CORRUPTION RISK MANAGEMENT
CRM Workshop
Integrity & Ethics Unit
14 April 2022
© 2022 MIMOS Berhad. All rights reserved.
CONTENTS
▪ CRM Overview
▪ ABMS Requirement
▪ Establish Context
▪ CRM Process
▪ Risk Documentation
CORRUPTION RISK
MANAGEMENT
OVERVIEW
CORRUPTION RISK MANAGEMENT ("CRM") - DEFINITION
"CRM is a Management Process which helps to:
(i) identify structural weaknesses that may facilitate
corruption,
(ii) provides a framework for all staff to take part in
identifying risk factors and treatments, and
(iii) embeds corruption prevention within a well-
established governance framework"
OBJECTIVES OF CRM
▪ Use as a risk-based management tool for Risk Prevention;
▪ Corruption risk profile / register is developed and
managed through a structured approach:
✓ Identification
✓ Measurement
✓ Control evaluation
✓ Monitoring
▪ Accountability and responsibility for corruption
prevention are defined
WHERE IS CORRUPTION RISK IN THE CONTEXT OF ERM?
Enterprise Risk Management (Enterprise-Wide)
▪ Business Risk
  • Strategic: Country, Regulatory, Tax, Political, Currency, Culture
  • Operational: Procurement, Project management, Quality, IT Systems, HR/ Labour, Policy, Safety & environment
  • Compliance: Regulatory, Internal policies, Laws
▪ Financial Risk
  • Market Risk: Price Risk (interest rate, equity, commodity)
  • Credit Risk: Default risk
  • Liquidity Risk: Funding Risk, Market Liquidity, Budget / Payment
▪ Hazard Risk
  • Physical hazard: Property injury, Fire, Catastrophe
  • Moral hazard: Integrity, Corruption, Fraud, Misconduct
  • Legal hazard: Lawsuits, Litigations
  • Behavioral hazard: Carelessness, Morale
CORRUPTION RISK
MANAGEMENT
ABMS REQUIREMENT
ISO 37001:2016 ABMS
ISO 37001:2016 Anti-Bribery Management System
Section 4.5.1: In conducting the bribery risk
assessment, the organization shall:
a) identify the bribery risks the organization
might reasonably anticipate, given the
factors listed in 4.1: Understanding the
organisation and its context;
b) analyse, assess and prioritize the identified
bribery risks; and
c) evaluate the suitability and effectiveness of
the organisation’s existing controls to
mitigate the assessed bribery risks.
Section 4.5.2 requires that an organization shall
establish criteria for evaluating its level of bribery
risk, which shall take into account the
organization’s policies and objectives.
ISO 37001:2016 ABMS
Section 4.5.3 also recommended that the bribery
risk assessment shall be reviewed:
a) on a regular basis so that changes and new
information can be properly assessed based on
timing and frequency defined by the
organization; and
b) in the event of a significant change to the
structure or activities of the organization.
KEY COMPONENTS OF CRM
(In line with Section 4.5)
▪ Identification: Risk; Root Cause Analysis
▪ Measurement: Impact; Likelihood; Risk Rating (Extreme, High, Significant, Moderate, Low)
▪ Control: Entity-Level Controls; Process-Level Controls; Preventative Controls; Detective Controls; Corrective Controls
▪ Action Plan: Implementation; Progress of Risk Action Plans
▪ Monitor: Reporting; Current Risks, New Emerging Risks
CORRUPTION RISK
MANAGEMENT
ESTABLISH CONTEXT
CRM – OVERALL APPROACH
MS ISO 31000:2018
▪ Establish context
▪ Risk Assessment: Risk Identification, Risk Analysis, Risk Evaluation
▪ Risk Treatment
▪ Monitoring & Reporting
▪ Communication & Consultation
Overview of CRM Process
▪ Define Objectives: Vision, Mission; Strategic Goals; Internal & External Factors
▪ Step 1: Identify potential risks
▪ Step 2: Identify causes, and determine consequences
▪ Step 3: Identify and analyse existing controls and additional controls
▪ Step 4: Evaluate Control Effectiveness
▪ Step 5: Determine Risk Rating
▪ Step 6: Evaluate Risk Rating and Risk Treatment Options
▪ Step 7: CRM Action Plans
TOP DOWN APPROACH TO CRM
▪ Vision/ Mission (OACP)
▪ Strategic Goal / Strategy (OACP)
▪ Key Processes Linked to Strategy
▪ Corruption Risks Impact Key Processes
By linking corruption risks to strategic goals, we are treating corruption risks with the same priority as other significant risks of an organization.
