A comprehensive fraud risk assessment serves as a fundamental tool for safeguarding integrity in European Structural and Investment (ESI) Funds and fulfilling the objectives of operational programmes (OP). Managing authorities (MAs) in the Slovak Republic are required to conduct risk assessments in line with Article 125 paragraph 5, c) of Regulation 1303/2013 and to introduce adequate anti-fraud measures based on risk identification. The regulatory and policy frameworks offer MAs some flexibility in terms of tailoring risk assessments to individual contexts. Indeed, as illustrated in this chapter, the risk management practices of MAs reflect differences in environments, operations and programmes. These differences are particularly pronounced in risk assessments and risk catalogues.

While there is variation in how MAs manage and assess fraud and corruption risks, they face common challenges and share opportunities – such as the need to improve analysis of fraud and corruption risks and the possibility of making better use of data in this process. Developed from OECD interviews and research on the policies activities for risk management and control in the Slovak Republic, this chapter explores actions for the government to enhance its approach to managing and assessing fraud and corruption risks involving ESI Funds, focusing on the following key priorities:

• Priority 1 – Identify relevant risks by sharpening the focus on fraud and corruption

• Priority 2 – Improve the precision and consistency of risk analysis and scoring

• Priority 3 – Enhance the analysis of control activities when conducting risk assessments

• Priority 4 – Make better use of national and external databases and data analytics to assess risks

• Priority 5 – Improve use of the Arachne risk-scoring tool to refine risk assessments.

Three of the four participating MAs formed risk management working groups. These working groups consist of members of different departments in MAs, experts from intermediate bodies (IBs), and representatives from paying units. The primary responsibilities of these working groups are to identify, analyse and evaluate risks; define existing control mechanisms; collect inputs from other units; monitor risks; and take mitigating actions. The risk management working groups generate a risk catalogue that summarises all possible identified risks, including fraud and corruption risks. To inform the risk catalogues, the working groups use historical knowledge and experience from the previous programming period, audit findings and media reports. The respective risk management procedures for different OPs also list several methodologies to support risk assessments, such as surveys and interviews.

The OECD reviewed risk management and internal control policies, processes and procedures, risk catalogues, organisational charts, meeting minutes and other supporting documents from the four participating MAs. The review focused on the design of a fraud risk management framework and its application in the selected OPs. The MAs have established binding procedures for risk management, which articulate a methodology for the risk assessment process. The methodology incorporates guidance from the Expert Group on European Structural Investment Funds of the European Commission (hereafter EGESIF). Programme authorities can refer to EGESIF in several areas, including the overall Management and Control System (MCS), audit strategy, and management verifications to ensure proper implementation of OPs. In particular, guidance from EGESIF, including the Fraud Risk Assessment and Effective and Proportionate Anti-Fraud Measures, provides recommendations on how MAs can establish effective and proportionate anti-fraud measures based on risks (European Commission, 2014[14]).

As a critical first step, the four MAs that participated in the project had set clear objectives for reducing risks and mitigating their impact on strategic and operational goals of OPs. Their objectives included:

• building common awareness and understanding of risks across functions and departments within MAs;

• allocating resources more efficiently based on risks;

• ensuring effective functioning of the MCS in accordance with EU regulations and national legislation; and

• strengthening financial and compliance control processes within MCS to minimise the need for financial corrections.

MAs in the Slovak Republic have also established procedures for risk assessments that include identification of fraud risks. Risk assessment are critical tools for supporting MAs to identify, analyse and evaluate the likelihood and impact of individual risks, as well as interlinkages between risks across organisational objectives. The assessments help authorities to understand threats related to both internal and external environments, and then take stock of control activities and the effectiveness of mitigating actions. In general, risk management working groups in the Slovak Republic follow a similar assessment process, illustrated in Figure ‎2.1.

Risk assessments in practice are not always the linear process illustrated in the figure above. However, it is common for risk identification to begin with an assessment of inherent risks. Inherent fraud risks, or “raw risks”, are assessed independently of relevant controls or mitigation measures. Their assessment typically involves an analysis, either qualitative (e.g. surveys, focus groups, interviews and desk research) or quantitative (e.g. statistical analysis and reviews of statistics and historical data), to understand their likelihood and impact. Identifying inherent risks requires an understanding of the universe of known fraud risks and the risk subgroups specific to each OP or MA. This activity benefits from the engagement of stakeholders with expert knowledge of different functions and sectors. After assessing inherent risks, a critical step is to then analyse and score the “residual risks,” which is the risk that remains after an organisation has attempted to mitigate them in some ways. As part of this step in the assessment process, the likelihood and impact of each fraud risk after taking into account the control activities associated with a particular risk. The result of this assessment informs decisions about whether controls need to be adapted to mitigate risks in relation to a pre-determined risk tolerance, as discussed in more detail below.

