TNRC Guide to conducting corruption risk assessments in a wildlife law enforcement context
Guide to conducting corruption risk assessments in a wildlife law enforcement context
This TNRC Guide shares practical knowledge for program designers and implementers to reduce corruption’s impact on conservation.
This guide is a high-level “how-to” for carrying out a corruption risk assessment in a conservation law enforcement context, using the Map, Characterize, Assess, and Recommend (MCAR) approach designed by the Basel Institute on Governance. The first section covers planning: the resources, timing, and other considerations for setting up the assessment. The second section lays out each step of the assessment, with tips, basic instructions, and implementation recommendations for each stage. Finally, the annexes provide sample supporting materials, including a simplified process diagram and map, a sample questionnaire for interviews, and a basic confidentiality agreement.
1. Getting started
1.1 Why conduct a CRA focused on law enforcement?
Public agencies and systems set up to enforce laws and regulations relating to wildlife, fisheries, and forests may be compromised by corruption risks. This hinders the ability to detect, investigate, prosecute, and sanction crimes and corruption involving these natural resources.
A CRA is an important part of the response to these risks. It can help answer two critical questions:
- What, where, how likely and how severe are the main corruption risks in law enforcement processes in this context?
- What can be done to mitigate major corruption risks to improve the functioning of the law enforcement system in support of conservation and natural resource management goals?
Specifically, a CRA can support partner agencies in assessing and improving their operational procedures. It offers a structured way to probe weaknesses, loopholes, or gaps that could be abused by corrupt officers, politicians, or others to interfere in law enforcement or judicial proceedings.
When conducted collaboratively with relevant partner agencies as part of a long-term partnership, a CRA can form the basis of a mutual understanding of integrity challenges. Risk mitigation measures can then be integrated into and supported by existing conservation programming.
However, a collaborative CRA may not always be possible. Some conservation or donor organizations may need or wish to conduct a CRA of a country’s law enforcement system without the collaboration or buy-in of agencies or stakeholders operating in this space. Motivations may include internal risk management or to generate evidence for wider anti-corruption strategies and conservation programming. Conversely, agencies may themselves be unwilling to collaborate in a CRA, due to distrust of the partner or opposition from influential decision-makers. Some elements of the MCAR approach outlined in this guide may be helpful in such “external” risk assessments, such as the “systems” approach and the visual mapping of the relevant phases of the criminal justice system. However, the MCAR approach is specifically designed to be a collaborative and circular process conducted together with relevant partner agencies.
1.2 Why use the MCAR method?
Several methods for conducting a CRA exist in conservation and natural resource management fields, such as the UNODC Scaling Back Corruption guide for addressing corruption risks in wildlife management authorities. Many are based loosely on the international risk management standard, ISO 31000:2018.
The Basel Institute designed the MCAR method specifically for assessing corruption risks in law enforcement / criminal justice processes, including those covering conservation and natural resource management. It is special in that it looks at the entire system of investigations and prosecutions (and ideally also sanctioning). This “systems approach” is particularly suited to law enforcement, which involves a multiplicity of actors and agencies with often overlapping roles.
MCAR is designed to focus on helping partner agencies fix systemic risks as part of an ongoing process – not applying one-off solutions in reaction to individual real incidents. In order to achieve this, a core element of the MCAR approach is developing a visual “map” or diagram of the actors and their roles within the relevant part of the criminal justice system. The mapping helps participants to fully understand how the system works, and to deconflict and clarify responsibilities, procedures, and potential overlaps. It also helps to precisely pinpoint the procedures where the risks manifest.
2. Planning: What to consider
2.1 An understanding of the political economic context
Before undertaking or initiating a CRA, it is extremely helpful to understand the political, social, and economic context through a broader analysis, such as a political economy analysis (PEA) (see this TNRC Practice Note and the WWF Strategic Framework for Political Economy Analysis for Conservation Impact).
