RISK MANAGEMENT POLICY MANUAL OF THE UGANDA HEALTH MARKETING GROUP
(UHMG)
Version: 1...1 Issue Date: July-2013 Page 1
UGANDA HEALTH MARKETING GROUP
(UHMG)
RISK MANAGEMENT
MANUAL
July 2013
(Final)
Drawn By:
UHMG Internal Audit Department
TABLE OF CONTENTS
1.0 INTRODUCTION
1.1 Background
1.2 Application and Interpretation
1.3 Distribution of the RMM
1.4 Review and Update of the RMM
2.0 PURPOSE OF THE RISK MANAGEMENT MANUAL
2.1 Introduction
2.2 Objectives of the RMM
2.3 Nature of the RMM
2.4 Key Control Processes
3.0 RISK POLICY STATEMENT
3.1 UHMG BOD Risk Statement
4.0 ENTERPRISE RISK MANAGEMENT FRAMEWORK
4.1 COSO Enterprise Risk Management-Integrated Framework
4.2 Enterprise Risk Management Defined
5.0 RISK MANAGEMENT ROLES AND RESPONSIBILITIES
5.1 Board of Directors
5.2 Managing Director
5.3 Senior Management Team
5.4 Risk Management Steering Committee (RMSC)
5.5 Internal Audit
5.6 Staff
6.0 APPROACH TO RISK MANAGEMENT
6.1 ERM Components
6.2 ERM Limitations
7.0 RISK MANAGEMENT CONTEXT
7.1 The External Context
7.2 The Internal Context
8.0 RISK IDENTIFICATION AND CATEGORISATION
8.1 Risk Identification
8.2 Risk Categorization
9.0 RISK ASSESSMENT
9.1 Risk Rating
9.2 Risk prioritisation
10.0 RISK RESPONSE
10.1 Risk Appetite
10.2 Risk Treatment
11.0 RISK MONITORING AND REVIEW
11.1 Documentation
11.2 Risk Monitoring
11.3 Review and Reporting
12.0 INFORMATION AND COMMUNICATION
13.0 APPENDICES
Acronyms
BARC Board Audit and Risk Management Committee
BOD Board of Directors
COSO Committee of Sponsoring Organisations of the Treadway Commission
ERM Enterprise Risk Management
IFRS International Financial Reporting Standards
MD Managing Director
NSSF National Social Security Fund
PAYE Pay As You Earn
RC Risk Coordinator
RO Risk Officer
RMM Risk Management Manual
RMC Risk Management Committee
UHMG Uganda Health Marketing Group
URA Uganda Revenue Authority
VAT Value Added Tax
WHT Withholding Tax
Risk management glossary:
The Risk Manual is aimed at streamlining the risk management communication process by
promoting the use of consistent terminology across the organization.
Term: Definition
Risk: The chance of something happening that will have an impact on the achievement of UHMG's objectives. It is measured in terms of consequence and likelihood. Every risk consists of three components: an event, a probability of occurrence and an impact.
a) Risk event: a discrete possible future occurrence that may affect the organisation for better or worse. It could be a wanted event, an opportunity with a potential positive impact, or an unwanted event or threat with a potential negative outcome.
b) Probability: the likelihood that this event will happen.
c) Impact: the consequence of the risk, if it occurred.
Enterprise Risk Management: A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Gross Risk Rating: An assessment of the risk before considering any actions or controls put in place to mitigate risk.
Management Controls: Processes in place to mitigate risks. Controls may be policies, procedures, management systems and structures to assist UHMG in its operations.
Net Risk Rating: An assessment of the risk after considering actions or controls that have been put in place to mitigate the risk.
Risk Appetite and Risk Tolerance: Both Risk Appetite and Risk Tolerance set boundaries of how much risk an entity is prepared to accept. Risk Appetite is a higher level statement that considers broadly the levels of risks that management deems acceptable while Risk Tolerances are narrower and set the acceptable level of variation around specific objectives. For instance, an organization that says that it does not accept risks that could result in a significant loss of its revenue base is expressing Appetite. When the same organization says that it does not wish to accept risks that would cause revenue from its top-10 customers to decline by more than 10% it is expressing Tolerance. Operating within risk tolerances provides management greater assurance that the organization remains within its risk appetite, which, in turn, provides a higher degree of comfort that the organization will achieve its objectives.
Risk Acceptance: An informed decision to accept the likelihood and the consequences of a particular risk by UHMG management.
Risk management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects within the environment that UHMG operates in.
Risk Management Coordinator: The Officer responsible for coordinating the risk management process across the organization.
1.0 INTRODUCTION
1.1 Background
Uganda Health Marketing Group (UHMG) is a Company Limited by Guarantee which
was incorporated in 1999 and started full operations in April 2007. UHMG's vision is “a
good life for all Ugandans” and the mission is to “improve the quality of life of Ugandans
through provision of superior and affordable health-care solutions”. UHMG designs and
implements strategic and integrated health marketing interventions intended to improve
the overall wellbeing of the country's population, while stimulating and increasing
commercial sector participation.
The main strategic objectives of UHMG include:
a) To create a consumer driven approach to health marketing through innovative marketing and social communication platform that will lead to a good life;
b) To strengthen and work with the Private and Public sectors to widen and/or to create new marketing, distribution and service delivery systems to increase consumer access to health products and services;
c) To strengthen the internal capacity of UHMG by developing its human, material and financial resources; and
d) To build UHMG into a competitive and sustainable health service provider.
UHMG is implementing a five-year Strategic Plan with the aim of designing,
implementing and mobilising resources to that effect. The organisation is now
establishing an Entity-wide Risk Management Framework to ensure a successful
exploitation of identified opportunities as well as timely identification and effective
management of any risks that may deter the successful implementation of the Strategic
Plan.
1.2 Application and Interpretation
1.2.1 The policies and procedures in this Risk Management Manual (RMM) shall apply to all the employees of UHMG and shall be interpreted and administered by the Management of UHMG or their authorised agents.
1.2.2 The RMM shall also be interpreted in light of UHMG's Memorandum and Articles of Association and, in case of conflict, the requirements contained within the Memorandum and Articles of Association shall supersede the application and interpretation of this RMM.
1.3 Distribution of the RMM
1.3.1 The Master copy of the RMM in use should be under the custody of the Risk Coordinator (RC). Other controlled copies shall be issued to the MD and other Directors.
1.3.2 The soft copy of the RMM shall be saved on a central server accessible to all staff as “read only”. The RC shall retain the password required to edit any of the sections of the RMM.
1.4 Risk management overview
1.4.1 Risk
A risk is any factor that has a possibility of causing harm and/or loss or preventing UHMG from achieving its objectives. Risk is measured in terms of consequences and likelihood combined to arrive at a rating from Low to Very high (see the Risk Assessment Matrix on appendix 2 page 30).
1.4.2 What is Risk Management (RM)?
RM is the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects within UHMG's operational environment. RM is an integral part of UHMG's approach to decision-making and accountability. RM involves the following risk phases:
Risk Identification
Risk Analysis
Risk Mitigation and Planning
Risk response
Thus, the RMM documents the procedures that will be used to manage risk throughout UHMG.
1.4.3 Why is Risk Management Important to UHMG?
An effective RM system shall safeguard UHMG's resources and ensure their best utilization. Recognition of RM as a central element of good corporate governance, and as a tool to assist in strategic and operational planning, has many potential planning benefits in the context of the changing operating environment of UHMG's core business. The aim of the RM framework is not to eliminate risk, but rather to assist UHMG personnel to manage the risks involved in all UHMG's activities to maximise opportunities and minimise adverse consequences.
1.5 Review and Update of the RMM
1.5.1 This Manual shall be subject to amendment from time to time. Amendments may result from key omissions, changes in the nature of key operations or changes in the environment UHMG operates in.
1.5.2 The Risk Management Committee (RMC) shall identify the sections of the manual that require amending after consultation with the relevant persons and document the proposed amendment.
1.5.3 Amendments to the manual may also be identified by any user of the manual who should submit a written request to their respective Risk Officer (RO) for review and submission to the RMC.
1.5.4 The written request should include the following minimum information:
a) The section to be amended;
b) The proposed amendments;
c) The reason for the proposed amendment; and
d) The signature of the preparer and reviewer (RO).
1.5.5 All proposed procedural amendments should be submitted through the RMC to the MD for review and approval. All proposed policy amendments should be submitted by the RMC through the MD to the BOD for approval.
1.5.6 On approval of the amendments, the RC shall update the relevant sections of the RMM and the Summary of RMM Changes which will act as a reference trail for management.
