Research reports

Good governance in the public sector is the cornerstone for efficient and effective organisational performance and is underpinned by a number of accountability requirements.

Maintaining a workplace culture with strong ethics and integrity is part of a sound governance framework and is fundamental to good organisational performance.

Integrity frameworks provide a systemic and comprehensive approach to examining the management systems and environment which are in place to expose, deter and prevent corruption.

They can help create an understanding about the necessary consistency between a rules and process-based public management system on the one hand, and the influence of an agency’s leadership and culture in shaping people’s behaviour on the other.

This research paper examines the integrity frameworks in place to detect and prevent corruption in Victorian public sector agencies and concludes that corruption and its prevention is generally not on the radar of the responding agencies.

In 2013, the Independent Broad-based Anticorruption Commission (IBAC) commissioned the Australian National University (ANU) to review the
integrity frameworks within Victorian public sector (VPS) agencies.

Agencies were asked to identify and describe their integrity frameworks, and provide factual and documentary examples of potential risks of corruption and the strategies in place to identify and mitigate these risks. Thirty-six agencies provided responses from 54 requests.

The aim of the research was to provide baseline information on current systems and practices used to detect and prevent corruption in public sector
agencies in Victoria.

This paper outlines the VPS agencies’ responses on risk assessment, levels of perceived corruption risk and instances of corrupt conduct, disclosure mechanisms, prevention and detection measures, training, reporting and education of the public.

• Corruption and its prevention is generally not on the radar of Victorian public sector agencies.
• Very few agencies reported having stand-alone, specific anti-corruption risk assessment processes.
• The controls agencies had in place generally related to fraud – specific corruption risks were generally not defined.
• There was little evidence of explicit involvement of senior management in managing or having oversight of corruption measures.
• Most reporting systems or complaints mechanisms related only to suspected fraud rather than the wider issue of suspected corruption, making it difficult for agencies to measure corruption.
• Most agencies were aware of their obligations under the Protected Disclosure Act 2012 (Vic) (PD Act) and had dedicated positions to manage disclosures.
• Less than a third of agencies reported providing education to the public on anti-corruption practices.
• Few agencies had specific education or training programs for staff about corruption risks. 
• Within some portfolio departments, there was a disconnect around who was responsible for anti-corruption measures, making it easier for individuals to potentially exploit governance gaps.
• Agencies generally saw risks to their agency from poor behaviour, but they did not identify these as affecting the service they deliver to the public, or the public’s perception of the integrity of government processes.

Effective corruption prevention systems are generally built on the classification of behaviours, identification of opportunities, assessment of risks, adequate reporting mechanisms, suitable governance arrangements, and most of all the inculcation of integrity as an underlying principle in public sector behaviour and decision making.

Integrity frameworks provide a mechanism for assessing this and are commonly understood to include elements of:

• risk management
• management and commitment
• deterrent and prevention measures
• detection measures
• staff education and training.

In the eyes of the general public, public sector corruption is seen to cover a range of activities and people do not normally distinguish between misconduct, maladministration and corruption.

When they occur, they are all seen as examples of public officials behaving badly, and distinguishing them can be seen as splitting hairs.

However, misconduct and maladministration are usually less serious and can often be precursors to more serious corrupt conduct if undetected.

This is an important distinction to draw out in terms of assessing the public sector’s capacity to prevent corruption. Additionally, corruption as defined by the Independent Broad-based Anti-corruption Commission Act 2011 (Vic) (IBAC Act) involves an indictable offence, which does not (at least generally) apply to public sector misconduct or maladministration (see Definition of corrupt conduct).

This reinforces some of the findings from previous IBAC research which looked at perceptions of corruption by senior public sector employees (graded VPS 6 and above). The research suggested that many senior Victorian public sector employees would have trouble identifying corruption risks, would not know where to report corruption and were not aware of the existence of an integrity framework within their agency.  

