APPLYING THE ENFORCEMENT PYRAMID TO ORGANISATIONAL ...€¦ · Corruption prevention policy Code of conduct Code of conduct – policies and procedures ... Management can be realised

APPLYING THE ENFORCEMENT PYRAMID TO

ORGANISATIONAL CORRUPTION PREVENTION

Paper prepared for the Ethics and Integrity of Government Study Group EGPA Conference, Rotterdam, 3-5 September 2008

Alexandra Mills

Principal Officer (Public Sector),

Corruption Prevention, Education & Research Division Independent Commission Against Corruption (New South Wales) Australia

EGPA 2008 Mills – Not for publication or distribution beyond the Study Group on Ethics and Integrity of Government. 2


BACKGROUND

This paper has been prepared specifically for this EGPA Study Group in the hope that participants will be inclined to engage with the challenge it discusses and some of the possible responses it raises. It is a snapshot of a work in progress by someone engaged in the work of preventing corruption in the context of an anti-corruption agency. Anti-corruption agencies that are established on the classic three-function model have as one of their functions a role usually described as “corruption prevention”. For an anti-corruption agency this is the positive side of the agency’s work and complements the role of exposing corruption by investigation and publicity. The objective and activities of this function can be compared with those of programs described in other contexts as “integrity policy” or “ethics management”. In this paper these terms are used to refer to the same concept. In recent years various models have emerged to describe ways that corruption might be prevented or integrity promoted or ethics managed. These models have been developed for use at the state (or national) level (Transparency International 2006), the city level (Huberts et al 2007) and the organisational level. This paper is concerned with the last of these - so-called organisational integrity systems (OIS). In Australia, public sector entities have had promoted to them several OIS models including a national standard (Standards Australia 2008) and several developed by authorities such as anti-corruption agencies and the auditor-general. Fortunately for Australian public sector managers the models are generally consistent in substance. They are capable of quite diverse visual representation but they generally all include a set of recognisable elements intended to capture common dynamics that are also represented in the OECD’s “ethics infrastructure” (OECD 1996). What these models lack however is guidance about the best way to apply their various elements in a given context. Public sector managers presented with a set of organisational policy initiatives are not always in a position to think long or deeply about implementing them. The political and resource considerations inherent in public sector management can be aggravated when corrupt or improper conduct is at issue. The usual methods for guiding resource allocation and policy implementation decisions such as cost-benefit analysis might be of little assistance in this field where effectiveness measures are scarce and outcomes are diffuse. In such a situation, deciding where to spend limited resources or focus the organisation’s attention can be difficult for managers whose core business is the efficient delivery of a particular public service. The argument of this paper is that no matter how comprehensive and soundly-based these systems may be organisational integrity systems alone will never provide individual public sector agencies with more than a reliable list of organisational activities that they should attend to or apply in order to reduce their vulnerability to corruption and misconduct. Understanding how and when to apply the policy elements that constitute them will require more than the system itself.


This paper summarises the main elements of OIS models promoted in Australia and then discusses the well-known model of the regulatory enforcement pyramid proposed by Ayres and Braithwaite as an option for guiding organisational decisions about the optimal application of the elements that comprise an OIS. The final sections of the paper consider some supplementary measures and suggestions for further work on this topic.

ORGANISATIONAL INTEGRITY SYSTEMS

Content of organisational integrity systems

Integrity systems for organisations, like those developed at national or city levels, articulate a framework of components that together will maintain and promote integrity in a particular context. In Australia a number have been developed by anti-corruption agencies, public audit authorities and a local government association for use in public sector organisations. The Crime and Misconduct Commission (CMC) is an anti-corruption agency in the Australian state of Queensland. It developed an integrity system model in 2001 comprising ten elements in its Fraud and Corruption Control Guidelines: 1. Agency-wide integrated policy 2. Risk assessment 3. Internal controls 4. Internal reporting 5. External reporting 6. Public interest disclosures 7. Investigations 8. Code of conduct 9. Staff education and awareness 10. Client / community awareness The New South Wales Audit Office Strategic Model for Fraud Control (1994) also has 10 elements: 1. Integrated macro policy 2. Responsibility structures 3. Fraud risk assessment 4. Employee awareness 5. Customer and community awareness 6. Fraud reporting systems 7. Protected disclosures 8. External notification 9. Investigation standards 10. Conduct and disciplinary standards The New South Wales ICAC’s D-I-Y Corruption Resistance Guide (ICAC 2002) proposes a model comprising: 1. core elements (values and leadership) 2. code of conduct 3. corporate strategies


4. systems 5. policies and procedures 6. external environment 7. training and development. An Australian Standard, AS 8001-2008 Fraud and Corruption Control, has also been developed with the objective of (Standards Australia 2008: 13): 1. elimination of internally and externally instigated fraud and corruption against the

entity 2. timely detection of all instances of fraud and corruption against the entity in the event

that preventative strategies fail 3. recovery for the entity of all property dishonestly appropriated or secure compensation

equivalent to any loss suffered as a result of fraudulent or corrupt conduct and 4. suppression of fraud and corruption by entities against other entities. The Standard is intended to be more comprehensive than most OIS models which generally aim for the first two parts of this objective only. The Standard includes a statement of twelve “fundamental elements of an integrity framework” (Standards Australia 2008: 26). Its content equates to that found in most OIS models: 1. Integrity framework 2. Example setting 3. Senior management 4. Codes of behaviour 5. Allocation of responsibility 6. Ethics committee 7. Communication 8. Training 9. Reinforcement 10. Benchmarking 11. Reporting 12. Compliance The language of these models may not be consistent but they nevertheless contain common objectives and essential elements. All of the models mentioned include some form of codes of conduct, staff awareness and socialisation, reporting of misconduct, integrating framework or policy statement, internal controls, external engagement and leadership as elements. The majority also include investigation and disciplinary processes, risk assessment and the need to assign responsibility for the system. The combined elements of these OIS models reflect those of an ‘ethics infrastructure’ proposed by the OECD in 1996: • Political commitment • Legislative framework • Accountability and control systems • Codes of Conduct


• Professional socialisation • Coordinating body • Public service conditions A version that distils the common elements of these OIS models might look like: • Code of conduct • Coordinating policy framework • Risk assessment • Responsibility and accountability structures • Reporting • Investigative capacity • Organisational controls • Education, training and socialisation • External communication As a total package the Australian Standard version of an OIS is the most comprehensive of these models. It includes some elements (notably ‘3.Senior management’, 7.Communication, 9. Reinforcement and 10. Benchmarking) that, in others, are either implied or mentioned only in accompanying commentary. As they are implicit in nearly all of the models a more accurate distillation of the various Australian models should include them to produce the following:

ELEMENT MECHANISMS

Risk assessment Risk management plan

Coordinating policy framework

Corruption prevention policy

Code of conduct Code of conduct – policies and procedures

Organisational controls Financial and administrative controls

Senior management Demonstrated commitment to the need for integrity in the organisation in responding to misconduct and adhering to the policy framework.

