Principles and approaches: Introducing an Anti-Diversion Programme (ADP)
The first part of this book considered the nature of the problem, tackled some myths and misunderstandings, explored the legal landscape, and unpacked the diversion risks themselves. This second part turns to potential ways forward, and describes a framework through which an INGO can manage the risk of diversion. After exploring the advantages that a risk-based approach to diversion has over a compliance-based approach, this chapter sets out the framework which will also be the subject of the rest of this book — the ADP. It also includes a case for investment in an ADP, given the frequent complaint of the rising cost of delivery' amongst INGOs.
Risk-based versus compliance-based approaches
‘Risk’ and ‘compliance’ appear in both risk-based and compliance-based approaches. Adopting one does not mean abandoning the other. But each represents a different profile of priorities, focus, and application. This section describes first the issues with what might be termed a ‘compliance-based approach,’ and then outlines the strengths of the risk-based approach that is the foundation of this book.
A compliance-based approach to diversion
In a compliance-based approach, diversion is seen primarily as a matter of complying with donor, legislative, and regulatory' obligations. Anti-diversion activities are often seen as expensive compliance costs observed in order to unlock funding and the ability to operate.
Characteristics of a compliance-based approach
A range of indicators may suggest the presence of such an approach. The first cluster around the dialogue between an INGO partner and its donors; the INGO demands clarity' from donors on precisely what its obligations are, perhaps with a supplicant tone akin to just tell us and we’ll do it’— but suffers from fatigue as intensive requirements build up across multiple donors.
Table 5.I Advantages and disadvantages of risk-based and compliance-based approaches
|
Advantages |
Disadvantages |
|
|
Risk-based approach |
|
|
|
Compliancebased approach |
|
|
Some of those donors issue ever-more onerous and directive requirements and guidance, particularly around screening.
Internally, armies of donor accountants, donor reporting officers, and donor relationship managers command the attention of programme staff. The issue of diversion is jealously guarded by the legal department, and the surest way to generate action from both business support and programme functions is to leverage the law. When that activity does take place, it represents the minimum effort, at the last possible moment, to comply.
Dry, legalistic training for staff focuses on quoting laws, donor rules, and definitions. Participants leave sessions uneasy, none the wiser, and on course to have forgotten most of it by the following week. Should an incident actually occur, there is hand-wringing up and down the management chain at the prospect of notifying the donor, and when that does happen it can result in suspensions, emergency remedial controls, and lengthy investigations. After all,
Principles and approaches 61 it is potentially a breach of both the law and the donor’s requirements — a liability the INGO is carrying alone.
Disadvantages of a compliance-based approach
It should be clear from this picture that while a compliance-based approach is a matter of choice for an INGO, it is also encouraged by the global development system at large. Institutional donors, for example, do need to manage the risks associated with their own funds, and are accountable to other government actors. As both ‘compliance’ is a well-established and broadly positive business discipline, and contracting a key lever and safety net in business relations, passing on billowing contractual requirements to implementing partners is an attractive way for donors to protect themselves. But in this sector, even the word ‘compliance’ seems inadequate, suggesting that we steward resources properly only because a donor or law requires it.
The approach is not entirely negative, nor should INGOs decline to comply with donors or the law, but it presents some significant disadvantages. Firstly, institutional donor requirements are often designed to protect the donor, not its partner. The controls prescribed do not necessarily derive from the risks borne by the INGO, but the donor. Following the donor’s controls alone, then, can blind the INGO to its own actual diversion risks. Merely executing the donor’s screening requirements, for example, might satisfy an INGO’s contract but unless all risks have been properly considered by the INGO, it may lead to a false sense of security. It also damages the link between risk and control, as donor requirements rarely elucidate the risks that each control is designed to address. Inviting INGO staff to carry out onerous procedures without a clear understanding of the relevant risks fosters bureaucracy.
Secondly, a compliance-based approach can misdirect risk assessment. Where INGOs identify a diversion risk it might be articulated as ‘legal non-compliance,’ for example, rather than focussing on diversion typologies. Legal non-compliance may indeed be a business risk, but controls to modify' it may be different from those which would modify the risks of diversion incidents. And as we explored in Chapter 4, diversion can occur in many different ways - a compliance-based approach may not successfully identify all of them in any given programme, may misidentify them, or could lead to those risks being structured ineffectively.