Definition of corrupt conduct The IBAC Act sets out corrupt conduct as conduct of any: person that adversely affects the honest performance by a public officer or public body of their functions public officer or public body that constitutes or involves the dishonest performance of their functions public officer or public body that knowingly or recklessly breaches public trust public officer or public body that involves the misuse of information or material acquired in the course of the performance of their role or function, whether or not for the benefit of the public body or person public officer or public body who conspires or attempts to engage in the above corrupt activity. The conduct must, if the facts were found proved beyond reasonable doubt at a trial, constitute an indictable offence. Victorian public sector bodies include government departments and statutory authorities, Victoria Police, local councils, schools and universities, public hospitals, Members of Parliament, judges and magistrates.​​

The survey sought responses from a sample of public sector agencies in order to gain an understanding of their respective integrity frameworks. The 12 questions in the survey asked about:

• risk management and risk assessment with respect to corruption, and an overview of relevant processes and outcomes
• current high, medium and low risk areas for corruption as identified by the risk assessment process
• reporting systems to senior management
• processes for reporting and management of protected disclosures (including welfare management)
• oversight by senior management of anti-corruption measures, and the means of ensuring oversight measures are effective
• specific employees, teams or committees with responsibilities for anti-corruption measures
• specific controls or operating procedures to help deter and prevent corrupt conduct
• education and information provided to the public to minimise opportunities for corruption
• internal reporting systems to enable employees to report suspected corruption
• reporting systems to law enforcement authorities (eg. police) or integrity bodies (eg. IBAC)
• the main ways suspected conduct was identified within the public body over the last three years
• internal training and education provided to employees to help prevent corruption.

Public bodies were also asked to provide details about the size of the agency in fulltime equivalent employees (FTE), the budget for the current year and annual new hires over three years.

Following consultation with a range of agencies, IBAC selected 54 public bodies to receive the survey ranging from major departments to small specialised regulatory and statutory authorities.

Agencies were advised that:

• their responses to the survey would be confidential and that no agencies would be identified
• the survey was not designed to identify individual corrupt activities
• the survey was not linked to any IBAC investigation.

The survey was conducted in September and October
2013. Thirty-six responses were received, with many
agencies supplying additional documents describing
their integrity policies and operational processes.

The responses were analysed using qualitative rather
than quantitative methods. Responses were received
from a range of agencies, and were grouped into
four clusters:

• Tier 1 agencies (six in number) are those with less than 50 FTE, and a budget of less than $10 million (in most cases less than $5 million)
• Tier 2 agencies (13 in number) are those with 50 to 300 FTE, and a budget of $10 to $100 million
• Tier 3 agencies (10 in number) are those with several hundred FTE, and budgets of $100 to $700 million
• Tier 4 agencies (seven in number) are those at Departmental level (with one exception), with budgets exceeding $700 million (all but one had budgets over $1 billion).

The survey asked participating agencies to identify and describe their integrity systems and provide examples of potential risks of corruption and the strategies in place to mitigate these risks. These have been broken into a number of key themes.

Identifying and managing corruption

Behaviour that damages integrity might be classified as any of, or any combination of, misconduct, maladministration, fraud, or corruption. The boundaries are not always clear, and if there is no clarity, then an organisation’s response to protect integrity will not necessarily be well managed and appropriately targeted.

Agency responses demonstrated a nuanced understanding of fraud and theft risks. The comprehensive range of anti-fraud and theft controls that most agencies described seem reasonably well adapted to these sorts of risks. This is attributed, in part, to stated agency compliance with the Financial Management Act 1994 (Vic), (and the Financial Management Framework and Ministerial directions) which require strategies to be put in place to minimise financial misconduct.

Few agencies however, demonstrated an understanding of how public servants might misuse the authority associated with their particular role, whether in relation to regulatory or licensing functions or otherwise.  Some agencies identified broad misconduct risks, but without demonstrating an understanding of the ways in which the identified misconduct might manifest as corrupt conduct.

Agencies were aware of financial misconduct, but less likely to report other behaviours that might contain corruption risks. They were aware of risks to the
agency and poor internal behaviour, but less likely to identify behaviours that would undermine community confidence or behaviours that might lead to or corrupt outcomes from inappropriate service delivery.

The old adage ‘if you don’t know what you’re looking for, you won’t know how to find it’, appears to hold true in the corruption prevention context.

