Effectiveness of Internal Control and Risk ManagementRisk management in practice

Use of integrity risk management in budget organisations in practice.

Review of data provided by the central government body responsible for risk management. Α sample is taken to review practice. The sample organisations include all ministries and the 10 central government agencies reporting directly to a ministry, the Government, or the central budget authority with the largest budgets. Integrity risk assessments have to be conducted within the past 3 years.

Subindicators fulfilled per country

All sample organisations have conducted at least one risk assessment exercise in the past 3 years.

Roles and responsibilities for risk management and for managing integrity risks have been assigned in all budget organisations, in line with the regulatory framework.

All sample organisations have established a system for documenting the results of risk assessments, including as a minimum creating risk profiles or risk registers.

The IA function has reviewed the adequacy and effectiveness of the risk management policies and processes for all public sector bodies within the past 3 years.

The body with direct responsibility for managing integrity risks is not part of the IA function and reports directly to the head of the institution in all sample organisations.

The body with direct responsibility for managing integrity risks is not part of the compliance department or legal counsel in all sample organisations.

Guidance documents on managing integrity risks, including red flags for corruption and fraud risks that are relevant for the entity’s operations, exist for at least half of sample organisations.

Risk assessments for at least half of sample organisations identify integrity risks.

Integrity risk assessments for at least half of sample organisations identify both inherent and residual risks.

Integrity risk assessments for at least half of sample organisations include an examination of existing controls and whether changes are needed in the control environment (i.e. risk treatment).

Integrity risk assessments for at least half of sample organisations apply either a qualitative or quantitative scoring methodology (e.g. risk likelihood, impact and velocity) that enables prioritisation of high versus low risks.