TOP DOWN APPROACH TO CRM – STEP 1 & 2
CRM 01
1 STRATEGIC GOALS
What are the Department’s goals / objectives?
Increase public usage by 20% p.a. Plan, design and implement the development strategy with local government of a high technology park
2 KEY PROCESSES (LINKED TO STRATEGIC GOALS)
Identify the Department’s key process / main activities linked to the Department’s goals / objectives
Project Management (Construction, Procurement)
ISO 37001:2016 ABMS
Section 4.1 Understanding The Organization And Its Context
The organization shall determine External and Internal issues that are
relevant to its purpose and that affect its ability to achieve the objectives of
its anti-bribery management system.
These issues will include the following factors:
a) The size, structure and delegated decision-making authority of the
organization;
b) The locations and sectors in which the organization operates or
anticipates operating;
c) The nature, scale and complexity of the organization’s activities and
operations;
d) The organization’s business model;
e) The entities over which the organization has control, and entities which
exercise control over the organization;
f) The organization’s business associates;
g) The nature and extent of interactions with public officials;
h) Applicable statutory, regulatory, contractual and professional obligations
and duties.
SCANNING THE HORIZON:
Observe the Changes in Internal Factors
“If there are changes in the internal factors, how are these going to impact on the bribery in the organization?”
Internal Factors: People, Strategy, System, Process, Resources, Governance
SCANNING THE HORIZON:
Observe the Changes in External Factors
“If there are changes in the external factors, how are these going to impact on the bribery in the organization?”
External Factors: Political, Legal, Economic, Social, Environmental, Technology
GROUP ACTIVITY
GROUP ACTIVITY – NO.1
Identify Strategic Goals and Key Processes – 20 minutes
Within your group, discuss and present the following:
▪ 1 Strategic Goals of your department; and
▪ 2 Identify the Key Processes critical for your department to
achieve its strategic goals
a) Please use Template CRM01; and
b) At the end of the discussion, present to the class your
results of discussion.
CORRUPTION RISK
MANAGEMENT
CRM PROCESS
THE 10 STEPS OF CRM PROCESSES
1 Define Strategic Goal
2 Identify Key Process
3 Identify Potential Risk
4a Identify Causes
4b Determine Consequences
5a Identify Controls – Existing Controls: Control 1, Control 2, Control 3
5b Identify Controls – Additional Controls: Control 1, Control 2, Control 3
6 Evaluate Control Effectiveness
7 Risk Rating (Impact, Likelihood): Extreme, High, Significant, Moderate, Low
8 Risk Treatment Options - TRAP: Terminate, Reduce, Accept, Pass on
9 Corruption Risk Action Plan
10 Monitoring (Integrity & Ethics Unit)
(Source: SPRM CRM)
CRM FORMS
CRM01 • Strategic Goal, Key Processes & Potential
CRM02 • Corruption Risk Register
CRM03 • Corruption Risk Management Plan
CRM04 • Summary of Corruption Risk
CRM05 • Summary Of CRM Plan
CRM06 • Monitoring: Preparation of CRM Plan
CRM07 • Monitoring: Implementation of CRM Plan
CRM08 • Monitoring: The effectiveness of CRM Plan
CRM09 • Monitoring: Potential of New Risk
Slide labels: For Department; Monitoring by Integrity & Ethics Unit
(Source: SPRM CRM)
TOP DOWN APPROACH TO CRM – STEP 3
CRM 01
1 STRATEGIC GOALS
Increase public usage by 20% p.a. Plan, design and implement the development strategy with local government of a high technology park
2 KEY PROCESSES (LINKED TO STRATEGIC GOALS)
Project Management (Construction, Procurement)
3 POTENTIAL CORRUPTION RISKS (LINKED TO KEY PROCESSES)
Identify the potential corruption risks / activities / main processes that may affect the Department in achieving its goals / objectives
▪ Abuse of power in approving progress payments
▪ Collusion among site managers and checkers to certify non-compliance structure
▪ Bribery to government officials for approval of unsafe building designs
HOW TO IDENTIFY POTENTIAL CORRUPTION RISK
▪ Management Report
▪ Research
▪ Internal Audit Report
▪ Interview
▪ Brainstorming Session
▪ Survey
▪ Assessment
(Source: SPRM CRM)
BRIBERY VS CORRUPTION
BRIBERY
▪ Definition: The act of offering, giving, receiving, or soliciting something of value in exchange for some kind of influence or action in return
▪ Form: Bribery is a form of corruption
CORRUPTION
▪ Definition: A wrongdoing on the part of authority or powerful party through illegitimate and immoral means, which are incompatible with ethical standards.