Example Agency A (a tier 2 agency) provided a list of corruption risks which combined aspects of internal management, misconduct and corruption: inappropriate use of confidential information staff acting in the interests of regulated entities,rather than [the agency] inappropriate access to IT systems inappropriate collusion or personal benefits received in the procurement process irregularities or inappropriate benefits to staff through the payroll system staff acting outside their delegated authority staff inappropriately using information or relationships in their employment subsequent to [the agency] inappropriate bias or favourite in recruitment processes conflict of interest or inappropriate use of [agency] resources in the course of secondary employment actual or perceived conflict between the interests of a staff member and [the agency]. This agency is involved in licensing and regulation, areas in which there is significant potential for corruption risks. It is of interest that the agency listed generic risks, that could apply to any agency, and did not identify risks associated with its particular regulatory function, though ‘conflict of interest’ and ‘secondary employment’ might be two ways a staff member can act or be induced to act corruptly in making licensing determinations.

 

Understanding and managing corruption risks

Thirty-three of the 36 agencies provided information on potential risks they had identified. The agencies reported between one and 14 perceived risks, and 202 separate risks were identified. Several agencies reported risks that were unique to their operational context.

The most commonly reported risks and their most common classifications were:

• procurement (medium or high risk)
• breach of IT or information security (medium or high risk)
• financial misconduct by employees (across all levels of risk)
• misconduct relating to recruitment or human resources (low or medium risk)
• theft or misuse of resources by employees (low risk).

Overwhelmingly, the identified risks were related to financial management or procurement, and to the integrity of the agencies’ information technology
capacity and resources, but not to specifically designated corruption risks.

Twenty-eight out of the 36 agencies reported having risk assessment processes, which were mainly directed to financial, audit or fraud risks and related controls.  Only a few agencies reported having stand-alone, specific anti-corruption risk assessment processes, although a slightly larger number of agencies reported having ‘mixed’ assessment systems which dealt with corruption measures, but also with other matters such
as misconduct and fraud.

Agencies generally referred to utilising the Victorian Government Risk Management Framework (VGRM) in their risk assessment activities, but it is noted that the VGRM does not refer specifically to the issue of corruption risks.

Another concern was that in a limited number of cases, agencies indicated that the question of risk assessment or anti-corruption measures was a matter for the portfolio department, and not a matter for particular consideration by the agency (sub-entities).

These responses represent a fundamental misunderstanding of the responsibility of each respective agency, whatever its position in the hierarchy, to take responsibility for the management of corruption risk, and for complying with the relevant integrity framework.

When identified, corruption risks were generally seen as risks to the reputation of the agency, rather than being seen as risks to the agency mandate itself. The risks in most cases were to the bureaucratic structure that is the agency, rather than to the underlying role and functions of the agency.

There is a danger of missing the woods for the trees in the case of an agency which has enormous potential for corruption risks if they simply assess or list their high risks as routine agency risks – IT misuse, procurement irregularities, manipulation of staff entitlements etc.  This can also allow complacency to develop.

 

Detecting and reporting integrity breaches and protecting those who report

The detection of corruption and misconduct comes from three main sources – detection processes such as internal and external audit, reports by employees who have observed or suspected breaches, and reports from stakeholders, suppliers or the general public. The survey did not probe these differences.

Commonly, investigations into corruption were triggered by complaints from members of the public.

The next most common way for investigations to be triggered arose from complaints by managers and complaints from colleagues. Two agencies
indicated that investigations commenced after suppliers reported irregularities in staff conduct
or ordering procedures.

When asked about the main ways suspected corrupt conduct had been identified by the agency within the last three years, few agencies indicated how
many of the instances of reported conduct were subsequently found to have been corrupt or unethical.

A number of agencies reported that their fraud control policy requires the reporting of corrupt or fraudulent conduct. In these agencies and others, staff who report corruption formed the cornerstone of the detection process. However, no agency indicated any way of determining if or when, staff were reporting corruption.

