2014 Enterprise Risk Management (ERM) Risk Assessment Results ERM Risk Assessment Results and Reporting

Transcription

1 2014 Enterprise Risk Management (ERM) Risk Assessment Results ERM Risk Assessment Results and Reporting August 2014

2 Supply of Services for Acceleration of ERM Implementation at UNFPA We are pleased to provide the attached report as a result of certain consulting services performed for the United Nations Population Fund (UNFPA) in accordance with the Corporate Contract dated January 7th, 2014 and amendment from June 23rd, 2014 between Deloitte & Touche LLP ( Deloitte & Touche ), and UNFPA. This report is intended solely for UNFPA s use, and is not intended to be relied upon by any person or entity other than UNFPA. UNFPA should not disclose the report, or refer to the report, except as specifically set forth in the Corporate Contract. Our services were performed in accordance with the Statement on Standards for Consulting Services issued by the American Institute of Certified Public Accountants (AICPA) and did not constitute an engagement to provide audit, compilation, review, or attestation services as described in the pronouncements on professional standards issued by the AICPA, the Public Company Accounting Oversight Board, or other regulatory body and, therefore, we did not express an opinion or any other form of assurance with respect to our services. We look forward to the opportunity to work with you in the future. Please do not hesitate to contact me directly at bssherman@deloitte.com if you need additional information or clarification about any aspect of this report. Sincerely, Deloitte & Touche LLP Brett Sherman, Partner

3 Contents Objectives and Process Overview UNFPA s Top Risks - an Evolution Top Risks Details Sustaining ERM

4 ERM Programme Acceleration Steps ENTERPRISE RISK MANAGEMENT AT UNFPA Operationalization of a repeatable process to prioritize risks based on perceptions of impact, and management preparedness/focus on the stated risk Prioritization of preliminary top risks with supporting risk definitions and understanding of risk drivers and consequences Obtaining consensus of UNFPA Leadership as to the top risks facing the organization, after consideration of level of focus/preparedness Assigning risk monitoring owners with defined expectations to monitor and report on the changing risk profile of their assigned risk Develop a template that promotes such ongoing monitoring activities Identifying longer-term ERM Programme continuity elements 4

5 Process Overview Step 1 Determined preliminary risk universe Step 2 Executed organizational-wide Risk Assessment at UNFPA Step 3 Review risk assessment results and recommendations Developed a risk register of potential enterprise risks at UNFPA Determined preliminary risk universe which included the following risk categories: Accounting / Internal Controls, Compliance, Donor Management, Governance/Strategy/Reputation, Information Technology, Operations, Programme Management Key Activities Top-down: Conducted UNFPA Executive and other interviews Bottoms up: Developed and conducted a organizational-wide Internet-based risk assessment survey Facilitated workshop with senior leadership aimed at driving consensus on the Enterprise Risk Assessment (ERA), prioritizing UNFPA s top risks and identifying risk owners Documented ERA workshop results and recommendations in this document Timeline: January February/March June/July 5

6 UNFPA Top Risks an evolution Top 10 Risks Survey Top 15 Risks Survey & Interview Executive Workshop / Finalized Risks Risk Hiring / retention of key personnel Programme resource allocation Risk Score Succession planning Risk of defunding Coordination between HQ, RO, CO and IPs Donor relationship management Mission / programme Continuity UNFPA brand perception / reputational risk Vendor / partner management Country imposed constraints 9.99 Risk Policy and procedure compliance *Donor relationship management *Brand perception / reputational risk *Coordination between HQ, RO, CO, IP Lack of or negative media exposure Planning and budgeting *Risk of defunding *Succession planning IT continuity *Hiring / retention of key personnel *Mission / programme continuity *Vendor partner management *Country imposed constraints *Program resource allocation Selection and monitoring of key partners Rank Risk TOP TIER 1 Donor relationship management Vacancies and succession planning Misalignment of staff to UNFPAs objectives Risk of non-delivery of programme results Brand and Reputation Management Management of strategic and operational partnerships SECOND TIER Policy and procedure compliance *Coordination between HQ, RO, CO, IP Business continuity Country imposed constraints Planning and budgeting 6 Results of a survey of 129 UNFPA personnel ranked these risks highest, based on the rating of impact and the current level of preparedness (Risk score = product of impact score and level of preparedness) Based on survey and interview results, these risks were identified as potential top risks and discussed at the Executive Risk Workshop on June 24 in Geneva (*Risks ranked Top 10 based on survey results; others were added based on executive interview feedback) Based on survey and interview results, these risks were finalized as top risks at the Executive Risk Workshop on June 24 in Geneva. (Note: Color coding shows where two risks were consolidated to one, or where risks were renamed during the Executive Risk Workshop)

