Risk Management Handbook
Helpco NFP® 2012
Contents
PREFACE iv
CHAPTER 1: INTRODUCTION 01
Risk Management
Importance of Events in Risk Management
Purpose of Risk Management
Consequence of Unmanaged Risk
Risk Management in Helpco NFP
Types of Risks
Sources of Risks
REFERENCES 33
APPENDICES 35
List of Tables
Table 1: Classification of risk including their sources (internal, external, and both) with practical
example of associated risk within defined categories.
Table 2: Seventeen common risk areas for risk identification and assessment.
List of Figures
Fig 1: Risk Management as a part of organizational processes.
Fig 5: A Risk Impact/Probability Chart (Source: IMA, 2007). (A sample list of ranked risks on the
basis of Risk impact vs probability chart can be found in Attachment B)
Appendices
Appendix 1: Risk Assessment Questionnaire
Preface
Helpco NFP has developed this Risk Management handbook to raise awareness of essential
Risk Management concepts and mechanisms across Helpco NFP Field Divisions. The handbook is
built upon the existing Helpco NFP Risk Disclosure Procedure implemented in 2004 and, at present,
is being released as a non-compulsory set of tools, techniques, and templates to help field divisions
identify, evaluate, and manage negative risks through adequate forward planning and mitigation
strategies. The Handbook can be used to help Field Divisions to–
Ensure that Major Risks are reported to the Vice President of Operations for review and
acceptance;
Embed a culture of systematically evaluating and identifying risks at the country program
level;
Provide a consistent Risk Management framework in which risks are identified, considered,
and addressed.
Responsibilities
2. Field Division Director: Field Division Directors are responsible for ensuring that risks are
regularly identified, assessed, mitigated, or managed. Field Division Directors are also responsible
for submitting the Loss Events and Issues Log to the Compliance Department annually.
Handbook Implementation
Completion of the risk identification, assessment, and planning process is estimated to take
40 hours per year. At the implementation level, the Field Division Director shall designate a senior-
level position to oversee implementation of the Risk Management Process across the country
program. It is highly recommended that the implementation-level assignment be given to
the Head of Operations with regular support from the Head of Programming.
Chapter Overview
Chapter 4 – Risk Management Processes: The chapter gives an overview of the major risk
management processes, i.e., setting up contexts, realizing objectives, risk identification, risk
assessment, risk response, communication, and monitoring.
Chapter 6 – Risk Assessment: Risk categorization, ranking, and risk mapping are the basic
steps of risk assessment, which are discussed in this chapter. The chapter contains a risk mapping
tool (impact/probability Chart) and the description of how to use it.
Additional Materials
Appendices:
Attachments:
Risk Identification Tool
Impact Probability Worksheet
Risk Mitigation Plan Register
Loss Event and Issues Log
Chapter 1: Introduction
Risk Management
A risk is any potential future event or issue that can have an adverse effect on the
organization’s performance, productivity, and existence. Managing such risks not only saves the
organization from potential losses, but can also create opportunities along the way. This
management of risks, called Risk Management, has a profound impact on an organization’s
overall wellness and development, for example, in harnessing various opportunities and in
creating a sustainable organizational culture. Risk Management is a process integrated into
an organization’s strategic management, whereby the organization explores, identifies, and takes
the necessary measures to prepare action plans in order to overcome any potential pitfall. Indeed, Risk
Management encompasses all of an organization’s activities and involves every entity in the process,
from the board of directors to entry-level employees.
Risk Management is one of the vital organizational processes that helps the organization’s
vision and objectives succeed. As modern organizations evolve into more complex
forms, Risk Management is becoming a strategic priority. The modern concept of ERM is pushing the
boundary of Risk Management from traditional silo-based risk mitigation toward a more elaborate
approach of risk portfolio optimization. Risk portfolio optimization entails identifying the
organizational risk appetite and risk capacity around some defined parameters and
harnessing opportunities within the boundary of those parameters (KPMG, 2001) in order to
optimize the use of available resources.
When risks are well managed, everyone in the organization can reap its benefit; inadequate
management of risks can jeopardize any important mission and may cause substantial harm toward
the achievement of the country program’s objectives. Some of the possible consequences of
unmanaged risks are–
In today’s changing times, international NGOs are facing greater scrutiny of performance
and accountability, both internally and by donors and host country governments. This coupled with
increased competition in the international NGO community, the shrinking availability of resources,
and the challenging environments in which we operate presents Helpco NFP with a host of threats
to and opportunities for our mission of serving the poor.
Helpco NFP field divisions often have high operational risks due to the complexity of
funding, programming diversity, scopes of geographic coverage, host countries’ policies and
regulations, project implementation involving multiple partners, etc. Accordingly, without a proper
system of identification, assessment, and management of the possible risks that the country
program may encounter, Helpco NFP could find itself unprepared to respond to a significant threat
or opportunity, which could possibly result in a tarnished reputation and a diminished trust by
stakeholders in our ability to manage resources entrusted to us or to deliver quality program
services to our beneficiaries.
Risk Management helps to ensure that risks associated with a country program are
identified and well understood so that their impact can be recognized, managed, and mitigated at
an early stage before they become a crisis. This early identification and successful management of
risk will help Helpco NFP demonstrate its accountability and achievements to donors, host country
governments, and other stakeholders and will maintain our credibility as a leader in
delivering services to those in need.
In 2004, Helpco NFP first attempted to implement a Risk Management system, which took
place through the roll-out of its Risk Disclosure Reporting. During this early stage, the system
reported existing issues to headquarters with the main goal of identifying the financial impact of those
issues and, subsequently, accruing liabilities in Helpco NFP financial reports. Although this was an
important start, Helpco NFP is now seeking to develop a more systematic, integrated and forward-
looking approach to Risk Management and is instilling Risk Management awareness and cultural
change on an Agency-wide basis.
1. Hazard Risks: Hazard risks include natural and man-made calamities and uncertainties
that damage properties and resources. Most organizations normally address these risks
by insuring through the proper channel, transferring risk mitigation controls to the appropriate agents or,
in some cases, terminating a process or operation (AIRMIC, Alarm, and IRM 2010).
2. Financial Risks: Financial Risks are at the core focus of most organizations. Financial
risks are mainly associated with investment risks and the risks resulting from the interaction
between assets and liabilities (Rudolph, 2009).
3. Operational Risks: An operational risk can be defined as the risk causing direct and
indirect losses resulting from any internal failure, for example, insufficiency of people, processes,
etc., or from any external events that have a negative effect on the operation of the organization
(Basel Committee on Banking Supervision, 2001).
4. Strategic Risks: Strategic risks have deep implications for the organization, as these
risks are directly related to the organization’s vision, strategies, and objectives. Strategic Risk
Management is concerned with the identification, assessment, and remediation of the risks
emerging from organizational processes, objectives, etc. (Frigo and Anderson, 2011).
Sources of Risks
Both external and internal sources of risk may affect a country program and its objectives.
Some risks may be unpredictable (e.g., a natural disaster, a host country policy change, or reductions in
donor funding). Others may be more predictable (e.g., losses due to a large-scale food program).
Therefore, to achieve a structured and manageable overview of all the possible risks, it helps to
further classify them into three categories based upon the sources of the risks – internal, external,
and both internal and external.
1. Internal Risks: Risks linked to the internal environment, e.g. operational risks in running
a program or project. These risks will largely be within the sphere of influence of the country
program and need to be proactively managed.
2. External Risks: Risks linked to the external environment, e.g. political risks associated
with host country’s government policies. These risks will largely be outside the sphere of influence
of the country program and may require elaborate contingency planning.
3. Both Internal and External Risks: These risks are linked to both the internal and external
environment, e.g., risks linked to working in partnership. Managing these risks requires close
cooperation with partner organizations.
The effective management of risks is all about being proactive; management identifies and
tackles potential concerns before they turn into problems. The following table offers examples of
potential downside risks in each category above.
Table 1: Classification of risks according to their types and sources (internal, external, and
both) with practical examples of the associated risk within each category.
External Risks
Political: Change of government; changes in policies; political instability
Economic: Reduced funding; downturns in the economy
Legal or compliance: Newly imposed laws and regulations which restrict or impede activities
Security: Threats of attack by rebel groups, terrorists, or bandits
A risk-aware culture integrates ERM in all aspects of operation of an organization. Here are
some typical characteristics of a strong risk-aware culture.
As Helpco NFP field divisions work towards fulfilling their objectives in today’s changing
times, the divisions will require a shift in their attitude to managing risks by adopting a continuous,
systematic, and proactive approach. Bringing about fully effective Risk Management and embedding
Risk Management into the minds, behaviors, and activities of all staff requires a significant change
in the Agency’s culture.
A shift in Helpco NFP’s approach to managing risks also assumes the strengthening of
existing assessment, communication and monitoring capabilities and calls for the need to set up
and implement preemptive mitigation and response plans.
Involve Everyone
The country program should create a culture in which all employees perceive themselves as risk
managers. All staff must have a clear understanding of how Risk Management can create
positive effects on individual and departmental progress, promote innovation, and deliver results.
Country programs have to achieve maximum collaboration, involving many people at all stages of the
Risk Management cycle, including objective setting, risk identification, risk assessment, and risk
optimization processes. Risks must become part of day-to-day activities and core processes. All
programs, projects, and work flows must consider the consequences of potential risks as well as
existing ones.
All staff in the country program understand the basic concepts and benefits of Risk
Management;
All staff are aware of and understand the country program’s approach to Risk
Management; and
All staff can effectively apply the country program’s Risk Management principles in
their day-to-day operations.
It should be borne in mind that Risk Management tasks are a repeated endeavor cycling
through the organizational processes. In the primary steps, Risk Management activities can focus on
downside risks and, later on, move forward to the more advanced steps. In advanced stages, Risk
Management tasks are associated with risk portfolio optimization, which includes finding the
interdependency and relationship of risks, recognizing potential opportunistic events during risk
identification processes, increasing the focus on risk priority determination, and tuning the
response plan as the status or the priority of risks changes.
Realizing Objectives
One of the most important steps in the event identification process is defining objectives. By
investigating the mission, strategies, and other contextual elements, the country program will set
realistic objectives aligning with its risk appetite. A clear understanding of country program
objectives is essential for all participants in the program.
Risk Assessment
Once possible risks are identified, risks are then assessed according to their probability of
occurrence (likelihood) and possible impact by utilizing different risk analysis tools and techniques.
On the basis of probability and impact, risks are then categorized (e.g., high, medium, and low)
according to their importance. Risk assessment is necessary to determine an appropriate response
plan for each risk.
Risk Response
Based upon its own appetite for risks, an organization decides the appropriate response
plan, whether it will avoid a risk by taking proper action steps, accept the risk and its consequences,
or optimize the risk by reducing its extent of likelihood or possible impact.
Apart from the above five essential steps, the two most vital ingredients that support and
nurture the entire Risk Management process are communication and monitoring.
(A list of some common factors during the risk identification process is included in
appendix 2.)
Brainstorming Session
Brainstorming sessions comprising all staff and managers in a country program may
disclose many potential events, both risks and opportunities. Brainstorming sessions should be
headed by subject matter experts or trained facilitators. In order to make a brainstorming
session effective, before starting the session the facilitator should ensure that the country program
strategies, objectives, and contexts are well understood by all the participants.
Event Inventory
An event inventory is a very useful component in exploring the risk, particularly during a
brainstorming session. Generic inventories of risk similar to a country program can be obtained
from various publications and repositories (IMA, 2007).
A closed-end questionnaire survey limits the response of the participants, and a paper-
based survey has several limitations. In that sense, a one-on-one or a group interview can reveal
useful insights regarding past events as well as potential future events (COSO, 2004).
Facilitated Workshop
Arrangement of facilitated workshops is an effective technique in event identification. The
workshop may accommodate cross-functional teams or multi-level individuals (COSO, 2004) who
can effectively identify the association of potential events with the mission and objectives of the
country program. A facilitated workshop can utilize information collected from brainstorming
Appendix 1 demonstrates these 17 risk areas with a series of pre-defined questions and
assigned values to help identify and assess risks for a country program or project. The following
table lists these risk areas.
Table 2: Seventeen common risk areas to help in facilitated discussion during risk
identification and assessment.
Risk assessment should be a part of the decision making process integrated into all
organizational strategies (AIRMIC, Alarm, and IRM 2010).
The risk assessment process should be considered on a progressive basis, starting with the
most significant risks in earlier stages (Frigo and Anderson, 2011).
A table representing the classification and sources of common risk categories is displayed in
chapter 2 (Table 1).
Ranking of Risks
The main goal of ranking risks is to produce an accurate profile for each risk and to
determine their importance in order to enhance the treatment efforts. Organizations can perform
this categorization and ranking by devising their own methods of measurement and by adopting
suitable tools. However, the proper use of such tools requires a thorough analysis of risks as well as
a comprehensive understanding of the country program’s strategies, objectives, and processes.
Ranking of risks is done by ranking each of the risk components, i.e., risk impact, likelihood of
occurrence, risk exposure, etc. individually and by incorporating a suitable scale (for example, low,
medium, and high) for each of the components.
Table 3: Subsequent ranking of risks after the classification of risks into common categories.
Strategic: The risk of losing goodwill with the donor community, host country government, local
Church or communities we serve. Example: Staff member charged or convicted of fraud or
corruption.
Impact/Probability Chart
The Risk Impact/Probability Chart is based upon the principle that a risk has two primary
dimensions: probability of occurrence and possible impact.
Impact: Management rates the impact of a possible risk in terms of the difficulty in
achieving a particular objective (Protiviti, 2007), which may be due to the possible financial loss,
difficulty in a strategic implementation, or any hazardous consequence, etc.
The impact vs. probability chart allows the country program to map a potential risk on two
dimensions. The probability that a risk will occur is represented on one axis of the chart and the
possible impact on the other. If assessed and prepared by experts, the impact vs. probability chart
can give a quick and clear view of the priority of each risk, which helps to determine what resources
may be allocated to manage that particular risk.
1. List all of the possible risks that you identified for the country program.
2. Assess the probability of each risk occurring, and assign it a rating. For example, you
could use a scale of 1 to 10. Assign a score of 1 when a risk is extremely unlikely to occur
and use a score of 10 when the risk is extremely likely to occur.
3. Now, estimate the possible impact of the risk on the country program if the risk were to
occur. Again, do this for every single risk on your list. Using your 1-10 scale, assign it a 1
for little impact and a 10 for a huge, catastrophic impact.
4. Map out the ratings on the Risk Impact/Probability Chart.
5. Develop a response plan for each risk according to its position in the chart and record
your response on the Risk Mitigation Plan Register (Fig-6/ Attachment C). Remember,
risks in the bottom left corner can often be ignored, while those in the top right corner
need a great deal of time and attention.
Primarily, the country program should identify and focus on medium- and high-priority risks
in order to keep the number of risks manageable. Concentrating on too many risks at a time may
spread the efforts too thinly and waste resources on unnecessary Risk Management. The Risk
Impact/Probability Chart will help to map out each risk, and its position on the Chart will
determine its priority. High-probability/high-impact risks are the most critical and deserve the
most attention. The low-probability/high-impact risks and high-probability/low-impact risks are
next in priority; however, a different approach can be adopted as the need arises over
time.
Risk Appetite
Risk appetite is the amount and nature of risk that a country program is willing to accept or
deal with in order to accomplish its mission and objectives (KPMG, 2010). Risk appetite refers to
the agency’s attitude toward risk taking and its ability to tolerate either a high or a low level of
exposure to specific risks. There is no defined limit of risk appetite; it depends on the country
program’s scope, financial allocation, donors’ and stakeholders’ interests, and the quality and
nature of risks that a country program normally encounters.
Risk Tolerance
Risk tolerance is the amount of risk a country program can withstand without changing its
strategic objectives. The risk tolerance level helps the organization to identify its risk appetite and
re-course its objectives. So, an organization’s risk appetite has to be smaller than its risk tolerance.
In Helpco NFP, criteria may differ between departments of the organization, e.g. low appetite for
risk in security, higher in program areas where innovation is important, etc.
At an advanced level of Risk Management, an organization needs to set up its risk appetite
and risk tolerance (KPMG, 2010). Currently, in Helpco NFP, risk appetite and risk tolerance are not
well documented in the country program policy. The field division senior management team will
investigate the country program’s objectives, strategies, and the expectations of various
stakeholders and donors. By consulting with the respective regional director and various other
stakeholders, the team will prepare the necessary statements for its risk appetite and risk tolerance
level. Like other Risk Management processes, it is an ongoing process which will progress through
periodic review, subsequent follow-up, and consultation. The risk appetite and risk tolerance
statements should have the following characteristics:
The risk appetite and risk tolerance statements have to be prepared by subject matter
experts with the help of senior managers and directors.
The country program risk response activities can be divided into three categories–risk
acceptance, risk avoidance, and risk reduction.
Risk Acceptance
The country program acknowledges some risks recognizing that it can tolerate the exposure
to those risks. Risks are accepted when it is realized that the risks cannot be avoided or mitigated in
any meaningful way, and the actions to avoid or mitigate the risk can be too costly or time
consuming.
Risk Avoidance
In this case, appropriate steps are taken to eliminate a risk. Depending upon the
circumstances, the program may need to modify or terminate plans or activities, hire additional
resources, or adopt different technical solutions. Avoidance can be costly, but it may be the only
way to achieve the country program mission.
Risk Reduction
Through analysis and necessary consideration, alternative solutions are sought in order to
minimize the potential impact of any recognized risk. In essence, this is a combination of acceptance
and avoidance. Necessary plans and activities are carried out to minimize the chance that a risk will
occur. In some situations, only plans are made in advance, instead of taking advance action steps,
which define what measures will be taken once the risk actually strikes so that the extent of the risk
can be minimized. In order to reduce the consequences of certain risks, particularly those of
high impact and low probability, risk can be shared by means of external arrangements, for
example, insurance, co-operative agreements, and outsourcing (AGB, 2007). There is ample
scope to explore these opportunities in the country program.
In choosing which strategy to apply, keep in mind the main objectives of Risk Management:
“Risks are identified and well understood so their impact can be managed, planned for, and mitigated
at an early stage before they become a crisis.”
1. After event identification and subsequent assessment of risks, the country program
records all identified risks in the Risk Mitigation Plan Register. If the country program plans
sufficiently for the unknowns that may occur, then the likelihood of failure can dramatically be
reduced.
2. In the next step, each risk is ranked into low, medium, and high priority based upon its
probability of occurrence and likely impact using the available risk mapping tools. Each risk has
a different chance of occurrence, and each one has a different impact if it does occur. Recognizing
this fact allows the country program to spend its time mitigating risks based on its ability to
withstand different degrees of vulnerability.
3. Finally, possible mitigation plans for selected risks and their follow-up status are
recorded.
Risk ID: The first column in the Risk Mitigation Plan Register (Fig-2) is the risk identifier.
Risk ID facilitates easy addressing and communicating about the risk in a country program.
Risk Description: This is the summary of the identified risk for which the country program
is willing to prepare necessary response plans.
Probability: This is the probability that a risk will materialize. Risks are ranked into high,
medium, and low categories according to their likelihood or probability of occurrence, which
demonstrate a relative positioning of risk in the risk register.
It is worthwhile to mention that the probability of a risk, along with its possible impact, will
determine what action plan will be taken against it. An important purpose of the risk register is to
identify the top priority risks so the country program may decide which risks need to be mitigated
first.
Impact: The field “impact” lists the possible consequences of a risk on the country
program if it materializes. The scale for ranking the impact is the same as that for ranking the
probability, i.e., low, medium, and high.
Exposure: Exposure to the risk determines the extent of a risk if the risk materializes. It
also determines the priority of the risk in the scale of low, medium, and high.
Mitigation: Mitigation is a set of tasks or action steps that the country program undertakes
to minimize the occurrence of a risk. Each of these action steps is assigned to someone and has a
deadline associated with it.
Contingency: One of the major priorities of Risk Management is to take advance action
steps to reduce the likelihood of occurrence of the risks. However, sometimes the risk response
begins after the occurrence of a risk. Contingency contains necessary action plans to reduce the
effects of a risk once it strikes the country program.
Likelihood after Mitigation: When a risk is mitigated according to the plan, the likelihood
of occurrence for that risk should drop. So it gives an indication of how the mitigation plan is
working for a particular risk or type of risk. Necessary plans can be prepared based on this
indication to reduce the “exposure” of risk as well.
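As an added example that is not part of this handbook, the following Python script applies the five-step Impact/Probability Chart procedure above to a constructed register and fills the Risk Mitigation Plan Register fields just described (Risk ID, description, probability, impact, exposure, mitigation, contingency, likelihood after mitigation). The midpoint split at 5, the low/medium/high bands, the probability-times-impact exposure figure used for tie-breaking, and the sample risks are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed for this example: the 1-10 scale is split at the midpoint for the chart
# quadrants and banded into low/medium/high for the register columns.
CHART_MIDPOINT = 5
BANDS = ((3, "low"), (7, "medium"), (10, "high"))
EXPOSURE_LABEL = {1: "high", 2: "medium", 3: "low"}  # chart priority -> exposure band


@dataclass
class RiskEntry:
    """One row of the Risk Mitigation Plan Register (field names from the handbook)."""
    risk_id: str
    description: str
    probability: int               # 1 = extremely unlikely ... 10 = extremely likely
    impact: int                    # 1 = little impact ... 10 = catastrophic
    mitigation: str = ""           # action steps that reduce the chance the risk occurs
    contingency: str = ""          # action plan applied once the risk has struck
    likelihood_after_mitigation: Optional[int] = None  # re-assessed 1-10 rating


def check_score(score: int) -> int:
    """Reject ratings outside the 1-10 scale the chart procedure prescribes."""
    if not isinstance(score, int) or not 1 <= score <= 10:
        raise ValueError(f"rating must be an integer from 1 to 10, got {score!r}")
    return score


def band(score: int) -> str:
    """Map a 1-10 rating onto the register's low/medium/high scale (assumed bands)."""
    check_score(score)
    for upper, label in BANDS:
        if score <= upper:
            return label
    return "high"


def exposure(entry: RiskEntry) -> int:
    """Exposure as probability x impact (1-100); an assumed formula used for tie-breaking."""
    return check_score(entry.probability) * check_score(entry.impact)


def quadrant(entry: RiskEntry) -> str:
    """Position of the risk on the Impact/Probability Chart."""
    high_p = check_score(entry.probability) > CHART_MIDPOINT
    high_i = check_score(entry.impact) > CHART_MIDPOINT
    return ("high-probability" if high_p else "low-probability") + "/" + \
           ("high-impact" if high_i else "low-impact")


def priority(entry: RiskEntry) -> int:
    """1 = most critical (top right), 2 = next (off-diagonal), 3 = can often be ignored."""
    q = quadrant(entry)
    if q == "high-probability/high-impact":
        return 1
    if q == "low-probability/low-impact":
        return 3
    return 2


def mitigation_is_working(entry: RiskEntry) -> Optional[bool]:
    """Likelihood should drop once mitigation is applied; None if not yet re-assessed."""
    if entry.likelihood_after_mitigation is None:
        return None
    return check_score(entry.likelihood_after_mitigation) < entry.probability


def rank_register(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Chart priority first, then exposure, so the top-priority risks are mitigated first."""
    return sorted(entries, key=lambda e: (priority(e), -exposure(e), e.risk_id))


def register_rows(entries: List[RiskEntry]) -> List[dict]:
    """Render the ranked register with the columns described in the handbook."""
    return [{
        "risk_id": e.risk_id,
        "description": e.description,
        "probability": band(e.probability),
        "impact": band(e.impact),
        "exposure": EXPOSURE_LABEL[priority(e)],
        "mitigation": e.mitigation,
        "contingency": e.contingency,
        "mitigation_working": mitigation_is_working(e),
    } for e in rank_register(entries)]


# Constructed sample register (illustrative only, not Helpco NFP data).
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Newly imposed regulations restrict program activities", 3, 9,
              mitigation="Track draft legislation; maintain ministry liaison",
              contingency="Re-scope affected projects with donor approval"),
    RiskEntry("R-02", "Staff member charged with fraud or corruption", 2, 8,
              mitigation="Segregation of duties; quarterly internal audit",
              contingency="Suspend access; notify HQ Compliance", likelihood_after_mitigation=1),
    RiskEntry("R-03", "Reduced donor funding for the flagship program", 8, 8,
              mitigation="Diversify the donor base", likelihood_after_mitigation=8),
    RiskEntry("R-04", "Minor damage to project vehicles", 7, 2),
    RiskEntry("R-05", "Short office internet outage", 4, 1),
]
```

Calling register_rows(SAMPLE_REGISTER) yields the register in priority order, with R-03 (top right of the chart) first and R-05 (bottom left) last.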
Risk monitoring will ensure that the Risk Management activities are aligned with policies
and procedures. Appropriate controls are set in place where there are non-compliances in Risk
Management activities. The country program can implement proper training to ensure that Risk
Management activities are carried out safely according to the policies and procedures.
If possible, an individual should be assigned to oversee the status of all identified risks with
the aim of providing an objective assessment of risk disclosure and ensuring that the mitigation
plans are implemented.
To facilitate risk monitoring, risks are periodically reported to the management team. A
risk report is a summary of project risks and opportunities, risk responses, and risk trends
(AIRMIC, Alarm, and IRM, 2010). The following items serve as the basis for generating project risk
status report:
The risk register and the supporting risk treatment action plans,
Work performance data,
Project schedule and progresses,
Status of project deliverables, etc.
Risk reports are usually submitted to the senior management on a regular basis or as
required. Project risk reporting is a part of standard project management reporting.
Communicating and reporting risks helps the country program managers, regional office staff, and
designated persons at Headquarters (HQ) to understand existing risks, opportunities, and trade-
offs. The purpose of risk reporting and disclosure is to ensure all parties are fully informed of
existing risks and to support internal decision-making processes.
A risk disclosure report differs from a risk report. While a risk report deals with existing
risk status and trends, a risk disclosure report anticipates possible risks and their consequences
(AIRMIC, Alarm, and IRM, 2010). Comprehensive, transparent, and objective risk disclosure is an
essential component of the Risk Management process. This includes disclosure and periodic
reporting of risks to the country program senior management team.
The country program office creates risk reports and risk disclosure reports and
communicates with the country representative, regional office, and headquarters in order to
maintain the consistency of Risk Management actions.
Risk Register
Risk tracking and monitoring activities are recorded in the risk register. A risk register
contains different program objectives, list of identified risks, the priority and status of risks, various
risk responses, control activities, monitoring status (KPMG, 2011), etc. The use of various risk
reporting and risk monitoring software can further streamline the entire process.
Loss event and issue data provide insights into what has already happened in a country
program. They tell the country program where anticipated and unanticipated risks were experienced
and what remediation actions were taken. Loss event and issue tracking also helps in predicting
future losses or issues. For these reasons, it is important that Helpco NFP maintains a log of
previous loss events and issues.
Headquarters Reporting: Currently, the Loss Event and Issue Log (Attachment D) is the
only report that Headquarters requires while, for the time being, information on future events
(the risk disclosure report) remains within the Country Program.
Items to be Reported: The loss event and issue log must list open items which include:
Any instance of fraud; any allegation of sexual exploitation.
All existing events (unanticipated, discrete, or specific) and issues (identified risks
which have now been materialized) with a monetary value of $3,000 and above.
Any events and issues that attract stakeholders’ concern.
All events and issues that have high impacts on our ability to execute the projects in the
country program.
Medium of Reporting: Field divisions will use a spreadsheet to report loss events and
issues and report the following information based on the criteria above.
Each region may develop its own Loss Event and Issue Log review procedures as needed.
Frequency of Reporting: The Loss Event and Issue Log must be submitted to the Compliance
Department and is due semi-annually as follows:
April 15
September 15
References
AGB, 2009. The State of Enterprise Risk Management at Colleges and Universities Today. United
Educators and the Association of Governing Boards of Universities and Colleges. Washington, D.C.
Available at: <http://agb.org/sites/agb.org/files/u3/AGBUE_FINAL.pdf>; [Accessed: 05 October
2012].
AGB, 2007. Meeting the Challenges of Enterprise Risk Management in Higher Education. United
Educators and the Association of Governing Boards of Universities and Colleges. Washington, D.C.
Available at: <www.ucop.edu/riskmgt/erm/documents/agb_nacubo_hied.pdf>; [Accessed: 05
October 2012].
AIRMIC, Alarm, and IRM, 2010. A Structured Approach to Enterprise Risk Management (ERM) and
the requirements of ISO 31000 (London: Institute of Risk Management). Available at:
<http://www.theirm.org/documents/SARM_FINAL.pdf> ; [Accessed: 01 October 2012].
Basel Committee on Banking Supervision, 2001, Operational Risk. Basel, BIS. Available at:
<www.bis.org/publ/bcbsca07.pdf>; [Accessed: 01 October 2012].
Casualty Actuarial Society, 2003. Overview of Enterprise Risk Management. Enterprise Risk
Management Committee, Summer 2003.
Frigo M. L. and Anderson R. J., 2011. Thought Leadership in ERM: Embracing Enterprise Risk
Management: Practical Approaches for Getting Started. A publication commissioned by COSO.
IMA, 2007. Enterprise Risk Management: Tools and Techniques for Effective Implementation. An
IMA (Institute of Management Accountants) White Paper, 2007.
KPMG, 2001. Enterprise Risk Management: an emerging model for building shareholder value. A
KPMG White Paper, KPMG, November 2001. Available at:
<http://www.kpmg.com.au/aci/docs/ent-risk-mgt.pdf>; [Accessed: 05 October 9, 2012].
KPMG, 2010. Enterprise Risk Management: From Theory to Practice. A KPMG White Paper, 2010.
Available at: <http://www.kpmg.com/SG/en/IssuesAndInsights/ArticlesPublications/
Documents/EnterpriseRiskMgmtTheoryPractice.pdf>; [Accessed: 05 October, 2012].
KPMG, 2011. Risk Management: A Driver of Enterprise Value in the Emerging Environment. A
KPMG White Paper, KPMG, November 2001. Available at: <http://www.kpmg.com/IN/en/
IssuesAndInsights/ThoughtLeadership/KPMG_Risk_Management_Survey_2011_1.pdf>; [Accessed:
05 October, 2012].
Langer B. and Samer F., 2009. Risk Identification and Assessment. Published in SCOR White Paper:
Enterprise Risk Management (ERM): A driving force for the insurance industry.
Protiviti, 2007. Guide to Enterprise Risk Management: Frequently Asked Questions; Protiviti Inc.
January 2006; Available at: <http://www.ucop.edu/riskmgt/erm/documents/protiviti_
faqguide.pdf>; [Accessed: 01 October 2012].
Razali A. R. and Tahir I. M., 2011. Review of the Literature on Enterprise Risk Management.
Business Management Dynamics, Vol.1 (5), Nov 2011, pp.08-16. Available at:
<http://bmdynamics.com/issue_pdf/bmd110159_Malaysia_8_16.pdf>; [Accessed: 05 October,
2012].
Rudolph M. J., 2009. Enterprise Risk Management (ERM) Practice as applied to Health Insurers,
Self-Insured Plans, and Health Finance Professionals. A publication of Rudolph Financial
Consulting, LLC. Available at: <http://www.soa.org/files/pdf/research-erm-pract-health.pdf>;
[Accessed: 05 October, 2012].
SCOR, 2009. Enterprise Risk Management (ERM): A driving force for the insurance industry. A
white paper of SCOR. October 2009.
University of Regina, 2012. Enterprise Risk Management Framework. [Policy paper], University of
Regina. Available at: <http://www.uregina.ca/presoff/vpadmin/policymanual/
general/ERM%20Framework.pdf>; [Accessed: 05 October, 2012].
Country Program Size and Scope | LOW RISK | MEDIUM RISK | HIGH RISK
Number of years in country | | |
Current overall program value | | |
Distribute in-kind resources (commodities/medicines, supplies, etc.) | | |
Number of unique donors | | |
Number of sectors | | |
Geographic spread (number of states/provinces/districts in which we work) | | |
Number of U.S. implementing partners | | |
Number of national implementing partners | | |
Number of new U.S. implementing partners (less than 3 years) | | |
Number of new national implementing partners (less than 3 years) | | |
Procurement & Supply Management | LOW RISK | MEDIUM RISK | HIGH RISK
Project materials and products availability | | |
USAID requirements are understood | | |
Procurement policies and procedures are in place | | |
Systems are in place to monitor procurement and supplier performance | | |
Systems are in place to collect and report on both distribution and inventory-related information | | |
Warehousing and distribution systems meet the minimum standards and requirements | | |
Systems are in place to oversee health product management | | |
Sufficient storage space and storage conditions are available throughout the supply chain | | |
The following examples provide a helpful set of key definitions which could form the basis of a common risk language.
Control: A preventative and/or detective activity intended to manage the inherent risks identified within a country program. This will normally relate to management of the potential impact and/or likelihood of a risk exposure, but may also involve risk transfer, mitigation, or elimination.
Control environment: The operating environment that comprises the integrity and competency of colleagues, management's philosophy and operating style, and the way management communicates and delegates responsibility and develops its people.
Inherent risk: The risk in a country program or process before the effect of any risk mitigation, control, or transfer activities.
Impact: The estimated financial cost or reputational harm that would be realized if a risk event were to occur.
Mitigation Plan: A strategy for reducing the exposure to, or likelihood of, a risk.
Operational risk: The risk of loss resulting from inadequate or failed internal processes, people, or systems, or from external events.
Risk: (i) A future event that may occur, or (ii) a potential issue that may develop, that could negatively impact the achievement of a country program's strategic or programmatic objectives or the Agency as a whole.
Risk Category: Distinct classes of risks that allow risks to be compared and analyzed.
Risk Management: A comprehensive program designed to proactively and continuously identify and manage real and potential threats that may impact the Agency.