RISK MANAGEMENT POLICY MANUAL OF THE UGANDA HEALTH MARKETING GROUP (UHMG) Version: 1...1 Issue Date: July-2013 Page 1 UGANDA HEALTH MARKETING GROUP (UHMG) RISK MANAGEMENT MANUAL July 2013 (Final) Drawn By: UHMG Internal Audit Department

Upload: duonghanh

Post on 27-Apr-2019



UGANDA HEALTH MARKETING GROUP

(UHMG)

RISK MANAGEMENT

MANUAL

July 2013

(Final)

Drawn By:

UHMG Internal Audit Department


TABLE OF CONTENTS

1.0 INTRODUCTION
1.1 Background
1.2 Application and Interpretation
1.3 Distribution of the RMM
1.4 Review and Update of the RMM

2.0 PURPOSE OF THE RISK MANAGEMENT MANUAL
2.1 Introduction
2.2 Objectives of the RMM
2.3 Nature of the RMM
2.4 Key Control Processes

3.0 RISK POLICY STATEMENT
3.1 UHMG BOD Risk Statement

4.0 ENTERPRISE RISK MANAGEMENT FRAMEWORK
4.1 COSO Enterprise Risk Management-Integrated Framework
4.2 Enterprise Risk Management Defined

5.0 RISK MANAGEMENT ROLES AND RESPONSIBILITIES
5.1 Board of Directors
5.2 Managing Director
5.3 Senior Management Team
5.4 Risk Management Steering Committee (RMSC)
5.5 Internal Audit
5.6 Staff

6.0 APPROACH TO RISK MANAGEMENT
6.1 ERM Components
6.2 ERM Limitations

7.0 RISK MANAGEMENT CONTEXT
7.1 The External Context
7.2 The Internal Context

8.0 RISK IDENTIFICATION AND CATEGORISATION
8.1 Risk Identification
8.2 Risk Categorization

9.0 RISK ASSESSMENT
9.1 Risk Rating
9.2 Risk prioritisation

10.0 RISK RESPONSE
10.1 Risk Appetite
10.2 Risk Treatment

11.0 RISK MONITORING AND REVIEW
11.1 Documentation
11.2 Risk Monitoring
11.3 Review and Reporting

12.0 INFORMATION AND COMMUNICATION

13.0 APPENDICES


Acronyms

BARC Board Audit and Risk Management Committee

BOD Board of Directors

COSO Committee of Sponsoring Organisations of the Treadway Commission

ERM Enterprise Risk Management

IFRS International Financial Reporting Standards

MD Managing Director

NSSF National Social Security Fund

PAYE Pay As You Earn

RC Risk Coordinator

RO Risk Officer

RMM Risk Management Manual

RMC Risk Management Committee

UHMG Uganda Health Marketing Group

URA Uganda Revenue Authority

VAT Value Added Tax

WHT Withholding Tax


Risk management glossary:

The Risk Manual is aimed at streamlining the risk management communication process by promoting the use of consistent terminology across the organization.

Term: Definition

Risk: The chance of something happening that will have an impact on the achievement of UHMG's objectives. It is measured in terms of consequence and likelihood. Every risk consists of three components: an event, a probability of occurrence and an impact.

    Risk event: a discrete possible future occurrence that may affect the organisation for better or worse. It could be a wanted event, an opportunity with a potential positive impact, or an unwanted event or threat with a potential negative outcome.

    Probability: the likelihood that this event will happen.

    Impact: the consequence of the risk, if it occurred.

Enterprise Risk Management: A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Gross Risk Rating: An assessment of the risk before considering any actions or controls put in place to mitigate risk.

Management Controls: Processes in place to mitigate risks. Controls may be policies, procedures, management systems and structures to assist UHMG in its operations.

Net Risk Rating: An assessment of the risk after considering actions or controls that have been put in place to mitigate the risk.

Risk Appetite and Risk Tolerance: Both Risk Appetite and Risk Tolerance set boundaries of how much risk an entity is prepared to accept. Risk Appetite is a higher level statement that considers broadly the levels of risks that management deems acceptable while Risk Tolerances are narrower and set the acceptable level of variation around specific objectives. For instance, an organization that says that it does not accept risks that could result in a significant loss of its revenue base is expressing Appetite. When the same organization says that it does not wish to accept risks that would cause revenue from its top-10 customers to decline by more than 10% it is expressing Tolerance. Operating within risk tolerances provides management greater assurance that the organization remains within its risk appetite, which, in turn, provides a higher degree of comfort that the organization will achieve its objectives.

Risk Acceptance: An informed decision to accept the likelihood and the consequences of a particular risk by UHMG management.

Risk management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects within the environment that UHMG operates in.

Risk Management Coordinator: The Officer responsible for coordinating the risk management process across the organization.


1.0 INTRODUCTION

1.1 Background

Uganda Health Marketing Group (UHMG) is a Company Limited by Guarantee which was incorporated in 1999 and started full operations in April 2007. UHMG's vision is “a good life for all Ugandans” and the mission is to “improve the quality of life of Ugandans through provision of superior and affordable health-care solutions”. UHMG designs and implements strategic and integrated health marketing interventions intended to improve the overall wellbeing of the country's population, while stimulating and increasing commercial sector participation.

The main strategic objectives of UHMG include:

a) To create a consumer-driven approach to health marketing through innovative marketing and social communication platforms that will lead to a good life;

b) To strengthen and work with the Private and Public sectors to widen and/or create new marketing, distribution and service delivery systems to increase consumer access to health products and services;

c) To strengthen the internal capacity of UHMG by developing its human, material and financial resources; and

d) To build UHMG into a competitive and sustainable health service provider.

UHMG is implementing a five-year Strategic Plan with the aim of designing, implementing and mobilising resources to that effect. The organisation is now establishing an Entity-wide Risk Management Framework to ensure a successful exploitation of identified opportunities as well as timely identification and effective management of any risks that may deter the successful implementation of the Strategic Plan.

1.2 Application and Interpretation

1.2.1 The policies and procedures in this Risk Management Manual (RMM) shall apply to all the employees of UHMG and shall be interpreted and administered by the Management of UHMG or their authorised agents.

1.2.2 The RMM shall also be interpreted in light of UHMG's Memorandum and Articles of Association and, in case of conflict, the requirements contained within the Memorandum and Articles of Association shall supersede the application and interpretation of this RMM.


1.3 Distribution of the RMM

1.3.1 The Master copy of the RMM in use should be under the custody of the Risk Coordinator (RC). Other controlled copies shall be issued to the MD and other Directors.

1.3.2 The soft copy of the RMM shall be saved on a central server accessible to all staff as “read only”. The RC shall retain the password required to edit any of the sections of the RMM.

1.4 Risk management overview

1.4.1 Risk

A risk is any factor that has a possibility of causing harm and/or loss, or of preventing UHMG from achieving its objectives. Risk is measured in terms of consequences and likelihood, combined to arrive at a rating from Low to Very high (see the Risk Assessment Matrix on appendix 2 page 30).

1.4.2 What is Risk Management (RM)?

RM is the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects within UHMG's operational environment. RM is an integral part of UHMG's approach to decision-making and accountability. RM involves the following risk phases:

Risk Identification

Risk Analysis

Risk Mitigation and Planning

Risk response

Thus, the RMM documents the procedures that will be used to manage risk throughout UHMG.

1.4.3 Why is Risk Management Important to UHMG?

An effective RM system shall safeguard UHMG's resources and ensure their best utilization. Recognition of RM as a central element of good corporate governance, and as a tool to assist in strategic and operational planning, has many potential planning benefits in the context of the changing operating environment of UHMG's core business. The aim of the RM framework is not to eliminate risk, but rather to assist UHMG personnel to manage the risks involved in all UHMG's activities to maximise opportunities and minimise adverse consequences.

1.5 Review and Update of the RMM

1.5.1 This Manual shall be subject to amendment from time to time. Amendments may result from key omissions, changes in the nature of key operations or changes in the environment UHMG operates in.


1.5.2 The Risk Management Committee (RMC) shall identify the sections of the manual that require amending after consultation with the relevant persons and document the proposed amendment.

1.5.3 Amendments to the manual may also be identified by any user of the manual who should submit a written request to their respective Risk Officer (RO) for review and submission to the RMC.

1.5.4 The written request should include the following minimum information:

a) The section to be amended;

b) The proposed amendments;

c) The reason for the proposed amendment; and

d) The signature of the preparer and reviewer (RO)

1.5.5 All proposed procedural amendments should be submitted through the RMC to the MD for review and approval. All proposed policy amendments should be submitted by the RMC through the MD to the BOD for approval.