The risk management procedures of MAs signal a commitment to meet EU requirements regarding the management of ESI Funds and align with international standards for risk management. Nonetheless, the MAs experience several implementation challenges, particularly with regards to assessing fraud and corruption risks. All four MAs referred to EGESIF when establishing their risk assessment practices, yet their risk mapping processes and outputs differ. Two of the four participating MAs use the fraud risk assessment template provided by the EC, which concentrates on anti-fraud measures. The other two MAs developed more comprehensive risk assessments and catalogues that cover many areas and processes, such as preparation, implementation, and monitoring and evaluation of an OP. These areas are then divided into sub-areas – such as project selection and evaluation, public procurement, application for payment and project monitoring – for which particular risks are detailed. Project partners in the Slovak Republic indicated that these processes were also representative of other MAs. During this review, two key issues emerged:

• A need to distinguish inherent fraud risks from other types of risks and control activities – The fraud risk catalogues are broad and several representatives from MAs confused fraud risks with business risks, or categorised the root cause of risks as the risk itself. For example, some risk catalogues listed “insufficient verification of cost-effectiveness” and “inconsistent performance of expert evaluation” as inherent fraud risks. However, these are deficiencies that signal ineffective control measures or other types of risks. Including them in the inherent fraud risk category generated a lengthy and overly complex list of “risks” within some MAs. In another instance, an MA had difficulty distinguishing between fraud risk schemes and associated red flags. A red flag is a warning sign that fraud may have occurred, or will occur in the future. It is not evidence of fraud, but can draw attention to risks. A fraud risk scheme may be connected with a number of red flags and could require multiple controls. Confusion over risk concepts such as inherent risks, red flags, and mitigating controls indicates a need to increase knowledge for and capacity in application of risk assessment methodologies. Therefore, mistaking red flags and controls for risks can quickly expand risk catalogues. For instance, one OP identified and assessed 167 fraud risks and 327 total risks, including broader strategic and operational risks. Cumbersome, overly detailed risk catalogues require significant time to complete and can impede risk prioritisation while increasing administrative burdens.

• A need to better assess fraud and corruption risks, taking into account the ESI Funds project cycle – The catalogues from at least two MAs do not contain several fraud and corruption risks that threaten projects throughout the ESI-funded project cycle. For instance, these risk catalogues did not identify the various types of procurement risks for contracts tendered and managed by beneficiaries. Missing risks in some MA catalogues reflect the need to build knowledge and awareness of fraud risks and the related anti-fraud measures in specific OPs. The omission of critical risks also reflects the need to integrate different perspectives and competencies into the risk assessment process. During the existing identification phase, the chairperson of a risk management working group sends the members a template of the risk catalogue to fill in with potential risks. The members complete and submit the self-assessment document to the email address indicated within a specified period. The chairperson then creates a single risk catalogue for the OP based on the collective responses. The chairperson evaluates the information and decides whether to propose any new risks to be reviewed. Such survey-based assessments offer some benefits: a large number of employees can access and contribute to the process with fewer constraints, and assessment can be undertaken at a low cost. However, several issues can cause setbacks, such as limited follow-up, risk of misinterpreting responses, and individual responses received in isolation from others. As a result, MAs may miscalculate fraud and corruption risks if they overlook critical fraud and corruption schemes such as avoidance of competitive procurement procedures, collusive bidding, and manipulation of costs.

The existing procedures of MAs can be amended to clarify the concepts of inherent risks, root causes, red flags and control activities. Developing and updating reference materials on common and actual fraud and corruption schemes, along with mitigating actions to detect and prevent risks, can also improve identification of inherent risks. For example, providing information on real cases that show the interconnected nature of fraud and corruption risks, schemes, red flags and control measures can inform the risk management working groups’ activities at the stage of inherent risk identification. To this end, guidance, reference materials and inputs to the risk management working groups could include the following components:

• prominent fraud and corruption risks across all stages of the ESI-funded project cycle, with a description of fraud and corruption schemes at each stage, submitted by managing authorities

• red flags for fraud and corruption risks at each stage of the project cycle, supported by data and indicators that can be used to detect them

• detailed case studies that demonstrate how a particular fraud or corruption operation was carried out, by whom, and how the fraud or corruption occurred

• good practices for preventing and mitigating fraud and corruption risks at each stage of the project cycle, including control measures and activities.

EC guidance places importance on including specific fraud risks identified through knowledge of previous fraudulent cases, as well as commonly recognised and recurring fraud schemes throughout all stages of the project cycle. The EGESIF guidelines on fraud risk assessments includes the fraud schemes and risks that are observed across OPs and EU Member States, including applicant selection, project implementation, and certification of costs and payments (European Commission, 2014[15]). According to EGESIF, MAs should adopt adequate preventive controls and detection measures, undertake thorough fraud risk assessments, provide timely responses to fraud risks and suspicions of fraud, and undertake investigations where appropriate. EGESIF also notes that anti-fraud measures should be proportionate to the risks identified.

MAs mostly adhere to and use the EGESIF guidelines as a baseline when developing risk assessments. Some MAs, however, have missed numerous significant fraud risks and schemes that are outlined in EGESIF and that may affect their OPs. To help focus the risk assessments, the MAs can review the identified risks against the recommended fraud risks in the EGESIF tool, and add other known risks for their specific OPs taking into account the ESI Funds project cycle, as illustrated in Chapter 1. However, it is critical that the MAs avoid simply replicating the risks in EGESIF and taking a “check-the-box” approach. Below are several common fraud and corruption risks identified by the OECD as having been omitted by at least two of the MAs.

Applicant selection stage

• Members of the MA or Evaluation Committees intentionally influence the selection of applications so as to favour certain applicants during shortlist approval and appraisal, influencing other decision makers in the process.