Conducting a PEA alongside a law enforcement-focused CRA can:
- provide the background understanding needed to extract meaningful insights from the CRA data and spot windows of opportunity for addressing corruption risks;
- illuminate the underlying drivers of corruption risks, thereby supporting decision-making about mitigation measures that are relevant, impactful, and sustainable;
- highlight strategically important stakeholders that may support or oppose interventions aimed at improving the effectiveness and integrity of law enforcement;
- enable decision-makers to better allocate scarce resources towards addressing the corruption challenges most likely to undermine conservation efforts.
2.2 Human resources
A small team can cover the different skills and roles needed to conduct a CRA. Table 1 describes the different roles and how much time to allocate for each.
Table 1. The roles, skills, and time allocations needed for a CRA.
Days needed will vary depending on the scope of the assessment, number of interviews planned, and complexity of the system.
Skills and characteristics
Oversee CRA design and implementation, lead workshops and interviews, lead preparation of report and mitigation plan.
Experience in law / law enforcement procedures. A strong track record and reputation in the field. Trust-building skills and workshop facilitation skills.
20-30 days over 3 months; additional time if conducting PEA.
Research assistant (optional)
Set up tools and prepare interviews, “crunch” and analyze data, draft report.
Strong research, analytical, and writing skills.
Full time for the period of the CRA.
Facilitate introductions to agency leadership and participants, set up workshops and interviews.
Knowledgeable of context; well-connected and trusted with strong convening power.
5-7 days over the period.
2.3 Technical resources
For the mapping process outlined in Figure 1, specialist flowchart/mapping software like Microsoft Visio or Bizagi Modeler is helpful. The map could also be drawn in a simple design program (e.g., Canva or Microsoft PowerPoint) or even by hand.
For data collection, software can help keep note-taking during interviews structured. If using Word, create a template to keep the notes consistent and aid analysis. A Google Form can also be useful, as the notes are automatically transferred to a structured online spreadsheet. Software such as Microsoft Excel can then be used for data analysis.
If conducting interviews online over video, you will need a secure video calling system. If meeting in person, you will need an appropriate space, taking into account potential security concerns and participants’ desire for privacy.
Finally, document and presentation software such as Microsoft Word and PowerPoint can be used for report writing and results presentation. Professional graphic design, if feasible, may help with gaining attention and communicating the main messages.
2.4 Budget and timing
The major cost for most CRAs will be the team’s time. Selecting and contacting participants, setting up the research tools, mapping the law enforcement system, and arranging workshops and interviews may take longer than expected.
2.5 Relationships and communication
Corruption is always a sensitive topic, and even more so in a law enforcement context. Strong relationships between the organizations and people conducting the CRA and the relevant agencies are important. It will be critical to be able to draw on existing trust. Or if relationships are weaker, a careful assessment is needed of the likelihood of securing enough backing to initiate or conduct a CRA.
It may be helpful to use more indirect language such as “integrity assessment” or “integrity gap analysis.” However, to gain trust, it is essential to discuss the purpose of the assessment and the expected outcomes openly and clearly with agency partners. A PEA can help you decide how to approach the corruption topic with participants.
A written document, such as a concept note, is helpful for ensuring a shared understanding at the beginning of the process. In addition, a confidentiality agreement should be sent to interviewees before their interviews. The agreement should clearly state the purpose, funding source, data confidentiality and protection measures, and how the results will be used and stored. An example basic consent agreement is provided in Annex IV. Your organization may have its own. Whichever template is used, it should be carefully tailored to the specific context, with additional sections added if needed.
To retain trust, the agency should control dissemination of the resulting information. Publicly communicating the results of the CRA, even indirectly through journalists or civil society organizations, may risk a backlash. Typically, reports and mitigation measures will be strictly confidential and circulated only to key individuals in participating organizations on a need-to-know basis. Sanitized or summary versions could be prepared for use among country teams or to provide to funders. The map itself could potentially be made more widely available as a learning and discussion tool. No matter the output, all final products should be reviewed carefully to eliminate any information that might reveal the identities of specific participants.