1.5.6 On approval of the amendments, the RC shall update the relevant sections of the RMM and the Summary of RMM Changes which will act as a reference trail for management.

1.5.7 The RC shall distribute the new approved sections to the appropriate people (see distribution list above) and retain the Master Copy of the same.

1.5.8 The RMM shall be reviewed regularly, at least annually by Senior Management and approved by the BOD to ensure that the procedures remain relevant to the operations of UHMG. For effectiveness, this review process should be aligned with the annual strategic plan review exercise.


2.0 PURPOSE OF THE RISK MANAGEMENT MANUAL

2.1 Introduction

UHMG management and BOD understand that risk is inherent in all programmatic, administrative and business activities, and therefore, the successful operation of any organisation depends on effective risk management.

UHMG recognises the challenge of promoting risk awareness and culture in a broad sense across the organisation so that line managers and employees understand and accept their accountability for identifying business threats and opportunities.

In order to incorporate risk management into UHMG's operations, the BOD and management of UHMG have developed a framework for systematically identifying, categorising, assessing and managing risks at all levels of the organisation. The adoption of a strategic and formal approach to risk management will: improve decision making; enhance outcomes; reduce surprises; and ultimately enhance accountability.

The aim of this framework is not to eliminate risk, but rather to manage the risks involved in all UHMG activities in order to maximise opportunities and minimise adversity.

2.2 Objectives of the RMM

2.2.1 To provide staff, management and BOD of UHMG with guidance on their risk management roles, responsibilities and authority.

2.2.2 Support a common understanding of Risk management in UHMG

2.2.3 Provide some general guidance and tools to use when integrating risk management into work implementation.

2.2.4 To ensure significant risks are known and monitored, thus empowering management and the BOD to make more effective decisions.

2.2.5 To give a sound basis for strategic planning since key elements of risk will have been identified and appropriate mitigating strategies defined.

2.2.6 To ensure that the risk management policies and procedures of UHMG are applied consistently and do not contradict other existing policies.


2.3 Nature of the RMM

2.3.1 Given that UHMG operates in a constantly changing environment, this RMM will have to be periodically updated in order to ensure that it remains relevant.

2.3.2 It is the responsibility of all users to ensure that the policies and procedures in the RMM are adequate for their operations.

2.3.3 The relevant parties that have a responsibility to coordinate the updating of existing procedures and adding of new procedures to the RMM have been identified in Section 1.5 of this document.

2.3.4 All changes to this RMM shall be carried out in line with the procedures laid out in Section 1.5 of this document.

2.4 Key Control Processes

2.4.1 The MD (Overall Risk Owner), Management and Staff of UHMG shall refer constantly to the RMM when executing their duties to ensure that possible threats and opportunities have been managed accordingly.


3.0 RISK POLICY STATEMENT

3.1 UHMG BOD Risk Statement

3.1.1 The BOD of UHMG is committed to implementing a proactive risk management approach to embed risk management practices in the operations of UHMG and hence give reasonable assurance of achievement of the overall goals of the organisation.

3.1.2 UHMG's Policy on Risk Management shall be based on the following Principles:

a) Risk management shall be integrated into UHMG strategic and business planning processes and shall give guidance for decision-making on day to day activities of UHMG;

b) As far as possible, UHMG will anticipate risks and take proactive action rather than react to surprises.

c) The management of UHMG shall ensure that significant emerging risks are escalated to the BOD and operational risks are reported to the relevant departments in a timely manner.

d) UHMG will seek to mitigate and manage risks effectively to enhance achievement of organizational objectives.

e) A consistent approach to the identification, assessment and management of risks shall be maintained throughout UHMG.

f) All staff shall endeavor to understand and execute their risk management roles, responsibilities and accountabilities.

UHMG shall commit resources to implement risk responses that are effective and whose costs do not outweigh the benefits.


4.0 ENTERPRISE RISK MANAGEMENT FRAMEWORK

4.1 Enterprise Risk Management Definition

4.1.1 ERM deals with risks and opportunities affecting value creation or preservation. UHMG shall adopt the COSO definition of ERM stated below:

4.1.2 The adopted definition reflects certain fundamental concepts. ERM is:

a) A process, ongoing and flowing through an entity. It shall not be a one-off event in UHMG;

b) Effected by people at every level of an organization. Everyone in UHMG shall have a role in ERM;

c) Applied in strategy setting;

d) Applied across the organization, at every level and unit, and includes taking an entity level portfolio view of risk;

e) Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite;

f) Able to provide reasonable assurance to an entity's management and board of directors; and

g) Geared to achievement of objectives in one or more separate but overlapping categories.

4.1.3 ERM shall enable UHMG management to effectively deal with uncertainty and associated risk and opportunity, enhancing the organization's capacity to build value. UHMG shall maximize value when the set objectives and strategies strike an optimal balance between risk and return during resource allocation.

4.1.4 The ERM framework in UHMG shall include the following:

a) Aligning risk appetite and strategy – UHMG Management shall consider the entity's risk appetite in evaluating strategic alternatives, set related objectives, and develop mechanisms to manage related risks.

b) Enhancing risk response decisions – ERM shall provide the rigor to identify and select among alternative risk responses including: risk avoidance, reduction, sharing, and acceptance.

c) Reducing operational surprises and losses – over time, UHMG will gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.

d) Identifying and managing multiple and cross-organizational risks – UHMG faces a myriad of risks affecting different parts of the organization, and ERM will facilitate effective response to the interrelated consequences, and integrated responses to multiple risks.


e) Seizing opportunities – By considering a full range of potential events, UHMG management shall be positioned to identify and proactively realize opportunities.

f) Improving deployment of funding – Obtaining robust risk information will allow UHMG management to effectively assess overall funding needs and enhance fund allocation.

4.1.5 These capabilities inherent in the ERM framework will enable UHMG BOD and management to achieve the organization's performance targets and prevent loss of resources. ERM shall ensure effective reporting and compliance with laws and regulations, and shall help to avoid damage to the entity's reputation and associated consequences. In sum, the ERM framework will help UHMG achieve its objectives while avoiding surprises en route.

4.2 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management-Integrated Framework

4.2.1 UHMG management shall adopt the COSO ERM-Integrated Framework to provide a comprehensive approach for the organization to identify and manage risks that could deter UHMG from achieving its goals. The framework shall present an organization-wide perspective of risk and standardize terms and concepts to promote effective implementation across the organization.

4.2.2 The implementation of a robust and transparent risk management program has become increasingly important given that UHMG operates in a challenging environment characterized by: increasing competition; greater accountability requirements; higher quality standards for both product and service delivery; and a complex business model that combines profit and non-profit elements.

4.2.3 The changing and challenging environment places more pressure on UHMG resources and presents risk and uncertainty to the organization, hence the need for a structured approach to continually align priorities and objectives.

4.2.4 The COSO framework describes the critical principles and components of an effective ERM process. The framework shall:

a) Allow UHMG to proactively manage its risks in a systematic and structured way and to continually refine its processes to reduce UHMG's risk profile thereby maintaining a safer environment for all its stakeholders;

b) Provide a common language, so that when executives, directors and others talk about risk management, they are truly communicating;

c) Embed the risk management process and ensure it is an integral part of UHMG's planning process at a strategic and operational level;

d) Ensure appropriate strategies are in place to mitigate risks and maximize opportunities; and

e) Describe the roles of key players in the ERM process.


5.0 RISK MANAGEMENT ROLES AND RESPONSIBILITIES

Everyone in UHMG - the board, senior management and staff - is responsible for the effective management of risk in the organization. The specific responsibilities are articulated in the following sections:

5.1 Board of Directors

The risk management roles and responsibilities of the UHMG BOD include the following:

5.1.1 Providing oversight of risk management within UHMG including ensuring that management has established an appropriate risk management framework;

5.1.2 Reviewing and approving the overall risk management policy and risk appetite management of UHMG.

5.1.3 Ensuring that the risk management framework established by management enables the UHMG to identify all material risks on an on-going basis;

5.1.4 Reviewing, on a semi-annual basis, the significant strategic risks that may materially affect the operations of UHMG.

5.1.5 Ensuring that management has designed and implemented timely, adequate and cost effective risk responses to ensure that all the identified material risks are effectively managed and are within acceptable risk appetite.

5.1.6 Seeking input from internal audits, compliance audits, external audits and relevant consultancy engagements to evaluate the risk management framework.

5.1.7 The BOD may delegate certain risk management activities to the Board Audit and Risk Management Committee, although ultimate responsibility of risk management oversight rests with the BOD.

