This information is not a guide to conducting the risk management process. There is now a significant amount of literature on risk management, including valuable guidance material by NSW State Government agencies such as NSW Treasury. There is also an Australian Standard (AS/NZS ISO 31000) on risk management, which is widely used. 

These publications and resources can be used effectively to identify and manage corruption risks. It is essential that the identification stage of the risk management process is as comprehensive and thorough as possible. Any risks not identified at this stage may not be analysed further and may remain unmanaged.

To be effective in identifying corruption risks, public sector managers need to understand what constitutes public sector corruption and how to identify corruption risks.

Some methods of identifying corruption risks

Use information you already have

  • Past organisational experience
  • Annual audit results
  • Relevant ICAC / internal investigation reports
  • Results of audits / physical inspections
  • Records of prior losses
  • Staff and client/customer complaints.

Use the experience and skills of your staff

  • Ask employees to identify ways that existing controls could be bypassed, i.e. flaws in the system. Tap into their expert knowledge and judgment
  • Conduct interviews with experienced and knowledgeable staff
  • Conduct focus group discussions
  • Distribute surveys and questionnaires
  • Ask staff to complete risk forms/identification sheets
  • Directly observe workplace activities
  • Analyse specific scenarios
  • Conduct audits and physical inspections.

Use the experience of other agencies

  • Examine the results and findings of private, local or overseas agencies.

Use the experience of your clients and customers

  • Conduct interviews and focus group discussions
  • Distribute surveys and questionnaires.

Use professionals

  • Employ professional consultants
  • Brainstorm with a facilitator.

Get technical

  • Comparative methods e.g. checklists, reviews of historical or incident data, physical audits and inspections
  • Fundamental methods e.g. applying foresight through structured brainstorming, 'What If' Analysis, Hazard and Operability Studies (HAZOP), Failure Mode and Effect Analysis (FMEA), SWOT, process mapping and more
  • Deductive or inductive reasoning techniques, logic diagrams such as Fault Tree Analysis (FTA), Event Tree Analysis (ETA) and Root Cause Analysis (RCA).

Frequently asked questions

Why do we need to go to the trouble of identifying our corruption risks if we already have all the standard controls in place?

Every agency has a different operating environment and consequently may have some different corruption risks to other agencies involved in the same type of work e.g. regulation. Each agency needs to understand its own context and its own risks to be sure that the risk management strategies (or controls) it has in place are appropriate and effective.

All organisations are dynamic and work in contexts that change constantly – sometimes in subtle ways. The controls that work at one point in time may not always be so effective over time. 



  • Commonwealth Fraud Control Guidelines, Australian Government Attorney-General's Department.
  • Internal Audit and Risk Management Policy for the NSW Public Sector, NSW Treasury, Sydney.
  • Australian Standard AS/NZS ISO 31000, Risk Management, Principles and Guidelines, Standards Australia, 2009.
