Risk Management: short practical guidance
April 2014

Introduction

Risks are related to potential problems or situations that, if they materialise, could negatively affect the achievement of the Organisation's objectives and outputs as defined in the biennial Programme and Budget. At the same time, conscious and controlled risk taking is required to seize emerging opportunities.

Risk management is a systematic way of gathering, evaluating, recording and disseminating information leading to action in response to identified risks. It is an internal management tool that today is also used by most international organisations. Risk management is foreseen in the CoE Financial Regulations and, based on positive pilot exercises, it was decided in January 2014 that systematic risk management is introduced throughout the Organisation.

Risk management is not a one-off but a continuous exercise in four main stages:
1. Identifying risks,
2. Assessing risks (their likelihood and potential impact, enabling them to be prioritised),
3. Addressing risks (mitigating the occurrence or impact of adverse events and maximising the likelihood that objectives will be achieved), and
4. Reviewing and reporting on risks (the status and effectiveness of mitigating controls or action).

How to prepare a risk register?

The key requirement is a risk register table, prepared and followed up at the MAE level. The following summarises the steps for preparing the risk register using the template in table 4 at the end of this document. The template contains some examples as illustration. While using the steps shown below, the level of involvement of individual staff should be adapted according to the size of the MAE/directorate. This is at the same time a team building exercise and increases communication among the staff. Foresee several sessions; you may need a break between them to gather new ideas and reflect on the draft elements established.
If possible, invite an external moderator to help in compiling and assessing the risks and agreeing on follow-up action. DIO is ready to participate before, during and after such sessions to provide methodological support.

Step 1: Recall the strategic objective

The point of departure is the relevant strategic objective as per the Programme and Budget document; enter it into the line "Strategic objective" of the risk register in table 4 below.
Step 2: Identify risks

The following question should be answered: what can put the achievement of strategic and other objectives at risk? Specific risks, each belonging to a defined risk area, should be described in the risk register (table 4 below). To start the process, each staff member (or manager in bigger MAEs) should list the five most important risks regarding their line of work. The focal point for the risk assessment, or the heads of units, should enter them into the draft risk register table.

It is important to prepare the risk register with different risk areas and angles in mind, but it is not necessary to address all the risk areas listed below. The MAE's overall register should generally not contain more than 20-25 specific risks in order to remain operational. However, fraud risks should always be considered. The identified risks should be largely actionable by the MAE and not depend only on organisation-wide actions and additional resources.

Table 1: Main types of risk areas in the CoE context

Risk area: examples
- Communication and reputation: lack of visibility, incorrect information, information leaks, bad performance, unethical behaviour of staff.
- Political risks: politically incorrect action/decision, non-implementation by states, lack of political support, member states leaving the organisation.
- Management: deficient forecasting/planning/management, weaknesses in conflict resolution, inefficient processes, etc.
- Safety and security: security of staff in the workplace, work accidents, protection of property, break-ins or intrusions.
- Human resources: lack of motivation, imbalanced work load distribution, loss of key staff, recruitment duration and constraints, legal disputes, falsified diplomas, baseless claims for family or other allowances, etc.
- Financial: excess costs, shortfalls in income, failure to achieve potential savings, procurement issues, financial losses, embezzlement, etc.
- Legal: contractual risk, risk of legal action, obligations towards third parties, etc.
- IT or technical: computer system deficiencies, loss of data, equipment failures, etc.

During a meeting or a retreat, compile all risks in one table for the MAE and strive for a consensus about the assessment of the risks. Identifying particularly sensitive or confidential risks is an important part of the risk management process. If so wished, such risks can be brought to the exclusive attention of the Secretary General, who will look at all key risks of the CoE Risk Register.

Step 3: Likelihood and impact analysis

The following definitions are used for likelihood (probability of occurrence) and impact determination. The categories are qualitative and are best established in a group discussion. The results of the assessment are again entered in the columns under "Risk assessment" in the risk register (table 4 below).

Table 2: Risk likelihood and impact categories

Likelihood:
- High: the risk is very likely to occur and controls are ineffective.
- Medium: the risk is likely to occur and controls have some effect.
- Low: the risk is not likely to occur and controls are effective.

Impact:
- High: severe adverse effects on organisational operations, assets, or individuals expected.
- Medium: serious adverse effects on organisational operations, assets, or individuals expected.
- Low: limited adverse effects on organisational operations, assets, or individuals expected.