Systems for reporting corruption to senior management generally only referred to the PD Act requirements.  Some agencies identified different bodies or officers as being an avenue for employees to lodge complaints or reports, however these mechanisms generally related to suspected fraud, rather than corruption (eg. audit committees, fraud control officers, fraud
prevention offices, compliance and risk managers).

In larger agencies, individual business units were responsible for maintaining registers about reports, but most of the responses referred to reports of fraud rather than to reports of corruption. However, several smaller agencies provided explicit details as to recording procedures for reports of corruption, with details of escalation procedures to senior management, with a variety of different reporting points and mechanisms depending on the nature of the allegations. However, such detailed procedures and mechanisms directly relating to corruption allegations were very much in the minority.

While most responses referred to the role of senior management in terms of oversight of misconduct issues, there was little evidence of explicit involvement of senior management in anti-corruption measures.

When asked whether agencies had internal reporting systems or procedures to enable employees to report corruption, the responses revealed that, while a number of agencies had developed or were developing protected disclosure requirements, most reporting systems or complaints mechanisms related only to suspected fraud rather than suspected corruption.  The bodies, officers or committees (mainly audit committees) to which such reports were made were not tasked to deal with the wider issue of corruption, but with fraud or financially-related matters.

In relation to mechanisms or systems to facilitate external reporting to relevant law enforcement authorities or to integrity bodies, most responses referred to the obligations to refer protected disclosure matters to IBAC, or the need to report suspected criminal activity to the police. There was overall a lack of specificity as to the reporting of corruption matters, with some agencies referring to the Ombudsman (no longer its role) as well as to IBAC.

Many agencies responded that reporting was a policy requirement. However, the mere existence of a policy does not, in and of itself, mean a lot. It is possible that simply relying on staff to report is an effective way of identifying corruption, but on its own, and without systematic anti-corruption measures in place, it can be a very high-risk approach and will be strongly dependent on organisational cultures and processes.

The reasons people report are many and varied.  These may relate to a desire to conform to policy, an individual’s sense of ethics, or to the level of support they feel they will receive if they make a report. These factors are not always dealt with through the mere existence of an agency policy. 

Agencies were also asked about the processes for the reporting and management of potential protected disclosures, including how the relevant agency ensured that the processes were operating effectively. Even though the requirements for public bodies under the PD Act are quite new, most agencies reported that they were aware of their obligations under that Act.  Most agencies reported having a specific officer or officers with PD Act responsibilities (commonly described as a ‘protected disclosure coordinator’ and a ‘protected disclosure manager’).

Generally, the responding agencies indicated a high level of recognition of the requirements of the PD Act, and provided responses about the making
and handling of protected disclosures, and managing protected disclosures. There were only a few isolated cases of agencies not referring to the requirements of the PD Act, and still referring to the repealed Whistleblowers Protection Act 2001 (Vic).

 

Leadership

One of the most vital elements for any effective anti-corruption system is that senior managers must commit unflinchingly to an ethical culture and to a corruption-free organisation, with dedicated resources and monitoring. This commitment is best defined and described as setting the ‘tone at the top’.

Tone at the top plays an important part in the overall integrity processes and framework in any agency, and effective leadership is essential in driving a commitment to lawful and ethical behaviour. If a public body is to be successful in introducing and maintaining a culture of compliance (which prevents, deters and detects misconduct and corruption), then such top level commitment will very often be a more potent motivating force than any element of compulsion.

It is important that agencies involve senior management in all aspects of oversight and management of anti-corruption measures within the agency.

Most of the agencies surveyed identified that senior management is responsible for issues relating to fraud and corruption risk. The managers specified were those usually involved in the business operations of the agency, with reference to terms like ‘business assurance’ and ‘business integrity’ being featured.

Responses were sought about senior management oversight of anti-corruption measures within each agency. While most responses referred to the role
of senior management in oversighting misconduct issues, there was little evidence of senior management oversight of anti-corruption measures.

The limited number of responses that did refer to senior management oversight in anti-corruption measures mentioned the role of audit committees,
audit and risk committees, risk officers, fraud control officers, or compliance officers.

