Guidance:
1. What is the purpose of risk treatment?
The purpose of risk treatment is to manage the risk's significance by addressing the likelihood, the impact, or both. For each High, Substantial or Moderate level risk, one or more risk treatment measures must be identified.
When a risk poses a threat to organizational objectives, the risk treatment may be of four types: terminate (seeking to eliminate activity that triggers such a risk), transfer (passing ownership and/or liability to a third party), mitigate (reducing the likelihood and/or impact of the risk below the threshold of acceptability), and tolerate (accepting the risk level).
When a risk presents an opportunity, the risk treatment may be of four types: exploit (making the opportunity happen), experiment (testing new solutions in uncertain contexts), enhance (increasing the likelihood or impact through reinforcing the trigger condition or increasing exposure), and accept (no proactive actions).
How to know which treatment is sufficient? In other words, what is the threshold of acceptance of each risk, after which there is no need to monitor and manage it any further? Risk threshold level is applicable to individual risks and defines how much risk the project, programme, or organization as a whole is ready to bear after risk treatment in order to achieve its objectives. In other words, risk acceptance or tolerance is a practical application of risk appetite. For each risk, the decision must be reached by risk owners in consultation with the different stakeholders. The team discussion could be guided by the risk analysis and internal/external context, and by the collective decision on what might be considered acceptable.
2. How to treat risk?
Risk treatment implies activities that the team puts in place to change either the likelihood or the impact of each risk. These activities must be reflected in the Risk Register, which must be verified and approved by the Risk Owner, for projects – Project Manager, for programmes – Country Director, for Bureau –
Both planning for risk treatment and actual risk treatment require decisions based on the input from all relevant stakeholders, both internal and external. All risks must have a designated Risk Owner, the individual who is ultimately accountable for ensuring the risk is managed appropriately. Each treatment measure is assigned a Treatment Owner, the individual who is responsible for executing the risk treatment, i.e. an activity agreed within the team to modify the risk. The Risk Owner and Treatment Owner may or may not be the same individual. Ownership is assigned based on the accountability for managing the risk, noting that many people may need to be involved.
The Risk Register should include activities, deadlines for their implementation, Risk Owners and Treatment Owners, , and as part of the project/programme/unit planning exercise to ensure are allocated for the risk response.
3. How to escalate risk?
Not all risks can be managed at the level where they are identified. A risk is escalated when circumstances pertaining to the treatment itself may exceed the authority/mandate or expertise of the Risk Owner. If one or more of the following "escalation" conditions is met, the Risk Owner must escalate the risk:
- Risk treatment requires expenditures that are beyond what the Risk Owner is authorized to decide; and/or
- Risk cuts across, or may impact, multiple offices (e.g. reputational risk, changes to corporate policies); and/or
- Grievances from stakeholders have been received to which the Risk Owner cannot impartially and/or effectively respond (e.g. through UNDP's Stakeholder Response Mechanism); and/or
- A serious security incident has occurred which has impacted UNDP personnel, facilities or programmes or the security environment has deteriorated requiring additional treatment measures and/or security advice; and/or
- Risk significance level is determined to be High.
To escalate a risk, the Risk Owner must provide complete information about the risk to the receiving manager. The change of ownership takes place only after the receiving manager has confirmed that he/she accepts the ownership. A response to the request for risk transfer should be provided within 5 working days of receipt, in which period the risk ownership remains with the original Risk Owner. The escalation of the risk and the change of ownership must be noted in the Risk Register. If and when escalation is urgent, risk transfer should be completed within 24 hours and it is acceptable to communicate escalation using phone or e-mail and update the Risk Register afterwards.
Escalation follows the applicable line management, i.e. from project to programme to relevant Bureau and ultimately to the corporate level.