Risk management in ILRI
Risk Management in ILRI
John CM Mwangi, Associate Director
CGIAR Internal Auditing Unit
ILRI APM 2006
INTERNAL AUDITING UNIT

Outline of RM Presentation
1. Brief introduction to CGIAR IAU
2. What is RM
3. Why get involved in RM
4. How to implement a RM system
5. Progress made in ILRI

Official definition of Internal Audit from the IIA (Institute of Internal Auditors)
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The CGIAR Internal Auditing Unit
• Provides audit and advisory services to Future Harvest Centers (full or joint)
• Disseminates learning and good practices
• Acts as catalyst within the CGIAR System on control, risk management and governance issues
• Develops professional internal audit across the Future Harvest Centers

The CGIAR IAU Organization
• DIRECTOR (IRRI, Los Banos)
• SR. INT. AUDITOR (IS auditor) (IRRI, Los Banos)
• INT. AUDITOR (IRRI, Los Banos)
• ASSOCIATE DIRECTOR (Africa Region) (ILRI, Nairobi)
• ASSOCIATE DIRECTOR (Americas Region) (CIMMYT, Mexico)
• INT AUDITOR (Asia Region) (ICRISAT, Hyderabad)
• ADMIN ASST (IRRI, Los Banos)

Some features of the CGIAR IAU
• Established in 2000
• Provides services to 15 Centers
• Reports to Center DGs and Boards
• Conducts audits and risk management support activities
• Adopts International Standards for the Professional Practice of Internal Audit
• Subject to external quality assurance review at least every 5 years – first one carried out in 2004

What is risk management? Definition of Risks and Opportunities
An occurrence that will have an Adverse / Advantageous impact on the achievements of the organization's objectives, resulting from inadequate or failed systems or processes, mistakes or external events

What is Risk Management? A process that has 7 key elements
• PURPOSE (Ensure clarity of purpose)
• IDENTIFY (Identify risks and opportunities)
• ANALYSE (assess impact and likelihood)
• PRIORITISE (isolate major risks)
• MITIGATE/MANAGE (respond to major risks)
• MONITOR (document and track the implementation of mitigation plans)
• REPORT (management, BoT, stakeholders)

PURPOSE – Why do we exist? And what factors affect the achievement of the Centre’s vision and mission?
• RESEARCH STRATEGY AND PROJECT PORTFOLIO
• PEOPLE
• PHYSICAL INFRASTRUCTURE
• TECHNOLOGY
• INTELLECTUAL AND GERMPLASM ASSETS
• FINANCE
• INTERNAL PROCESSES
• EXTERNAL ENVIRONMENT

IDENTIFY: Categories of opportunities and risks facing Centers
OPERATIONAL EFFECTIVENESS
FINANCIAL INTEGRITY AND COMPLIANCE
LEGAL COMPLIANCE EFFICIENCY
SAFETY AND SECURITY

ANALYSE & PRIORITISE: Assess impact/likelihood and isolate major risks
[Figure: risk matrix with IMPACT (High, Medium, Low) on one axis and LIKELIHOOD (High, Medium, Low) on the other]

Why the attention on more formalized risk management?
• Growing expectations and need for improved governance
• Management and Board interest in improving oversight
• Donor nudge tied to unrestricted funding
• Help avoid surprises – enhance certainty in the complexity
• Facilitate the allocation of scarce resources
• Early warning system (You were warned!)

Why attention on RM: Sources of Good Practice adopted
• United States – COSO Enterprise Risk Management Framework
• National risk management standards in Australia/NZ, Canada, Japan, UK
• South Africa King II Code of Corporate Practices and Conduct
• UK, Canadian Treasury Guidelines

How to implement risk management: Common concepts
• Risk analysis
• Impact (High, medium, low)
• Likelihood (High, medium, low)
• Risk mitigation
• Risk response
• Risk appetite
• Risk mitigation plan

Examples of risks identified: Research strategy and project portfolio
Opportunities for research breakthroughs
Some potential risks:
• Strategy not relevant
• Projects not aligned with strategy
• Inadequate dissemination – low impact
• Project quality failure
• Inefficient research
• Non-compliance with donor agreements

Examples: People
Opportunities for applying world class expertise to research problems through staff and partners
Some potential risks:
• Failure to attract, select and retain excellent staff
• Demotivated staff
• Sub-optimal organization structure
• Research partners fail to deliver
• Change programs fail
• Non-compliance with host country tax and labor laws
• Unsafe working environment

Examples: Physical Infrastructure
Opportunities, through acquiring, constructing and operating dedicated facilities, for focused and efficient research activities
Some risks:
• Misuse, theft or damage to Center property
• Loss of experimental station viability for research
• Old and inefficient infrastructure
• Non-compliance with host country requirements with regard to use
• Environmental damage / biosafety incidents

Examples: Intellectual and Germplasm Assets
Opportunities to generate and apply public good knowledge and germplasm assets
Some risks:
• Endangered genetic resources not collected
• Loss of germplasm collections
• Insufficient seed stock
• Research data lost
• IP restrictions on use of data
• Breach of MTA conditions
• Product liability to third parties
• Introduction of pests, diseases, transgene contamination

Examples: Finance
Opportunities to maximize financial resources available for research
Some potential risks:
• Funding volatility
• Insufficient project pipeline
• Missed funding opportunities
• Liquidity (short and long term)
• Loss of funds due to speculative investment
• Loss of funds due to financial institution failure
• Foreign exchange losses
• Inadequate cost recovery
• Financial fraud
• Financial reporting error
• Goods & services overpayment

Examples: Technology
Opportunities to leverage information and communication technology to work efficiently, with a wider range of partners
Some risks:
• Loss of electronic data
• Hardware failure/loss
• Software failure/unavailability
• Extended network unavailability
• IT strategy not aligned with business needs
• Software licence non-compliance
• Privacy violations