Responsibility and accountability structures

Documented organisational structure, position descriptions, delegations of authority

External and internal communication

Continuous and regular dissemination of internal information that raises awareness of integrity issues.

Public awareness of the organisation’s role and standards of conduct.

Education and training Ongoing employee and management awareness of code of conduct, policies, responsibilities and accountabilities through training.

Reporting Internal reporting of complaints, grievances and misconduct.

Access to external reporting including whistleblowing management.


Investigation and discipline Established disciplinary process; capacity to investigate and review.

Benchmarking Continuous measurement of the organisation’s performance against integrity standards over time.

Reinforcement Incorporation of integrated ethical standard into performance management

Purpose and operation

In her discussion of organisational integrity models Paine describes the goal of an integrity model as (2003: 96):

To define and give life to an organisation’s guiding values, to create an environment that supports ethically sound behaviour, and to instil a sense of shared accountability among employees.

The ICAC echoes this view describing its model as a ‘framework to integrate corruption resistance strategies into an agency’s usual business and corporate planning’ (2002: 6) with the outcome that ‘an organisation’s operational systems, corruption prevention strategies and ethical standards are fully integrated to achieve the organisation’s purpose’ (ICAC 2001:5). The OECD proposes a similar outcome in terms of ‘control’, ‘management’ and ‘guidance’ (OECD 1996: 27):

Control can be achieved through the following three elements: a legal framework enabling independent investigation and prosecution; effective accountability mechanisms; and public involvement and scrutiny. Likewise guidance can occur though three elements: a well articulated commitment from political leadership; codes of conduct expressing values and standards; and professional socialisation activities such as education and training. Management can be realised through two remaining elements: sound public service conditions based on effective human resource policies; and coordination of the infrastructure by either an existing central management body, department or agency, or a special body. [My emphasis]

The OECD ‘infrastructure’ captures both punitive and aspirational measures with a managerial overlay that provides maintenance and implementation of the system. All of the models aim for this kind of diversity. They combine both sides of the integrity/compliance debate drawing on elements that achieve several outcomes in relation to corruption. They have also been described as aiming for a third dimension to the reduction of corruption that relies on the observable expression of public values in an organisation. Larmour and Wolanin in their introduction distinguish organisational integrity from ‘interventionist’ and ‘managerialist’ approaches to preventing organisational corruption saying that it ‘refers to the integration of an organisation’s operational systems, corruption control strategies and ethical standards’ (2001: xx). It aims to incorporate interventionist


mechanisms such as detection and punishment with managerial ones such as organisational rules and procedures into a system in which ‘dealing with corruption problems is a seamless part of the core business of the organisation’ (xxiii). Application

The systems reviewed here can be used as a checklist or audit tool to identify gaps in the policy framework and encourage continuous application of its elements. The Audit Office model is described as a ‘conceptual, analytical, planning and review tool’ (1994: vol1). The primary role of an OIS, however, seems to be as a policy development tool. They direct an organisation’s managers to the policy initiatives they should introduce to enable the organisation to deal with corruption both before and after it occurs. The Australian Standard, for example, specifically addresses the prevention, detection and response to fraud and corruption (AS 8001:17). The CMC Guidelines are said to ‘present an integrated approach that includes proactive measures designed to enhance system integrity (prevention measures) and reactive responses (reporting, detecting and investigating activities)’ (2005: xi). All of the OIS models mentioned here are accompanied by commentary describing each of the elements they contain and advising about the way they should be implemented. Three main themes run through this advice. The first is that the OIS elements should be integrated. This term seems to have two meanings. One is that ‘integrity measures should not be seen as a separate and distinct activity but rather as an integral part of all management systems’(OECD 2000:19). The other refers more to the coordination of the OIS elements with each other. The CMC advises ‘No one element should be considered in isolation’ and emphasise holistic planning and monitoring of the elements (2005:xi). The ICAC captures both advising that the elements of the framework must ‘work together’ and also that they must be part of ‘an agency's usual business and corporate planning’ (ICAC 2002: 6). Another key theme used by all of these models in relation to implementation is that it should be strategic. This refers to the fact that the models are ‘adaptive and should not be implemented blindly or without regard to the needs and resources required’ by the organisation’s ‘individual requirements’ (AO 1994: 9). The CMC reminds readers that (2005: 3):

Good policy development requires an in-depth knowledge of an agency’s operations, a clear understanding of the relevant issues, and a good grasp of the ethical principles that underpin the policy objectives in each area.

The commentary on the Audit Office model also warns of the dangers of proceeding without the ‘the necessary analysis and evaluation’ or a ‘broader conceptual framework’ for implementation. These include that any action might be counterproductive or undermine other elements of the OIS model (1994:14). Most OIS models identify plenty of hazards of careless or uniformed implementation but include little advice about specific implementation. This is deliberate and the reasons for such an approach are sound. As the Audit Office says (1994:9):


a prescriptive model may tend to discourage agencies from properly and seriously examining their own situation by encouraging a simple compliance response. This would utterly fail in achieving the outcome of chief executives taking proper responsibility for fraud control within their agencies.

In effect these comprehensive policy frameworks identify a set of tools and describe their dynamics and rationale. Specific decisions about which tool should be used and when will not be the same for every organisation. In that event where should agencies look to conduct the ‘necessary analysis and evaluation’ recommended by the Audit Office or to identify the ‘relevant issues’ suggested by the CMC? An obvious answer is a third main theme of the implementation advice in these models - a comprehensive corruption risk assessment. The Australian Standard advises that ‘Adoption of this standard requires an appropriate level of forward planning and application of a structured risk management approach’ (2008:13). Risk assessment is an element of the four Australian models and incorporating corruption and fraud risks into the standard mandatory enterprise risk management system of a public organisation is an essential part of ensuring the OIS as a whole is integrated into its corporate management cycles. It can also help identify parts of the organisation that might be more vulnerable to corruption problems and therefore call for application of specific elements of the standard OIS. Consider the situation of an executive team of a public sector agency that has been allocated funds earmarked for corruption prevention – perhaps following an unprecedented fraud or corruption inquiry. Will they, presented with any OIS model be able to decide between setting up an internal audit unit with highly trained investigators, complaint management experts and data mining capacity or a prevention unit full of educators, policy advisers and analysts? Is an external independent reporting hotline necessary? Should they invest in technology or people? Is it a simple choice between proactive and reactive? Should they select a bit from each of these options or spread the new funds over the entire OIS model that they have picked off the shelf? What if any resources exist to help them make these decisions? A corruption risk assessment will be useful but an organisation new to the world of corruption may need guidance to know where to look and what to look for. Where should the agency look to identify the risks that it should address to prevent corruption? Then once risk areas have been identified how should the elements of the OIS be applied to those risks? REGULATION AND CORRUPTION PREVENTION

The prevention of corruption in governance is still developing as a discipline and does not yet have a unified and coherent policy base to draw on. Rather there are scholars from a number of disciplines working to develop a better understanding of corruption and how to prevent it. Larmour writes about some of these together with the prevention responses that they suggest. He summarises approaches from philosophical, public administration, political, economic and criminological analyses of corruption and refers to the possibility of “others, from anthropology or psychology perhaps, or different theological perspectives, or indigenous traditions” (Larmour 2006: 10). One possibly relevant source that he does not mention is the study of regulation and compliance.


