Integrity Maturity Self-Assessment Guide and Frequently Asked Questions | Australian Commission for Law Enforcement Integrity (ACLEI)

Integrity Maturity Self-Assessment Guide and FAQ Integrity Maturity Self-Assessment Guide and FAQ.pdf (527.47 KB)

Introduction

The Commonwealth Integrity Maturity Framework provides accessible information to support entities to design, implement and review the effectiveness of their integrity frameworks so that they are tailored to their risk profiles, size and contexts.

The following suite of products have been produced to support the Framework:

Integrity Maturity Framework
The Integrity Maturity Framework is a set of 8 Integrity Principles, that are derived from the key Commonwealth integrity laws, policies and procedures. Each principle summarises the corresponding governance obligations and controls.

Integrity Maturity Self-Assessment Guide and FAQ Each Integrity Principle is accompanied by a 4-level maturity scale, with each level of maturity building on the previous level.
The Self-Assessment Guide and FAQ provides guidance for entities to undertake a self-assessment of their integrity maturity, by interpreting and applying the most appropriate indicators and indices.

Towards Integrity Maturity: Mapping the Commonwealth integrity landscape This report describes the roles of the Commonwealth integrity agencies and the wide range of integrity-related laws, policies and procedures that govern the actions of Commonwealth officials and entities. It is provided as a useful reference for agencies to understand the various aspects of the Commonwealth integrity landscape.

Assessing integrity maturity

Entities lead and conduct their own integrity maturity self-assessment. While assessing current maturity and setting desired maturity is important, understanding the actions and initiatives needed to progress to the desired state is also valuable. It is a positive step to undertake the assessment and plan for improvement where necessary.

The self-assessment is a participative diagnostic exercise, not an audit process or a training course. Assessment results are guided by the experience and beliefs of participants—informed by methodical risk assessment, integrity metrics, monitoring and reporting.

Focus on prevention
Share lessons learned and expertise
Encourage participative assessment and learning
Determine scope and participants
Aim for appropriate maturity levels
Design and conduct the integrity maturity self-assessment

Focus on prevention

The focus of the self-assessment is on identifying ways to prevent integrity breaches and strengthen the resilience and maturity of the entity by identifying and managing integrity risks and vulnerabilities. The purpose is not to detect, investigate, or sanction integrity failures.

Encourage participative assessment and learning

Important objectives of the maturity self-assessment include:

entity-wide learning about what it means to sustain a positive, resilient culture of integrity in the workplace
collaborative identification and shared understanding of integrity risks and vulnerabilities, including specific risks arising from the entity’s mandate, powers and functions
understanding and ownership of measures to strengthen integrity maturity and maintain resilience

Aim for appropriate maturity levels

Continuous improvement in maturity is important as integrity risks are constantly evolving. However, it is not always necessary or desirable to aim for the highest level of capability maturity in implementing each of the 8 Integrity Principles. An appropriate level of maturity should be guided by:

identifying the most likely and harmful integrity risks
deciding whether existing integrity controls adequately mitigate such risks, or whether new controls are warranted
confirming that residual risks are consistent with the organisation’s integrity risk tolerance

Many commonwealth entities are exposed to similar, or linked, integrity threats and vulnerabilities. Entities can therefore benefit by sharing lessons learnt on strategies to manage risk, how to build maturity and resilience, and how to conduct integrity maturity assessments. Entities could consider inviting representatives from other organisations to participate in the maturity assessment process.

Determine scope and participants

Scope

Ideally, the maturity self-assessment will assess the current state of integrity across the whole entity, although it would be possible to assess certain functional areas or parts of the organisation. Specific areas of integrity focus or concern could inform the assessment’s objectives.

Participants

Choose a representative sample of participants, consistent with the objectives of promoting entity-wide learning, ownership of the maturity assessment and recommendations, and sharing of lessons learned and expertise. A position or functional area responsible for integrity or governance coordinates the entity’s assessment with relevant internal stakeholders.

Most commonwealth entities already conduct maturity assessments, such as for protective security and fraud prevention. Staff experienced in such assessments could make a valuable contribution to the integrity maturity assessment, as could staff from integrity-related areas such as internal audit and human resource management.

Summarise information on integrity performance

Various sources and types of information could inform the maturity assessment process:

Reports from Parliament, oversight agencies, civil society and the media
Government assessments and reports and associated maturity ratings, including those produced under the:
- Commonwealth Risk Assessment Policy (see Integrity Principle 4)
- Commonwealth Fraud Control Policy (Principle 5)
- Protective Security Policy Framework (Principle 7)
Organisational data and information: staff survey results, perception or witnessing of misconduct or corruption, reports of harassment, bullying or discrimination (e.g. APS Census); complaints, code of conduct reports and investigation results, integrity testing results (where applicable); sanctions or disciplinary action; performance management data, unscheduled absence rates, rates of staff turnover; work health and safety data; integrity training rates.

Design and conduct the integrity maturity self-assessment

Choose the maturity level that on balance best reflects the entity’s current approach to integrity for each of the 8 Integrity Principles. Occasionally, entities may have implemented different levels of maturity across a single principle. In this case, use judgement to decide on the overall current maturity level based on what actions and initiatives are in place.

