Partner Due Diligence

Introduction to Risk Management & MPTF portfolio risk analysis (programme/project level)
Risk Management Unit, United Nations Somalia
Today’s Objectives
• Enterprise risk management standards and processes
• Have the knowledge to produce planned Risk
management actions using the Risk Management
processes and methodologies
• Role of RMU (current and future)
• Joint Risk Management Strategy for SDRF Funds
• MPTF programme level risk analysis, observations and
recommendations
Introduction to Risk Management
ISO 31000 Risk Management Standard
• Set of principles, guidelines and processes to follow in managing risk
• Widely regarded as Best Practice.
• Systematic approach to risk management.
• Not specific to particular industries and can be applied to any sector.
• The Standard offers three main components: Principles, Framework, RM Process
Risk
What is Risk?
Why Do We Have Risk Management?
• Silo Approaches
• Donor Requirements
• Lack of useable information
• Reputation
• Organisational change
Defining Risk
Defining Risk Management
Risk Management is a range of coordinated activities that direct and control an organisation with regard to risk. Many dynamics feed into this.
It is important to promote a positive risk culture to allow everyone the opportunity to have buy-in from the top down and from the bottom up!
Risk Management Entails
Systematic Application of:
• Management Policies
• Procedures and Practices
With The Objective Of:
• Identifying;
• Analysing
• Assessing
• Treating; and
• Monitoring RISK
Types of Approaches
Qualitative: Likelihood + Consequence = Risk level
The UNCT RMU utilises a Qualitative approach to Risk Management
Effective Risk Management Aspects
For the effective management of risk, there are a number of aspects that need to be recognised:
• Risk is present in all work
• It requires a decision framework
• Risk Management should be methodical
• It needs a holistic approach
• You will never manage ALL risk (or have a risk free environment)
• Management of risk requires encouragement and support from the top down
• It needs to be integrated throughout an organization
• It requires Quality Information
ISO 31000 Risk Management Process
The area encircled by the box is
known as the Risk Assessment
Process. This is where Risk
identification, Analysis and
evaluation occur and is at the core
of this process
This is the ISO 31000 Risk
Management Process. It is a step by
step activity and is at the heart of
your risk management strategy
Steps of the process and the questions asked at each step:
• Communicate & Consult: Communicate and consult with key individuals participating or interested in the activity
• Establish Context: What are you trying to achieve? Who has an interest in your activity? What level of risk is acceptable?
• Identify Risks: What are the sources of risk? What are the risks? What are the risk impacts?
• Analyse Risks: What is the likelihood of the risk occurring? What are the potential consequences?
• Evaluate Risks: Is the level of risk acceptable? (Yes / No) What is the overall level of risk?
• Treat Risks: Treatment Options: Avoid, Accept Risk, Reduce, Transfer. Who has responsibility for treatment?
• Document, Monitor & Review: Document your decisions / actions & Monitor and Review treatment and changing circumstances
Identify Risks, Analyse Risks and Evaluate Risks together form the Risk Assessment.
Risk Management Process
Risk Treatment
• The activity of selecting and implementing appropriate control measures to modify the risk.
• Should provide efficient and effective internal controls.
• Is a cyclical process
• Effectiveness of internal controls is the degree to which the risk will either be eliminated or reduced by the proposed control measures.
• The cost-effectiveness of internal controls relates to the cost of implementing the controls compared to the risk reduction benefits achieved.
Options shown: Tolerate, Treat, Transfer, Terminate
Joint Risk Management Strategy
• Informed Decision Making: Inform strategic decision-making for portfolio management
• "Do No Harm" / Conflict Sensitivity: Mitigate the risk of doing harm through fund operations
• Fiduciary Accountability: Ensure funds are used for their intended purpose
• Increased Impact: Robust risk management should enhance the impact of the funds
The purpose of this Risk Management Strategy is to support the delivery of the SDRF strategic objectives, within the risk context in which the funds operate.
Joint risk management strategy Principles
• Risk sharing
• Risk acceptance – trade offs
• Regular dialogue
• Pro-active approach
• Risk diversification
Risk dashboard:
• High Priority Risks: High priority risks to be discussed in consultations with fund stakeholders
• Assessment: Brief description of the risk and its current status. e.g. Has it improved, worsened, or stayed the same? Which factors are contributing to this trajectory?
