ICARS Project Risk Management Policy
Approved by the Board of Directors , 10 June 2022
1. Introduction
ICARS is committed to ensuring that all projects limit the potential risks and their impact to ensure successful project implementation. Therefore, all ICARS projects are required to undergo a risk assessment to help them prepare for potential problems, manage risk, and implement mitigation procedures. The risk management policy seeks to provide guidance and support in reaching project objectives and minimising vulnerability. It employs two tools to facilitate this process: A risk matrix and a risk register, and rates risks according to likelihood and potential impact.
2. Purpose
The policy establishes the steps for the management of risks faced by ICARS projects. The policy also establishes the process whereby ICARS reviews cumulative risk across projects.
3. Scope
This policy forms part of the ICARS project framework and applies to all activities and processes within and across with ICARS demonstration projects and other project-related activities.
4. Definition/ explanation
Risk: An unplanned event or condition that influences the project’s ability to reach its objectives.
Risk assessment: The systematic process of evaluating the potential risks that may be involved in a project activity or undertaking.
Risk matrix: A matrix used to gage the level of risk by visually depicting the likelihood of the risk occurring and the potential impact of that risk. See Appendix 1 for a risk matrix template.
Likelihood: A qualitative characterization of probability.
Impact: A qualitative characterisation of the consequence of an event.
Risk register: A log of all risks that could impact a project. Specifically, a risk register is a table that seeks to capture and track risks and contains all information relating to identified risk events, including a description of the risk, the owner of the risk, the impact of the risk, and the mitigation measures. See Appendix 2 for a risk register template.
Risk owner: The project team member in charge of managing and monitoring an identified risk.
5. Risk Management Process
The risk management process is initiated during the project proposal phase of the co-development process. It is an ongoing process, which is monitored throughout the project life cycle and includes the following steps:
a) Identify
A risk identification exercise must take place during the co-development of the project proposal. This exercise involves analysing the consequences and likelihood of potential risks, which can be done through various means including workshops, surveys, and brainstorming sessions. It is at this stage of the process that the project team should begin to develop the risk register (Annex 2). Risks can be categorised in various ways, which will change depending on the type of project being implemented. Some risk categories could include: Financial, Schedule, Infrastructure, Political, and Technological etc. Examples of specific risks may include Covid-19, delays, lack of commitment, insufficient budget etc.
b) Evaluate
The impact of all identified risks, the project team should be evaluated according to probability and impact. The risk matrix (Appendix 1) is a tool used to help measure the impact.
c) Prioritize
Each risk should be ranked according to the risk matrix created in the previous step. In other words, considering the likelihood of the risk happening and the potential impact on the project. This will help the project team direct their focus.
d) Respond
The next step is to decide on the particular response for each identified risk. The response should be tailored to the specific risk level (likelihood and impact) ensuring it is suitable and attainable. Risk responses include:
- Avoid:
This response involves avoiding the risk altogether by removing the activity that gives rise to the risk.
- Accept:
Accepting is a passive action, which involves taking on the risk by doing nothing and enduring the potential impact. This option should be used rarely and only in cases where the impact is minimal to nothing and where attempts to mitigate have been explored.
- Mitigate:
This response involves implementing measures to reduce the likelihood of the risk occurring and/ or reducing the severity of the impact it will have.
e) Monitor
The risk register should be monitored on a regular basis.
6. Responsibility
Risk management within the project is the overall responsibility of the in-country Project Coordinator, who is responsible for the development, coordination and monitoring of the risk management process. The Project Co-ordinator should, in addition, periodically review project activities to identify new risks if and when they emerge during project implementation. The Project Coordinator will work closely with the ICARS Advisor assigned to the project. The ICARS Advisor will inform the ICARS Executive Management of all major identified risks on a regular basis. See section 7 below.
Risk management on a programme-wide level is the responsibility of the Executive Management, who are responsible for reviewing the top risks across all projects in order to assess cumulative risk and balance overall risk portfolio. This should be in the form of a programme-wide risk register following the same process as above.
7. Reporting
The risk register will be the primary means of recording, reporting and monitoring risks within projects. The ICARS Executive Management will notify the Board of Directors of significant risk management issues within the ICARS projects and other project-related activities as well as the actions employed to manage the risks where appropriate. In addition, the ICARS Executive Management will inform the Board of Directors of all programme-wide risks. The following reporting process is in place:
- The Project Coordinator and their team will regularly monitor the risk register and update the response and risk likelihood as and when needed.
- The project team will maintain a “Top 10 Risk List” of those with the highest potential impact and the greatest probability of occurring. This list will be reported to the ICARS Advisor and is considered an element of the project status reporting process for each project.
- The ICARS Advisor will inform the Executive Management of those risks on a regular basis to get input and direction.
- The Board of Directors must be informed of identified major risks by the ICARS Executive Management at each board meeting. In addition, the Board of Directors must be informed of the top risks across all projects to assess cumulative risk.
8. Communication
All ICARS staff, ICARS project teams and the ICARS Board of Directors will be informed of the Risk Management Policy and training will be provided where necessary.
9. Policy Review
It is important to regularly assess the effectiveness of risk management strategies. As such a formal review of this Risk Management Policy will take place at least every two years. The review will be conducted by the Executive Management who will assess the Risk Management Policy according to its effectiveness in managing risk within a project framework as well as its integration with other ICARS processes. The results will be communicated to the Board of Directors and the policy will be amended where necessary.