Organisational Risk Management Policy

Introduction, Purpose, and Scope

Risks are an everyday part of ICARS’ activities. The realisation of ICARS’ mission and strategy depends on the organisation’s ability to recognise and address risks.

ICARS must be able to manage risk proactively and take responsibility for risk management processes. Therefore, to be effective, risk management at ICARS follows these principles:

• Ensuring that the process for managing risks is dynamic, transparent, inclusive and fit for purpose.
• Establishing legal compliance as a minimum standard.
• Ensuring that roles and responsibilities are explicit and clear.

Risk management aims firstly to anticipate risks. Then, in the case of negative risks, it aims to prevent them from happening or to minimize their impact if they do.

Risk management is important at all levels. While this policy focuses on the organisational level, the ICARS Project Risk Management Policy focuses on the project level. The key tool for effective risk management at both the project and organisational levels is the respective risk registers.

This policy[1] is supported by related policies and processes, principally in the following areas: Financial processes and controls, project management, human resources, information services and technology. Key complementary policies include the Anti-bribery, Fraud and Corruption Policy, the Conflict-of-interest Policy, ICARS’ due diligence policy (in development), the internal ICARS Staff Travel Policy and ICARS’ Security and Safety Policy.

Purpose

The purpose of organisation-wide risk management is to enable ICARS to be better prepared for the potential realisation of organisational risks, following an analysis of the likelihood, impact and management of those risks.

Scope

This policy applies to all processes at the organisational level.

Key definitions

Organisational Risk: Uncertainties which may impact ICARS’ ability to achieve its objectives.

Risk Management: All activities performed by ICARS to anticipate, identify, assess and control the risk.

Likelihood: A qualitative characterization of probability.

Impact: A qualitative characterisation of the consequence of an event.

Organisational risk register: Critical risks are detailed in a log of all risks that could impact a project. Specifically, a risk register is a table that seeks to capture and track risks, and contains all information relating to identified risk events, including a description of the risk, the owner of the risk, the likelihood of the risk, the impact of the risk, and mitigation measures.

Risk owner: the person/team in charge of managing and monitoring an identified risk.

The Risk management process

Risk management and internal control elements are embedded in processes throughout ICARS, for example in processes related to finance, grant management, legal issues and compliance.

The standard risk management process consists of four stages:

1. Risk identification and classification
2. Risk assessment
3. Risk mitigation
4. Monitoring and review

Risk classification and risk identification

Systematic classification of risks is useful for ensuring key areas of risk are identified. The identified categories are:

• Implementation/Technical Risks
• Financial Risks
• Staff, systems and structures
• Political/governance
• Reputational

These categories are not mutually exclusive. For example, any major damage to reputation is also likely to become a financial risk because of the loss of donor confidence; a technical error might also lead to reputational damage.

Risk identification requires understanding the external and internal context relevant for the realisation of objectives at the organisational level. Therefore, communication and consultation are key. The identification of all organisational risks requires an inclusive communication and consultation approach with relevant stakeholders, including all key staff members. Communication and consultation need to take place at regular/planned intervals to inform all steps of the risk management process (cf Section 6).

Risk assessment

The objective of risk assessment is to provide sufficient information at appropriate intervals for risk-informed management decisions.

For each significant risk area, every specific risk and its implications are noted, and an assessment is made of the Impact of that risk and the Likelihood of it occurring. Available information and evidence are considered in the assessment of likelihood and impact. In cases where likelihood and/or impact remain difficult to estimate and there is a potential for harm, a precautionary approach is applied by estimating the worst-case scenario to ensure the risk is treated accordingly and closely monitored. The risk analysis should be adjusted when more information becomes available.

Impact and likelihood will be scored as follows:

Risk management action

As a first step, all existing procedures to manage each identified risk will be captured.

Based on the analyses of individual risks, together with the accompanying risk appetite, an evaluation is made to determine which risks can be accepted and which risks require a priority response.

The options described below should be considered for each identified risk:

• Accept: accept the risk by keeping procedures unchanged. This option may be applied when exposure is tolerable, control is impossible, or the cost of control exceeds the potential benefit. It may be supplemented by contingency planning for handling the potential impact.
• Transfer: share the risk by involving stakeholders. Transferring risk works especially well for financial risks or risks to assets, and includes taking conventional insurance or paying a third party to take the risk. This option is not possible for reputational risks.
• Mitigate: adjust (add or revise) relevant procedures.
• Terminate: avoid or cancel the activities that give rise to the risk, especially when the cost/benefit relationship is in jeopardy.

Monitoring and reviewing risk

After the establishment of an initial detailed risk register, each risk will have to be regularly monitored. This will include noting the following:

• any change in the assessment of the risk.
• any suggested changes to the risk mitigation strategy.
• progress made regarding the detailed plan of action so far.

Roles and responsibilities

Risk management is embedded throughout ICARS.

Role of the Board

The ICARS Board has a fundamental role to play in the management of risk. The role is to:

• approve and monitor the risk management strategy and demonstrate the commitment to effective risk management.
• set the tone and influence the culture of risk management within ICARS. This includes determining what types and levels of risk are acceptable (the so-called risk appetite).
• approve major decisions affecting ICARS’s risk profile or exposure.
• review ICARS’ approach to risk management every two years and, if appropriate, recommend changes or improvements to key elements of its processes, policies, and procedures.

Role of the Executive Management

The Executive Management is responsible for:

• day-to-day risk management: The Executive Director delegates responsibility for risk management through a management structure designed to ensure effective leadership, accountability and decision making.
• ensuring that the major risks have been properly considered and can be appropriately managed following the guidance provided by the Board or seeking additional guidance where needed.
• communicating the policy and information about risk management to all staff and making the policy publicly available.

Roles of Staff

ICARS staff should:

• understand that risk management and risk awareness are a key part of ICARS’ culture.
• report promptly to the Executive Management any perceived new risks or failures of existing control measures.
• follow ICARS’s Whistleblowing Policy if they have concerns that actions are not being taken properly through normal channels.

Organisational risk register

Critical risks are detailed in the organisational risk register. This register states the risk, the level of risk (analysis of the impact and likelihood of occurrence of a risk), actions for managing the risk, lead risk owner, recent progress, and date for review. The register serves as the repository of the most important risks that impact on the organisation’s ability to reach its objectives. It allows the Executive Management and the Board of Directors to monitor these risks both individually and taken together, to strengthen procedures where needed and otherwise to be assured that appropriate mitigation actions are being taken.

The following format will be applied as a starting point but can be refined where appropriate following guidance by the Board of Directors.

Recording, periodic review and ad-hoc reporting

The organisational risk register will be revised and updated at least annually at the time of preparing the annual budget for review by the Board of Directors. The Board will consider any significant risks which may affect the achievement of ICARS’ objectives.

All incidents (where risks have materialised), or factors that lead to a significantly higher risk level (impact or likelihood), and therefore are time sensitive and require a new assessment and management action will be reported promptly to the Board of Directors.

Policy review

The policy will be reviewed at least every two years, i.e., regularly every two years or whenever the need arises.

[1] Inspired amongst others by CABI’s Policy for Risk Management, the 2019 Global Alliance for Improved Nutrition (gain)’ Risk Management Policy, WHO’s Corporate risk register, the 2014 Global Fund’s Risk Management Policy and the 2019 UNDP Enterprise Risk Management (ERM) Policy and Procedures.