Risk Management Handbook

This document provides an overview of risk management concepts and processes. It introduces the importance of risk management and developing a risk-aware culture. The document then describes the classification, identification, assessment, response, communication, and monitoring of risks. Appendices include risk assessment tools and templates to help with implementation.

Uploaded by

Steve Jones

RISK MANAGEMENT

HANDBOOK
Helpco NFP® 2012

Contents
PREFACE

CHAPTER 1: INTRODUCTION

Risk Management
Importance of Events in Risk Management
Purpose of Risk Management
Consequence of Unmanaged Risk
Risk Management in Helpco NFP

CHAPTER 2: CLASSIFICATION OF RISK

Types of Risks
Sources of Risks

CHAPTER 3: DEVELOPING A RISK-AWARE CULTURE

What is a “Risk-Aware” Culture?
Characteristics of a Strong Risk-Aware Culture
Seeking out a Risk-Aware Culture in Helpco NFP
Developing and Maintaining a Risk-Aware Culture

CHAPTER 4: RISK MANAGEMENT PROCESSES

Risk Management Process
Basic Steps in Risk Management

CHAPTER 5: RISK IDENTIFICATION

Risk Identification Tools and Techniques
Risk Identification Datasheet

CHAPTER 6: RISK ASSESSMENT

Steps in Conducting Risk Assessment
Risk Mapping Tools
Risk Tolerance and Risk Appetite

CHAPTER 7: RISK RESPONSE

Types of Risk Treatment
Risk Mitigation Plan Register
How to use the Risk Mitigation Plan Register

CHAPTER 8: COMMUNICATION, MONITORING AND REVIEW

Information and Communication
Risk Monitoring and Review
Risk Reporting and Disclosure

REFERENCES

APPENDICES

List of Tables
Table 1: Classification of risk including their sources (internal, external, and both) with practical
example of associated risk within defined categories.

Table 2: Seventeen common risk areas for risk identification and assessment.

Table 3: Risks ranking among the most common categories of risks.

List of Figures
Fig 1: Risk Management as a part of organizational processes.

Fig 2: Risk Management Process (University of Regina, 2012).

Fig 3: Risks Identification Tools Sample

Fig 4: Risks Calculation Worksheet.

Fig 5: A Risk Impact/Probability Chart (Source: IMA, 2007). (A sample list of ranked risks on the
basis of Risk impact vs probability chart can be found in Attachment B)

Fig 6: Risk Mitigation Plan Register.

Appendices
Appendix 1: Risk Assessment Questionnaire

Appendix 2: Factors to Consider when Identifying Risks

Appendix 3: Common risk language & glossary of risk terms

Preface

The Purpose of This Handbook

Helpco NFP has developed this Risk Management handbook to raise awareness of essential Risk Management concepts and mechanisms across Helpco NFP Field Divisions. The handbook is built upon the existing Helpco NFP Risk Disclosure Procedure implemented in 2004 and, at present, is being released as a non-compulsory set of tools, techniques, and templates to help field divisions identify, evaluate, and manage negative risks through adequate forward planning and mitigation strategies. The Handbook can be used to help Field Divisions to:

• Ensure that Major Risks are reported to the Vice President of Operations for review and acceptance;
• Embed a culture of systematically evaluating and identifying risks at the country program level;
• Provide a consistent Risk Management framework in which risks are identified, considered, and addressed.

Responsibilities

1. Compliance Department: The Compliance Department within the Overseas Support Department (OSD) is responsible for coordinating the development and maintenance of Risk Management procedures, standards, and forms for Field Divisions. The Compliance Department is also responsible for periodic reporting of country program risks, events, and issues to the Vice President of Operations (OverOps).

2. Field Division Director: Field Division Directors are responsible for ensuring that risks are regularly identified, assessed, mitigated, or managed. Field Division Directors are also responsible for submitting the Loss Events and Issues Log to the Compliance Department annually.

Handbook Implementation

Completion of the risk identification, assessment, and planning process is estimated to take 40 hours per year. At the implementation level, the Field Division Director shall designate a senior-level position to oversee implementation of the Risk Management Process across the country program. It is highly recommended that this responsibility be assigned to the Head of Operations, with regular support from the Head of Programming.

Chapter Overview

In today’s changing and challenging environment, modern organizations face a multitude of threats and opportunities that can negatively or positively affect their progress toward fulfilling their missions. Preparing and taking advance action against possible threats, and harnessing the competitive advantages of potential opportunities, require careful management and examination of organizational processes. This handbook demonstrates a systematic approach to Risk Management, including classification, identification, assessment, response, communication, and monitoring processes. The following is a brief introduction to the various chapters of this handbook.

Chapter 1 – Introduction: A set of risk-related definitions and background descriptions is an important requirement in projecting the country program’s Risk Management activities. Chapter 1 presents some basic introductory elements of risk management: the definition of risks and risk management, the importance of events, the purpose of risk management, the consequences of unmanaged risks, and an overview of Helpco NFP’s Risk Management approach.

Chapter 2 – Classification of Risk: Classification of risk is necessary in order to understand the interdependencies and relations among risks, which supports Risk Management processes. The chapter classifies risks according to their types and sources.

Chapter 3 – Developing a Risk-aware Culture: One of the vital functions of Risk Management is to develop a risk-aware culture, which is addressed in this chapter. The chapter points out the characteristics of a strong risk-aware culture and demonstrates Helpco NFP’s efforts toward developing a risk-aware culture. At the end, some essential prerequisites for developing and fostering a risk-aware culture are discussed.

Chapter 4 – Risk Management Processes: The chapter gives an overview of the major risk
management processes, i.e., setting up contexts, realizing objectives, risk identification, risk
assessment, risk response, communication, and monitoring.

Chapter 5 – Risk Identification: This chapter presents the general prerequisites of risk identification and illustrates risk identification tools and techniques. At the end of the chapter, there is a list of seventeen key risk areas, which form the basis of the risk identification tools in the country program.

Chapter 6 – Risk Assessment: Risk categorization, ranking, and risk mapping are the basic
steps of risk assessment, which are discussed in this chapter. The chapter contains a risk mapping
tool (impact/probability Chart) and the description of how to use it.

Chapter 7 – Risk Response: A major part of risk management activities is to identify appropriate mitigation plans. The chapter describes three main types of risk responses: acceptance, avoidance, and reduction. This chapter also presents the Risk Mitigation Plan Register with a detailed explanation of how to use this tool.

Chapter 8 – Communication, Monitoring, and Review: Risk communication, monitoring, and review are inseparable parts of risk management. The importance of communication and monitoring is discussed at the beginning of the chapter. Subsequent discussions cover various important tools used in the country program, including risk reports, risk disclosure reports, the risk register, and loss event and issue tracking. The chapter gives brief direction on how the country program reporting should be carried out.

Additional Materials

Appendices:

• Risk Assessment Questionnaire
• Factors to Consider When Identifying Risks
• Common risk language & glossary of risk terms

Attachments:
• Risk Identification Tool
• Impact Probability Worksheet
• Risk Mitigation Plan Register
• Loss Event and Issues Log

Chapter 1: Introduction
Risk Management
A risk is any potential future event or issue that can have an adverse effect on the organization’s performance, productivity, and existence. Managing such risks not only saves the organization from potential losses but can also create opportunities along the way. This management of risks, which is called Risk Management, has a profound impact on an organization’s overall wellness and development, for example, in harnessing various opportunities and in creating a sustainable organizational culture. Risk Management is a process integrated into an organization’s strategic management, whereby the organization explores, identifies, and takes the necessary measures to prepare action plans in order to overcome any potential pitfall. Indeed, Risk Management encompasses all of an organization’s activities and involves every entity in the process, from the board of directors to entry-level employees.

Importance of Events in Risk Management


Events have the most important implications for Risk Management. An event is an incident that directly stems from an organizational objective. An event can have either a positive or a negative impact, or a combination of both. Events which produce negative impacts and adversely affect the accomplishment of organizational objectives are recognized as risks (COSO, 2004; Protiviti, 2007). A positive event, which helps an organization to achieve an objective, is recognized as an opportunity. Identifying events and finding the links between these events and organizational objectives are the major processes of Risk Management.

Purpose of Risk Management


Enterprise Risk Management (ERM) is a structured approach to utilizing organizational resources through an appropriate Risk Management framework, which not only helps to overcome uncertainties but also reveals a range of opportunities that can be used to create greater value and to obtain competitive advantages (KPMG, 2001).

Risk Management is one of the vital organizational processes that help the organization’s vision and objectives succeed. As modern organizations evolve into more complex forms, Risk Management is becoming a strategic priority. The modern concept of ERM is pushing the boundary of Risk Management from traditional silo-based risk mitigation toward a more elaborate approach of risk portfolio optimization. Risk portfolio optimization entails identifying the organization’s risk appetite and risk capacity around some defined parameters and harnessing opportunities within the boundary of those parameters (KPMG, 2001) in order to optimize the use of available resources.

Fig 1: Risk Management as a part of organizational processes.

Consequences of Unmanaged Risks

When risks are well managed, everyone in the organization can reap the benefits; inadequate management of risks can jeopardize any important mission and may cause substantial harm to the achievement of the country program’s objectives. Some of the possible consequences of unmanaged risks are:

• Poor service delivery to program beneficiaries;
• Damaged reputation with the host-country government;
• Loss of credibility with the donor.

Risk Management in Helpco NFP

In today’s changing times, international NGOs are facing greater scrutiny of performance and accountability, both internally and by donors and host country governments. This, coupled with increased competition in the international NGO community, the shrinking availability of resources, and the challenging environments in which we operate, presents Helpco NFP with a host of threats to and opportunities for our mission of serving the poor.

Helpco NFP field divisions often have high operational risks due to the complexity of funding, programming diversity, scope of geographic coverage, host countries’ policies and regulations, project implementation involving multiple partners, etc. Accordingly, without a proper system of identification, assessment, and management of the possible risks that the country program may encounter, Helpco NFP could find itself unprepared to respond to a significant threat or opportunity, which could possibly result in a tarnished reputation and diminished trust by stakeholders in our ability to manage resources entrusted to us or to deliver quality program services to our beneficiaries.

Risk Management helps to ensure that risks associated with a country program are identified and well understood so that their impact can be recognized, managed, and mitigated at an early stage before they become a crisis. This early identification and successful management of risk will help Helpco NFP demonstrate its accountability and achievements to donors, host country governments, and other stakeholders and will result in maintaining our credibility as a leader in delivering services to those in need.

In 2004, Helpco NFP first attempted to implement a Risk Management system, which took place through the roll-out of its Risk Disclosure Reporting. During this early stage, the system reported existing issues to headquarters with the main goal of identifying the financial impact of those issues and, subsequently, accruing liabilities in Helpco NFP financial reports. Although this was an important start, Helpco NFP is now seeking to develop a more systematic, integrated, and forward-looking approach to Risk Management and is instilling Risk Management awareness and cultural changes on an Agency-wide basis.

Chapter 2: Classification of Risk


Types of Risk

Identification and classification of different types of risks are necessary to develop appropriate action plans against those risks. Though there are many kinds of risks, most of them fall under four main categories: hazard risks, financial risks, operational risks, and strategic risks (Razali and Tahir, 2011).

1. Hazard Risks: Hazard risks include natural and man-made calamities and uncertainties that adversely damage properties and resources. Most organizations normally address these risks by insuring through the proper channel, transferring risk mitigation controls to the appropriate agents or, in some cases, terminating a process or operation (AIRMIC, Alarm, and IRM 2010).

Examples of Hazard Risks

• Damage of property due to fire, flood, windstorm, and other natural disasters;
• Theft, vandalism, political instability, terrorism, etc.;
• Business interruption;
• Liability claims; etc.

2. Financial Risks: Financial risks are a core focus of most organizations. Financial risks are mainly associated with investment risks and the risks resulting from the interaction between assets and liabilities (Rudolph, 2009).

Examples of Financial Risks

• Fluctuation of commodity price, interest rate, asset price, foreign exchange rate, etc.;
• Liquidity risks;
• Credit risks.

3. Operational Risks: An operational risk can be defined as the risk causing direct and
indirect losses resulting from any internal failure, for example, insufficiency of people, processes,
etc., or from any external events that have a negative effect on the operation of the organization
(Basel Committee on Banking Supervision, 2001).

Examples of Operational Risks

• Business operation (e.g., customer dissatisfaction, product failure, etc.);
• Empowerment (e.g., poor corporate leadership);
• Information technology (e.g., problem in data access);
• Departmental fraud, etc.

4. Strategic Risks: Strategic risks have deep implications for the organization, as these risks are directly related to the organization’s vision, strategies, and objectives. Strategic Risk Management is concerned with the identification, assessment, and remediation of the risks emerging from organizational processes, objectives, etc. (Frigo and Anderson, 2011).

Examples of Strategic Risks

• Reputation related risks (e.g., fraud, bad publicity, etc.);
• Competition;
• Innovation;
• Regulatory issues; etc.

Sources of Risks

Both external and internal sources of risk may affect a country program and its objectives. Some risks may be unpredictable (e.g., natural disaster, host country policy change, or reductions in donor funding). Others may be more predictable (e.g., losses due to a large-scale food program). Therefore, to achieve a structured and manageable overview of all the possible risks, it helps to further classify them into three categories based upon the sources of the risks: internal, external, and both internal and external.

1. Internal Risks: Risks linked to the internal environment, e.g. operational risks in running
a program or project. These risks will largely be within the sphere of influence of the country
program and need to be proactively managed.

2. External Risks: Risks linked to the external environment, e.g. political risks associated
with host country’s government policies. These risks will largely be outside the sphere of influence
of the country program and may require elaborate contingency planning.

3. Both Internal and External Risks: These risks are linked to both the internal and the external environment, e.g., risks linked to working in partnership. Managing these risks requires close cooperation with partner organizations.

The effective management of risks is all about being proactive; management identifies and
tackles potential concerns before they turn into problems. The following table offers examples of
potential downside risks in each category above.

Table 1: Classification of risks according to their types and sources (internal, external, and both), with practical examples of the associated risks within each category.

| Source | Risk category | Examples |
|---|---|---|
| Internal Risks (within the country program’s control) | Strategic | Vague or unclear objectives for the country program (no SPP); Failure to position the country program to compete for available resources; Failure to identify threats and opportunities to the country program’s activities |
| Internal Risks | Programming/Operational | Poorly designed or overly ambitious projects; Programs outside the expertise of Helpco NFP; Poor service delivery, day-to-day crises, and misuse or neglect of human capital and other resources; Failure to deliver projects on time, budget, or specification; Poor partner institutional capacity |
| Internal Risks | Operational/business processes | Heavy bureaucratic procedures and lack of flexibility leading to delays; Inadequate systems leading to poor management of information; Inadequate internal controls leading to fraud or loss of resources |
| Internal Risks | Human resources | Staff levels; transfers; timing; capacity |
| Internal Risks | Management and Information | Unsatisfactory communication between parties; Lack of leadership from supervisors; Unclear communication structures |
| Internal Risks | Integrity | Corruption and fraud; Risks related to regulatory compliance |
| Internal Risks | Information technology | Reliability of information used for decision making |
| Internal Risks | Financial | Poor budget management; questionable financial allocation |
| Internal and External Risks | Relationships and Partnerships | Poor partner institutional capacity |
| External Risks | Political | Change of government; changes in policies; political instability |
| External Risks | Economic | Reduced funding/down-turns in the economy |
| External Risks | Legal or compliance | Newly imposed laws and regulations which restrict or impede activities |
| External Risks | Security | Threats of attack by rebel groups, terrorists, or bandits |

Chapter 3: Developing a Risk-aware Culture

What is a “Risk-aware” Culture?

A “risk-aware” culture is a culture that persists in a corporate environment where an effective ERM strategy is integrated with the organization’s mission, objectives, and strategies (Protiviti, 2007). In a risk-aware culture, everyone in the organization is responsible for the risks and their consequences, and the organization effectively promotes risk training, education, and awareness programs.

Characteristics of a Strong Risk-Aware Culture

A risk-aware culture integrates ERM in all aspects of operation of an organization. Here are
some typical characteristics of a strong risk-aware culture.

1. Management is Knowledgeable: Managers and stakeholders have an in-depth understanding of risk policies and risk appetites of the organization (KPMG, 2011).
2. Open and transparent: Everyone is encouraged to be risk conscious; all employees disclose risks without fear (Protiviti, 2007); risks are clearly presented by all staff and managers.
3. High priority: Risk Management is embedded in strategic management and decision-making processes. The organization is ready to allocate resources for Risk Management.
4. Training and development: ERM training and development are in place, covering risk policies, risk responsibilities, different ERM tools, and best practices.
5. Acknowledging Risk: Risk is acknowledged as part of everyone’s daily activities, annual planning, strategic planning, and project development.
6. Risk Management is closely linked to performance and development: Risks are made part of departmental and personal objectives, which is reflected in the performance development and appraisal processes, i.e., the reward system is aligned with ERM.

Seeking out a Risk-aware Culture in Helpco NFP

As Helpco NFP field divisions work towards fulfilling their objectives in today’s changing times, the divisions will require a shift in their attitude toward managing risks by adopting a continuous, systematic, and proactive approach. Bringing about fully effective Risk Management and embedding Risk Management into the minds, behaviors, and activities of all staff requires a significant change in the Agency’s culture.

A shift in Helpco NFP’s approach to managing risks also assumes the strengthening of
existing assessment, communication and monitoring capabilities and calls for the need to set up
and implement preemptive mitigation and response plans.

Developing and Maintaining a Risk-Aware Culture


Organizations should focus on a proactive approach to managing risk, as opposed to the reactive approach of traditional Risk Management. The reactive approach, or traditional silo-based Risk Management, has a number of significant drawbacks: risks are identified categorically, and Risk Management tasks are confined to identifying and mitigating so-called “hazard risks.” Risk is viewed from the individual and departmental perspective rather than from the perspective of the whole organization. In contrast, a proactive approach promotes greater collaboration among different departments (Casualty Actuarial Society, 2003) and across cross-functional barriers to support and nurture an integrated Risk Management process. Besides greater collaboration, the modern approach to Risk Management is also conscious of risk responsibilities and encourages individual and departmental concerns and initiatives. The following are some important suggestions for promoting a successful risk-aware culture.

Incorporate ERM into Organizational Strategies


In order to develop a risk-based corporate culture, ERM has to be integrated within strategic development and implementation, encompassing an organization’s overall mission and objectives (KPMG, 2001). The role of executive management, in this regard, is to ensure a friendly and cooperative environment where employees feel comfortable reporting risks to the designated authority as soon as they become aware of them. Risk Management has to be included in the country program strategic plan, in the annual plan, and during major project proposal development.

Encourage Full-Engagement and Accountability


Managers and boards of directors normally have difficulty recognizing risks first-hand on their own (AGB, 2009). They identify organizational risks through how individuals and departments perceive the risks. It is therefore important to create full engagement and accountability among employees at all levels. Periodic identification and assessment of risk at multiple levels will ensure a risk-oriented focus among employees. In this regard, exploring the overall benefits of Risk Management and tying Risk Management metrics to employees’ performance measures (AON, 2010) are important strategies for developing a risk-aware culture.

Define ERM Terminology, Code of Conduct, and Other Elements


In order to establish a uniform risk-aware culture, an organization should create its own risk language and concepts, develop an appropriate channel for risk reporting, identify proper tool-sets, and ensure the skills necessary to use the tools (KPMG, 2001). The organization needs to define a code of conduct regarding Risk Management. While establishing this code of conduct, the organization should also define risk responsibilities and the tolerance level for noncompliance, which will help the implementation of Risk Management proceed smoothly (AGB, 2007).

Involve Everyone
The country program should create a culture where all employees perceive themselves as risk managers. All staff must have a clear perception of how Risk Management can create positive effects on individual and departmental progress, promote innovation, and deliver results. Country programs have to bring about maximum collaboration, involving many people at all stages of the Risk Management cycle, including objective setting, risk identification, risk assessment, and risk optimization processes. Risks must become part of day-to-day activities and core processes. All programs, projects, and work flows must consider the consequences of potential risks as well as existing ones.

Facilitate with Training and Build Awareness


One of the important prerequisites for developing a risk-oriented culture is to create an increased focus on building awareness and implementing strategies for better risk-based decision making (KPMG, 2010). In order to develop such awareness, the organization needs to develop an appropriate level of skill-sets through effective training. It is necessary that all employees receive risk-based training depending not only upon their levels, types, and exposure to risk, but also on their personal understanding of the various processes concerning the risks. The key aims of facilitating training and building awareness in Helpco NFP are as follows.

• All staff in the country program understand the basic concepts and benefits of Risk Management;
• All staff are aware of and understand the country program’s approach to Risk Management; and
• All staff can effectively apply the country program’s Risk Management principles in their day-to-day operations.

Create and Foster an Environment Supporting Strong Communication


Effective communication is a crucial part of Risk Management. Appropriate communication is necessary to convey risk information and strategies to staff, to ensure that all employees understand the country program goals and objectives, and to enable employees to carry out their responsibilities. A communication culture can be established by regularly arranging meetings, seminars, and workshops and by ensuring the active participation of all employees on various risk issues. For effective risk communication, organizations should develop a general language describing the necessary risk terminology and ensure that all employees understand and are accustomed to this language. Repeated communication based upon a common risk language will remove confusion and misunderstanding, which is the most important prerequisite in developing a risk-oriented culture.

Chapter 4: Risk Management Processes


Risk Management Process
The Risk Management process is a series of integrated activities operated systematically throughout the country program in order to identify, assess, and mitigate risks. Risk Management activities can be broadly divided into three steps: identification, assessment, and response to risk. A typical Risk Management process diagram is represented below.

Fig 2: Risk Management Process (University of Regina, 2012).

It should be borne in mind that Risk Management tasks are a repeated endeavor cycling through the organizational processes. In the primary steps, Risk Management activities can focus on downside risks and, later on, move forward to the more advanced steps. In the advanced stages, risk management tasks are associated with risk portfolio optimization, which includes finding the interdependency and relationship of risks, recognizing potential opportunistic events during risk identification processes, increasing the focus on risk priority determination, and tuning the response plan as the status or the priority of risks changes.

Basic Steps in Risk Management


Setting up contexts
Establishing a suitable context is an essential stage in Risk Management. The country program should define the context around which the risk identification process will revolve. This task of context setting also creates a foundation for the organization’s risk appetite (University of Regina, 2012). Contexts can be both internal and external. Internal contexts are organizational missions, strategies, objectives, various performance indicators, policies, procedures, etc. (Casualty Actuarial Society, 2003). External contexts include donors and other stakeholders; socioeconomic, cultural, and political conditions; and other legal and regulatory issues (University of Regina, 2012).

Realizing Objectives
One of the most important steps in the event identification process is defining objectives. By
investigating the mission, strategies, and other contextual elements, the country program will set
realistic objectives aligning with its risk appetite. A clear understanding of country program
objectives is essential for all participants in the program.

Risk or Event Identification


Risk identification is associated with event identification. The organization’s main focus is on the different internal and external events that can influence organizational achievements. Events are identified on the basis of external and internal contexts and organizational objectives. Different event identification tools and techniques, for example, brainstorming, event history analysis, workshops, meetings, etc., can facilitate the event identification process.

Risk Assessment
Once possible risks are identified, risks are then assessed according to their probability of
occurrence (likelihood) and possible impact by utilizing different risk analysis tools and techniques.
On the basis of probability and impact, risks are then categorized (e.g., high, medium, and low)
according to their importance. Risk assessment is necessary to determine an appropriate response
plan against the risk.

Risk Response
Based upon its own appetite for risks, an organization decides the appropriate response
plan, whether it will avoid a risk by taking proper action steps, accept the risk and its consequences,
or optimize the risk by reducing its extent of likelihood or possible impact.

Apart from the above five essential steps, the two most vital ingredients that support and
nurture the entire Risk Management process are communication and monitoring.

Information and Communication


The most important ingredient to support the Risk Management process is information.
Moreover, appropriate channels need to be established to communicate risk information. To
facilitate greater communication and to create a risk-aware culture, an organization needs to
develop a proper risk language based upon consistent terminology.

Risk Monitoring and Review


To implement a successful Risk Management process, organizations need to incorporate
monitoring and review activities surrounding all risk related functions. Monitoring and review are
accomplished by senior managers to ensure that the risk related activities are taking place
according to the set benchmark. Important risk monitoring activities include maintaining a risk
register, using risk tracking and management software, risk reporting, risk disclosure reporting,
loss event and issues tracking, etc.

Chapter 5: Risk Identification


Risk identification is the process of identifying possible events that can impede the success
of organizational objectives. Risk identification is accomplished on the basis of the organizational
mission, strategies, and objectives and through the analysis of tasks and events that stem from
these vital components. The risk identification process should normally have the following
characteristics:

• The risk identification process is comprehensive, encompassing all aspects of an
organization.
• The risk identification process should have a core focus on the organizational dynamics, i.e., the
changes of mission, objectives, and timescale (Langer and Samer, 2009).
• The risk identification process is accomplished through the collaboration of different
levels of employees and stakeholders.

(A list of some common factors during the risk identification process is included in
Appendix 2.)

Sometimes downside risks can be effectively mitigated or turned into opportunities if
identified at an early stage. The initial stage of a risk identification process seeks to identify the
sources and causes of key risks which may affect the country program. Some important
considerations during the risk identification process include:

• An organization needs to bring greater collaboration and create a congenial atmosphere
to promote risk identification processes.
• Relying on multiple methods of risk identification will reveal more potential areas of
risks and will identify events that can eventually be recognized as accessible
opportunities (IMA, 2007).
• During the risk identification process, exploring the association of organizational
objectives with cross-functional areas can also reveal many opportunities for the
organization as well as risks.

Risk Identification Tools and Techniques


Identification of risks relies upon the identification of events and their associated objectives.
So, it is important to bear in mind that risk identification efforts will be most effective once the
identifiers have a clear understanding of the country program’s mission, objectives, and
contexts within which potential events are interwoven. Once this criterion is met, the following
tools and techniques can greatly facilitate identifying possible risks that a country
program might encounter.

Brainstorming Session
Brainstorming sessions comprising all staff and managers in a country program may
disclose many potential events, both risks and opportunities. Brainstorming sessions should be
headed by the subject matter experts or trained facilitators. In order to make a brainstorming
session effective, before starting the session, the facilitator should ensure that the country program
strategies, objectives, and contexts are well understood by all the participants.

Event Inventory
An event inventory is a very useful component in exploring risks, particularly during a
brainstorming session. Generic inventories of risks for programs similar to a country program
can be obtained from various publications and repositories (IMA, 2007).

Historical Loss-event Data


Historical loss-event data provide insights into what has already happened in a country
program. The data inform the country program about the anticipated and unanticipated risks it
experienced previously and can also help to predict future risk issues. Sometimes, external
data on various loss-events of similar organizations or projects can save effort in
identifying relevant risks and in determining their possible treatments (IMA, 2007).

Self-assessment Questionnaire, Interview and Survey


A self-assessment questionnaire can be provided to the staff in a country program to
recognize the objectives surrounding their individual roles and responsibilities and to identify
potential events that can negatively affect the accomplishment of those objectives (IMA, 2007). In
this respect, country program managers address important issues to identify the areas of risks and
encode them in a suitable questionnaire form with open-end and closed-end (e.g., Likert’s
five-point scale) questions (COSO, 2004). The questionnaire can also be provided to various internal
or external participants to collect feedback regarding particular risks or associated areas. For a
clear understanding, a standard self-assessment questionnaire on some predefined risk areas is
included in Appendix 1.

A closed-end questionnaire survey limits the response of the participants, and a paper-
based survey has several limitations. In that sense, a one-on-one or a group interview can reveal
useful insights regarding past events as well as potential future events (COSO, 2004).

Facilitated Workshop
Arrangement of facilitated workshops is an effective technique in event identification. The
workshop may accommodate cross-functional teams or multi-level individuals (COSO, 2004) who
can effectively identify the association of potential events with the mission and objectives of the
country program. A facilitated workshop can utilize information collected from brainstorming
sessions, self-assessment questionnaires, interviews, etc. By utilizing necessary information and
resources, a cross-functional team will identify the association of risks with different departments
and interconnect risks across various cross-functional barriers. Identified risks can then be
categorized and ranked according to the priority and with the consensus of the workshop
participants (IMA, 2007). A facilitated workshop can be arranged with the participation of country
program staff, regional staff, senior managers, and subject matter experts under the direction and
supervision of a trained facilitator.

Process Flow Analysis


The process flow analysis helps to identify events from objectives. A process flow is a
diagrammatic representation of an organizational process demonstrating various executable tasks
derived from the objectives. Each task is then analyzed to identify potential events associated with
it. A process flow diagram consists of the representation of a process input, tasks associated with
that input, and process outputs. Each input within the process stems from an executable objective,
and each task derived from the input can generate potential events through analysis. A country
program should clarify how each of its objectives will be executed. With the help of subject matter
experts, a process flow analysis can reveal many potential events unveiling the risks and
opportunities.

Risk Identification Datasheet

Helpco NFP devised a Risk Identification Tool (Attachment A/ Appendix 1), which is an
Excel-based datasheet to help facilitated workshops or discussion sessions. It contains 17
predefined risk areas and provides a series of questions with assigned values to choose from. The
assigned value (1, 2, 3, etc. according to the priority) for each question and a rating (high, medium,
and low) for the value are tabulated and registered in the Risk Calculation Sheet (Fig-4). This
generates an overview of the priority areas of risks that the country program should consider. With
the aid of a trained facilitator, a structured discussion should take place around these 17 risk areas.
The template also provides two additional tabs in which a country program can add risk areas
unique to its operations.

Appendix 1 demonstrates these 17 risk areas with a series of pre-defined questions and
assigned values to help identify and assess risks for a country program or project. The following
table lists these risk areas.

Table 2: Seventeen common risk areas to help in facilitated discussion during risk
identification and assessment.

Common Risk Areas:

1) Country context
2) Country Program Scope and Size
3) Program Structure
4) Technical Capacity
5) Country Program Staffing
6) Staffing Experience
7) Sub-recipient Monitoring Systems
8) Sub-recipient Monitoring *
9) Procurement and SCM
10) Legal and Compliance
11) Regional Support Capacity
12) Cash Management *
13) Personnel Management *
14) Procurement Management *
15) Fixed Asset Management *
16) Inventory Management *
17) Segregation of Duties *

* Note: These tabs rely on information already entered in the ICQ

Some useful techniques to facilitate the risk identification process:

• Your own experience: Consider the history of risks in your area of expertise and the
plausibility that similar – or contradictory – risks may occur in the future. Ask: “What
might happen if the conventional wisdom does not come about?”
• Asking yourself ‘what-if’ questions, for example: What if a supplier goes bankrupt during a
critical project? What if there is a sudden change in the political situation restricting access
to areas in the host country? What if we can no longer work with a partner in an effective way?
• Challenging and questioning assumptions: Have we been too optimistic? Or too
pessimistic? Is there any bias in our assumptions?
• Thinking wider than given facts: Brainstorm the not-so-obvious risks. Spend some time
focusing on the exception, not on the norm.
• Audit findings: Look at audit reports (from either internal or external audits).
• Historical data and future trends: Have you come across such risks before? How can they
temporarily or permanently affect programs and activities?
• Scenario planning: A powerful way to imagine the unthinkable.
• Root cause analysis: Ask a series of why questions to get to the very root of what might
make the risk occur.
• One-to-one interviews: Useful to surface information that is perceived as sensitive, and to
engage new members of staff.
• Questionnaires.
• Team brainstorming: Usually best done at regular meetings.
• Structured discussions involving a relatively small group of people.

Fig 3: Risks Identification Tools Sample

Fig 4: Risks Calculation Worksheet.

Chapter 6: Risk Assessment


Risk assessment denotes the task of evaluation and ranking of risks once they are identified.
A comprehensive risk assessment process involves recording sufficient information about each risk.
Risk-related information is recorded in a risk register, which can be an Excel worksheet or any other
manageable database (AIRMIC, Alarm, and IRM 2010).

Some Important Characteristics of Risk Assessment

• Risk assessment should be a part of the decision making process integrated into all
organizational strategies (AIRMIC, Alarm, and IRM 2010).
• The risk assessment process should be considered on a progressive basis, starting with the
most significant risks in earlier stages (Frigo and Anderson, 2011).

Steps in Conducting Risk Assessment


Classification of Risks
After the process of risk identification, an organization may come up with too many risks,
which are very difficult to track and analyze. A classification based on common characteristics of
risks and their interdependencies can tremendously help the risk assessment process to prepare
appropriate action plans and to avoid misuse of resources (KPMG, 2001). Several risks may have
similar profiles, and the fate of one particular risk may positively or negatively affect another risk.
Identifying these interdependencies requires a deep understanding of organizational processes,
strategies, and objectives.

A table representing the classification and sources of common risk categories is displayed in
Chapter 2 (Table 1).

Ranking of Risks
The main goal of ranking risks is to produce an accurate profile for each risk and to
determine their importance in order to enhance the treatment efforts. Organizations can perform
this categorization and ranking by devising their own methods of measurement and by adopting
suitable tools. However, the proper use of such tools requires a thorough analysis of risks as well as
a comprehensive understanding of the country program’s strategies, objectives, and processes.
Ranking of risks is done by ranking each of the risk components, i.e., risk impact, likelihood of
occurrence, risk exposure, etc. individually and by incorporating a suitable scale (for example, low,
medium, and high) for each of the components.

Table 3: Subsequent ranking of risks after the classification of risks into common categories.

Risk category: Strategic
High impact:
• The risk of losing goodwill with the donor community, host country government, local
Church or communities we serve.
• Risks associated with actual or alleged sexual exploitation.
Low impact:
• Staff member charged or convicted of fraud or corruption.

Risk category: Programming/Operational
High impact:
• Continued interruptions in essential delivery of life-saving services.
• Becoming irrelevant, losing the support of public and private funding sources, and
failing to respond to local needs and donor requirements.
• Poor partnership implementation.
Low impact:
• Targets or results missed by less than a set percentage.

Risk category: Financial
High impact:
• Financial exposure (disallowed costs) due to inadequate or inaccurate information.
• Overspent or underspent budget.
Low impact:
• Fluctuation of exchange, interest and inflation rates.

Risk category: Legal and Compliance
High impact:
• Project and funding suspension or termination due to non-compliance with
regulations or restrictions on the use of funds from donors and funding agencies.
• Sanctions or Patriot Act non-compliance.
Low impact:
• Payment of penalties and interest for non-compliance with legislation (e.g. expatriate
tax payments).

Risk category: People (Human Resource)
High impact:
• Staff safety and security (fatalities or injuries requiring hospitalization).
• Ability to attract and retain qualified staff.
Low impact:
• Staffing levels, transfers, timing, capacity, or limited work permits.

Risk Mapping Tool


The primary focus of the country program is to prepare an initial database with a
manageable number of risks categorized into low, medium, and high priority based upon the
vulnerability of the risks. Vulnerability is a combination of possible negative impact on the
achievement of an objective and the likelihood of its occurrence. Suitable tools (e.g.,
impact/probability chart) or mathematical models (e.g., statistical analysis) can be developed to
identify which risks require the most attention. Additional factors (other than impact and
likelihood) which are not easy to calculate but can have an impact on ranking risk should be taken
into consideration, for example, various internal and external controls, including existing controls
and mitigation plans. A basic form of the Risk Impact/Probability Chart is shown in the diagram
(Fig 5) below.

Fig 5: A Risk Impact/Probability Chart (Source: IMA, 2007).

Impact/Probability Chart
The Risk Impact/Probability Chart is based upon the principle that a risk has two primary
dimensions: probability of occurrence and possible impact.

Probability of Occurrence: The probability of occurrence determines the likelihood that a
risk will occur. At an early stage of Risk Management, managers should seek an “order of magnitude”
approach in ranking the probability, instead of using a percentage determination or any
number-based ranking. However, the quality of assessment is a crucial requirement when “probability”
identification relies upon the informed decision of experts rather than the use of any statistical or
mathematical tools (Protiviti, 2007).

Impact: Management rates the impact of a possible risk in terms of the difficulty in
achieving a particular objective (Protiviti, 2007), which may be due to the possible financial loss,
difficulty in a strategic implementation, or any hazardous consequence, etc.

The impact vs. probability chart allows the country program to map a potential risk on two
dimensions. The probability that a risk will occur is represented on one axis of the chart and the
possible impact on the other. If assessed and prepared by experts, the impact vs. probability chart
can give a quick and clear view of the priority of each risk, which helps to determine what resources
may be allocated to manage that particular risk.

Simple Exercise to Use Impact/Probability Chart


To use the Risk Impact/Probability Worksheet, print the worksheet in Attachment B, and
then follow these steps:

1. List all of the possible risks that you identified for the country program.
2. Assess the probability of each risk occurring, and assign it a rating. For example, you
could use a scale of 1 to 10. Assign a score of 1 when a risk is extremely unlikely to occur
and use a score of 10 when the risk is extremely likely to occur.
3. Now, estimate the possible impact of the risk on the country program if the risk were to
occur. Again, do this for every single risk on your list. Using your 1-10 scale, assign it a 1
for little impact and a 10 for a huge, catastrophic impact.
4. Map out the ratings on the Risk Impact/Probability Chart.
5. Develop a response plan for each risk according to its position in the chart and record
your response on the Risk Mitigation Plan Register (Fig-6/ Attachment C). Remember,
risks in the bottom left corner can often be ignored, while those in the top right corner
need a great deal of time and attention.

Primarily, the country program should identify and focus on middle and high-priority risks
in order to keep the number of risks manageable. Concentrating on too many risks at a time may
spread the efforts too thinly, and waste resources on unnecessary Risk Management. The Risk
Impact/Probability Chart will help to map out each risk, and its position on the Chart will
determine its priority. High-probability/high-impact risks are the most critical and deserve the
most attention. The low-probability/high-impact risks and high-probability/low-impact risks are
next in priority; however, a different approach can be adopted based on necessity as it arises
over time.

Risk Tolerance and Risk Appetite


An organization should be very careful in dealing with risks, as it can’t prepare for every
possible risk that it may encounter. It has to optimize risk mitigation processes so that the country
program can be successful with minimum waste of resources. On this basis, the organization
needs to define the boundary of risks where the risks will be assessed on a set of criteria and policy
statements, which is essentially done by setting up the appetite and tolerance of risk.

Risk Appetite

Risk appetite is the number and quality of risk that a country program wants to accept or
deal with in order to accomplish its mission and objectives (KPMG, 2010). Risk appetite refers to
the agency’s attitude toward risk taking and its ability to tolerate either a high or a low level of
exposure to specific risks. There is no defined limit of risk appetite; it depends on the country
program’s scope, financial allocation, donors’ and stakeholders’ interests, and the quality and
nature of risks that a country program normally encounters.

Risk Tolerance

Risk tolerance is the amount of risk a country program can withstand without changing its
strategic objectives. Risk tolerance level helps the organization to identify its risk appetite and
recourse its objectives. So, an organization’s risk appetite has to be smaller than its risk tolerance.
In Helpco NFP, criteria may differ in different departments of the organization, e.g. low appetite for
risk in security, higher in program areas where innovation is important, etc.

Setting-up Risk Appetite

At an advanced level of Risk Management, an organization needs to set up its risk appetite
and risk tolerance (KPMG, 2010). Currently, in Helpco NFP, risk appetite and risk tolerance are not
well-documented in the country program policy. The field division senior management team will
investigate the country program’s objectives, strategies, and the expectations of various
stakeholders and donors. By consulting with the respective regional director and various other
stakeholders, the team will prepare necessary statements for its risk appetite and risk tolerance
level. Like other Risk Management processes, it is an ongoing process which will progress through
periodic review, subsequent follow-up, and consultation. The risk appetite and risk tolerance
statements should have the following characteristics:

• Risk appetite and risk tolerance statements should be comprehensive in nature,
encompassing all organizational activities.
• The statements should be aligned with organizational strategies and objectives and serve
the interest of various stakeholders.
• The statements must be easy to perceive, meaningful, and should clearly define the
boundary of the risks that a country program is going to accommodate (SCOR, 2009).

The risk appetite and risk tolerance statements have to be prepared by the subject level
experts with the help of senior managers and directors.

Chapter 7: Risk Response


Once risks are identified, assessed, and categorized according to their importance, the next
step is to prepare appropriate action plans in order to mitigate or optimize the risks. The
conventional risk mitigation plans limit the risk response mostly by placing the appropriate control
in place. However, the modern approach to risk response works toward risk portfolio optimization
where an organization determines its risk appetite and risk capacity, explores the risk within this
boundary, fine-tunes risk response according to the timeframe and other requirements, and harnesses
opportunities stemming from potential events during the process (KPMG, 2001). To identify risks
and to prepare appropriate action plans for them, the country program needs to arrange meetings,
seminars, and brainstorming sessions in the presence of relevant staff, managers, and subject
matter experts.

Types of Risk Treatment


Sometimes the opportunity to respond to a risk in an organization is limited, which relies
upon available resources. Depending upon the nature of the risk, an organization may accept the
risk, reduce the risk to some extent, share or transfer the risk to the appropriate channel, or take
necessary steps to completely avoid the risk. A cost-benefit analysis is necessary in order to
prepare an appropriate response plan against each risk.

The country program risk response activities can be divided into three categories: risk
acceptance, risk avoidance, and risk reduction.

Risk Acceptance
The country program acknowledges some risks recognizing that it can tolerate the exposure
to those risks. Risks are accepted when it is realized that the risks cannot be avoided or mitigated in
any meaningful way, and the actions to avoid or mitigate the risk can be too costly or time
consuming.

Risk Avoidance
In this case, appropriate steps are taken to eliminate a risk. Depending upon the
circumstances, the program may need to modify or terminate plans or activities, hire additional
resources, or adopt different technical solutions. Avoidance can be costly, but it may be the only
way to achieve the country program mission.

Risk Reduction
Through analysis and necessary consideration, alternative solutions are sought in order to
minimize the potential impact of any recognized risk. In essence, this is a combination of acceptance
and avoidance. Necessary plans and activities are carried out to minimize the chance that a risk will
occur. In some situations, only plans are made in advance, instead of taking advance action steps,
which define what measures will be taken once the risk actually strikes so that the extent of the risk
can be minimized. In order to reduce the consequences of certain risks, particularly those of
high impact and low probability, risk can be shared by means of some external arrangements, for
example, insurance, co-operative agreements, and outsourcing (AGB, 2007). There is considerable
scope to explore these opportunities in the country program.

In choosing which strategy to apply, keep in mind the main objectives of Risk Management:
“Risks are identified and well understood so their impact can be managed, planned for, and mitigated
at an early stage before they become a crisis.”

Risk Mitigation Plan Register


The risk response is documented in a Risk Mitigation Plan and Register. The country
program’s Risk Mitigation Plan register can be found in Attachment C. A screenshot of this register
is displayed at the end of this chapter (Fig.-6).

The register records three major functions regarding risk mitigation.

1. After event identification and subsequent assessment of risks, the country program
records all identified risks in the Risk Mitigation Plan Register. If the country program plans
sufficiently for the unknowns that may occur, then the likelihood of failure can dramatically be
reduced.

2. In the next step, each risk is ranked into low, medium, and high priority based upon its
probability of occurrence and likelihood of impact using available risk mapping tools. Each risk has
a different chance of occurrence, and each one has a different impact if it does occur. Identifying
this fact allows the country program to spend its time mitigating risks based on its ability to
withstand the different degrees of vulnerability.

3. Finally, possible mitigation plans for selected risks and their follow-up status are
recorded.

Fig 6: Risk Mitigation Plan Register.

How to use the Risk Mitigation Plan Register


The Risk Mitigation Plan Register has the following fields.

Risk ID: The first column in the Risk Mitigation Plan Register (Fig-2) is the risk identifier.
The Risk ID makes it easy to refer to and communicate about a risk in a country program.

Risk Description: This is the summary of the identified risk for which the country program
is willing to prepare necessary response plans.

Probability: This is the probability that a risk will materialize. Risks are ranked into high,
medium, and low categories according to their likelihood or probability of occurrence, which
demonstrate a relative positioning of risk in the risk register.

It is worthwhile to mention that the probability of a risk, along with its possible impact, will
determine what action plan will be taken against it. An important purpose of the risk register is to
identify the top priority risks so the country program may decide which risks need to be mitigated
first.

Impact: The field “impact” lists the possible consequences of a risk on the country
program if it materializes. The scale of ranking the impact is similar to that of ranking the
probability, i.e., low, medium, and high.

Exposure: Exposure to the risk determines the extent of a risk if the risk materializes. It
also determines the priority of the risk in the scale of low, medium, and high.

Mitigation: Mitigation is a set of tasks or action steps that the country program undertakes
to minimize the occurrence of a risk. Each of these action steps is assigned to someone and has a
deadline associated with it.

Contingency: One of the major priorities of Risk Management is to take advance action
steps to reduce the likelihood of occurrence of the risks. However, sometimes the risk response
begins after the occurrence of a risk. Contingency contains necessary action plans to reduce the
effects of a risk once it strikes the country program.

Likelihood after Mitigation: When a risk is mitigated according to the plan, the likelihood
of occurrence for that risk should drop. So it gives an indication of how the mitigation plan is
working for a particular risk or type of risk. Necessary plans can be prepared based on this
indication to reduce the “exposure” of risk as well.
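The five-step Impact/Probability exercise and the register fields described above can be worked through in a short script. This is an added example, not Helpco NFP's Excel tool: the cut-off of 6 for "high" on the 1-10 scale, the probability x impact tie-break, and the sample rows and scores are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

SCALE_MIN, SCALE_MAX = 1, 10   # the 1-to-10 scale suggested in the exercise
HIGH_FROM = 6                  # ASSUMPTION: scores 6-10 form the "high" half of an axis
TIER_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Risk:
    """One row of the register, using the handbook's field names."""
    risk_id: str
    description: str
    probability: int           # 1 = extremely unlikely, 10 = extremely likely
    impact: int                # 1 = little impact, 10 = catastrophic impact
    mitigation: str = ""
    contingency: str = ""
    likelihood_after_mitigation: Optional[int] = None

    def __post_init__(self) -> None:
        # Reject scores that fall off the agreed scale instead of ranking them.
        scores = {"probability": self.probability, "impact": self.impact}
        if self.likelihood_after_mitigation is not None:
            scores["likelihood_after_mitigation"] = self.likelihood_after_mitigation
        for name, value in scores.items():
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.risk_id}: {name}={value!r} is off the 1-10 scale")


def priority(risk: Risk) -> str:
    """Chart position: both axes high -> 'high' (top right corner),
    exactly one axis high -> 'medium', neither -> 'low' (bottom left corner)."""
    high_axes = (risk.probability >= HIGH_FROM) + (risk.impact >= HIGH_FROM)
    return ("low", "medium", "high")[high_axes]


def rank_register(risks: List[Risk]) -> List[Risk]:
    """Order by chart tier; inside a tier by probability x impact (ASSUMPTION), then ID."""
    return sorted(
        risks,
        key=lambda r: (TIER_ORDER[priority(r)], -(r.probability * r.impact), r.risk_id),
    )


def focus_list(risks: List[Risk]) -> List[Risk]:
    """Keep only middle and high-priority risks so the register stays manageable."""
    return [r for r in rank_register(risks) if priority(r) != "low"]


def stalled_mitigations(risks: List[Risk]) -> List[str]:
    """IDs of mitigated risks whose re-assessed likelihood has not dropped."""
    return [
        r.risk_id
        for r in risks
        if r.mitigation
        and r.likelihood_after_mitigation is not None
        and r.likelihood_after_mitigation >= r.probability
    ]


# Constructed sample register: descriptions echo the handbook's own examples,
# while every score and mitigation text is invented for this illustration.
SAMPLE_REGISTER = [
    Risk("R-01", "Supplier goes bankrupt during a critical project", 3, 8),
    Risk("R-02", "Political change restricts access to areas in the host country", 7, 9,
         mitigation="Agree alternative access routes with partners",
         contingency="Suspend field visits and switch to remote monitoring",
         likelihood_after_mitigation=4),
    Risk("R-03", "Fluctuation of exchange, interest and inflation rates", 8, 3),
    Risk("R-04", "Overspent or underspent budget", 4, 4),
    Risk("R-05", "Disallowed costs due to inaccurate information", 6, 7,
         mitigation="Monthly review of cost documentation",
         likelihood_after_mitigation=6),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.risk_id}  P={r.probability:<2} I={r.impact:<2} {priority(r):<6} {r.description}")
    print("Mitigation not reducing likelihood:", stalled_mitigations(SAMPLE_REGISTER))
```
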

Chapter 8: Communication, Monitoring and Review

Information and Communication
Information serves as a raw material which, via effective communication, keeps the
vital processes in an organization alive. Communication helps different units to share, exchange,
and utilize necessary information. The appropriate volume of internal and external information is
an essential component of Risk Management, which will enable an organization to carry out Risk
Management functions, including the major processes, e.g., aligning objectives and contexts with
risks and vice versa, determining risk appetites from objectives and missions, identifying and
assessing events, and preparing necessary response plans. A greater collaboration facilitated with
information and communication is also necessary to build event inventories, risk registers, risk
reports, and other essential components.

Communication is necessary to set expectations and benchmarks in Risk Management, to
assign proper responsibility (COSO, 2004), and to create an overall organizational culture. Risk
communication is carried out via a coherent language which enables each employee to share a
common view and working ground without confusion and misunderstanding. In this regard,
organizations have to develop their own risk terminology to facilitate effective communication,
which also adds to the creation of a better corporate culture.

Risk Monitoring and Review


In order to evaluate the success of Risk Management, the presence of essential components
and their proper functioning are monitored (COSO, 2004). Risk monitoring is not a separate or
distinctive step in Risk Management, but rather an integral process within the whole system.
Risk monitoring is a continuous process which periodically collects risk reports, risk disclosure
reports, and other risk related inputs from the internal and external environment of the
organization and publishes regular progress reports (Casualty Actuarial Society, 2003) that reflect
the organization’s proper risk status. The risk status is necessary to reveal a comprehensive risk
picture of the country program to employees, managers, donors, and other stakeholders. While risk
monitoring is accompanied by senior managers, various separate audits (e.g., internal or external
audit) can evaluate the risk monitoring and add to the progress report.

Risk monitoring will ensure that the Risk Management activities are aligned with policies
and procedures. Appropriate controls are set in place where there are non-compliances in Risk
Management activities. The country program can implement proper training to ensure that Risk
Management activities are carried out safely according to the policies and procedures.


Determine Risk Ownership


Once identified, each risk should be assigned to a subject matter expert or a business
process-owner who has sufficient authority to manage the risk. This places responsibility for the
continuous monitoring of risk trends and their proactive management at the business process-
owner level (Protiviti, 2007).

If possible, an individual should be assigned to oversee the status of all identified risks with
the aim of providing an objective assessment of risk disclosure and ensuring that the mitigation
plans are implemented.

Risk Reporting and Disclosure


Risk Report

To facilitate risk monitoring, risks are periodically reported to the management team. A
risk report is a summary of project risks and opportunities, risk responses, and risk trends
(AIRMIC, Alarm, and IRM, 2010). The following items serve as the basis for generating a project
risk status report:

• The risk register and the supporting risk treatment action plans,
• Work performance data,
• Project schedule and progress,
• Status of project deliverables, etc.

Risk reports are usually submitted to senior management on a regular basis or as
required. Project risk reporting is a part of standard project management reporting.
Communicating and reporting risks helps the country program managers, regional office staff, and
designated persons in Headquarters (HQ) to understand existing risks, opportunities, and
trade-offs. The purpose of risk reporting and disclosure is to ensure all parties are fully informed
of existing risks and to support internal decision-making processes.

Risk Disclosure Report

A risk disclosure report differs from a risk report. While a risk report deals with existing
risk status and trends, a risk disclosure report anticipates possible risks and their consequences
(AIRMIC, Alarm, and IRM, 2010). Comprehensive, transparent, and objective risk disclosure is an
essential component of the Risk Management process. This includes disclosure and periodic
reporting of risks to the country program senior management team.


The country program office creates risk reports and risk disclosure reports and
communicates with the country representative, regional office, and headquarters in order to
maintain the consistency of Risk Management actions.

Risk Register

Risk tracking and monitoring activities are recorded in the risk register. A risk register
contains different program objectives, a list of identified risks, the priority and status of risks, various
risk responses, control activities, monitoring status (KPMG, 2011), etc. The use of various risk
reporting and risk monitoring software can further streamline the entire process.

Country Program Reporting: The country program risk register is an Excel-based
datasheet called the Risk Mitigation Plan and Register (Attachment C). The identified risks,
their likelihood, impact, and mitigation strategies should be documented in the Risk Mitigation Plan
and Register and presented to the senior management team for monitoring, reviewing, and
disclosing the risks to headquarters as needed.

Loss Event and Issue Tracking

Loss event and issue data provide insights into what has already happened in a country
program. The data tell the country program where anticipated and unanticipated risks were
experienced and what remediation actions were taken. Loss event and issue tracking also helps
predict future losses or issues. For these reasons, it is important that Helpco NFP maintains a log
of previous loss events and issues.

Headquarters Reporting: Currently, the Loss Event and Issue Log (Attachment D) is the
only report that Headquarters requires; for the time being, information on future events
(the risk disclosure report) remains within the Country Program.

Items to be Reported: The loss event and issue log must list open items, which include:
• Any instance of fraud; any allegation of sexual exploitation.
• All existing events (unanticipated, discrete, or specific) and issues (identified risks
which have now materialized) with a monetary value of $3,000 and above.
• Any events and issues that attract stakeholders' concern.
• All events and issues that have high impacts on our ability to execute the projects in the
country program.

Medium of Reporting: Field divisions will use a spreadsheet to report loss events and
issues and report the following information based on the criteria above.

1. Loss Event or Issue Type
2. File
3. Loss Event or Issue Description
4. Responsibility
5. Decision-Maker
6. Loss Event or Issue Date
7. Update Due
8. Loss Event or Issue Amount
9. Status

Each region may develop its own Loss Event and Issue Log review procedures as needed.

Frequency of Reporting: The Loss Event and Issue Log must be submitted to the compliance
department and is due semi-annually as follows:
• April 15
• September 15


References

AGB, 2009. The State of Enterprise Risk Management at Colleges and Universities Today. United
Educators and the Association of Governing Boards of Universities and Colleges. Washington, D.C.
Available at: <http://agb.org/sites/agb.org/files/u3/AGBUE_FINAL.pdf>; [Accessed: 05 October
2012].

AGB, 2007. Meeting the Challenges of Enterprise Risk Management in Higher Education. United
Educators and the Association of Governing Boards of Universities and Colleges. Washington, D.C.
Available at: <www.ucop.edu/riskmgt/erm/documents/agb_nacubo_hied.pdf>; [Accessed: 05
October 2012].

AIRMIC, Alarm, and IRM, 2010. A Structured Approach to Enterprise Risk Management (ERM) and
the requirements of ISO 31000 (London: Institute of Risk Management). Available at:
<http://www.theirm.org/documents/SARM_FINAL.pdf>; [Accessed: 01 October 2012].

AON, 2010. Global Enterprise Risk Management Survey 2010.

Basel Committee on Banking Supervision, 2001, Operational Risk. Basel, BIS. Available at:
<www.bis.org/publ/bcbsca07.pdf>; [Accessed: 01 October 2012].

Casualty Actuarial Society, 2003. Overview of Enterprise Risk Management. Enterprise Risk
Management Committee, Summer 2003.

COSO, 2004. Enterprise Risk Management - Integrated Framework. Committee of Sponsoring
Organizations of the Treadway Commission.

Frigo M. L. and Anderson R. J., 2011. Thought Leadership in ERM: Embracing Enterprise Risk
Management: Practical Approaches for Getting Started. A publication commissioned by COSO.

IMA, 2007. Enterprise Risk Management: Tools and Techniques for Effective Implementation. An
IMA (Institute of Management Accountants) White Paper, 2007.

KPMG, 2001. Enterprise Risk Management: an emerging model for building shareholder value. A
KPMG White Paper, KPMG, November 2001. Available at:
<http://www.kpmg.com.au/aci/docs/ent-risk-mgt.pdf>; [Accessed: 05 October 9, 2012].

KPMG, 2010. Enterprise Risk Management: From Theory to Practice. A KPMG White Paper, 2010.
Available at: <http://www.kpmg.com/SG/en/IssuesAndInsights/ArticlesPublications/Documents/EnterpriseRiskMgmtTheoryPractice.pdf>;
[Accessed: 05 October, 2012].

KPMG, 2011. Risk Management: A Driver of Enterprise Value in the Emerging Environment. A
KPMG White Paper, KPMG, November 2001. Available at:
<http://www.kpmg.com/IN/en/IssuesAndInsights/ThoughtLeadership/KPMG_Risk_Management_Survey_2011_1.pdf>;
[Accessed: 05 October, 2012].


Langer B. and Samer F., 2009. Risk Identification and Assessment. Published in SCOR White Paper:
Enterprise Risk Management (ERM): A driving force for the insurance industry.

Protiviti, 2007. Guide to Enterprise Risk Management: Frequently Asked Questions; Protiviti Inc.
January 2006; Available at: <http://www.ucop.edu/riskmgt/erm/documents/protiviti_faqguide.pdf>;
[Accessed: 01 October 2012].

Razali A. R. and Tahir I. M., 2011. Review of the Literature on Enterprise Risk Management.
Business Management Dynamics, Vol.1 (5), Nov 2011, pp.08-16. Available at:
<http://bmdynamics.com/issue_pdf/bmd110159_Malaysia_8_16.pdf>; [Accessed: 05 October,
2012].

Rudolph M. J., 2009. Enterprise Risk Management (ERM) Practice as applied to Health Insurers,
Self-Insured Plans, and Health Finance Professionals. A publication of Rudolph Financial
Consulting, LLC. Available at: <http://www.soa.org/files/pdf/research-erm-pract-health.pdf>;
[Accessed: 05 October, 2012].

SCOR, 2009. Enterprise Risk Management (ERM): A driving force for the insurance industry. A
white paper of SCOR. October 2009.

University of Regina, 2012. Enterprise Risk Management Framework. [Policy paper], University of
Regina. Available at: <http://www.uregina.ca/presoff/vpadmin/policymanual/general/ERM%20Framework.pdf>;
[Accessed: 05 October, 2012].


Appendix 1: Risk Assessment Questionnaire

Country Context LOW RISK MEDIUM RISK HIGH RISK
How secure is the country
Political stability risk
Government effectiveness risk
The legal & regulatory environment is favorable to NGOs
Financial risk (Banking, inflation, currency devaluation, export
Tax policy risk
Labor market risk
Infrastructure risk

Country Program Size and Scope LOW RISK MEDIUM RISK HIGH RISK
Number of years in country
Current overall program value
Distribute In-kind resources (commodities/medicines, supplies, etc.)
Number of unique donors
Number of sectors
Geographic Spread (# of states/provinces/districts we work)
Number of U.S. implementing partners
Number of national implementing partners
Number of new U.S. implementing partners (less than 3 years)
Number of new national implementing partners (less than 3 years)


Program Mission Compatibility LOW RISK MEDIUM RISK HIGH RISK


Project Fit to CP
Goals Conflict
Resource Conflict
Leadership
Program Manager Experience
Definition of the Program
Program Participant Conflict
Work Flow

CP Size and Scope LOW RISK MEDIUM RISK HIGH RISK


Number of years as Prime Recipient
Number of years as Sub Recipient
Value of resources budgeted
% of resources budgeted for procurement
% of resources budgeted for in-kind distribution
Number of U.S. partners implementing
Number of national partners implementing
Number of new U.S. implementing partners (less than 2 years)
Number of new national implementing partners (less than 2 years)

CP Staffing LOW RISK MEDIUM RISK HIGH RISK


Number of programming staff dedicated to activities
Number of monitoring staff dedicated to activities
Number of finance staff dedicated to activities
Number of procurement staff dedicated to activities
Number of audit staff dedicated to activities
Number of transport staff dedicated to activities
Number of other support staff dedicated to activities


Project Management Team LOW RISK MEDIUM RISK HIGH RISK


PM Team has been fully identified
PM overall project management experience
PM budget management experience
PM experience with USAID reporting and compliance rules and regulations
Team member composition
Team member experience

Partner Capacity Assessment LOW RISK MEDIUM RISK HIGH RISK


Systems are in place to assess partner monitoring capacity
Systems are in place to assess partner service delivery capacity
Systems are in place to assess partner organizational capacity
Systems are in place to assess partner financial management systems
Systems are in place to assess partner procurement systems
Systems are in place to assess partner logistical systems
Audits of partner systems and transactions are done periodically through the life of the project

Partner Management LOW RISK MEDIUM RISK HIGH RISK


Review of progress reports and documentation
Careful review of liquidations and the supporting documentation accompanying advance requests
Audits are done and an evaluation of any finding takes place
Perform on-site visits
Review financial and programmatic records
Perform distribution monitoring
Inspect facilities to ensure compliance with program requirements
Monitoring follow-up is done to ascertain corrective action has been taken for any problems or deficiencies that may have been identified.


Procurement & Supply Management LOW RISK MEDIUM RISK HIGH RISK
Project materials and products availability
USAID requirements are understood
Procurement policies and procedures are in place
Systems are in place to monitor procurement and supplier performance
Systems are in place to collect and report on both distribution and inventory-related information.
Warehousing and distribution systems meet the minimum standards and requirements
Systems are in place to oversee health product management
Sufficient storage space and storage conditions are available throughout the supply chain.

Financial Management LOW RISK MEDIUM RISK HIGH RISK


The accounting system includes project level detail providing for the recording of receipts and expenditures for each donor and project by required budget cost categories?
Does the CP prepare financial reports at least quarterly?
Are there budgetary controls in effect (e.g. comparison of budget with actual expenditures on a monthly basis)?
Accounting entries are supported by appropriate documentation; e.g. purchase orders and vouchers.
Separation of responsibility in the receipt, payment, and recording of cash.
Financial policies and procedures are in place
Systems are in place to monitor partner financial performance
Systems are in place to collect and report on partner financial activity
Adequate banking facilities exist which meet CP needs
Bank reconciliations are done monthly


Appendix 2: Factors to Consider When Identifying Risks


Identifying risks requires a broad approach. It needs to be inclusive and should involve management, staff, members and other stakeholders. It also
requires an open environment, and often the best way to get things rolling is to give everyone an opportunity to contribute ideas, for example
through a brainstorming workshop. Remember, there are no right or wrong risks; they should all be identified.

• Financial transactions (recording and reporting).
• Budget management.
• Project / program funding.
• Project/program design and approval; implementation; and monitoring, reporting and evaluation (e.g. ability to adhere to time and budget
constraints; supply chain/food pipeline).
• Food call forwards (e.g. quality, damage, theft, relocation).
• Commodity management.
• Transport and logistics (ocean, overland/inland, air, fleet management).
• Other procurement.
• Human resources management (e.g. skills, recruitment and retention, performance, morale, work load, living conditions).
• Non-food procurement, excluding transport and logistics (e.g. quality, damage, theft, relocation).
• Legal services.
• Information and communications management (e.g. recording, accessibility, quality, adequacy for decision making, knowledge base, performance
information, recording, reporting).
• Security of staff.
• Resource mobilization, donor relationships and partnerships
• Fundraising/resource mobilization.
• Partnerships (e.g. clarity of roles, commitment).
• Public and media relations.
• New programs/projects/operations
• Operating and setting up operations in a new area.
• New / revised agency policy and requirements
• Organizational changes and change initiatives – initiatives for organizational change may threaten current capacity to perform and/or provide
opportunity to enhance capacity.
• Political/socio-political
• Economic – e.g. changes in the global or local economy; quality of local banking system; changes in market prices; currency fluctuations.
• Sociocultural – e.g. stakeholder expectations; media interest.
• Technological – e.g. new ICT technology.
• Legal/regulatory – e.g. USG regulations; local laws imposing new requirements on NGOs activities.
• Environmental – e.g. movement of local population; climate change; spread of infectious diseases (such as HIV/AIDS, pandemic); quality of
infrastructure (such as schools).
• Natural hazards – e.g. earthquake; storm/flooding; drought; locust.
• Partners – e.g. capacity; clarity of roles; efficiency; resources


Appendix 3: Common risk language & glossary of risk terms

The following examples provide a helpful set of key definitions which could form the basis of a common risk language.

Control – A preventative and/or detective activity, intended to manage the inherent risks identified within a country program. This will normally relate
to management of the potential impact and/or likelihood of risk exposure but may also involve risk transfer, mitigation or elimination.

Control environment – The operating environment that comprises the integrity and competency of colleagues, management's philosophy and operating
style and the way management communicates and delegates responsibility, and develops its people.

Inherent risk – The risk in a country program or process before the effect of any risk mitigation, control or transfer activities.

Impact: Estimated financial cost or reputational harm that would be realized if a risk event were to occur.

Mitigation Plan: A strategy for reducing the exposure to, or likelihood of, a risk.

Operational risk – The risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events.

Risk: A (i) future event that may occur or (ii) potential issue that may develop that may impact negatively on the achievement of a country program’s
strategic or programmatic objectives or on the Agency as a whole.

Risk Assessment: The process of identifying and analyzing risk.

Risk Category: Distinct classes of risks that allow risk to be compared and analyzed.

Risk Likelihood: The probability that a risk will occur.

Risk Management: A comprehensive program designed to proactively and continuously identify and manage real and potential threats that may impact
the Agency.