5.2 Managing Director

The risk management roles and responsibilities of the UHMG MD include the following:

5.2.1 The MD is ultimately accountable to the BOD for ensuring that there is a risk management program in place as part of UHMG's Corporate Governance framework.

5.2.2 Ensuring that a risk management framework is established, implemented and maintained in accordance with this policy. Assignment of responsibilities in relation to risk management is the prerogative of the MD.

5.2.3 Creation of an integrated risk management structure that enables identification of interdependences among cross functional risks and thus synergies and coordination of risk responses.


5.2.4 Through consistent communication and actions, ensure growth of a risk culture in UHMG to enhance embedment of risk management in all operations of UHMG.

5.2.5 Ensure that UHMG commits adequate resources to cost effectively manage identified risks.

5.2.6 Ultimately, the MD is the arbitrator between pursuing opportunities and holding back due to excessive risk.

5.3 Senior Management Team

The risk management roles and responsibilities of the Senior Management Team include the following:

5.3.1 Devolution of the risk management process to operational managers within their units.

5.3.2 Identifying, communicating and managing operational risks within their areas of control.

5.3.3 Promoting the desired risk culture within their units and promoting compliance with the agreed risk appetite.

5.3.4 Collectively the Senior Management Team is responsible for:

a) The design of UHMG's ERM framework;

b) The formal identification of risks that impact upon UHMG's mission;

c) The development of risk management plans; and

d) Establishing the risk appetite for UHMG.

5.4 Risk Management Committee (RMC)

5.4.1 The RMC shall be headed by the Risk Coordinator (RC), who will be a Director, appointed and fully backed by the MD.

5.4.2 The RMC shall have 5 member representatives from each directorate called Risk Officers (ROs) who shall be headed by the Risk Coordinator.

5.4.3 The ROs, with the support of their respective Directors, shall have the responsibility of embedding risk management principles within their directorates and to facilitate seamless coordination between them and the RMC.

5.4.4 The RMC shall be charged with the following responsibilities and roles:

a) Developing terms of reference for the RMC and submitting them to the MD for approval;


b) Rolling out the approved risk management framework and promoting risk management awareness through periodical education to management and staff;

c) Ensuring consistent assessment of risks from a broad organizational perspective and coordinating periodical risk assessment exercises undertaken at departmental level;

d) Updating the risk register and ensuring that all risks have accountable managers who have developed action plans for addressing the risks;

e) Reviewing progress against agreed risk management plans and reporting to management on a monthly basis and to the BOD on a quarterly basis; and

f) RMC is NOT responsible for identifying or managing risks but coordinating the processes.

5.5 Internal Audit

5.5.1 While they do not have primary responsibility for establishing or maintaining ERM, internal auditors contribute to its effectiveness by carrying out independent evaluation of the adequacy and effective operation of the risk management processes, methodologies and internal controls.

5.5.2 Specific ways in which internal auditors can add value to ERM include:

a) Providing advice in the design and improvement of control systems;

b) Implementing a risk-based approach to planning and executing the internal audit process;

c) Ensuring that internal audit resources are directed at those areas that are most important to the organization;

d) Challenging the basis of UHMG risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.

e) Facilitating ERM workshops.

5.6 Staff

5.6.1 The staff of UHMG shall be responsible for executing ERM in accordance with this RMM and other established directives and protocols.


6.0 APPROACH TO RISK MANAGEMENT

6.1 ERM Components

6.1.1 UHMG shall maintain procedures to provide the organisation with a systematic view of the risks faced in the course of its activities. The ERM framework selected by UHMG consists of eight interrelated components that are integrated with the management process. These components include:

a) Internal Environment: – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

b) Objective Setting: – Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

c) Event Identification: – Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

d) Risk Assessment: – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.

e) Risk Response: – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

f) Control Activities: – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

g) Information and Communication: – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

h) Monitoring: – The entirety of ERM is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. ERM is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another.


6.1.2 The eight ERM components must be continuously assessed to ensure they are present and functioning effectively. For the components to be judged effective there should be no material weaknesses, and risks should have been brought within UHMG's risk appetite.

6.2 ERM Limitations

6.2.1 While ERM provides important benefits, limitations exist due to the inherent weaknesses in human judgement and the possibility of simple errors/mistakes. It is also possible for controls to be circumvented by collusion of two or more people, and management has the ability to override ERM decisions.

6.2.2 These limitations mean that the BOD and management can have reasonable, rather than absolute, assurance as to achievement of UHMG's objectives.


7.0 RISK MANAGEMENT CONTEXT

The context in which UHMG's risk assessment criteria are set shall involve understanding and appraising: UHMG's external environment and relationships; its own internal environment; and the risk management context. This will provide guidance as to whether the risks are acceptable or not.

7.1 The External Context

7.1.1 Prior to undertaking a risk assessment, UHMG shall seek to understand the external environment in which it operates. From a strategic perspective, UHMG will consider social, political, economic, demographic, ecological, regulatory, legislative and cultural factors that have an impact on the organisation.

7.1.2 UHMG‟s strengths, weaknesses, opportunities and threats shall be assessed and consultations made from external stakeholders, such as donors, relevant government departments, the community, sub-grantees, contractors and suppliers. This will provide a more complete assessment.

7.1.3 UHMG’s Strategic Plan will be reviewed annually to identify changes in UHMG’s external strategic environment, measure performance against set targets and adjust strategies, as required. The Strategic Risk Profile of UHMG and proposed risk responses shall be aligned to the Strategic and Business Plans during this exercise.

7.2 The Internal Context

7.2.1 Before undertaking a risk assessment, the internal and operational context should be established which shall include an understanding of UHMG’s goals and objectives, management and organisational structures, systems, processes, resources, key performance indicators, and other drivers.

7.2.2 Internal stakeholders including management and staff shall be consulted and their views and perceptions considered accordingly.

7.2.3 The Directors shall ensure that the annual departmental plans are geared towards achieving UHMG’s overall strategic objectives and that the departmental strategic and operational risk assessments are aligned to their respective operational plans.

8.0 RISK IDENTIFICATION AND CATEGORISATION

8.1 Risk Identification

8.1.1 The main objective of this section is to develop a systematic approach to identifying risks and provide a basis for categorising identified risks and linking them to the business targets or values they impact.

8.1.2 The risk identification stage shall involve identifying events that can impact on the achievement of UHMG’s objectives either negatively (threats) or positively (opportunities).

8.1.3 UHMG Management will channel opportunities back to the strategic planning processes to ensure that the organisation takes full advantage of them. The threats on the other hand shall be recorded in the risk register and managed.

8.1.4 In order not to exclude critical risks, UHMG shall undertake a systematic and comprehensive identification of all risks including those not directly under the control of UHMG. The following approaches may be used for risk identification:

a) Review of strategic plans, operational plans, policy manuals and other key documents;

b) Team-based brainstorming, structured interviews, focus groups;

c) Self-assessments and other facilitated workshops;

d) Past organizational experiences;

e) Carrying out SWOT (Strengths, Weaknesses, Opportunities, Threats) analyses;

f) Comparison with similar organizations, discussion with peers, benchmarking, engaging risk consultants;

g) Carrying out process mapping, scenario analyses;

h) Carrying out business diagnostics and organizational assessments;

i) Internal and external reports.

8.1.5 The risk approaches above shall be used to identify risks from a variety of perspectives or categories, including:

a) Sources of risk:- governance, strategic, operational/program, financial, external, compliance, and information technology (see Appendix 3 page 31 for generic sources of risk);

b) Objectives: - the risks that could keep the organization from achieving each of its objectives: e.g. planned events, programs, building projects, etc.

c) Areas affected:- reputation, assets, revenues, costs, performance, staff, volunteers, customers and other stakeholders;

d) Specific hazards: - fire, theft, earthquake, etc. The hazard-based approach is usually based on the policy coverage available from insurers;

e) Capacity gaps: - inexperienced or inadequate human resources or inadequate systems and processes to track performance;

f) Risk drivers: - pressure points that if left unchecked contribute to increased risk exposure, for example, high rate of expansion, culture or degree of information flow within the organization;

g) Degree of Control:- the degree of control that the organization has over the risk, e.g.:

- No control- e.g. natural disasters, political, economic, social.

- Some influence or little control- e.g. public expectations, reputation, competition, and changes to legislation.

- Controllable- e.g. choice of programs, events and major projects.

