
Step 2: Risk Assessment


Policy:

Risk assessment is the iterative process of risk identification, analysis, and evaluation. The objective is to provide sufficient information at appropriate intervals for risk-informed management decisions. High quality risk assessments enable greater acceptance of risk-taking opportunities (e.g. innovation) while ensuring rigorous due diligence, treatment, monitoring and control.

Risk Identification

Risk is the effect of uncertainty on organizational and programming objectives, which could be either positive and/or negative. A risk, if realized, may enhance, prevent, degrade, accelerate or delay the achievement of objectives. Risk identification considers ‘future events’, their causes and potential impact. Therefore, risk identification requires understanding the context, historic risk patterns, and foresight thinking to reveal future scenarios and uncertainties relevant to the organizational goals and/or development results.

Potential risks across the ERM risk categories (see Appendix 2) should be considered to ensure that all relevant risks are identified.

Each identified risk, including those identified through relevant prescriptive processes listed above (e.g. HACT, SESP, Fraud risk assessment), is recorded in the Risk Register and is described in terms of cause, future event/scenario, and impact and assigned a category.

Risk Analysis

Risk analysis requires an assessment of the likelihood of a risk and the potential impact on the objectives. The ERM Criteria Model (see Appendix 3) defines the five-point scale that is used to determine likelihood and impact. At the programme/unit and corporate level, a more detailed analysis of consequences is applied to determine overall impact. The capital support required to absorb unexpected losses is defined based on financial consequences.

Available information and evidence are considered in the assessment of likelihood and impact. Where applicable, the risk analysis includes the use of relevant thematic analyses (e.g. security risk analysis, fraud risk assessment, social and environmental impact assessment). In cases where likelihood and/or impact remain difficult to estimate and there is a potential for harm, a precautionary approach is applied by estimating the worst-case scenario to ensure the risk is treated accordingly and closely monitored. The risk analysis should be adjusted if and when more information becomes available. Based on the likelihood and impact, the risk significance level (High, Substantial, Moderate or Low) is determined using the ERM Risk Matrix shown below.

[Figure: ERM Risk Matrix (likelihood x impact, giving the significance levels High, Substantial, Moderate and Low)]

HIGH level risks require escalation and thorough risk analysis. Extra risk control mechanisms need to be put in place, and risk treatment measures clearly identified, budgeted, and implemented; frequent monitoring; and necessary precautions to ensure staff and personnel safety and security are not compromised and opportunities are not missed.

Both SUBSTANTIAL and MODERATE level risks require risk analysis scaled to the scope and nature of the risks with risk treatment and monitoring measures in place and budgeted. SUBSTANTIAL risks require more detailed risk analysis and risk management plans.

LOW level risks do not require further analysis or treatment.


Risk Evaluation

Based on the analyses of individual risks, together with the defined risk appetite of the Unit/Office, an evaluation is made to determine which risks can be accepted and which risks require a priority response. Risks that present a potential for fraud or misuse of funds, significant harm to people or the environment and/or the organization should be avoided where possible and otherwise minimized and mitigated. Risk evaluation requires decision-making by line management at the relevant levels.

Guidance:

Risk Identification

 

1.    What is the purpose of risk identification?

Remember, risks that are not identified are not managed either!

 

Once the context is established and well understood, you and your team should identify ALL risks that you can envisage. This includes the threats that might hinder achievement of your objectives and all the opportunities that might facilitate the achievement of your objectives. It is worth mentioning that this has to be an inclusive process with due consultation of all relevant stakeholders (see more under Step 4: Risk Consultation and Communication). As a result of risk identification, you will have a list of all risks to a project, a programme or the whole organization within the agreed time horizon.

 

2.    How to identify risks?

The value of risk identification lies in ALL risks being identified, but quite often people tend to think about their own areas of expertise and might pay less attention to the types of risks that are beyond their immediate area of concern. For example, the project manager for a climate change project may have a good understanding of climate and environmental risks but may not necessarily think about or understand potential human rights, ICT, financial, and other risks.

 

We need an integrated and comprehensive perspective and the joint efforts of all team members from programming and operations to identify all risks and manage them to deliver results through UNDP programming. To support this exercise, UNDP has identified risk categories that are critically important for performance (see Table 1). Those categories cover the whole range of social and environmental, financial, operational, organizational, political, regulatory, strategic, safety and security risks. Not all types of risks might be relevant for a project, a programme or a country office, but it is important to remind yourself of these categories during the risk identification process. More examples of each risk category can be found in Annex 2.

 

There are various techniques for HOW to identify (and later on, analyze) risks. It can be done using different tools including SESP, private sector due diligence, HACT, Security Risk Analysis (SRA), etc. UNDP has developed different tools and platforms that can help at all stages of risk assessment.

 

3.    How to describe risks?

The risk description reflects the level of analysis done in understanding the risk. The risk analysis includes (a) envisaging the event in the future (i.e. a deviation from what is expected or planned, an uncertain event that might or might not happen), (b) understanding the causes of such an event, and (c) understanding the impact on the objective of your project or programme should the risk materialize. Risks should be described using the following logic:

<if (the causes)> then (risk event) <impact, (the consequences)>.  

Risk description must be sufficiently detailed to explain the risk and trigger response actions.

 

Important: Earlier we agreed that a risk event is a deviation or a change in the future that might or might not happen. It's an action. Therefore, it must be described as an action, using a verb together with a reference to uncertainty: might, might not, possible, maybe, etc.

 

Ensure that risks are described with clarity so that the description itself does not create confusion about what is meant to be stated by it. The reader must get a clear understanding of the risks described and therefore understand why and how the organization will be investing in managing each risk.

 

4.    Risks to or Risk from?

It is also important to address both risks to and risks from projects and programmes. 'Risk to' refers to the risks towards the objectives of the project. 'Risk from' refers to the risks the project or programme might trigger by its activities. For example, the social and environmental standards (SES) of UNDP might not be stipulated in the objectives of each and every project or programme, but due attention to the social and environmental risks from the project or programme is critically important.

 

A project might trigger disputes over limited local resources, unintentionally create favorable conditions for one group of local partners over the others, or result in inadvertent environmental degradation. It is important to envisage such situations and to avoid potential harm to people and the environment wherever possible, and to ensure risk management measures are in place otherwise. This requires careful consideration of UNDP's Social and Environmental Standards (2015). The Social and Environmental Screening Procedure is applied to support the identification of social and environmental risks, which need to be incorporated into the broader risk management process.

 

Guidance:

Risk Analysis

 

1.    What is the purpose of risk analysis?

After risks are identified, each risk needs to be analyzed from the perspective of the likelihood of it happening and the impact (both positive and negative) it might cause, if and when it happens. The UNDP ERM methodology requires that both impact and likelihood are measured on a 5-point scale as defined in the ERM Policy. The UNDP Criteria Model is a tool to guide both consequence and likelihood analysis.

 

Please note that available information and evidence are considered in the assessment of likelihood and impact. Where applicable, the risk analysis includes the use of relevant thematic analyses (e.g. security risk analysis, fraud risk assessment, social and environmental impact assessment). In cases where likelihood and/or impact remain difficult to estimate and there is a potential for harm, a precautionary approach is applied by estimating the worst-case scenario to ensure the risk is treated accordingly and closely monitored for any adjustment.

 

2.    How to determine risk likelihood?

In risk analysis various criteria are used, both for likelihood and for impact analysis. The ERM Policy defines several degrees of likelihood on a 5-point scale. Your estimate of the likelihood of a risk happening might be based on past experience (how often you've witnessed similar risks happening in the past) or on your indicative understanding of the likelihood of a novel risk (one that has never happened before, but about which you might have some expectations based on your best knowledge).

 

Important to note:

The application of risk criteria is an indicative process that is not aimed at maximum precision. It is often very challenging to draw a definitive line between different scales of likelihood and impact. How does one define whether a risk is of 'low likelihood' or of 'moderate likelihood'? How does one differentiate between 'negligible' and 'minor' impact? The more evidence you have, the easier it is. But often it's a matter of perception and gut feeling. Don't be afraid to trust your gut feeling; it is the combination of knowledge and experience that your brain builds over time. In the meantime, don't forget that others might have a different perception of the same risk. That is why the most important part of risk analysis is to discuss and reconcile different risk perceptions.

 

3.    How to determine risk impact?

The ERM Policy identifies several types of impact: consequences for development results, operations, compliance, safety & security, and reputation. Each consequence can be analyzed using the 5-point scale: negligible, minor, intermediate, extensive, and extreme. However, not all impacts might be relevant for each risk; therefore, there is no need to rate impact for every consequence per se, only for those that are relevant.

 

While risks fall into different categories (financial, operational, strategic, etc.), a risk in any category might have financial consequences if it materializes. The risk that a donor might withdraw funding for political reasons might be categorized as a strategic risk. However, this risk would have a financial impact on the project: the project budget might be reduced by the volume of funding the donor withdraws. Hence, the direct financial impact will be the exact amount the donor might withdraw from the project or programme.

 

Quantification of the financial consequence is not a straightforward exercise. Qualitative data analysis as well as an in-depth understanding of the context are important factors when calculating a risk's financial loss. These include key stakeholders' tolerance of identified risks, the source of the risk and when it occurs, as well as its likelihood and impact. According to our ERM policy, financial consequence is defined as "the amount of funds that the organization needs to commit to rectify the situation once the risk has materialized." In that regard, financial consequence is not:

  1. The "opportunity loss" that the organization suffers when the risk materializes; for instance, if a risk undermines the possibility to mobilize resources, the realization of the risk will affect the possibility of achieving development results, but it will not translate into a financial impact equal to the resources which were not mobilized.
  2. The cost of prevention and risk mitigation measures;
  3. The monetized amount of loss of productivity (e.g. staff time, running cost, etc.); or
  4. The loss generated from exchange rate fluctuations on non-core resources.

Guidance:

Risk Evaluation

 

1.    What is the purpose of risk evaluation?

In risk management, the risk evaluation process is about risk prioritization. Out of all risks that have been identified and then analyzed, the team decides which risks should be considered a priority for response. Based on the two-dimensional analysis of likelihood and consequences, the risks are mapped and prioritized according to their risk significance level (High, Substantial, Moderate or Low) in the ERM Risk Matrix.

Remember, high level risks can present opportunities to be taken advantage of!

High level risks in the top right corner should not be treated as something to be avoided (unless there is a potential for harm). In programming, high level risks can present a tremendous opportunity to drive change. In the complex context of development cooperation, it is rather difficult to separate out purely negative impact, as uncertainties are often mutually interdependent and might cause both positive and negative effects for different groups at the same time, or at different time periods. It is therefore critical to identify the uncertainties and describe their impact and likelihood to support decision-making, rather than label all risks as a potential danger.

Low significance risks may not require any treatment measures; they can be tolerated, in other words, only monitored. Moderate significance risks need to be treated and monitored, and a minimum investment might be required to modify the risk.

2.    How to evaluate risks?

To understand what guides risk evaluation, we need to introduce two concepts: risk appetite and risk capacity.

Risk Capacity: the maximum amount of risk that an organization is able to tolerate. Risk capacity must be defined at the beginning of the project and can be expressed in financial terms. For instance, Project A is able to tolerate risks totalling USD 500,000. Project B instead decided to tolerate risks up to USD 20,000. These numbers indicate the share of the budget the project is willing to invest to mitigate negative consequences or to explore opportunities. NB. This is NOT the budget allocated for risk management, which is related to implementation of the risk management processes within an organization!

Risk Appetite: the maximum amount of risk that an organization is willing to tolerate. Naturally, this should be lower than the maximum amount of risk it can take on. Risk appetite provides a threshold for the organization to take risks.

The Eisenhower Matrix or Urgent-Important Matrix

Dwight D. Eisenhower, the 34th President of the USA, invented the world-famous Eisenhower principle, which helps to prioritize by urgency and importance.

                 Urgent                                    Not Urgent
Important        DO: Do it now!                            DECIDE: Schedule time to do it
Not Important    DELEGATE: What's urgent but less          DELETE: What's neither urgent nor
                 important, delegate to others             important, don't do at all

Risks of HIGH urgency and importance require immediate attention, additional analysis, and must be escalated to the attention of the next in line management. Extra risk control mechanisms need to be put in place, and risk treatment measures clearly identified, budgeted, and implemented; frequent monitoring; and (if applicable) necessary precautions to ensure staff and personnel safety and security are not compromised and opportunities are not missed.

The risks of SUBSTANTIAL and MODERATE urgency also require additional analysis, adequate risk response measures and close monitoring to manage and treat risks to the desired threshold of acceptance.

The risks of LOW urgency and importance can be tolerated as they are, without any treatment. Useful tips for risk prioritization can be found in the Eisenhower Matrix. Like all other risk management processes, risk prioritization too is an inclusive process, with active engagement of the team members and, when relevant and feasible, in consultation with stakeholders.

 

3.    What is additional risk analysis?

After the risks are analyzed with their likelihood and impact defined, the risks that scored HIGH or SUBSTANTIAL in significance must be analyzed from the perspective of their FINANCIAL and REPUTATIONAL impact, if materialized.

Financial impact from a risk is focused on direct financial losses and includes the following:

  • The cost of prevention and risk mitigation measures, and
  • Monetized amount of loss of productivity (e.g. staff time, running cost, etc.)

Important: Financial impact is NOT about the "opportunity loss" that the organization suffers when the risk materializes. For instance, if a risk undermines the possibility to mobilize resources, the financial impact DOES NOT equal the resources which were not mobilized.

 

UNDP safeguards effective implementation of its projects and programmes, and therefore, any risk that might have significant financial impact must be prioritized. Hence, the risks with financial impact above 3 must be prioritized.

Reputational impact from a risk covers the level of negative consequences from external stakeholders towards the organization that can be expected. The reputational impact is very difficult to quantify, but some indicative scoring is possible based on your best understanding of the risk. The organization has no tolerance for reputational risks; therefore, any risk that might have significant reputational impact must be prioritized. Hence, the risks with reputational impact that score above 2 must be prioritized.

Both financial and reputational impact of the risks must be analyzed using the ERM Criteria Model.

Financial consequence using the 5-scale measurement:

  1. Less than 5% of applicable budget
  2. 5-20% of applicable budget
  3. 20-30% of applicable budget
  4. 30-50% of applicable budget
  5. More than 50% of applicable budget

 

Reputational consequence using the 5-scale measurement:

  1. Isolated negative comments from external stakeholders
  2. Several negative comments from external stakeholders
  3. Negative reports/articles in national, regional and /or international media
  4. Negative reports/articles in several national, regional, and/or international media for a period of a week or more, and/or criticism from key stakeholders
  5. Negative reports/articles in several national, regional and/or international media for a period of a month or more, and/or strong criticism from key stakeholders
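The two scales above, together with the prioritization rules in the guidance (financial impact above 3, reputational impact above 2, applied to HIGH and SUBSTANTIAL risks), can be turned into a repeatable check over a Risk Register. The following is an added example, not UNDP's own tooling; it assumes that a loss exactly on a band edge takes the higher score, that "above 3" means a score of 4 or 5 and "above 2" a score of 3 or more, and that the sample register entries and budget are constructed for illustration.

```python
from dataclasses import dataclass

# Lower bounds of financial-consequence scores 2..5 as a fraction of the
# applicable budget. Assumption: a loss exactly on a band edge takes the
# higher score (20% of budget scores 3, 50% scores 5).
FINANCIAL_BANDS = ((0.50, 5), (0.30, 4), (0.20, 3), (0.05, 2))
# "financial impact above 3" / "reputational impact above 2" are read here
# as score >= 4 and score >= 3 respectively (assumption).
FINANCIAL_PRIORITY_MIN = 4
REPUTATIONAL_PRIORITY_MIN = 3


def financial_consequence_score(rectification_cost: float, applicable_budget: float) -> int:
    """Map the funds needed to rectify a materialized risk to the 1..5 scale."""
    # Per the policy definition, pass the amount the organization must commit
    # to rectify the situation, not the opportunity loss or mitigation cost.
    if applicable_budget <= 0 or rectification_cost < 0:
        raise ValueError("budget must be positive and cost non-negative")
    share = rectification_cost / applicable_budget
    for lower_bound, score in FINANCIAL_BANDS:
        if share >= lower_bound:
            return score
    return 1


@dataclass
class RiskEntry:
    description: str
    significance: str          # "High", "Substantial", "Moderate" or "Low"
    rectification_cost: float  # same currency as the applicable budget
    reputational_score: int    # 1..5 on the reputational scale


def additional_analysis(entry: RiskEntry, applicable_budget: float) -> dict:
    """Additional financial/reputational analysis for HIGH and SUBSTANTIAL risks."""
    if entry.significance not in ("High", "Substantial"):
        return {"prioritize": False, "reasons": []}
    if not 1 <= entry.reputational_score <= 5:
        raise ValueError("reputational score must be 1..5")
    fin = financial_consequence_score(entry.rectification_cost, applicable_budget)
    reasons = []
    if fin >= FINANCIAL_PRIORITY_MIN:
        reasons.append(f"financial impact {fin}")
    if entry.reputational_score >= REPUTATIONAL_PRIORITY_MIN:
        reasons.append(f"reputational impact {entry.reputational_score}")
    return {"financial": fin, "reputational": entry.reputational_score,
            "prioritize": bool(reasons), "reasons": reasons}


def prioritized(register, applicable_budget):
    """Descriptions of register entries that must be prioritized, in order."""
    return [e.description for e in register
            if additional_analysis(e, applicable_budget)["prioritize"]]


# Constructed sample register for a hypothetical project with a USD 2,000,000
# applicable budget; the entries and figures are illustrative only.
SAMPLE_BUDGET = 2_000_000
SAMPLE_REGISTER = [
    RiskEntry("Donor might withdraw USD 800,000 for political reasons", "Substantial", 800_000, 2),
    RiskEntry("Contractor dispute might delay delivery by a quarter", "High", 150_000, 4),
    RiskEntry("Field vehicle might suffer minor damage", "Low", 5_000, 1),
]
```

Running `prioritized(SAMPLE_REGISTER, SAMPLE_BUDGET)` flags the donor risk (40% of budget, financial score 4) and the contractor risk (reputational score 4) while the Low-significance entry is skipped entirely.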