• An entity applies for funding for the same project from several EU funds without declaring multiple applications.

Implementation stage

• A beneficiary avoids the required competitive procedure to favour a particular applicant by splitting purchases, unjustified single source award (when contracts are awarded directly to a bidder without meeting the competitive requirements), avoidance of a tendering process or extension/modification of the contract to elude the re-tendering process.

• A beneficiary favours an applicant/tenderer because of an undeclared conflict of interest, bribes or kickbacks.

• A beneficiary favours a tenderer in a competitive procedure through rigged specifications, leaking bid data or manipulation of bids.

• Bidders manipulate a competitive procedure organised by a beneficiary to win a contract by setting up fake bidders, collusive bidding or creating phantom service providers.

• A contractor manipulates cost claims or invoices to overcharge or recharge incurred costs.

• A beneficiary violates the contract conditions by non-delivery of the agreed project due to the non-existence of products or underperformed operation in relation to the agreement.

• A contractor intentionally overstates the activities of provided personnel to claim them as eligible costs or a beneficiary knowingly claims false labour costs not in line with the contract.

Certification/payment stage

• Expenditure may be validated by a certifying authority that has a connection to the beneficiary, resulting in conflict of interest.

The list above is not exhaustive. Beyond EGESIF, there are opportunities for MAs to update their risk catalogues to focus on the most common and severe types of fraud and corruption risks. The list should not be too extensive: a “reasonable” number of risks is subjective, but as a guiding principle, the risk catalogue should promote a concise overview of material risks linking to the broader objectives for managing fraud and corruption risks with ESI Funds. MAs can introduce other methods of conducting risk assessments and understand the root causes of risks to complement the existing survey-based electronic process. For instance, various tools can support the MAs and OPs to assess internal and external context, as well as the root causes of risks to better understand why a risk occurs.1 Such tools can help to promote communication among stakeholders from different ministries and teams. Similarly, increased use of interviews would also promote engagement with key stakeholders, and allow risk managers to ask follow-up questions, probe for underlying issues, and increase foresight regarding potential future events. Facilitated workshops can foster exchange among experienced participants, potentially uncover hidden risks, and build consensus around risk prioritisation. Chapter 3 delves more deeply into the priorities and key actions for developing skills and knowledge.

The four MAs have a similar risk assessment and scoring process. In general, the risk management working groups within MAs analyse and evaluate the likelihood and impact of risks, and then determine the overall risk level and mitigating controls. The MAs assess several key characteristics of each risk, including:

• the relevance to fraud, taking into account EGESIF recommendations;

• the type of environment from which the risk arises;

• potential risk owners;

• the risk impact, i.e. the degree of severity of the negative impact; and

• the likelihood of the risk.

The OECD reviewed the assessment processes and scoring of the four MAs, and noted several differences that indicate a need for better coherence and consistency of approaches between MAs. For instance, two MAs employ a five-by-five risk matrix, one MA uses a four-by-four risk rating scale, and the remaining MA chooses a three-by-three risk scoring system. A more consistent rating method may better facilitate benchmarking and exchange of good practices concerning risk assessments among OPs. The MAs’ procedures also summarise several techniques of risk analysis they employ – such as risk sensitivity analysis, which explores various possible risk scenarios, and event tree analysis, which is used to evaluate a process and related events that could generate risks. However, the procedures have limited information on conducting these techniques, which contributes to knowledge gaps and inconsistent implementation among MAs.

Current risk catalogues do not contain any detailed analysis for explaining the scores for the two risk attributes. Three of the four MAs only define the likelihood and impact of risks in general terms, without explicit criteria for scoring fraud and corruption risks. In addition, the current methods of risk analysis do not address the interrelationships between risks arising at different stages of the project life cycle. When potential events are correlated, risk managers should assess the combined effect, because the link among risks could alter their likelihood and impact (COSO, 2016[16]). For example, detection of fraud risks, such as tailoring call specifications at the project initiation stage, can often help prevent related risks arising in subsequent stages. In addition, MAs could clarify the extent to which they consider changes in internal and external contexts when assessing risks, and tailor risk rating criteria to the realities of specific OPs. The drivers and root causes of fraud and corruption risks in OPs can depend on a myriad of factors, such as the sector to which the OP relates, the actors involved in its implementation, or even the geographical location of the project.

To build on existing efforts, MAs can provide guidance and develop criteria for scoring fraud and corruption risks. The values assigned to the likelihood and impact are essential inputs for assessing and managing risks. Therefore, clear instructions are critical to ensure that risk profiles are accurate and to promote consistent risk assessments among the risk management working groups. One MA provides a practical example of what the scoring criteria could involve (Table ‎2.1 and Table ‎2.2).

The scoring system above is a simple, but effective, starting point that MAs can supplement with additional considerations of known risk factors for fraud and corruption. For instance, guidance materials can cover additional factors and questions when assessing the likelihood that a fraud risk will emerge, such as:

• Complexity – What is the complexity of activities involved in the process being analysed? Do they introduce any vulnerabilities?

• Vulnerability – How vulnerable is the area in the project cycle to fraud and corruption? Is there obtainable information or knowledge of beneficiaries based on previous projects? Have there been any significant changes made to the funded activities?