1.5.7 The RC shall distribute the new approved sections to the appropriate people (see distribution list above) and retain the Master Copy of the same.
1.5.8 The RMM shall be reviewed regularly, at least annually, by Senior Management and approved by the BOD to ensure that the procedures remain relevant to the operations of UHMG. For effectiveness, this review process should be aligned with the annual strategic plan review exercise.
2.0 PURPOSE OF THE RISK MANAGEMENT MANUAL
2.1 Introduction
UHMG management and BOD understand that risk is inherent in all programmatic,
administrative and business activities, and therefore, the successful operation of any
organisation depends on effective risk management.
UHMG recognises the challenge of promoting risk awareness and culture in a broad
sense across the organisation so that line managers and employees understand and
accept their accountability for identifying business threats and opportunities.
In order to incorporate risk management into UHMG's operations, the BOD and
management of UHMG have developed a framework for systematically identifying,
categorising, assessing and managing risks at all levels of the organisation. The
adoption of a strategic and formal approach to risk management will: improve decision
making; enhance outcomes; reduce surprises; and ultimately enhance accountability.
The aim of this framework is not to eliminate risk, but rather to manage the risks
involved in all UHMG activities in order to maximise opportunities and minimise
adversity.
2.2 Objectives of the RMM
2.2.1 To provide staff, management and BOD of UHMG with guidance on their risk management roles, responsibilities and authority.
2.2.2 To support a common understanding of risk management in UHMG.
2.2.3 To provide some general guidance and tools to use when integrating risk management into work implementation.
2.2.4 To ensure significant risks are known and monitored, thus empowering management and the BOD to make more effective decisions.
2.2.5 To give a sound basis for strategic planning since key elements of risk will have been identified and appropriate mitigating strategies defined.
2.2.6 To ensure that the risk management policies and procedures of UHMG are applied consistently and do not contradict other existing policies.
2.3 Nature of the RMM
2.3.1 Given that UHMG operates in a constantly changing environment, this RMM will have to be periodically updated in order to ensure that it remains relevant.
2.3.2 It is the responsibility of all users to ensure that the policies and procedures in the RMM are adequate for their operations.
2.3.3 The relevant parties that have a responsibility to coordinate the updating of existing procedures and adding of new procedures to the RMM have been identified in Section 1.5 of this document.
2.3.4 All changes to this RMM shall be carried out in line with the procedures laid out in Section 1.5 of this document.
2.4 Key Control Processes
2.4.1 The MD (Overall Risk Owner), Management and Staff of UHMG shall refer constantly to the RMM when executing their duties to ensure that possible threats and opportunities have been managed accordingly.
3.0 RISK POLICY STATEMENT
3.1 UHMG BOD Risk Statement
3.1.1 The BOD of UHMG is committed to implementing a proactive risk management approach to embed risk management practices in the operations of UHMG and hence give reasonable assurance of achievement of the overall goals of the organisation.
3.1.2 UHMG's Policy on Risk Management shall be based on the following principles:
a) Risk management shall be integrated into UHMG strategic and business planning processes and shall give guidance for decision-making on day to day activities of UHMG;
b) As far as possible, UHMG will anticipate and take proactive action on risks rather than react to surprises.
c) The management of UHMG shall ensure that significant emerging risks are escalated to the BOD and operational risks are reported to the relevant departments in a timely manner.
d) UHMG will seek to mitigate and manage risks effectively to enhance achievement of organizational objectives.
e) A consistent approach to the identification, assessment and management of risks shall be maintained throughout UHMG.
f) All staff shall endeavor to understand and execute their risk management roles, responsibilities and accountabilities.
UHMG shall commit resources to implement risk responses that are effective and
whose costs do not outweigh the benefits.
4.0 ENTERPRISE RISK MANAGEMENT FRAMEWORK
4.1 Enterprise Risk Management Definition
4.1.1 ERM deals with risks and opportunities affecting value creation or preservation. UHMG shall adopt the COSO definition of ERM stated below:
4.1.2 The adopted definition reflects certain fundamental concepts. ERM is:
a) A process, ongoing and flowing through an entity. It shall not be a one-off event in UHMG;
b) Effected by people at every level of an organization. Everyone in UHMG shall have a role in ERM;
c) Applied in strategy setting;
d) Applied across the organization, at every level and unit, and includes taking an entity level portfolio view of risk;
e) Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite;
f) Able to provide reasonable assurance to an entity's management and board of directors; and
g) Geared to achievement of objectives in one or more separate but overlapping categories.
4.1.3 ERM shall enable UHMG management to effectively deal with uncertainty and associated risk and opportunity, enhancing the organization's capacity to build value. UHMG shall maximize value when the set objectives and strategies strike an optimal balance between risk and return during resource allocation.
4.1.4 The ERM framework in UHMG shall include the following:
a) Aligning risk appetite and strategy – UHMG Management shall consider the entity's risk appetite in evaluating strategic alternatives, set related objectives, and develop mechanisms to manage related risks.
b) Enhancing risk response decisions – ERM shall provide the rigor to identify and select among alternative risk responses including: risk avoidance, reduction, sharing, and acceptance.
c) Reducing operational surprises and losses – over time, UHMG will gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
d) Identifying and managing multiple and cross-organizational risks – UHMG faces a myriad of risks affecting different parts of the organization, and ERM will facilitate effective response to the interrelated consequences, and integrated responses to multiple risks.
e) Seizing opportunities – By considering a full range of potential events, UHMG management shall be positioned to identify and proactively realize opportunities.
f) Improving deployment of funding – Obtaining robust risk information will allow UHMG management to effectively assess overall funding needs and enhance fund allocation.
4.1.5 These capabilities inherent in the ERM framework will enable UHMG BOD and management to achieve the organization's performance targets and prevent loss of resources. ERM shall ensure effective reporting and compliance with laws and regulations, and shall help to avoid damage to the entity's reputation and associated consequences. In sum, the ERM framework will help UHMG achieve its objectives while avoiding surprises en route.
4.2 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management-Integrated Framework
4.2.1 UHMG management shall adopt the COSO ERM-Integrated Framework to provide a comprehensive approach for the organization to identify and manage risks that could deter UHMG from achieving its goals. The framework shall present an organization-wide perspective of risk and standardize terms and concepts to promote effective implementation across the organization.
4.2.2 The implementation of a robust and transparent risk management program has become increasingly important given that UHMG operates in a challenging environment characterized by: increasing competition; greater accountability requirements; higher quality standards for both product and service delivery; and a complex business model that combines profit and non-profit elements.
4.2.3 The changing and challenging environment places more pressure on UHMG resources and presents risk and uncertainty to the organization, hence the need for a structured approach to continually align priorities and objectives.
4.2.4 The COSO framework describes the critical principles and components of an effective ERM process. The framework shall:
a) Allow UHMG to proactively manage its risks in a systematic and structured way and to continually refine its processes to reduce UHMG's risk profile thereby maintaining a safer environment for all its stakeholders;
b) Provide a common language, so that when executives, directors and others talk about risk management, they are truly communicating;
c) Embed the risk management process and ensure it is an integral part of UHMG's planning process at a strategic and operational level;
d) Ensure appropriate strategies are in place to mitigate risks and maximize opportunities; and
e) Describe the roles of key players in the ERM process.
5.0 RISK MANAGEMENT ROLES AND RESPONSIBILITIES
Everyone in UHMG - the board, senior management and staff - is responsible for the
effective management of risk in the organization. The specific responsibilities are
articulated in the following sections:
5.1 Board of Directors
The risk management roles and responsibilities of the UHMG BOD include the following:
5.1.1 Providing oversight of risk management within UHMG including ensuring that management has established an appropriate risk management framework;
5.1.2 Reviewing and approving the overall risk management policy and risk appetite management of UHMG.
5.1.3 Ensuring that the risk management framework established by management enables UHMG to identify all material risks on an on-going basis;
5.1.4 Reviewing, on a semi-annual basis, the significant strategic risks that may materially affect the operations of UHMG.
5.1.5 Ensuring that management has designed and implemented timely, adequate and cost effective risk responses to ensure that all the identified material risks are effectively managed and are within acceptable risk appetite.
5.1.6 Seeking input from internal audits, compliance audits, external audits and relevant consultancy engagements to evaluate the risk management framework.
5.1.7 The BOD may delegate certain risk management activities to the Board Audit and Risk Management Committee, although ultimate responsibility of risk management oversight rests with the BOD.
