Risk management in ILRI

Presented by John C.M. Mwangi to the ILRI APM, 2006

  1. Risk Management in ILRI
      John CM Mwangi, Associate Director, CGIAR Internal Auditing Unit
      ILRI APM 2006
  2. Outline of RM Presentation
      • Brief introduction to CGIAR IAU
      • What is RM
      • Why get involved in RM
      • How to implement a RM system
      • Progress made in ILRI
  3. Official definition of Internal Audit from the IIA (Institute of Internal Auditors)
      Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
  4. The CGIAR Internal Auditing Unit
      • Provides audit and advisory services to Future Harvest Centers (full or joint)
      • Disseminates learning and good practices
      • Acts as catalyst within the CGIAR System on control, risk management and governance issues
      • Develops professional internal audit across the Future Harvest Centers
  5. The CGIAR IAU Organization
      • Director (IRRI, Los Banos)
      • Sr. Int. Auditor (IS auditor) (IRRI, Los Banos)
      • Int. Auditor (IRRI, Los Banos)
      • Associate Director (Africa Region) (ILRI, Nairobi)
      • Associate Director (Americas Region) (CIMMYT, Mexico)
      • Int Auditor (Asia Region) (ICRISAT, Hyderabad)
      • Admin Asst (IRRI, Los Banos)
  6. Some features of the CGIAR IAU
      • Established in 2000
      • Provides services to 15 Centers
      • Reports to Center DGs and Boards
      • Conducts audits and risk management support activities
      • Adopts International Standards for the Professional Practice of Internal Audit
      • Subject to external quality assurance review at least every 5 years – first one carried out in 2004
  7. What is risk management?
      Definition of Risks and Opportunities: An occurrence that will have an adverse / advantageous impact on the achievement of the organization's objectives, resulting from inadequate or failed systems or processes, mistakes or external events
  8. What is Risk Management? A process that has 7 key elements
      • PURPOSE (Ensure clarity of purpose)
      • IDENTIFY (Identify risks and opportunities)
      • ANALYSE (assess impact and likelihood)
      • PRIORITISE (isolate major risks)
      • MITIGATE/MANAGE (respond to major risks)
      • MONITOR (document and track the implementation of mitigation plans)
      • REPORT (management, BoT, stakeholders)
  9. PURPOSE – Why do we exist? And what factors affect the achievement of the Centre’s vision and mission
      • Research strategy and project portfolio
      • People
      • Physical infrastructure
      • Technology
      • Intellectual and germplasm assets
      • Finance
      • Internal processes
      • External environment
  10. IDENTIFY: Categories of opportunities and risks facing Centers
      • Operational effectiveness
      • Financial integrity and compliance
      • Legal compliance
      • Efficiency
      • Safety and security
  11. ANALYSE & PRIORITISE: Assess impact/likelihood and isolate major risks
      [Matrix: Impact (High, Medium, Low) against Likelihood (High, Medium, Low)]
  12. Why the attention on more formalized risk management?
      • Growing expectations and need for improved governance
      • Management and Board interest in improving oversight
      • Donor nudge tied to unrestricted funding
      • Help avoid surprises – enhance certainty in the complexity
      • Facilitate the allocation of scarce resources
      • Early warning system (You were warned!)