2.6 Limitations and risks of conducting a CRA of law enforcement agencies
A CRA may not be appropriate or feasible for every context. Risks to consider before deciding whether to conduct a CRA related to environmental law enforcement functions include:
- Difficulties obtaining accurate or comprehensive information. Participants may not wish to talk about corruption risks or may give false or misleading information. A PEA can help identify reliable participants and provide a contextual basis to triangulate the information from interviews.
- Security risks to the individuals carrying out the CRA and/or the participants, including retaliation in the workplace. If security cannot be assured through standard procedures, then it is inadvisable to proceed.
- Relationship damage, including backlash from agencies asked to participate in the assessment and/or other government partners. Clear, upfront discussions with senior leaders and a strict communication plan should help manage this risk.
- Cost and schedule overruns. A realistic budget and timeline are essential, as is a strong research lead. Hiring consultants on a set fee basis could help prevent cost overruns.
- Leaks of sensitive data can be avoided by keeping the CRA team small and disciplined regarding data protection and information sharing.
It may be that the risks of conducting a CRA outweigh the potential benefits. If you do proceed, you should have in place a thorough safeguards and risk mitigation plan before launching the CRA.
3. The MCAR process: Step-by-step
Once you have completed or resolved the considerations in the “Planning” stage, you are ready to start the CRA.
3.1 Prepare and launch
If not already completed during “Planning,” draw up a concept note indicating the scope and breadth of the CRA. Specify the process under assessment; e.g., are you just assessing investigations and prosecutions, or will the CRA also include the judiciary and the prison system?
Set out the methodology and timeline, adapting the steps below to your needs and context. Recruit and brief the team, making sure they are on board with the methodology and will adhere to measures to mitigate the risks of conducting the CRA (see point 2.6). Together, start to prepare the research tools and confidentiality agreements.
3.2 Identify and engage with participants and other stakeholders
The main participants in the CRA will be members of the relevant agencies. The CRA should cover different levels and roles, including:
- Leadership. It is important for the senior management of agencies to be on board with the CRA and to inform their staff that they can participate freely. Ideally, they will also display willingness to engage with the final report and implement recommended mitigation measures.
- Risk owners. These are the individuals in charge of the procedures that contain the risks. For example, the team leader of a prosecution unit would be a “risk owner” of a corruption risk relating to collusion between prosecutors and the defense. Risk owners have the direct experience necessary to identify risks and suggest feasible mitigation measures.
- Internal control / audit functions. These mechanisms are key to implementing and evaluating the effectiveness of the risk mitigation measures and to supporting risk owners. If the CRA becomes a recurring process (see Figure 3 below), the internal audit function may be the appropriate “home” for it.
Where appropriate and safe, you could also consider interviewing third parties with relevant knowledge as part of either a broader analysis like a PEA or the CRA itself. These might be civil society representatives or local/international non-profit organizations and experts. It may also be helpful to engage other public bodies such as the supreme audit institution or civil service commission. These institutions are responsible for wider reviews of operational effectiveness and integrity in the public sector, and may have useful existing information or reports that they are willing to share with you.
3.3 Map the law enforcement process and identify vulnerable points
Through desk research complemented by insights from knowledgeable stakeholders, draft a process map depicting the elements of the law enforcement system relating to the scope of your CRA. This map – and the process of creating it – will help you and participants to:
- fully understand the system and its different phases;
- identify areas where the system is unclear or roles/responsibilities overlap;
- identify potential vulnerable points, to help refine the interview questions and characterize the risks at each stage.
The mapping will take some time. Sometimes, there may be no defined process but simply a series of laws, criminal procedural codes, and decrees assigning responsibilities to an agency. These must be re-constructed in order to understand the full picture, and you may find big differences between theory and practice. The map should reflect the latter, noting any significant discrepancies.
Drawing the map – main steps
- First, plot the relevant actors and their roles within the process.