5.2 Managing Director
The risk management roles and responsibilities of the UHMG MD include the following:
5.2.1 The MD is ultimately accountable to the BOD for ensuring that there is a risk management program in place as part of UHMG's Corporate Governance framework.
5.2.2 Ensuring that a risk management framework is established, implemented and maintained in accordance with this policy. Assignment of responsibilities in relation to risk management is the prerogative of the MD.
5.2.3 Creation of an integrated risk management structure that enables identification of interdependences among cross functional risks and thus synergies and coordination of risk responses.
5.2.4 Through consistent communication and actions, ensure growth of a risk culture in UHMG to enhance embedment of risk management in all operations of UHMG.
5.2.5 Ensure that UHMG commits adequate resources to cost effectively manage identified risks.
5.2.6 Ultimately, the MD is the arbitrator between pursuing opportunities and holding back due to excessive risk.
5.3 Senior Management Team
The risk management roles and responsibilities of the Senior Management Team include the following:
5.3.1 Devolution of the risk management process to operational managers within their units.
5.3.2 Identifying, communicating and managing operational risks within their areas of control.
5.3.3 Promoting the desired risk culture within their units and promoting compliance with the agreed risk appetite.
5.3.4 Collectively the Senior Management Team is responsible for:
a) The design of UHMG's ERM framework;
b) The formal identification of risks that impact upon UHMG's mission;
c) The development of risk management plans; and
d) Establishing the risk appetite for UHMG.
5.4 Risk Management Committee (RMC)
5.4.1 The RMC shall be headed by the Risk Coordinator (RC), who will be a Director, appointed and fully backed by the MD.
5.4.2 The RMC shall have 5 member representatives from each directorate called Risk Officers (ROs) who shall be headed by the Risk Coordinator.
5.4.3 The ROs, with the support of their respective Directors, shall have the responsibility of embedding risk management principles within their directorates and to facilitate seamless coordination between them and the RMC.
5.4.4 The RMC shall be charged with the following responsibilities and roles:
a) Developing terms of reference for the RMC and submitting them to the MD for approval;
b) Rolling out the approved risk management framework and promoting risk management awareness through periodical education to management and staff;
c) Ensuring consistent assessment of risks from a broad organizational perspective and coordinating periodical risk assessment exercises undertaken at departmental level;
d) Updating the risk register and ensuring that all risks have accountable managers who have developed action plans for addressing the risks;
e) Reviewing progress against agreed risk management plans and reporting to management on a monthly basis and the BOD on a quarterly basis; and
f) The RMC is NOT responsible for identifying or managing risks but for coordinating the processes.
5.5 Internal Audit
5.5.1 While they do not have primary responsibility for establishing or maintaining ERM, internal auditors contribute to its effectiveness by carrying out independent evaluation of the adequacy and effective operation of the risk management processes, methodologies and internal controls.
5.5.2 Specific ways in which internal auditors can add value to ERM include:
a) Providing advice in the design and improvement of control systems;
b) Implementing a risk-based approach to planning and executing the internal audit process;
c) Ensuring that internal audit resources are directed at those areas that are most important to the organization;
d) Challenging the basis of UHMG risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies; and
e) Facilitating ERM workshops.
5.6 Staff
5.6.1 The staff of UHMG shall be responsible for executing ERM in accordance with this RMM and other established directives and protocols.
6.0 APPROACH TO RISK MANAGEMENT
6.1 ERM Components
6.1.1 UHMG shall maintain procedures to provide the organisation with a systematic view of the risks faced in the course of its activities. The ERM framework selected by UHMG consists of eight interrelated components that are integrated with the management process. These components include:
a) Internal Environment: – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
b) Objective Setting: – Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
c) Event Identification: – Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
d) Risk Assessment: – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
e) Risk Response: – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
f) Control Activities: – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
g) Information and Communication: – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
h) Monitoring: – The entirety of ERM is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. ERM is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another.
6.1.2 The eight ERM components must be continuously assessed to ensure they are present and functioning effectively. For the components to be judged effective there should be no material weaknesses, and risks should have been brought within UHMG's risk appetite.
6.2 ERM Limitations
6.2.1 While ERM provides important benefits, limitations exist due to the inherent weaknesses in human judgement and the possibility of simple errors/mistakes. It is also possible for controls to be circumvented by collusion of two or more people, and management has the ability to override ERM decisions.
6.2.2 These limitations mean that the BOD and management can have reasonable, but not absolute, assurance as to the achievement of UHMG's objectives.
7.0 RISK MANAGEMENT CONTEXT
The context in which UHMG's risk assessment criteria are set shall involve understanding
and appraising: UHMG's external environment and relationships; its own internal
environment; and the risk management context. This will provide guidance as to
whether the risks are acceptable or not.
7.1 The External Context
7.1.1 Prior to undertaking a risk assessment, UHMG shall seek to understand the external environment in which it operates. From a strategic perspective, UHMG will consider social, political, economic, demographic, ecological, regulatory, legislative and cultural factors that have an impact on the organisation.
7.1.2 UHMG's strengths, weaknesses, opportunities and threats shall be assessed and consultations held with external stakeholders, such as donors, relevant government departments, the community, sub-grantees, contractors and suppliers. This will provide a more complete assessment.
7.1.3 UHMG's Strategic Plan will be reviewed annually to identify changes in UHMG's external strategic environment, measure performance against set targets and adjust strategies, as required. The Strategic Risk Profile of UHMG and proposed risk responses shall be aligned to the Strategic and Business Plans during this exercise.
7.2 The Internal Context
7.2.1 Before undertaking a risk assessment, the internal and operational context should be established which shall include an understanding of UHMG's goals and objectives, management and organisational structures, systems, processes, resources, key performance indicators, and other drivers.
7.2.2 Internal stakeholders including management and staff shall be consulted and their views and perceptions considered accordingly.
7.2.3 The Directors shall ensure that the annual departmental plans are geared towards achieving UHMG's overall strategic objectives and that the departmental strategic and operational risk assessments are aligned to their respective operational plans.
8.0 RISK IDENTIFICATION AND CATEGORISATION
8.1 Risk Identification
8.1.1 The main objective of this section is to develop a systematic approach to identifying risks and provide a basis for categorising identified risks and linking them to the business targets or values they impact.
8.1.2 The risk identification stage shall involve identifying events that can impact on the achievement of UHMG's objectives either negatively (threats) or positively (opportunities).
8.1.3 UHMG Management will channel opportunities back to the strategic planning processes to ensure that the organisation takes full advantage of them. The threats on the other hand shall be recorded in the risk register and managed.
8.1.4 In order not to exclude critical risks, UHMG shall undertake a systematic and comprehensive identification of all risks including those not directly under the control of UHMG. The following approaches may be used for risk identification:
a) Review of strategic plans, operational plans, policy manuals and other key documents;
b) Team-based brainstorming, structured interviews, focus groups;
c) Self-assessments and other facilitated workshops;
d) Past organizational experiences;
e) Carrying out SWOT (Strengths, Weaknesses, Opportunities, Threats) analyses;
f) Comparison with similar organizations, discussion with peers, benchmarking, engaging risk consultants;
g) Carrying out processes mapping, scenario analyses;
h) Carrying out business diagnostics and organizational assessments;
i) Internal and external reports.
8.1.5 The risk approaches above shall be used to identify risks from a variety of perspectives or categories, including:
a) Sources of risk:- governance, strategic, operational/program, financial, external, compliance, and information technology (see Appendix 3 page 31 for generic sources of risk);
b) Objectives: - the risks that could keep the organization from achieving each of its objectives: e.g. planned events, programs, building projects, etc.
c) Areas affected:- reputation, assets, revenues, costs, performance, staff, volunteers, customers and other stakeholders;
d) Specific hazards: - fire, theft, earthquake, etc. The hazard-based approach is usually based on the policy coverage available from insurers;
e) Capacity gaps: - inexperienced or inadequate human resources or inadequate systems and processes to track performance;
f) Risk drivers: - pressure points that if left unchecked contribute to increased risk exposure, for example, high rate of expansion, culture or degree of information flow within the organization;
g) Degree of Control:- the degree of control that the organization has over the risk, e.g.:
No control- e.g. natural disasters, political, economic, social.
Some influence or little control- e.g. public expectations, reputation, competition, and changes to legislation.
Controllable- e.g. choice of programs, events and major projects.