▪ Form: Corruption includes other dishonest activities such as embezzlement, fraud, collusion, and abuse of power
FORMS OF BRIBES
(Source: SPRM CRM)
CORRUPTION RISK – MACC ACT 2009
CORRUPTION
Does not only involve GIVING and ACCEPTING gratification
There are 4 corrupt offences according to the MACC Act 2009:
1. Soliciting and receiving bribe
2. Offering and giving bribe
3. False claim
4. Abuse of power
(Source: SPRM)
POTENTIAL CORRUPTION AREAS
01- Human Resources Management
02- Information Systems
03- Procurement
04- Financial Management
05- Research & Development
06- Use of the Organisation’s Equipment and Resource by Staff for Personal Purposes
FORMS OF CORRUPTION
1. Bribery
   a) Kickbacks
   b) Facilitation Payments
   c) Charitable & Political Donations, Sponsorship, Travel, and Promotion Expenses
2. Conflict of Interest
3. Collusion
   a) Bid Rigging
   b) Price Fixing
   c) Cartels
4. Abuse of Power/ Function/ Position
5. Embezzlement, Theft and Fraud
6. False Claim
7. Unauthorised Disclosure of Confidential Information
8. Favouritism, Nepotism and Patronage
9. Revolving Door
10. Tax Evasion
(Source: "A Guide for Anti-Corruption Risk Assessment" by UN Global Compact Office)
STEP 4a - IDENTIFY CORRUPTION CAUSES
CRM 02
Risk ID: 01 Project Management
Risk Title: Abuse Of Power In Approving Progress Payment
Risk Description:
Corrupt practices in progress payments. For example, 80% to 90% of the project’s costs were paid to the contractor when it had completed less than 40% of the project. This arises from abuse of power and taking advantage of the weaknesses in VO procedures.
4a CAUSES (Analyse root causes)
1. Lack of monitoring and enforcement of the contract terms. Contractor was not reprimanded for delay and incomplete work. Potentially, conflict of interest involved.
2. Taking the opportunity when the project owner is undergoing a shortage of technical competency to properly inspect and verify the progress of the construction.
3. Taking advantage of the loopholes in VO claims – there is a lack of clear guidelines as to the maximum amount of VO or number of times allowable.
4. Corrupt practices were not reported as there is a lack of trust over the whistle blowing channel.
STEP 4b - DETERMINE CORRUPTION CONSEQUENCES
CRM 02
Risk ID: 01 Project Management
Risk Title: Abuse Of Power In Approving Progress Payment
Company Name: ABC BHD
Department: TELCO Project
Risk Owner: Management Telco
Risk Description:
Corrupt practices in progress payments. For example, 80% to 90% of the project’s costs were paid to the contractor when it had completed less than 40% of the project. This arises from abuse of power and taking advantage of the weaknesses in VO procedures.
4a CAUSES
1. Lack of monitoring and enforcement of the contract terms. Contractor was not reprimanded for delay and incomplete work. Potentially, conflict of interest involved.
2. Taking the opportunity when the project owner is undergoing a shortage of technical competency to properly inspect and verify the progress of the construction.
3. Taking advantage of the loopholes in VO claims – there is a lack of clear guidelines as to the maximum amount of VO or number of times allowable.
4. Corrupt practices were not reported as there is a lack of trust over the whistle blowing channel.
4b CONSEQUENCES
1. Project was delayed – for example a prison project where a 3-year project was delayed for 7 years, abandoned, and needed re-work.
