Corporate risk register



Similar documents
IFAD Policy on Enterprise Risk Management

WFP ENTERPRISE RISK MANAGEMENT POLICY

Risk Management approach for Cultural Heritage Projects Based on Project Management Body of Knowledge

Security Risk Assessment Tool

In accordance with risk management best practices, below describes the standard process for enterprise risk management (ERM), including:

Policy : Enterprise Risk Management Policy

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework

Operational Risk Management Policy

Confident in our Future, Risk Management Policy Statement and Strategy

Phase II of Compliance to the Policy on Internal Control: Audit of Entity-Level Controls

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards

DRAFT RESEARCH SUPPORT BUILDING AND INFRASTRUCTURE MODERNIZATION RISK MANAGEMENT PLAN. April 2009 SLAC I

Enterprise Risk Management Framework Strengthening our commitment to risk management

Developing an Effective Enterprise Risk Management Program

OAC Presentation to UNESCO Member States

PROJECT RISK MANAGEMENT

Guidance Note: Stress Testing Class 2 Credit Unions. November, Ce document est également disponible en français

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

Risk Identification in Project Management

MARSH REPORT October International Business Resilience Survey 2015

Periodic risk assessment by internal audit

ERM Program. Enterprise Risk Management Guideline

Risk Management Strategy EEA & Norway Grants Adopted by the Financial Mechanism Committee on 27 February 2013.

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Project Risk Management

Victorian Government Risk Management Framework. March 2015

RISK APPETITE IN THE WORLD FOOD PROGRAMME

Risk/Issue Management Plan

Risk Management Programme Guidelines

Compliance Management Framework. Managing Compliance at the University

Appendix V Risk Management Plan Template

Enterprise Risk Management

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

Governance and Risk Management in the Public Sector. Fernando A. Fernandez Inter-American Development Bank (202)

Framework of engagement with non-state actors

Table of Contents PERFORMANCE REVIEWS STRATEGIC REVIEWS

Evaluation of the PEFA Programme & Development of Recommendations Beyond 2011 (dated July 2011)

Fraud Risk Management

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC

RISK MANAGEMENT POLICY

Principal risks and uncertainties

The Role of Internal Audit in Risk Governance

Information technology Security techniques Information security management systems Overview and vocabulary

PROJECT MANAGEMENT PLAN Outline VERSION 0.0 STATUS: OUTLINE DATE:

WORLD HEALTH ORGANIZATION. Draft budget for the first financial period

Bricker Professional Education Course Library

3.6 - REPORT BY THE CHAIRMAN OF THE BOARD OF DIRECTORS ON CORPORATE GOVERNANCE, RISK MANAGEMENT AND INTERNAL CONTROLS

Interagency Statement on Pandemic Planning

On the Setting of the Standards and Practice Standards for. Management Assessment and Audit concerning Internal

A Risk Management Standard

IT Governance. What is it and how to audit it. 21 April 2009

Business Continuity and Disaster Planning

Risk Management. Did you know? What is Risk Management?

Risks and uncertainties

RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL 2013/14. For North Simcoe Muskoka LHIN Health Service Providers

Plan for the audit of the 2011 financial statements

OCC 98-3 OCC BULLETIN

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology

Disaster Recovery Planning as a Means to Resilient Development. PDNA Course

FINANCIAL INFORMATION CONSOLIDATED FINANCIAL STATEMENTS. Risk management

IT Project Management Methodology. Project Risk Management Guide. Version 0.3

Resolution adopted by the General Assembly. [on the report of the Fifth Committee (A/63/648/Add.3)]

J u n e N a t i o n a l R e s e a r c h C o u n c i l C a n a d a. I n t e r n a l A u d i t, N R C. Audit of Risk Management.

Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 Administered by: Governance Coordinator

Sound Practices for the Management of Operational Risk

The Essentials of Enterprise Risk Management. Steven C. Tourek, Senior Vice President, General Counsel & Secretary, The Marvin Companies

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

P3M3 Portfolio Management Self-Assessment

Project Management Frequently Asked Questions:

NGO security coordination and other sources of support WITHIN FIRST 1-2 WEEKS. Office/compound/ facility security

CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE

Revised Human Resources Strategy

Approaches for Survey Feedback and Action Planning


Risk Management Policy

Enterprise Risk Management VCU Process

FINDING THE RISK IN RISK ASSESSMENTS NYSICA JULY 26, Presented by: Ken Shulman Internal Audit Director, New York State Insurance Fund

Nuclear Security Plan

1.20 Appendix A Generic Risk Management Process and Tasks

Initial Professional Development - Professional Values, Ethics, and Attitudes (Revised)