8.1.6 Once the risks are identified, they should be documented in the Risk Register (Ref Appendix 5 page 33).
8.2 Risk Categorization
8.2.1 Within the context of UHMG's established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the organisation. This ERM framework is geared to achieving UHMG's objectives, and seeks to identify and manage risk in the following four categories:
a) Strategic risk: – The risk of having inappropriate or unrealistic strategies and programs, and includes:
External Risk: the risk of becoming irrelevant, losing the support of the public and funding sources, and failing to respond to external factors such as economic, demographic, political and other trends;
Governance risk: the risk of ineffective oversight and poor decision-making;
Reputation risk: the risk of losing goodwill, status in the community, and appeal to prospective partners.
b) Operational risk: – The risk of poor service delivery, and misuse of human capital and other resources;
c) Financial risk: – The risk of fraud, financial failure and financial decisions based on inadequate or inaccurate information;
d) Compliance risk: – The risk of fines and other regulatory penalties due to failure to comply with relevant laws and regulations, including donor requirements.
8.2.2 This categorization of UHMG's objectives allows a focus on separate aspects of ERM. These distinct but overlapping categories address different entity needs and help to ensure a comprehensive coverage of all the potential risks and opportunities facing UHMG. Refer to Risk Register-Appendix 5 page 33.
8.2.3 The adopted risk categories and their definitions represent the meaning of risk for UHMG. Over time, this shall be modified to reflect the changing environment and organisational strategic outlook.
9.0 RISK ANALYSIS
9.1 Risk Rating
9.1.1 UHMG shall assess the identified risks to determine their effect on the organisation and its objectives.
9.1.2 Assessment of risk shall involve consideration of two key parameters:
a) Risk Likelihood: – the chances of a particular risk occurring. This may involve considering how frequently the risk is likely to occur.
b) Risk Impact: – the severity or consequences to UHMG if the risk actually occurred, in particular, the impact on areas such as business continuity, human and financial resources, the community, the environment, corporate image, reputational damage, legal and political implications etc.
9.1.3 The criteria for determining the Likelihood of Occurrence of a particular risk and the Magnitude of Impact in case it occurs are set out in Appendix 1 page 28.
9.1.4 UHMG shall adopt a “risk mapping” technique that assesses each identified risk by displaying the relationship between its Likelihood of Occurrence and Magnitude of Impact (Ref Appendix 2: Risk Assessment Matrix page 30).
9.1.5 The risk assessment matrix shall enable management to rank risks and form a basis for determining how these risks should be managed.
9.1.6 UHMG shall evaluate risks at two levels:
a) Gross/Inherent risk rating: - i.e. before considering controls management has put in place to mitigate the risk; and
b) Net/Residual risk rating: - i.e. assessment of the risk after considering the strength of management controls put in place.
9.1.7 As part of their activities, internal audit shall evaluate whether the established management controls are as robust as assessed by management in bringing the gross risk down to the residual risk.
9.1.8 The residual risk rating will determine further risk responses that management needs to take depending on whether the residual risk is within the acceptable limits.
9.2 Risk prioritization
UHMG shall prioritize risks according to the level of residual risk and document them in
the Risk Response Plan: Appendix 6 Page 62.
10.0 RISK MITIGATION AND PLANNING
RISK MONITORING AND REVIEW
Risk Management is a dynamic process and, to be effective, requires ongoing monitoring and review to ensure that the risk environment in which UHMG operates is constantly up to date and reflects the general operating environment.
10.1. Documentation
10.1.1. Documentation of the UHMG risk management process shall be carried out at each stage for the following reasons:
a) It gives integrity to the process and is an important part of good corporate governance;
b) It provides an adequate audit trail and evidence of a structured approach to risk identification and analysis;
c) It provides a record of decisions made which can be used and reviewed in the future;
d) It provides a record of risks for UHMG which can be continuously updated.
10.1.2. UHMG's risk management process will be mainly captured using a Risk Register (see Appendix 5 page 33) and a Risk Response Plan (see Appendix 6 page 62).
10.1.3. The Risk Register will be reviewed and updated throughout the year on a regular basis to provide comfort that identified risks are managed within acceptable levels. It shall be owned by the BOD and CEO/MD albeit maintained by the RMC. It shall contain the following information:
Risk category
Risk ID
Description of the risk event
Specific discussion and concerns
Gross/Inherent Risk Rating
Risk mitigation strategies in place
Net/Residual Risk Rating
Early warning and reporting triggers
Responsible officer
10.1.4. The Risk Response Plan shall include:
Risk ID to provide a cross reference to the risk register
Risk description
Treatment option chosen by management
Risk rating after treatment
Responsible officer
Implementation timetable
Monitoring mechanisms
10.2. Risk Monitoring
10.2.1. This process shall involve:
a) Monitoring residual risks;
b) Checking that new risks are identified, evaluated and reported;
c) Ensuring that any significant failures of control systems are properly reported and appropriate actions taken;
d) Ensuring that there is an adequate level of understanding of individual responsibilities for both implementation and monitoring of the control systems;
e) Ensuring that the BOD is provided with relevant up to date information;
f) Executing the risk reduction plans; and
g) Evaluating the effectiveness of the risk management programme as a whole.
h) Documentation of any planned action, along with the manager accountable for the action and its expected completion date.
10.2.2. The BOD will monitor risk by:
a) Ensuring that the identification, assessment and mitigation of risk is linked to the achievement of UHMG's operational objectives;
b) Ensuring that the assessment process reflects the BOD's view of acceptable risk;
c) Reviewing and considering the principal results of risk identification, evaluation and management;
d) Reviewing and considering update reports where the need for further action is identified;
e) Considering any significant new activities or opportunities as they arise to ensure any risks are identified and managed; and
f) Considering, periodically, external factors such as new legislation or new requirements from funders.
10.2.3. The risk monitoring process shall provide an opportunity for UHMG to learn from risk and shall involve questions such as:
a) Are we achieving the results we planned?
b) Are we monitoring and learning from control breakdowns and losses?
c) What are we doing about the major risks we have identified?
d) Do we have the necessary guidelines or policies and procedures? Are they working effectively to mitigate the risks?
e) How well are we doing in managing risk?
f) Are “near misses” recorded, tracked and used for learning?
10.3. Review and Reporting
10.3.1. Progress on the action plans will be reported monthly to senior management and quarterly to the BOD by the Risk Co-ordinator through the Risk Management Committee.
10.3.2. An annual report will also be prepared by the RMC and form part of the annual strategic plan review process. Once the revised targets have been established the various Directors, together with their managers and staff, will identify and rank the potential risks that might affect achievement of these targets.
10.3.3. The nature of reporting will vary depending on the level. For instance, the quarterly reporting to the BOD shall focus on UHMG's key (say, top 10) risks and any significant developments during the period.
10.3.4. Specific issues to report to the BOD shall include:
a) The status of major risks including current exposure and effectiveness of risk management techniques;
b) How the strategic environment is changing, what new risks and opportunities are appearing, how they are being managed and what, if any, modifications in strategic direction should be adopted;
c) Progress on closing major gaps in risk management capabilities;
d) Reviews of compliance with risk tolerance policy limits;
e) Any litigation against the organization; and
f) The status of any crises currently being managed and any potential crises.
10.3.5 Risk Planning involves the use of the following tools in the following areas:
(a) Risk context involves developing stakeholder consultation and communication plans.
(b) Risk identification involves the risk universe, brainstorming, scenario analysis, process mapping, system analysis, operational modeling and expert opinion.
(c) The analysis of risks includes qualitative, semi-quantitative and quantitative analysis.
(d) Evaluating risks covers the heat map, numerical ranking of risks and decision trees.
(e) Treating risks involves risk transfer and outsourcing, risk mitigation as stated above and having a cost benefit analysis.
11.0. RISK RESPONSE
11.1. Risk Appetite
11.1.1. Risk appetite is a high level statement that considers broadly the levels of risk that an organisation deems acceptable in pursuit of its objectives. Risk appetite has two components:
a) Risk tolerance: - this refers to how much risk the organization is willing to take i.e. what probability it is prepared to accept that specified objectives will not be met. Operating within risk tolerances provides management greater assurance that UHMG remains within its risk appetite, which, in turn, provides a higher degree of comfort that the organization will achieve its objectives; and
b) Risk capacity: - this refers to the absolute limit of risk that the organization is able to bear. It is based on the strength of its finances, donor support, reputation, and competence of staff. A well-financed organization with experienced, competent and well-equipped staff is in a good position to succeed in new initiatives and to survive setbacks.
11.1.2. The BOD of UHMG shall communicate to management the boundaries and limits set by their policy to ensure a clear understanding of the risks that can be accepted and those that the BOD would consider unacceptable.