- Identify the sparks or triggers that start a criminal investigation (see examples below) and which agencies are in charge of these particular triggers.
- Then, depict the criminal justice process step by step, with each step representing a decision point and potential vulnerability.
- “Walk” through the process together with knowledgeable stakeholders and/or interview participants, checking for coherence with your research on the topic and noting any areas where you lack information.
See Annex II for a simplified diagram for the mapping process and an example of how the final map could look. Most processes will include some version of the four steps in Table 2.
A criminal case may be initiated in several ways, depending on the jurisdiction. Common triggers are an anonymous source, a formal criminal complaint or a referral from another public authority.
Some agencies may have no direct responsibility over wildlife but are allowed to receive a criminal complaint and route it to the appropriate authorities.
This includes the procedures of evidence collection and arrests, and agencies that provide technical support such as forensic analysis.
In some jurisdictions, the investigation is divided into different phases; some may even overlap with the prosecution phase. It is less important how a specific procedure is categorized, as long as the chronology and interactions between actors are properly captured.
This phase involves all the activities that are prosecutor-led and are directly associated with preparing the case to be presented in court.
This phase covers judicial proceedings in which judges or magistrates decide on the merits of the case (or an appeal against an earlier judgement) and hand down judgements, penalties, and sentences.
3.4 Characterize risks through interviews
Using the map as a base, conduct semi-structured interviews using a questionnaire (like the example in Annex III) in order to:
- understand, validate, or refine the process map;
- clarify roles and responsibilities of agencies and key actors;
- gather data on corruption risks.
You could consider gathering the data in a group workshop rather than one-on-one interviews. However, individuals may be more willing to open up in an individual, confidential setting.
Considering the need for trust, live in-person meetings are preferable where feasible and where this does not pose a security risk. Some participants may however feel more comfortable speaking online or on the telephone from their homes. Be guided by their wishes, since it is important that they feel secure and protected from potential retaliation or other risks.
3.5 Assess and prioritize risks
It is helpful to gather all risk information from interviews in a spreadsheet, where it can be systematically “crunched” to merge duplicate risks and categorize them broadly. (The categories in the TNRC topic brief may provide inspiration.) Depending on the team’s analytical skills, it may be helpful to evaluate the prevalence of the risks across different phases of the system and the number of participants who mentioned them.
Where feasible, you will then bring participants together in an in-person workshop to assess and prioritize risks “live.” This typically uses a scoring system that assigns scores (low, medium, high) based on participants’ perceptions of a risk’s likelihood to occur and its impact (severity) if it does occur. Basically, as shown here, the higher the impact and the higher the likelihood, the higher the priority.
Well-managed in-person workshops have the benefit of increasing buy-in from participants and helping them get over their hesitation of scoring risks. This is far harder in individual meetings or virtual group meetings, which tend to suffer from technical difficulties and challenges in trust building. It does however require an experienced facilitator who is able to build trust between participants from different agencies and quickly analyze information provided on the spot.
The result of the risk scoring is that you are able to generate a list of 8–10 high-priority risks, plus a “runners up” list of other risks.
3.6 Shape potential mitigation measures
During the workshop, ask risk owners how they themselves believe they could mitigate the risks. They know what is feasible and what they would be willing (and able) to implement. Generating recommendations without involving the risk owners is likely to lead to them being discarded or forgotten.
These ideas can then be combined with expert contributions and insights from a PEA or similar analysis to shape a set of feasible, relevant, and sustainable mitigation measures. It is also vital to include a plan to test the effectiveness of such control measures. In some cases, and where funding permits, proposed mitigation measures may benefit from an additional targeted analysis to assess their feasibility. Alternatively, an assessment of feasibility, including factors like leadership commitment, presence or absence of a political enabling environment, and resource or capacity considerations, could be requested as part of the task of the assessment team.
Table 3 shows some examples of mitigation measures.
Table 3. Risk and mitigation measure examples
Mitigation measure examples
Improve security access to evidence locker; electronic locks; reduce the need for physical evidence (photographs, etc.) in court.