Regulators and those engaged in preventing corruption have much in common. Indeed anti-corruption agencies might be regarded as regulators themselves. Without taking a firm view on that point the common features of these two groups include that they both have a public interest objective whether that is public health and safety or public integrity. Both are concerned with understanding and promoting ways to increase behaviour that conforms to desired standards of conduct and reduce non-complying behaviour. Both activities employ similar tools to achieve their objectives. Traditionally the choice of tools has been between those that deter certain behaviour of one hand and those that encourage, other, behaviours on the other. These approaches are often labelled ‘deterrent and compliant’ or ‘punish and persuade’ (Braithwaite 1992: 92). The distinction is generally consistent with one made between rules-based and values-based approaches to organisational ethics, or integrity, management. Applied to the work of an anti-corruption agency (ACA) this distinction is explicit in the stated functions of most ACAs to both investigate corruption or misconduct and promote integrity1. Any practitioner will say that these are not alternatives and both types of tools must be engaged.

Braithwaite 1993: 87

Integrating these two approaches was one of the goals of the “enforcement pyramid” (originally devised by Ayres and Braithwaite 1992, reproduced here from Braithwaite 1993: 87) which has become a touchstone of modern regulatory theory. The pyramid is a model of the way that regulators can influence the behaviour of regulatees by drawing on both punitive and persuasive methods as required to respond to the conduct of a particular regulatee. The wide base of the pyramid is given to methods that have no penalty attached to them but operate by persuasion. Regulators are expected to work upwards through the escalating ranks leaving the most punitive measures until it is clear that the behaviour of the regulatee is not amenable to any less drastic action.

THE PYRAMID AND ORGANISATIONAL CORRUPTION PREVENTION

This paper considers whether the pyramid model could be used to help the beleaguered public sector executives mentioned earlier to implement an OIS most effectively. Just as 1 ICAC ‘expose and minimize’; CMC ‘fighting crime and promoting integrity’; CCC ‘combat and reduce organized crime and improve continuously integrity in the public sector reducing the incidence of misconduct’.


the pyramid is increasingly popular in regulatory environments the integrity system model is heavily promoted in corruption prevention advice and they have much in common. They both aim to reduce non-compliant behaviour rather than simply punish it and they employ a similar operational method combining punitive and persuasive methods of encouraging compliance. The most attractive feature of the pyramid is that unlike the OIS models discussed here which give little guidance about how their various elements should be applied in any particular context, the pyramid is clear in advocating an escalation approach based on the behaviour of the regulatee in a given regulatory environment. The strategic orientation (as required by the OIS model) of the pyramid comes from this idea that each level is engaged in turn in response to the regulatee’s conduct. A critical difference in the use of these two models is that the pyramid is designed for use by public regulatory authorities not inside organisations. In Australia, the pyramid has been adapted to many regulatory contexts including revenue collection, health and safety and the enforcement of quarantine rules for imports. Applications of the pyramid still usually occur in context of the regulation of an industry or statutory regime such as revenue collection, environmental protection and enforcement of safety standards. The pyramid can be adapted, at least superficially, to the organisational context with few adjustments. The first is the identity of the regulatee. When the regulatory environment is an organisation, rather than a community or industry, the individual employee is the subject of the enforcement pyramid but within a particular context. The second adjustment follows the first. If the regulatee is the employee, then the ‘regulator’ must be the management of the organisation in the form of the supervisors and managers who have the authority to represent the organisation for the purposes of managing compliance. In his application of the Ayres & Braithwaite pyramid to the enforcement of compliance with an organisation’s code of conduct Brien proposed the following model (2001:77):

Incapacitation Deterrent-based penalty Warnings Performance review Persuasion and counselling

Ethical education Code of ethics compliance mechanism Fig 4.1 Brien 2001:77

This pyramid is concerned with the enforcement of a particular regulatory tool, the code of conduct, it does not aim to incorporate the whole of an organisation’s integrity system. An initial attempt to do so could look like the following model which captures the essential principle of diversity, by incorporating both persuasive tools (eg training, counselling) and punitive ones (eg discipline and dismissal). It also allows for escalation in applying mechanisms by beginning with widespread education about rules, reinforced by supervision


of employee compliance with the rules, closer monitoring and, in the event of breach, the capacity to report, investigate, discipline and/or dismiss the employee.

OIS Pyramid version1 Even this pyramid does not include the full range of mechanisms that are articulated in most OIS models or exist in most organisational governance arrangements. Systems for performance management, internal reporting, regular audit cycles, accountability and control are all routine features of organisational governance that, as the OIS models all acknowledge are designed to operate continuously regardless of non-compliant events to which management in the role of regulator might respond with escalation up the pyramid. Not only might this pyramid be incomplete, it still suggests a ‘catching crooks’ paradigm that depends on reactive intervention by the regulator prompted by the employee’s behaviour. As Black says it is ‘trapped in the compliance/deterrence dialectic’ seeing regulators as only either punishing or persuading (2001: 21). She argues that regulators can take on other roles, giving as examples conciliation, education and the importance of building regulatory capacity within organisations. These roles all resonate with the principles of an OIS.

Dismiss

Discipline

Investigate

Monitor

Supervise

Educate


They are also roles that might be labelled ‘preventive’ in Sparrow’s classification of regulatory mechanisms as reactive, proactive or preventive (2000:191-2). Preventative mechanisms such as organisational or work structures and education might be classified as proactive in some contexts. Equally early detection can easily lead into reactive measures. These measures can be seen as part of a continuum that could look like the following:

PROACTIVE PREVENTATIVE REACTIVE

Research/intelligence education structure control early detection investigation penalty

The question to be asked then is whether the pyramid model is bound to be restricted to reactive strategies or can be usefully expanded to include preventive and proactive ones as well? The following model has met this challenge by expanding the middle of the pyramid to include a wide range of mechanisms that exist in the regulatory environment for quality and safety in health care (Healy and Braithwaite 2005: S52).