• History – How frequently has this fraud or corruption scheme occurred in the past? What do historical risk data indicate?

Two common pitfalls that undermine risk assessments are the failure to include relevant stakeholders in the process, and inadequate consideration of insight from experts who have experience in dealing with fraud and corruption. Effective risk analysis of the impact and likelihood of risks requires dialogue beyond compiling risk scores from working group members. When analysing qualitative information, staff within MAs should document the nature, root causes and drivers of identified risks to support risk scores. Risk management functions can also improve qualitative analysis by drawing upon quantitative data. Priority 3 in this chapter will delve deeper into this issue, exploring practical ways to develop data-driven approaches for fraud risk management.

The MA’s risk management procedures specify that the working groups or another responsible risk management function in MAs should determine whether controls reduce risks to an acceptable level. The MAs determine what is “acceptable” and define their risk tolerances for each risk accordingly prior to the risk identification process. Risk tolerance is a critical concept in risk management. It represents the level of risk that managers are willing to accept after implementing control activities, and therefore it helps to guide officials in their decisions to accept, reduce, avoid or share risks. The institution’s overall objectives and resources are other factors that influence determinations about the level of risk tolerance.

The European Commission’s Guidance Note on Fraud Risk Assessment and Effective and Proportionate Anti-Fraud Measures notes that “all programme authorities should be committed to zero tolerance to fraud, starting with the adoption of the rights tone from the top” (European Commission, 2014[14]). “Zero tolerance” can indeed be a compelling message for promoting the right tone to support a culture of integrity, but risk tolerance serves a practical purpose for assessing inherent and residual risks, as illustrated in Figure ‎2.2 below. In general, all MAs should have a low tolerance or risk threshold for fraud and corruption and should seek to maintain residual or net risks at a perceived level of low (or “very low”).

The MAs state their risk tolerance in their risk management procedures; however, a review of the MAs’ risk catalogues and discussion with officials indicated a disconnect between the stated risk tolerances and control activities. Moreover, for several MAs, some of the controls documented were not appropriate for the identified fraud schemes. For instance, controls like separation of duties or the four-eye principle—where a certain activity, decision or transaction must be approved by at least two people—are at best insufficient and likely ineffective for mitigating the risks of fraudulent applications or collusive bidding. Incomplete or inaccurate assessments of control activities, without proper linkage to risks and risk tolerances, can undermine the risk assessment process and ultimately lead to gaps in treating fraud and corruption risks. Moreover, several MAs do not regularly evaluate controls at all to determine if they are effective. Consequently, the risk management working groups may inaccurately assess the effect of controls in reducing risks, or overlook risks altogether.

Another related challenge facing the MAs is that in some cases control measures are not proportionate to the assessed risk levels. At present, most projects and beneficiaries undergo the same verification procedures and control checklists as part of the compliance-oriented “zero tolerance” regime, regardless of the level of risks. Fraud and corruption risks with greater impact and likelihood do not necessarily trigger responsive, proportionate control measures. To lessen the probability of certain fraud and corruption risks materialising at subsequent stages of the project cycle, it is critical for MAs to assess and monitor the proportionality of controls.

MAs can improve the risk assessment process and the clarity of risk catalogues by ensuring that control measures adequately address the identified fraud and corruption risks. The key action under Priority 2, developing guidance that includes detailed information on common fraud and corruption schemes along with descriptions of mitigating controls, can contribute to this. Moreover, MAs could draw from the experience of other Member States. The OECD conducted a survey on practices for managing fraud and corruption risks in the European Union; 79 programme authorities from the 28 Member States participated. The responses indicated that false declarations submitted by applicants and conflict of interest within evaluation committees, which is responsible for appraising and choosing applications, pose some of the highest risk when selecting applicants. To inform improvements to MAs’ controls in these high-risk areas, they could ensure the following activities, employed by MAs in other Member States, are effectively designed and implemented:

• A standard documented process for the selection of projects based on agreed criteria. Staff with the appropriate skills and experience review the outline and full applications, following the established assessment and appraisal processes. There should be greater scrutiny and review for quality assurance.

• A conflict of interest policy, including an annual declaration and register for all employees, and has measures in place to ensure that these are followed and checked.

• All applications are recorded and appraised in accordance with pre-determined criteria. Furthermore, all decisions on acceptance or rejection are communicated to the applicants.

• The evaluation committee provides advice on whether proposed activities meet strategic needs, provide good value for money, and are consistent with the defined priorities. These discussions are fully documented.

Furthermore, the OECD survey and follow-up interviews with practitioners suggested that manipulation of competitive procurement procedures and submission of fraudulent documents is another high risk, occurring most often during the project implementation stage.2 To mitigate these risks, controls must be specific and targeted to address the various types of fraud and corruption schemes. Practitioners from EU Member States rated the following controls, some of which are reflected in EGESIF, as the most effective means for reducing risk exposure when tendering and managing contracts:

• The MA recommends that at least two staff members sign off procurement scoring documentation, and evidence of tenders is tested during on-the-spot (OTS) checks.

• The MA requires the beneficiary to provide information on the procurement process, including details regarding whoever carried out the tender process.

• The MA performs management verifications before certification and confirms that the beneficiary has adequate controls applied to the procurement process, including bidding procedures.