  13. Why attention on RM: Sources of Good Practice adopted
      • United States – COSO Enterprise Risk Management Framework
      • National risk management standards in Australia/NZ, Canada, Japan, UK
      • South Africa King II Code of Corporate Practices and Conduct
      • UK, Canadian Treasury Guidelines
  14. How to implement risk management: Common concepts
      • Risk analysis
      • Impact (High, medium, low)
      • Likelihood (High, medium, low)
      • Risk mitigation
      • Risk response
      • Risk appetite
      • Risk mitigation plan
  15. Examples of risks identified: Research strategy and project portfolio
      • Opportunities for research breakthroughs
      • Some potential risks:
          • Strategy not relevant
          • Projects not aligned with strategy
          • Inadequate dissemination – low impact
          • Project quality failure
          • Inefficient research
          • Non-compliance with donor agreements
  16. Examples: People
      • Opportunities for applying world class expertise to research problems through staff and partners
      • Some potential risks:
          • Failure to attract, select and retain excellent staff
          • Demotivated staff
          • Sub-optimal organization structure
          • Research partners fail to deliver
          • Change programs fail
          • Non-compliance with host country tax and labor laws
          • Unsafe working environment
  17. Examples: Physical Infrastructure
      • Opportunities, through acquiring, constructing and operating dedicated facilities, for focused and efficient research activities
      • Some risks:
          • Misuse, theft or damage to Center property
          • Loss of experimental station viability for research
          • Old and inefficient infrastructure
          • Non-compliance with host country requirements with regard to use
          • Environmental damage / biosafety incidents
  18. Examples: Intellectual and Germplasm Assets
      • Opportunities to generate and apply public good knowledge and germplasm assets
      • Some risks:
          • Endangered genetic resources not collected
          • Loss of germplasm collections
          • Insufficient seed stock
          • Research data lost
          • IP restrictions on use of data
          • Breach of MTA conditions
          • Product liability to third parties
          • Introduction of pests, diseases, transgene contamination
  19. Examples: Finance
      • Opportunities to maximize financial resources available for research
      • Some potential risks:
          • Funding volatility
          • Insufficient project pipeline
          • Missed funding opportunities
          • Liquidity (short and long term)
          • Loss of funds due to speculative investment
          • Loss of funds due to financial institution failure
          • Foreign exchange losses
          • Inadequate cost recovery
          • Financial fraud
          • Financial reporting error
          • Goods & services overpayment
  20. Examples: Technology
      • Opportunities to leverage information and communication technology to work efficiently, with a wider range of partners
      • Some risks:
          • Loss of electronic data
          • Hardware failure/loss
          • Software failure/unavailability
          • Extended network unavailability
          • IT strategy not aligned with business needs
          • Software licence non-compliance
          • Privacy violations
  21. Examples: Internal Processes
      • Opportunities for efficiency by streamlining and decentralizing processes
      • Some risks:
          • Loss of quality
          • Inappropriate processes
          • Inefficient processes
          • Non-compliance with Center policies
  22. Examples: External Environment
      • Opportunities created by changes in science, technology, donor focus, partner capacity, global economic, social and political changes
      • Some risks:
          • Donor funding reductions
          • Disasters disrupt operations
          • Host country relationship deterioration
          • Targeted efforts disrupt operations
  23. Risk analysis: Description for risk impact
      Impact:
      • High – failure has the potential to significantly damage or destroy the effective functioning of the Center or its future viability, particularly through loss of important donors’ confidence or major financial or reputational loss. Also includes potentially significant employee health and safety hazards.
      • Medium – failure has the potential to damage important aspects of the Center’s functions or future viability, which would require significant management effort and time to recover.
      • Limited – failure has the potential to damage particular aspects of the Center’s functions, drawing on significant management effort if an adverse event occurred, but not expected to damage the overall medium-long term operations of the Center.
  24. Risk analysis: Description for risk likelihood
      • High – The risk mitigating actions taken by the Center – in terms of (i) avoidance of certain activities, (ii) controls (such as policies, procedures, clarity of responsibilities, training, management monitoring and information), and/or (iii) insurance arrangements – are not considered sufficient or controls are not yet operating effectively, and the probability of occurrence of adverse events for the Center is therefore considered high (>50% probability, i.e. more likely than not) over the short-medium term.
      • Moderate – The risk mitigating actions taken by the Center are partial and there are further opportunities in terms of action the Center should take, or are planned but not yet fully implemented. As a result, the probability of occurrence of adverse events for the Center is considered moderate (25%-50% probability) over the short-medium term.
      • Low – The risk mitigating actions taken by the Center are sufficiently designed and operating effectively to reasonably protect the Center against foreseen adverse events.
