Definition and management of the System
Allow the Organization to have a management system, implemented on an IT platform, capable of preventing, tracking and addressing the risk of corruption, at the level of a single "risk activity" underlying the business processes.
Manage the planning of adaptation interventions.
The Management System has been implemented on KRC in order to make it fully compliant with the UNI ISO 37001 standard.
The conditions for success
To achieve the objectives described, the full awareness of the company contacts and the maximum collaboration of the resources involved in the audit process are required.
Analysis of the corporate context, through a meeting with the Management, the Anti-Corruption Manager, the Head of Legal Affairs, the Internal Auditor and other contact persons, is divided into:
- Process mapping, possibly broken down to the level of activity phases, with identification and assignment, for each, of roles and responsibilities;
- Identification of external subjects who interact with the offices of the Organization at the level of each phase of the process, taking care to represent the nature of the relationship with the subject in question (e.g. requests for opinions, production of documents, supervision, information flows, etc.);
- Configuration of risks and associated preventive control measures. The KRC system is equipped with a consistent library that helps the user identify both risks and measures.
Identification of Risk Activities: the activity takes place in the company and, for each phase of the process, the activities at risk of corruption underlying that specific phase are paired with it (e.g. Purchasing Process - Phase: Direct assignment procedures for purchases below a predetermined threshold - Activity at Risk: quotation request).
Analysis and Evaluation of Risk Activities: each activity at risk of corruption is associated with its risks, also taking into account the external parties who interact with the organization for that specific activity. Each risk is then assessed, during the assessment phase, according to the criteria and methodologies established during the configuration phase.
Treatment of Risk Activities and Protocols: in this phase all the preventive and control measures necessary to contain the risk assessed in the previous phase are identified and established, making sure that, taking these interventions into account, the risk can reach a LOW level.
- Context analysis
- Analysis and evaluation of activities at risk
- Fulfillment/improvement program