8.1.6 Once the risks are identified, they should be documented in the Risk Register (Ref Appendix 5 page 33).

8.2 Risk Categorization

8.2.1 Within the context of UHMG’s established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the organisation. This ERM framework is geared to achieving UHMG’s objectives, and seeks to identify and manage risk in the following four categories:

a) Strategic risk: – The risk of having inappropriate or unrealistic strategies and programs, and includes:

External Risk: the risk of becoming irrelevant, losing the support of the public and funding sources, and failing to respond to external factors such as economic, demographic, political and other trends;

Governance risk: the risk of ineffective oversight and poor decision-making;

Reputation risk: the risk of losing goodwill, status in the community, and appeal to prospective partners.

b) Operational risk: – The risk of poor service delivery, and misuse of human capital and other resources;

c) Financial risk: – The risk of fraud, financial failure and financial decisions based on inadequate or inaccurate information;

d) Compliance risk: – The risk of fines and other regulatory penalties due to failure to comply with relevant laws and regulations, including donor requirements.

8.2.2 This categorization of UHMG’s objectives allows a focus on separate aspects of ERM. These distinct but overlapping categories address different entity needs and help to ensure a comprehensive coverage of all the potential risks and opportunities facing UHMG. Refer to the Risk Register (Appendix 5 page 33).

8.2.3 The adopted risk categories and their definitions represent the meaning of risk for UHMG. Over time, this shall be modified to reflect the changing environment and organisational strategic outlook.

9.0 RISK ANALYSIS

9.1 Risk Rating

9.1.1 UHMG shall assess the identified risks to determine their effect on the organisation and its objectives.

9.1.2 Assessment of risk shall involve consideration of two key parameters:

a) Risk Likelihood: – the chances of a particular risk occurring. This may involve considering how frequently the risk is likely to occur.

b) Risk Impact: – the severity or consequences to UHMG if the risk actually occurred, in particular, the impact on areas such as business continuity, human and financial resources, the community, the environment, corporate image, reputational damage, legal and political implications etc.

9.1.3 The criterion for determining Likelihood of Occurrence of a particular risk and Magnitude of Impact in case it occurs is set out in Appendix 1 page 28.

9.1.4 UHMG shall adopt a “risk mapping” technique that assesses each identified risk by displaying the relationship between its Likelihood of Occurrence and Magnitude of Impact (Ref Appendix 2: Risk Assessment Matrix page 30).

9.1.5 The risk assessment matrix shall enable management to rank risks and form a basis for determining how these risks should be managed.

9.1.6 UHMG shall evaluate risks at two levels:

a) Gross/Inherent risk rating: - i.e. before considering controls management has put in place to mitigate the risk; and

b) Net/Residual risk rating: - i.e. assessment of the risk after considering the strength of management controls put in place.

9.1.7 As part of their activities, internal audit shall evaluate whether the established management controls are as robust as assessed by management in bringing the gross risk down to the residual risk.

9.1.8 The residual risk rating will determine further risk responses that management needs to take depending on whether the residual risk is within the acceptable limits.

9.2 Risk prioritization

UHMG shall prioritize risks according to the level of residual risk and document them in the Risk Response Plan: Appendix 6 Page 62.

10.0 RISK MITIGATION AND PLANNING

RISK MONITORING AND REVIEW

Risk Management is a dynamic process and, to be effective, requires ongoing monitoring and review to ensure that the risk environment in which UHMG operates is constantly up to date and reflects the general operating environment.

10.1. Documentation

10.1.1. Documentation of the UHMG risk management process shall be carried out at each stage for the following reasons:

a) It gives integrity to the process and is an important part of good corporate governance;

b) It provides an adequate audit trail and evidence of a structured approach to risk identification and analysis;

c) It provides a record of decisions made which can be used and reviewed in the future;

d) It provides a record of risks for UHMG which can be continuously updated.

10.1.2. UHMG’s risk management process will be mainly captured using a Risk Register (see Appendix 5 page 33) and a Risk Response Plan (see Appendix 6 page 62).

10.1.3. The Risk Register will be reviewed and updated throughout the year on a regular basis to provide comfort that identified risks are managed within acceptable levels. It shall be owned by the BOD and CEO/MD albeit maintained by the RMC. It shall contain the following information:

Risk category

Risk ID

Description of the risk event

Specific discussion and concerns

Gross/Inherent Risk Rating

Risk mitigation strategies in place

Net/Residual Risk Rating

Early warning and reporting triggers

Responsible officer

10.1.4. The Risk Response Plan shall include:

Risk ID to provide a cross reference to the risk register

Risk description

Treatment option chosen by management

Risk rating after treatment

Responsible officer

Implementation timetable

Monitoring mechanisms

10.2. Risk Monitoring

10.2.1. This process shall involve:

a) Monitoring residual risks;

b) Checking that new risks are identified, evaluated and reported;

c) Ensuring that any significant failures of control systems are properly reported and appropriate actions taken;

d) Ensuring that there is an adequate level of understanding of individual responsibilities for both implementation and monitoring of the control systems;

e) Ensuring that the BOD is provided with relevant up to date information;

f) Executing the risk reduction plans;

g) Evaluating the effectiveness of the risk management programme as a whole; and

h) Documentation of any planned action, along with the manager accountable for the action and its expected completion date.

10.2.2. The BOD will monitor risk by:

a) Ensuring that the identification, assessment and mitigation of risk is linked to the achievement of UHMG’s operational objectives;

b) Ensuring that the assessment process reflects the BOD’s view of acceptable risk;

c) Reviewing and considering the principal results of risk identification, evaluation and management;

d) Reviewing and considering update reports where the need for further action is identified;

e) Considering any significant new activities or opportunities as they arise to ensure any risks are identified and managed; and

f) Considering, periodically, external factors such as new legislation or new requirements from funders.

10.2.3. The risk monitoring process shall provide an opportunity for UHMG to learn from risk and shall involve questions such as:

a) Are we achieving the results we planned?

b) Are we monitoring and learning from control breakdowns and losses?

c) What are we doing about the major risks we have identified?

d) Do we have the necessary guidelines or policies and procedures? Are they working effectively to mitigate the risks?

e) How well are we doing in managing risk?

f) Are “near misses” recorded, tracked and used for learning?

10.3. Review and Reporting

10.3.1. Progress on the action plans will be reported monthly to senior management and quarterly to the BOD by the Risk Co-ordinator through the Risk Management Committee.

10.3.2. An annual report will also be prepared by the RMC and form part of the annual strategic plan review process. Once the revised targets have been established the various Directors, together with their managers and staff, will identify and rank the potential risks that might affect achievement of these targets.

10.3.3. The nature of reporting will vary depending on the level. For instance, the quarterly reporting to the BOD shall focus on UHMG’s key (say, top 10) risks and any significant developments during the period.

10.3.4. Specific issues to report to the BOD shall include:

a) The status of major risks including current exposure and effectiveness of risk management techniques;

b) How the strategic environment is changing, what new risks and opportunities are appearing, how they are being managed and what, if any, modifications in strategic direction should be adopted;

c) Progress on closing major gaps in risk management capabilities;

d) Reviews of compliance with risk tolerance policy limits;

e) Any litigation against the organization; and

f) The status of any crises currently being managed and any potential crises.

10.3.5 Risk Planning involves the use of the following tools in the following areas:

(a) Risk context involves developing stakeholder consultation and communication plans.

(b) Risk identification involves the risk universe, brainstorming, scenario analysis, process mapping, system analysis, operational modeling and expert opinion.

(c) The analysis of risks includes qualitative, semi-quantitative and quantitative analysis.

(d) Evaluating risks covers the heat map, numerical ranking of risks and decision trees.

(e) Treating risks involves risk transfer and outsourcing, risk mitigation stated above and having a cost benefit analysis.

11.0. RISK RESPONSE

11.1. Risk Appetite

11.1.1. Risk appetite is a high level statement that considers broadly the levels of risk that an organisation deems acceptable in pursuit of its objectives. Risk appetite has two components:

a) Risk tolerance: - this refers to how much risk the organization is willing to take i.e. what probability it is prepared to accept that specified objectives will not be met. Operating within risk tolerances provides management greater assurance that UHMG remains within its risk appetite, which, in turn, provides a higher degree of comfort that the organization will achieve its objectives; and

b) Risk capacity: - this refers to the absolute limit of risk that the organization is able to bear. It is based on the strength of its finances, donor support, reputation, and competence of staff. A well-financed organization with experienced, competent and well-equipped staff is in a good position to succeed in new initiatives and to survive setbacks.

11.1.2. The BOD of UHMG shall communicate to management the boundaries and limits set by their policy to ensure a clear understanding of the risks that can be accepted and those that the BOD would consider unacceptable.

