ICARS Organisational Risk Management Policy
Approved by Board of Directors on 12th December 2022
1. Introduction, Purpose and Scope
1.1. Introduction
Risks are an everyday part of ICARS activities. The realisation of the ICARS mission and strategy depends on the organisation’s ability to recognise and address risks.
ICARS must be able to manage risk proactively and take responsibility for risk management processes. Therefore, to be effective, risk management at ICARS follows these principles:
- Ensuring that the process for managing risks is dynamic, transparent, inclusive and fit for purpose
- Establishing legal compliance as a minimum standard
- Ensuring that roles and responsibilities are explicit and clear
Risk management aims firstly to anticipate risks. Then, in the case of negative risks, it aims to prevent them from realising or to minimize their impact if they do. In the case of positive risks, it aims to capitalise on these opportunities. This document is mainly concerned with managing negative risks.
Risk management is important at all levels. While this policy focuses on the organisational level, the ICARS Project Risk Management Policy focuses on the project level. The key tool for effective risk management at both the project and organisational levels are the respective risk registers.
This policy[1] is supported by related policies and processes, principally in the following areas: financial processes and controls, project management, human resources, and information services and technology. Key complementary policies include the Anti-bribery, Fraud and Corruption Policy, the internal Travel Policy and the Conflict-of-interest Policy.
1.2. Purpose
The purpose of organisation-wide risk management is to enable ICARS to be better prepared for the potential realisation of organisational risks, following an analysis of the likelihood and impact and management of those risks.
1.3. Scope
This policy applies to all processes at the organisational level.
2. Key definitions
Organisational Risk: Uncertainties which may impact ICARS’ ability to achieve its objectives.
Risk Management: All activities performed by ICARS to anticipate, identify, assess and control risk.
Likelihood: A qualitative characterization of probability.
Impact: A qualitative characterisation of the consequence of an event.
Organisational risk register: Critical risks are detailed in a log of all risks that could impact a project. Specifically, a risk register is a table that seeks to capture and track risks and contains all information relating to identified risk events, including a description of the risk, the owner of the risk, the likelihood of the risk, the impact of the risk, and the mitigation measures.
Risk owner: the person/team in charge of managing and monitoring an identified risk.
3. The Risk management process
Risk management and internal control elements are embedded in processes throughout ICARS, for example in processes related to finance, grant management, legal issues and compliance.
The standard risk management process consists of four stages:
- Risk classification and identification
- Risk assessment
- Risk management action
- Monitoring and review
3.1. Risk classification and risk identification
Systemic classification of risks is useful for ensuring key areas of risk are identified. The identified categories are:
- Implementation/Technical Risks
- Financial Risks
- Staff, systems and structures
- Political/governance
These categories are not mutually exclusive. For example, any major damage to reputation is also likely to become a financial risk because of the loss of donor confidence; a technical error might also lead to reputational damage.
Risk identification requires understanding the external and internal context relevant for the realisation of objectives at the organisational level. Therefore, communication and consultation are key. The identification of all organisational risks requires an inclusive communication and consultation approach with all relevant stakeholders, including all key staff members as well as relevant external stakeholders. Communication and consultation need to take place at regular/planned intervals to inform all steps of the risk management process.
3.2. Risk assessment
The objective of risk assessment is to provide sufficient information at appropriate intervals for risk-informed management decisions.
For each significant risk area, every specific risk and its implications are noted, and an assessment is made of the Impact (I) of that risk and the Likelihood (L) of it occurring.
Available information and evidence are considered in the assessment of likelihood and impact. In cases where likelihood and/or impact remain difficult to estimate and there is a potential for harm, a precautionary approach is applied by estimating the worst-case scenario to ensure the risk is treated accordingly and closely monitored. The risk analysis should be adjusted when more information becomes available.
Impact and likelihood will be scored as follows:
| Score | Impact | Likelihood |
| --- | --- | --- |
| 5 | Critical | Expected >90% |
| 4 | Severe | Highly Likely <90% |
| 3 | Moderate | Likely <60% |
| 2 | Minor | Not likely <30% |
| 1 | Negligible | Slight <10% |
3.3. Risk management action
In a first step, all existing procedures in place to manage each identified risk will be captured.