Excessive authority and limited accountability of officials in making decisions
Introduce a double signature approval system; limit opportunities for exceptions; automate processes; implement external review committees for key decision points, especially in big cases; collective decision-making on case milestones (seizure, indictment, arrest).
External influence on investigators or prosecutors
Avoid assigning staff to cover cases in their home village/town; take care if the opposing counsel shares some affinity with prosecutors, like having attended university together; ensure operational security of case files; review wealth declarations of officers where legislation allows it.
Leakage of information about ranger locations
Install strict access protocols to control rooms; strengthen data security; provide information on locations and plans only on an as-needed basis.
3.7 Create report(s)
The report conveys the results of the CRA and the proposed mitigation measures. The full report typically contains:
- A description of the scope, purpose, funding source, and time period of the CRA.
- The map of the law enforcement process under examination.
- Main findings, focusing on the priority risks and with a broader explanation of the different risk categories identified.
- Recommended mitigation measures for the priority risks, and a mitigation action plan to aid implementation. A monitoring, evaluation and learning process should be built into this action plan, as well as a timeline for reporting on results and the following re-assessment.
- The full list of risks identified and analyzed, along with the questionnaire for semi-structured interviews and the workshop agenda, can be attached to the report in an annex.
3.8 Disseminate for implementation
The main recipients of the full report are typically the leadership of the agencies involved in the CRA, plus those in charge of implementing the mitigation measures – usually agency “risk owners” and internal audit or control units. Given the need for trust and buy-in for effective implementation, it is advisable to meet in person with the leaders first to explain the key findings and practical implications.
3.9 Monitor, evaluate, and reassess
A CRA is most valuable when it is part of a project cycle involving monitoring, evaluation, and reassessment. Figure 3 illustrates how such a circular process might work. Agencies may wish to consider setting up a multi-agency risk committee that is responsible for implementation, tracking the results, and reviewing and updating the CRA once or twice a year.
Annex I: CRA units of assessment
Three types of units of assessment can be thought of when conducting a CRA: single agency, multi-agency, or process oriented. The MCAR approach set out in this guide is primarily process oriented. Feel free to adapt the methodology to suit other units of assessment if that is more appropriate in your context.
1. Single agency
This is conducted within a single agency or department, for example the investigative department of a wildlife management agency or a specialized environmental crime unit within a public prosecutions office.
Single-agency assessments are more focused and allow you to dive deep into risks that are internal to that agency. For example, you may identify a risk of evidence disappearing from a storage room, which may be mitigated with a secure storage unit and improved processes for evidence management. This may be an option where resources are low and/or you have a strong relationship with only one agency.
However, this does not address corruption risks arising from the wider law enforcement process, so the impact of mitigation measures may be limited. For example, initial investigations by staff of the wildlife management agency may be improved, but this has little effect if the police investigators in charge of taking the case further are compromised by corruption risks.
2. Multi-agency assessment
Assessing corruption risks in multiple agencies along the law enforcement chain has similar benefits to the single-agency approach, but will likely have greater impact as more agencies are assessed.
However, these assessments miss the crucial interactions between different agencies in the law enforcement process, which is where many of the corruption risks arise. Issues around information exchange are not addressed.
3. Systems approach / process-oriented assessment
The law enforcement process in wildlife cases necessarily involves multiple public agencies, such as wildlife management authorities, financial intelligence units, police, and prosecutors. A systems approach / process-oriented assessment helps you to fully understand the actors and their specific roles and interactions within the process.
Annex II: Sample process diagrams and maps
Annex III: Sample questionnaire for semi-structured interviews
The interviewer starts by explaining the project and confirming that the participant understands and agrees with the items in the consent form. The participant should be offered a chance to ask questions before the interview starts.
1. Participant role
Which of the following best describes the participant’s role?