11.1.3. UHMG shall consider some of the following questions in determining its risk appetite:

a) What risks will UHMG not accept? (e.g. environmental or quality compromises)

b) What risks will UHMG bear as it takes on new initiatives? (e.g. new product lines, new business units)

c) What amount of money is UHMG prepared and able to lose if a strategy or project is less successful than anticipated?

d) What is the potential risk to UHMG’s reputation and credibility if a strategy or project is poorly received or otherwise unsuccessful?

e) What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share for the product facility?)

f) What are the limits of the MD’s authority beyond which BOD approval is needed?

g) What information should the BOD receive before making decisions/granting approvals? E.g. for every proposal or action requiring BOD approval, information should be provided about:

The potential risks and how they will be managed, as well as the potential opportunities;

The alternatives that were rejected as well as the proposal being advanced;

The worst case scenario; and

Management’s concerns and uncertainties as well as its optimistic expectations.

11.1.4. The BOD may choose to discuss and approve risk factors on an unstructured, case-by-case basis, or to formulate a formal “risk appetite statement”. In either case, the basis for decisions shall be recorded for future reference.

11.1.5. The RMC will help to translate the overall risk appetite of UHMG, approved by the BOD, into a set of limits and risk metrics that can be tied to particular business strategies and risks, and flow down through the various departments. These metrics shall be defined using quantitative or qualitative terms.

11.1.6. The level of risk UHMG is willing to accept shall provide a benchmark against which the organisation’s risk assessment is undertaken. The risk assessment and evaluation in turn shall inform the BOD of the overall risk profile of UHMG and the steps taken to manage major risks identified.

11.2. Risk Treatment

11.2.1. Having identified and assessed the major risks, decisions shall be made regarding how to manage each of them. For example, minor risks that occur frequently can often be managed by good procedures and training. Major but infrequent risks may also require insurance and/or contingency planning in addition to established procedures.

11.2.2. UHMG recognises that it is unlikely that risks will ever be entirely eliminated, but that the risks can be reduced to a more acceptable level. UHMG shall draw from the commonly accepted risk treatment options below in light of their cost effectiveness:

a) Accepting risk:

Provided that the risk is unlikely or would not cause serious harm to UHMG, management will accept and monitor it.

A risk may also be accepted if it is identified as unavoidable or no suitable treatment plans are available.

b) Mitigating risk:

This shall involve developing control activities and procedures to detect and reduce the likelihood and/or severity of risks.

For mitigating strategies to be effective, they must fit well with UHMG’s corporate strategy.

UHMG may reduce the likelihood and impact of risks by considering the following actions:

- Structured training and supervision of staff;

- Periodic testing of controls, e.g. fire alarms;

- Enhanced management controls such as reviewing policies and procedures, quality control checks;

- Improved compliance monitoring and audit programs;

- Contingency planning such as Disaster Recovery plans, Business Continuity plans;

- Fraud and Corruption control programs;

- Better contractual arrangements;

- Preventive maintenance;

- Establishing financial reserves;

- Phased commitment to large projects;

- Public relations;

- Succession planning, etc.

c) Transferring risk:

This shall involve other parties bearing or sharing the risk either partially or in full.

UHMG shall consider transferring risk by buying an insurance policy to mitigate perils such as fires and thefts.

UHMG may transfer risk through establishing contractual relationships with other organizations that have the expertise and resources to handle specialized issues and risks. This could be through arrangements such as outsourcing, partnerships, joint ventures among others.

Sharing of risks may however expose UHMG to other risks such as reputational or litigation risks if the party taking on the risk does not meet their obligations. As such, UHMG shall take great care in identifying parties with whom to share risk and clearly document expectations and responsibilities of each party.

d) Avoiding risk:

This involves taking a decision not to start or continue with a particular activity (e.g. potential grant, project, product line, market etc) that gives rise to the risk.

This can be a legitimate strategy that UHMG may opt for as a last resort after weighing the potential costs and benefits, and exploring control activities and other ways to manage the risks.

UHMG shall bear in mind that if UHMG’s objectives are to be met, some risks cannot be avoided regardless of the risk levels, due to their inherent nature.

11.2.3. In some instances more than one approach may be used. For example, UHMG may establish procedures and controls to mitigate some risks and then buy insurance to cover the residual risk where the established procedures cannot adequately bring the risk within the acceptable limits or where the potential losses may not be easily absorbed from UHMG’s operating budget or financial reserves.

11.2.4. While evaluating various risk treatment options, UHMG shall consider the following factors:

a) Comparison of the cost of establishing the risk response to the potential magnitude of the consequences to ensure that it makes business sense to finance the risk response;

b) The extent of risk reduction gained by the risk response; and

c) The extent to which there is an ethical or legal duty to implement a risk treatment option which may override any cost/benefit analysis.

11.2.5. Once each risk has been evaluated, the RMC will draw up a combined plan for actions to be taken to cover the risks. This action plan shall be approved by the MD and the BOD.

11.0 INFORMATION AND COMMUNICATION

a) Communication and consultation shall be carried out at each stage of the UHMG Risk Management process with all relevant stakeholders. Strong communication and consultation shall enhance buy-in from the BOD, senior management and specific risk owners across the entire organisation.

b) UHMG recognizes that when people know what they are expected to do and understand how to recognize and respond to risks, problems are less likely to occur and easier to resolve. The RMC shall ensure that people know and understand the risks that affect other departments and the organisation as a whole, and the consequences of their own actions to others.

c) This shall enable management and/or the RMC to provide training and guidance to staff and volunteers as well as written policies, procedures and job descriptions. The goal shall be to create a “risk-aware culture” in which people are encouraged to take appropriate action to manage risks or report them to others.

d) The Enterprise Risk Management - Integrated Framework requires feedback of information from throughout the organisation. This information must be current and accurate and must be robust enough to support the analysis of different risk responses. Management of UHMG, therefore shall identify, capture, and communicate pertinent information in a form and timeframe that enables people to carry out their responsibilities.

e) Risk management results shall be communicated in different forms including:

Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances);

Flowcharts of processes with key controls noted;

Narratives of business objectives linked to operational risks and responses;

List of key risks to be monitored; and

Management understanding of key business risk responsibility and communication of assignments.

12.0 APPENDICES

Appendix 1: Risk Rating Criteria – Impact and Likelihood

Magnitude of Impact (description, followed by examples of impact)

Major:

- Loss of major donor

- Major disruption of business with severe impact on operational performance and achievement of objectives

- Serious erosion of brand value and reputation with adverse publicity

- Litigation with potential for major loss

- Event requires Board and Senior Management attention

Moderate:

- Significant impact on the business – projects delayed; beneficiaries affected

- Brand value affected in the short-term

- Litigation with potential for minor loss

- Event requires Senior and Middle Management intervention

Minor:

- Impact on internal business only

- Minor potential impact on brand value

- Issue delegated to Middle Management for resolution

Likelihood of occurrence (description, followed by examples of likelihood)

Likely:

- Event will probably occur in most circumstances

- Event will probably occur at least once a year

Possible:

- Event might occur at some time, moderate probability of occurrence

- Event might occur, say once every 2 or 3 years

Unlikely:

- Event could occur at some time, low probability of occurrence

- Event could occur, say once every 5 years

NOTE: These criteria are only guidelines and management can modify them with time, to better reflect UHMG’s risk profile.

Appendix 2: Risk Assessment Matrix

Management Action

High (7–9): Unacceptable risk – Management must take action to lower the risk

Medium (4–6): Judgmental Boundary – Should be dealt with on a case by case basis

Low (1–3): Acceptable Risk – No further management action required

Appendix 3: Generic Sources of Risk and Their Areas of Impact

Identifying sources of risk and areas of impact provides a framework for risk identification and analysis. A generic list of sources and impact will focus risk identification activities and contribute to more effective risk management.

I) Generic Sources of Risk

Each generic source has numerous components, any of which can give rise to a risk. Generic sources of risk may include:

a) Commercial and Legal Relationships: including but not limited to contractual risk, product liability, professional liability and public liability.

b) Economic Circumstances: These can include such sources as currency fluctuations, interest rate changes, taxation and changes in fiscal policy.

c) Human Behavior: such as riots, strikes and sabotage.

d) Natural Events: These can include fire, water damage, earthquakes, vermin, disease and contamination.

e) Political Circumstances: such as legislative changes or changes in government policy that may influence other sources of risk.

f) Technology and Technical Issues: Examples of this include innovation, obsolescence and reliability.

g) Management Activity and Control: such as poor safety management, the absence of control and inadequate security.

h) Individual Activity: including misappropriation of funds, fraud, vandalism, illegal entry, information misappropriation and human error.