Regulatory pyramid and examples of safety and quality mechanisms (Healy & Braithwaite 2005: p S57).

It draws in elements of the regulatee’s environment that can work in reactive, proactive and preventive ways suggesting that the pyramid can be used beyond the paradigm of the reactive interventionist regulator. Several of the mechanisms included have parallels in an


OIS including – education, clinical protocols and guidance, performance contracts, disclosure, clinical governance, protection for whistleblowers and clinical audit. The way these mechanisms are ordered might also be instructive for a public sector agency. The pyramid progresses from broad base to narrow peak according to the degree of regulatory intervention required as well as the likely scope of its application. In an organisation the mechanisms at the lower levels of the pyramid will apply to all employees. Mechanisms are being operated in the absence of any known misconduct for the purposes of promoting organisational integrity, an ethical climate or corruption resistance (depending on which OIS model is being implemented). They will continue to apply to all employees even as some employees begin to move up the pyramid. Based on this example, the next version of the organisational integrity pyramid would appear as:

OIS Pyramid version 2

Dismiss

Discipline – counsel, suspend,

demote

Investigate/ report

Monitor/ check supervise, apply controls, report

Manage implement organistional design, policy frameworks and procedural standards

Raise awareness Educate, socialise, research, increase knowledge


The next consideration in applying the pyramid to OIS mechanisms is how the escalation process would actually work. Black maintains that ‘compulsory escalation’ up the pyramid is too simplistic and rigid for most regulators (2001: 20) and this may be the case in many organisations. The infinite nuance and complexity of organisational behaviour calls for the maximum discretion that might legitimately be allowed in the circumstances. Nevertheless the purpose of our present exercise is to find ways to guide managers’ decisions about applying OIS mechanisms in their organisations and the concept of escalation is one useful way to consider what a strategic application of and OIS might look like. The following table tests the adapted pyramid with a worked example of an organisational response to an employee’s undeclared conflict of interest in an organisation. It is a simple, and hypothetical, example but it shows demonstrates that the pyramid is capable of modelling a relationship between the regulatee-regulator even when it exists inside an organisation and engage preventative as well as reactive mechanisms. The OIS mechanisms that are employed appear in italics. Objective Example

Level 1: Raise awareness

A new employee receives an induction that includes a copy of and training in the code of conduct that refers to conflicts of interest procedures.

Level 2: Manage

The employee goes to work in the organisation’s procurement division and is consequently subject to the organisation’s conflict of interest procedures which require disclosures of conflicts of interest (potential, actual and perceived) as a standard declaration in all purchasing documentation submitted for approval.

Level 3: Monitor and check

The manager of the procurement division authorises purchases based on the documentation submitted and reviews any conflicts disclosures made.

The database of conflict of interest declarations are reviewed by the designated conflicts of interest officer on a regular basis. The organisation’s internal audit program conducts a 2 year cycle of file audits that includes procurement records.

Level 4: Report and investigate

The organisation has a confidential internal reporting system for employees to report improper conduct that breaches proper procedure. An allegation that the employee has awarded a contract to a related contractor is received this way. The organisation’s internal investigations staff investigate the allegations with reference to the informant, the conflicts database and the audit report and establishes that the allegation has substance.

Level 5: Discipline

Based on the findings of fact (eg, small amount of money, no direct personal benefit, the related contractor met the specifications) the employee is formally warned and demoted.

ALTERNATIVELY, OR IN THE EVENT OF REPEATED CONDUCT …

Level 6: Dismiss

Based on the seriousness of the conduct the employee is dismissed from the organisation.

In this example the actions of the regulator employer become more specific to the individual employee at each level of intervention. Measures at the first level apply to all employees. Those at the next level apply to those working in procurement and so on until the persistent perpetrator is punished.


It appears then that the principle of escalation of regulatory actions that characterises the pyramid has at least some application as a strategy for implementing an OIS. The other implementation themes of integration and risk assessment have yet to be answered. Because it also incorporates diverse mechanisms that are both preventative and reactive into the OIS Pyramid 2 might also be described as integrated. However the presence of both types of mechanisms may not indicate an integrated strategy just a ‘balanced’ one that ‘specifies a mix of tools and resource allocations among them, it does not normally coordinate or integrate the work of the different tools, nor organise them around any specific risk’ (Sparrow 2000: 195). In contrast ‘An integrated compliance strategy (problem-solving approach) organises the tools around the work, rather than vice versa’ (Sparrow 2000: 201). The integration of strategies on the basis of identified risks is a principal objective of OIS models so should also be an essential feature of a pyramid-shaped OIS. Sparrow emphasises the importance of understanding the problem to be solved before applying any tools to address it. This approach is consistent with the OIS models which strongly advocate conducting corruption risk assessments before implementing an OIS. Both the Australian Standard on Fraud and Corruption Control and the CMC OIS include step-by-step guidance for applying risk management principles and processes to preventing corruption. They refer to the Australian Standard on Risk Management (AS/NZS 4360) which proposes a generic risk management process of five steps (AS 8001-2008: 31): • establish the context; • identify risks (what can happen, when, where, how and why); • analyse risks (to determine the level of risk); • evaluate risks; and • treat risks. Enterprise risk assessment and management is mandatory in most Australian public sector agencies and the Australian Standard is widely used. The use of this process to identify and manage risk to an organisation from fraud or corruption, however, is not common. Advice about exactly what and where a corruption risk might be is difficult to find. All steps of the risk management process might be applied in a corruption risk assessment but the points at which knowledge about corruption and corruption prevention is needed are in establishing the context, identifying risks and treating risks. Like other implementation advice in the OIS models the guidance provided for risk assessment is not specific to organisations or even types of organisations. If risk assessment is to be used to help our executive team to apply an OIS to their corruption problem – or even to understand the nature of their corruption problem - they will need a lot more information than is found in an OIS or envisaged by the pyramid. Corruption risks also pose particular difficulties for which intelligence and specific information are essential proactive prevention tools. Sparrow mentions three classes of risk that can apply to corruption that make it particularly difficult to uncover and address.