• The MA is furnished with guidance that clearly contains a requirement for any single source awards (otherwise known as direct contracts) to be reported to the MA with detailed justification.

• The MA seeks further evidence and information regarding any additional works, and tests whether or not these have been awarded correctly during OTS checks.

• The MA ensures a transparent bid process and reviews the operation of related controls for a sample of beneficiaries.

• The MA reviews contract awards and verifies the tendering process during on-the-spot checks for a sample of projects.

Early detection of fraud and corruption risks can enable MAs to implement appropriate and proportional measures that reduce the likelihood of similar issues arising later on in the project. MAs in the United Kingdom, for example, assess fraud and corruption risks, check for relevant controls at all stages of the project cycle and encourage early intervention, which helps to mitigate risks in the later stages of project implementation (see Box ‎2.1). Various measures can be applied in the Slovak Republic to strengthen the detection of fraud and corruption in the preliminary stages of the project cycle. Currently, MAs analyse risks before the final approval of a call for proposals. The risks they consider mainly focus on implementation failures, such as selecting inappropriate conditions of applicant eligibility or excluding value-for-money criteria. MAs risk analysis can account for fraud and corruption risks before approving calls for projects, including assessing conflicts of interest, undermining of merit-based procedures, tailored call specifications and vague criteria. MAs can also introduce additional checks to detect and prevent risks like nepotism and conflict of interest at the project development phase when they score, review and select applicants. At this stage, MAs can also begin to consider fraud and corruption risks that are specific to procurement processes, and identify high-risk partners and subcontractors who may be involved in multiple ESI-funded projects.

Lastly, relevant units from MAs could better monitor and test selected controls, particularly in areas facing higher risks, to verify that they are designed properly and are functioning efficiently. Given the fact that multiple personnel and various entities within and outside of the MAs are involved in risk mitigation measures, there should be clear communication of how to evaluate the effectiveness of controls in the relevant procedures and guidance. The testing of control quality also serves to provide evidence of how effectively controls mitigate risks, which should be properly communicated to all risk owners.

National and external databases and systems can provide insights into fraud and corruption risks across OPs, and provide systemic monitoring and reports for Anti-Fraud Co-ordination Service (AFCOS) network partners. MAs use several systems such as ITMS 2014+ (ITMS), the Irregularities Management System (IMS), procurement databases and company registers. ITMS is a national system that supports ESI-funded projects and serves as a central registry for a project’s monitoring, control, and financial management. The Deputy Prime Minister's Office for Investments and Informatisation (DPMO-II) and the Central Co-ordination Body (CCB) are the owners of this system. Central Contact Point (CCP) OLAF reports irregularities in ESI Funds implementation to IMS based on the data provided by certifying authority (CA) and information recorded by MAs in ITMS. Irregularities are reported to OLAF through IMS on a quarterly and monthly basis in accordance with relevant EU legislation. The Public Procurement Office (PPO) makes available several procurement databases, including a registry of contracts, the profile of contracting authorities, compulsory disclosure of information and a registry of beneficial owners. Company registers feature data on change of ownership and management, financial performance and company assets. The Ministry of Justice maintains and updates the registers.

The detailed information ITMS generates on ESI-funded projects includes irregularities (including suspected fraudulent irregularities), project background, applicable laws/acts, and a probable sum of funds connected to an irregularity. Project managers also use other databases to assist with management verifications. However, the data from these national systems are not extensively used for identifying and assessing fraud risks in the Slovak Republic. And while MAs, CA and other programme authorities apply national tools including ITMS and public procurement databases, they do not do so on a systematic basis. The databases contain information valuable for detecting different types of fraud and corruption schemes. ITMS, for example, can help identify double funding and manipulation of project costs. Data from company registers combined with the registry of beneficial owners can be used to detect risks of conflict of interest. Procurement databases that are not currently being used, on the other hand, could reveal red flags for collusive bidding and manipulation of competitive procurement procedures. Furthermore, system-level risk analysis and reporting related to fraud and corruption risks in ESI funds covering all OPs are not currently undertaken. Nor do MAs share reports or indicators related to fraud and corruption.

Examples can be drawn from other EU Member States to demonstrate how these databases can be used to monitor fraud and corruption risk trends at the national level. In Croatia and the United Kingdom, for example, authorities that maintain the national tools for tracking ESI-funded projects and recording irregularities define granular data fields to capture relevant information, including business processes, sources, sectors, geographical location, beneficiaries, types and causes of irregularities, and resulting fraud. The MAs together with the AFCOS authority review and discuss the aggregate trends and statistical analysis of these cases to identify the riskiest areas in the country. In the Czech Republic, several MAs adopted a common approach to integrating red flags to monitor fraud risks in project management with a mechanism called risk cards. A national system helps these MAs assess and quantify the probability of fraud emerging and the associated impact through the use of a risk card, along with the red flags (PWC, 2018[17]). As a result, each individual project has an accompanying risk profile and a description of the risk management approach, including planned verifications throughout the different stages of a project. The central authorities therefore have access to a holistic view of the total risks based on a selected portfolio of projects.

The OECD recognises a valuable opportunity in the Slovak Republic to review and revise available national tools and data sources, including ITMS, IMS, and public procurement databases consisting of company and beneficial ownership registers. A preliminary mapping of data sources is provided in Table ‎2.3.

