Module 6. Analyzing, Disseminating, and Using the Information
On-line Training Course on Results-Based Monitoring and Evaluation for MDG Implementation
Session 2 – Risk Management

Upload: tranquynh

Post on 14-Apr-2018


1. Describe the necessary conditions that must exist if the cause-effect relationships between levels of results are to behave as expected.

2. Conditions over which management has no or very little control

3. Should be identified during the planning/design stage, and monitored and reviewed during implementation

1. The first step in risk management

2. Identifying assumptions and accompanying indicators needs participation of stakeholders

EXTERNAL LOGIC

1. Risk is defined as “threat to an assumption not taking place/happening”

2. Risk management refers to the “process of managing uncertainties related to a threat, or in the context of the logframe, the threat of the assumptions not actually taking place.”

1. In results-based M&E, the approach is to accept the presence of risk and plan accordingly by attempting to bring the internal and external factors under management control.

2. The further one progresses along the performance framework the less control one has over these factors and the ability to bring risk within manageable control becomes increasingly difficult.

ASSESSING AND MONITORING RISKS

1. Communicate and consult
2. Establish the context
3. Identify risks
4. Analyze risks
5. Evaluate risks
6. Treat risks
7. Monitor and review
8. Document and report

1. Stakeholders should have good knowledge of the risks likely to face the organization/program and why certain actions are undertaken.

2. Should occur at each stage of the risk management process

3. Communication and consultation with stakeholders demonstrate the integrity of the risk management process, facilitate acceptance of the process, and generate constructive solutions to identified risks.

1. Defines the boundaries and parameters within which risk must be managed

2. Sets range for the rest of the risk management process

3. Involves understanding the broader environment surrounding the program/project/organization and how it affects the achievement of program/organizational outcomes

4. Involves identifying key stakeholders, who may either be allies in the management of risks or may be sources of risks.

1. Strategic context
2. Organizational context
3. Project context
4. Risk management context
5. Risk appetite

1. Identifies the strengths, weaknesses, opportunities and threats of the environment within which the organization operates

2. Determines elements that support or impair its ability to manage risks

3. Includes financial, operational, competitive, political (public perceptions/image), social, cultural and legal aspects of the organisation’s functions.

1. Looks into the:
• Relationship between the organisation and its environment
• Organisation's strengths and weaknesses
• Internal stakeholders and their objectives/perceptions
• External stakeholders and their objectives/perceptions
• Communication between stakeholders

1. Refers to the agency structure, goals, objectives and functions including its capabilities and how to achieve these

2. Goals assist in defining criteria to determine risk acceptability and to decide on options for treatment.

3. Examines the following: Link between service delivery and Government outcomes; Compliance with legislative and Statutory requirements; Conformance to Whole-Of-Government policy; and Conformance to agency policy.

1. Defines the activity or issue under scrutiny and includes the objectives, scope, boundaries and agencies' business units involved.

2. Involves identifying the following: risk project scope and parameters; risk project extent in time and location; studies needed; resources needed (Human Resources, Financial Resources, IT Resources); budget - need to balance costs, benefits and opportunities; and specific issues (Special roles and Responsibilities, Risk Project/Risk Project Dependences).

1. Analysis is based on the type of risk, the information that needs to be conveyed and the best method for communicating this information.

1. Outlines the relationship and business need of the proposed project/program to the intended outputs of the agency's Service Delivery Plan

2. Looks into the following: Relationship of Risk Project to Government Outcomes; Relationship of Risk Project to Agency outputs; Change in involved management teams; and Business process changes and/or related work procedures.

1. Determines the amount of risk the agency is prepared to bear

2. The tolerable extent of risk varies according to the perceived significance of particular risks.

3. Example: A tolerable financial loss may vary in accordance with a range of features including the size of the relevant budget, the source of loss, or associated other risks such as adverse publicity or public perception/image issues. Where a particular risk can give rise to a number of effects, an effect of quite large financial loss may be acceptable, whereas an associated effect of damage to health and/or safety may not be tolerable at all.

1. Involves identifying all potential risks, examining the sources, and understanding the likelihood and consequences of each risk

2. Should get the perspective of all stakeholders

3. Requires the use of relevant, comprehensive, accurate, and timely information

4. Requires expert knowledge of the subject

Answers the following questions:
• what can happen
• when and where it can happen
• how and why it occurs
• what are potential outcomes

1. Separates the minor acceptable risks from the major risks

2. Risks are analysed in terms of likelihood and consequence.

Likelihood is used as a description of probability or frequency, or simply: 'What is the chance of the risk occurring?' Consequence is the potential outcome or impact of a risk occurring. In determining the consequence of a particular risk, one should consider the number of people involved, and the possible cost to the organisation.

1. Consequence and likelihood may be determined using statistical analysis and calculations. Where no historical data is available, estimates may be made which reflect a degree of belief that a particular event or outcome will occur.

2. Also involves assessing the adequacy of existing controls (e.g. systems, processes and procedures), the effectiveness of controls in preventing or reducing risks and the frequency of implementation.