2. Financial loss – Prison Project: additional re-work costs of RM55 mil or 34% more (original costs 165 mil)
3. Poor quality of the project – not fulfilling the safety and security requirements of a prison.
4. Project objective, for example, on providing prison services was delayed or not achieved in time.
Consequences:
▪ Has direct relation to risk appetite
▪ Often link to Key Performance Indicators (KPI)
▪ Will link to impact measurement in step 7
STEP 5 - IDENTIFY CONTROLS
STEP 6 - EVALUATE CONTROLS EFFECTIVENESS
CRM 02
Risk Title: Abuse Of Power In Approving Progress Payment
5a EXISTING CONTROLS
1. Treasury guidelines on procurement – tender selection and awarding (3)
2. Whistleblowing channel for reporting malpractices (4)
3. Guidelines on direct negotiations issued by MOF (1)
4. Integrity pact signed by contractor, but lacks monitoring and enforcement (1,3,4)
5b ADDITIONAL CONTROLS / ACTION PLANS AND TOR
1. To consider legal actions to enforce terms in the integrity pact (recovering costs and termination of contract) (1,2,3)
2. To enhance the trustworthiness of the whistleblowing channel (4)
3. To set up a project technical team before project is allowed to start (2)
6 CONTROL EFFECTIVENESS: Some Weaknesses
Determine controls effectiveness of existing controls in managing a particular risk
❑ Satisfactory
❑ Some weakness √
❑ Weak
7 TERMS OF REFERENCE - SPRM
TOR1: POLICY AND LEGISLATIVE FRAMEWORK
TOR2: SYSTEM AND WORK PROCEDURE
TOR3: CODE OF ETHICS
TOR4: CUSTOMER MANAGEMENT
TOR5: INTERNAL CONTROL
TOR6: DETECTION, PUNISHMENT AND REHABILITATION / CORRECTION
TOR7: RECOGNITION
(Source: SPRM CRM)
STEP 6 – EVALUATE EFFECTIVENESS OF CONTROLS
(Section 4.5.1 (c))
Determine controls effectiveness of existing controls in managing a particular corruption risk
▪ Satisfactory: Controls are strong & operating properly, providing a reasonable level of assurance that objectives are being achieved.
▪ Some weakness: Some control weaknesses/inefficiencies have been identified. No serious risk exposure but improvements are required to provide reasonable assurance that objectives will be achieved.
▪ Weak: Controls do not meet an acceptable standard, as many weaknesses/inefficiencies exist. Controls do not provide reasonable assurance that objectives will be achieved.
STEP 7 – RISK RATING
CRM 02
Risk title: #1 Abuse Of Power In Approving Progress Payments
7 Residual Risk Rating
▪ Impact: Moderate
▪ Likelihood: Moderate
▪ Rating: Significant
Control effectiveness: Some Weakness
Targeted Risk Rating
▪ Impact: Moderate
▪ Likelihood: Unlikely
▪ Rating: Moderate
5x5 Matrix
RISK RATING : CONSEQUENCES / IMPACT (SPRM)
Example Risk Measurement, by factor and consequences / impact level
IMAGE/REPUTATION
▪ Insignificant: Not substantiated, low impact, no news item.
▪ Minor: Substantiated, low impact, low news profile
▪ Moderate: Substantiated, public embarrassment, moderate local news profile.
▪ Major: Substantiated, public embarrassment, high news profile, third party action. Long term damage to public image
▪ Catastrophic: Substantiated, public embarrassment, highly widespread news profile, third party action/ Global media coverage.
▪ Further entries in this row: Escalating customer implications. Attention quickly contained, short term recoverability.
FINANCIAL LOSS (Additional costs/ funding/ wastages/ revenue)
▪ Insignificant: < 5% of initial funds
▪ Minor: Between 6 to 15%
▪ Moderate: Between 16 to 25%
▪ Major: Between 25 to 40%
▪ Catastrophic: Above > 41%
PUBLIC COMPLAINTS
▪ Insignificant: < 5 per month
▪ Minor: 6-10 per month
▪ Moderate: 11-20 per month
▪ Major: 21-50 per month
▪ Catastrophic: >50 per month
LEGAL/ COMPLIANCE
▪ Entries, left to right: Minimal penalties. Moderate fines. Major scrutiny and investigation. Substantial, may include criminal charges. Major scrutiny and investigation.
STAKEHOLDERS - CUSTOMERS
▪ Insignificant: Minimal customer complaints and recovery costs.