II) Areas of Impact

A source of risk may impact on one or more areas. Areas of impact may include:

a) Asset and resource base including personnel;

b) Revenue and entitlements;

c) Costs both direct and indirect;

d) People;

e) The community;

f) Performance;

g) Timing and schedule of activities;

h) The environment;

i) Intangibles such as reputation, goodwill and the quality of life; and

j) Organisational behavior.

Appendix 4: Risk Register format

The register has the following columns:

- Category

- Risk ID

- Risk Event

- Discussion and Concerns

- Inherent Risk (Likelihood, Impact, Rating)

- Risk Mitigation strategy/controls in place

- Residual Risk (Likelihood, Impact, Rating)

- Early warning and reporting triggers

- Responsible Officer

Appendix 5: UHMG RISK REGISTER

The risks have been categorized in 7 sub-sections

1. Strategic Risks

2. Operational Risks

3. Financial risks

4. Reputation Risks

5. IT and Information Risks

6. Regulatory Risks

7. People Risks

Explanatory Note on these Risks with examples

1. Strategic Risks - PESC: Political (government policy), Economic (inflation and interest rates), Social (demography and social economic trends) and Customers (failure to meet the current and changing needs of customers).

2. Operational Risks - Competitive (value for money, product and quality), Physical (fire, security, health and safety), Contractual (failure to deliver goods, services on time, cost and specifications).

3. Financial Risks - Failure of financial planning, budgetary controls, funding shortfall, mismanagement of resources, inaccurate or inadequate monitoring and reporting.

4. Reputation Risks - Media coverage or inaction to damage UHMG’s good name.

5. IT and Information Risks - Technological: lack of capacity to deal with pace and scale of change; Physical: IT equipment.

6. Regulatory Risks - Legislative: acting contrary to legislation; Environmental: failure to assess environmental consequences; Legal: failure related to breaches of legislation.

7. People Risks - Professional: financial acumen, initiation; Staff and management: loss of key staff or inability to retain them.

Components of a Risk Register

1. Reference Number of the Risk

2. Risks- Clear idea of what the risk is.

3. Consequence- Defining the possible consequences if the risk is not mitigated. Consequences that will remain after adopting the control measures are to be listed in the first column.

4. Probability:

- 5- Definite.

- 4-Very likely

- 3- Likely

- 2- Occasional

- 1- Rare.

5. Rating- Each of the risks must be assigned a certain rating based on the extent of the damage it can cause.

- 5-Disastrous

- 4- Serious damage

- 3- Moderate damage

- 2- Minor damage

- 1-Insignificant

6. Risk Score: The risk score is obtained by multiplying the risk rating with the risk probability. This represents the importance or urgency of mitigating the risk.

7. Control Measures: This column is reserved for listing the control measures that have been identified for handling the risk.

8. Control Score: Makes it clear whether the proposed control measures are enough to mitigate the risk completely. They are rated as follows:

- 3- Significant – the control measures will annul the risk

- 2- Reasonable – can reduce the risk significantly but not completely.

- 1- Insufficient – the control measures are not enough.

PROPOSED NEW FORMAT FOR THE RISK REGISTER:

1. Reference Number

2. Risks

3. Consequences/Concerns

4. Likelihood/Probability, 5 to 1 (A)

5. Impact/Rating, 5 to 1 (B)

6. Risk Score (A*B)

7. Control Measures identified for dealing with the Risk

8. Control Score

9. Current Status and Ownership

(A) Strategic Risks

Columns: Risk Event; (Discussions)/Current Practices, shortcomings (concerns) in place; Likelihood; Impact; Rating; Risk mitigation strategy/controls proposed to be put in place.

1. Strategic plan not well understood and not reviewed on a regular basis. It can become static. - Managing Director

Concerns:
- Strategic plan duration and relevance to the current operations of UHMG
- Inadequate utilization of research data and analysis
- Poor analysis of the environment in which UHMG operates (PEST) and the inherent SWOT analysis of the strategic plan
- Need for clarity of UHMG’s mandate that underpins its broad strategies, business plan and work plans

Likelihood: Likely. Impact: Major. Rating: Disaster.

Risk mitigation strategy/controls proposed:
- Updated strategic plan and logical framework
- Periodic monitoring and review of strategic plan
- Succinct Board meetings that address PEST, SWOT and the strategic direction of UHMG.
- Management meetings focusing on performance improvement.
- Be used as a reference by top management in decision making.
- Reference by staff and stakeholders
- Used in annual work plans by all the staff.

Current Status:
- Strategic Plan and Logical framework are not reviewed half yearly
- PEST, SWOT are not given regular performance review
- The work plans, KRAs and KPIs are not referenced to the strategic Plan as a matter of procedure.


2. UHMG not meeting donor reporting requirements - Managing Director

Concerns:
- Failure to report in line with donor agreements
- Failure to meet different stakeholders’ requirements in time.

Likelihood: Unlikely. Impact: Major. Rating: Moderate.

Risk mitigation strategy/controls proposed:
- Develop summaries for donor reporting guidelines for easy follow up and encourage staff to attend trainings on donor reporting requirements.
- Standardized reporting mechanisms put in place as per the signed agreements and contracts.

Current Status:
- No audit finding that donor reporting requirements are not adhered to.

3. Performance management not adequate to have the right people and skills for the positions - Director of Human Resources

Concerns:
- There is a performance management system in place which is not very comprehensive

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls proposed:
- Improve the system for managing performance by introducing progressive performance monitoring meetings. This should be done on a monthly basis by each directorate.
- Performance management system that is working and transparent
- Periodic staff assessments and feedback
- Relevant trainings for staff for continuous improvement
- Tone at the top required for effective implementation
- Risk management and controls be monitored regularly.
- HR review required to align objectives, positions and skills to determine those to train, promote or retire.

Current Status:
- It is an area of concern raised by KPMG and in AFFORD capacity building plan.
- Objective tool not in place based on agreed targets, KRAs and KPIs.

4. Business units in UHMG may not complement each other as required in the Business Plan - Managing Director

Concerns:
- Complementarity of the two business units required.
- Investment decisions need harmonization
- Competition required for the commercial units
- Procedural required for the NGO unit

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls proposed:
- Clear vision, mission and objectives
- Synergy enhancement
- Clear policies and procedures
- Review possibility of strengthening PF sales to compete favourably, and marketing MSI competences for UHMG’s sustainability
- No internal politics and favouritism be allowed.

Current Status:
- Need for stand-alone PF rather than relying on the support of programs
- Compete with other service/product suppliers to get the best supplier for the products.

5. Stakeholder and Partners having a conflict of interest and relationship is not mutually beneficial. - Managing Director

Concerns:
- Membership register not in place
- Ownership status required for clarification
- Value enhancement be demonstrated for each partner and stakeholders

Likelihood: Possible. Impact: Manageable. Rating: Moderate.

Risk mitigation strategy/controls proposed:
- Clarity of stakeholder interest, concerns and value enhancement
- Carry out a comprehensive stakeholder analysis for value enhancement.
- Establish external register for partners and outside stakeholders.

Current Status:
- Register required for all partners and stakeholders
- Stakeholders analysis required to be done annually

6. UHMG not achieving the objective of being a leading health marketing hub in the region - Director of Marketing and Strategic Information

Concerns:
- Health Communication strategies not yet in place for the region.

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls proposed:
- Build capacity of a leading health communication hub in the country and replicate it in the region
- Put in place skilled internal staff to drive the process
- Adopt best practices health marketing in social marketing.
- Create awareness about UHMG so that its members can get their work published through journals or in-house magazines.

Current Status:
- Lack of skilled manpower internally to drive the process
- Communication strategy done and approved by the Board
- Knowledge Manager hired to drive the intellectual level process.


7. Disease pandemic, as this can have an impact on UHMG’s service delivery - Director of Programs and Services

Concerns:
- In the past, disease outbreaks in the different parts of the region (Cholera, Ebola, etc) have paralyzed UHMG business in those regions. Future incidences could dent company revenues.

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls proposed:
- Build safeguards to ensure quick action to minimize costs when unexpected diseases break out.
- Put for such eventualities in the work plans with corresponding budgets for emergencies.
- Assess internal capacity before taking on new projects.
- Invest in hiring multi skilled program staff
- Hire program assistants where the qualified staff cannot be obtained.

Current Status:
- Internal Capacity not well developed to handle such emergencies when they occur.
- Work plans and contingency budgets are not in place.

