ICARS is committed to ensuring that all projects limit the potential risks and their impact to ensure successful project implementation. Therefore, all ICARS projects are required to undergo a risk assessment to help them prepare for potential problems, manage risk, and implement mitigation procedures. The risk management policy seeks to provide guidance and support in reaching project objectives and minimising vulnerability. It employs two tools to facilitate this process: A risk matrix and a risk register, and rates risks according to likelihood and potential impact.
The policy establishes the steps for the management of risks faced by ICARS projects. The policy also establishes the process whereby ICARS reviews cumulative risk across projects.
The policy complements several other ICARS policies that further strengthen our risk management efforts. Among these are the Organisational Risk Management Policy, which provides overarching risk management guidance at the organisational level, and the Whistleblowing Policy, which enables ICARS staff as well as ICARS partners to report unethical or illegal practices that may pose risks. Additionally, the Anti-bribery, Fraud, and Corruption Policy safeguards the reputation and financial viability of ICARS through improved management of bribery, fraud and corruption risk. while the Standard Operating Procedure (SOP) for Quarterly Project Performance Reviews provides a structured process for internal assessment and mitigating risks throughout the project lifecycle. Together, these policies create a comprehensive framework for managing risks and enhancing the resilience of ICARS and ICARS’ projects.
This policy forms part of the ICARS project framework and applies to all activities and processes within and across ICARS Implementation and Intervention Research projects and other project-related activities.
Risk: An unplanned event or condition that influences the project’s ability to reach its objectives.
Risk assessment: The systematic process of evaluating the potential risks that may be involved in a project activity or undertaking.
Risk matrix: A matrix used to gauge the level of risk by visually depicting the likelihood of the risk occurring and the potential impact of that risk. See Appendix 1 for a risk matrix template.
Likelihood: A qualitative characterisation of probability.
Impact: A qualitative characterisation of the consequence of an event.
Risk register: A log of all risks that could impact a project. Specifically, a risk register is a table that seeks to capture and track risks and contains all information relating to identified risk events, including a description of the risk, the owner of the risk, the impact of the risk, and the mitigation measures. See Appendix 2 for a risk register template.
Risk owner: The project team member in charge of managing and monitoring an identified risk.
The risk management process is initiated during the project proposal phase of the co-development process. It is an ongoing process, which is monitored throughout the project life cycle and includes the following steps:
A risk identification exercise must take place during the co-development of the project proposal. This exercise involves analysing the consequences and likelihood of potential risks, which can be done through various means such as workshops, surveys, and brainstorming sessions. It is at this stage of the process that the project team should begin to develop the risk register (Annex 2). Risks can be categorised in various ways, which will change depending on the type of project being implemented. Examples of risk categories are: Financial, Schedule, Infrastructure, Political, and Technological etc. Examples of specific risks may include Covid-19, delays, lack of commitment, insufficient budget etc.
The impact of all identified risks should be evaluated according to probability and impact. The risk matrix (Appendix 1) is a tool used to help measure the impact.
Each risk should be ranked according to the risk matrix created in the previous step. In other words, considering the likelihood of the risk happening and the potential impact on the project. This will help the project team direct their focus.
The next step is to decide on the particular response for each identified risk. The response should be tailored to the specific risk level (likelihood and impact) ensuring it is suitable and attainable. Risk responses include:
The risk register should be monitored on a regular basis.
Risk management within the project is the overall responsibility of the in-country Project Coordinator, who is responsible for the development, coordination and monitoring of the risk management process. The Project Co-ordinator should, in addition, periodically review project activities to identify new risks if and when they emerge during project implementation. The Project Coordinator will work closely with the ICARS Advisor assigned to the project. An annual review of the risk register—focused on identifying emerging risks and evaluating previously recognized risks—is mandatory for all ICARS projects. The ICARS Advisor will inform the ICARS Science Director of all major identified risks on a regular basis. See section 7 below.
Risk management on a programme-wide level is the responsibility of the Executive Management, who are responsible for reviewing the top risks across all projects in order to assess cumulative risk, and balance the overall risk portfolio. This process is carried out through the Standard Operating Procedure (SOP) for project performance reviews ensuring that cumulative risks are systematically identified, evaluated, and effectively managed.
The risk register will be the primary means of recording and monitoring risks within projects. Additionally, the “challenges section” in the regular narrative progress reports to ICARS will be the main channel for reporting project-specific risks, challenges, and the corresponding mitigation actions implemented by country teams.
ICARS Executive Management will notify the Board of Directors of significant risk management issues within the ICARS projects and other project-related activities as well as the actions employed to manage the risks where appropriate. In addition, the ICARS Executive Management will inform the Board of Directors of all programme-wide risks. The following reporting process is in place:
All ICARS staff, ICARS project teams and the ICARS Board of Directors will be informed of the Risk Management Policy and training will be provided where necessary.
It is important to regularly assess the effectiveness of risk management strategies. As such a formal review of this Risk Management Policy will be conducted every two years. The review will be conducted by the Executive Management who will assess the Risk Management Policy according to its effectiveness in managing risk within a project framework as well as its integration with other ICARS processes. The results will be communicated to the Board of Directors and the policy will be amended where necessary.
