Photo: Lou Levit

Development agencies, by definition, must engage with corruption risk. Working in settings where corruption is engrained in governance and accountability mechanisms are weak or repressed, it is impossible to avoid corruption risk completely. But agencies are also pressed to prevent loss of funds and to avoid contributing to corruption in the countries where they operate. Managing corruption risk is therefore essential. Aid agencies are developing approaches to corruption risk management, but they are still incomplete, and their effectiveness is unproven. This U4 Brief addresses three questions: What does corruption risk management look like, in theory and in practice? What makes it such a challenge for aid agencies? And what else do we need to know to strengthen corruption risk management in development assistance?

We need to build a better understanding of corruption risk management

Corruption is not just a risk in development aid; in some settings it is a near certainty, and it has the potential to significantly compromise desired development outcomes. So ignoring corruption risk is ill advised at best, and at worst it can endanger an agency’s objectives, credibility, and legitimacy. But according to a survey conducted by the Organisation for Economic Co-operation and Development (OECD) and the U4 Anti-Corruption Resource Centre, many development agencies are struggling with how to embrace the risk inherent in the contexts where they work while at the same time responding to concerns about protecting aid funds from misuse.1 This U4 Brief is part of a series of publications that seek to build a better understanding of corruption risk management in development practice to help practitioners engage in a more informed and constructive way with the risky environments in which they work.

What does corruption risk management look like in theory?

While other elements of an agency’s integrity system address only its own practices and those of its direct grantees or contractors, corruption risk management operates at the nexus of internal procedures and policies, on the one hand, and external context, on the other. A framework for a comprehensive risk management approach is available in the first U4 paper on this topic (Johnsøn 2015). For this follow-up brief, an important concept is disaggregating risk management, as summarized in Box 1.

Box 1. Three phases of corruption risk management

Risk management involves both outward-looking and inward-looking analysis and action. Disaggregating risk management into different stages helps to illustrate how this works.

Risk identification: What are the specific types of corruption risk that are likely to affect the desired outcomes of this activity? When done properly, this step requires identifying specific types of corrupt behaviours, not simply the fact that corruption exists in the operating environment. The risks presented by partners’ management systems, along with the broader external environment, should be assessed alongside any potential weaknesses in internal processes.

Risk assessment: How serious are these risks? When possible, risk assessment should use both a measure of probability and a measure of impact or magnitude. For instance, the health sector in a country may be characterized by a large amount of petty bribery, frequent theft of medicines for sale on the commercial market, and also instances of fraud in major procurements. A rigorous risk assessment would use measures to gauge the relative frequency of these behaviours and the scale of their effect in order to assess which ones are likely to have the greatest impact on the desired outcomes.

Risk mitigation: What can be done to reduce the potential frequency and/or effect of the behaviours identified? Actions may include strengthening internal processes, conducting activities to mitigate risky conditions in the external environment, or both.

[Source: Johnsøn 2015]

Done well, risk management adapts an agency’s rules and processes in response to realistic assessments of the possible corruption problems an activity may face, with the objective of reducing risks that negatively affect desired development outcomes (developmental risk). This approach emphasises the role of corruption risk management as a tool for improving development outcomes. It doesn’t negate the importance of limiting financial losses (fiduciary risk) or avoiding negative publicity about aid (reputational risk), but it allows consideration of the balance between the expected development benefits and the costs of the risk mitigation measures. This could also mean accepting a critical risk if the potential for transformational effect of the activity is deemed significant enough.

What does corruption risk management in development aid look like in practice?

As is so often the case, the reality is quite different from the ideal. Agencies have invested significantly in up-front analysis and various control regimes, but there is scant evidence of more complex approaches to corruption risk management, particularly cost-benefit analysis (see Box 2).

Box 2. Cost-benefit analysis in corruption risk management

The risk of corruption in development assistance can never be reduced to zero, and it would be prohibitively expensive to try in any case. Sophisticated corruption risk management, therefore, is distinguished from more common “control” approaches by a cost-benefit orientation. Cost-benefit analysis weighs the costs of minimizing any given risk against the expected benefits of the activity.

Measurement of costs and benefits goes beyond simple financial considerations. Estimation of costs should take into account not only the expense of the control or mitigation effort, but also the ways in which mitigation measures might undermine the objectives of the activity. Similarly, benefits should be measured in terms of the likely gains from preventing or reducing certain types of corrupt behaviours, along with the overall development benefits of the activity itself. Rather than seeking to monitor and verify every element of a project to minimize corruption, an approach that has seldom proved effective, risk management should seek to identify the greatest risks – those with potentially the greatest cost in terms of development outcomes – and mitigate those.

Most of the agencies that responded to the OECD/U4 survey require some sort of corruption risk analysis at the country or programme/project level. The most common form is national-level political economy analysis or statistical profiling. At the same time, a majority of agencies also conduct due diligence on potential funds recipients to check for financial controls and other good management practices. Significantly fewer require sector- or institution-level corruption analysis that would provide the kind of detail on specific corruption risks that can be translated effectively into programme design. Additionally, just over half the agencies that require corruption risk assessments do not have detailed guidance on how they should be done or what should be included, which undermines consistency in how the agencies evaluate corruption risks and respond.