8. Likely shift in government policy and/or donor priorities - Managing Director

Concerns:
- Government policies affecting social marketing e.g. family planning products

Likelihood: Unlikely. Impact: Manageable. Rating: Moderate.

Risk mitigation strategy/controls proposed:
- Influence policy where possible through networking
- Keep up to date with developments in government policies
- Attend forums where invited on Government Policies.

Current Status:
- Managing Director and Senior Level Management are aware of any shift in Government Policy.

9. Negative publicity from a partner or member - Managing Director

Concerns:
- Tarnished corporate image leading to loss of goodwill, community status, and appeal to prospective donors and partners
- Over exposure (media)
- Pursuit of partnerships that may erode goodwill and reputation
- Partner shared values
- Shared mission
- Shared objectives
- Partner confidence

Likelihood: Possible. Impact: Critical. Rating: Disaster.

Risk mitigation strategy/controls proposed:
- Staff are made aware of UHMG reputation and surrounding risks.
- Design clear guidelines to all stakeholders on UHMG’s involvement in various community activities.
- Information to media should be vetted internally before being publicized
- All partners should be vetted and accepted on the basis of pre-designed criteria
- Proper screening of projects to undertake
- Proper evaluation of additional resources required
- Compliance with statutory and legal framework
- Regular meetings with partners and stakeholders.

Current Status:
- Risk Management awareness required in the whole company.
- Information sharing is done through the shared drive
- UHMG has close relationship with the advertising agencies in town (SCANAD and METROPOLITAN REPUBLIC).

10. Aggressive expansion not properly planned. - Managing Director

Concerns:
- Over trading possible
- Expanding beyond capacity in certain areas
- Thinly spread in areas with no synergies

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls proposed:
- Proper feasibility studies - Evaluation of investment plans
- Matching resources with expansion plans
- Constitution of a committee to oversee expansion programs
- As UHMG develops its next strategic plan 2014-2019, the MD will ensure that a clear growth plan commensurate to the organization’s capacity will also be developed as a guide for institutional business growth

Current Status:
- Board and SLM retreats are to ensure proper growth plans are put in place and implemented.

11. Lack of proper systems to cope with project and program demands - Managing Director

Concerns:
- Uncoordinated supervision and monitoring of sub-grantees.
- Supervision of sub-contractors/grantees not adequately done
- Massive consultancy in projects and services due to lack of local capacity.

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls proposed:
- A plan to monitor and build capacity for sub-grantees be made by hiring a Grants manager.
- Strengthen the effectiveness of the sub-grantee process through mentorship.
- Internal capacity building in UHMG Programs and Services directorate.
- Have a phased reduction in the use of consultants for Program and Service work.

Current Status:
- A monitoring checklist has been put in place and is followed in the monitoring and evaluation exercise.
- Teams are now in place covering different functions going along to do monitoring work.
- Internal capacity is still in progress with reference to work being done by outside consultants.

12. Failure to continuously innovate and remain relevant through ideas and technology - Director of Marketing and Strategic Information

Concerns:
- Relevant Products be in place
- Relevant Service be the guiding model
- Reduction in customer demand cycle.

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls proposed:
- Innovation team establishment and empowerment
- Working with like minded partners
- Carrying out research/surveys to gauge acceptability of UHMG products and services.
- Constantly seek to re-position UHMG brands based on changing consumer tastes and preferences. Broaden the market, hence wide customer base

Current Status:
- KRAs and KPIs of MSI are being aligned to achieve UHMG’s strategic objectives.


(B) Operational Risks

Risk Event Concerns Likelihood Impact Rating Risk mitigation strategy/controls in place

1. Lack of effective credit monitoring system in PF. - Director of Finance

Concerns:
- Large, long outstanding debtor balances
- Credit ratings
- Credit limit and overdue invoices
- Failure to account for advances given to staff

Likelihood: Unlikely. Impact: Major. Rating: Moderate.

Risk mitigation strategy/controls in place:
- Credit status evaluation should be vigilantly performed for all parties requesting credit.
- Deal with good quality customers
- Establishment and operationalisation of the credit committee
- Establishment and operationalisation of credit limits
- Accountability policy
- Accounts receivable management
- Hiring a Credit Officer.

Current Status:
- The above mitigations have been implemented

2. Lack of documented Supplier relationship procedures. - Director of Product Facility

Concerns:
- Supplier dependency: product quality, cost, delivery terms, lead times (delays); limited supplier options

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Contracts state delivery terms and product quality.
- Need to open up supplier options
- Follow ISO procedure standards

Current Status:
- ISO certification is in progress where procedures for dealing with suppliers and third parties are well stated.


3. Lack of market knowledge - Director of Product Facility

Concerns:
- Business environment
- Sales volumes
- Sales margins
- Business practices
- Inflation

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Market and product surveys
- Diversified products and services
- Diversified customers
- Pricing strategies
- Retail audits
- Commission based sales targets
- Development of marketing plans

Current Status:
- Retail audits are carried out
- Market surveys are done
- Diversified customers, products and services is done.

4. Lack of a health and safety policy. - Director of Human Resources

Concerns:
- Staff working under hazardous conditions

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Health and safety policy developed
- Improvement in employee working conditions
- Management’s constant oversight over employee working conditions

Current Status:
- There is room for improvement especially with waste management in PF etc.


5. Failure to achieve value for money on procurement of goods and services. - Director of Product Facility

Concerns:
- Lack of proper controls at the warehouse, storage locations, and pharmacies (monitoring and controlling movement of stock items, checking dispensing errors, and maintaining proper records)

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Proper systems for ordering and receipt of stock
- Sufficient and proper storage of stock
- Recording movement of stock
- Linkage of the electronic data system to physical records
- Controls over access to stock storage locations
- Procurement policies and procedures
- Suppliers’ pre-qualification procedures
- Supplier sourcing, bidding, and selection process
- Initiation, authorization, and approval of procurements
- Monitoring of purchase orders

Current Status:
- ISO certification is under way where all the procedures are documented to be followed.

6. Periodical customers’ complaints on product delivery - Director of Product Facility

Concerns:
- Poor planning
- Lack of resources
- Incompetence
- Long procedures
- Poor coordination

Likelihood: Possible. Impact: Manageable. Rating: Moderate.

Risk mitigation strategy/controls in place:
- Proper planning
- Coordinated decision making
- Delivery times for Kampala and out of Kampala documented and now adhered to.

Current Status:
- ISO certification is addressing most of these concerns.


(C) Financial Risks

Risk Event Concerns Likelihood Impact Rating Risk mitigation strategy/controls in place

1. Lack of adequate funding sources to fund its approved strategic objectives. - Director of Finance

Concerns:
- Donor dependency and thus failure to generate new funding
- Acceptance of grants not aligned to strategic objectives
- Lack of UHMG owned assets
- Negative relationship with bankers
- Favourable debt financing
- Funding maturities
- Budget is insufficient to maintain cost of excellence
- Failure to develop alternative sources of funding
- Failure to establish cost recovery systems to match reduction in funding
- Sponsored programs do not make appropriate contribution to UHMG overheads and financial sustainability

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Proposal writing is now regularly done.
- Positioning UHMG as a leader in social marketing
- Diversified Portfolio business based on core competences
- Plan new and replacement funding requirements
- Budget allocation process done through approved work plans
- Budget and annual plans regularly done.
- Management’s efforts to identify alternate sources of funds are ongoing
- Contribution margins of sponsored programmes to core costs are now being done.
- Acceptance criteria for sponsored programs
- Management’s efforts to obtain more physical facilities to support UHMG expansion
- Identification of alternative sources of funding
- Have alternative funding plans/mechanisms through PF operations.

Current Status:
- UHMG is addressing this problem proactively through project proposal management.
- PF is to be the backbone of financial stability of UHMG.
- Project management is in line with the overall UHMG strategic objectives

2. The TALLY Accounting Package may not meet the changing requirements of the finance team - Director of Finance and Administration

Concerns:
- Regular updates and review of the Package required.
- Move to ERP Packages

Likelihood: Unlikely. Impact: Manageable. Rating: Moderate.

Risk mitigation strategy/controls in place:
- Regular IT review be done as per customers’ requirements.
- Include acquisition of ERP in future budgeting requirements.

Current Status:
- This is being addressed within budget limitations.


3. Lower returns on investment - Director of Finance

Concerns:
- Proper investment decision evaluations
- No feasibility study for the outlets
- Investment decisions

Likelihood: Unlikely. Impact: Manageable. Rating: Moderate.

Risk mitigation strategy/controls in place:
- PF - need to identify fast moving products; there may be need to rethink strategy for outlets
- Investment in viable business with an optimal return on investment
- Diversified investment portfolio
- Investment committee set up by SLM.

