Integrity risks during challenging times

Guidance

For public authorities, chief executive officers and senior leadership teams on potential vulnerabilities that could lead to misconduct and suggested measures to reduce the risk.

Conditions created by the COVID-19 coronavirus pandemic – such as rapid change, social and economic pressures, and organisational reprioritisation – can make an authority more vulnerable to misconduct.

The majority of employees work with integrity. A few, however, may see the current situation as an opportunity to engage in conduct that does not meet an authority’s or the community’s expectations. While we all need to work differently during these times, it should not come at the expense of protecting public resources.

Change management and crisis management approaches that include strong consideration of integrity and risk better prepare public authorities for Western Australia’s social and economic recovery.

We can use American criminologist Donald Creesey’s Fraud Triangle to understand how rationalisation, opportunity and pressure can create an environment of heightened risk.

Organisational systems to detect and prevent misconduct

Usual controls – including checks and balances on systems, processes and work practices – may be weaker, compromised or made redundant with new ways of working. Altered working arrangements may create opportunities for employees, suppliers and members of the community to exploit this changed operating environment, for example where supervision is undertaken remotely or there is increased autonomy in decision making.

Human factors that may increase motivations for engaging in misconduct

Employees and their families, suppliers and those seeking to do business with public authorities may feel pressure to act in a particular way – whether as a result of personal financial concerns or at the request of family and friends. For example, employees may feel pressured to prioritise family members when making decisions. Employees, suppliers and members of the community may use current circumstances to justify their actions, such as, rationalising that this is a time to put their own interests first.

Unique risk identification

In times like this, it is easy to consider risk only in the context of business continuity and emergency response planning. However, an authority’s general risk profile may have also changed, with emerging risks that did not exist only weeks ago.

Senior leadership teams must attempt to identify how their unique risk profile has changed and amend or implement appropriate controls in response. For example, many authorities have moved rapidly to implement remote working arrangements, introducing:

technology risks such as those associated with secure access
specific integrity risks such as increased COVID-19-themed malicious cyber activity, working from home scams and phishing emails.

The Australian Cyber Security Centre suggests “…malicious COVID-19 websites are designed to look legitimate or impersonate well-known organisations, making it difficult for individuals to detect. Cybercriminals use them to install computer viruses onto people’s devices.”

A key integrity risk to manage is ensuring the balance between expediency and proper process. Senior leadership teams may be under pressure to address or eliminate problems immediately, making a full risk assessment impractical. Any deviation from usual processes should be identified early and documented for future transparency.

Integrity risks may change as government recommendations change and where certain arrangements such as remote working persist. To accommodate this, authorities should be prepared to make changes to business processes and practices on an ongoing basis.

Leadership is integral

Tone from the top continues to be important. Senior leadership teams and managers should be visible – in person or virtually. Leaders should reiterate their commitment to integrity promotion and misconduct prevention messages, both internally and externally. They should also reinforce the consequences of not adhering to the authority’s ethical codes and policies. These messages should be short, engaging and specific, and complement other information being provided to employees and stakeholders.

Ethical decision making

People may not feel that it is the ‘right time’ to talk about misconduct when there is a real risk to public health. However, it is important to sustain the community’s trust in public officers who are providing essential services.

For many authorities, decision making may need to be undertaken differently and there may no longer be enough time for usual planning, consultation and engagement. While a regular process may need to be suspended, this does not mean there should be no process at all. While ‘ethical perfection’ in challenging times is largely unrealistic, it is important to document amended processes so decisions and actions can be explained and understood by other employees and the community.

Frank and fearless discussions still need to take place among the senior leadership team. Diversity of thought and using the vast knowledge, skills and expertise that sit around the leadership table remain important ways to make appropriate, proportionate and justifiable decisions.

Employment and employee management

Authorities still need to recruit. Some may recruit at a reduced rate while others, like health and emergency services, need to rapidly increase resources in particular areas. While it might be tempting to ‘shortcut’ established processes when there is a real or perceived urgency, human resources teams need to remain vigilant around new and existing employees.

Prevention measures

Follow integrity screening processes, especially as they relate to qualification and training checks. This is particularly important in fields like healthcare where qualifications and training are essential.
Complete reference checks and collect referee reports to ensure potential new employees are being honest about their work experience and history.
Feature unbiased decision making in recruitment and deployment processes. This includes avoiding conflicts of interest such as favouring family and friends.
Make sound and transparent decisions to discontinue or suspend discipline processes. Decisions must be based on the conduct as opposed to other factors and circumstances, such as a focus on other activities or lack of resources.
Remind new and existing employees of their obligations to operate in line with ethical codes and that integrity remains everyone’s responsibility. This includes always being respectful, displaying personal integrity and taking accountability for their actions.

Finance and procurement

Authorities with a role in distributing funding must be alert to individuals who may seek to take improper advantage of new money, processes and programs.

Authorities’ finance and corporate services areas may be under pressure to conduct ‘emergency’ procurement, agree quickly to contract extensions or variations, award contracts quickly by waiving ‘red tape’, pay suppliers more quickly than usual, rely more heavily on the use of corporate purchasing cards and work around usual due diligence processes for contracting suppliers. All these actions can increase an authority’s vulnerability to misconduct.