Agencies are even less likely to do the kind of cost-benefit analysis that characterizes sophisticated risk management and helps agencies move beyond simple control approaches that may or may not be cost-effective. Most corruption analysis stops at the risk identification stage rather than analysing specific corrupt behaviours, their frequency or probability, and the scale of their impact. Even when agencies have frameworks for more nuanced risk analysis, such as a “red-yellow-green” matrix, making meaningful distinctions is difficult. As one official responsible for reviewing risk analyses put it, “Everything is yellow.”

Quantitative evaluation of frequency or impact is rare in agency risk matrices. More often, the risk assessment is based on qualitative information, and “corruption” may not be disaggregated. Furthermore, while most responding agencies indicated that corruption assessments inform investment decisions, fewer than half have specific procedures that define acceptable levels of risk, such as thresholds for higher-level approvals when higher levels of corruption risk are assessed. Without some conception of what constitutes acceptable risk, there is nothing against which to assess the costs or benefits of various mitigation efforts.

An obvious issue for agencies is that a risk management approach necessarily and explicitly accepts that not all risks can or should be eliminated, that some activities may be undermined by corruption, and that some may even fail as a result. This is not an easy position for most agencies, pressed as they are to promise results from all aid investments. In taking on this challenge, agencies can benefit from a clearer approach to risk management, including cost-benefit analysis and standards for project approval based on levels of risk. If and when corruption problems do emerge, such procedures can help demonstrate to critics that the agency followed a rigorous rationale and review process when approving a risky project.

While complex risk management remains a challenge for aid agencies, some good practices are emerging. On the programme side, some agencies use project management tools that require identification and assessment of corruption risk as part of the approval process. Good examples include the business case used by the UK Department for International Development (DFID 2011) and the contribution management system of the Swedish International Development Cooperation Agency (Sida). For agencies that use risk matrices as discussed above, good practice is to revisit those assessments throughout the project, making adjustments to mitigation efforts as needed.

Even with these improved practices, corruption risk management in most agencies remains underdeveloped after initial risk identification or assessment. While some agencies may revisit risk matrices periodically, the degree to which corruption risk management is fully integrated in the later stages of the project cycle, through monitoring, evaluation, and learning, is unclear. Particularly for projects that do not directly target the governance and accountability environment – such as public services, productive sectors, and humanitarian aid – monitoring and evaluation frameworks are unlikely to include indicators that reflect corruption risk factors, so these are not necessarily monitored over the life of the project. A stronger approach would use existing monitoring and reporting requirements to track corruption risks along with other indicators. A further benefit of this approach is that it puts corruption concerns more clearly at the centre of all programmes, helping to mainstream understanding of corruption’s negative effects on a wider range of development outcomes.2

On the control side, most responding agencies indicated that they use investigation and audit findings to inform future audit plans and other internal control efforts. This “risk-based” approach to auditing and other controls was among the most common responses to the heightened attention to corruption risk. The Inter-American Development Bank’s Integrity Risk Reviews (IRR) are a good example of how an institution can use data from its own investigations to feed back into future risk management approaches.3 The IRRs involve programme staff in country offices and help inform funding choices. However, other agencies indicated they have not yet achieved strong collaboration between control-oriented staff (usually auditors and/or investigators) and programme staff. This constitutes a missed opportunity to bring more resources together for corruption risk management.

Why is corruption risk management so difficult for aid agencies?

Shortcomings in the risk management practices of development agencies are not necessarily due to lack of interest. Indeed, most agencies want to manage corruption risks more effectively. Three issues lie at the heart of the challenge.

First, agencies have limited resources, particularly expertise, relative to the requirements of refined risk analysis and monitoring. With anti-corruption experts typically in short supply, these activities may be the responsibility of generalist program officers who lack detailed knowledge of corruption red flags and anti-corruption tools – each of these being an area of expertise in its own right. Even when good analysis is done, agencies struggle to identify meaningfully different responses to different risk profiles, a task made more daunting by the lack of solid evidence of the effectiveness of most anti-corruption approaches (Johnsøn, Taxell, and Zaum 2012; DFID 2015).

Second, and perhaps more important, many agencies have not clearly established the objectives of corruption risk management and convey mixed messages to staff. While management systems often require that risk be assessed in terms of its potential impact on development outcomes, staff often perceive a strong message that reducing corruption risk is a goal in its own right, for either fiduciary or reputational reasons. A cost-benefit approach to corruption risk management is politically difficult for many agencies to implement due to pressures for “zero tolerance” (see De Simone and Taxell 2014). Whether driven by political pressures to prevent waste in aid funding or by a moral sense of fairness and justice, or both, many agencies would find it difficult to state openly that certain corruption risks are not worth attempting to mitigate because their expected impact on development outcomes is minimal, or because the potential benefits of the activity are so great that the risks are worth taking.

