Risk Assessment Workshop

1 Risk Assessment Workshop
Rahul Bhan – Director Audit Asia

2 Agenda of today’s presentation
1. Risk Management – Process, benefits, CIFOR Policy
2. Updated Risks 2017

3 Contents
- What is Risk?
- Benefits of Risk Management
- ISO 31000: Risk Management Framework
- Risk Management Process
- Risk Appetite
- Responsibilities of CIFOR
- Risk Assessment
- Risks at CIFOR

4 What is Risk?
Risk is: The effect of uncertainty on the ability of an organisation to meet its objectives.
Risk management is: The ability to manage the negative outcome of an uncertainty and its adverse effect on organisation objectives.
RISK Management vs CRISIS Management: "The only alternative to risk management is crisis management – and crisis management is much more expensive, time consuming and embarrassing" - James Lam, Enterprise Risk Management, Wiley Finance © 2003

5 Benefits of Risk Management
As per ISO 31000:2009, when implemented and maintained in accordance with this International Standard, the management of risk enables an organization to:
1. Increase the likelihood of achieving objectives
2. Encourage proactive management
3. Be aware of the need to identify and treat risk throughout the organization
4. Improve the identification of opportunities and threats
5. Comply with relevant legal and regulatory requirements and international norms
6. Improve governance
7. Improve stakeholder confidence and trust
8. Establish a reliable basis for decision making and planning
9. Improve controls
10. Effectively allocate and use resources for risk treatment
11. Improve operational effectiveness and efficiency
12. Improve loss prevention and incident management
13. Improve organizational learning

6 ISO 31000 : Risk Management Framework

7 RMP - Risk Management Process

8 Risk Management Process at CIFOR

9 Risk Organization Chart of CIFOR

10 Risk Appetite
Risk appetite is the amount of risk an organization is prepared to be exposed to before it judges action to be necessary. A few examples are as follows:
a) The risk appetite of CGIAR Centers concerning investment of surplus funds is (through policies set by the Boards) generally very low.
b) The risk appetite for outsourcing research to partner institutions with limited capacity may be high where capacity building or partnership objectives are prominent in Center/program strategies.
c) Similarly, the risk appetite for investing in research with uncertain returns, but which has the potential to produce valuable scientific breakthroughs, can be quite high.

Rittenberg L. and Martens F. (2012) in a COSO paper on risk appetite state that ‘An organization’s risk appetite should be articulated and communicated so that personnel understand that they need to pursue objectives within acceptable limits. Without some articulation and communication, it is difficult for management to introduce operational policies that assure the board and themselves that they are pursuing objectives within reasonable risk limits. A risk appetite statement effectively sets the tone for risk management. The organization is also more likely to meet its strategic goals when its appetite for risk is linked to operational, compliance, and reporting objectives.’

11 Risk Appetite – Questions for BOT
- What are the significant risks the BOT is willing to take?
- What are the significant risks the board is not willing to take?
- What are the strategic objectives of the organisation? Are they clear? What is explicit and what is implicit in those objectives?
- Is the BOT clear about the nature and extent of the significant risks it is willing to take in achieving its strategic objectives?
- Does the BOT need to establish clearer governance over the risk appetite and tolerance of the organisation?
- What steps has the BOT taken to ensure oversight over the management of the risks?

12 Risk Appetite - Four level scale
Proposed four level scale for risk appetite which can be used to define appetite for different families of risk e.g. governance, funding and donor relations, research, operations, human resources etc.