11.1.3. UHMG shall consider some of the following questions in determining its risk appetite:
a) What risks will UHMG not accept? (e.g. environmental or quality compromises)
b) What risks will UHMG bear as it takes on new initiatives? (e.g. new product lines, new business units)
c) What amount of money is UHMG prepared and able to lose if a strategy or project is less successful than anticipated?
d) What is the potential risk to UHMG's reputation and credibility if a strategy or project is poorly received or otherwise unsuccessful?
e) What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share for the product facility?)
f) What are the limits of the MD’s authority beyond which BOD approval is needed?
g) What information should the BOD receive before making decisions/granting approvals? E.g. for every proposal or action requiring BOD approval, information should be provided about:
The potential risks and how they will be managed, as well as the potential opportunities;
The alternatives that were rejected as well as the proposal being advanced;
The worst case scenario; and
Management's concerns and uncertainties as well as its optimistic expectations.
11.1.4. The BOD may choose to discuss and approve risk factors on an unstructured, case-by-case basis, or to formulate a formal “risk appetite statement”. In either case, the basis for decisions shall be recorded for future reference.
11.1.5. The RMC will help to translate the overall risk appetite of UHMG, approved by the BOD, into a set of limits and risk metrics that can be tied to particular business strategies and risks, and flow down through the various departments. These metrics shall be defined using quantitative or qualitative terms.
11.1.6. The level of risk UHMG is willing to accept shall provide a benchmark against which the organisation's risk assessment is undertaken. The risk assessment and evaluation in turn shall inform the BOD of the overall risk profile of UHMG and the steps taken to manage major risks identified.
11.2. Risk Treatment
11.2.1. Having identified and assessed the major risks, decisions shall be made regarding how to manage each of them. For example, minor risks that occur frequently can often be managed by good procedures and training. Major but infrequent risks may also require insurance and/or contingency planning in addition to established procedures.
11.2.2. UHMG recognises that it is unlikely that risks will ever be entirely eliminated; however, risks can be reduced to a more acceptable level. UHMG shall draw from the commonly accepted risk treatment options below in light of their cost effectiveness:
a) Accepting risk:
Provided that the risk is unlikely or would not cause serious harm to UHMG, management will accept and monitor it.
A risk may also be accepted if it is identified as unavoidable or no suitable treatment plans are available.
b) Mitigating risk:
This shall involve developing control activities and procedures to detect and reduce the likelihood and/or severity of risks.
For mitigating strategies to be effective, they must fit well with UHMG's corporate strategy.
UHMG may reduce the likelihood and Impact of risks by considering the following actions:
- Structured training and supervision of staff;
- Periodic testing of controls, e.g. fire alarms;
- Enhanced management controls such as reviewing policies and procedures, quality control checks;
- Improved compliance monitoring and audit programs;
- Contingency planning such as Disaster Recovery plans, Business Continuity plans;
- Fraud and Corruption control programs;
- Better contractual arrangements;
- Preventive maintenance;
- Establishing financial reserves;
- Phased commitment to large projects;
- Public relations;
- Succession planning, etc.
c) Transferring risk:
This shall involve other parties bearing or sharing the risk either partially or in full.
UHMG shall consider transferring risk by buying insurance policies to mitigate perils such as fires and thefts.
UHMG may transfer risk through establishing contractual relationships with other organizations that have the expertise and resources to handle specialized issues and risks. This could be through arrangements such as outsourcing, partnerships, joint ventures among others.
Sharing of risks may, however, expose UHMG to other risks such as reputational or litigation risks if the party taking on the risk does not meet their obligations. As such, UHMG shall take great care in identifying parties with whom to share risk and clearly document the expectations and responsibilities of each party.
d) Avoiding risk:
This involves taking a decision not to start or continue with a particular activity (e.g. potential grant, project, product line, market etc) that gives rise to the risk.
This can be a legitimate strategy that UHMG may opt for as a last resort after weighing the potential costs and benefits, and exploring control activities and other ways to manage the risks.
UHMG shall bear in mind that if UHMG's objectives are to be met, some risks cannot be avoided regardless of the risk levels, due to their inherent nature.
11.2.3. In some instances more than one approach may be used. For example, UHMG may establish procedures and controls to mitigate some risks and then buy insurance to cover the residual risk where the established procedures cannot adequately bring the risk within the acceptable limits or where the potential losses may not be easily absorbed from UHMG's operating budget or financial reserves.
11.2.4. While evaluating various risk treatment options, UHMG shall consider the following factors:
a) Comparison of the cost of establishing the risk response to the potential magnitude of the consequences to ensure that it makes business sense to finance the risk response;
b) The extent of risk reduction gained by the risk response; and
c) The extent to which there is an ethical or legal duty to implement a risk treatment option which may override any cost/benefit analysis.
11.2.5. Once each risk has been evaluated, the RMC will draw up a combined plan for actions to be taken to cover the risks. This action plan shall be approved by the MD and the BOD.
11.0 INFORMATION AND COMMUNICATION
a) Communication and consultation shall be carried out at each stage of the UHMG Risk Management process with all relevant stakeholders. Strong communication and consultation shall enhance buy-in from the BOD, senior management and specific risk owners across the entire organisation.
b) UHMG recognizes that when people know what they are expected to do and understand how to recognize and respond to risks, problems are less likely to occur and easier to resolve. The RMC shall ensure that people know and understand the risks that affect other departments and the organisation as a whole, and the consequences of their own actions to others.
c) This shall enable management and/or the RMC to provide training and guidance to staff and volunteers as well as written policies, procedures and job descriptions. The goal shall be to create a “risk-aware culture” in which people are encouraged to take appropriate action to manage risks or report them to others.
d) The Enterprise Risk Management - Integrated Framework requires feedback of information from throughout the organisation. This information must be current and accurate and must be robust enough to support the analysis of different risk responses. Management of UHMG shall therefore identify, capture, and communicate pertinent information in a form and timeframe that enables people to carry out their responsibilities.
e) Risk management results shall be communicated in different forms including:
Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances);
Flowcharts of processes with key controls noted;
Narratives of business objectives linked to operational risks and responses;
List of key risks to be monitored; and
Management understanding of key business risk responsibility and communication of assignments.
12.0 APPENDICES
Appendix 1: Risk Rating Criteria – Impact and Likelihood
Magnitude of Impact
Description / Examples of impact
Major
- Loss of major donor
- Major disruption of business with severe impact on operational performance and achievement of objectives
- Serious erosion of brand value and reputation with adverse publicity
- Litigation with potential for major loss
- Event requires Board and Senior Management attention
Moderate
- Significant impact on the business – projects delayed; beneficiaries affected
- Brand value affected in the short-term
- Litigation with potential for minor loss
- Event requires Senior and Middle Management intervention
Minor
- Impact on internal business only
- Minor potential impact on brand value
- Issue delegated to Middle Management for resolution
Likelihood of occurrence
Description / Examples of likelihood
Likely
- Event will probably occur in most circumstances
- Event will probably occur at least once a year
Possible
- Event might occur at some time, moderate probability of occurrence
- Event might occur, say once every 2 or 3 years
Unlikely
- Event could occur at some time, low probability of occurrence
- Event could occur, say once every 5 years
NOTE: These criteria are only guidelines and management can modify them with time, to better reflect UHMG's risk profile.
Appendix 2: Risk Assessment Matrix
Management Action
High (7–9): Unacceptable risk – Management must take action to lower the risk
Medium (4-6): Judgmental Boundary – Should be dealt with on a case by case basis
Low (1-3): Acceptable Risk – No further management action required
Appendix 3: Generic Sources of Risk and Their Areas of Impact
Identifying sources of risk and areas of impact provides a framework for risk identification and analysis. A generic list of sources and impact will focus risk identification activities and contribute to more effective risk management.
I) Generic Sources of Risk
Each generic source has numerous components, any of which can give rise to a risk. Generic sources of risk may include:
a) Commercial and Legal Relationships: including but not limited to contractual risk, product liability, professional liability and public liability.
b) Economic Circumstances: These can include such sources as currency fluctuations, interest rate changes, taxation and changes in fiscal policy.
c) Human Behavior: such as riots, strikes, sabotage.
d) Natural Events: These can include fire, water damage, earthquakes, vermin, disease and contamination.
e) Political Circumstances: such as legislative changes or changes in government policy that may influence other sources of risk.
f) Technology and Technical Issues: Examples of this include innovation, obsolescence and reliability.
g) Management Activity and Control: such as poor safety management, the absence of control and inadequate security.
h) Individual Activity: including misappropriation of funds, fraud, vandalism, illegal entry, information misappropriation and human error.