Third, despite pressures to limit corruption risk through control measures that may or may not be effective, there are persistent institutional incentives to simply discount corruption risk. These contradictory positions send mixed messages to agency staff. Survey respondents and interviewees pointed to competing foreign policy priorities or economic interests that get in the way of frank discussion of corruption risks with host country counterparts. Pressures to spend aid allocations or get projects approved also create disincentives to careful risk analysis and management.

Finally, it’s important to note that even agencies that have embraced corruption risk management tools cannot yet cite evidence of effectiveness or impact. While some agencies report that more corruption analysis is being done and more staff are familiar with the issues, it is less clear whether corruption risk assessment and management tools are creating meaningful differences in how aid activities are designed and implemented. It will be hard to make the case for investing in even more nuanced risk management efforts if their impact cannot be proven.

Where should we go from here?

While many development agencies have embraced in principle the need to engage with corruption risk through risk management instead of risk avoidance (or discounting risk), the challenges are many. The OECD Development Assistance Committee is exploring a possible recommendation on integrity in aid, and early drafts call for including risk management alongside internal ethics and control regimes as an essential part of an integrity system.4 But in order for agencies to do corruption risk management well, more knowledge is needed on two fronts.

First, we need to find out more about the effect of current corruption risk management approaches. There are several key questions:

  • What types of risk analysis can most effectively produce meaningful differences in assessed risk levels? In other words, can we move beyond “everything is yellow”?

  • Do different levels of assessed risk result in meaningfully different project designs or mitigation measures?

  • What sorts of mitigation approaches, including greater collaboration across control and programme functions, seem to be working best, and under what conditions? Is there any evidence of improved development outcomes as a result?

  • To what extent is corruption risk management helping to build better understanding of corruption challenges across sectors and move corruption beyond the province of governance advisors and agency control functions?

Second, agencies and researchers need to build experience in assessing the scale of various types of corruption risk vis-à-vis the costs of mitigating them and the potential benefits of an activity—with and without mitigation efforts. This is the first step toward using cost-benefit analysis as a basis for risk management. Corruption assessments that help to “triage” various types of corruption risks and target mitigation efforts on the potentially most damaging ones are still not common. But data sources that reveal the scale of resources moving through various public finance systems, and sometimes also the frequency or scale of losses, are increasingly available. Used alongside tools such as institutional integrity reviews or vulnerability assessments, such data make it more feasible to attach relative values to different types of corruption risks.

At the same time, the persistent lack of clarity about the ultimate purpose of corruption risk management – better development outcomes or less corruption in aid projects – makes this kind of cost-benefit analysis difficult to implement. Political pressure to prevent loss of funds to corruption, along with perceptions that corruption is unjust and should never be accepted, are valid concerns for development agencies, but they also limit risk taking and the potential benefits of aid activities. Sophisticated risk management should acknowledge these trade-offs openly, provide clear signals about levels of acceptable risk, and establish procedures for dealing with higher-risk projects, rather than leaving agency staff to navigate these issues on their own. The latter approach, at best, leads to inconsistency in programming; at worst, it creates uncertainty and risk-averse behaviour, with anti-corruption and development goals hanging in the balance.


De Simone, Francesco, and Nils Taxell. 2014. Donors and “Zero Tolerance for Corruption”: From Principle to Practice. U4 Brief 2014:2. Bergen, Norway: CMI-U4. 

DFID. 2011. Writing a Business Case. How To Note. London: DFID. 

———. 2015. Why Corruption Matters: Understanding Causes and Effects and How to Address Them. DFID Evidence Paper. London: DFID. 

Hart, Elizabeth. 2015. Building Donors’ Integrity Systems: Background Study on Development Practice. Paris: OECD. 

Johnsøn, Jesper. 2015. Basics of Corruption Risk Management: A Framework for Decision Making and Integration into the Project Cycle. U4 Issue 2015:18. Bergen, Norway: CMI-U4.

Johnsøn, Jesper, Nils Taxell, and Dominik Zaum. 2012. Mapping Evidence Gaps in Anti-Corruption: Assessing the State of the Operationally Relevant Evidence on Donors’ Actions and Approaches to Reducing Corruption. U4 Issue 2012:7. Bergen, Norway: CMI-U4.



  1. This U4 Brief draws on a study of donor integrity frameworks, co-funded by the OECD GOVNET and U4. The study was based on a survey of donor integrity practices, including elements of risk management. Twenty-five agencies responded, and follow-up interviews were conducted with nine (Hart 2015).

  2. An approach to corruption risk management that clearly focuses on risk to development objectives may lend legitimacy to this mainstreaming.

  3. For more information on the IRRs, see IDB: Corruption Prevention Tools

  4. Draft Recommendation of the Council on Internal Integrity Guidelines for Development Cooperation