Level: Definition
- High: We accept and encourage opportunities presenting risks of failure if the likelihood of risks materializing combined with their potential impact make benefits greater than potential losses
- Significant: We accept opportunities presenting a risk of limited under-achievement if the likelihood of risks materializing combined with their potential impact make benefits greater than potential losses
- Moderate: While accepting the possibility of under-achievement in some circumstances, we seek safe operations and program/project delivery options despite lower potential rewards.
- Low: We are not willing to accept risks under any circumstances that would significantly impact achievement of our objectives

13 Risk Appetite Statement (to be finalized)
Business areas Risk appetite Science High Research Low Partnerships Moderate Partners Support Operations Modest Financial Management Investments Infrastructures Compliance Branding Communication People Occupational Health & Safety

14 Responsibilities of CIFOR BoT
- Providing guidance in developing the Center’s strategic directions including the appetite and capacity for risk, and approving CIFOR's strategy and business plans taking into account related risks that potentially affect the achievement of the Centre’s objectives.
- Promoting and supporting centre-wide risk management approaches e.g. through the annual statement on risk.
- Making sure that major risks to CIFOR objectives are adequately managed; risk-taking is aligned with the Board approved risk appetite of the institution and that opportunities are being taken advantage of.

15 Responsibilities of CIFOR Risk Owners
- Monitoring the levels of risk exposure for the assigned risks and informing other risk owners of potential impact on their areas of responsibility.
- Designing, planning and coordinating activities to manage the assigned risks.
- Ensuring that activities planned to manage assigned risks are implemented within agreed timeframes.
- Reporting on any delays in the implementation of mitigating actions and any resultant risk exposure outside of the CIFOR risk appetite.

16 Responsibilities of CIFOR Managers and staff
- Establishing objectives for the functions/hubs they are responsible for.
- Making sure that risks to functional and hub objectives and to the objectives of all new activities/projects are assessed before being embarked on.
- Identifying risk mitigating activities where risk levels exceed risk appetite.
- Escalating all critical/high risks to the senior management.
- All staff are responsible for reporting and escalating risk exposures and incidents e.g. on health and safety, security, fraud, code of conduct.
- All staff are also responsible for following and implementing CIFOR policies and procedures, and reporting any breaches.

17 CIFOR Center Risk Register

18 Risk Assessment Criteria - Impact
Impact levels per description: Low, Medium, Significant, High

Funding
- Low: Possible reduction in funding to the Centre’s budget of > 0.5%
- Medium: Possible reduction in funding to the Centre’s annual budget of > 1% OR some scale back of research activities is required
- Significant: Possible reduction in funding to the Centre’s budget of > 5% OR reduction in funding requires major scale back of research and support services in a country hub and/or at the Centre level.
- High: Possible reduction in funding to the Centre’s budget of > 10% OR reduction in funding makes a country hub no longer economically viable.

Donor Requirements
- Low: -
- Medium: Isolated failure in meeting a significant donor’s requirement resulting in additional donor imposed restrictions on a short-term or limited basis including loss of funding.
- Significant: Serious or repeated failure to meet a critical donor’s requirements resulting in additional donor imposed restrictions on a long-term basis.
- High: Serious or repeated failure to meet a critical donor’s requirements resulting in immediate cessation of funding.

Regulatory
- Low: Possible minor or very short term litigation
- Medium: Potential for limited litigation
- Significant: Potential for prolonged or serious litigation. Any serious reportable incident resulting in investigation by an official body or a key donor.
- High: Severe adverse judgement or criminal prosecution against CIFOR. Possible imprisonment of a CIFOR director in BOGOR OR the possible imprisonment of any CIFOR representative outside BOGOR.

Strategic Targets
- Low: Reduced ability to deliver on one or more CIFOR publicly stated strategic target (target will still be achieved).
- Medium: Significantly reduced ability to deliver on one or more CIFOR publicly stated strategic targets
- Significant: Failure to deliver on one or more CIFOR publicly stated strategic targets
- High: Non delivery of multiple critical strategic targets

19 Risk Assessment Criteria - Impact
Impact levels per description: Low, Medium, Significant, High

Research Activities: - | Reduced research activities cause missed annual targets of < 10% | Reduced research activities cause missed annual targets > 10%