Corruption is sometimes regarded as one of the ‘invisible offences’ like ‘extortion, gambling, prostitution, drug dealing’ that are notoriously underreported by victims. Like organised crime it often involves ‘conscious opponents’ who work hard to make their actions undetectable. Corruption can also be ‘catastrophic’ especially for an organisation or where public safety is affected (2000:272-278). In the form of corruption these risks are best addressed by early intervention techniques and encouraging people to report them (Gorta 2001: 19-24) but understanding them requires good quality intelligence and information. Another type of useful knowledge that employers may find hard to obtain is personal information about their employees. Black notes the pyramid relies on the regulator having extensive knowledge about the regulatee in order to effectively escalate regulatory responses appropriately. It is especially problematic at an organisational level not because, as in most regulatory relationships, the perpetrator is remote, but because of the limits on the extent to which employers can impose conditions without regard to privacy or anti-discrimination considerations. (An exception would be employees in roles that are highly exposed to corruption risks such as investigation, security or enforcement.) Black cites the taxonomy proposed by Kagan & Scholz of perpetrators as either ‘amoral calculators’, ‘political citizens’ or ‘organisationally incompetent’ adding her own ‘irrational non-compliers’ to the mix (2001: 9). There are similar theories that characterise potential perpetrators (or regulatees) in the organisational context. Warren (2006: 132) has proposed an analysis of employees who are non-compliant with an organisation’s rules due to: • ignorance about rules, • ignorance about rule application (whether a rule applies to them), • opportunistic non-compliance (eg amoral calculators) or • principled non-compliance (eg political citizens). The Knapp Commission inquiring into the New York City Police distinguished between types of corrupt police officers as follows (Newburn 1999:12):

The meat eaters are those patrolmen who... aggressively misuse their police powers for personal gain. The grass eaters simply accept the payoffs that the happenstances of police work throw their way ....

Classifying perpetrators is imprecise, subjective and can amount to little more than an academic parlour game. In practice it is particularly difficult for a regulator to acquire sufficient reliable information about regulatees to classify them in advance of any conduct which is the time it would be most useful to the executive team tasked with allocating their corruption prevention budget. Some perpetrators are easily classifed. For example, a brothel inspector who received bribes and other benefits had been able to operate with little systemic oversight agreed in similar evidence that he thought his corrupt dealings would not be detected (ICAC 2007:29). Another public official who was found to have appropriated $400 000 for himself by selling his employer’s decommissioned electricity transformers gave similar


evidence that indicated that he was an amoral calculator who believed he could act with impunity (ICAC 2003: 24:

Well when I first took over and – and – not only in this area but in a whole host of other areas in the organisation, there were things that went on that – that were very inappropriate and I guess at a stupid moment in my like, I – I thought, ‘Well I can get away this’ and I did it.

Others are not so clear cut and may fit more than one category simultaneously. Even if perpetrators’ evidence about the reasons for their actions is available it may be self-justifying or rationalising. A Government Minister in one ICAC inquiry explained his non-compliance with rules governing the use of stationery and other resources by saying (ICAC 2004: 23):

I started out in Parliament working out of my own home off the kitchen table and interviewing people in the lounge room, and I’m probably a dinosaur. I just continued to do things in the way I’d done and I just didn’t keep up, I’m sorry. That’s the truth of the matter …

He might have been non-compliant as the result of ignorance with the rules but was he also an amoral calculator, political citizen or organisationally incompetent? If so, what does this mean for the design of a corruption prevention strategy? Finally the available categories of regulatee might be inadequate encouraging them to be applied in an artificial or inaccurate way. For example, it would be difficult to classify the perpetrator who had advanced undetected through senior management positions for five years on the basis of forged qualifications and gave evidence that he continued to include his false qualifications in job applications largely because eventually ‘I had painted myself into a corner which became very difficult to extract myself from’ (ICAC 2003:14). This perpetrator may even fit more than one classification. Despite the difficulties and hazards of doing so, understanding why individuals fail to comply is useful in deciding how best to prevent such non-compliance. Classifications of perpetrator types will be useful to most organisations simply by raising awareness that there can be many types of perpetrators in a single organisation and using this awareness to select appropriate risk strategies. However, broad classifications that have some cogency in the particular regulatory environment will help to apply regulatory tools most effectively. Larmour & Wolanin (2001: xvii-xviii), for example, divide ‘most people who work in organisations’ into three groups, those who: • want to do the right thing and need varying degrees of guidance about what the right

thing is to do • are too timid to take the risk of operating outside the rules and limit any deviance to

technical, sometimes clever, compliance with rules • will operate outside the rules entirely regardless. The AQIS enforcement pyramid (Commonwealth of Australia 2007) uses similar classifications to explicitly make connections between regulatory tools and regulatees.


Ref: QUARANTINE LAWS AND THE ROLE OF AQIS Commonwealth of Australia May 2007

Perpetrator information need not be only predictive. Information about perpetrators can also be collected after the detection of a corrupt event as part of analysis of how and why particular incidents of corruption (or ‘near misses’ in the safety parlance) occurred and used to inform risk management strategies and tailor the application of an OIS. Perpetrators are not the only source of corruption risks in an organisation. One of the criticisms often directed at the rational actor-deterrence model of crime (and corruption) prevention is that it assumes perpetrators to be acting in a vacuum making decisions to act without significant influence of the context in which they operate. In fact, contexts carry both opportunities and incentives for corrupt conduct. They can also affect regulatory effectiveness as a survey that asked organisational ethics officers about ways of integrating organisational ethics and compliance programs concluded (Joseph 2001:55):

… there is no single most effective model for integration. This does not imply that all approaches are equal. Rather, program success seems to depend on an awareness of best practices and an ability to choose those most appropriate for one’s organisation. In other words program effectiveness often depends on context. Adding to the challenge, effectiveness often becomes a moving target as organisational priorities shift. … Effective programs will have to fit their organisations by evolving and changing along with them.


Black (2001:23) suggests four contextual factors that can affect regulatory effectiveness: the legal framework, the broader context, organisational practices and relationships between regulator and regulatee. At the organisational level these factors can be adapted to: • the quality of the organisation’s policies and procedures, • the environment in which the organisation operates such as industry, government