7 Top Risks Details 7

8 Top Risk: Details 1.) Donor Relationship Management Risk of being unable to retain existing or attract new donors UNFPA dependent on very few donors and has no guaranteed revenue stream External factors (political change, economy) or non-compliance to donor requirements could lead traditional donors to reduce/eliminate funding Increasing demand from donors for UNFPA to provide additional reporting, details/data and transparency Many traditional donors fund activities only in a limited number of crisis or low-income countries; therefore need to start approaching new and innovative funding channels (e.g. private sector, middle income countries); Need to improve procedures to allow flexibility to work with new funding sources (e.g. expedite approvals, allow private sector entities to use UNFPA s logo) Need to assess the ability to deliver and report on results Babatunde Osotimehin 2.) Vacancies and Succession Planning Risk of UNFPA being unable to attract and retain qualified and experienced professionals to fill key positions Aging workforce Long vacancy periods because hiring process can take months Culture of keeping non-performers on the staff, rather than firing them, negatively impacting morale Loss of personnel to sister agencies or other international organizations Need to improve the induction / orientation program(s) for key positions Lack of succession plan for key positions in certain countries, regions, roles (technical and management skill sets) Lack of proper training & development for leadership succession No document management system to ensure continuity of operations during leadership transitions An HR transformation initiative is underway, but resultant change will take time Kate Gilmore 8

9 Top Risk: Details 3.) Misalignment of Staff to UNFPAs Objectives Risk of inadequate alignment of people, skills and funding to deliver programme Risk Overview : 70% of funds are used for personnel expenses; therefore proper alignment of staffing to programme needs is crucial Limited flexibility (at regional and country level) to prioritize programme staffing resources, since resource allocation for GRI and HQ non-core is determined at headquarters Improved and faster re-alignment (change management) of Country offices needed, supported by strengthened HR at regional level Staff who no longer fit or exiting staff can cause political barriers to the organizations work. Need to use training resources more effective for re-alignment purposes (existing or new resources) Many programme-funded positions are vacant; most positions are time-bound and do not align to long term interests 4.) Risk of Non-Delivery of Programme Results Risk of not properly monitoring, delivering or reporting programme results. Need to review monitoring processes and strengthen performance indicators to improve performance monitoring and timely reporting to donors Insufficient monitoring of key partners due to safety concerns, limited access to government data and statistics or small offices with limited capacity Unsystematic application of financial and programming capacity assessment tools due to lack of commitment and ownership Headquarters intends to make financial and programming capacity assessments compulsory; regular spot checks and monitoring is performed for IPs Need to identify strategic partners to improve programme delivery Benoit Kalasa Dianne Steward 9