Business Disruption
- Low: Short term business interruption.
- Medium: Medium term business interruption.
- Significant: Medium- to long-term business interruption.
- High: Long-term or permanent closure of CIFOR HQ office

Safeguarding of assets and information: Possible loss of assets (e.g. loss of assets due to fraud, theft, natural disaster, civil war, government action) < $10,000 | Possible loss of assets or reserves (e.g. due to fraud, theft, natural disaster, civil war, government action) of > $10,000 OR other financial loss due to mismanagement or disallowance < $100,000 | Loss of assets or reserves (e.g. due to fraud, theft, natural disaster, civil war, government action) > $50,000 OR project overspend due to mismanagement or disallowance total > $100,000

Reputational
- Low: Possible minor damage to CIFOR brand or reputation.
- Medium: Significant damage to CIFOR brand or reputation.
- Significant: Serious or lasting damage to CIFOR brand or reputation.
- High: Irreparable damage to CIFOR reputation in a key country of operation.

Safety & Security: Safety or security incident involving staff (or their dependents) or CIFOR representatives results in injuries | Safety or security incident involving staff (or their dependents) or CIFOR representatives results in: one fatality OR multiple serious injuries OR serious threat of harm | Safety or security incident involving staff (or their dependents) or CIFOR representatives results in multiple fatalities

20 Risk Assessment Likelihood
Columns: Descriptor | Score | Example
- Low | 1 | Unlikely to occur in normal circumstances in the next two years OR has not occurred in the last two years OR may occur in the longer term
- Medium | 2 | Could occur several times or in some circumstances in the next two years OR has occurred in the last two years
- Probable | 3 | Will occur frequently or in many circumstances in the next two years OR has occurred in the last one year
- Highly Probable | 4 | Will occur in most circumstances in the next two years OR has occurred more than once in last one year

Risk Rating - Matrix

21 High Risks at CIFOR
Columns: Risk type | Risk title | Inherent Risk Level | Mitigation Plan
- [Infrastructure/capability] Potential inadequate local access to materials, labor, resources (New) | Level: 16 | Mitigation: -
- [Financial] Unreliability of W1/W2 funding; changing funding model with shorter funding periods | Level: 12 | Mitigation: Decreasing as much as possible the exposure to W1-2 funding; reducing OH and indirect costs while increasing recovery.
- Changes in GOI Legislation affecting CIFOR workforce (BPJS) (New) | Mitigation: Ask the GOI for CIFOR to be exempted from the application of this legislation, in light of CIFOR's similarity in some aspects of the status the World Bank and the UN
- Landslide, fallen trees (New) | Mitigation: Improve the condition of the ground, assess & cut trees
- Delay in earlier project phases jeopardizes ability to meet programmed delivery commitment (New)
- Labour shortage/inexperienced labor assigned in the projects (New)
- [Reputational] Insufficient Board mandate for required change processes (New) | Mitigation: Board and Signatory countries made aware by management of the constitutional requirements for change.
- Ineffective Board recruitment and succession process (New) | Mitigation: Board succession process has been addressed in recent Board meetings, with more involvement of CIFOR HR team in the process.
- [Research/science] Continued CGIAR reform and uncertainties it creates | Level: 9 | Mitigation: Improvement, streamlining business processes; internal reorganization; creation of pooled resources
- Consultant or contractor delays (New)
- Materials are delivered late and delay project construction. (New)
- Unplanned work that must be accommodated (New)
- Impaired Board effectiveness (New) | Mitigation: Review of Board operations; Board's own self-assessment; Establishment of working groups; Closer interaction with Management
- Inability to attract talent | Mitigation: Efficiency and effectiveness to be monitored. Regular staff engagement surveys and close monitoring of completion of agreed actions
- Insufficient cost recovery | Mitigation: Review of proposal budgets and costs. Need to focus on NCEs

