Risk Management in ILRI


Post on 22-Apr-2015


DESCRIPTION

Presented by John C.M. Mwangi to the ILRI APM, 2006

TRANSCRIPT

Page 1: Risk management in ILRI

Risk Management in ILRI

John CM Mwangi

Associate Director

CGIAR Internal Auditing Unit

ILRI APM 2006

INTERNAL AUDITING UNIT

Page 2: Risk management in ILRI

Outline of RM Presentation

1. Brief introduction to CGIAR IAU
2. What is RM
3. Why get involved in RM
4. How to implement a RM system
5. Progress made in ILRI

Page 3: Risk management in ILRI

Official definition of Internal Audit from the IIA (Institute of Internal Auditors)

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Page 4: Risk management in ILRI

The CGIAR Internal Auditing Unit

• Provides audit and advisory services to Future Harvest Centers (full or joint)
• Disseminates learning and good practices
• Acts as catalyst within the CGIAR System on control, risk management and governance issues
• Develops professional internal audit across the Future Harvest Centers

Page 5: Risk management in ILRI

The CGIAR IAU Organization

• DIRECTOR (IRRI, Los Banos)
• SR. INT. AUDITOR (IS auditor) (IRRI, Los Banos)
• INT. AUDITOR (IRRI, Los Banos)
• ASSOCIATE DIRECTOR (Africa Region) (ILRI, Nairobi)
• ASSOCIATE DIRECTOR (Americas Region) (CIMMYT, Mexico)
• INT AUDITOR (Asia Region) (ICRISAT, Hyderabad)
• ADMIN ASST (IRRI, Los Banos)

Page 6: Risk management in ILRI

Some features of the CGIAR IAU

• Established in 2000
• Provides services to 15 Centers
• Reports to Center DGs and Boards
• Conducts audits and risk management support activities
• Adopts International Standards for the Professional Practice of Internal Audit
• Subject to external quality assurance review at least every 5 years – first one carried out in 2004

Page 7: Risk management in ILRI

What is risk management? Definition of Risks and Opportunities

An occurrence that will have an adverse / advantageous impact on the achievement of the organization's objectives, resulting from inadequate or failed systems or processes, mistakes or external events

Page 8: Risk management in ILRI

What is Risk Management? A process that has 7 key elements

• PURPOSE (Ensure clarity of purpose)
• IDENTIFY (Identify risks and opportunities)
• ANALYSE (assess impact and likelihood)
• PRIORITISE (isolate major risks)
• MITIGATE/MANAGE (respond to major risks)
• MONITOR (document and track the implementation of mitigation plans)
• REPORT (management, BoT, stakeholders)

Page 9: Risk management in ILRI

PURPOSE – Why do we exist? And what factors affect the achievement of the Centre’s vision and mission?

• RESEARCH STRATEGY AND PROJECT PORTFOLIO
• PEOPLE
• PHYSICAL INFRASTRUCTURE
• TECHNOLOGY
• INTELLECTUAL AND GERMPLASM ASSETS
• FINANCE
• INTERNAL PROCESSES
• EXTERNAL ENVIRONMENT

Page 10: Risk management in ILRI

IDENTIFY: Categories of opportunities and risks facing Centers

• OPERATIONAL EFFECTIVENESS
• FINANCIAL INTEGRITY AND COMPLIANCE
• LEGAL COMPLIANCE
• EFFICIENCY
• SAFETY AND SECURITY

Page 11: Risk management in ILRI

ANALYSE & PRIORITISE: Assess impact/likelihood and isolate major risks

[Figure: risk matrix with IMPACT and LIKELIHOOD axes, each rated High, Medium, Low]

Page 12: Risk management in ILRI

Why the attention on more formalized risk management?

• Growing expectations and need for improved governance
• Management and Board interest in improving oversight
• Donor nudge tied to unrestricted funding
• Help avoid surprises – enhance certainty in the complexity
• Facilitate the allocation of scarce resources
• Early warning system (You were warned!)