As previously noted, the ITMS 2014+ system provides a wealth of data for fraud risk management activities: information on calls for proposals, applications for grants, projects, irregularities, public procurement, suppliers, and requests for payments. No defined plan for taking a data-driven approach to complement existing qualitative risk assessment is in place to guide government entities to extract meaningful data from these sources through analysis, tools or techniques. Consequently, opportunities to utilise data and enhance data analytics for safeguarding ESI Funds against fraud and corruption may be overlooked.

The creation of a data-driven risk assessment plan is critical in enabling MAs and other programme authorities to improve their use of data to prevent and detect fraud and corruption. Furthermore, by improving data governance, data management, and analytics in the context of corruption and fraud risk assessments, MAs can benefit from positive spill over effects to enhance the use of data to advance other objectives, such as identifying and assessing strategic and operational risks.

Data governance can drive the improved use of data to assess fraud and corruption risks in ESI Funds, in particular, the risk identification and analysis stages. When developing a plan for taking a data-driven approach, key areas to take into account include the following:

• Institutional and data governance – Various institutional factors can influence the use of data analytics and the readiness of a government entity such as MA to apply data-driven approaches for identifying, analysing and assessing fraud risks. A plan for improving the use of data, therefore, also needs to consider these major factors and the associated limitations in the long term in order to establish realistic expectations about what can be achieved for the use of data and data analytics in the Slovak Republic. The mandate and policies can show senior management’s support for data analytics and assign clear roles and responsibilities. The top leadership can demonstrate that they value data analytics by requiring data to be presented to make major decisions. Since many stakeholders use systems such as ITMS, consistent and comprehensive data governance needs to provide standards and controls that will help ensure availability, consistency, security and integrity of data. Ongoing measures by the CCB to provide more open data and to enhance data quality can allow better use of structured data from the system. Effective governance enables access to and sharing of data and establishing co-operative relationships among entities, including for example data producers such as the CCB and PPO and data users such as MAs and IBs.

• People and skills – Skills and knowledge to apply appropriate methodologies and analytic techniques are critical. ESI fund authorities can evaluate several criteria including staff backing, people resources and leadership buy-in, to gauge the organisational readiness. Furthermore, data analytics for assessing fraud and corruption risks require inputs from individuals with anti-fraud experience and sector-specific knowledge. For instance, fraud and corruption risks in the education sector can be different from those in the renewable infrastructure sector, where schemes and operations carry distinct levels of complexity. Risk management expertise can also complement the process of integrating data analytics with established risk assessment methodologies. Government entities that employ data analytics on a more advanced level can also informally share good practices with other authorities. One MA recently created an analytical unit to establish good practices of data analysis – an effective way to group resources together to develop the in-house technical capability for analysing data. This new structure also allows investing in specialised staff with training to promote more data-driven risk analysis.

• Technology – Technological infrastructure, tools and software underpin many of the processes for effective data-driven risk assessments (OECD, 2019[18]). The MAs and relevant authorities can co-ordinate and adopt a strategic approach to investment in infrastructure that supports data analytics, aligning investments with objectives. The technology should match the available skills of the staff to employ the tools. Open-source solutions and free third-party tools sometimes can sufficiently meet the needs of technological infrastructure before the personnel move to a more advanced stage of data analytics.

In addition to considering the elements above, a data analytics plan for making better use of data also needs to articulate a concrete application. In the context of individual fraud and corruption risk assessments, data is particularly useful for risk identification and analysis. Defining the specific uses during the risk assessment processes helps to link the plan to specific activities and defines a manageable scope that reflects policies and processes that are familiar to stakeholders. It also allows individual MAs to tailor the plan to their specific contexts for conducting risk assessments. The OECD has developed guidance that identifies good practices to support government entities to conduct data-driven risk assessments to safeguard integrity (OECD, 2019[18]). Programme authorities can draw lessons from the guide for integrating data into their risk assessment processes further. The steps below are not necessarily sequential, and they are often iterative. For instance, objectives can direct the MAs towards a specific source of data for understanding fraud and corruption risks, but issues with data availability or quality can also change the scope of those objectives. Moreover, the steps should be refined based on the selected phase of the risk assessment process. The MAs decisions about when and how to incorporate an analytics capacity within the risk assessment process, such as risk identification, analysis, or scoring, would influence the practical application of these steps. These steps are simplified for illustrative purposes, and are primarily meant as a starting point to inform the strategic thinking of the CCB and MAs in this area:

• Define objectives – The ultimate aim of a data-driven approach is to enhance risk assessments, which can inform decision making – for example, decisions about types of preventive actions to take to respond to risks and adapt controls. Ongoing risk assessments aid in developing questions about hindsight, insight, and foresight so that risks steer the objectives of the data analytics as opposed to having tools and data drive the questions. For example, some questions that data analytics can help answer are the particular suppliers and sectors that present the highest fraud risks, or those phases of the ESI Funds project cycle that appear to pose the greatest corruption risks and why. Data analytics can help MAs establish where risks are and determine with greater confidence the impact and likelihood of the identified fraud and corruption schemes. However, further review, investigation and a court ruling are required to ascertain whether fraud or corruption occurred. The objective of data analytics in risk assessments is primarily preventive, and offers the prospect of detecting high-risk cases for referral (OECD, 2019[18]).