policy framework, social and economic changes, • the organisation’s operating norms and practices, and • the way managers manage their staff and the organisation. This list is supported by scholars in other fields. The management and implementation literature abounds with work emphasising the importance of the design and appropriateness of rules (National Audit Office 2001; Brien 2002; Dimitrakopoulos & Richardson 2001) and the choice of internal controls (Snell and Youndt 1995; Candreva 2006) in an organisation. Similarly the influence of an organisation’s operating environment has been analysed by theorists and practitioners alike (Clinard 1983; Grabosky 1989). The impact of an organisation’s operating norms on employee conduct is a more complex issue. It has been explored in terms of the ethical climate (Victor & Cullen 1988) or culture (Thorne & Jones 2006) of an organisation. Operating norms and practices can be systemic like workarounds that may become the ‘active failures’ and ‘latent conditions’ that contribute to many kinds of adverse events in organisations (Reason 2000: 769). Some norms and practices become the kind of ‘under the radar behaviour’ that might constitute invisible risks such as withholding effort, or shirking, in the workplace (Bennett & Naumann 2006:113-4). In the language of fraud detection they can be ‘red flags’ (‘anomalies that are behavioural, statistical or organisational’ (Grabosky & Duffield 2001: 2)) and can indicate a larger problem if enough information is available to identify them. They effectively become informal governance mechanisms that influence employee compliance in the organisation in a generalised way rather than through a specific manager/employee relationship. While they have the capacity to create the conditions for misconduct an organisation’s operating norms and practices they need not be negative influences. The Australian Standard OIS model captures them in the elements called ‘reinforcement’, ‘senior management’ and ‘communication’. They will affect the operation of the pyramid but are not identified as part of it. Black’s fourth point about relationships between regulators and regulatees, can be interpreted within an organisation as the way that managers manage their staff and even, for senior managers, the organisation more broadly. Management behaviour has long been recognised as critical to an organisation’s performance. Its significance in organisational wrongdoing has been increasingly investigated in recent years particularly since Clinard’s conclusion that the main influences on unethical behaviour include senior management’s ‘individual ethics, personal ambition and poor supervision’ (1983: 70). Similar findings were reported in research by the ICAC conducted with NSW public sector senior managers who emphasised the importance of managers (ICAC 1999: 23):


• showing consistency in action and communication • managing staff expectations • ensuring that middle managers as well as top management are reflecting the

desired values and behaviours and, • employing tools such as codes of conduct and accountability mechanisms.

The regulatory personality of managers in organisations have characteristics that can influence the way individual employees comply with organisational rules. Braithwaite’s spectrum of regulator types that can help understand the regulatory behaviour of an organisation’s managers (quoted in Black 2001:5):

Conciliators … relying instead on bringing parties together to resolve disputes as the way to achieve regulatory goals, …. Benign big guns also adopt a reactive approach, and are agencies that have extremely severe sanctions at their disposal (eg licence revocation, product approval, powers to close down businesses), but very rarely use them. Diagnostic inspectorates … were concerned to maintain co-operative relationships, offered advice and education on how to achieve compliance, and encouraged industry self regulation. Token enforcers in contrast were also proactive, but they were not concerned to educate, nor particularly to sanction. Instead inspections were perfunctory rulebook inspections … . Detached token enforcers were similar, but less inclined to build up any relationship with the firm, as were detached modest enforcers. Finally, modest enforcers were those that adopted a sanctioning approach: they were much more likely than any of the others to be punitive, prosecuting or imposing administrative sanctions.

Few organisations are likely to be able to engage all of these regulatory types but some are found routinely in public sector organisations. The ‘benign big guns’ for example might be the Director-General, or the Minister, whose interventions are rare but significant when they happen. ‘Diagnostic inspectorates’ can be found in the internal audit function of many public agencies and even some human resources roles. The proactivity of ‘token enforcers’ suggests an external auditor or inspector while ‘conciliators’ might be any manager or supervisor who adopts conciliation as their own ‘management style’. Even at lower levels of management those seen as organisational leaders are understood to influence the moral decision making of others (such as employees’) by their own moral decision making and by their leadership style (Trevino and Brown 2006:71). Tomlinson and Greenberg, for example, concluded that employee theft in an organisation can be influenced by employees seeing managers engage in improper conduct themselves (2006: 215) or perceiving injustice in the workplace. Sunahara (2004) reached similar conclusions in studies of police misconduct and tolerance of misconduct. The fair, or unfair, treatment of employees is something that is often within an individual manager’s control and part of the management style of some organisations. In Brien’s analysis using the pyramid to guide regulatory interventions in fact helps to promote fairness. He maintains that escalating enforcement on the basis of principles of ‘proportionality and due process’ (Black 2001:20) engenders trust which ‘encourages ethical action’ (2001: 79).


Knowing what management styles exist in an organisation should help inform decisions about the regulatory approaches to be adopted and can influence their effectiveness. For example, Maesschalck matched a range of ethics management tools that usually appear on the ‘compliance-integrity continuum’ to four main management styles (fatalist, hierarchist, individualist and egalitarian) to suggest four types of regulatory style – ‘oversight and review’, ‘mutuality’, ‘competition’ and ‘contrived randomness’(2005: 27). This kind of analysis can help to integrate ‘ethics management’ tools into the routine operation of an organisation. Activities, such as risk assessment, staff surveys and data analysis, that will collect and analyse this and other information are needed to understand management styles and should appear somewhere in the pyramid. However, for the pyramid to genuinely include proactive measures, such as data collection, it may be necessary to add a level that changes the shape of the pyramid. The conflicts of interest management example discussed earlier demonstrates this failing. The example as worked finishes at dismissal because that is where the pyramid shape finishes. After a dismissal a record of the events and the way they came about can be captured and analysed as intelligence or context for routine corruption risk assessment. To maintain the pyramid shape this kind of information could be captured at Level 4 – Investigate or the model might include an arrow that directs the information to Level 1 – Awareness where ideally a risk assessment is performed in any event. As it stands, the pyramid implies that information has been collected and analysed at a number of points. Level 1 Raise awareness identifies ‘education; knowledge; socialisation; research’ as activities. The risk assessment process could be included in this level as well or it could form a foundation for the pyramid to rest on. There is another dimension to risk assessment that would also be represented in a complete OIS pyramid. Sparrow quotes former Australian Tax Commissioner Trevor Boucher saying (Sparrow 2000: 222) ‘Risk analysis is an iterative, dynamic and organic process. It does not have a defined finishing line that we can cross’. All corruption prevention activities are like this. They require maintaining through sustained implementation. Once the decisions about resource allocation and prioritisation have been made the pyramid should also show how the mechanisms that have been selected for inclusion or emphasis will be maintained. These sustaining or maintaining measures are not, on their face, enforcement actions but if the routine actions of managers are so critical to the compliance of employees with the organisation’s rules and values they must be acknowledged in the pyramid. They are a form of continuous, generalised enforcement informed by proactive and preventative mechanisms rather than purely reactive enforcement prompted by the single action of a perpetrator. The importance of management sustaining the regulatory effort pervades Braithwaite’s ‘essential requirements of an effective self-regulatory system’ for organisations (1986:150, 165) [my emphasis]: 1. top management support for compliance personnel such as inspectors and auditors 2. make sure that line managers have clearly defined accountability for compliance

performance


3. monitor managers’ performance and let them know when it is inadequate 4. effective communication of compliance problems to those capable of acting on them 5. training and supervision (especially of front line supervisors) for compliance 6. ensure that performance pressures on employees do not encourage unlawful behaviour. These are not regulatory actions to be applied in response to action by a regulatee or perpetrator. They are part of an ongoing management strategy applied over an extended period of time (consistent with the content of a comprehensive OIS model). Nevertheless Braithwaite calls them ‘essential requirements’ suggesting that they should be acknowledged somewhere in the pyramid – especially a pyramid that captures a comprehensive OIS framework. To do so might require the pyramid to incorporate a time dimension as well as the extra layers and actions already identified.