22 Medium Risks at CIFOR
Columns: Risk type | Risk title | Inherent Risk Level | Mitigation Plan
- [Research/science] Impairment to Science Quality: this includes commitment to quality and potential quality | Level: 8 | Mitigation: Focus on partnerships and delivery. More stringent selection of partners and consultants.
- [Reputational] Brand risk: Associations with individuals, organisations, aims and activities | Mitigation: As in past issues with one or more Centers or even deficits across multiple centers may cause concerns amongst donors.
- Inability to perform research in locations with conflicts and restrictions etc. | Level: 7 | Mitigation: More bilateral project driven, possible more focus on single projects may cause issues.
- [Infrastructure/capability] Lack of leadership capacity (x-Poor management of change) | Mitigation: More difficult entry for interns and limitation on period of stay in Indonesia; 360-Degree Review of the Team Leaders
- Non-compliance with host country agreements | Mitigation: HQ campus and other infrastructure pressures may increase
- Partners not effective including CRP partnerships - poor partner delivery | Mitigation: Slight increase as most funds are bilateral and partnerships are key to delivering impact.
- Inability to adequately respond to security threats | Mitigation: Efforts to fund raise from GoI must bear fruit and crucial to show support to Center and HQ operations
- Impaired Board Effectiveness | Level: 6 | Mitigation: Board failing to make timely decisions
- [Financial] Cash flow and reserves affected by insufficient funding and reimbursements | Mitigation: Deficits and reimbursement basis of payments increase this risk when 90% funding is bilateral.
- Financial Reporting: Financial losses due to Forex Exchange | Mitigation: Natural hedging is used to extent possible
- Lack of cohesion and institutional mission alignment; ineffective implementation of strategy | Mitigation: Review how the Teams are performing in linking to the SDGs and how they are fund raising?
- Unresolved project conflicts not escalated in a timely manner (New) | Mitigation: Comprehensive & clear understanding of Project scope, schedule, objectives, cost, and deliverables
- Unexpected 3rd party requirements during project construction (New) | Mitigation: -
- Permits delayed or take longer than expected (New)
- Delay project start (New)

23 Medium Risks at CIFOR
Columns: Risk type | Risk title | Inherent Risk Level | Mitigation Plan
- [Infrastructure/capability] Unstable prices from suppliers (New) | Level: 6 | Mitigation: -
- Telecommunication failure (New) | Mitigation: Apply routine maintenance
- Dispute on terms of agreement or technical provisions during project construction (New)
- [Financial] Ineffective procurement of goods and services | Mitigation: Increased focus on development projects and procurement therein
- Non-compliance with donor conditions also on the part of implementing partners | Mitigation: Increase in bilateral means need for more focus on these issues.
- Inefficient business processes and systems; loss of their integrity | Mitigation: Unchanged but periodic review of structure suggested
- Poor internal control measures in the Hubs and project offices and partners doing work on behalf of CIFOR | Level: 5 | Mitigation: Partner due diligence by PMC and RDP need to happen
- Inadequate management of Business Continuity | Mitigation: Emergency Action Plan, Management of Incidents, Upgrade in ICT infrastructure and backup strategy; additional web back up
- Poor expense management at: HQ & Projects | Mitigation: Authorization table, Financial Services Unit Policies and Guidelines
- Inadequate visa arrangements for international staff | Mitigation: Information to project staff regarding interns - so that appropriate decisions can be made
- Loss or damage to Centre property | Level: 4 | Mitigation: Fixed assets policy; annual assets counts; insurance for assets
- Non-payment from donors (New) | Mitigation: Donor assessment. Negotiate for getting advance payment rather than cost-reimbursement method. Avoid as much as possible to respond to calls from donors where we had bad experience.
- Overdependence on few donors (New) | Mitigation: Risk diversification in relation to ensuring appropriate mix of donors, and project sizes
- [Research/science] Insufficient Research Impact