- Law enforcement agent
- Environmental crimes prosecutor
- Member of the judiciary
- Civil society representative
- Anti-corruption consultant
- Conservation consultant
- Human rights advocate
- Member of NGO involved in anti-corruption efforts
- Member of NGO involved in conservation efforts
- Member of NGO involved in strengthening law enforcement and prosecutions
- Investigative journalist
[Keep in mind: These categories may change and adapt to your specific case. However, it should be narrowed down to actors or parties directly interested in the criminal justice process. Of great value are members of civil society and members of the press who might not be actors in the process but follow or promote proceedings of public interest.]
2. Overview of criminal justice system for illegal wildlife trade (or other focus of the risk assessment)
Interviewer displays previously developed map of the relevant criminal justice processes and asks whether the information appears to be:
- Imprecise and in need of clarification
Interviewer asks: Do you have any comments or corrections on the map?
[Keep in mind: The process map is focused more on the process along several agencies and not so focused on drilling down to standard operating procedures.]
3. Integrity risks in different phases
For each phase of the map that is relevant to the participant, the interviewer displays the section of the map displaying that phase and asks the following questions:
- How likely are integrity risks in this phase? (1 = unlikely, 2 = likely, 3 = highly likely).
- How high is the impact of integrity risks in this phase on the functioning of the criminal justice process? (1 = low impact, 2 = medium impact, 3 = high impact).
- What would a likely, high-impact integrity risk look like in this phase?
- How do you think such an event could be prevented? (E.g., through amending laws or operational procedures, strengthening processes…).
- Any other comments about this phase?
The different phases could be:
- Actions by Financial Intelligence Units (FIU)
- Investigative triggers
- Sanction imposition
[Keep in mind: These phases are not drafted according to legal definitions. They are generic descriptions of the process in order allow comparisons between jurisdictions or different criminal justice systems.]
If a participant is not knowledgeable about a particular phase or does not wish to answer questions about it, the interviewer skips to the next phase.
The interviewer ends by reiterating the confidentiality of the answers and explaining what the next steps will be.
Annex IV: Sample consent form
[Name of risk assessment project]
You are invited to participate in a study to assess integrity risks in [focus of the assessment / country]. The study is led by [lead organization] and takes place from [dates].
Purpose of this study
The purpose of this study is to carry out an integrity risk assessment for [focus of the assessment and intended aim].
Type of participation
This assessment invites your participation in a [virtual/in-person] interview with a duration of around [45 minutes]. The participation is purely voluntary. There is no financial compensation linked to your participation.
Funding donors and project partners
The study is funded by the [funding body] and carried out by [lead organization] in collaboration with [other participating organizations].
Confidentiality and data protection
Your participation in this study is fully confidential. The discussion points will be recorded in note form only (no video or audio recording). All information obtained will be anonymized and not attributed to any one individual. All notes and other information provided will be stored securely in password-protected folders on the [organization’s] servers and treated with the utmost confidentiality both during and after the project, in accordance with the [link to the organization’s data privacy statement]. The data will be retained for a limited time period. No notes or details of any discussions will be shared with anyone beyond the immediate project staff on a need-to-know basis. The analytical products resulting from this study will not contain participants' identifying details.
This research does not intend to disclose or discover concrete cases of corruption involving known or unknown individuals. Rather, it focuses on strategic level risks and how these risks manifest. No information about concrete cases of corruption will be asked or recorded.
This research project adheres to the following ethical guidelines:
- [E.g., lead research organization’s Code of Ethics]
- [Other relevant ethical guidelines for research, e.g., Concordat to Support Research Integrity, the UK's national policy statement on research integrity).
By participating in this study, you consent to provide your input in questions regarding integrity risks in [focus of research]. You may withdraw your consent at any time during the study.
Point of contact
For further information on the project and to follow up on project activities and outcomes please contact:
[Contact name, title, organization, and email address]
 CRAs may be occasioned by a planned collaboration with a particular agency or an organization's desire to strengthen a certain function. In some cases, weaknesses may be revealed through other activities, like court or case monitoring.