• Treatment: Brief description of the current treatment and proposed options, if relevant. What is already being done about this risk? What could be done differently and who should take responsibility?
• Monitoring: Monitor treatment measures for effectiveness and second order risks
Joint risk management strategy
Fund-level risks are grouped into three categories:
• SDRF Governance & Strategy: Risks related to the aid architecture and the funds’ strategies
• Contextual: Risks emanating from the broader country context
• Programme & Operational: Risks related to the implementation of fund operations and
programs/projects
• Risk management framework
Risk Assessment
• Risk: Potential for a defined adverse event or outcome to occur
• Risk Drivers: Factors that influence the realization of a risk
• Risk outcome: Effects the risk would have on fund objectives and operations
• Likelihood: Estimated chance of a risk occurring
• Impact: Estimated severity of the risk outcome
• Risk Level & Trajectory: Risk level = Likelihood x Impact. Trajectory = Direction of risk level since last assessment
Monitoring Plan
• Responsibility: The party responsible for monitoring the risk (individual or team)
• Regularity: The frequency at which a risk should be monitored (e.g. weekly, monthly, quarterly)
• Sources: The sources of information used for monitoring
Treatment Options
• Mitigation: Measures taken to reduce the impact and/or probability of a risk before it is realized
• Adaptation: Identified contingency measures to reduce the impact of a risk after it is realized
Likelihood (Occurrence; Frequency)
• Very Likely: The event is expected to occur in most circumstances; Twice a month or more frequently
• Likely: The event will probably occur in most circumstances; Once every two months or more frequently
• Possibly: The event might occur at some time; Once a year or more frequently
• Unlikely: The event could occur at some time; Once every three years or more frequently
• Rare: The event may occur in exceptional circumstances; Once every seven years or more frequently
Consequence (Result)
• Extreme: An event leading to massive or irreparable damage or disruption
• Major: An event leading to critical damage or disruption
• Moderate: An event leading to serious damage or disruption
• Minor: An event leading to some degree of damage or disruption
• Insignificant: An event leading to limited damage or disruption
Risk matrix (Likelihood by Consequences)
Consequences, in column order: Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Extreme (5)
• Very likely (5): Medium (5) | High (10) | High (15) | Very High (20) | Very High (25)
• Likely (4): Medium (4) | Medium (8) | High (12) | High (16) | Very High (20)
• Possible (3): Low (3) | Medium (6) | High (9) | High (12) | High (15)
• Unlikely (2): Low (2) | Low (4) | Medium (6) | Medium (8) | High (10)
• Rare (1): Low (1) | Low (3) | Medium (3) | Medium (4) | High (5)
Level of risk (Result)
• Very High: Immediate action required by executive management. Mitigation activities/treatment options are mandatory to reduce likelihood and/or consequence. Risk cannot be accepted unless this occurs.
• High: Immediate action required by senior/executive management. Mitigation activities/treatment options are mandatory to reduce likelihood and/or consequence. Monitoring strategy to be implemented by Risk Owner.
• Medium: Senior Management attention required. Mitigation activities/treatment options are undertaken to reduce likelihood and/or consequence. Monitoring strategy to be implemented by Risk Owner.
• Low: Management attention required. Specified ownership of risk. Mitigation activities/treatment options are recommended to reduce likelihood and/or consequence. Implementation of monitoring strategy by risk owner is recommended.