RISK ANALYSIS MATRIX – RATING THE LEVEL OF RISK

Likelihood:
1. Unlikely: Outcome not expected to occur
2. Possible: Outcome might occur at some time
3. Likely: Outcome could occur occasionally
4. Almost Certain: Outcome will occur often

Consequences (Probability or Impact Examples) and the resulting risk rating:

4 Critical
• Managing People: Significant restrictions on resourcing key services or programs state-wide; serious FMS, CMC breach; multiple deaths
• Product and service delivery: State-wide cessation of multiple services or programs; greater than one month operational delay
• Performance/Financial: Impact on 25% of budget / $10 M plus. Major program objectives not achieved
• Information Management/Administrative Systems: State-wide loss of services, programs or data
• Infrastructure/Asset Management: Long term and possible permanent loss of property or assets
• Managing the environment (internal/external): Sustained adverse publicity / extreme public outrage state-wide, permanent community/environmental impact
Rating by likelihood: Unlikely = Medium; Possible = High; Likely = Extreme; Almost Certain = Extreme

3 Major
• Managing People: Noticeable restrictions on resourcing some services or programs; loss of life or permanent injury; CMC investigation
• Product and service delivery: Cessation of some services or programs; up to one month operational delay
• Performance/Financial: Impact on 10% of budget; $1M - $10M; Major activities not achieved
• Information Management/Administrative Systems: Loss or restrictions to key services, programs or large loss or theft of data
• Infrastructure/Asset Management: Sustained damage to property or assets lasting many months
• Managing the environment (internal/external): Significant political sensitivity, long term detrimental impact on community & the environment & stakeholder relationships
Rating by likelihood: Unlikely = Medium; Possible = High; Likely = High; Almost Certain = Extreme

2 Moderate
• Managing People: Localised restrictions on resourcing services or programs; serious injury requiring hospitalisation or medical treatment; minor code of conduct breach
• Product and service delivery: Disruption to a number of services or programs; up to one week operational delay
• Performance/Financial: Impact on 5% of budget; $100,000 - $1M; Some key deliverables not achieved
• Information Management/Administrative Systems: Restrictions to services, programs & loss or theft of some data
• Infrastructure/Asset Management: Significant but temporary damage to property or assets
• Managing the environment (internal/external): Significant adverse publicity state-wide, adverse community or environmental impact in some locations
Rating by likelihood: Unlikely = Low; Possible = Medium; Likely = High; Almost Certain = High

1 Minor
• Managing People: Minimal effect on resourcing services/programs; First-aid injury, no lost time; local workforce management issue
• Product and service delivery: Minimal disruption to some services or programs; up to one day operational delay
• Performance/Financial: Impact on 2% of budget; Loss of less than $100,000; Minimal impact on output
• Information Management/Administrative Systems: Minor effect on services, programs
• Infrastructure/Asset Management: Slight/temporary damage to property or assets
• Managing the environment (internal/external): Short term adverse community impact in particular locations; Short term local environmental issue
Rating by likelihood: Unlikely = Low; Possible = Low; Likely = Medium; Almost Certain = Medium

Risk ratings and required response:
• Low: Managed at operational level using routine procedures
• Medium: Ongoing management/monitoring of specified improvement activities
• High: Review by senior executive &/or accountable senior manager
• Extreme: Immediate action of Senior Executive / notification of Chief Executive Officer

1. Compares the estimated level of risk against predetermined criteria, and decides whether these risks require treatment.

2. Risks with a rating of Low or Medium are deemed to be acceptable and should be managed locally.

3. Risks with a rating of High or Extreme are deemed to be unacceptable and require:
• the development of specific treatment actions
• the attention of senior management for their mitigation

1. Identifies ways to treat risks that are unacceptable to the organisation

2. Chosen option should be able to reduce the level of risk to an acceptable level or as low as reasonably practicable.

3. Selecting the most effective treatment strategy involves:
• assessing the feasibility, potential benefits and costs of each option;
• selecting the best option; and
• determining how the treatment will be implemented.

Risk treatment strategies may include:

• Reduce the Likelihood - Limiting the chance that the risk will occur by undertaking specific actions.

• Reduce the Consequence – Minimizing the impact of the risk, should it occur, by developing consequence reduction strategies.

• Share the Risk - Sharing responsibility for the risk with another party, who ultimately bears some of the consequences if the risk occurs.

• Avoid the Risk – Eliminating the risk by ceasing the activity or choosing an alternative, more acceptable activity, with less risky methodology or process.

1. Contains the risk treatment strategies and the process for their implementation

2. Includes:
• the risk to be treated
• the preferred treatment strategy
• priority level for the implementation of the treatment
• implementation schedule
• responsibilities - who's going to do what and by when

3. Plan should be part of the organization’s existing management plan or the program/project implementation plan.

Risk Management Plan*

Source of Risk¹ | Risk Event² | Ranking³ (L, C, R) | Risk Treatment | Responsible Entity

1. Risks are constantly changing.

2. At the programme/project level, necessary conditions underlying the causal-relationships may change requiring immediate corrective action.

3. By monitoring and reviewing risks regularly, new risks are detected and action plans are developed and implemented effectively.

1. Involves identifying the following:
• whether each risk previously identified is still relevant to the organisational area.
• the assessments given to likelihood and consequences for each risk.
• risk rating.
• adequacy of existing control strategies.
• treatment strategies that are currently being implemented, and discuss any strategies that have previously been considered.

1. Helps detection of new risks and effective development and implementation of action plans

2. Attention should be paid to the cost-effectiveness of the approach used, particularly for either very large, complex, innovative, or risky initiatives where the potential benefits could outweigh the additional cost of data collection and analysis.

3. Requires involvement of stakeholders in managing the implementation process.

1. Facilitates integration of risk management in normal organizational/programme management processes

2. Needs the development of a communication strategy for reporting risks to key stakeholders

Using the template presented earlier, prepare a Risk Management Plan for your program/organization.