Business Continuity Position Description

Risk Assessment & Enterprise Risk Management

Risk Management Framework

Desktop Scenario Self Assessment Exercise Page 1

Risk Profiling Toolkit DEVELOPING A CORPORATE RISK PROFILE FOR YOUR ORGANIZATION

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

Information Security Guideline for NSW Government Part 1 Information Security Risk Management

The PNC Financial Services Group, Inc. Business Continuity Program

APICS INSIGHTS AND INNOVATIONS SUPPLY CHAIN RISK CHALLENGES AND PRACTICES

GENERAL TERMS OF SERVICE OF THE BUDAPEST STOCK EXCHANGE LTD. BOOK EIGHT REGULATIONS ON OPERATIONAL RISK MANAGEMENT

Best Practices module

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

University of Windsor Board of Governors. That the Board of Governors approve of the Enterprise Risk Management Framework.

Nonprofit risk management

Aegon Global Compliance

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

Operational Risk Publication Date: May Operational Risk... 3

EBA final draft Regulatory Technical Standards

Transcription:

EXECUTIVE BOARD EB133/10 133rd Session 17 May 2013 Provisional agenda item 7.3 Corporate risk register Organization-wide strategic risk management in WHO Report by the Secretariat 1. This report is submitted in response to the request by the Executive Board for regular updates on risk management. SCOPE AND PURPOSE The need for an Organization-wide framework and top-level risk register 2. management is a means of identifying, assessing, prioritizing and controlling risks across an organization, with a coordinated and cost-effective application of resources to minimize, monitor, and control the probability and/or impact of adverse events or to maximize the realization of opportunities. management is not new in WHO, but attempts to formalize it across the Organization have only been undertaken relatively recently. Some progress has been made since 2009, when different offices and units started developing risk management frameworks. 1 However, there is a need to make further progress towards a common, Organization-wide framework and the harmonization of risk management practices, and to consolidate the existing cluster or regional office risk registers into an Organization-wide, top-level risk register. A preliminary draft of such a framework and register is contained in the annex to the present report. A risk management culture 3. management is a cultural and behavioural issue and requires substantial effort and investment in advocacy, communication and on-the-job training. It requires changes in managers attitudes and practices; effective changes in organizational culture stem from the attitudes and practices of senior staff. Facilitating this process will be an important part of the work of the new Compliance, Management and Ethics unit. 2 1 For example, in 2009, the General Management cluster initiated the development of a risk management framework that focused mainly on general management, and the Pan American Health Organization has also developed a well-established risk management system. 2 This unit is currently being created in the Office of the Director-General, and a director and compliance and risk management officer hired. This unit will lead the process of drawing up a detailed inventory of all existing risk management practices in WHO. The permanent framework will draw lessons from existing risk management frameworks within WHO and will also need to include the tools to be used in regular, systematic, Organization-wide, bottom-up registration and prioritization of risks, the steps to be taken towards the institutionalization of risk management (linked to other existing management tools), as well as determining further requirements such as the training of staff.

ELEMENTS OF AN ORGANIZATION-WIDE RISK MANAGEMENT FRAMEWORK 4. The main elements of the proposed risk management framework are: A. Identification and categorization of risks B. assessment and prioritization C. Mitigation D. Implementation of risk mitigation E. Monitoring and review of the risks. A. Identification and categorization of risks Definition of risk 5. In WHO a risk is understood to be an expression of the likelihood and impact of an event that would affect the Organization s ability to achieve its objectives. If it occurs, the event may have a positive (opportunity) or negative (threat) impact on the achievement of the Organization s political, strategic and operational objectives. Recent examples 6. The importance of structured management of Organizational risks may be illustrated by examples from the recent past. Although WHO managed the H1N1 pandemic well, as the Review Committee on the Functioning of the International Health Regulations (2005) concluded, the Organization underestimated the risks posed to its reputation by the allegations of collusion with industry, and did not react quickly enough when they were first raised on social media sites. This perceived damage to the reputation of WHO was a threat not only to the units involved, but to WHO as a whole. WHO was severely affected by the sudden exchange rate changes that occurred during the financial crisis in 2011, and which had financial, staffing and programmatic impacts. The sudden death in 2006 of then Director-General, Dr LEE Jong-wook, caught the Organization unprepared and led to a short crisis during the Fifty-ninth World Health Assembly before an acting Director-General could be designated. 7. The purpose of Organization-wide risk management is to enable WHO to be better prepared for the potential realization of risks, following an analysis of the impact and management of those risks. For example, awareness of the potential risk to WHO s reputation caused by allegations of collusion with industry might have helped to guide communications beforehand. An analysis of the risks posed to WHO offices by natural disasters such as floods or earthquakes, as well as political events, would permit measures to be taken to manage the most likely of those risks. 2