Examples: Internal Processes
Opportunities for efficiency by streamlining and decentralizing processes
Some risks:
• Loss of quality
• Inappropriate processes
• Inefficient processes
• Non-compliance with Center policies

Examples: External Environment
Opportunities created by changes in science, technology, donor focus, partner capacity, global economic, social and political changes
Some risks:
• Donor funding reductions
• Disasters disrupt operations
• Host country relationship deterioration
• Targeted efforts disrupt operations

Risk analysis: Description for risk impact
Impact
High – failure has the potential to significantly damage or destroy the effective functioning of the Center or its future viability, particularly through loss of important donors’ confidence or major financial or reputational loss; also includes potentially significant employee health and safety hazards
Medium – failure has the potential to damage important aspects of the Center’s functions or future viability, which would require significant management effort and time to recover
Limited – failure has the potential to damage particular aspects of the Center’s functions, drawing on significant management effort if an adverse event occurred, but not expected to damage the overall medium-long term operations of the Center.

Risk analysis: Description for risk likelihood
High – The risk mitigating actions taken by the Center – in terms of (i) avoidance of certain activities, (ii) controls (such as policies, procedures, clarity of responsibilities, training, management monitoring and information), and/or (iii) insurance arrangements – are not considered sufficient or controls are not yet operating effectively, and the probability of occurrence of adverse events for the Center is therefore considered high (>50% probability i.e. more likely than not) over the short-medium term.
Moderate – The risk mitigating actions taken by the Center are partial and there are further opportunities in terms of action the Center should take, or are planned but not yet fully implemented. As a result, the probability of occurrence of adverse events for the Center is considered moderate (25%-50% probability) over the short-medium term.
Low – The risk mitigating actions taken by the Center are sufficiently designed and operating effectively to reasonably protect the Center against foreseen adverse events.

Risk analysis: Centerwide Risks vs Organisation Unit Risks
Centerwide risks affect the Centre's overall objectives and threaten its continued and sustained viability
Organisational Unit risks affect the Unit's objectives and threaten the continued ability of the Unit to support the Centre’s objectives
Significant Organisational Unit risks can also be significant Centerwide risks if not effectively managed.

Organisation Unit Risk analysis: Key Questions
1. What is the purpose of my Organisational Unit? (Clarify the purpose of your OU)
2. What are the key risks (key processes & assumptions) threatening the ability of my Unit to achieve its purpose? (Impact – high or medium, likelihood – high or medium)
3. Do these risks impact on the entire Centre?
4. What can we do as a Unit to mitigate these risks?
5. Who will be responsible for the mitigation actions?
6. By when should these be accomplished? (action plan)

Organisation Unit Risk analysis: Link to staff workplans
• What can we do as a Unit to mitigate these risks? (Important question to direct our work priorities)
• Who will be responsible for the mitigation actions? (Staff within the OU)
• By when should these be accomplished? (action plan included in individual work plans and monitored periodically)

Risk analysis: Risk Profile format
[Figure: blank risk profile matrix of Impact (LOW, MEDIUM, HIGH) against Likelihood (LOW, MEDIUM, HIGH)]

End product of risk analysis: The Risk Profile
Some examples...

Center-wide risk analysis example: Project implementation risks
[Figure: risk profile matrix of Impact against Likelihood (LOW, MEDIUM, HIGH), with the following risks plotted]
• PROJECT RELEVANCE
• PROJECT QUALITY FAILURE
• DONOR AGREEMENT NON-COMPLIANCE
• RESEARCH DATA LOSS
• PRODUCT LIABILITY
• PROJECT TIME/COST OVERRUN
• PROJECT EFFORTS NOT ALIGNED WITH STRATEGY
• SCIENTIFIC FRAUD
• INADEQUATE RESULTS DISSEMINATION
• FAIL TO GET PROPER IP LICENSES/AGR – LITIGATION

Matrix analysis example: Financial risks
[Figure: risk profile matrix of Impact against Likelihood (LOW, MEDIUM, HIGH), with the following risks plotted]
• OVER-PRICED GOODS & SERV
• ERRONEOUS PAYMENTS
• INTERNAL EMBEZZLEMENT * INTERNET BANKING * CHEQUE/WIRE
• MISUSE OF CENTER ASSETS
• ADMINISTRATIVE INEFFICIENCY
• FINANCIAL CONFLICTS OF INTEREST
• WITHHOLDING TAX LIABILITIES
• TERRORIST FINANCING

Mitigate and Manage the risks:
• Identification of those risks where preventive controls or mitigating measures could be improved
• Identification of “risk owners” responsible for action
• Time bound action plans (Format provided)
• Annual review and update

Progress to date in ILRI:
• Board, management and staff sensitization (ongoing)
• Development and adoption of Policy on Risk Management (Adopted)
• Establishment of RM committee (committee active)
• Initial Centre-wide risk analysis (In 2004)
• Update of initial analysis (in 2005)
• Organisation Unit risk analysis (to be implemented)
• Documentation of major Centre-wide risks and development of mitigation plans (mitigation plans developed)
• Management reporting to BoT (for 2004 and 2005)
• Issue of annual Board Statement (2005 and 2006)
• ESBC Project in progress (System wide project)
• Annual RM cycle (In place)

The Annual RM cycle
1. RM committee to review progress on implementation of mitigation plans (twice a year – Sept and Feb)
2. RM committee to update Centre's risk analysis (annually – November)
3. DG to report to Board (annually – March)
4. Board to issue annual statement to stakeholders.
5. IA audit assessment of progress on cycle (twice a year before board meetings)
Thank You