CONCLUSIONS

Is an organisational-integrity-system pyramid useful?

This paper has meandered through a number of fields of endeavour trailing some loose ends that can be pulled together in a final version of a pyramid that attempts to incorporate the elements of an organisational integrity system combined with the following propositions and questions. The pyramid can be a useful device in the implementation of organisational initiatives and measures to prevent corruption and promote integrity. Like an OIS it is only a device and is unlikely to be a definitive guide to deciding how and where to spend the corruption prevention budget. It can be expanded comfortably to include many of the standard OIS mechanisms but whether it can accommodate other essential elements such as information gathering and ongoing socialisation without testing the limits of geometry is not clear. Not all of the mechanisms of an OIS are easily accommodated in the standard pyramid. The actions, such as investigations and even education, fit well enough because they can be used as reactive measures in the escalation process but the organisation’s systems work to prevent corruption in a different way. Even more difficult to represent in the pyramid are the less tangible contextual factors such as the way managers manage and attitudes of staff. The revised version of the pyramid below accommodates most of the features of an OIS by making the three main adjustments to it. The first is that broadly-focused regulatee knowledge appears in the same way as in the AQIS pyramid (Commonwealth of Australia 2007) and gathers data that feds back to an expanded information-gathering capacity at the base of the pyramid as an additional foundation level. The information collected here is fed back into the OIS whose mechanisms - both formal and informal – appear in the right hand column as enablers or facilitators of the enforcement actions at each level.


EMPLOYEE

ACTION

OIS

Will not comply

DISMISS

Complies when forced

DISCIPLINE

Counsel, suspend, demote

Wants to comply but fails

MONITOR Investigate

report supervise

Needs help to comply

MANAGE Supervise

Enforce policies

Wants to comply and does

EDUCATE

Raise awareness of employees, customers, community

Induction, training socialisation by peers and leaders

Legislative framework

conduct & disciplinary standards, process

conduct & disciplinary standards; due process

investigation function and standards

audit systems internal & external

reporting accountability &

control systems performance

management policy frameworks corporate

strategies senior management

leadership Training programs communication

systems statement of

business ethics code of conduct

Intelligence

INFORMATION Risk assessment, staff surveys,

Environmental scanning

Macro prevention policy Coordination


Propositions

This pyramid is based on some assumptions that can be captured in the following propositions. The first is that an organisational integrity system is an infrastructure only. For it to be more than a checklist of anti-corruption measures it must be engaged or operated with the guidance of an overarching principled-based strategy. Second, the OIS model requires that corruption prevention tools should be implemented by organisations in a manner that is strategic, integrated and informed by risk assessment. Third, the enforcement pyramid suggests a strategic implementation of these tools but does not provide as much guidance for the integration of regulatory tools. Fourth, taking a problem-oriented approach to the prevention of corruption in an organisation provides a focus for an integrated application of the tools of an OIS. Finally, a problem-oriented approach based on risk assessment that can be used as a guide to applying the elements of an OIS relies on an organisation having an informed awareness about the perpetrator and about the organisation – particularly, its managers and management style, its operating context and its informal governance practices. Questions The following, as well as many other, questions remain for further consideration: 1. Can the pyramid successfully incorporate the proactive mechanisms of gathering and

analysing information and intelligence needed to maintain a sound OIS? 2. Is the pyramid a useful device for understanding the application of an OIS or has it

become a different shape already? Should it instead be embedded in the OIS as a useful model for the enforcement parts of the OIS, or in training managers responsible for routine compliance in understanding its underlying principles of proportionality and due process in enforcement?

3. Can elements that have a continuous or time dimension such as management and peer socialisation be included?

4. If the OIS can’t be arranged as a pyramid, what shape would a problem-oriented OIS model have?

5. Is having a model counterproductive? Is it mechanistic over-engineering that discourages adaptive and creative responses to organisational risks?

Black (2001:3) alludes to the famous HL Mencken quote that ‘There is always a well-known solution to every human problem--neat, plausible, and wrong’ H. L. Mencken, Prejudices: Second Series, 1920 US editor (1880 - 1956). Corruption prevention is surely such a problem. The complexity of the problem might be unravelled with reference to Larmour’s conclusion is that ‘there is no single right approach’ and that a multi-disciplinary approach is called for (2006:10). It is an ongoing challenge to draw on and apply the insights and knowledge of those disciplines that have something to say about preventing corruption with rigour and then testing them against experience.


In the meantime what advice is there for the executive team with the OIS model in one hand and a corruption prevention budget in the other? These systems and models and guidelines offer a plethora of options many of which are close to identical once examined. Public sector managers must often think that there is too much to know for them to do anything effective to protect integrity and guard against corruption. There is much to know but most of it is for the researchers and policy analysts. The wise advice may be that understanding the technical operation of an organisational integrity system is not what they need to do most urgently. The best thing for them to know is their own organisation – where it comes from, what it does, what its supposed to do, what its people think, how they behave and where it is most vulnerable.



ATTACHMENT 1: ELEMENTS OF OIS MODELS

ICAC 2002 CMC 2001 NSW Audit 1994 AS 2008 OECD 1996

1. Core elements –

values and leadership

2. Code of conduct

3. Corporate strategies

4. Systems

5. Policies /procedures

6. External environment

7. Training

/development.

1. Agency-wide

integrated policy

2. Risk assessment

3. Internal controls

4. Internal reporting

5. External reporting

6. Public interest

disclosures

7. Investigations

8. Code of conduct

9. Staff education and

awareness

10. Client / community

awareness

1. Integrated macro policy

2. Responsibility structures

3. Fraud risk assessment

4. Employee awareness

5. Customer and

community awareness

6. Fraud reporting systems

7. Protected disclosures

8. External notification

9. Investigation standards

10. Conduct and disciplinary

standards

1. Integrity

framework

2. Examples setting

3. Senior management

4. Codes of behaviour

5. Allocation of

responsibility

6. Ethics committee

7. Communication

8. Training

9. Reinforcement

10. Benchmarking

11. Reporting

12. Compliance

• Political commitment

• Legislative framework

• Accountability and control

systems

• Codes of Conduct

• Professional socialisation

• Coordinating body

• Public service conditions

PLUS public scrutiny



REFERENCES Adams K, R Gorse and D Leeson 2004 Internal Controls and Corporate Governance Second edition Person Prentice Hall Sydney Audit Office of NSW 1994 Strategic Model for Fraud Control Audit Office of NSW, Sydney http://www.audit.nsw.gov.au/publications/better_practice/better_practice.htm downloaded 15 August 2008. Australian Government 2005 Comcare Enforcement Policy: Investigative and Enforcement Provisions of the Occupational Health and Safety Act 1991 Commonwealth of Australia http://www.comcare.gov.au/safety/compliance_and_enforcement/guidance_material/compliance_material downloaded 15/06/2008. Australian Government (undated) A Practical Guide to OHS Regulatory Framework http://www.comcare.gov.au/safety/a_practical_guide_to_the_ohs_legislative_framework downloaded 15/06/2008

Australian Quarantine and Inspection Service (AQIS) & Australian Customs Service 2007, Guidelines on Enforcement Powers in Respect to Offence Provisions under the Customs Act 1901 and Compliance Agreements under the Quarantine Act 1908 http://www.aqis.gov.au/icon32/asp/ex_topiccontent.asp?TopicType=Quarantine+Alert&TopicID=7500 http://www.daff.gov.au/aqis/about/complaince-investigations downloaded 16 July 2008.