10 Top Risk: Details 5.) Brand and Reputation Management Risk of insufficient positive media coverage and the potential for negative publicity to lead to negative public perception of UNFPA The mandate / mission and its association with controversial and sensitive issues creates significant inherent risk; this can lead to conflicts and attacks by certain groups There is a need for more proactive brand and reputation management to drive more positive media coverage Continue to monitor media and public perception This is a declining risk in terms of traditional media; specifically need to capitalize on the opportunities associated with social media (and prepare for adverse outcomes of the growth of social media) The organization itself does not attract a lot of negative media, the mandate does A negative reputational event (e.g. caused by staff behavior or non-compliance) could lead to programme delivery impacts and / or defunding by donors Marcela Suazo 6.) Management of Strategic and Operational Partnerships Risk of reliance on individual rather than corporate holders of strategic partnership, and reliance on limited numbers of operational partners may result in a disruption of operations individuals leave or services are discontinued/reduced quality. Lack of corporate overview of high value partnerships, the health of those partnerships and strategies for improving them. High reliance and dependency on external operational partners such as UNDP for Finance, HR, and IT services Programmatic, technical, advocacy and operational partnerships may not be delivering expected benefits (leveraging resources (incl. information and knowledge) and influence, improved delivery, timely and value for money support services) MOUs, Service Level Agreements etc. needed to mitigate risks with existing partners Alternative partnerships may be required to mitigate risks Identification of and improved governance of strategic partnership should be one of the priorities for 2015 Anne-Birgitte Albrectsen 10

11 Second Tier Risk: Details 7.) Policy and Procedure Compliance Risk of not fully complying with voluminous and time consuming UN and UNFPA policy and procedural requirements or outdated / conflicting policies making compliance impossible or unfeasible Policies and procedures are known but staff has difficulty complying Increasing complexity of policies and procedures Instances of outdated policies Non-compliance is very likely because of the small staffs in some offices, as well as highly manual processes Need to clearly define roles and responsibilities on Head quarter (HQ), Country Office (CO) and Regional Office (RO) level and to monitor compliance to policies ERP system (Atlas) does not enable automated controls to enforce compliance with policies Need to review, update, translate, streamline and communicate policies and procedures Need to improve the culture around accountability, encouraging managers to highlight the good and bad associated with compliance Julitta Onabanjo 8.) Coordination between HQ, RO, CO and IPs Risk of failure to coordinate effectively between HQ, RO, COs and IPs Regionalization can lead to lack of coordination and ineffective communication between HQ, RO, CO and IPs Overlap between HQ and RO/CO responsibilities exists Ineffective coordination and communication has been identified as an issue during internal and external audits and can lead to reputational consequences if not resolved in a timely manner Lines of accountability are sometimes unclear Failure to coordinate and information share creates inefficiencies that a resource constrained entity cannot afford Opportunity / need to rotate personnel through different roles (country, region, HQ) to improve understanding and communication Michael Emery 11

12 Second Tier Risk: Details 9.) Mission/Business/IT Continuity Risk of major natural or conflict calamity (e.g. fire, flood, earthquake, attacks) disrupting operations Disruption of operations due to natural disasters or local conflicts A business continuity test has been performed at HQ, but a formal program has not been rolled out throughout the organization There is no single person / team accountable for business continuity planning Strong security measures are in place Business continuity plans exist in most offices but may not be upto-date, tested or communicated throughout the organization Higher fraud risk during period of disruption due to expedited decision making and execution increased frequency of crises affecting business operations in many country offices Lack of sufficient IT infrastructure to ensure compliance to policies and procedures in some areas IT disaster recovery and business continuity plans are in place in most countries, but may not be current, tested or not effectively implemented and communicated in certain countries Need for electronic archiving to protect paper-documents from loss in the event of a crisis Mabingue Ngom 10.) Country Imposed Constraints Risk of unreasonable restriction of UNFPA's ability to operate by country or local governments Some governments do not support UNFPA s mission and will create barriers to some UNFPA activities that can potentially impact programme delivery Programme delivery and proper resource allocation may be impaired (e.g. Visas may not be available for certain UNFPA employees) Complex administrative and political structures, as well as frequent changes of national counterparts in the course of a programme can create challenges This risk is partially mitigated through leverage of local institutions and organizations for programme delivery Should be a key consideration in selecting country reps Rarely creates an enterprise-level outcome; impacts are felt locally Subhash Gupta 12

13 Second Tier Risk: Details 11.) Planning & Budgeting Risk of failure to maintain an effective operations/programme planning model to support overall strategy and execution. Already working towards a more effective planning and budgeting model Lack of oversight and guidance on systematic value-for-money budgeting for programmes Perspectives between local and corporate level might be different Many different owners overall planning and budgeting Planning and budgeting policies and procedures, tools and systems are available, but may need more streamlined and integrated approach Bruce Campbell 13