Information was sought about whether the agency had a specific employee, team or committee with responsibilities for anti-corruption measures.  As noted above, there is a wide variety of different bodies or officers to which complaints can be made (as opposed to having oversight), however, most
related only to suspected fraud, rather than the wider issue of corruption.

There was little evidence (other than for a few agencies) that such officers or committees were tasked to actively deal specifically with corruption prevention measures.

 

Deterrence and prevention

In general terms, there appears to be a high level of compliance by public bodies with the different government requirements to have a suite of deterrent and prevention measures to deal with misconduct, financial management and value for money considerations.

Most agencies reported having developed a range of controls, programs and policies (eg. gifts, benefits and hospitality policies, conflict of interest policies), but there was little evidence that these measures were expressly or specifically linked or related to corruption prevention.

Many of these measures are generic in nature, and while they may play some incidental role in preventing corruption, this is a by-product only, rather than a targeted approach to corruption prevention. Accordingly, unless such policies are adapted to deal not only with misconduct but also protect against corrupt activity, then valuable corruption prevention opportunities will be missed.

Most of the deterrent and prevention strategies used related to fraud and financial matters, though the comprehensive nature of some of these, it could
be argued, cover corruption. Mostly these are based at least in part on the broad guidelines in the Code of conduct for Victorian public sector employees (VPS Code of conduct), which refer in general terms to standards, conflicts of interest, gifts and benefits etc, but with only one reference to corrupt conduct (without further definition) in clause 3.6 of the VPS Code of conduct.

Agency responses demonstrated the following processes were frequently in place:

• gifts, benefits and hospitality policies, including a register of hospitality either offered or accepted
• frequent reviews of financial and human resources delegations
• maintenance of detailed records of private interest declarations
• publications, usually on the agency intranet, of policies such as ethical behaviour, secondary employment
• procurement policies.

Some agencies stated that they had specific codes of practice or standing directions relating to segregation of incompatible duties, user access levels, identity checking for new employees, fleet policies, travel policies, purchasing card policies etc.

Example Agency B (a tier 4 agency) indicated their ‘high risks’ included: improper disclosure of personal information non-compliance with new Payment Card Industry Data Security Standards (ie. information security) identity fraud. Breach of IT and communications security was rated a medium risk. Their controls included: an extensive range of financial controls and policies controls over procurement controls over recruitment processes. These controls clearly implement the Financial Management Act and the associated reporting requirements. However, the controls do not fully reflect the corruption risks the agency faces. This agency is in the infrastructure cluster. The risks identified are internal risks to the management of the agency, and did not identify the harms that could be caused to the community if corrupt practices were occurring.​​

 

Training and education

Staff education

Relatively few agencies reported having specific education or training programs to assist staff to understand what constitutes corruption. Most agencies referred simply to induction training programs on the VPS codes of conduct for public sector employees.

However, as noted the VPS codes contain very little specific information about corruption. In a few cases it appears that new officers were simply provided
with a copy of the VPS Code of Conduct, or had their attention drawn to the existence of material on the agency’s intranet or website.

A few agencies indicated that they were developing fraud and corruption awareness training modules, and some agencies referred to training in relation to the PD Act.

Example Agency C (a tier 4 agency) has a number of high corruption risks and a strong commitment to staff training which includes: staff induction program compulsory e-learning programs which are complementary to understanding the operation of the code of conduct (must be repeated every second year) ethics and values workshops for all executives, delivered in conjunction with the St James Ethics Centre training in procurement requirements to ensure that policies and procedures are followed.

Almost half of the agencies who responded reported no corruption prevention training.

Two agencies commented that it is difficult to measure the effectiveness of training. There seems to be no consistent approaches, nor any clear underlying learning objectives and outcomes. If training is meant to prevent a particular behaviour then effectiveness will of necessity be hard to measure. However, even if the perceived level of corruption and awareness of corruption may be low, the objective should be to enhance integrity and develop better processes rather than to provide simply one-off training during the induction process.

This lack of training is of concern given that IBAC’s previous perceptions of corruption survey of more than 800 senior public sector employees revealed that one-fifth of respondents did not know where to report corruption, and one-tenth of respondents were not aware of the existence of an integrity framework in their agency, or did not know how effective it was.