Participation in risk identification across the different levels of the Organization 8. An escalation process is required by which each level of the Organization identifies, evaluates and then prioritizes the risks it faces, and then reports the major risks to the next level up in the Organization. Thus individual risks will need to be identified for each office and unit in WHO and the major risks reported to the next level up, e.g. department level, where they are reviewed and complemented with the identification and analysis of specific risks at that level. Departments and country offices will prioritize the risks they face and report the main risks to the cluster or regional office, respectively. The same process will then take place critical review of the reported risks, prioritization, and complementing with risks specific to the cluster or regional office and the major risks reported at Organization-wide level. This escalation process must involve top-level, in-depth analysis of risks that might not be identified at the level below, but which often represent the most critical risks for the Organization as a whole. categorization 9. Currently, different parts of WHO use different categories of risk. An Organization-wide risk management framework will require a common understanding of the categories of risk. The following categorization is proposed, which should cover the needs of country offices, regional offices, technical clusters, management and administration, and enable an Organization-wide view to be taken of major risks: technical/ financial systems and structures political/governance reputational. 10. These categories are not mutually exclusive. For example, any major damage to reputation is also likely to become a financial risk because of the loss of donor confidence; a technical error involving an incorrect appreciation of a global health risk might also lead to reputational damage. B. assessment and prioritization 11. This element consists of a detailed classification, analysis of the likely impact and likelihood of occurrence of a risk. In order to enable comparison and consolidation of the different risk registers in WHO, a common structure will be needed. 12. Based on the structures currently used, the following structure for the risk register is proposed: identification assessment Unit category name Description owner Impact score Probability score Mitigation Escalation 3

13. It is proposed that impact and probability be scored as follows: Score Impact Probability 5 Critical Expected >90% 4 Severe Highly likely <90% 3 Moderate Likely <60% 2 Minor Not likely <30% 1 Negligible Slight <10% 14. The first Organization-wide inventory of risks will provide guidance on the criteria to be used for prioritization, such as the combined weight of the impact and probability scores. An Organization-wide risk register 15. An Organization-wide risk register would consist of the escalation steps of the risk registers at the different levels. The annex of the present document identifies a preliminary top-level risk register, which would have to be reviewed on the basis of guidance provided by the Independent Expert Oversight Advisory Committee and the Executive Board and after the first bottom-up risk evaluation process. The process will be described in detail by the new Compliance, Management and Ethics unit, based on the following broad assumptions: Organization-wide risks will be approved by the Global Policy Group and reported to the governing bodies; the register will be built from the bottom up, but will require at each level an analysis of the specific risks of that level (top-down approach); the Organization-wide risk register will be continuously monitored and managed, and reviewed annually; the process will build on existing elements, such as the terms of reference of the risk owners, and guidance will be provided for the distinction of a relevant risk triggered by an event to be registered from common uncertainties inherent to daily management that do not need to be registered; risk management will be integrated into existing management processes such as planning, budgeting and performance management and evaluation; the risk register as well as the management of events will be built and managed through an escalation from unit/country office/team level, to budget centre/department level, to regional office/cluster level, to Organization-wide level, as illustrated by the following diagram: 4

Organization wide top level priority risks Reported to organization wide level Regional Office/Cluster priority risks Reported to Regional Office/Cluster Department priority risks Reported to department Units priority risk Unit risks C. Mitigation 16. The mitigation options described below should be considered for each risk. Tolerate: accept the risk by keeping activities unchanged. This option may be applied when exposure is tolerable, control is impossible or the cost of control exceeds potential benefit. It may be supplemented by contingency planning for handling the potential impact. The question of whether a particular risk can be tolerated is a key management decision. Treat: adjust (add or revise) relevant activities. Transfer: share the risk by involving stakeholders. Transferring risk works especially well for financial risks or risks to assets, and includes taking conventional insurance or paying a third party to take the risk. This option is not possible for reputational risks. The relationship with the third party needs to be carefully managed. Terminate: avoid or cancel the activities that give rise to the risk, especially when the cost/benefit relationship is in jeopardy. D. Implementation of risk mitigation 17. Mitigation strategies would be translated into mitigation activities with timelines. For those areas and items for which the risk owner recommends the option treat, i.e. mitigate the risk, actions would be taken to reduce the probability of the risk occurring or to reduce the impact of the risk. Mitigation measures would also be linked to the best use of resources. When developing the system further, decisions would have to be taken on where these resources should come from. Management of corporate risks would need to be funded by the Organization. 5

E. Monitoring and reviewing the risk 18. After the establishment of an initial detailed risk register, each risk will have to be regularly monitored, which will include noting the following: any change in the assessment of the risk; any suggested changes to the risk mitigation strategy; progress made with regard to the detailed plan of action so far. ACTION BY THE EXECUTIVE BOARD 19. The Executive Board is invited to provide further guidance. 6