• Identify data needs and sources – Once objectives are defined in alignment with the identified fraud and corruption risks, the next step is to look for the data that will illuminate these risks and locate the related data sources. These sources could be within the MAs, in other government institutions, or be from external, non-governmental organisations. The ITMS and IMS both depend on inputs by the MAs, IBs, CAs, and AAs regarding each project. The source of procurement information on open tenders originates from the publicly open data released by PPO.

• Obtain and understand data and evaluate its quality – The next step involves collecting the data and testing its quality, including usability, consistency, completeness and reliability. This stage is essential for understanding and evaluating data obtained from external entities. Sometimes, the formats of data from various sources can be unstructured or incompatible, a situation that may lengthen the time required for data cleaning. Analysts can apply validation tests to verify and ensure data quality. Any discrepancies should be addressed before moving to the analysis. A third-party service provider – such as for example the ITMS tool – could also perform this step, to ensure the data’s quality.

• Develop an analytical approach and perform the analysis – At this stage, an analytical approach is needed; the plan should describe the data to be analysed, the specific analytics methodologies to be conducted, and the frequency of analysis. The MAs and relevant authorities should plan to analyse all relevant data and design data analytic procedures based on the identified fraud indicators. They also need to determine if analysis should be performed on an ad hoc, periodic or continuous basis. Whenever possible, specific analytic tests can be automated to create efficiencies for future study. Various software programmes can facilitate analyses. These can be simple tools such as Microsoft Access and Excel for analysing the trends of irregularities and potential fraud types. Alternatively, a more sophisticated data analytics team can also use other software programmes (e.g. SAS and open-sourced languages such as R and Python) to process more massive databases and employ complex techniques such as text analysis and predictive modeling. In the Slovak Republic, these suggested opportunities for improving the use of data analytics for fraud risk assessments already comprise the necessary tools for analysis without the need to design new analytical methods from scratch. Therefore, MAs and relevant authorities, including the CCB, can implement the recommended actions with minimum technical barriers.

• Interpret, communicate and act – Finally, MAs need to interpret the results in order to answer the questions set in the initial objectives. Data analytics do not confirm fraud incidents but signal specific cases that are more prone to certain fraud and corruption risks. Furthermore, the results can also uncover patterns and trends, which are useful in assessing risks in OPs and at system level across the MAs. Data visualisation tools such as dashboards, maps and charts can point out areas with higher risks, help communicate the findings, and propel remediating actions at both OP and system levels.

MAs, with the support of CCP OLAF, can conduct periodic statistical analysis of irregularities, suspected fraud, corruption investigations and audit findings to help determine higher-risk areas in various sectors. This analysis can better pinpoint specific fraud and corruption activities or beneficiaries that pose higher risk. To take fuller advantage of insights from audit bodies and with support from the new task force dedicated to fraud risk management, MAs can develop new approaches to compiling and analysing pertinent data from audit reports, and thereby build institutional knowledge and awareness across the national system. This includes gaining insights from the fraud and corruption risks uncovered by the MA, as well as data on how effective their fraud risk management activities and controls have been at preventing and detecting fraud and corruption over time. In the United Kingdom, MAs make use of audit reports to identify common trends in fraud and corruption schemes during the previous quarter, as well as to assess how well their anti-fraud measures are functioning. For example, audit reports for one OP indicated that the MA needed to carry out more rigorous testing and due diligence checks on grant beneficiaries to mitigate conflict of interest risks. As a result, the MA is now testing the conflict of interest registers more frequently. Crucially, analysis of audit data, along with data from other internal and external sources (detection tools, reporting mechanisms, media reports), allows managers to prioritise and take corrective actions where necessary (GAO, 2015[19]).

As discussed, the approach to risk assessments of the four MAs participating in the OECD review is qualitative, based on the perceptions of the risk management working groups and input from key employees. In its guidance, the EC encourages the use of data analytics to enrich the risk assessment process, and in particular the use of Arachne, a web-based tool with data on contractors, contracts, beneficiaries and projects (European Commission, 2014[14]). Arachne became operational in 2013 as a tool to support authorities of EU Member States to identify and prioritise fraud risks, conflicts of interest and irregularities involving ESI Funds. Data sources for Arachne include data from MAs as well as external databases (e.g. ORBIS and World Compliance). In December 2018, according to the EC, 21 Member States used Arachne for 165 OPs, which accounted for 54% of all EU cohesion funding for 2014‑20 (excluding the European Territorial Co-operation objective of the European Regional Development Fund) (European Court of Auditors, 2019[4]). See Box ‎2.2 for more details on the risk data Arachne makes available.

In the Slovak Republic, MAs have actively used this tool since late 2018, and its use is in fact mandated in a methodological note for Arachne prepared by the CCB. MAs supplement Arachne with several other databases, including the ITMS 2014+, IMS, the Early Detection and Exclusion System, company registers and procurement databases. MAs said that the most commonly applied data analytics techniques they use with the support of these systems are traditional rules-based detection and descriptive tests, such as data matching and data mining. Data from ITMS 2014+ are transferred to Arachne and updated every two weeks.