Based on the analyses of individual risks, together with the accompanying risk appetite, an evaluation is made to determine which risks can be accepted and which risks require a priority response.
The options described below should be considered for each identified risk:
- Tolerate: accept the risk by keeping activities unchanged. This option may be applied when exposure is tolerable, control is impossible, or the cost of control exceeds the potential benefit. It may be supplemented by contingency planning for handling the potential impact.
- Treat/Mitigate: adjust (add or revise) the relevant activities to reduce the likelihood or impact of the risk.
- Transfer: share the risk by involving stakeholders. Transferring risk works especially well for financial risks or risks to assets and includes taking conventional insurance or paying a third party to take the risk. This option is not possible for reputational risks.
- Terminate: avoid or cancel the activities that give rise to the risk, especially when the cost/benefit relationship is in jeopardy.
3.4. Monitoring and reviewing risk
After the establishment of an initial detailed risk register, each risk will have to be regularly monitored, which will include noting the following:
- any change in the assessment of the risk;
- any suggested changes to the risk mitigation strategy;
- progress made regarding the detailed plan of action so far.
4. Roles and responsibilities
Risk management is embedded throughout ICARS.
Role of the Board
The ICARS Board has a fundamental role to play in the management of risk. The role is to:
- approve and monitor the risk management strategy and demonstrate the commitment to effective risk management.
- set the tone and influence the culture of risk management within ICARS. This includes determining what types and levels of risk are acceptable (the so-called risk appetite) and which are not.
- approve major decisions affecting ICARS’s risk profile or exposure.
- annually review ICARS’ approach to risk management and, if appropriate, recommend changes or improvements to key elements of its processes, policies and procedures.
Role of the Executive Management
The Executive Management is responsible for:
- day-to-day risk management: the Executive Director delegates responsibility for risk management through a management structure designed to ensure effective leadership, accountability and decision making.
- ensuring that the major risks have been properly considered and can be appropriately managed following the guidance provided by the Board or seeking additional guidance where needed.
- communicating the policy and information about risk management to all staff and making it transparent and publicly available.
Roles of Staff
ICARS staff should:
- understand that risk management and risk awareness are a key part of ICARS’ culture.
- report promptly to the Executive Management any perceived new risks or failures of existing control measures.
- follow ICARS’s Whistleblowing Policy if they have concerns that actions are not being taken properly through normal channels.
5. Organisational risk register
Critical risks are detailed in the organisational risk register. This register states the risk, the level of risk (analysis of the impact and likelihood of occurrence of a risk), actions for managing the risk, lead risk owner and date for review. The register serves as the repository of the most important risks that impact on the organisation’s ability to reach its objectives. It allows the Executive Management and the Board of Directors to monitor these risks both individually and taken together, to strengthen procedures where needed and otherwise to be assured that appropriate mitigation actions are being taken.
The following format will be applied as a starting point but can be refined where appropriate following guidance by the Board of Directors.
| Risk Identification | | | Risk Assessment | | Risk Mitigation | | Risk owner |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Risk Category | Risk Name | Description | Impact Score | Probability score | Existing procedures in place to manage risk | Required action | |
6. Recording, periodic review and ad-hoc reporting
The organisational risk register will be revised and updated at least annually at the time of preparing the annual budget for review by the Board of Directors. The Board will consider any significant risks which may affect the achievement of ICARS objectives.
The first ICARS organisational risk register is included in Annex A and will be regularly reviewed and updated in accordance with this policy.
All incidents (where risks have materialised), or factors that lead to a significantly higher risk level (impact or likelihood) and therefore are time sensitive and require a new assessment and management action will be reported promptly to the Board of Directors.
7. Policy review
The policy will be reviewed at least every two years, and sooner whenever the need arises.
[1] Inspired amongst others by CABI’s Policy for Risk Management, the 2019 Global Alliance for Improved Nutrition (GAIN) Risk Management Policy, WHO’s Corporate risk register, the 2014 Global Fund Risk Management Policy and the 2019 UNDP Enterprise Risk Management (ERM) Policy and Procedures.