24 Low Risks at CIFOR
Columns: Risk type | Risk title | Inherent Risk Level | Mitigation Plan
- [Research/science] Inadequate Research Data Management | Level: 3 | Mitigation: Some minor increase in risks due to ageing storage (IT); need to find solutions to move to cloud
- [Infrastructure/capability] Power failure, no generator or backup water supply. (New) | Mitigation: Apply routine maintenance
- IP Disputes + Conflict of interest. | Level: 2 | Mitigation: Environment Safety to be integrated into CIFOR research
- [Financial] Losses due to inadequate Banking and Investments arrangements | Level: 1 | Mitigation: Investment policy

25 Risk Assessment 2017 - Newly added Risks
Columns: Risk type | Risk | Inherent Risk level 2017 | Mitigation plan
- [Financial] Non-payment from donors | Level: 4 | Mitigation: Donor assessment. Negotiate for getting advance payment rather than cost-reimbursement method. Avoid as much as possible to respond to calls from donors where we had bad experience.
- Overdependence on few donors | Mitigation: Risk diversification in relation to ensuring appropriate mix of donors, and project sizes
- [Infrastructure/capability] Changes in GOI Legislation affecting CIFOR workforce (BPJS) | Level: 12 | Mitigation: Ask the GOI for CIFOR to be exempted from the application of this legislation, in light of CIFOR's similarity in some aspects of the status the World Bank and the UN
- Landslide, fallen trees | Mitigation: Improve the condition of the ground, assess & cut trees
- Unresolved project conflicts not escalated in a timely manner | Level: 6 | Mitigation: Comprehensive & clear understanding of Project scope, schedule, objectives, cost, and deliverables
- Unexpected 3rd party requirements during project construction | Mitigation: -
- Permits delayed or take longer than expected
- Consultant or contractor delays | Level: 9
- Delay in earlier project phases jeopardizes ability to meet programmed delivery commitment

26 Risk Assessment 2017 - Newly added Risks
Columns: Risk type | Risk | Inherent Risk level 2017 | Mitigation plan
- [Infrastructure/capability] Power failure, no generator or backup water supply. | Level: 3 | Mitigation: Apply routine maintenance
- Delay project start | Level: 6 | Mitigation: -
- Materials are delivered late and delay project construction. | Level: 9
- Unstable prices from suppliers
- Telecommunication failure
- Labour shortage/inexperienced labor assigned in the projects | Level: 12
- Potential inadequate local access to materials, labor, resources | Level: 16
- Unplanned work that must be accommodated
- Dispute on terms of agreement or technical provisions during project construction

27 Risk Assessment 2017 - Newly added Risks
Columns: Risk type | Risk | Inherent Risk level 2017 | Mitigation plan
- [Reputational] Insufficient Board mandate for required change processes | Mitigation: Board and Signatory countries made aware by management of the constitutional requirements for change.
- Ineffective Board recruitment and succession process | Mitigation: Board succession process has been addressed in recent Board meetings, with more involvement of CIFOR HR team in the process.
- Impaired Board effectiveness | Mitigation: Review of Board operations; Board's own self-assessment; Establishment of working groups; Closer interaction with Management

28 Risk Assessment 2017 - Deleted Risk
Columns: Risk type | Risk | Reason to delete
- [Infrastructure/capability] Loss of institutional Memory; poor knowledge management | Reason to delete: Because now they have automated the staff onboarding system and exit procedures

29 Risk Assessment 2017
Columns: Risk type | Risk | Risk level compared 2016, 2017 | Mitigation plan
- [Research/science] Continued CGIAR reform and uncertainties it creates | Mitigation: Improvement, streamlining business processes; internal reorganization; creation of pooled resources
- Impairment to Science Quality: this includes commitment to quality and potential quality impairment due to loss of staff as part of recent/anticipated changes | Mitigation: Focus on partnerships and delivery. More stringent selection of partners and consultants.
- Insufficient Research Impact | Mitigation: Focus on RTI/PMC to ensure CIFOR and partners deliver
- Inadequate Research Data Management | Mitigation: Some minor increase in risks due to ageing storage (IT); need to find solutions to move to cloud
- Partners not effective including CRP partnerships - poor partner delivery | Mitigation: Slight increase as most funds are bilateral and partnerships are key to delivering impact.
- IP Disputes + Conflict of interest. | Mitigation: Environment Safety to be integrated into CIFOR research
- Inability to perform research in locations with conflicts and restrictions etc. | Mitigation: More bilateral project driven, possible more focus on single projects may cause issues.

