one key input for the risk assessment, but should not be the sole data source. This is in line with the CPD’s guidelines and the extensive list of sources to draw from when carrying out corruption risk assessments.

One of the potential sources listed in the corruption risk assessment guidelines are internal audit reports. Furthermore, the CPD underlines the value of consulting internal audit or inspection reports when undertaking corruption risk assessments, including them in a list of potential sources to draw from. However, representatives from some government agencies reported that they did not consult internal audit reports or liaise with internal audit teams as part of the first corruption risk assessment. One ministry noted that they did consult with their internal audit function when assessing corruption risks, but based on the feedback from other ministries and agencies, this is not yet a standardised practice. Internal auditors’ objective, value-based insights and evidence can help public sector organisations better manage and assess integrity risks. In practice, this involves identifying integrity risk factors in the course of internal audit work and assessing whether these risks are being managed effectively, even if the public sector organisation does not have formal integrity risk management programmes in place. For example, internal auditors can red-flag high-risk areas for integrity breaches such as third-party relationships, outsourced activities or procurement. Audit recommendations to improve the control environment in these high-risk operational areas can improve the organisation’s efforts to prevent and detect fraud and corruption.

While internal auditors should have sufficient knowledge to evaluate integrity risk factors and the management of risks within an organisation, they are not required to have the knowledge or expertise to take on an investigative role. Internal audit’s role with regard to investigations of suspected integrity breaches depends on a number of factors, such as the structure of the organisation and the availability of resources. To ensure that all government agencies undertaking corruption risk assessments can use insights from internal audit teams, the CPD can improve how it communicates about its guidelines and guide agencies on how to effectively engage internal auditors while ensuring their independent and objective assurance. The CPD could also envision including internal audit teams in the corruption risk management working groups, should they be established.

[5] Association of Certified Fraud Examiners (2020), Fraud Risk Assessment Tool, https://www.acfe.com/frat.aspx?id=6797.

[2] Crime and Corruption Commission (Queensland) (2020), Current and emerging corruption risks: opportunities to detect, intervene and prevent corruption, https://www.ccc.qld.gov.au/sites/default/files/Docs/Publications/CCC/Prevention-in-focus-Current-and-emerging-corruption-risks.pdf.

[8] Europol (2020), Public Awareness and Prevention Guides, https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides.

[7] L’Agence française anticorruption (2017), Annual Report 2017, https://www.agence-francaise-anticorruption.gouv.fr/files/files/AFA_rapportAnnuel2017GB.pdf.

[1] L’Agence française anticorruption (2020), Global Mapping of Anti-Corruption Authorities, https://www.agence-francaise-anticorruption.gouv.fr/files/2020-06/NCPA_Analysis_Report_Global_Mapping_ACAs.pdf.

[4] OECD (2020), Public Integrity Handbook, http://www.oecd.org/corruption-integrity/reports/oecd-public-integrity-handbook-ac8ed8e8-en.html.

[9] OECD (2019), Fraud and Corruption in European Structural and Investment Funds: A Spotlight on Common Schemes and Preventive Actions, OECD, Paris, http://www.oecd.org/gov/ethics/prevention-fraud-corruption-european-funds.pdf.

[6] OECD (2019), Tackling Fraud and Corruption Risks in the Slovak Republic: A Strategy with Key Actions for the European Structural and Investment Funds, http://www.oecd.org/gov/ethics/tackling-fraud-and-corruption-risks-in-the-slovak-republic-6b8da11a-en.htm.

[3] United Kingdom Home Office (2016), Bribery and corruption assessment template, https://www.gov.uk/government/publications/bribery-and-corruption-assessment-template.