ANNEX PRELIMINARY REGISTER OF TOP LEVEL ORGANIZATION-WIDE RISKS This initial Organization-wide list of risks contains only the top-level risks. Future versions of this register will be the top level of a much broader Organization-wide pyramid of risks. Financial Incorrect assessment of a global health risk Overreaction or lack of sufficient reaction in an emergency Business continuity in a severe pandemic Distrust in WHO s capacity to address a major global health challenge Dissemination of guidelines or other technical information that are not evidence-based or that lack scientific and/or technical accuracy Withdrawing or defaulting of major donors Foreign exchange currency risk and staff financing risks s associated with long-term liabilities Failure to implement new financing model Staff, systems and structures Loss of essential infrastructure (e.g. Global Service Centre, Strategic Health Operations Centre, information technology, building collapse, terror attack) Loss of staff productivity Hacking or altering of WHO data Political/governance Major governing body deadlock or divisive vote Failure to implement WHO governance reform Political or economic turmoil at major office location Lack of Organization-wide coherence Reputational Undue external influence on WHO priorities and activities Fraud or corruption in the Organization Failure to deliver expected results 7

8 This preliminary risk register will form the basis for more detailed description and mitigation planning by the risk owners and will be revised in the process of establishing the first systematic Organization-wide risk inventory, a task to be coordinated by the new Compliance and Management unit. Unit category Financial identification owner assessment name Description ( risk manager ) Impact Probability score score Incorrect assessment of a global health risk Overreaction or insufficient reaction in an emergency Business continuity in a severe pandemic Distrust in WHO s capacity to address a major global health challenge Promotion of inaccurate technical information to Member States and the public Dissemination of guidelines or other technical information which are not evidence based or lack scientific and technical accuracy Withdrawing or defaulting of major donors Mitigation (preliminary illustrative points) 4 2 Tolerate, continuous scrutiny of technical quality and observation of scientific literature and social media of the Polio, Emergencies and Country Collaboration Cluster, and Health Security and the Environment Cluster Assistant Director-General of the Health Security and the Environment Cluster Assistant Director-General of the General Management cluster 4 1 Mitigate by full implementation of the International Health Regulations (2005) and improved conflict of interest management Escalation 5 1 Mitigate by business continuity planning 4 1 Mitigate by WHO reform 4 2 For data mitigate by HIS central clearance of health information 4 2 Mitigate by guideline review committee and WHO reform 4 3 Mitigate in the short term by monthly reporting and in the medium term by new financing model EB133/10 Annex

9 Unit category identification owner assessment name Description ( risk manager ) Impact Probability score score Financial Global financial crisis Office of the Director- General, and Assistant Director-General of the General Management cluster Mitigation (preliminary illustrative points) 4 2 Mitigate by new financing model and zero growth in budget Financial Foreign exchange currency risk Comptroller 3 2 Mitigate by hedging and by proposal to split currency of assessment Financial Staff financing risks Comptroller 3 3 Mitigated through improved HR planning and new financing model Financial Financial Systems and structures Systems and structures Systems and structures Political/ governance Political/ governance Political/ governance s associated with long-term liabilities Failure to implement new financing model Loss of essential infrastructure Comptroller 3 3 Mitigate by annual actuarial assessment for all future staff liabilities Office of the Director- General, and Assistant Director-General of the General Management cluster Assistant Director-General of the General Management cluster Loss of staff productivity Assistant Director-General of the General Management cluster Hacking/altering of WHO data Assistant Director-General of the General Management cluster Major governing body deadlock or divisive vote Failure to implement WHO governance reform Political/economic turmoil at major office location Office of the Director- General/Member States Office of the Director- General/Member States 4 Single occurrence Mitigate through reform Escalation 4 2 Mitigate through business continuity plans 4 2 Mitigate by changes in staffing model and dialogue with staff association 4 2 Mitigate by IT security plans 4 1 Mitigate by improved preparation of Secretariat and Member States for governing bodies meetings 4 2 Mitigate by reform implementation plan 3 3 Mitigation plans to be updated Annex EB133/10

10 = = = Unit category Political/ governance Reputational Reputational identification owner assessment name Description ( risk manager ) Impact Probability score score Lack of Organization-wide coherence Undue external influence on WHO priorities and activities Fraud or corruption in the Organization Reputational Failure to deliver on its results Mitigation (preliminary illustrative points) 4 2 Mitigate through reform, in particular harmonization of governing bodies and clarification of the role of the three levels of the Organization 4 2 Treat by improved management of conflicts of interest and tolerating residual risk Comptroller 4 2 Mitigate by strengthening internal control framework and tolerating residual risk Escalation 5 1 Mitigate by WHO reform EB133/10 Annex

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information