This week I’ve been in Nairobi, Kenya, delivering workshops for local NGOs on minimising the risk of money-laundering and terrorist financing. Preparing the material led me to reflect on some of the conversations I’ve had with NGO managers about reducing the risk that physical assets, funds and stock might fall into the hands of those designated as terrorists, or subject to financial sanctions.
This presents a very challenging issue for NGOs that work in high-risk areas, and one with significant tensions at its heart. These include the tension between minimising the risk of diversion versus disrupting the delivery of aid, competing obligations on the ground, and the wider balancing act between regulation and enforcement versus guidance and capacity building.
It does not help that the international regulatory picture and sectoral response are far from coherent, and subsequently it is understandable that there are widespread misunderstandings. This is not an exhaustive article, of course, but we’ll explore (in no particular order) some of the most common areas that have popped up in my conversations around the sector.
Audit may be unlikely to pick up incidents.
Audit is a helpful process that assists managers to meet their organisational goals and minimise risks. It is not its purpose to detect financial crime (less than 20% of detected fraud cases are identified this way). That’s assuming, of course, that systematic and independent audit even happens – in remote programmes, conflict zones or humanitarian emergencies, whole projects in some organisations may see little or no independent review at all.
NGO managers need to avoid the errors of assuming that a detection-free audit is an all-clear, or that it is solely the duty of auditors to prevent and detect financial crime, rather than everybody’s responsibility. ‘Protection money’ or ‘taxes’ paid to terrorist groups can be masked as vague costs, such as ‘transport’ or ‘security.’ If identity and sanctions list checks of partners, contractors, consultants, staff and volunteers were not conducted, auditors won’t necessarily pick up positive hits either. Audit may help identify vulnerabilities, but it cannot be relied upon to spot incidents.
Instead, according to FATF, factors that might elevate an NGO’s risk include programmes in close proximity to terrorist groups, and/or those that are ‘service’-oriented; these could include construction and distributions (i.e. operations more likely to involve the movement of physical assets, funds or stock). An NGO in this position needs to ensure that it implements a meaningful risk management cycle, creating space to look for vulnerabilities and taking reasonable precautions. Risk assessment is only a bureaucratic ‘tick-box exercise’ if we let it be – it can be a powerful method to spot what could go wrong and do our best to prepare for it.
Transferring all the risk to local partners isn’t fair.
In my book, I suggest that a chain of unbridled risk transfer from back-donors to INGOs to local partners has the opposite effect of protecting funds – it increases the risk of fraud and corruption. In the end, too much risk derived from decisions taken in coffee-laced, air-conditioned meetings in Brussels, London and Kabul sits on the shoulders of one Afghan worker standing in the sun at a checkpoint in Badakhshan. This is poor risk management, poor partnership-working, and poor diversion prevention.
The flow needs to be inverted. Rather than just responsibility flowing from back-donor to local organisation, communication about the nature of the risks needs to flow the other way, and provoke increased investment in capacity-building and shared responsibility. There are difficulties with reconciling programmatic objectives and terrorism risk (‘what if we really can’t access that population without a payment?’), but we will not start to address these if agencies hide behind risk transfer to avoid the conversation.
Relying on assurances of non-prosecution is dangerous.
In 2015, the UK government issued guidance describing the risk of a prosecution for a terrorism offence as a result of involvement in humanitarian efforts or conflict resolution as ‘low.’ This was encouraging in terms of the British government’s recognition of the vital need for humanitarian work in conflict zones and the difficult circumstances in which it occurs. However, we need to be cautious about how we respond to this in terms of our investment in minimising the risk – we might have been here before.
In 2010, the Bribery Act led to a flurry of compliance activity amongst NGOs keen to avoid prosecution for failing to prevent bribery. According to some, however, unnamed British officials apparently indicated to nervous NGOs that their organisations were not the focus of this legislation and appeared to imply that they would not be paid much attention. Some perceive that, sadly, this well-intentioned move contributed to a dwindling of effort amongst some NGOs in developing meaningful compliance frameworks. (Ironically, in this regulation with strong ‘prevention’ requirements, it is the dwindling of effort and its consequences that could potentially elevate the chances of prosecution!)
Implied assurance of non-prosecution is always caveated, is not always made by those with the correct authority, and might not relate to that which is perceived. The British guidance note, for example, does not indicate whether it is referring to placing resources in the hands of terrorists (potentially s15-18 Terrorism Act offences), failing to have sufficient systems to prevent sanctions breaches (potentially a s34 Terrorist Asset Freezing Act offence of neglect), failing to report a suspected funding offence (s19 Terrorism Act), or some of those, or none – and so on. In any event, any decisions would be made on the basis of the prevailing circumstances of the case and it is worth noting that Save the Children International were investigated by the Metropolitan Police for allegedly failing to report a suspected incident of theft by a terrorist group in Somalia.
This situation also comes with an ethical choice – if we are not to be prosecuted, is it okay to commit the offence? Our donors and supporters may have something to say about that.
Assurances of the low probability of prosecution are not literal Get Out Of Jail Free cards. Instead, a pragmatic response for NGOs might be to continue to do all that is reasonable to comply with regulations, invest in proper systems to reduce the risk of both incidents and non-compliance, and maintain dialogue with authorities on the implications for humanitarian operations generated by the intricacies of their regulatory regimes. And there is no substitute, of course, for professional legal advice.