Prevention measures

For those managing procurement and contracts, apply regular controls such as:
- following usual financial delegations
- having different incurring and approving officers
- involving at least two people in any significant procurement or contracting process wherever possible and practical
- being vigilant to unusual requests for payments from suppliers or requests to change banking details
- documenting the rationale for any exceptions to, and exemptions from, finance and procurement processes
- undertaking ‘due diligence’ on suppliers, especially those unknown to the authority
- using electronic detection on financial management systems to monitor for irregularities
- control and monitor contract deliverables and expenditure limits when contracts are extended or varied.
Remind employees that purchasing cards are:
- only to be used for work related purchases
- to remain within approved limits unless otherwise authorised
- subject to auditing processes.
Pay close attention to unusual and repetitive expenditure under threshold amounts and services supplied by unknown providers, and advise employees that you will be doing so.
Support those working in finance and corporate services to ensure appropriate accountability in the expenditure of public money.

Assets and public resources

With everyday products scarce in the community, some employees may see it as an opportunity to take advantage of public resources available to them in the workplace. This could include irregular or inappropriate use of electronic devices, basics like kitchen and office supplies, and other portable attractive items. Non-physical assets, like an employee’s time, can also be exploited when there is a perception that managers are not watching as closely.

Prevention measures

Enact usual controls around access to supplies, assets and stocktake regimes.
Remind employees with work-issued resources of their responsibilities and accountabilities for appropriate use and secure storage.

Conflicts of interest and gifts, benefits and hospitality

Undisclosed and unmanaged conflicts of interest are a misconduct risk for authorities and have the potential to be heightened in challenging times.

Employees may be tempted to call on their own supplier and contractor networks to ‘get the job done’. They may also receive pressure from family and friends who have lost employment and are seeking to gain work with authorities via ‘the back door’.

Suppliers, contractors and clients may genuinely want to show their appreciation for work completed or assistance rendered by employees. Remote working may create a perception that it is easier to accept gifts or make promises such as increased access to essential services.

Gifts and benefits (like promises):

introduce a new conflict of interest risk
increase the potential that employees may not be able to make unbiased or impartial decisions
give the perception that employees are giving favourable treatment to certain stakeholders.

Prevention measures to continue

Apply gifts, benefits and hospitality policies and processes at all times.
Ensure employees officers are vigilant with reporting and declaring conflicts to managers.
Declare and manage all conflicts in line with regular processes.
Advise suppliers and those doing business with an authority that the authority has a zero-tolerance approach to fraud and misconduct.
Advise suppliers how to report an employee who seeks a gift or benefit.
Continue to use conflict of interest and gifts, benefits and hospitality registers, and scrutinise them for irregularities.

Pressure from external influences

Members of the community may be more motivated to have their needs met immediately by authorities in challenging times. Employees with discretionary decision making powers or those working in approvals or regulatory compliance areas must be alert to stakeholders who may seek to influence their decisions. This may be heightened where employees feel compassion towards someone’s circumstances.

Prevention measures

Send reminders about integrity from the senior leadership team to particular job groups that may be susceptible to external influences.
Remind clients and stakeholders that proper processes are being followed and decisions made impartially, regardless of the current environment.

Remote work and supervision

Maintaining integrity while working remotely covers some of the personal accountabilities of managers and staff when working remotely. While it has been developed with the current situation in mind, the principles around integrity while working remotely apply at all times. Close management of employees, particularly when working remotely, remains one of the best misconduct detection and prevention tools available to authorities.

Prevention measure

Set directions and expectations through the senior leadership team about working remotely, including reminding employees that their obligations when working remotely are the same as when they are at the workplace.

Recordkeeping

Good recordkeeping is a key way employees demonstrate transparency and ensure their decision making is capable of review. When decisions are being made quickly and things are changing at a fast pace, employees may forget to document complete records about the processes followed and approvals provided.

The State Records’ Office has useful tips about recordkeeping during COVID-19.

Prevention measures

Document key decisions appropriately by, for example, allocating someone to take minutes at emergency/crisis meetings.
Keep corporate recordkeeping systems online and accessible to employees so official records can be stored and accessed, whether from the workplace or remotely.
Enable audit tracking on corporate recordkeeping systems and monitor audit logs periodically to ensure employees are not accessing material without appropriate authorisation.
Remind employees that hard copy records taken off-site while working remotely must be stored securely and returned to the workplace for appropriate filing, retention or disposal.

Reporting frameworks

Authorities may find it difficult to maintain the usual misconduct management and prevention activities, like face-to-face integrity training, with altered working environments. Modifying some controls – rather than abandoning prevention, detection and investigation activities altogether – reduces the risk to your authority.

One of the best detection and prevention tools available to authorities are reports by employees, members of the community or those that do business with the authority.

Employees are an authority’s ‘eyes and ears’ on the frontline, and act as an early warning system to potential integrity issues. This is even more important when things are being done differently than usual.

Prevention measures

Keep internal reporting pathways accessible at all times, including online and anonymous reporting methods.
Remind employees, including those working remotely, of these reporting avenues.
Assess reports and take action as appropriate in a timely way to protect public resources.
Have conduct and standards areas assist managers with managing conduct matters and allegations of misconduct.
Action timely notification of misconduct to oversight agencies.

Recovery and effectiveness of crisis decision making

While it may not be practical for authorities to complete formal risk management processes such as a full internal audit program, senior leadership should continue to identify, assess and manage integrity risks as part of decision making.

Authorities that normalise their control environments as quickly as possible, lower the chance of misconduct occurring.

Once business as usual resumes, authorities should increase resources to identify irregularities or anomalies that may have occurred under the altered working arrangements. It is recommended that an audit process focusing on financial/contractual processes is completed as soon as practical.

A Senate Select Committee will be established to review the Australian Government’s COVID-19 response. The announcement notes “In these uncertain times, ensuring transparency, scrutiny and oversight of the government’s response to the COVID-19 crisis is paramount, if the Australian people are to maintain confidence in the parliamentary system.”

In the same respect, authorities must also be in a strong position to explain reasons for decisions made during this time to ensure public trust is maintained.