▪ Minor: Minimal decline in customer relationships and some recovery costs.
▪ Moderate: Loss or decline of customer relationships and moderate recovery costs
▪ Major: Strained key customer relationships and significant recovery costs and threat to future growth.
▪ Catastrophic: Loss of major customer relationships and serious threat to future growth.
STAKEHOLDERS - EMPLOYEES
▪ Insignificant: Insignificant impact on Department’s ability to recruit and retain employees
▪ Minor: Some impact on Department’s ability to recruit and retain employees.
▪ Moderate: Significant impact on Department’s ability to recruit and retain top performers.
▪ Major: Major impact on Department’s ability to recruit top performers.
▪ Catastrophic: Sustained impact on Department’s ability to recruit and retain top performers.
RISK CONSEQUENCES/ MANAGEMENT EFFORT
▪ Insignificant: Negligible effects. Impact can be readily absorbed through normal activity
▪ Minor: Normal administrative difficulty. An adverse event which can be absorbed with some management effort
▪ Moderate: A serious event which requires additional management effort
▪ Major: Program or project re-design, re-approval and re-do required. Fundamental rework before objective can be met. A critical event which requires extraordinary management effort
▪ Catastrophic: Project or program irrevocably finished; objective will not be met. Disaster with potential to lead to “collapse”
(Source: SPRM CRM)
MIMOS CONSEQUENCES / IMPACT RATING
CATEGORY: CONSEQUENCES/ IMPACTS DESCRIPTION (QUALITATIVE / QUANTITATIVE)
▪ CATASTROPHIC: Disaster/ Extraordinary event with potential to lead to collapse
▪ MAJOR: A critical event which requires extraordinary management effort
▪ MODERATE: A serious event which requires additional management effort
▪ MINOR: An adverse event which can be absorbed with some management effort
▪ INSIGNIFICANT: Impact can be readily absorbed through normal activity
RISK RATING : LIKELIHOOD OF OCCURRENCE
(SPRM / MIMOS)
CATEGORY: RISK LIKELIHOOD DESCRIPTION
▪ ALMOST CERTAIN: The event is expected to occur in most circumstances. E.g. Approximately above 95% chance of occurring in the next 12 months
▪ LIKELY: The event will probably occur in most circumstances. E.g. Approximately below 95% but above 50% chance of occurring in the next 12 months
▪ MODERATE: The event might occur in some time. E.g. Approximately below 50% but above 25% chance of occurring in the next 12 months
▪ UNLIKELY: The event might occur in some time. E.g. Approximately below 25% but above 5% chance of occurring in the next 12 months
▪ RARE: Event occurs in exceptional circumstances. E.g. Approximately below 5% chance of occurring in the next 12 months
RISK RATING
EXTREME, HIGH
▪ Risks with Extreme and High impact and likelihood of occurrence, where the controls are not effective or the causes are from external factors.
▪ Require immediate risk action plans to reduce the exposure of the risk.
SIGNIFICANT
▪ A priority risk with high impact and high likelihood of occurrence.
▪ Require risk action plans to reduce the exposure of the risk if necessary.
MODERATE, LOW
▪ Moderate and Low risks are considered manageable risks, where the controls are working as intended, or the inherent risk is already at a moderate level.
▪ No risk action plans are required.
▪ Continuous monitoring of the controls is important.
RISK RATING – RISK PARAMETERS
Risk Measurement = Impact & Likelihood
Risk Tolerance / Risk Appetite is the amount of risk, on a broad level, that an organization is willing to accept in pursuit of value.
1) Determine the amount of risk an enterprise is able to take
2) Risk tolerance determined up-front with board of directors or those in charge of governance
3) Allow enterprises to have a means to identify which risks are most critical and important for them to focus on and allocate the resources
Diagram labels: Risk Appetite, Likelihood, Impact
STEP 8 – RISK TREATMENT OPTIONS
STEP 9 – CORRUPTION RISK ACTION PLAN
CRM 03
Diagram labels: Risk profile; Risk appetite; levels EXTREME, HIGH, SIGNIFICANT, Moderate, Low
8 Risk Treatment Options: Terminate, Reduce, Accept, Pass on
Cost/ Benefit Analysis
9 Corruption Risk Action Plan
Communication & Monitoring