UGANDA HEALTH MARKETING GROUP (UHMG)


UGANDA HEALTH MARKETING GROUP
RISK MANAGEMENT MANUAL
July 2013 (Final)
Drawn By: UHMG Internal Audit Department
Version: Issue Date: July-2013 Page 1

TABLE OF CONTENTS

1.0 INTRODUCTION
    Background
    Application and Interpretation
    Distribution of the RMM
    Review and Update of the RMM
2.0 PURPOSE OF THE RISK MANAGEMENT MANUAL
    Introduction
    Objectives of the RMM
    Nature of the RMM
    Key Control Processes
3.0 RISK POLICY STATEMENT
    UHMG BOD Risk Statement
4.0 ENTERPRISE RISK MANAGEMENT FRAMEWORK
    COSO Enterprise Risk Management-Integrated Framework
    Enterprise Risk Management Defined
5.0 RISK MANAGEMENT ROLES AND RESPONSIBILITIES
    Board of Directors
    Managing Director
    Senior Management Team
    Risk Management Steering Committee (RMSC)
    Internal Audit
    Staff
6.0 APPROACH TO RISK MANAGEMENT
    ERM Components
    ERM Limitations
7.0 RISK MANAGEMENT CONTEXT
    The External Context
    The Internal Context
8.0 RISK IDENTIFICATION AND CATEGORISATION
    Risk Identification
    Risk Categorization
9.0 RISK ASSESSMENT
    9.1 Risk Rating
    Risk Prioritisation
10.0 RISK RESPONSE
    Risk Appetite
    Risk Treatment
11.0 RISK MONITORING AND REVIEW
    Documentation
    Risk Monitoring
    Review and Reporting
12.0 INFORMATION AND COMMUNICATION
APPENDICES

Acronyms

BARC: Board Audit and Risk Management Committee
BOD: Board of Directors
COSO: Committee of Sponsoring Organisations of the Treadway Commission
ERM: Enterprise Risk Management
IFRS: International Financial Reporting Standards
MD: Managing Director
NSSF: National Social Security Fund
PAYE: Pay As You Earn
RC: Risk Coordinator
RO: Risk Officer
RMM: Risk Management Manual
RMC: Risk Management Committee
UHMG: Uganda Health Marketing Group
URA: Uganda Revenue Authority
VAT: Value Added Tax
WHT: Withholding Tax

Risk management glossary

The Risk Manual is aimed at streamlining the risk management communication process by promoting the use of consistent terminology across the organization.

Risk: The chance of something happening that will have an impact on the achievement of UHMG's objectives. It is measured in terms of consequence and likelihood. Every risk consists of three components: an event, a probability of occurrence and an impact.
    - Risk event: a discrete possible future occurrence that may affect the organisation for better or worse. It could be a wanted event (an opportunity with a potential positive impact) or an unwanted event (a threat with a potential negative outcome).
    - Probability: the likelihood that this event will happen.
    - Impact: the consequence of the risk, if it occurred.

Enterprise Risk Management: A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Gross Risk Rating: An assessment of the risk before considering any actions or controls put in place to mitigate the risk.

Management Controls: Processes in place to mitigate risks. Controls may be policies, procedures, management systems and structures that assist UHMG in its operations.

Net Risk Rating: An assessment of the risk after considering the actions or controls that have been put in place to mitigate the risk.

Risk Appetite and Risk Tolerance: Both Risk Appetite and Risk Tolerance set boundaries on how much risk an entity is prepared to accept. Risk Appetite is a higher-level statement that considers broadly the levels of risk that management deems acceptable, while Risk Tolerances are narrower and set the acceptable level of variation around specific objectives. For instance, an organization that says it does not accept risks that could result in a significant loss of its revenue base is expressing Appetite. When the same organization says that it does not wish to accept risks that would cause revenue from its top-10 customers to decline by more than 10%, it is expressing Tolerance. Operating within risk tolerances gives management greater assurance that the organization remains within its risk appetite, which in turn gives a higher degree of comfort that the organization will achieve its objectives.

Risk Acceptance: An informed decision by UHMG management to accept the likelihood and the consequences of a particular risk.

Risk Management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects within the environment in which UHMG operates.

Risk Management Coordinator: The officer responsible for coordinating the risk management process across the organization.


1.0 INTRODUCTION

1.1 Background

Uganda Health Marketing Group is a Company Limited by Guarantee which was incorporated in 1999 and started full operations in April. UHMG's vision is a good life for all Ugandans, and its mission is to improve the quality of life of Ugandans through the provision of superior and affordable health-care solutions. UHMG designs and implements strategic and integrated health marketing interventions intended to improve the overall wellbeing of the country's population, while stimulating and increasing commercial sector participation.

The main strategic objectives of UHMG include:
a) To create a consumer-driven approach to health marketing through an innovative marketing and social communication platform that will lead to a good life;
b) To strengthen and work with the private and public sectors to widen or create new marketing, distribution and service delivery systems that increase consumer access to health products and services;
c) To strengthen the internal capacity of UHMG by developing its human, material and financial resources; and
d) To build UHMG into a competitive and sustainable health service provider.

UHMG is implementing a five-year Strategic Plan with the aim of designing, implementing and mobilising resources to that effect. The organisation is now establishing an entity-wide Risk Management Framework to ensure the successful exploitation of identified opportunities as well as the timely identification and effective management of any risks that may deter the successful implementation of the Strategic Plan.

1.2 Application and Interpretation

The policies and procedures in this Risk Management Manual (RMM) shall apply to all employees of UHMG and shall be interpreted and administered by the Management of UHMG or their authorised agents.

The RMM shall also be interpreted in light of UHMG's Memorandum and Articles of Association. In case of conflict, the requirements contained within the Memorandum and Articles of Association shall supersede the application and interpretation of this RMM.

1.3 Distribution of the RMM

The master copy of the RMM in use shall be under the custody of the Risk Coordinator (RC). Other controlled copies shall be issued to the MD and other Directors.

The soft copy of the RMM shall be saved on a central server accessible to all staff as read-only. The RC shall retain the password required to edit any section of the RMM.

1.4 Risk Management Overview

Risk: A risk is any factor that has a possibility of causing harm and/or loss, or that prevents UHMG from achieving its objectives. Risk is measured in terms of consequence and likelihood, combined to arrive at a rating from Low to Very High (see the Risk Assessment Matrix in Appendix 2).

What is Risk Management (RM)? RM is the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects within UHMG's operational environment. RM is an integral part of UHMG's approach to decision-making and accountability. RM involves the following risk phases:
- Risk Identification
- Risk Analysis
- Risk Mitigation and Planning
- Risk Response

Thus, the RMM documents the procedures that will be used to manage risk throughout UHMG.

Why is Risk Management Important to UHMG? An effective RM system shall safeguard UHMG's resources and ensure their best utilization. Recognition of RM as a central element of good corporate governance, and as a tool to assist in strategic and operational planning, has many potential planning benefits in the context of the changing operating environment of UHMG's core business. The aim of the RM framework is not to eliminate risk, but rather to assist UHMG personnel in managing the risks involved in all of UHMG's activities so as to maximise opportunities and minimise adverse consequences.

1.5 Review and Update of the RMM

This Manual shall be subject to amendment from time to time. Amendments may result from key omissions, changes in the nature of key operations, or changes in the environment in which UHMG operates.

The Risk Management Committee (RMC) shall identify the sections of the manual that require amending, after consultation with the relevant persons, and document the proposed amendment.

Amendments to the manual may also be identified by any user of the manual, who should submit a written request to their respective Risk Officer (RO) for review and submission to the RMC. The written request should include the following minimum information:
a) The section to be amended;
b) The proposed amendments;
c) The reason for the proposed amendment; and
d) The signature of the preparer and reviewer (RO).

All proposed procedural amendments shall be submitted through the RMC to the MD for review and approval. All proposed policy amendments shall be submitted by the RMC through the MD to the BOD for approval.

On approval of the amendments, the RC shall update the relevant sections of the RMM and the Summary of RMM Changes, which will act as a reference trail for management. The RC shall distribute the new approved sections to the appropriate people (see the distribution list above) and retain the master copy of the same.

The RMM shall be reviewed regularly, at least annually, by Senior Management and approved by the BOD to ensure that the procedures remain relevant to the operations of UHMG. For effectiveness, this review process should be aligned with the annual strategic plan review exercise.

2.0 PURPOSE OF THE RISK MANAGEMENT MANUAL

2.1 Introduction

UHMG management and the BOD understand that risk is inherent in all programmatic, administrative and business activities, and therefore that the successful operation of any organisation depends on effective risk management. UHMG recognises the challenge of promoting risk awareness and a risk culture in a broad sense across the organisation, so that line managers and employees understand and accept their accountability for identifying business threats and opportunities.

In order to incorporate risk management into UHMG's operations, the BOD and management of UHMG have developed a framework for systematically identifying, categorising, assessing and managing risks at all levels of the organisation. The adoption of a strategic and formal approach to risk management will: improve decision making; enhance outcomes; reduce surprises; and ultimately enhance accountability. The aim of this framework is not to eliminate risk, but rather to manage the risks involved in all UHMG activities in order to maximise opportunities and minimise adversity.

2.2 Objectives of the RMM

- To provide staff, management and the BOD of UHMG with guidance on their risk management roles, responsibilities and authority.
- To support a common understanding of risk management in UHMG.
- To provide general guidance and tools to use when integrating risk management into work implementation.
- To ensure significant risks are known and monitored, thus empowering management and the BOD to make more effective decisions.
- To give a sound basis for strategic planning, since key elements of risk will have been identified and appropriate mitigating strategies defined.
- To ensure that the risk management policies and procedures of UHMG are applied consistently and do not contradict other existing policies.

2.3 Nature of the RMM

Given that UHMG operates in a constantly changing environment, this RMM will have to be periodically updated in order to ensure that it remains relevant. It is the responsibility of all users to ensure that the policies and procedures in the RMM are adequate for their operations.

The relevant parties that have a responsibility to coordinate the updating of existing procedures and the adding of new procedures to the RMM have been identified in Section 1.5 of this document. All changes to this RMM shall be carried out in line with the procedures laid out in Section 1.5 of this document.

2.4 Key Control Processes

The MD (Overall Risk Owner), Management and Staff of UHMG shall refer constantly to the RMM when executing their duties to ensure that possible threats and opportunities have been managed accordingly.

3.0 RISK POLICY STATEMENT

3.1 UHMG BOD Risk Statement

The BOD of UHMG is committed to implementing a proactive risk management approach that embeds risk management practices in the operations of UHMG and hence gives reasonable assurance of achievement of the overall goals of the organisation.

UHMG's Policy on Risk Management shall be based on the following principles:
a) Risk management shall be integrated into UHMG's strategic and business planning processes and shall give guidance for decision-making on the day-to-day activities of UHMG;
b) As far as possible, UHMG will anticipate risks and take proactive action on them rather than react to surprises;
c) The management of UHMG shall ensure that significant emerging risks are escalated to the BOD, and that operational risks are reported to the relevant departments, in a timely manner;
d) UHMG will seek to mitigate and manage risks effectively to enhance the achievement of organizational objectives;
e) A consistent approach to the identification, assessment and management of risks shall be maintained throughout UHMG;
f) All staff shall endeavour to understand and execute their risk management roles, responsibilities and accountabilities.

UHMG shall commit resources to implement risk responses that are effective and whose costs do not outweigh the benefits.

4.0 ENTERPRISE RISK MANAGEMENT FRAMEWORK

4.1 Enterprise Risk Management Definition

ERM deals with risks and opportunities affecting value creation or preservation. UHMG shall adopt the COSO definition of ERM stated below:

"A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

The adopted definition reflects certain fundamental concepts. ERM is:
a) A process, ongoing and flowing through an entity. It shall not be a one-off event in UHMG;
b) Effected by people at every level of an organization. Everyone in UHMG shall have a role in ERM;
c) Applied in strategy setting;
d) Applied across the organization, at every level and unit, and includes taking an entity-level portfolio view of risk;
e) Designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite;
f) Able to provide reasonable assurance to an entity's management and board of directors; and
g) Geared to the achievement of objectives in one or more separate but overlapping categories.

ERM shall enable UHMG management to deal effectively with uncertainty and the associated risk and opportunity, enhancing the organization's capacity to build value. UHMG shall maximize value when its set objectives and strategies strike an optimal balance between risk and return during resource allocation.

The ERM framework in UHMG shall include the following:
a) Aligning risk appetite and strategy: UHMG Management shall consider the entity's risk appetite in evaluating strategic alternatives, set related objectives, and develop mechanisms to manage related risks.
b) Enhancing risk response decisions: ERM shall provide the rigour to identify and select among alternative risk responses, including risk avoidance, reduction, sharing, and acceptance.
c) Reducing operational surprises and losses: Over time, UHMG will gain enhanced capability to identify potential events and establish responses, reducing surprises and the associated costs or losses.
d) Identifying and managing multiple and cross-organizational risks: UHMG faces a myriad of risks affecting different parts of the organization, and ERM will facilitate an effective response to the interrelated consequences, and integrated responses to multiple risks.
e) Seizing opportunities: By considering a full range of potential events, UHMG management shall be positioned to identify and proactively realize opportunities.
f) Improving deployment of funding: Obtaining robust risk information will allow UHMG management to assess overall funding needs effectively and enhance fund allocation.

These capabilities inherent in the ERM framework will enable the UHMG BOD and management to achieve the organization's performance targets and prevent loss of resources. ERM shall ensure effective reporting and compliance with laws and regulations, and shall help to avoid damage to the entity's reputation and the associated consequences. In sum, the ERM framework will help UHMG achieve its objectives while avoiding surprises en route.

4.2 Committee of Sponsoring Organizations of the Treadway Commission (COSO) - Enterprise Risk Management-Integrated Framework

UHMG management shall adopt the COSO ERM-Integrated Framework to provide a comprehensive approach for the organization to identify and manage risks that could deter UHMG from achieving its goals. The framework shall present an organization-wide perspective of risk and standardize terms and concepts to promote effective implementation across the organization.

The implementation of a robust and transparent risk management program has become increasingly important given that UHMG operates in a challenging environment characterized by: increasing competition; greater accountability requirements; higher quality standards for both product and service delivery; and a complex business model that combines profit and non-profit elements. This changing and challenging environment places more pressure on UHMG's resources and presents risk and uncertainty to the organization, hence the need for a structured approach to continually align priorities and objectives.

The COSO framework describes the critical principles and components of an effective ERM process. The framework shall:
a) Allow UHMG to proactively manage its risks in a systematic and structured way and to continually refine its processes to reduce UHMG's risk profile, thereby maintaining a safer environment for all its stakeholders;
b) Provide a common language, so that when executives, directors and others talk about risk management, they are truly communicating;
c) Embed the risk management process and ensure it is an integral part of UHMG's planning process at a strategic and operational level;
d) Ensure appropriate strategies are in place to mitigate risks and maximize opportunities; and
e) Describe the roles of key players in the ERM process.

5.0 RISK MANAGEMENT ROLES AND RESPONSIBILITIES

Everyone in UHMG - the board, senior management and staff - is responsible for the effective management of risk in the organization. The specific responsibilities are articulated in the following sections.

5.1 Board of Directors

The risk management roles and responsibilities of the UHMG BOD include the following:
- Providing oversight of risk management within UHMG, including ensuring that management has established an appropriate risk management framework;
- Reviewing and approving the overall risk management policy and risk appetite of UHMG;
- Ensuring that the risk management framework established by management enables UHMG to identify all material risks on an ongoing basis;
- Reviewing, on a semi-annual basis, the significant strategic risks that may materially affect the operations of UHMG;
- Ensuring that management has designed and implemented timely, adequate and cost-effective risk responses so that all identified material risks are effectively managed and are within the acceptable risk appetite;
- Seeking input from internal audits, compliance audits, external audits and relevant consultancy engagements to evaluate the risk management framework.

The BOD may delegate certain risk management activities to the Board Audit and Risk Management Committee, although ultimate responsibility for risk management oversight rests with the BOD.

5.2 Managing Director

The risk management roles and responsibilities of the UHMG MD include the following:
- The MD is ultimately accountable to the BOD for ensuring that there is a risk management program in place as part of UHMG's Corporate Governance framework;
- Ensuring that a risk management framework is established, implemented and maintained in accordance with this policy;
- Assignment of responsibilities in relation to risk management is the prerogative of the MD;
- Creation of an integrated risk management structure that enables the identification of interdependencies among cross-functional risks, and thus synergies and coordination of risk responses;
- Through consistent communication and actions, ensuring the growth of a risk culture in UHMG to enhance the embedding of risk management in all operations of UHMG;
- Ensuring that UHMG commits adequate resources to manage identified risks cost-effectively.

Ultimately, the MD is the arbitrator between pursuing opportunities and holding back due to excessive risk.

5.3 Senior Management Team

The risk management roles and responsibilities of the Senior Management Team include the following:
- Devolution of the risk management process to operational managers within their units;
- Identifying, communicating and managing operational risks within their areas of control;
- Promoting the desired risk culture within their units and promoting compliance with the agreed risk appetite.

Collectively, the Senior Management Team is responsible for:
a) The design of UHMG's ERM framework;
b) The formal identification of risks that impact upon UHMG's mission;
c) The development of risk management plans; and
d) Establishing the risk appetite for UHMG.

5.4 Risk Management Committee (RMC)

The RMC shall be headed by the Risk Coordinator (RC), who will be a Director appointed and fully backed by the MD. The RMC shall have 5 member representatives, one from each directorate, called Risk Officers (ROs), who shall be headed by the Risk Coordinator. The ROs, with the support of their respective Directors, shall have the responsibility of embedding risk management principles within their directorates and of facilitating seamless coordination between them and the RMC.

The RMC shall be charged with the following responsibilities and roles:
a) Developing terms of reference for the RMC and submitting them to the MD for approval;
b) Rolling out the approved risk management framework and promoting risk management awareness through periodic education of management and staff;
c) Ensuring consistent assessment of risks from a broad organizational perspective and coordinating the periodic risk assessment exercises undertaken at departmental level;
d) Updating the risk register and ensuring that all risks have accountable managers who have developed action plans for addressing the risks;
e) Reviewing progress against agreed risk management plans and reporting to management on a monthly basis and to the BOD on a quarterly basis; and
f) The RMC is NOT responsible for identifying or managing risks, but for coordinating the processes.

5.5 Internal Audit

While they do not have primary responsibility for establishing or maintaining ERM, internal auditors contribute to its effectiveness by carrying out independent evaluation of the adequacy and effective operation of the risk management processes, methodologies and internal controls. Specific ways in which internal auditors can add value to ERM include:
a) Providing advice in the design and improvement of control systems;
b) Implementing a risk-based approach to planning and executing the internal audit process;
c) Ensuring that internal audit resources are directed at those areas that are most important to the organization;
d) Challenging the basis of UHMG's risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies; and
e) Facilitating ERM workshops.

5.6 Staff

The staff of UHMG shall be responsible for executing ERM in accordance with this RMM and other established directives and protocols.

6.0 APPROACH TO RISK MANAGEMENT

6.1 ERM Components

UHMG shall maintain procedures to provide the organisation with a systematic view of the risks faced in the course of its activities. The ERM framework selected by UHMG consists of eight interrelated components that are integrated with the management process. These components are:
a) Internal Environment: The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including the risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
b) Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives, and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
c) Event Identification: Internal and external events affecting the achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management's strategy or objective-setting processes.
d) Risk Assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
e) Risk Response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
f) Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
g) Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
h) Monitoring: The entirety of ERM is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

ERM is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another.

The eight ERM components must be continuously assessed to ensure they are present and functioning effectively. For the components to be judged effective, there should be no material weaknesses, and risks should have been brought within UHMG's risk appetite.

6.2 ERM Limitations

While ERM provides important benefits, limitations exist due to the inherent weaknesses of human judgement and the possibility of simple errors or mistakes. It is also possible for controls to be circumvented by the collusion of two or more people, and management has the ability to override ERM decisions. These limitations preclude the BOD and management from having absolute assurance, rather than reasonable assurance, as to the achievement of UHMG's objectives.

7.0 RISK MANAGEMENT CONTEXT

The context in which UHMG's risk assessment criteria are set shall involve understanding and appraising: UHMG's external environment and relationships; its own internal environment; and the risk management context. This will provide guidance as to whether the risks are acceptable or not.

7.1 The External Context

Prior to undertaking a risk assessment, UHMG shall seek to understand the external environment in which it operates. From a strategic perspective, UHMG will consider the social, political, economic, demographic, ecological, regulatory, legislative and cultural factors that have an impact on the organisation.

UHMG's strengths, weaknesses, opportunities and threats shall be assessed, and consultations made with external stakeholders such as donors, relevant government departments, the community, sub-grantees, contractors and suppliers. This will provide a more complete assessment.

UHMG's Strategic Plan will be reviewed annually to identify changes in UHMG's external strategic environment, measure performance against set targets, and adjust strategies as required. The Strategic Risk Profile of UHMG and the proposed risk responses shall be aligned to the Strategic and Business Plans during this exercise.

7.2 The Internal Context

Before undertaking a risk assessment, the internal and operational context should be established. This shall include an understanding of UHMG's goals and objectives, management and organisational structures, systems, processes, resources, key performance indicators, and other drivers. Internal stakeholders, including management and staff, shall be consulted and their views and perceptions considered accordingly.

The Directors shall ensure that the annual departmental plans are geared towards achieving UHMG's overall strategic objectives, and that the departmental strategic and operational risk assessments are aligned to their respective operational plans.

8.0 RISK IDENTIFICATION AND CATEGORISATION

8.1 Risk Identification

The main objective of this section is to develop a systematic approach to identifying risks and to provide a basis for categorising identified risks and linking them to the business targets or values they impact.

The risk identification stage shall involve identifying events that can impact the achievement of UHMG's objectives either negatively (threats) or positively (opportunities). UHMG Management will channel opportunities back to the strategic planning process to ensure that the organisation takes full advantage of them. Threats, on the other hand, shall be recorded in the risk register and managed.

In order not to exclude critical risks, UHMG shall undertake a systematic and comprehensive identification of all risks, including those not directly under the control of UHMG. The following approaches may be used for risk identification:

a) Review of strategic plans, operational plans, policy manuals and other key documents;
b) Team-based brainstorming, structured interviews, focus groups;
c) Self-assessments and other facilitated workshops;
d) Past organisational experiences;
e) SWOT (Strengths, Weaknesses, Opportunities, Threats) analyses;
f) Comparison with similar organisations, discussion with peers, benchmarking, engaging risk consultants;
g) Process mapping and scenario analyses;
h) Business diagnostics and organisational assessments;
i) Internal and external reports.

The approaches above shall be used to identify risks from a variety of perspectives or categories, including:

a) Sources of risk: governance, strategic, operational/programme, financial, external, compliance and information technology (see Appendix 3 for generic sources of risk);
b) Objectives: the risks that could keep the organisation from achieving each of its objectives, e.g. planned events, programmes, building projects, etc.;
c) Areas affected: reputation, assets, revenues, costs, performance, staff, volunteers, customers and other stakeholders;
d) Specific hazards: fire, theft, earthquake, etc. The hazard-based approach is usually based on the policy coverage available from insurers;
e) Capacity gaps: inexperienced or inadequate human resources, or inadequate systems and processes to track performance;
f) Risk drivers: pressure points that, if left unchecked, contribute to increased risk exposure, for example a high rate of expansion, culture, or the degree of information flow within the organisation;
g) Degree of control: the degree of control that the organisation has over the risk, e.g.:
   No control: natural disasters, political, economic, social;
   Some influence or little control: public expectations, reputation, competition, changes to legislation;
   Controllable: choice of programmes, events and major projects.

Once the risks are identified, they should be documented in the Risk Register (see Appendix 5).

8.2 Risk Categorisation

Within the context of UHMG's established mission or vision, management establishes strategic objectives, selects strategy and sets aligned objectives cascading through the organisation. This ERM framework is geared to achieving UHMG's objectives, and seeks to identify and manage risk in the following four categories:

a) Strategic risk: the risk of having inappropriate or unrealistic strategies and programmes. It includes:
   External risk: the risk of becoming irrelevant, losing the support of the public and funding sources, and failing to respond to external factors such as economic, demographic, political and other trends;
   Governance risk: the risk of ineffective oversight and poor decision-making;
   Reputation risk: the risk of losing goodwill, status in the community and appeal to prospective partners.
b) Operational risk: the risk of poor service delivery and misuse of human capital and other resources;
c) Financial risk: the risk of fraud, financial failure and financial decisions based on inadequate or inaccurate information;
d) Compliance risk: the risk of fines and other regulatory penalties due to failure to comply with relevant laws and regulations, including donor requirements.

This categorisation of UHMG's objectives allows a focus on separate aspects of ERM. These distinct but overlapping categories address different entity needs and help to ensure comprehensive coverage of all the potential risks and opportunities facing UHMG (refer to the Risk Register, Appendix 5).

The adopted risk categories and their definitions represent the meaning of risk for UHMG. Over time, these shall be modified to reflect the changing environment and organisational strategic outlook.

9.0 RISK ANALYSIS

9.1 Risk Rating

UHMG shall assess the identified risks to determine their effect on the organisation and its objectives. Assessment of risk shall involve consideration of two key parameters:

a) Risk likelihood: the chance of a particular risk occurring. This may involve considering how frequently the risk is likely to occur.
b) Risk impact: the severity or consequences to UHMG if the risk actually occurred, in particular the impact on areas such as business continuity, human and financial resources, the community, the environment, corporate image, reputational damage, and legal and political implications.

The criteria for determining the Likelihood of Occurrence of a particular risk, and the Magnitude of Impact should it occur, are set out in Appendix 1.

UHMG shall adopt a risk mapping technique that assesses each identified risk by displaying the relationship between its Likelihood of Occurrence and Magnitude of Impact (see Appendix 2: Risk Assessment Matrix). The risk assessment matrix shall enable management to rank risks and form a basis for determining how these risks should be managed.

UHMG shall evaluate risks at two levels:

a) Gross/inherent risk rating: the rating before considering the controls management has put in place to mitigate the risk; and
b) Net/residual risk rating: the rating after considering the strength of the management controls in place.

As part of their activities, internal audit shall evaluate whether the established management controls are as robust as management has assessed them to be in bringing the gross risk down to the residual risk.

The residual risk rating will determine the further risk responses that management needs to take, depending on whether the residual risk is within acceptable limits.

9.2 Risk Prioritisation

UHMG shall prioritise risks according to the level of residual risk and document them in the Risk Response Plan (Appendix 6).

10.0 RISK MITIGATION AND PLANNING: RISK MONITORING AND REVIEW

Risk management is a dynamic process and, to be effective, requires ongoing monitoring and review to ensure that the risk environment in which UHMG operates is kept up to date and reflects the general operating environment.

Documentation

Documentation of the UHMG risk management process shall be carried out at each stage for the following reasons:

a) It gives integrity to the process and is an important part of good corporate governance;
b) It provides an adequate audit trail and evidence of a structured approach to risk identification and analysis;
c) It provides a record of decisions made which can be used and reviewed in the future;
d) It provides a record of risks for UHMG which can be continuously updated.

UHMG's risk management process will be captured mainly in a Risk Register (see Appendix 5) and a Risk Response Plan (see Appendix 6).

The Risk Register will be reviewed and updated regularly throughout the year to provide comfort that identified risks are managed within acceptable levels. It shall be owned by the BOD and the CEO/MD, albeit maintained by the RMC. It shall contain the following information:

   Risk category
   Risk ID
   Description of the risk event
   Specific discussion and concerns
   Gross/inherent risk rating
   Risk mitigation strategies in place
   Net/residual risk rating
   Early warning and reporting triggers
   Responsible officer

The Risk Response Plan shall include:

   Risk ID, to provide a cross-reference to the Risk Register
   Risk description
   Treatment option chosen by management
   Risk rating after treatment
   Responsible officer
   Implementation timetable
   Monitoring mechanisms

Risk Monitoring

This process shall involve:

a) Monitoring residual risks;
b) Checking that new risks are identified, evaluated and reported;
c) Ensuring that any significant failures of control systems are properly reported and appropriate actions taken;
d) Ensuring there is an adequate level of understanding of individual responsibilities for both implementation and monitoring of the control systems;
e) Ensuring that the BOD is provided with relevant, up-to-date information;
f) Executing the risk reduction plans;
g) Evaluating the effectiveness of the risk management programme as a whole; and
h) Documenting any planned action, along with the manager accountable for the action and its expected completion date.

The BOD will monitor risk by:

a) Ensuring that the identification, assessment and mitigation of risk is linked to the achievement of UHMG's operational objectives;
b) Ensuring that the assessment process reflects the BOD's view of acceptable risk;
c) Reviewing and considering the principal results of risk identification, evaluation and management;
d) Reviewing and considering update reports where the need for further action is identified;
e) Considering any significant new activities or opportunities as they arise, to ensure any risks are identified and managed; and
f) Considering, periodically, external factors such as new legislation or new requirements from funders.

The risk monitoring process shall provide an opportunity for UHMG to learn from risk and shall involve questions such as:

a) Are we achieving the results we planned?
b) Are we monitoring and learning from control breakdowns and losses?
c) What are we doing about the major risks we have identified?
d) Do we have the necessary guidelines, policies and procedures? Are they working effectively to mitigate the risks?
e) How well are we doing in managing risk?
f) Are near misses recorded, tracked and used for learning?

Review and Reporting

Progress on the action plans will be reported monthly to senior management and quarterly to the BOD by the Risk Co-ordinator through the Risk Management Committee.

An annual report will also be prepared by the RMC and form part of the annual strategic plan review process. Once the revised targets have been established, the various Directors, together with their managers and staff, will identify and rank the potential risks that might affect achievement of these targets.

The nature of reporting will vary depending on the level. For instance, the quarterly reporting to the BOD shall focus on UHMG's key (say, top 10) risks and any significant developments during the period. Specific issues to report to the BOD shall include:

a) The status of major risks, including current exposure and the effectiveness of risk management techniques;
b) How the strategic environment is changing, what new risks and opportunities are appearing, how they are being managed and what, if any, modifications in strategic direction should be adopted;
c) Progress on closing major gaps in risk management capabilities;
d) Reviews of compliance with risk tolerance policy limits;
e) Any litigation against the organisation; and
f) The status of any crises currently being managed and any potential crises.

Risk Planning

Risk planning involves the use of the following tools in the following areas:

a) Risk context: developing a stakeholder consultation plan and a communication plan;
b) Risk identification: the risk universe, brainstorming, scenario analysis, process mapping, system analysis, operational modelling and expert opinion;
c) Risk analysis: qualitative, semi-quantitative and quantitative analysis;
d) Risk evaluation: the heat map, numerical ranking of risks and decision trees;
e) Risk treatment: risk transfer and outsourcing, the risk mitigation measures described under Risk Treatment, and cost-benefit analysis.

11.0 RISK RESPONSE

Risk Appetite

Risk appetite is a high-level statement that considers broadly the levels of risk that an organisation deems acceptable in pursuit of its objectives. Risk appetite has two components:

a) Risk tolerance: how much risk the organisation is willing to take, i.e. what probability it is prepared to accept that specified objectives will not be met. Operating within risk tolerances provides management greater assurance that UHMG remains within its risk appetite, which in turn provides a higher degree of comfort that the organisation will achieve its objectives; and
b) Risk capacity: the absolute limit of risk that the organisation is able to bear. It is based on the strength of its finances, donor support, reputation and competence of staff. A well-financed organisation with experienced, competent and well-equipped staff is in a good position to succeed in new initiatives and to survive setbacks.

The BOD of UHMG shall communicate to management the boundaries and limits set by its policy, to ensure a clear understanding of the risks that can be accepted and those that the BOD would consider unacceptable.

UHMG shall consider some of the following questions in determining its risk appetite:

a) What risks will UHMG not accept? (e.g. environmental or quality compromises)
b) What risks will UHMG bear as it takes on new initiatives? (e.g. new product lines, new business units)
c) What amount of money is UHMG prepared and able to lose if a strategy or project is less successful than anticipated?
d) What is the potential risk to UHMG's reputation and credibility if a strategy or project is poorly received or otherwise unsuccessful?
e) What risks will the organisation accept for competing objectives? (e.g. gross profit vs. market share for the product facility)
f) What are the limits of the MD's authority beyond which BOD approval is needed?
g) What information should the BOD receive before making decisions or granting approvals? For every proposal or action requiring BOD approval, information should be provided about:
   The potential risks and how they will be managed, as well as the potential opportunities;
   The alternatives that were rejected as well as the proposal being advanced;
   The worst-case scenario; and
   Management's concerns and uncertainties as well as its optimistic expectations.

The BOD may choose to discuss and approve risk factors on an unstructured, case-by-case basis, or to formulate a formal risk appetite statement. In either case, the basis for decisions shall be recorded for future reference.

The RMC will help to translate the overall risk appetite of UHMG, approved by the BOD, into a set of limits and risk metrics that can be tied to particular business strategies and risks and flow down through the various departments. These metrics shall be defined in quantitative or qualitative terms.

The level of risk UHMG is willing to accept shall provide a benchmark against which the organisation's risk assessment is undertaken. The risk assessment and evaluation in turn shall inform the BOD of the overall risk profile of UHMG and the steps taken to manage the major risks identified.

Risk Treatment

Having identified and assessed the major risks, decisions shall be made regarding how to manage each of them. For example, minor risks that occur frequently can often be managed by good procedures and training. Major but infrequent risks may also require insurance and/or contingency planning in addition to established procedures.

UHMG recognises that it is unlikely that risks will ever be entirely eliminated; however, risks can be reduced to a more acceptable level.
UHMG shall draw from the commonly accepted risk treatment options below, in light of their cost-effectiveness:

a) Accepting risk: provided that the risk is unlikely or would not cause serious harm to UHMG, management will accept and monitor it. A risk may also be accepted if it is identified as unavoidable or no suitable treatment plans are available.
b) Mitigating risk: this shall involve developing control activities and procedures to detect and reduce the likelihood and/or severity of risks. For mitigating strategies to be effective, they must fit well with UHMG's corporate strategy. UHMG may reduce the likelihood and impact of risks by considering the following actions:
   Structured training and supervision of staff;
   Periodic testing of controls, e.g. fire alarms;
   Enhanced management controls such as reviewing policies and procedures, quality control checks;
   Improved compliance monitoring and audit programmes;
   Contingency planning such as Disaster Recovery plans and Business Continuity plans;
   Fraud and corruption control programmes;
   Better contractual arrangements;
   Preventive maintenance;
   Establishing financial reserves;
   Phased commitment to large projects;
   Public relations;
   Succession planning, etc.
c) Transferring risk: this shall involve other parties bearing or sharing the risk, either partially or in full. UHMG shall consider transferring risk by buying insurance policies to mitigate perils such as fire and theft. UHMG may also transfer risk by establishing contractual relationships with other organisations that have the expertise and resources to handle specialised issues and risks, through arrangements such as outsourcing, partnerships and joint ventures, among others. Sharing of risks may, however, expose UHMG to other risks, such as reputational or litigation risks, if the party taking on the risk does not meet its obligations. As such, UHMG shall take great care in identifying the parties with whom to share risk, and shall clearly document the expectations and responsibilities of each party.
d) Avoiding risk: this involves taking a decision not to start or continue with a particular activity (e.g. a potential grant, project, product line or market) that gives rise to the risk. This can be a legitimate strategy that UHMG may opt for as a last resort, after weighing the potential costs and benefits and exploring control activities and other ways to manage the risks. UHMG shall bear in mind that, if UHMG's objectives are to be met, some risks cannot be avoided regardless of the risk levels, due to their inherent nature.

In some instances more than one approach may be used. For example, UHMG may establish procedures and controls to mitigate some risks and then buy insurance to cover the residual risk, where the established procedures cannot adequately bring the risk within acceptable limits or where the potential losses may not be easily absorbed from UHMG's operating budget or financial reserves.

While evaluating the various risk treatment options, UHMG shall consider the following factors:

a) Comparison of the cost of establishing the risk response with the potential magnitude of the consequences, to ensure that it makes business sense to finance the risk response;
b) The extent of risk reduction gained by the risk response; and
c) The extent to which there is an ethical or legal duty to implement a risk treatment option, which may override any cost/benefit analysis.

Once each risk has been evaluated, the RMC will draw up a combined plan for the actions to be taken to cover the risks. This action plan shall be approved by the MD and the BOD.

12.0 INFORMATION AND COMMUNICATION

a) Communication and consultation shall be carried out at each stage of the UHMG risk management process with all relevant stakeholders. Strong communication and consultation shall enhance buy-in from the BOD, senior management and specific risk owners across the entire organisation.
b) UHMG recognises that when people know what they are expected to do and understand how to recognise and respond to risks, problems are less likely to occur and easier to resolve. The RMC shall ensure that people know and understand the risks that affect other departments and the organisation as a whole, and the consequences of their own actions for others.
c) This shall enable management and/or the RMC to provide training and guidance to staff and volunteers, as well as written policies, procedures and job descriptions. The goal shall be to create a risk-aware culture in which people are encouraged to take appropriate action to manage risks or report them to others.
d) The Enterprise Risk Management - Integrated Framework requires feedback of information from throughout the organisation. This information must be current and accurate, and must be robust enough to support the analysis of different risk responses. Management of UHMG shall therefore identify, capture and communicate pertinent information in a form and timeframe that enables people to carry out their responsibilities.
e) Risk management results shall be communicated in different forms, including:
   A dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances);
   Flowcharts of processes with key controls noted;
   Narratives of business objectives linked to operational risks and responses;
   A list of key risks to be monitored; and
   Management understanding of key business risk responsibilities and communication of assignments.

13.0 APPENDICES

Appendix 1: Risk Rating Criteria (Impact and Likelihood)

Magnitude of Impact

Major
   Loss of a major donor
   Major disruption of business with severe impact on operational performance and achievement of objectives
   Serious erosion of brand value and reputation, with adverse publicity
   Litigation with potential for major loss
   Event requires Board and Senior Management attention

Moderate
   Significant impact on the business: projects delayed, beneficiaries affected
   Brand value affected in the short term
   Litigation with potential for minor loss
   Event requires Senior and Middle Management intervention

Minor
   Impact on internal business only
   Minor potential impact on brand value
   Issue delegated to Middle Management for resolution

Likelihood of Occurrence

Likely
   Event will probably occur in most circumstances
   Event will probably occur at least once a year

Possible
   Event might occur at some time; moderate probability of occurrence
   Event might occur, say, once every 2 or 3 years

Unlikely
   Event could occur at some time; low probability of occurrence
   Event could occur, say, once every 5 years

NOTE: These criteria are only guidelines, and management can modify them over time to better reflect UHMG's risk profile.

Appendix 2: Risk Assessment Matrix

Rating (score)    Management action
High (7-9)        Unacceptable risk: management must take action to lower the risk
Medium (4-6)      Judgmental boundary: should be dealt with on a case-by-case basis
Low (1-3)         Acceptable risk: no further management action required
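The following Python is an added illustration of how the rating scheme of sections 9.1 and 9.2 and of Appendices 1 and 2 can be applied mechanically to a Risk Register; it is not code from the manual or from UHMG. It assumes two things the page does not state: that Likelihood and Impact each map to a 1-3 scale in the order the appendices list them (Unlikely=1 to Likely=3, Minor=1 to Major=3), and that the 1-9 score banded in Appendix 2 is the product of the two. The register rows are constructed sample data. It also adds the check an auditor would want: a residual rating can never be worse than the gross rating, so such a row is flagged for review rather than ranked.

```python
"""Risk rating and prioritisation following Appendix 1 and 2 of the manual.

Added illustration, not UHMG's code. Assumptions not stated on the page:
 - Likelihood and Impact map to 1-3 in the order the appendices list them.
 - The 1-9 score banded in Appendix 2 is Likelihood x Impact.
 - SAMPLE_REGISTER and BAD_RISK below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass

LIKELIHOOD = {"Unlikely": 1, "Possible": 2, "Likely": 3}
IMPACT = {"Minor": 1, "Moderate": 2, "Major": 3}

# Appendix 2 bands: (low score, high score, rating, management action)
BANDS = (
    (7, 9, "High", "Unacceptable risk: management must take action to lower the risk"),
    (4, 6, "Medium", "Judgmental boundary: deal with on a case-by-case basis"),
    (1, 3, "Low", "Acceptable risk: no further management action required"),
)


@dataclass(frozen=True)
class Risk:
    """One Risk Register row (a subset of the fields section 10 lists)."""
    risk_id: str
    category: str
    description: str
    gross_likelihood: str      # rating before controls (section 9.1 a)
    gross_impact: str
    residual_likelihood: str   # rating after controls (section 9.1 b)
    residual_impact: str
    controls: str = ""
    owner: str = ""


def score(likelihood: str, impact: str) -> int:
    """Likelihood (1-3) x Impact (1-3) -> 1..9; unknown labels are rejected."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown rating label: {likelihood!r}/{impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def band(s: int) -> tuple[str, str]:
    """Map a 1-9 score to the Appendix 2 rating and management action."""
    for lo, hi, rating, action in BANDS:
        if lo <= s <= hi:
            return rating, action
    raise ValueError(f"score {s} is outside 1-9")


def inconsistent(register: list[Risk]) -> list[str]:
    """IDs whose residual rating exceeds the gross rating.

    A control cannot make a risk worse, so such a row means the gross rating
    or the control assessment is wrong; internal audit should query it
    (section 9.1) before it is prioritised.
    """
    return [r.risk_id for r in register
            if score(r.residual_likelihood, r.residual_impact)
            > score(r.gross_likelihood, r.gross_impact)]


def assess(risk: Risk) -> dict:
    """Gross and residual scores plus the Appendix 2 action for the residual."""
    gross = score(risk.gross_likelihood, risk.gross_impact)
    residual = score(risk.residual_likelihood, risk.residual_impact)
    if residual > gross:
        raise ValueError(f"{risk.risk_id}: residual {residual} exceeds gross {gross}")
    rating, action = band(residual)
    # Section 9.1: a further response is needed unless the residual is within
    # the acceptable (Low) band.
    return {"risk_id": risk.risk_id, "gross": gross, "residual": residual,
            "rating": rating, "action": action, "needs_response": rating != "Low"}


def prioritise(register: list[Risk]) -> list[dict]:
    """Risk Response Plan order (section 9.2): highest residual first, ties by gross."""
    return sorted((assess(r) for r in register),
                  key=lambda a: (a["residual"], a["gross"]), reverse=True)


def board_report(register: list[Risk], top_n: int = 10) -> list[str]:
    """IDs for the quarterly BOD report: the key (say, top 10) risks."""
    return [a["risk_id"] for a in prioritise(register)[:top_n]]


# Constructed sample register; descriptions and owners are illustrative only.
SAMPLE_REGISTER = [
    Risk("R-01", "Financial", "Loss of a major donor's funding",
         "Likely", "Major", "Possible", "Major", "Donor diversification plan", "Finance Director"),
    Risk("R-02", "Compliance", "Late PAYE/NSSF remittance attracting penalties",
         "Possible", "Moderate", "Unlikely", "Moderate", "Statutory payment calendar", "Finance Manager"),
    Risk("R-03", "Operational", "Stock-out of programme commodities at sub-grantees",
         "Likely", "Moderate", "Likely", "Minor", "Buffer stock, monthly stock reports", "Programmes Director"),
    Risk("R-04", "Strategic", "Board oversight gap during leadership transition",
         "Possible", "Major", "Possible", "Major", "", "Board Chair"),
]

# Deliberately mis-rated row (residual worse than gross) that must be flagged, not ranked.
BAD_RISK = Risk("R-99", "Operational", "Mis-rated row", "Unlikely", "Minor", "Likely", "Major")

if __name__ == "__main__":
    for a in prioritise(SAMPLE_REGISTER):
        print(f"{a['risk_id']}: gross={a['gross']} residual={a['residual']} {a['rating']} -> {a['action']}")
    print("rows needing audit review:", inconsistent([BAD_RISK]))
```

Sorting on the residual score first and the gross score second keeps two risks with the same residual ordered by how much the organisation is relying on controls, which is the pair internal audit is asked to test under section 9.1.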


More information

Risk Management in the 21 st Century Ameren Business Risk Management

Risk Management in the 21 st Century Ameren Business Risk Management Management in the 21 st Century Ameren Business Management Charles A. Bremer V.P. Ameren Service Center/Information Technology Ameren Services Co. November, 2007 Ameren s History 2 Ameren Today Electric

More information

B U S I N E S S R I S K M A N A G E M E N T L T D

B U S I N E S S R I S K M A N A G E M E N T L T D B U S I N E S S R I S K M A N A G E M E N T L T D Governance, Risk and Compliance (GRC) After completing this course you will be able to Course Level Understand the requirements and benefits of GRC Develop

More information

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL Pursuant to the Main Market Listing Requirements of Bursa Malaysia Securities Berhad ( Bursa Malaysia ) ( Listing Requirements ), Practice Note 9 issued

More information

e. inadequacy or ineffectiveness of the internal audit program and other monitoring activities;

e. inadequacy or ineffectiveness of the internal audit program and other monitoring activities; TABLE OF CONTENTS Page I. BACKGROUND 1 II. SCOPE OF THE BANK INTERNAL CONTROL SYSTEM 2 1. Definition and Objectives 2 2. Stakeholders in the Bank Internal Control System 3 3. Factors to Consider in the

More information

The Urbis Academy Trust Risk Management Strategy

The Urbis Academy Trust Risk Management Strategy The Urbis Academy Trust Risk Management Strategy 1.0 Introduction 1.1 Risk management is the process whereby the School/Trust methodically addresses the risks attaching to its objectives and associated

More information

INTERNAL AUDIT PLAN AND CHARTER 2018/19

INTERNAL AUDIT PLAN AND CHARTER 2018/19 INTERNAL AUDIT PLAN AND CHARTER 208/9 PURPOSE OF REPORT. To present the proposed 208/9 audit plan and charter to the Audit Committee for consideration and approval..2 The Internal Audit Plan for 208/9

More information

Risk Management Policy Arvind Infrastructure Limited

Risk Management Policy Arvind Infrastructure Limited Risk Management Policy Arvind Infrastructure Limited 0 Risk management 1.1 Purpose Arvind Infrastructure Limited is committed to high standards of business conduct and to good risk management to: 1. achieve

More information

Internal Audit of WFP s Per- Capita Funding Modality for Corporate IT Services. Office of the Inspector General Internal Audit Report AR/14/13

Internal Audit of WFP s Per- Capita Funding Modality for Corporate IT Services. Office of the Inspector General Internal Audit Report AR/14/13 Fighting Hunger Worldwide Internal Audit of WFP s Per- Capita Funding Modality for Corporate IT Services Office of the Inspector General Internal Audit Report AR/14/13 Contents Page I. Executive Summary

More information

The Institute of Directors of South Africa ( IoDSA ) is the convener of the King Committee and the custodian of the King reports and practice notes.

The Institute of Directors of South Africa ( IoDSA ) is the convener of the King Committee and the custodian of the King reports and practice notes. ANDULELA INVESTMENT HOLDINGS LIMITED CORPORATE GOVERNANCE Corporate Governance Overview December 2016 The Board of Directors is committed to the implementation of good corporate governance within the group

More information

METROPOLITAN TRANSPORTATION AUTHORITY

METROPOLITAN TRANSPORTATION AUTHORITY ENTERPRISE RISK MANAGEMENT AND INTERNAL CONTROL GUIDELINES Pursuant to Public Authorities Law Section 2931 Adopted by the Board on November 16, 2016 These guidelines apply to the Metropolitan Transportation

More information

Audit, Risk and Compliance Committee Terms of Reference. Atlas Mara Limited. (The "COMPANY") Amendments approved by the Board on 22 March 2016

Audit, Risk and Compliance Committee Terms of Reference. Atlas Mara Limited. (The COMPANY) Amendments approved by the Board on 22 March 2016 Audit, Risk and Compliance Committee Terms of Reference Atlas Mara Limited (The "COMPANY") Amendments approved by the Board on 22 March 2016 1. OVERVIEW 1.1 The primary objective of the committee is to

More information

A robust and systematic review.

A robust and systematic review. Principal risks and uncertainties A robust and systematic review. The Board considers these to be the most significant risks faced by the Group that may impact the achievement of our six strategic drivers.

More information

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Audit Committee January 2018 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note

More information

AUSTRALIAN ENGINEERING COMPETENCY STANDARDS STAGE 2 - EXPERIENCED PROFESSIONAL ENGINEER IN LEADERSHIP AND MANAGEMENT

AUSTRALIAN ENGINEERING COMPETENCY STANDARDS STAGE 2 - EXPERIENCED PROFESSIONAL ENGINEER IN LEADERSHIP AND MANAGEMENT AUSTRALIAN ENGINEERING COMPETENCY STANDARDS STAGE 2 - EXPERIENCED IN LEADERSHIP AND MANAGEMENT The Stage 2 Competency Standards are the profession's expression of the knowledge and skill base, engineering

More information

THE ARCG CHARTER. Issued in March 2008

THE ARCG CHARTER. Issued in March 2008 THE ARCG CHARTER Issued in March 2008 Index Part A Internal Audit Purpose Charter Mission Independence Scope & Responsibilities Authority Accountability Standards Part B Compliance Introduction Guiding

More information

Internal Oversight Division. Internal Audit Strategy

Internal Oversight Division. Internal Audit Strategy Internal Oversight Division Internal Audit Strategy 2018-2020 Date: January 24, 2018 page 2 TABLE OF CONTENTS LIST OF ACRONYMS 3 1. BACKGROUND 4 2. PURPOSE 4 3. WIPO STRATEGIC REALIGNMENT PROGRAM 5 (A)

More information

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a Checkpoint Contents Accounting, Audit & Corporate Finance Library Editorial Materials Audit and Attest Internal Control Communications Chapter 1 INTRODUCTION AND OVERVIEW 100 Background 100 Background

More information

Audit & Risk Committee Charter

Audit & Risk Committee Charter Audit & Risk Committee Charter Status: Approved Custodian: Executive Office Date approved: 2014-03-14 Implementation date: 2014-03-17 Decision number: SAQA 04103/14 Due for review: 2015-03-13 File Number:

More information

HSE Integrated Risk Management Policy. Part 3. Managing and Monitoring Risk Registers Guidance for Managers

HSE Integrated Risk Management Policy. Part 3. Managing and Monitoring Risk Registers Guidance for Managers HSE Integrated Management Policy Part 3 Managing and Monitoring Registers Guidance for Managers HSE Integrated Management Policy Part 3 Managing and Monitoring Registers Guidance for Managers Identify

More information

Internal Audit of ICT Governance in WFP. Office of the Inspector General Internal Audit Report AR/15/11

Internal Audit of ICT Governance in WFP. Office of the Inspector General Internal Audit Report AR/15/11 Fighting Hunger Worldwide Internal Audit of ICT Governance in WFP Office of the Inspector General Internal Audit Report AR/15/11 Contents Page I. Executive summary 3 II. Context and scope 5 III. Results

More information

From Dictionary.com. Risk: Exposure to the chance of injury or loss; a hazard or dangerous chance

From Dictionary.com. Risk: Exposure to the chance of injury or loss; a hazard or dangerous chance Sharon Hale and John Argodale May 28, 2015 2 From Dictionary.com Enterprise: A project undertaken or to be undertaken, especially one that is important or difficult or that requires boldness or energy

More information

MANAGING RISK AT SUNCORP

MANAGING RISK AT SUNCORP SUNCORP GROUP LIMITED CORPORATE GOVERNANCE MANAGING RISK AT SUNCORP 1 MANAGING RISK AT SUNCORP Managing risk is a key contributor to Suncorp Group's success. The Board and management recognise that an

More information

29/11/2017. Risk Management Policy

29/11/2017. Risk Management Policy 1 Purpose APA Group (APA) is Australia s leading energy infrastructure business delivering smart, reliable and safe solutions through our deep industry knowledge and interconnected infrastructure. Risk

More information

The Gym Group plc. (the Company ) Audit and Risk Committee - Terms of Reference. Adopted by the board on 14 October 2015 (conditional on Admission)

The Gym Group plc. (the Company ) Audit and Risk Committee - Terms of Reference. Adopted by the board on 14 October 2015 (conditional on Admission) The Gym Group plc (the Company ) Audit and Risk Committee - Terms of Reference Adopted by the board on 14 October 2015 (conditional on Admission) 1. BACKGROUND The board of directors of the Company (the

More information

International Standards for the Professional Practice of Internal Auditing (Standards)

International Standards for the Professional Practice of Internal Auditing (Standards) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Attribute Standards 1000 Purpose, Authority, and Responsibility The purpose, authority, and responsibility of the

More information

Risk Management Guidelines of the CGIAR System

Risk Management Guidelines of the CGIAR System Agenda Item 11 For Decision Management Guidelines of the CGIAR System Purpose These guidelines are proposed as a companion document to the Management Framework of the CGIAR System to support the attainment

More information

Guideline. Operational Risk Management. Category: Sound Business and Financial Practices. No: E-21 Date: June 2016

Guideline. Operational Risk Management. Category: Sound Business and Financial Practices. No: E-21 Date: June 2016 Guideline Subject: Category: Sound Business and Financial Practices No: E-21 Date: June 2016 1. Purpose and Scope of the Guideline This Guideline sets out OSFI s expectations for the management of operational

More information

ASSURANCE FRAMEWORK. A framework to assure the Board that it is delivering the best possible service for its citizens SEPTEMBER 2010.

ASSURANCE FRAMEWORK. A framework to assure the Board that it is delivering the best possible service for its citizens SEPTEMBER 2010. ASSURANCE FRAMEWORK A framework to assure the Board that it is delivering the best possible service for its citizens SEPTEMBER 2010 V3 Draft 1 SECTION NO. ASSURANCE FRAMEWORK CONTENTS 1. INTRODUCTION 3

More information

Somalia. Risk Management For NGOs. Risk Management Unit United Nations Somalia

Somalia. Risk Management For NGOs. Risk Management Unit United Nations Somalia Somalia Risk Management For NGOs Risk Management Unit United Nations Somalia Table of Contents 1 GLOSSARY... 4 2 HOW TO USE THIS DOCUMENT... 6 3 OVERVIEW... 7 3.1 FRAGILE STATES, UNCERTAINTY AND RISK...

More information

APPLICATION OF THE KING IV REPORT ON CORPORATE GOVERNANCE FOR SOUTH AFRICA 2016 TM (King IV TM )

APPLICATION OF THE KING IV REPORT ON CORPORATE GOVERNANCE FOR SOUTH AFRICA 2016 TM (King IV TM ) (Incorporated in the Republic of South Africa) (Registration number 2006/019240/06) APPLICATION OF THE KING IV REPORT ON CORPORATE GOVERNANCE FOR SOUTH AFRICA 2016 TM (King IV TM ) DATE OF ISSUE: MAY 2018

More information

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) ATTRIBUTE STANDARDS 1000 Purpose, Authority and Responsibility The purpose, authority, and responsibility of the internal

More information

Application: All licensed institutions and supervisory personnel

Application: All licensed institutions and supervisory personnel Title: SR-1 Strategic Risk Management Date: FINAL Purpose: To set out the approach which the NBRM will adopt in the supervision of licensed institutions strategic risk, and to provide guidance to licensed

More information

KING IV GOVERNANCE PRINCIPLES APPLICATION BY MURRAY & ROBERTS FY The governing body should lead ethically and effectively (Leadership)

KING IV GOVERNANCE PRINCIPLES APPLICATION BY MURRAY & ROBERTS FY The governing body should lead ethically and effectively (Leadership) KING IV GOVERNANCE PRINCIPLES APPLICATION BY MURRAY & ROBERTS FY2018 LEADERSHIP, ETHICS AND CORPORATE CITIZENSHIP 1. The governing body should lead ethically and effectively (Leadership) The Board is the

More information

Public Internal Control Systems in the European Union

Public Internal Control Systems in the European Union Public Internal Control Systems in the European Union Illustrating essential Internal Control elements Discussion Paper No. 8 Ref. 2017-1 The information and views set out in this paper are those of the

More information

RISK MANAGEMENT REPORT

RISK MANAGEMENT REPORT RISK MANAGEMENT REPORT RISK POLICY STATEMENT Robust and effective management of risks is an essential and integral part of corporate governance. It helps to ensure that the risks encountered in the course

More information

Control Environment Toolkit: Internal Audit Function

Control Environment Toolkit: Internal Audit Function III. MODEL DOCUMENT: INTERNAL AUDIT DEPARTMENT CHARTER ADOPTED BY THE AUDIT COMMITTEE OF THE COMPANY MEETING MINUTES NO OF 20 SIGNATURE OF THE CHAIRPERSON OF AUDIT COMMITTEE DATED THIS DAY OF, 20 Approved

More information

AFM Corporate Governance Code

AFM Corporate Governance Code AFM Corporate Governance Code January 2019 Ó Association of Financial Mutuals About this document The AFM Corporate Governance Code (AFM Code) takes effect from 1 January 2019. This means AFM members should

More information

RISK MANAGEMENT STRATEGY AND POLICY

RISK MANAGEMENT STRATEGY AND POLICY NEWPORT COMMUNITY SCHOOL PRIMARY ACADEMY Date Adopted: 12 th July 2012 Author/owner: Resources Committee Anticipated Review: Ongoing RISK MANAGEMENT STRATEGY AND POLICY Risk Management Strategy The Governing

More information

Loch Lomond & The Trossachs National Park Authority. Annual internal audit report Year ended 31 March 2015

Loch Lomond & The Trossachs National Park Authority. Annual internal audit report Year ended 31 March 2015 Loch Lomond & The Trossachs National Park Authority Annual internal audit report Year ended 31 March 2015 Contents This report is for: Information Chief executive Audit committee Jaki Carnegie, director

More information

Corporate Governance Statement Australian Men s Shed Association

Corporate Governance Statement Australian Men s Shed Association Corporate Governance Corporate Governance Statement Australian Men s Shed Association The Australian Men s Shed Association was founded in 2007 as an organisation to provide support through the sharing

More information

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Audit Committee March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note )

More information

REPORT 2015/077 INTERNAL AUDIT DIVISION

REPORT 2015/077 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/077 Advisory engagement to assist the International Trade Centre in its efforts to develop a risk management framework 29 July 2015 Assignment No. VE2014/350/01 CONTENTS

More information

Policy and Procedures Date: November 5, 2017

Policy and Procedures Date: November 5, 2017 Virginia Polytechnic Institute and State University No. 3350 Rev.: 8 Policy and Procedures Date: November 5, 2017 Subject: Charter for the Office of Audit, Risk, and Compliance 1. Purpose... 1 2. Policy...

More information

International Standards for the Professional Practice of Internal Auditing (Standards)

International Standards for the Professional Practice of Internal Auditing (Standards) Attribute Standards 1000 Purpose, Authority, and Responsibility The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent

More information

Enterprise Risk Management

Enterprise Risk Management BUSINESS RISK MANAGEMENT LTD Enterprise Risk Management Who should attend? Risk managers Managers and Directors responsible for the risk management function or process Senior Internal Auditors and audit

More information

ENTERPRISE RISK MANAGEMENT THE KEY TO BUSINESS SUCCESS By Phil Griffiths FCA

ENTERPRISE RISK MANAGEMENT THE KEY TO BUSINESS SUCCESS By Phil Griffiths FCA ENTERPRISE RISK MANAGEMENT THE KEY TO BUSINESS SUCCESS By Phil Griffiths FCA Chapter 1 Fundamentals of Enterprise Risk Management Risk management has become a vital ingredient in the entrepreneurial culture

More information

Enterprise Risk Management Handbook. June, 2010

Enterprise Risk Management Handbook. June, 2010 Enterprise Risk Management Handbook June, 2010 Table of Contents Overview... 4 What is Enterprise Risk Management?... 5 Why Undertake Enterprise Risk Management?... 6 Draft UW System ERM Vision, Mission,

More information

Enterprise Risk Management. Focus on the Future June 2017

Enterprise Risk Management. Focus on the Future June 2017 Enterprise Risk Management Focus on the Future June 2017 2017 Crowe 2017 Crowe Horwath Horwath LLP LLP Learning Objectives and Agenda Objectives Distinguish Risk Management from ERM Understand the Value

More information

Northern Ireland Blood Transfusion Service

Northern Ireland Blood Transfusion Service Northern Ireland Blood Transfusion Service Risk Management Strategy 2018 Northern Ireland Blood Transfusion Service Lisburn Road Belfast BT9 7TS Telephone No. 028 9032 1414 www.nibts.org Page 1 of 13 CONTENTS

More information

Auditing Standards and Practices Council

Auditing Standards and Practices Council Auditing Standards and Practices Council PHILIPPINE STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT PHILIPPINE STANDARD ON AUDITING

More information

Level 5 NVQ Diploma in Management and Leadership Complete

Level 5 NVQ Diploma in Management and Leadership Complete Learner Achievement Portfolio Level 5 NVQ Diploma in Management and Leadership Complete Qualification Accreditation Number: 601/3550/5 Version AIQ004461 Active IQ wishes to emphasise that whilst every

More information

Guide to Internal Controls

Guide to Internal Controls Guide to Internal Controls Table of Contents Introduction to Internal Controls...3 Roles...4 Components....5 Control Environment...5 Risk assessment...6 Control Activities...7 Information & Communication...9

More information

In Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015

In Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015 In Control: Getting Familiar with the New COSO Guidelines CSMFO Monterey, California February 18, 2015 1 Background on COSO Part 1 2 Development of a comprehensive framework of internal control Internal

More information

CGMA Competency Framework

CGMA Competency Framework CGMA Competency Framework Technical skills CGMA Competency Framework 1 Technical skills : This requires a basic understanding of the business structures, operations and financial performance, and includes

More information

Risk Management With an Enterprise (Wide) Focus

Risk Management With an Enterprise (Wide) Focus Risk Management With an Enterprise (Wide) Focus Date or subtitle August 11, 2016 1 Today s Presenters Jerry Miller, CRCM, CMC, AMLS, CRP Partner 630.368.7021 jlmiller@wipfli.com 2 Risk Management Governance

More information

QIC Health and Community Services Core Standards 6 th Edition November 2009

QIC Health and Community Services Core Standards 6 th Edition November 2009 QUALITY IMPROVEMENT COUNCIL QIC Health and Community Services Core Standards 6 th Edition November 2009 These standards are for use in the QIC Accreditation Program by approved participating organisations

More information

Aligning and Integrating ERM and Business Process. Federal ERM Summit September 9, :00-12:00

Aligning and Integrating ERM and Business Process. Federal ERM Summit September 9, :00-12:00 Aligning and Integrating ERM and Business Process Federal ERM Summit September 9, 2013 11:00-12:00 1 Agenda Defining Risk and ERM The ERM Value Proposition An Integrated ERM Framework Aligning ERM with

More information

Key Risks and Risk Based Management Update

Key Risks and Risk Based Management Update Key Risks and Risk Based Management Update Recommendation That the Standing Policy Committee on Finance recommend to City Council: 1. That the information be received; and 2. That the proposed Key Corporate

More information

Risk Management Policy & Procedure Document

Risk Management Policy & Procedure Document Risk Management Policy & Procedure Document Contents Policy statement 1 Introduction 1.1 Objective 1.2 Benefits 1.3 Restriction 1.4 Definition of risk 1.5 Definition of Enterprise Risk Management 1.6 Factors

More information

A Risk Management Framework for the CGIAR System

A Risk Management Framework for the CGIAR System Agenda Item 11 Cover Paper Issued: 29 November 2017 A Risk Management Framework for the CGIAR System Purpose This paper summarizes the main elements of the Risk Management Framework for the CGIAR System.

More information

Internal Audit Report

Internal Audit Report Internal Audit Report Key Financial Controls Accounts Payable and Accounts Receivable December 2017 To: Deputy Chief Executive Director of Finance Head of Finance Finance Manager Copied to: Operations

More information

2014 Integrated Internal Control Plan. FRCC Compliance Workshop May 13-15, 2014

2014 Integrated Internal Control Plan. FRCC Compliance Workshop May 13-15, 2014 2014 Integrated Internal Control Plan FRCC Compliance Workshop Contents Definitions Integrated Components of COSO Internal Control Framework The COSO Internal Control Framework and Seminole Control Environment

More information

ICAAP. Engaging the business in risk management. A presentation to FIDE Forum by Penny Fosker. 10 January towerswatson.com

ICAAP. Engaging the business in risk management. A presentation to FIDE Forum by Penny Fosker. 10 January towerswatson.com ICAAP Engaging the business in risk management A presentation to FIDE Forum by Penny Fosker 10 January 2013 1 Agenda What is an ICAAP and what s in it for me? Managing capital and risk or managing my business?

More information

ANNUAL PERFORMANCE REPORT DATA ASSURANCE PLAN 2015/2016

ANNUAL PERFORMANCE REPORT DATA ASSURANCE PLAN 2015/2016 ANNUAL PERFORMANCE REPORT DATA ASSURANCE PLAN 2015/2016 1 INTRODUCTION 1.1. Ofwat s shared vision for the water sector in England and Wales is one where customers, the environment and wider society have

More information