Page 13: Risk management in ILRI

Why attention on RM: Sources of Good Practice adopted

• United States – COSO Enterprise Risk Management Framework
• National risk management standards in Australia/NZ, Canada, Japan, UK
• South Africa King II Code of Corporate Practices and Conduct
• UK, Canadian Treasury Guidelines

Page 14: Risk management in ILRI

How to implement risk Management: Common concepts

• Risk analysis
• Impact (High, medium, low)
• Likelihood (High, medium, low)
• Risk mitigation
• Risk response
• Risk appetite
• Risk mitigation plan

Page 15: Risk management in ILRI

Examples of risks identified: Research strategy and project portfolio

Opportunities for research breakthroughs

Some potential risks:

• Strategy not relevant
• Projects not aligned with strategy
• Inadequate dissemination – low impact
• Project quality failure
• Inefficient research
• Non-compliance with donor agreements

Page 16: Risk management in ILRI

Examples: People

Opportunities for applying world class expertise to research problems through staff and partners

Some potential risks:

• Failure to attract, select and retain excellent staff
• Demotivated staff
• Sub-optimal organization structure
• Research partners fail to deliver
• Change programs fail
• Non-compliance with host country tax and labor laws
• Unsafe working environment

Page 17: Risk management in ILRI

Examples: Physical Infrastructure

Opportunities, through acquiring, constructing and operating dedicated facilities, for focused and efficient research activities

Some risks:

• Misuse, theft or damage to Center property
• Loss of experimental station viability for research
• Old and inefficient infrastructure
• Non-compliance with host country requirements with regard to use
• Environmental damage / biosafety incidents

Page 18: Risk management in ILRI

Examples: Intellectual and Germplasm Assets

Opportunities to generate and apply public good knowledge and germplasm assets

Some risks:

• Endangered genetic resources not collected
• Loss of germplasm collections
• Insufficient seed stock
• Research data lost
• IP restrictions on use of data
• Breach of MTA conditions
• Product liability to third parties
• Introduction of pests, diseases, transgene contamination

Page 19: Risk management in ILRI

Examples: Finance

Opportunities to maximize financial resources available for research

Some potential risks:

• Funding volatility
• Insufficient project pipeline
• Missed funding opportunities
• Liquidity (short and long term)
• Loss of funds due to speculative investment
• Loss of funds due to financial institution failure
• Foreign exchange losses
• Inadequate cost recovery
• Financial fraud
• Financial reporting error
• Goods & services overpayment

Page 20: Risk management in ILRI

Examples: Technology

Opportunities to leverage information and communication technology to work efficiently, with a wider range of partners

Some risks:

• Loss of electronic data
• Hardware failure/loss
• Software failure/unavailability
• Extended network unavailability
• IT strategy not aligned with business needs
• Software licence non-compliance
• Privacy violations

Page 21: Risk management in ILRI

Examples: Internal Processes

Opportunities for efficiency by streamlining and decentralizing processes

Some risks:

• Loss of quality
• Inappropriate processes
• Inefficient processes
• Non-compliance with Center policies

Page 22: Risk management in ILRI

Examples: External Environment

Opportunities created by changes in science, technology, donor focus, partner capacity, global economic, social and political changes

Some risks:

• Donor funding reductions
• Disasters disrupt operations
• Host country relationship deterioration
• Targeted efforts disrupt operations

Page 23: Risk management in ILRI

Risk analysis: Description for risk impact

Impact

High – failure has the potential to significantly damage or destroy the effective functioning of the Center or its future viability, particularly through loss of important donors’ confidence or major financial or reputational loss; also includes potentially significant employee health and safety hazards

Medium – failure has the potential to damage important aspects of the Center’s functions or future viability, which would require significant management effort and time to recover

Limited – failure has the potential to damage particular aspects of the Center’s functions, drawing on significant management effort if an adverse event occurred, but not expected to damage the overall medium-long term operations of the Center.

Page 24: Risk management in ILRI

Risk analysis: Description for risk likelihood

High – The risk mitigating actions taken by the Center – in terms of (i) avoidance of certain activities, (ii) controls (such as policies, procedures, clarity of responsibilities, training, management monitoring and information), and/or (iii) insurance arrangements – are not considered sufficient or controls are not yet operating effectively, and the probability of occurrence of adverse events for the Center is therefore considered high (>50% probability i.e. more likely than not) over the short-medium term.

Moderate – The risk mitigating actions taken by the Center are partial and there are further opportunities in terms of action the Center should take, or are planned but not yet fully implemented. As a result probability of occurrence of adverse events for the Center is therefore considered moderate (25%-50% probability) over the short-medium term.

Low – The risk mitigating actions taken by the Center are sufficiently designed and operating effectively to reasonably protect the Center against foreseen adverse events.