Current Status:
- MD and Director of Finance and Administration as signatories are responsible for the investment decisions.

4. Lack of fraud risk policy for detecting and preventing fraud. - Director of Administration

Concerns:
- Unauthorised employee activity
- Collusion to defraud the organisation

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Whistle blowing policy
- Strong internal control systems
- Well defined and highly segregated roles in procurement and payment.
- An engaged finance and audit Board Committees.
- Robust internal and risk advisory services.
- Staff of integrity are hired and retained.

Current Status:
- There is room for improvement especially in fraud risk management to close gaps through the internal audit process.


5. Lack of Foreign exchange hedging instruments. - Director of Finance

Concerns:
- Huge transaction forex losses
- Translation losses
- Pricing strategies

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Hedging against foreign exchange risk through invoicing in USD; forward foreign exchange contracts establishment; and currency swaps, futures and options.

Current Status:
- Finance Manual is to be reviewed to include hedging mechanisms.

6. Lack of appropriate hedging mechanisms for Interest rate fluctuations on the Mortgage - Director of Finance

Concerns:
- Varying/fluctuating interest rates on the mortgage facility

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Mix of fixed and floating-rate debt
- New or replacement debt
- Lock in the interest to be changed where possible.

Current Status:
- Finance Manual is to be reviewed to include hedging mechanisms

7. The finance team at the Regional Offices and projects may not fully understand the different Tally System functionalities. - Director of Finance and Administration

Concerns:
- Regular training required and attachment at Head Office finance for skills improvement.

Likelihood: Unlikely. Impact: Manageable. Rating: Moderate.

Risk mitigation strategy/controls in place:
- Have training/orientation sessions to ensure that staff understand the different systems

Current Status:
- Being done


(D) Reputational Risks

Risk Event Concerns Likelihood Impact Rating Risk mitigation strategy/controls in place

1. Brand integrity, market ratings, transparency - Director of Marketing and Strategic Information

Concerns:
- Brand marketing is not as effective as BCC promotion and survey results show
- Tracking of brand performance not a regular feature
- Value for money of advertising spends needs to be demonstrated.

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Media coverage, action or inaction to damage UHMG good name.

Current Status:
- KRAs and KPIs of the Unit are being harmonized to address the concerns.


(E) Regulatory Risks

Risk Event Concerns Likelihood Impact Rating Risk mitigation strategy/controls in place

1. Lack of up to date follow up on compliance issues with regulations - Director of Administration

Concerns:
- The increasing regulatory scrutiny and rules placed on communication methods, pharmaceutical product marketing and distribution are likely to affect UHMG’s core business.

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Stay up to date with industry regulations.
- Integrate business and compliance program activities and controls in all UHMG interventions.
- Regular legal briefs on new legislations.

Current Status:
- Legal Officer is now carrying out legal audits together with the internal auditor for compliance.

2. Product liability - Director of Product Facility

Concerns:
- Negative side effects leading to legal action

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Enshrine product liability conditions in MoUs

Current Status:
- Legal Officer is now carrying out legal audits together with the internal auditor for compliance.


(F) IT and Information Risks

Risk Event Concerns Likelihood Impact Rating Risk mitigation strategy/controls in place

1. Loss of company information affecting competitive advantage - Director of Marketing and Strategic Information

Concerns:
- Theft of strategies and concepts; loss of sales data; inadequate data backup and security (viruses and other malicious attacks)

Likelihood: Possible. Impact: Critical. Rating: Disaster.

Risk mitigation strategy/controls in place:
- Development of business continuity plan and archives center for UHMG.
- Establishment of a central information hub and database for ease of reference.
- Off-site backup services from Bitworks Technologies, who will provide software for cloud backup

Current Status:
- Off-site backup is in place.
- Knowledge Manager hired to co-ordinate information hub and database for ease of reference.

2. Lack of a Disaster recovery plan - Director of Administration

Concerns:
- Majorly fire and accidents

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Ensure periodic data backup is done
- Obtain a backup system for the organization
- Explore and implement options for storing data backups off site
- Keep proper copies of vital data
- Install and regularly test UPS, fire and smoke sensors and alarms and anti-theft alarm systems
- Use anti-virus and malware removal software
- Explore options of types of disaster insurance
- Install fire proof cabinets

Current Status:
- Off-site backup is in place.
- Copies of vital data are kept.

3. Lack of adequate IT security - Director of Administration

Concerns:
- Unrestricted Tally usage rights
- Erroneous & loss of soft documents (Tally)

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Frequent Tally updates, maintenance & audits
- Tally usage trainings
- Clear, effective & efficient Tally rights for all staff
- IT end user refresher trainings for all staff

Current Status:
- This is a continuous exercise, as systems and skills are being upgraded.
- Close monitoring is being done.

(G) People Risks


Risk Event Concerns Likelihood Impact Rating Risk mitigation strategy/controls in place

1. Lack of capacity to attract and retain key staff - Director of Human Resources

Concerns:
- Low staff self esteem
- Low salary compensation as compared to other organizations of a similar size
- Lack of financial resources
- Lack of an effective performance management system

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Set performance targets for staff against which performance is evaluated
- Ensure that staff have a realistic idea of what their jobs entail
- Provide career development opportunities
- Maintain effective appraisals
- Ensure that staff have a good work/life balance
- Provide a mechanism for staff to register dissatisfaction, whether it is related to appraisals, grievance proceedings, etc
- Provide leadership training for all managers and staff in positions of leadership
- Conducive work environment
- Competitive market pay rates
- Transparent recruitment process

Current Status:
- Effective performance systems are not in place to retain the right staff
- Funding issues are a challenge given the closure of AFFORD project.
- Performance and rewards are not properly aligned.

2. Succession plan not in place - Director of Human Resources

Concerns:
- Poor planning
- Understaffing

Likelihood: Possible. Impact: Major. Rating: High.

Risk mitigation strategy/controls in place:
- Develop employee replacement policy/succession plan for UHMG.

Current Status:
- SLM is doing this.
- Mentorship is not in a written form in its documents.


3. Organizational culture not conducive to UHMG operations. - Human Resources Director

Concerns:
- Laissez-faire culture
- Inability to attract and retain competitive staff
- Internal politics

Likelihood: Unlikely. Impact: Major. Rating: Moderate.

Risk mitigation strategy/controls in place:
- Adapt to high performance and competitive culture
- High rewarding culture to reward high performing staff
- Punitive measures for non performing staff
- Staff recruitment, training and retention policy
- Conducive working environment
- Updated human resource policies and procedures manual
- Staff hand book that is accessible to all UHMG staff to be developed

Current Status:
- SLM and the Board retreats are to take place in April and May for new UHMG, its structure and the business it is in.

4. Poor institutional governance. - Managing Director

Concerns:
- Conflict of interest issues
- Board performance
- Corruption, graft, bribery
- Lack of documented Board member induction programme
- Failure to attract the appropriate Board members
- Board composition - balance between Executive and non Executive members and the nomination process
- Lack of a succession plan to ensure smooth transition without compromising continuity, quality, and morale
- Lack of regular performance evaluation for the board and its sub-committee.

Likelihood: Possible. Impact: Manageable. Rating: Moderate.

Risk mitigation strategy/controls in place:
- Board charter in place
- Updated Board manual
- Evaluation of Board effectiveness
- Board member induction program document and process
- Board’s strategic oversight on UHMG
- Succession plan for Managing Director and senior management
- Code of conduct for Board members

Current Status:
- SLM and the Board retreats are to take place in April and May for new UHMG, its structure and the business it is in.

5. Board Relationships (senior management team and the Board members). - Managing Director

Concerns:
- The Board of Directors hires the Managing Director and the Senior Management. Reporting expectations may not be clear apart from those in the Board Manual.
- Board be involved in seeking external funds from outside parties and outside marketing and lobbying on behalf of UHMG.

Likelihood: Unlikely. Impact: Manageable. Rating: Moderate.

Risk mitigation strategy/controls in place:
- Organisational structure to indicate clear reporting lines and assignment of responsibilities
- Clear Terms of Reference communicated to the Board members
- Clear job descriptions for management team
- Lobbying and fund raising be an activity for Board Engagement.

Current Status:
- Lobbying and fund raising by the Board Members is not actively being done.


Appendix 5: Risk Response Plan

Columns of the Risk Response Plan:

- Risk ID
- Risk Event
- Treatment Option
- Risk Rating after Treatment (Likelihood, Impact, Rating)
- Responsible Officer
- Implementation Timetable
- Monitoring Mechanisms