Meanwhile, in diversion incidents, a compliance-based approach can underemphasise the consequences that should be of the greatest focus to an INGO — the implications for its beneficiaries and its operations. Incidents become alarming donor management and legal issues rather than opportunities to improve and adapt for the benefit of the INGO’s mission.
Fourthly, the approach can misdirect responsibility away from the INGO and towards donors, regulators, and lawmakers. INGOs lose agency, and become implementation engines and the objects of legal leverage for donor agencies. Worse, many INGOs will perpetrate this systemic dysfunction by passing onequally over-specific requirements to their own implementing partners. As the sector wrestles with how to be more localised, it is not helped by this practice.
Finally, perhaps the most compelling issue is that compliance-oriented thinking might contribute to the ‘chilling effect’ (Debarre, 2019), in which counter-terror and sanctions laws are allowed to discourage humanitarian and development programming. In this context, it is a starting point that can emphasise hazard management, rather than the more difficult but exhilarating practice of focussing on humanitarian possibility, and the negotiation, innovation, and collaboration necessary to seize it.
Introducing the risk-based approach
In a risk-based approach, we start with the specific diversion risks faced by an organisation, programme, or project, and respond to those. Our primary objective is to minimise incidents of diversion. This is delivered through a schedule of work, the ADP, whose focus, activities, and resourcing are directed by risk assessment.
A risk-based approach does not mean that compliance with donor requirements or the law is not important. It means that it is not the sole purpose, or even the focus, of the ADP. The risk-based approach can also be applied by donors, through avoiding lengthy, detailed screening obligations and instead requiring the existence of a risk-based ADP in their partners.
Advantages of the risk-based approach
A risk-based approach is the only way to fully respect the unique disposition of the INGO, each country programme, different aid modalities, and every project. Assessing the specific risks faced by each can ensure that they are relevant, and controls are effective and proportionate. It is also pragmatic — procedures or systems that do not have a clear link to a risk can be removed. This pragmatism puts an INGO in a stronger position to manage complexity, especially in dynamic situations.
This touches on a second key advantage — that it embeds proportionality, the minimum disruption to business in order to reduce risks to an acceptable level. Identifying risks and determining their priority and severity guards against two equal but opposing errors — ineffective or non-existence controls, on the one side, and overbearing bureaucracy at the other.
A third advantage is that a well-designed risk-based ADP should result in a range of policies, procedures, systems, and activities that may well harmonise with donor and legal requirements, reducing duplication. With such policies, procedures, and systems in place, an INGO may not need to ‘re-invent the wheel’ with every new contract, for example, but can draw from a pre-existing collection. Gaps can then be filled through obligations management (Chapter 7). Much financial crime legislation expects elements of a risk-based approach, and there is now considerable consistency of expected practice. Another form of efficiency arises in the ADP’s relationship to other risk management programmes — there may already be policies, procedures, and systems from which to draw.
Fourthly, the approach offers some protection against legal opacity and alternative agendas. Where there are tension points with unwieldy legislation, disharmony between different government departments, or bounty activism, a risk-based approach can help INGOs to reduce aggregate risk by focusing on minimising the incidents that exacerbate or give succour to these issues in the first place. A risk-based approach can also support advocacy and public engagement; being able to articulate a well-designed ADP can reassure donors, both when assessing an INGO’s funding bid, and should an incident take place. Having a clear and documented picture of the risks an INGO faces also supports its wider engagement with the sector, banks, regulators, and legislators.
Finally, just as compliance-oriented thinking might contribute towards a ‘chilling effect,' a risk-based approach is positive and constructive. It focuses not on what we must not do or must avoid, but on what we can do. Good risk management is about enabling the safe pursuit of opportunity — and for aid organisations, that is the opportunity to save and improve lives. With a clear understanding of the risks and a functional ADP to manage them, INGO boards can enjoy confidence that they are able to operate as safely as possible in highly challenging places.