In particular, employees should be asked to certify that they understand and will comply with the relevant agency policy in relation to anti-corruption. Employees should also be informed about proper procedures and contact channels for guidance, as well as know how to report suspected corruption.

Public education

Only 11 agencies reported providing any kind of ‘educational initiatives’ to the public regarding anti-corruption practices. Of those 11 agencies, nine provided information via their website.

Most agencies simply noted that the VPS Code of conduct was provided on their website. Three agencies mentioned providing information to the public on
appropriate ways to deal with agency staff, while four agencies mentioned providing information on making protected disclosures.

Nine of the 11 agencies provided other sorts of information to the public including:

• instructions to persons or companies submitting tenders of appropriate ways to interact with agency staff, as well as information about transparency and other applicable standards
• information in the annual report
• information on how to make complaints.

Several agencies indicated that their efforts were inwardly focused. In most cases, when information was provided to the public over and above the VPS Code of conduct, its purpose was to avoid financial misconduct or to limit public collusion resulting in financial loss for the agency.

Some of the agencies with tendering standards suggested that the apparent absence of collusion and fraud in the tendering process was evidence of the effectiveness of the information they were providing. No agency reported mechanisms for assessing the effectiveness of the public information or education they were providing.

 

Culture and processes

As previously highlighted, several agencies described robust anti-fraud and misappropriation processes, while not identifying or acknowledging significant corruption risks inherent in their operations. In these cases a culture of integrity is also necessary to complement the processes.

Other agencies, whose functions were inherently high-risk, provided responses indicating a vigorous and engaged integrity culture within the organisation.

One agency noted they were still developing processes in particular areas. Unlike most agencies reviewed this agency had not, at the time of completing the survey, implemented a protected disclosure policy. However, unlike other organisations whose comprehensive suite of policies ‘missed the risks’, those processes the agency currently had in place were highly adapted to the operating context.

There was repeated commitment to integrity as a ‘work in process’, and ‘continual assessment’.  The response demonstrated a genuine commitment to a culture of integrity.

One particular challenge is to work out where in any agency the culture is formed and behaviour is accordingly influenced.

Nobel Prize winner Elinor Ostrom argues the most effective level of governance should be as close as possible to the regulatory object, where ‘participants invest resources in monitoring and sanctioning the actions of each other so as to reduce the probability of free riding’.

The consistent challenge, as identified by Ostrom, is to sort out how far from the ground the rule setting ought to be. If it is too far, it may seem remote and irrelevant, and if too close it may be parochial and insular. In both cases, and unless the balance is right, the results can impact good governance and can damage agency performance.

 

Responsibility and nesting

Several of the agencies that responded were small agencies that sit within a larger portfolio department.  For example several large portfolio departments include a large number of agencies with responsibility for service delivery and other functions. This phenomenon is described as ‘nesting’.

Two themes were apparent from the survey. When agencies are nested there can be a disconnect in terms of effective governance. One agency which had a major service and operational role gave the impression that it did not need to develop any operational plans or special arrangements in relation to corruption prevention as this was a matter for the central portfolio department.

In another survey response, a large agency reported that ‘oversight for anti-corruption measures for the Department is managed by Regional and Executive Services. [The agency] does not have stand-alone oversight, it is managed from a departmental level.’

This agency has a sphere of operation that is highly vulnerable to corruption risk. The agency indicated they did not conduct a risk assessment, did not identify any particular risks, had no staff with responsibility for anti-corruption measures and that records of suspected corrupt or fraudulent activity were maintained only at the portfolio department level. The departmental response however, made no reference whatsoever to the agency in question and the significant risks presented by its operation. Instead, its response focused on integrity risks related to financial practice and tendering matters.

It appears that the portfolio department, rather than driving corruption prevention activities, relied on sub-agencies to undertake comprehensive anti-corruption activities themselves that were then reported upwards. If, as it would appear, certain sub-agencies believe that the portfolio department has responsibility, governance gaps will almost inevitably occur.