Risk Management Process
Evaluate Risks
Consequences, in column order: Insignificant | Minor | Moderate | Major | Extreme
• Almost Certain: Medium | High | High | Very High | Very High
• Likely: Medium | Medium | High | High | Very High
• Possible: Low | Medium | High | High | High
• Unlikely: Low | Low | Medium | Medium | High
• Rare: Low | Low | Medium | Medium | High
Risk Management Unit (RMU) – What we do
Our Clients
• Integrated Office
• UNSOM
• UN Agencies
• Donors
• NGOs
• Government
• Somali People
Our Services
• Risk Assessments & Analysis
• Risk Management Advice
• Risk Management Training
• Development of Common Approaches
• Monitoring
• Best Practice Dissemination
• Data Base & Information Sharing
• MPTF Risk Management Advice and analysis
Our Vision
• Increasing Impact & Accelerating Delivery
• Protecting the UN
• Protecting Beneficiaries / Do No Harm
• Capacity Building through Partnerships
Our Objectives
• Continue to build a shared understanding across the UN, Donors and NGOs
• Further develop UN wide risk management solutions
• Develop complementary and harmonised approaches across the aid community
• Improve the international community’s contextual and strategic risk analysis and its links to risk management practice
Opportunities Ahead: RMU
Available Resources
Databases
Information
Wider Network
Data Availability
Enhanced Services
Analytical
Training
Best Practice
Support Online / Class Products
Client Support
Integrated Office
Government
Challenges
Skill Sets
Data Verification
UNSOM
UN Agencies
Referrals / Links
Donors
Silo Approach
Roles Unclear
Perception
Impartiality
Lack of Reciprocity
Incentives / Awards
NGOs
MPTF risk analysis
• Risk analysis framework
• Intent of this exercise
• Role of RMU
• Current overview of programme risks
• Most common risks
• How to strengthen risk management
• The way forward
Risk analysis framework and approach
• ISO 31000
• Joint Risk Management Strategy for SDRF Funds – 2015
• Individual MPTF programme risk analysis
MPTF risk analysis
• Intent of the analysis
• This exercise analyzes the understanding of and approach to risk and strengthens risk management of MPTF.
• To ensure coherence and consistency among PUNOs and JPs and support strengthening of risk management
MPTF Portfolio ($ 150 million)
PSG column labels, in order: PSG-1; PSG-1 & PSG-1; PSG-4; PSG-5; Cross-Cutting
Programme Title
1. JP State Formation and Federalism
2. JP Constitutional Review
3. JP Electoral Support
4. JP Parliament Inclusive
5. JP Support to Stabilization
6. JP Rule of Law
7. JP Youth Employment
8. JP Local Governance
9. National Window – Service Delivery
10. JP Capacity Development
11. JP Enablers
12. JP Charcoal Reduction and Alternative Livelihoods
Current overview
• All programmes/projects have identified and introduced risk
treatment at the design stage
• Main risk categories: contextual, strategic and programme/
operations implementation risks
• Not all projects have analyzed the risks (likelihood + probability)
• There is lack of coherence on rating and treatment measures
across programmes
• Risk updates in several cases are incomplete
• High risk working environment
• Limited communication on risk management among PUNOs
Common risks
(Columns: Risk; Risk Level; Trajectory; Risk Factors)
• Security impact over the programme implementation. Risk Level: High. Risk Factors: Elections, next military campaign?
• Political. Risk Level: High. Risk Factors: Elections, state formations, lack of legislations, etc?
• Tension between states and federal government. Risk Level: High.
• Fiduciary (mismanagement of funds). Risk Level: High. Risk Factors: Internal controls, low capacity etc
• Lack of funding. Risk Level: High. Risk Factors: Resources not mobilized, delay in donor contribution, speed of delivery among different UN agencies?
• Capacity of the implementing partners. Risk Level: High. Risk Factors: Not established institutions, high turnover,
• Delay in the programme implementation. Risk Level: High. Risk Factors: Low capacity, security, lack of
Challenges
• The risks at the project/programme level are managed according to the rules, regulations, policies and procedures of each fund administrator and its recipient agencies. / Agencies have different risk appetites and RM procedures
Additional observations
• Risk management within MPTF is very complex due to involvement of different
UN agencies with different risk appetite and different risk management
approaches
• All project documents reflect the initial risk assessment and not the residual risk
• Risk ownership and qualitative/quantitative indicators to monitor the risk and
mitigation measures have not been identified
• The risk response is not consistent.
• New risks that the programs might have been exposed during the reporting
period.
• All projects provide updates on the risk status in the quarterly reports (PBF funded projects send updates every 6 months).
• Risk updates are not very consistent among different programmes: some put in more effort than others, which just copy/paste from the initial document. Several programmes, though, do clearly make reference to the risks identified in the project document and provide updates which are easy to read
• Some projects may address the risks through different mechanisms, even
though it is not reflected in the regular updates
Way forward
• Improve risk rating in compliance with both international
standards and Risk Management strategy
• Identify risk ownership, monitoring tools and measurable
indicators
• Update the risk rating on a regular basis
• Apply an integrated approach on treatment
• Ensure consistency in the risk management process among
programmes and agencies
• Whenever possible, identify the cost, time and quality implications of the risk, if it occurs.
• Risk management capacity development class / online course
Discussions & Questions