The maturity level indicators might not describe the current approach perfectly, and not all characteristics may be in place or need to be in place. Some elements may be assessed as more mature than others.

The following topics and tasks could comprise, for example, a two-day workshop, or a sequence of smaller meetings and events to undertake the self-assessment

Orientation	What does it mean to sustain a positive, resilient culture of integrity in the workplace?
Integrity Performance	What do we know about the status of integrity in the entity? What can we learn from relevant official reports, media coverage, internal integrity metrics and monitoring, and related maturity assessments?
Risk Assessment	What are the current and emerging integrity threats and vulnerabilities associated with the entity’s mandate, powers and functions, and consequent integrity risks? Of the risks identified, which are the most likely and the most potentially harmful? Are the integrity risks already managed effectively, or do they require improved governance controls?
Maturity Assessment	Informed by the most likely and harmful integrity risks, assess the level of maturity of governance controls under each of the 8 Integrity Principles, using the Maturity Indicators provided for each principle. Note: Maturity assessments are routinely conducted for the Commonwealth Risk Management Policy (Principle 4) and the Protective Security Policy Framework (Principle 7). The maturity ratings of those assessments should be used in this process.
Reporting	The report of the maturity assessment process could be structured to include: Integrity Performance: What we know about the status of integrity in the entity. Risk Assessment Results: Which integrity risks were identified? Which are the most likely and most harmful? Maturity Assessment Results: What is the assessed maturity level for each of the 8 Integrity Principles? Improvement plan: For each of the 8 Integrity Principles, plan to either maintain the current level of maturity, or seek a higher level of maturity over time in consideration of the entity’s operating context, risks and constraints. The plan should indicate which improvements should be given priority and who should be responsible for each action.

Next Steps

Disseminate: Share the self-assessment and improvement plan within the entity, for example with the accountable authority of the entity, leadership group and other relevant stakeholders (e.g. audit and risk committee) for comment and endorsement. This process provides an opportunity for the leadership group to reflect on the entity’s current approach to integrity.

Implement: Implement the plan and monitor improvements. This will require leadership support.

Repeat: Decide when to undertake the next self-assessment, it may coincide with the entity’s own review cycle.

Frequently Asked Question

The framework provides accessible information to support entities to implement effective integrity frameworks tailored to their risk profiles, size and contexts. Entities can also use it to help put in place action plans to uplift their integrity maturity.
The maturity model is designed for broad use across all Commonwealth entities wishing to assess their integrity maturity.
Please refer to our Self-Assessment Guide for detailed information on undertaking a self-assessment. Basic principles for self-assessment include:
- Participative assessment and evidence: involve a cross-section of employees and gather evidence to support assessment against the maturity indicator elements.
- Risk assessment: identify integrity threats and vulnerabilities associated with the entity’s mandate, powers and functions, and consequent integrity risks.
Various resources are available, including Towards Integrity Maturity: Mapping the Commonwealth Integrity Landscape, the 8 Integrity Principles and Maturity Indicators and the Integrity Maturity Index.
No. Integrity maturity self-assessment is optional.
Entities are free to decide how to use the integrity maturity resources. However, entities that undertake a maturity assessment are encouraged, under Principle 8, to undertake:

Reporting and decision making on recommendations to reach desired maturity levels, and to sustain a culture of integrity where institutional systems, policies and practices are purposeful, proportionate, legitimate and trustworthy.
Entities are free to choose to whom they provide the results of maturity assessments.

Principle 4: Manage Risk and Develop a Positive Risk and Pro-integrity Culture encourages entities to communicate and consult about risk in a timely and effective manner to internal and external stakeholders; and share risks, risk treatments and capabilities with other Commonwealth entities.
No. However, entities are encouraged to consider involving other entities in integrity maturity assessments, and to share risks, risk treatments and capabilities with other Commonwealth entities. This avoids positivity bias and promotes shared learning.
No. In some circumstances entities may be satisfied with lower levels of maturity, provided that integrity risks are: well understood, effectively managed under current arrangements, consistent with the entity’s risk appetite, and consistent with mandatory obligations (e.g. under the PGPA Act).
This project has drawn together various Commonwealth statutory obligations and policies relevant to organisational integrity. Some of these elements have existing maturity models (e.g. PSPF and Commonwealth Risk Assessment Policy). The project has also drawn from the Australian Public Service Commission’s Integrity Metrics Maturity Model and Western Australian Public Sector Commission’s Integrity Framework Maturity Self-Assessment Tool.
ACLEI reviewed various maturity models and sought to achieve a workable balance between simplicity and completeness.

Other Commonwealth entities also use a four-level model, including AGD (PSPF) and the Defence Signals Directorate(Essential Eight Cyber Maturity Model). The Western Australian Public Sector Commission’s Integrity Framework Maturity Self-Assessment Tool has informed the development of this project and uses a 4-level maturity model.
One of the anticipated functions of the NACC is to support corruption prevention among Commonwealth entities. The Commonwealth Integrity Maturity Framework will assist agencies to review and uplift their integrity frameworks ahead of the establishment of the NACC.