Responsibility must be clearly delineated, with those as close to the site of possible corrupt activity involved in the design and implementation of prevention and detection mechanisms. This might mean that agencies participate in the identification and response to particular risks, and it may result in specific but differing anti-corruption frameworks for discrete parts of a large public body.

Higher levels of administration and management should complement local level initiatives, and engage with the specific risk issues within the mandate of the portfolio department.

Nesting by organisations is a practical governance arrangement and need not of itself be problematic.  When nested agencies are properly aligned, there
is limited opportunity to take advantage of the system.  Without alignment, individuals find it easier to seek out opportunities for corrupt activity, and to take advantage of governance gaps.

The clear conclusion drawn from this research is that corruption and its prevention is generally not on the radar of responding VPS agencies. There is considerable awareness of and measures in place to respond to fraud and misconduct, but corruption itself is not a specific focus. This confirms findings from a previous IBAC survey of senior Victorian public servants 

In reviewing Victorian public sector integrity frameworks, it is important to recognise the number, size and diversity of functions undertaken by government agencies. It is also important to appreciate that a number of public bodies, due to their functions or size or a combination of both, may not involve medium or high corruption risks.

However, it will always be important for all public bodies to establish and maintain robust risk assessment processes and to have at least the basic elements of compliance management systems directed to detecting and preventing corruption.

This starts with a strong legislative and policy framework.  The overall range of policies disclosed by the agency responses serve to assist in preventing and deterring misconduct, and may indirectly assist in deterring and preventing some types of corruption. However, there is an urgent need for key policies to be examined, and if appropriate, modified to deal explicitly with the issue of corruption risks, and to reflect greater emphasis on corruption prevention and deterrent measures.

This examination should take place at a whole-of government level, and at the relevant public body level.  This does not mean that there needs to be completely new or discrete documents relating to corruption in all of these policy areas, but rather that the existing policies be suitably adapted to encompass the overall goals of corruption prevention.

At an operational level, all public sector agencies, whatever their status or position within a departmental portfolio or organisational hierarchy, must take specific responsibility for the prevention, detection and management of corruption risks.

This research reinforces that an integrity framework for a public body is essential, and must play a central role in an organisation strategy to prevent misconduct, and to deter, detect and prevent corruption. The integrity framework should be supported by senior management engagement, and must be underpinned by robust cultural and ethical values, which in turn should be embedded in all aspects of a public body’s operations, whether related to planning, design, policy formulation or service delivery. The integrity framework should operate to safeguard integrity, and be designed to strengthen internal public body resistance to corruption.

No matter the size of the public body, the most senior managers should set the ‘tone at the top’ and send clear signals that breaches of anti-corruption policies and codes of conduct will not be tolerated, and that sanctions will be enforced. If the predominant attitudes and behaviours of the senior management encourage a culture of compliance within the organisation, then that ethos will do much to influence the public body’s obligations in relation to corruption prevention.

Internal compliance structures – in the hands of a competent and committed management team – may play a central role in an organisation’s preventative approach to corruption. In particular, risk assessment processes must be alive to the possibility of clandestine, well-concealed pockets of corrupt activity which, if undetected, tend to opportunistically expand and broaden out, implicating both participants and passive observers. People who exploit organisational weaknesses may also adopt new methods of corrupt behaviour as opportunities are closed to them.

Public bodies should be encouraged to adopt risk management practices (at all levels of the agency) which focus on specific corruption risks, with the clearest commitment by senior management to be responsible for compliance management.

Agencies need to develop specific risk assessment processes for corruption detection and prevention, and these processes should complement but not replace other agency processes for fraud or other misconduct risks.

The assessment of corruption risks should not be delegated or ‘shuffled off’ to solitary officers or audit committees remote from senior or upper management, or regarded as a mere mechanical annual exercise.

As effective deterrent and prevention mechanisms are progressively developed throughout the Victorian public sector, it would be expected that over time, presently unsuspected or unforeseen corruption opportunities and activities will be detected and prevented from reoccurring.

IBAC has an important function to proactively assist public sector agencies to improve their systems and processes to prevent corrupt conduct. This paper will inform future work with the Victorian public sector to strengthen their capacity in these areas.