30 Risk Assessment 2017
Columns: Risk type | Risk | Risk level compared 2016, 2017 | Mitigation plan
- [Research/science] Lack of cohesion and institutional mission alignment; ineffective implementation of strategy | Level: 6 | Mitigation: Review how the Teams are performing in linking to the SDGs and how they are fund raising?
- [Reputational] Brand risk: Associations with individuals, organisations, aims and activities that may undermine the integrity of the organization’s research | Mitigation: Most of CG going through a funding crisis. As in past issues with one or more Centers or even deficits across multiple centers may cause concerns amongst donors.
- Impaired Board Effectiveness | Mitigation: Board failing to make timely decisions may impair the Center
- [Infrastructure/capability] Inadequate visa arrangements for international staff | Mitigation: Information to project staff regarding interns - so that appropriate decisions can be made
- Lack of leadership capacity (x-Poor management of change) | Mitigation: More difficult entry for interns and limitation on period of stay in Indonesia; 360-Degree Review of the Team Leaders
- Inability to adequately respond to security threats | Mitigation: Efforts to fund raise from GoI must bear fruit and crucial to show support to Center and HQ operations
- Poor internal control measures in the Hubs and project offices and partners doing work on behalf of CIFOR | Mitigation: Partner due diligence by PMC and RDP need to happen

31 Risk Assessment 2017
Columns: Risk type | Risk | Risk level compared 2016, 2017 | Mitigation plan
- [Infrastructure/capability] Non-compliance with host country agreements | Mitigation: HQ campus and other infrastructure pressures may increase
- Loss or damage to Centre property | Mitigation: Fixed assets policy; annual assets counts; insurance for assets
- Inadequate management of Business Continuity | Mitigation: Emergency Action Plan, Management of Incidents, Upgrade in ICT infrastructure and backup strategy; additional web back up
- Inability to attract talent | Level: 9 | Mitigation: Efficiency and effectiveness to be monitored. Regular staff engagement surveys and close monitoring of completion of agreed actions addressing survey results
- [Financial] Unreliability of W1/W2 funding; changing funding model with shorter funding periods | Mitigation: Decreasing as much as possible the exposure to W1-2 funding; reducing OH and indirect costs while increasing recovery; increasing bilateral funding.
- Financial Reporting: Financial losses due to Forex Exchange | Mitigation: Natural hedging is used to extent possible
- Non-compliance with donor conditions also on the part of implementing partners | Mitigation: Increase in bilateral means need for more focus on these issues.

32 Risk Assessment 2017
Columns: Risk type | Risk | Risk level compared 2016, 2017 | Mitigation plan
- [Financial] Losses due to inadequate Banking and Investments arrangements | Mitigation: Investment policy
- Cash flow and reserves affected by insufficient funding and reimbursements | Mitigation: Deficits and reimbursement basis of payments increase this risk when 90% funding is bilateral.
- Insufficient cost recovery | Mitigation: Review of proposal budgets and costs. Need to focus on NCEs
- Poor expense management at: HQ, Projects | Mitigation: Authorization table, Financial Services Unit Policies and Guidelines
- Ineffective procurement of goods and services | Mitigation: Increased focus on development projects and procurement therein
- Inefficient business processes and systems; loss of their integrity | Mitigation: Unchanged but periodic review of structure suggested

33 Thank you!
