ICARS Project Risk Management Policy
Approved by the Board of Directors, 14 October 2024
1. Introduction
ICARS is committed to ensuring that all projects limit the potential risks and their impact to ensure successful project implementation. Therefore, all ICARS projects are required to undergo a risk assessment to help them prepare for potential problems, manage risk, and implement mitigation procedures. The risk management policy seeks to provide guidance and support in reaching project objectives and minimising vulnerability. It employs two tools to facilitate this process, a risk matrix and a risk register, and rates risks according to likelihood and potential impact.
2. Purpose
The policy establishes the steps for the management of risks faced by ICARS projects. The policy also establishes the process whereby ICARS reviews cumulative risk across projects.
The policy complements several other ICARS policies that further strengthen our risk management efforts. Among these are the Organisational Risk Management Policy, which provides overarching risk management guidance at the organisational level, and the Whistleblowing Policy, which enables ICARS staff as well as ICARS partners to report unethical or illegal practices that may pose risks. Additionally, the Anti-bribery, Fraud, and Corruption Policy safeguards the reputation and financial viability of ICARS through improved management of bribery, fraud and corruption risk, while the Standard Operating Procedure (SOP) for Quarterly Project Performance Reviews provides a structured process for internal assessment and mitigation of risks throughout the project lifecycle. Together, these policies create a comprehensive framework for managing risks and enhancing the resilience of ICARS and ICARS’ projects.
3. Scope
This policy forms part of the ICARS project framework and applies to all activities and processes within and across ICARS Implementation and Intervention Research projects and other project-related activities.
4. Definition/explanation
Risk: An unplanned event or condition that influences the project’s ability to reach its objectives.
Risk assessment: The systematic process of evaluating the potential risks that may be involved in a project activity or undertaking.
Risk matrix: A matrix used to gauge the level of risk by visually depicting the likelihood of the risk occurring and the potential impact of that risk. See Appendix 1 for a risk matrix template.
Likelihood: A qualitative characterisation of probability.
Impact: A qualitative characterisation of the consequence of an event.
Risk register: A log of all risks that could impact a project. Specifically, a risk register is a table that seeks to capture and track risks and contains all information relating to identified risk events, including a description of the risk, the owner of the risk, the impact of the risk, and the mitigation measures. See Appendix 2 for a risk register template.
Risk owner: The project team member in charge of managing and monitoring an identified risk.
5. Risk Management Process
The risk management process is initiated during the project proposal phase of the co-development process. It is an ongoing process, which is monitored throughout the project life cycle and includes the following steps:
a) Identify
A risk identification exercise must take place during the co-development of the project proposal. This exercise involves analysing the consequences and likelihood of potential risks, which can be done through various means such as workshops, surveys, and brainstorming sessions. It is at this stage of the process that the project team should begin to develop the risk register (Annex 2). Risks can be categorised in various ways, which will change depending on the type of project being implemented. Examples of risk categories are: Financial, Schedule, Infrastructure, Political, Technological, etc. Examples of specific risks may include Covid-19, delays, lack of commitment, insufficient budget, etc.
b) Evaluate
The impact of all identified risks should be evaluated according to probability and impact. The risk matrix (Appendix 1) is a tool used to help measure the impact.
c) Prioritise
Each risk should be ranked according to the risk matrix created in the previous step, in other words, by considering the likelihood of the risk happening and the potential impact on the project. This will help the project team direct their focus.
d) Respond
The next step is to decide on the particular response for each identified risk. The response should be tailored to the specific risk level (likelihood and impact), ensuring it is suitable and attainable. Risk responses include:
- Avoid: This response involves avoiding the risk altogether by removing the activity that gives rise to the risk.
- Accept: Accepting is a passive action, which involves taking on the risk by doing nothing and enduring the potential impact. This option should be used rarely and only in cases where the impact is minimal and where attempts to mitigate have been explored.
- Mitigate: This response involves implementing measures to reduce the likelihood of the risk occurring and/or reducing the severity of the impact it will have.
e) Monitor
The risk register should be monitored on a regular basis.
6. Responsibility
Risk management within the project is the overall responsibility of the in-country Project Coordinator, who is responsible for the development, coordination and monitoring of the risk management process. The Project Coordinator should, in addition, periodically review project activities to identify new risks if and when they emerge during project implementation. The Project Coordinator will work closely with the ICARS Advisor assigned to the project. An annual review of the risk register—focused on identifying emerging risks and evaluating previously recognised risks—is mandatory for all ICARS projects. The ICARS Advisor will inform the ICARS Science Director of all major identified risks on a regular basis. See section 7 below.
Risk management on a programme-wide level is the responsibility of the Executive Management, who are responsible for reviewing the top risks across all projects in order to assess cumulative risk and balance the overall risk portfolio. This process is carried out through the Standard Operating Procedure (SOP) for project performance reviews, ensuring that cumulative risks are systematically identified, evaluated, and effectively managed.
7. Reporting
The risk register will be the primary means of recording and monitoring risks within projects. Additionally, the “challenges section” in the regular narrative progress reports to ICARS will be the main channel for reporting project-specific risks, challenges, and the corresponding mitigation actions implemented by country teams.
ICARS Executive Management will notify the Board of Directors of significant risk management issues within the ICARS projects and other project-related activities as well as the actions employed to manage the risks where appropriate. In addition, the ICARS Executive Management will inform the Board of Directors of all programme-wide risks. The following reporting process is in place:
- The Project Coordinator and their team will regularly monitor the risk register and update the response and risk likelihood as and when needed.
- The project team will maintain a risk register of those risks with the highest potential impact and the greatest probability of occurring.
- The ICARS Advisor/Officer will inform the Science Team Lead and/or the Science Director of those risks regularly, either through the regular project performance reviews or other appropriate channels, to get input and direction.
- The Board of Directors must be informed of identified major risks by the ICARS Executive Management at each board meeting. In addition, the Board of Directors must be informed of the top risks across all projects to assess cumulative risk.
8. Communication
All ICARS staff, ICARS project teams and the ICARS Board of Directors will be informed of the Risk Management Policy and training will be provided where necessary.
9. Policy Review
It is important to regularly assess the effectiveness of risk management strategies. As such, a formal review of this Risk Management Policy will be conducted every two years. The review will be conducted by the Executive Management, who will assess the Risk Management Policy according to its effectiveness in managing risk within a project framework as well as its integration with other ICARS processes. The results will be communicated to the Board of Directors and the policy will be amended where necessary.