Conclusion
As with many of the corruption risks facing NGOs, the issues are complex and difficult. NGOs require the understanding – and patience – of the public, their donors and host governments. However, there is much that NGOs can do to reduce these risks.
Many of the systems and approaches that minimise the risk of diversion represent good governance and management – creating space for proper planning and monitoring of operations, ensuring that open internal communication channels exist, investing in the coherent verification of outputs, the diligent management of third parties, and so on. Getting these things right in areas where we are more able to do so reduces overall exposure, allowing us to focus our problem-solving on the areas where things are more challenging.
Improving transparency – or, in old money, having the conversation – will start the ball rolling.
But there is a tension. Case studies such the UN’s experience in Somalia support a perception amongst many in the sector that, generally speaking, working with local partners represents an elevated fraud and corruption risk. A range of reasons are commonly cited for this, but the most common perhaps is where partners carry lower capacity and capability in finance and wider management by comparison to that of the international agencies, or donor expectations.
The first is the very reason international agencies often work with them in the first place – they understand their local environment. They know where the risks are, and are in a strong position to evaluate how to reduce them. This can mean more informed planning (how long does it take to get that permit without paying a bribe?) and risk management, if the space is given to it.
Whether in remote programme management or not, local partners are often physically closer to project delivery or able to more efficiently move around and interact. This is a substantial advantage for monitoring, and the detection of red flags.
Development expert Jennifer Lentfer tells 
The global coverage of telecommunications is expanding as fast as its costs are declining, meaning that much humanitarian and development work is happens underneath its umbrella. This means that innovative software and hardware solutions to manage and monitor programming are increasingly available and affordable.
There are corrupt local organisations out there, of course, who have the sole or corollary aim of gaining access for their principals to international agencies’ funds. But the vast majority of local organisations whom I have encountered have been full of passionate people doing amazing work in difficult circumstances. Robust selection processes are needed to ensure that these are the partners who are taken on.
Find out more about the risk that fraud and corruption pose to humanitarian and global development organisations, and how they can better deter, prevent, detect and respond to it, in my book! Click here to get your copy of Fighting Fraud and Corruption in the Humanitarian and Global Development Sector from the 
Another way to think of this concealed drainage is like corrosion under your car – unless you go looking for it, you won’t ever realise its presence, scale and danger… until your car falls apart in the middle of the motorway. You may fear the consequences (e.g. costs involved) of detecting the corrosion and needing to deal with it, but these costs in the long run are less than those that the motorway incident might involve.
As public scrutiny of the sector rises, together with increased recognition of the scale of fraud and corruption risk facing such organisations, we need to move to a virtuous circle, fuelled by a desire to secure donor, public and staff trust by evidencing accountability and transparency. A virtuous circle might look like this:
In 2010, there were a 
Research suggests that we feel losses more intensely than gains – so if you lost a £100,000 sports car, you’d feel that much more powerfully than you would if you won a £100,000 sports car in one of those airport car lotteries. This emphasis leads to an 
Celebrated psychologist Dan Ariely conducted an interesting experiment in which he placed dollar bills and cans of Coca-Cola around the campus of an American university. When he went back, the dollar bills were all still there – but the Coke cans had gone. (You can read about this, and other experiments, in his fantastic book 
When you’re driving, have you ever noticed that if someone else makes a mistake, then they’re an idiotic and dangerous driver – but if you make a mistake it’s because you were interrupted by a passenger, the car needs servicing, or you were responding to something another car was doing? This effect is known as the 
A few years ago, in a Middle Eastern country, I was delivering a workshop for managers on reducing fraud and corruption. A lady interrupted me to say, ‘but this is just the way things are here!’
Firstly, fraud and corruption are designed to hide and masquerade, like chameleons, stonefish or those 
Don’t just seek two employment references – after all, what self-respecting fraudster volunteers damaging referees? Consider:
Having a culture of trust does not mean having no, or inadequate, controls. Neither, of course, does it mean an onerous filing cabinet’s worth of policies, procedures and systems (in fact evidence suggests that too many, or too demanding, controls reduces compliance). It means having just enough to manage the risks – an ongoing cycle of design, implementation and review of proportionate internal controls. It also, of course, means having an effective organisational counter-fraud and corruption framework.
Instead, to feel safe, secure and successful, we all need to know where the boundaries are, and we all need feedback on our performance. After all, if we are mission-oriented, then ‘oversight’ is about colleagues working together to maximise our effectiveness and efficiency in delivering that mission, right?
One of the things we can do to reduce the perception that having and following rules represents a failure to trust, is to re-frame activities like due diligence and monitoring. We need to be clear with managers and staff about our expectations, and explain that following policies, procedures and systems is about:
management framework – would not have significantly reduced the chances of it happening. An example might be World Vision’s 
Ironically, of course, a driver behind the flawed narrative is a desire to see good stewardship in NGOs. But in the same way that it would not represent good stewardship for a fire department to send firefighters into burning houses without protective clothing, it does not represent good stewardship for charities to move resources around without sufficient protective systems clothing those resources. Although there is, of course, a balance to strike – enormous overhead, administrative and support costs are a red flag – under-investment in prevention, and the infrastructure that makes prevention happen, is a key enabler of fraud and corruption for NGOs.
Second Marshmallow 