  25. Risk analysis: Centerwide Risks vs Organisation Unit Risks
      • Centerwide risks affect the Centre's overall objectives and threaten its continued and sustained viability
      • Organisational Unit risks affect the Unit's objectives and threaten the continued ability of the Unit to support the Centre’s objectives
      • Significant Organisational Unit risks can also be significant Centerwide risks if not effectively managed
  26. Organisation Unit Risk analysis: Key Questions
      • What is the purpose of my Organisational Unit? (Clarify the purpose of your OU)
      • What are the key risks (key processes & assumptions) threatening the ability of my Unit to achieve its purpose? (Impact – high or medium, likelihood – high or medium)
      • Do these risks impact on the entire Centre?
      • What can we do as a Unit to mitigate these risks?
      • Who will be responsible for the mitigation actions?
      • By when should these be accomplished? (action plan)
  27. Organisation Unit Risk analysis: Link to staff workplans
      • What can we do as a Unit to mitigate these risks? (Important question to direct our work priorities)
      • Who will be responsible for the mitigation actions? (Staff within the OU)
      • By when should these be accomplished? (action plan included in individual work plans and monitored periodically)
  28. Risk analysis: Risk Profile format
      [Matrix template: Impact (Low, Medium, High) against Likelihood (Low, Medium, High)]
  29. End product of risk analysis: The risk profile
      Some examples...
  30. Center-wide risk analysis example: Project implementation risks
      [Risk matrix: Likelihood (High, Medium, Low) against Impact (Low, Medium, High)] Risks plotted:
      • PROJECT RELEVANCE
      • PROJECT QUALITY FAILURE
      • DONOR AGREEMENT NON-COMPLIANCE
      • RESEARCH DATA LOSS
      • PRODUCT LIABILITY
      • PROJECT TIME/COST OVERRUN
      • PROJECT EFFORTS NOT ALIGNED WITH STRATEGY
      • SCIENTIFIC FRAUD
      • INADEQUATE RESULTS DISSEMINATION
      • FAIL TO GET PROPER IP LICENSES/AGR – LITIGATION
  31. Matrix analysis example: Financial risks
      [Risk matrix: Likelihood (High, Medium, Low) against Impact (Low, Medium, High)] Risks plotted:
      • ERRONEOUS PAYMENTS
      • INTERNAL EMBEZZLEMENT * INTERNET BANKING * CHEQUE/WIRE
      • MISUSE OF CENTER ASSETS
      • ADMINISTRATIVE INEFFICIENCY
      • FINANCIAL CONFLICTS OF INTEREST
      • WITHHOLDING TAX LIABILITIES
      • TERRORIST FINANCING
      • OVER-PRICED GOODS&SERV
  32. Mitigate and manage the risks:
      • Identification of those risks where preventive controls or mitigating measures could be improved
      • Identification of “risk owners” responsible for action
      • Time bound action plans (Format provided)
      • Annual review and update
  33. Progress to date in ILRI:
      • Board, management and staff sensitization (ongoing)
      • Development and adoption of Policy on Risk Management (Adopted)
      • Establishment of RM committee (committee active)
      • Initial Centre-wide risk analysis (In 2004)
      • Update of initial analysis (in 2005)
      • Organisation Unit risk analysis (to be implemented)
      • Documentation of major Centre-wide risks and development of mitigation plans (mitigation plans developed)
      • Management reporting to BoT (for 2004 and 2005)
      • Issue of annual Board Statement (2005 and 2006)
      • ESBC Project in progress (System wide project)
      • Annual RM cycle (In place)
  34. The Annual RM cycle
      • RM committee to review progress on implementation of mitigation plans (twice a year – Sept and Feb)
      • RM committee to update Centre's risk analysis (annually – November)
      • DG to report to Board (annually – March)
      • Board to issue annual statement to stakeholders
      • IA audit assessment of progress on cycle (twice a year before board meetings)
  35. Thank You