Page 25: Risk management in ILRI

Risk analysis: Centerwide Risks vs Organisation Unit Risks

Centerwide risks affect the Centre's overall objectives and threaten its continued and sustained viability

Organisational Unit risks affect the Unit's objectives and threaten the continued ability of the Unit to support the Centre’s objectives

Significant Organisational Unit risks can also be significant Centerwide risks if not effectively managed.

Page 26: Risk management in ILRI

Organisation Unit Risk analysis: Key Questions

1. What is the purpose of my Organisational Unit? (Clarify the purpose of your OU)

2. What are the key risks (key processes & assumptions) threatening the ability of my Unit to achieve its purpose? (Impact – high or medium, likelihood – high or medium)

3. Do these risks impact on the entire Centre?

4. What can we do as a Unit to mitigate these risks?

5. Who will be responsible for the mitigation actions?

6. By when should these be accomplished? (action plan)

Page 27: Risk management in ILRI

Organisation Unit Risk analysis: Link to staff workplans

• What can we do as a Unit to mitigate these risks? (Important question to direct our work priorities)

• Who will be responsible for the mitigation actions? (Staff within the OU)

• By when should these be accomplished? (action plan included in individual work plans and monitored periodically)


Page 28: Risk management in ILRI

Risk analysis: Risk Profile format

[Figure: blank risk profile grid with Impact (LOW, MEDIUM, HIGH) on one axis and Likelihood (LOW, MEDIUM, HIGH) on the other]

Page 29: Risk management in ILRI

End product of risk analysis: The risk Profile

Some Examples...

Page 30: Risk management in ILRI

Center-wide risk analysis example: Project implementation risks

[Figure: risk profile matrix, Impact (HIGH, MEDIUM, LOW) against Likelihood (LOW, MEDIUM, HIGH). Risks plotted:]

• PROJECT RELEVANCE
• PROJECT QUALITY FAILURE
• DONOR AGREEMENT NON-COMPLIANCE
• RESEARCH DATA LOSS
• PRODUCT LIABILITY
• PROJECT TIME/COST OVERRUN
• PROJECT EFFORTS NOT ALIGNED WITH STRATEGY
• SCIENTIFIC FRAUD
• INADEQUATE RESULTS DISSEMINATION
• FAIL TO GET PROPER IP LICENSES/AGR – LITIGATION

Page 31: Risk management in ILRI

Matrix analysis example: Financial risks

[Figure: risk profile matrix, Impact (HIGH, MEDIUM, LOW) against Likelihood (LOW, MEDIUM, HIGH). Risks plotted:]

• OVER-PRICED GOODS & SERV
• ERRONEOUS PAYMENTS
• INTERNAL EMBEZZLEMENT * INTERNET BANKING * CHEQUE/WIRE
• MISUSE OF CENTER ASSETS
• ADMINISTRATIVE INEFFICIENCY
• FINANCIAL CONFLICTS OF INTEREST
• WITHHOLDING TAX LIABILITIES
• TERRORIST FINANCING

Page 32: Risk management in ILRI

Mitigate and Manage the risks:

• Identification of those risks where preventive controls or mitigating measures could be improved
• Identification of “risk owners” responsible for action
• Time bound action plans (Format provided)
• Annual review and update

Page 33: Risk management in ILRI

Progress to date in ILRI:

• Board, management and staff sensitization (ongoing)
• Development and adoption of Policy on Risk Management (Adopted)
• Establishment of RM committee (committee active)
• Initial Centre-wide risk analysis (In 2004)
• Update of initial analysis (in 2005)
• Organisation Unit risk analysis (to be implemented)
• Documentation of major Centre-wide risks and development of mitigation plans (mitigation plans developed)
• Management reporting to BoT (for 2004 and 2005)
• Issue of annual Board Statement (2005 and 2006)
• ESBC Project in progress (System wide project)
• Annual RM cycle (In place)

Page 34: Risk management in ILRI

The Annual RM cycle

1. RM committee to review progress on implementation of mitigation plans (twice a year – Sept and Feb)

2. RM committee to update Centre's risk analysis (annually – November)

3. DG to report to Board (annually – March)

4. Board to issue annual statement to stakeholders.

5. IA audit assessment of progress on cycle (twice a year before board meetings)

Page 35: Risk management in ILRI


Thank You