14 Sustaining ERM 14

15 Next Step for Consideration Key activities ENTERPRISE RISK MANAGEMENT AT UNFPA Elevate the Executive Committee roles and responsibilities to include risk management and make relevant additions to the Executive Committee TOR if necessary Identify risk monitoring ownership (individual owns the monitoring and reporting of the changing risk conditions related to their assigned risks. May or may not be the executive responsible for the specific functional area that the risk relates to UNFPA leadership expressed preference for some independence in such assignments) Formally add this responsibility to individuals other responsibilities Develop a risk monitoring and/or reporting template and process related to collating, reporting and reviewing risks by the Risk Committee Pilot risk reporting for top risks and roll out for other risks in a phased manner UNFPA to define number / frequency of executive meetings to re-visit top risks and identify emerging risks UNFPA to define process to update the ERA (surveys, interviews, workshops) and frequency of updating (annual or every two years) Deloitte & Touche s DeepDive approach to risk strategy/mitigation Risk Response / Mitigation Plan Document Assemble Team Brainstorm and Develop Prototype The Frenzy Develop Final Prototypes Present Bold Ideas Preference Vote Risk : Financial Impact: Speed of Onset: Non-Financial Impact: Likelihood: Illustrative Vulnerability: Risk Management Effectiveness: Frequency: Overall Risk Response (Mitigate, Share, Accept, etc.):z Leading Indicators: Risk Response Actions Owner Timing Resources Needed 15

16 Implementing, Operating and Continuously Improving the ERM Process Key activities Continue to develop and deploy tools and resources Risk response and reporting dashboards ERM technology ERM training ERM communication plan and key content Continue change enablement (communication, training, project management) Monitor overall ERM progress and report to executive board Implement enhancement initiatives Risk Response and Reporting E. Work Environment Risks include the potential loss of core competencies and capability. There are a wide variety of issues that impact retention (e.g., compensation, geographic cost of living, and risks related to outsourcing). Additional Risk Response Actions Needed 1. Periodic HR planning process to identify at risk to leave personnel 2. Quarterly Human Resource planning exercises 3. Quarterly and Talent Acquisition Strategy Setting 4. Bi-annual Functional strategy and people reviews 5. Bi-annual Recognition and rewards programs 6. Annual Development Plans for career planning with key personnel Owner J. Smith T. Hall T. Hall J. Smith A. Pal J. Smith Timing Q1 05 Quarterly Quarterly Bi-annually Bi-annually Annually Resources Needed Retention bonus ($10K year) HR executives College recruiting contacts Functional leaders 1.5% gross salaries Key executive reviews ERM Training Action # 1 Very High Actions #2,3 Actions #2,3 Incremental Mitigated Value (Perform Cost/Benefit Analysis) High Med Low NET RISK Actions #2,3,4,5,6 Planned Actual Very Low Q1 05 Q2 05 Q3 05 Q4 05 Q1 06 Q2 06 Q3 06 Illustrative 16

17 Integrating ERM and Strategic Decision Making Processes Key activities Development of risk appetite and other risk decisioning tools Integration of risk management into: Short- and long-term strategic planning; and Day-to-day decision-making Understanding and addressing changes in the strategic risk profile Integration of risk management capability into budgeting, resource allocation and incentive compensation Escalation Level Executive Level Director Level Risk Manageme Mgmt nt Function Within Business Risk Level Crisis High Medium Low Risk Score > < 9 Action/Response Notify and escalate to Executive (e.g. Executive Director) Notify and escalate to Director level immediately. Depending on nature of the risk event, relevant risk functions should be notified. Manage in Risk Management program. Manage in relevant office or risk function. If escalation attempt is made, de-escalate to the office or function to manage per their standard operating procedures. Deadlines for Required Actions IMMEDIATELY WITHIN 2 HOURS WITHIN 48 HOURS WITHIN 5 BUSINESS DAYS Expected Enterprise Value Insufficient risk taking Optimal risk taking Sweet Spot Risk Level Excessive risk taking 17