The OECD identified one main area for MAs to improve the use of Arachne for assessing integrity risks. Based on workshops and discussions with MAs, officials said the MAs lacked experience in using Arachne and reported difficulties in interpreting its outputs, which include a multitude of reports and dashboards. During the OECD mission, MAs emphasised the need for more guidance and training on the use of Arachne for detecting, preventing and managing fraud and corruption risks in ESI Funds. Guidance is not completely lacking: for instance, in 2018 the aforementioned methodological note from the CCB explains the baseline functionalities and application of Arachne. However, the note provides limited guidance to support the MAs in the practical use of Arachne to assess risks. Ineffective or inefficient use of Arachne can produce an administrative burden and undermine its adoption and benefits. Additional guidance and training could help to address the knowledge and skill gaps, going beyond functionalities.

Users primarily employ Arachne to assess conflicts of interests and analyse fraud across different processes, sectors and OPs (PWC, 2018[17]). Nonetheless, Arachne has additional potential as a tool for MAs to assess risks. On an aggregated level, Arachne can display historical evaluation and risk trends of an OP to inform risk assessments. EC reports show, for example, that Arachne can furnish statistical analysis and data about the distribution of projects and project costs among risk categories. Moreover, Arachne allows for analysis of the correlation among several factors, including project cost, region, and individual risk scores, and can thus shed light on hidden fraud patterns.

These different types of analyses that Arachne can support underscore the need to set objectives when using it, as is the case with any data analytics tool or technique. One objective for the assessment could be to identify integrity risks in individual project (or among specific) contractors or beneficiaries. However, there are other questions that could shape or complement this objective and therefore lead to different types of analyses. To improve on the existing methodological note, the CCB – with input from the MAs, the Anti-Corruption Unit of the government office and other key stakeholders – can provide additional guidance and training for the effective use of Arachne, with a focus on helping MAs to set objectives as well as practical considerations for assessing integrity risks. This can also include elaboration on the full capabilities of the Arachne tool, such as strategic analysis and management verifications (including administrative and on-the-spot verifications). Pursuant to EU Commons Provision Regulation No. 1303/2013, MAs should include administrative verifications (i.e. a desk review) of each application by beneficiaries for reimbursement as well as on-the-spot checks of operations (European Commission, 2015[22]).

MAs in the Slovak Republic indicated they do not perform a systemic analysis of their respective OPs. Upon request from a Member State, the EC can provide a report with programme analysis of data from each OP, which includes an aggregate review for each risk category as well as the overall risk score for all projects (as described in Box ‎2.2). This use of Arachne can provide an overall picture of risk, and help MAs target further risk analysis and controls. For example, Figure ‎2.3 shows the distribution of projects for an OP in the Slovak Republic by project cost category and overall risk score for the 2007‑13 ESI Fund programming period. It suggests, perhaps counter-intuitively, that costs alone do not provide a strong indication of risk, as the projects with the highest costs have lower overall risk scores than those categorised as low-medium cost (i.e. in the cost range of EUR 10 000 to EUR 100 000).

The report can also provide insights on fraud, reputational, and concentration risk indicators. The latter shows whether a project partner or contractor is involved in more than one programme or project. High levels of aggregated and individual scores in these categories can be a key signal for MAs to focus their attention on them when carrying out control activities.

Overall risk scores offer a useful but incomplete picture of the risks in ESI Funds; MAs should therefore be cautious about relying solely on that score. Indeed, discussions with MAs indicated that they pay the most attention to overall risk scores and that the threshold they follow is their maximum level (i.e. 20, as described in Box ‎2.2). Strict adherence to this score and threshold could lead the MAs to overlook other issues. For instance, projects with acceptable overall scores can present high risks in specific risk categories (i.e. procurement, reputation, fraud alerts and concentration). Guidance for MAs should support analysis of individual risk categories at the operational level, with a focus on helping MAs identify patterns, root causes and linkages among risks. This analysis can support the process of verifying claims for reimbursements, and ensure that any detected irregularities during verification are excluded from expenditures declared to the EC.

MAs are required to undertake OTS checks of operations. When conducting these checks, the EC requires quantitative and qualitative assessments of any irregularities detected in order for the MA to understand the prevalence and severity of risks in other operations that it did not sample. The MA should then take corrective measures (European Commission, 2015[22]). In the Slovak Republic, MAs could make better use of Arachne to support these activities. Discussions with MAs suggested that OTS checks largely focus on conflict of interest and the operations that are checked are decided arbitrarily, with limited consideration of risk data or where the highest risks may lie. Using Arachne for the preparation of OTS checks can allow better targeting of activities as well as more effective and efficient use of resources. For instance, Arachne can help MAs understand whether improper links exist between the beneficiary and contractors, and it can highlight historical trends to elucidate how risks evolve over time as well as fluctuations in risk scores. The OECD also identified one example where a contract was agreed with companies that were barred from being involved with ESI-funded project implementation, which should have triggered questions about the selection process and potentially false statements submitted by the contractor. Arachne can also provide information to MAs about whether beneficiaries own companies with residences in tax havens or have high-risk scores in key categories like procurement. Practical guidance from the CCB and training for MAs can improve identification of such risks and other red flags, drawing on the available data in Arachne. Building knowledge and skills in this area will also rely on close co-operation with organisations from the AFCOS network, including investigation units, Public Procurement Office and police/law enforcement bodies. That co-operation will be vital, as discussed further in Chapter 3.