Step 4: Determine the risk exposure

When the risks have been analysed by likelihood and impact they can be categorised as in the heat map below. High impact combined with high likelihood gives the highest risks, which need considerable management effort to address them (shown as red); medium impact and medium likelihood risks still require management attention (shown as orange); low impact and low likelihood risks can be accepted (shown as green). The results are entered into the column "Exposure" in the risk register table 4 below.
Table 3: Risk heat map (rows: impact; columns: likelihood; each cell gives the colour and the risk management action)

Impact \ Likelihood | Low | Medium | High
High | AMBER: management required | RED: must actively manage and monitor risks | RED: considerable management effort essential
Medium | GREEN: risks may be worth accepting with monitoring | AMBER: management required | RED: must actively manage and monitor risks
Low | GREEN: accept risks | GREEN: accept, but monitor risks | AMBER: management required

Step 5: Prepare the risk mitigation action

The next step is to develop action addressing the various risks, starting with the most urgent ones in red, and to put them into table 4 below. The most common categories of possible action are:
- Prevention: prevent the risk from materialising or prevent it from having an impact on objectives;
- Reduction: reduce the likelihood of the risk developing or limit the impact in case it materialises;
- Transference: pass the impact of the risk to a third party (for example via an insurance policy);
- Contingency plan: prepare actions to implement should the risk occur;
- Acceptance: accept the possibility that the risk may occur and go ahead without further measures to address the risk.

A key part of the preparation of the action is to define target dates for implementing the mitigating actions and to name the Risk Manager and the Risk Owner. Each risk is assigned to a single Risk Owner in order to clarify accountability. Risk Owners are generally the Commitment Officers, who are responsible for the implementation of the action items and will report on them to the Secretary General. The Risk Manager implements the mitigation action and reports to the Risk Owner.

Step 6: Complete the risk register and send it to DIO / follow-up

The last step is to complete the risk register in table 4 below and to send it to DIO by the set deadline. DIO will aggregate all risk registers received into a draft organisation-wide Risk Register for submission to the Secretary General and discussion by the Senior Management Group. The central as well as the specific risk registers need to be reviewed at least once per year in order to remain up to date and to ensure accountability for the actions identified. DPFL, DIO and the Oversight Advisory Committee (previously called Audit Committee) will also use the CoE Risk Register.

Thank you for your cooperation.

Prepared by the Directorate of Internal Oversight.
Table 4: MAE Risk Register (with example from DIO)

Strategic objective: the DIO provides independent oversight to support the Secretary General and senior managers in fulfilling their responsibilities for the effective management of resources of the Organisation through internal audit, evaluation and investigation services.
Compiled by: DIO staff
Reviewed by: A Eussner
Review date: January 2014

Columns of the register: Risk Nr; Risk area as per table 1; Specific risks in risk area; Risk assessment (Impact (1), Likelihood (1), Exposure (2)); Internal controls currently in place; Additional actions planned to mitigate risks identified; Target date for implementing the actions planned; Risk Manager and Risk Owner.

Risk Nr 1 - Risk area: Human resources

Specific risk: Losing key staff
- Risk assessment: Impact M; Likelihood H; Exposure RED
- Internal controls currently in place: staffing table of the directorate as per budget and programme
- Additional actions planned: develop staff (training, certification); offer stable employment; motivate; recognise efforts
- Target date: continuous
- Risk Manager: Head of division X; Risk Owner: Director of Department Y

Specific risk: Recruitment constraints
- Risk assessment: Impact M; Likelihood M; Exposure AMBER
- Internal controls currently in place: staff policy
- Additional actions planned: pro-active and forward-looking staff planning; clear and specific job description in vacancy notices
- Target date: continuous
- Risk Manager: Head of division X; Risk Owner: Director of Department Y

Specific risk: Insufficient consultancy funds
- Risk assessment: Impact M; Likelihood M; Exposure AMBER
- Internal controls currently in place: budget controls
- Additional actions planned: clarify criteria for the distribution of funds among divisions; agree on the distribution before work programmes are agreed
- Target date: I/2014
- Risk Manager: Head of division X; Risk Owner: Director of Department Y

(1) High, Medium or Low
(2) Red, Amber or Green