II) Areas of Impact
A source of risk may impact on one or more areas. Areas of impact may include:
a) Asset and resource base including personnel;
b) Revenue and entitlements;
c) Costs both direct and indirect;
d) People;
e) The community;
f) Performance;
g) Timing and schedule of activities;
h) The environment;
i) Intangibles such as reputation, goodwill and the quality of life; and
j) Organisational behavior.
Appendix 4: Risk Register format
Columns: Category; Risk ID; Risk Event; Discussion and Concerns; Inherent Risk (Likelihood, Impact, Rating); Risk Mitigation strategy/controls in place; Residual Risk (Likelihood, Impact, Rating); Early warning and reporting triggers; Responsible Officer
Appendix 5: UHMG RISK REGISTER
The risks have been categorized in 7 sub-sections
1. Strategic Risks
2. Operational Risks
3. Financial risks
4. Reputation Risks
5. IT and Information Risks
6. Regulatory Risks
7. People Risks
Explanatory Note on these Risks with examples
1. Strategic Risks - PESC: Political (government policy), Economic (inflation and interest rates), Social (demography and social economic trends) and Customers (failure to meet the current and changing needs of customers).
2. Operational Risks - Competitive (value for money, product and quality), Physical (fire, security, health and safety), Contractual (failure to deliver goods, services on time, cost and specifications).
3. Financial Risks - Failure of financial planning, budgetary controls, funding shortfall, mismanagement of resources, inaccurate or inadequate monitoring and reporting.
4. Reputation Risks - Media coverage or inaction to damage UHMG’s good name.
5. IT and Information Risks - Technological: lack of capacity to deal with pace and scale of change; Physical: IT equipment.
6. Regulatory Risks - Legislative: acting contrary to legislation; Environmental: failure to assess environmental consequences; Legal: failure related to breaches to legislation.
7. People Risks - Professional: financial acumen, initiation; Staff and management: loss of key staff or inability to retain them.
Components of a Risk Register
1. Reference Number of the Risk
2. Risks- Clear idea of what the risk is.
3. Consequence- Defining the possible if the risk is not mitigated. Consequences that will remain after adopting the control measures
to be listed in the first column.
4. Probability:
- 5- Definite.
- 4-Very likely
- 3- Likely
- 2- Occasional
- 1- Rare.
5. Rating- Each of the risks must be assigned a certain rating based on the extent of the damage it can cause.
- 5-Disastrous
- 4- Serious damage
- 3- Moderate damage
- 2- Minor damage
- 1-Insignificant
6. Risk Score. The risk score is obtained by multiplying the risk rating with the risk probability. This represents the importance or
urgency of mitigating the risk.
7. Control Measures: It is reserved for enlisting the control measures that have been identified for handling the risk.
8. Control Score; Makes it clear whether the proposed control measures are enough to mitigate the risk completely. They are rated
as follows:
- 3- Significant –the control measures will annul the risk
- 2- Reasonable –can reduce the risk significantly but not completely.
- 1- Insufficient –the control measures are not enough.
PROPOSED NEW FORMAT FOR THE RISK REGISTER:
1. Reference Number
2. Risks
3. Consequences/Concerns
4. Likelihood/Probability, 5 to 1 (A)
5. Impact/Rating, 5 to 1 (B)
6. Risk Score (A*B)
7. Control Measures identified for dealing with the Risk
8. Control Score
9. Current Status and Ownership
(A) Strategic Risks
Columns: Risk Event; (Discussions)/Current Practices, shortcomings (concerns) in place; Likelihood; Impact; Rating; Risk mitigation strategy/controls proposed to be put in place

1. Strategic plan not well understood and not reviewed on a regular basis. It can become static - Managing Director
Discussions/current practices, shortcomings (concerns):
- Strategic plan duration and relevance to the current operations of UHMG
- Inadequate utilization of research data and analysis
- Poor analysis of the environment in which UHMG operates (PEST) and the inherent SWOT analysis of the strategic plan
- Need for clarity of UHMG’s mandate that underpins its broad strategies, business plan and work plans
Likelihood: Likely
Impact: Major
Rating: Disaster
Risk mitigation strategy/controls proposed to be put in place:
- Updated strategic plan and logical framework
- Periodic monitoring and review of strategic plan
- Succinct Board meetings that address PEST, SWOT and the strategic direction of UHMG.
- Management meetings focusing on performance improvement.
- Be used as a reference by top management in decision making.
- Reference by staff and stakeholders
- Used in annual work plans by all the staff.
Current Status:
- Strategic Plan and Logical framework are not reviewed half yearly
- PEST, SWOT are not given regular performance review
- The work plans, KRAs and KPIs are not referenced to the Strategic Plan as a matter of procedure.
2. UHMG not meeting donor reporting requirements - Managing Director
Concerns:
- Failure to report in line with donor agreements
- Failure to meet different stakeholders’ requirements in time.
Likelihood: Unlikely | Impact: Major | Rating: Moderate
Risk mitigation strategy/controls:
- Develop summaries for donor reporting guidelines for easy follow up and encourage staff to attend trainings on donor reporting requirements.
- Standardized reporting mechanisms put in place as per the signed agreements and contracts.
Current Status:
- No audit finding that donor reporting requirements are not adhered to.
3. Performance management not adequate - to have the right people and skills for the positions - Director of Human Resources
Concerns:
- There is a performance management system in place which is not very comprehensive
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Improve the system for managing performance by introducing progressive performance monitoring meetings. This should be done on a monthly basis by each directorate.
- Performance management system that is working and transparent
- Periodic staff assessments and feedback
- Relevant trainings for staff for continuous improvement
- Tone at the top required for effective implementation
- Risk management and controls be monitored regularly.
- HR review required to align objectives, positions and skills to determine those to train, promote or retire.
Current Status:
- It is an area of concern raised by KPMG and in AFFORD capacity building plan.
- Objective tool not in place based on agreed targets, KRAs and KPIs.
4. Business units in UHMG may not complement each other as required in the Business Plan - Managing Director
Concerns:
- Complementarity of the two business units required.
- Investment decisions need harmonization
- Competition required for the commercial units
- Procedural required for the NGO unit
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Clear vision, mission and objectives
- Synergy enhancement
- Clear policies and procedures
- Review possibility of strengthening PF sales to compete favourably, and marketing MSI competences for UHMG’s sustainability
- No internal politics and favouritism be allowed.
Current Status:
- Need for stand-alone PF rather than relying on the support of programs
- Compete with other service/product suppliers to get the best supplier for the products.
5. Stakeholder and Partners having a conflict of interest and relationship is not mutually beneficial. - Managing Director
Concerns:
- Membership register not in place
- Ownership status required for clarification
- Value enhancement be demonstrated for each partner and stakeholders
Likelihood: Possible | Impact: Manageable | Rating: Moderate
Risk mitigation strategy/controls:
- Clarity of stakeholder interest, concerns and value enhancement
- Carry out a comprehensive stakeholder analysis for value enhancement.
- Establish external register for partners and outside stakeholders.
Current Status:
- Register required for all partners and stakeholders
- Stakeholders analysis required to be done annually
6. UHMG not achieving the objective of being a leading health marketing hub in the region - Director of Marketing and Strategic Information
Concerns:
- Health Communication strategies not yet in place for the region.
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Build capacity of a leading health communication hub in the country and replicate it in the region
- Put in place skilled internal staff to drive the process
- Adopt best practices health marketing in social marketing.
- Create awareness about UHMG so that its members can get their work published through journals or in-house magazines.
Current Status:
- Lack of skilled manpower internally to drive the process
- Communication strategy done and approved by the Board
- Knowledge Manager hired to drive the intellectual level process.
7. Disease pandemic - as this can have an impact on UHMG’s service delivery - Director of Programs and Services
Concerns:
- In the past, disease outbreaks in the different parts of the region (Cholera, Ebola, etc) have paralyzed UHMG business in those regions. Future incidences could dent company revenues.
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Build safeguards to ensure quick action to minimize costs when unexpected diseases break out.
- Plan for such eventualities in the work plans with corresponding budgets for emergencies.
- Assess internal capacity before taking on new projects.
- Invest in hiring multi skilled program staff
- Hire program assistants where the qualified staff cannot be obtained.
Current Status:
- Internal Capacity not well developed to handle such emergencies when they occur.
- Work plans and contingency budgets are not in place.