Australian Taxation Office Compliance Program 2006-07 Commissioner’s Foreword downloaded 17/1/07. Ayres I and J Braithwaite 1992 Responsive Regulation: Transcending the Deregulation Debate Oxford University Press, Oxford Black J 2001 ‘Managing Discretion’ ARLC Conference Papers - Penalties: Policies, Principles and Practices in Government Regulation June 2001 Braithwaite J 1992 ‘Responsive Business regulatory Institutions’ in CAJ Coady and CJG Sampford (eds) Business Ethics and the Law pp 83-92 Braithwaite J 1993 ‘Responsive Regulation’ Chapter 6 in P Grabosky and J Braithwaite (eds) Business regulation and Australia's future Canberra: Australian Institute of Criminology, 1993 Braithwaite J, J Walker & P N Grabosy 1987 ‘An enforcement Taxonomy of Regulatory Agencies 9 Law & Policy 3: 323-351 Braithwaite J 1986 ‘Self-regulation: internal compliance strategies to prevent crime by public organisations’ in Grabosky P (ed) Government Illegality Australian Institute of Criminology, Canberra pp 145-170.


Brien A 2001 ‘Regulating virtue: formulating, engendering and enforcing corporate ethical codes’ Chapter 4 in Corruption and Anti-Corruption Asia Pacific Press Canberra pp 62-81 Candreva P 2006 ‘Controlling Internal Controls’ Public Administration Review May/June 2006: 463-465. Clinard M B 1983 Corporate Ethics and Crime: the role of management Sage Publications Beverley Hills Crime and Misconduct Commission 2005 Fraud and Corruption Control: Guidelines for best practice CMC Brisbane Dimitrakoplis D & J Richardson 2001 ‘Implementing Public Policy’ in Richardson J (ed) European Union: Power and Policy Making Routledge London Gorta A 2001 ‘Research: a tool for building corruption resistance’ Chapter 2 in Corruption and Anti-Corruption Asia Pacific Press Canberra pp 11-29. Grabosky P N 1989 Wayward Governance: illegality and its control in the public sector Australian Institute of Criminology Canberra Grabosky P N and G Duffield 2001 Red Flags of Fraud No 200 Trends & Issues in crime and criminal justice March 2001 Australian Institute of Criminology Canberra ACT Healy J and J Braithwaite 2006 “Designing safer health care through responsive regulation” Medical Journal of Australia 2006: 184 (10 Suppl): S56-S59 Huberts, L, F Anechiarico, F Six 2008 Local Integrity Systems: World Cities Fighting Corruption and Safeguarding Integrity Boom Juridische Uitgevers ICAC 2001 The First Four Steps: Building Organisational Integrity ICAC Sydney ICAC 2002 Do-it-Yourself Guide to Corruption Prevention ICAC Sydney Joseph J 2001 Integrating Ethics and Compliance Programs: Next steps for successful implementation and change Ethics Resource Centre Washington DC Larmour P and N Wolanin 2001 Introduction Corruption and Anti-Corruption Asia Pacific Press Canberra Larmour P 2006 Diagnosing the disease of corruption: what difference disciplines say about curing corruption in Corruption and Anti-Corruption Policy Brief Crawford School of Economics and Government, ANU College of Asia & the Pacific Canberra pp 7-10. Maesschalck J 2004 Approaches to Ethics Management in the Public sector: A Proposed extension of the Compliance-Integrity Continuum Vol 7 Public Integrity No 1: 20-41.


National Audit Office 2001 Modern Policy-Making: ensuring policies deliver value for money Report by the Comptroller and Auditor General, LondonBY THE COMPTROLLER C 289 Session 201 November 2001 Newburn T. 1999 Understanding and preventing police corruption: lessons from the literature Policing and Reducing Crime Unit, UK Home Office (1999) http://www.homeoffice.gov.uk/rds/prgpdfs/fprs110.pdf OECD 1996 Public Service Ethics: current issues and practice OECD Paris OECD 2000 Trust in Government OECD Paris Paine L S 2003 ‘Managing for Organisational Integrity’ Harvard Business Reviewon Corporate Ethics Harvard Business School Publishing Corporation Boston pp 85-113 Reason J 2000 ‘Human error: models and management’ British Medical Journal 320: 768-770. Snell S and M Youndt 1995 ‘Human resource Management and Firm Performance: Testing a Contingency Model of Executive Controls’ 21 Journal of Management 4: 711-737 Sparrow, M 2000 The Regulatory Craft: Controlling risks, solving problems, and managing compliance Brookings Institution Press Washington DC Standards Australia 2008 AS 8001-2008 Fraud and Corruption Control Standards Australia Sydney Standards Australia 2004 AS/NZS 4360 Risk management Standards Australia Sydney Sunahara D F 2004 Searching for Causes: entitlement and alienation as precursors of unethical police behaviour Canadian Police College Ottawa Transparency International 2006 TI’s National Integrity System Approach http://www.transparency.org/policy_research/nis downloaded 15 August 2008 Thorne L & J Jones 2005 ‘Organisational Deviance and Culture Chapter 13 in R E Kidwell & L C Martin (eds) Managing Organisational Deviance Sage Publications Inc 309-326 Victor B & J. B. Cullen (1988) “The Organizational Bases of Ethical Work Climates” Administrative Science Quarterly Vol.33, No.1, March 1988. Warren D 2006 ‘Managing Non-compliance in the Workplace’ Chapter 6 in R E Kidwell & L C Martin (eds) Managing Organisational Deviance Sage Publications Inc pp 131-148.

Documents

APPLYING THE ENFORCEMENT PYRAMID TO ORGANISATIONAL ...€¦ · Corruption prevention policy Code of conduct Code of conduct – policies and procedures ... Management can be realised