8. Likely shift in government policy and/or donor priorities - Managing Director
Concerns:
- Government policies affecting social marketing e.g. family planning products
Likelihood: Unlikely | Impact: Manageable | Rating: Moderate
Risk mitigation strategy/controls:
- Influence policy where possible through networking
- Keep up to date with developments in government policies
- Attend forums where invited on Government Policies.
Current Status:
- Managing Director and Senior Level Management are aware of any shift in Government Policy.
9. Negative publicity from a partner or member - Managing Director
Concerns:
- Tarnished corporate image leading to loss of goodwill, community status, and appeal to prospective donors and partners
- Over exposure (media)
- Pursuit of partnerships that may erode goodwill and reputation
- Partner shared values
- Shared mission
- Shared objectives
- Partner confidence
Likelihood: Possible | Impact: Critical | Rating: Disaster
Risk mitigation strategy/controls:
- Staff are made aware of UHMG reputation and surrounding risks.
- Design clear guidelines to all stakeholders on UHMG’s involvement in various community activities.
- Information to media should be vetted internally before being publicized
- All partners should be vetted and accepted on the basis of pre-designed criteria
- Proper screening of projects to undertake
- Proper evaluation of additional resources required
- Compliance with statutory and legal framework
- Regular meetings with partners and stakeholders.
Current Status:
- Risk Management awareness required in the whole company.
- Information sharing is done through the shared drive
- UHMG has close relationship with the advertising agencies in town (SCANAD and METROPOLITAN REPUBLIC).
10. Aggressive expansion not properly planned. - Managing Director
Concerns:
- Over trading possible
- Expanding beyond capacity in certain areas
- Thinly spread in areas with no synergies
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Proper feasibility studies - Evaluation of investment plans
- Matching resources with expansion plans
- Constitution of a committee to oversee expansion programs
- As UHMG develops its next strategic plan 2014-2019, the MD will ensure that a clear growth plan commensurate to the organization’s capacity will also be developed as a guide for institutional business growth
Current Status:
- Board and SLM retreats are to ensure proper growth plans are put in place and implemented.
11. Lack of proper systems to cope with project and program demands - Managing Director
Concerns:
- Uncoordinated supervision and monitoring of sub-grantees.
- Supervision of sub-contractors/grantees not adequately done
- Massive consultancy in projects and services due to lack of local capacity.
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- A plan to monitor and build capacity for sub-grantees be made by hiring a Grants manager.
- Strengthen the effectiveness of the sub-grantee process through mentorship.
- Internal capacity building in UHMG Programs and Services directorate.
- Have a phased reduction in the use of consultants for Program and Service work.
Current Status:
- A monitoring checklist has been put in place followed in monitoring and evaluation exercise.
- Teams are now in place covering different functions going along to do monitoring work.
- Internal capacity is still in progress with reference to work being done by outside consultants.
12. Failure to continuously innovate and remain relevant through ideas and technology - Director of Marketing and Strategic Information.
Concerns:
- Relevant Products be in place
- Relevant Service be the guiding model
- Reduction in customer demand cycle.
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Innovation team establishment and empowerment
- Working with like minded partners
- Carrying out research/surveys to gauge acceptability of UHMG products and services.
- Constantly seek to re-position UHMG brands based on changing consumer tastes and preferences. Broaden the market, hence wide customer base
Current Status:
- KRAs and KPIs of MSI are being aligned to achieve UHMG’s strategic objectives.
(B) Operational Risks
Risk Event | Concerns | Likelihood | Impact | Rating | Risk mitigation strategy/controls in place
1. Lack of effective credit monitoring system in PF. - Director of Finance
Concerns:
- Large, long outstanding debtor balances
- Credit ratings
- Credit limit and overdue invoices
- Failure to account for advances given to staff
Likelihood: Unlikely | Impact: Major | Rating: Moderate
Risk mitigation strategy/controls:
- Credit status evaluation should be vigilantly performed for all parties requesting credit.
- Deal with good quality customers
- Establishment and operationalisation of the credit committee
- Establishment and operationalisation of credit limits
- Accountability policy
- Accounts receivable management
- Hiring a Credit Officer.
Current Status:
- The above mitigations have been implemented
2. Lack of documented Supplier relationship procedures. - Director of Product Facility
Concerns:
- Supplier dependency - product quality, cost, delivery terms, lead times (delays); limited supplier options
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Contracts state delivery terms and product quality.
- Need to open up supplier options
- Follow ISO procedure standards
Current Status:
- ISO certification is in progress where procedures for dealing with suppliers and third parties are well stated.
3. Lack of market knowledge - Director of Product Facility.
Concerns:
- Business environment
- Sales volumes
- Sales margins
- Business practices
- Inflation
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Market and product surveys
- Diversified products and services
- Diversified customers
- Pricing strategies
- Retail audits
- Commission based sales targets
- Development of marketing plans
Current Status:
- Retail audits are carried out
- Market surveys are done
- Diversified customers, products and services is done.
4. Lack of a health and safety policy. - Director of Human Resources
Concerns:
- Staff working under hazardous conditions
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Health and safety policy developed
- Improvement in employee working conditions
- Management’s constant oversight over employee working conditions
Current Status:
- There is room for improvement especially with waste management in PF etc.
5. Failure to achieve value for money on procurement of goods and services. - Director of Product Facility
Concerns:
- Lack of proper controls at the warehouse, storage locations, and pharmacies (monitoring and controlling movement of stock items, checking dispensing errors, and maintaining proper records)
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Proper systems for ordering and receipt of stock
- Sufficient and proper storage of stock
- Recording movement of stock
- Linkage of the electronic data system to physical records
- Controls over access to stock storage locations
- Procurement policies and procedures
- Suppliers’ pre-qualification procedures
- Supplier sourcing, bidding, and selection process
- Initiation, authorization, and approval of procurements
- Monitoring of purchase orders
Current Status:
- ISO certification is under way where all the procedures are documented to be followed.
6. Periodical customers’ complaints on product delivery - Director of Product Facility
Concerns:
- Poor planning
- Lack of resources
- Incompetence
- Long procedures
- Poor coordination
Likelihood: Possible | Impact: Manageable | Rating: Moderate
Risk mitigation strategy/controls:
- Proper planning
- Coordinated decision making
- Delivery times for Kampala and out of Kampala documented and now adhered to.
Current Status:
- ISO certification is addressing most of these concerns.
(C) Financial Risks
Risk Event | Concerns | Likelihood | Impact | Rating | Risk mitigation strategy/controls in place
1. Lack of adequate funding sources to fund its approved strategic objectives. - Director of Finance
Concerns:
- Donor dependency and thus failure to generate new funding
- Acceptance of grants not aligned to strategic objectives
- Lack of UHMG owned assets
- Negative relationship with bankers
- Favourable debt financing
- Funding maturities
- Budget is insufficient to maintain cost of excellence
- Failure to develop alternative sources of funding
- Failure to establish cost recovery systems to match reduction in funding
- Sponsored programs do not make appropriate contribution to UHMG overheads and financial sustainability
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Proposal writing is now regularly done.
- Positioning UHMG as a leader in social marketing
- Diversified Portfolio business based on core competences
- Plan new and replacement funding requirements
- Budget allocation process done through approved work plans
- Budget and annual plans regularly done.
- Management’s efforts to identify alternate sources of funds are ongoing
- Contribution margins of sponsored programmes to core costs are now being done.
- Acceptance criteria for sponsored programs
- Management’s efforts to obtain more physical facilities to support UHMG expansion
- Identification of alternative sources of funding
- Have alternative funding plans/mechanisms through PF operations.
Current Status:
- UHMG is addressing this problem proactively through project proposal management.
- PF is to be the backbone of financial stability of UHMG.
- Project management is in line with the overall UHMG strategic objectives
2. The TALLY Accounting Package may not meet the changing requirements of the finance team - Director of Finance and Administration.
Concerns:
- Regular updates and review of the Package required.
- Move to ERP Packages
Likelihood: Unlikely | Impact: Manageable | Rating: Moderate
Risk mitigation strategy/controls:
- Regular IT review be done as per customers’ requirements.
- Include acquisition of ERP in future budgeting requirements.
Current Status:
- This is being addressed within budget limitations.
3. Lower returns on investment - Director of Finance
Concerns:
- Proper investment decision evaluations
- No feasibility study for the outlets
- Investment decisions
Likelihood: Unlikely | Impact: Manageable | Rating: Moderate
Risk mitigation strategy/controls:
- PF - need to identify fast moving products; There may be need to rethink strategy for outlets
- Investment in viable business with an optimal return on investment
- Diversified investment portfolio
- Investment committee set up by SLM.
Current Status:
- MD and Director of Finance and Administration as signatories are responsible for the investment decisions.
4. Lack of fraud risk policy for detecting and preventing fraud. - Director of Administration
Concerns:
- Unauthorised employee activity
- Collusion to defraud the organisation
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Whistle blowing policy
- Strong internal control systems
- Well defined and highly segregated roles in procurement and payment.
- An engaged finance and audit Board Committees.
- Robust internal and risk advisory services.
- Staff of integrity are hired and retained.
Current Status:
- There is room for improvement especially in fraud risk management to close gaps through the internal audit process.
5. Lack of Foreign exchange hedging instruments. - Director of Finance
Concerns:
- Huge transaction forex losses
- Translation losses
- Pricing strategies
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Hedging against foreign exchange risk through invoicing in USD; forward foreign exchange contracts establishment; and currency swaps, futures and options.
Current Status:
- Finance Manual is to be reviewed to include hedging mechanisms.
6. Lack of appropriate hedging mechanisms for Interest rate fluctuations on the Mortgage - Director of Finance
Concerns:
- Varying/fluctuating interest rates on the mortgage facility
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Mix of fixed and floating-rate debt
- New or replacement debt
- Lock in the interest to be changed where possible.
Current Status:
- Finance Manual is to be reviewed to include hedging mechanisms
7. The finance team at the Regional Offices and projects may not fully understand the different Tally System functionalities. - Director of Finance and Administration
Concerns:
- Regular training required and attachment at Head Office finance for skills improvement.
Likelihood: Unlikely | Impact: Manageable | Rating: Moderate
Risk mitigation strategy/controls:
- Have training/orientation sessions to ensure that staff understand the different systems
Current Status:
- Being done
(D) Reputational Risks
Risk Event | Concerns | Likelihood | Impact | Rating | Risk mitigation strategy/controls in place
1. Brand integrity, market ratings, transparency - Director of Marketing and Strategic Information
Concerns:
- Brand marketing is not as effective as BCC promotion and survey results show
- Tracking of brand performance not a regular feature
- Value for money of advertising spends needs to be demonstrated.
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Media coverage, action or inaction to damage UHMG good name.
Current Status:
- KRAs and KPIs of the Unit are being harmonized to address the concerns.
(E) Regulatory Risks
Risk Event | Concerns | Likelihood | Impact | Rating | Risk mitigation strategy/controls in place
1. Lack of up to date follow up on compliance issues with regulations - Director of Administration
Concerns:
- The increasing regulatory scrutiny and rules placed on communication methods, pharmaceutical product marketing and distribution are likely to affect UHMG’s core business.
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Stay up to date with industry regulations.
- Integrate business and compliance program activities and controls in all UHMG interventions.
- Regular legal briefs on new legislations.
Current Status:
- Legal Officer is now carrying out legal audits together with the internal auditor for compliance.
2. Product liability - Director of Product Facility
Concerns:
- Negative side effects leading to legal action
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Enshrine product liability conditions in MoUs
Current Status:
- Legal Officer is now carrying out legal audits together with the internal auditor for compliance.
(F) IT and Information Risks
Risk Event | Concerns | Likelihood | Impact | Rating | Risk mitigation strategy/controls in place
1. Loss of company information affecting competitive advantage - Director of Marketing and Strategic Information
Concerns:
- Theft of strategies and concepts; loss of sales data; inadequate data backup and security (viruses and other malicious attacks)
Likelihood: Possible | Impact: Critical | Rating: Disaster
Risk mitigation strategy/controls:
- Development of business continuity plan and archives center for UHMG.
- Establishment of a central information hub and database for ease of reference.
- Off-site backup services from Bitworks Technologies, who will provide software for cloud backup
Current Status:
- Off-site backup is in place.
- Knowledge Manager hired to co-ordinate information hub and database for ease of reference.
2. Lack of a Disaster recovery plan - Director of Administration
Concerns:
- Majorly fire and accidents
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Ensure periodic data backup is done
- Obtain a backup system for the organization
- Explore and implement options for storing data backups off site
- Keep proper copies of vital data
- Install and regularly test UPS, fire and smoke sensors and alarms and anti-theft alarm systems
- Use anti-virus and malware removal software
- Explore options of types of disaster insurance
- Install fire proof cabinets
Current Status:
- Off-site backup is in place.
- Copies of vital data are kept.
3. Lack of adequate IT security - Director of Administration
Concerns:
- Unrestricted Tally usage rights
- Erroneous & loss of soft documents (Tally)
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Frequent Tally updates, maintenance & audits
- Tally usage trainings
- Clear effective & efficient Tally rights for all staff
- IT end user refresher trainings for all staff
Current Status:
- This is a continuous exercise, as systems and skills are being upgraded.
- Close monitoring is being done.
(G) People Risks
Risk Event | Concerns | Likelihood | Impact | Rating | Risk mitigation strategy/controls in place
1. Lack of capacity to attract and retain key staff - Director of Human Resources
Concerns:
- Low staff self esteem
- Low salary compensation as compared to other organizations of a similar size
- Lack of financial resources
- Lack of an effective performance management system
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Set performance targets for staff against which performance is evaluated
- Ensure that staff have a realistic idea of what their jobs entail
- Provide career development opportunities
- Maintain effective appraisals
- Ensure that staff have a good work/life balance
- Provide a mechanism for staff to register dissatisfaction, whether it is related to appraisals, grievance proceedings, etc
- Provide leadership training for all managers and staff in positions of leadership
- Conducive work environment
- Competitive market pay rates
- Transparent recruitment process
Current Status:
- Effective performance systems are not in place to retain the right staff
- Funding issues are a challenge given the closure of AFFORD project.
- Performance and rewards are not properly aligned.
2. Succession plan not in place - Director of Human Resources
Concerns:
- Poor planning
- Understaffing
Likelihood: Possible | Impact: Major | Rating: High
Risk mitigation strategy/controls:
- Develop employee replacement policy/succession plan for UHMG.
Current Status:
- SLM is doing this.
- Mentorship is not in a written form in its documents.
3. Organizational culture not conducive to UHMG operations. - Human Resources Director
Concerns:
- Laissez-faire culture
- Inability to attract and retain competitive staff
- Internal politics
Likelihood: Unlikely | Impact: Major | Rating: Moderate
Risk mitigation strategy/controls:
- Adapt to high performance and competitive culture
- High rewarding culture to reward high performing staff
- Punitive measures for non performing staff
- Staff recruitment, training and retention policy
- Conducive working environment
- Updated human resource policies and procedures manual
- Staff hand book that is accessible to all UHMG staff to be developed
Current Status:
- SLM and the Board retreats are to take place in April and May for new UHMG, its structure and the business it is in.
4. Poor institutional governance. - Managing Director
Concerns:
- Conflict of interest issues
- Board performance
- Corruption, graft, bribery
- Lack of documented Board member induction programme
- Failure to attract the appropriate Board members
- Board composition - balance between Executive and non Executive members and the nomination process
- Lack of a succession plan to ensure smooth transition without compromising continuity, quality, and morale
- Lack of regular performance evaluation for the board and its sub-committee.
Likelihood: Possible | Impact: Manageable | Rating: Moderate
Risk mitigation strategy/controls:
- Board charter in place
- Updated Board manual
- Evaluation of Board effectiveness
- Board member induction program document and process
- Board’s strategic oversight on UHMG
- Succession plan for Managing Director and senior management
- Code of conduct for Board members
Current Status:
- SLM and the Board retreats are to take place in April and May for new UHMG, its structure and the business it is in.
5. Board Relationships (senior management team and the Board members). - Managing Director
Concerns:
- The Board of Directors hires the Managing Director and the Senior Management. Reporting expectations may not be clear apart from those in the Board Manual.
- Board be involved in seeking external funds from outside parties and outside marketing and lobbying on behalf of UHMG.
Likelihood: Unlikely | Impact: Manageable | Rating: Moderate
Risk mitigation strategy/controls:
- Organisational structure to indicate clear reporting lines and assignment of responsibilities
- Clear Terms of Reference communicated to the Board members
- Clear job descriptions for management team
- Lobbying and fund raising be an activity for Board Engagement.
Current Status:
- Lobbying and fund raising by the Board Members is not actively being done.
Appendix 5: Risk Response Plan
Risk ID | Risk Event | Treatment Option | Risk Rating after Treatment (Likelihood, Impact, Rating) | Responsible Officer | Implementation Timetable | Monitoring Mechanisms