Strengthening ITU Risk Management Framework - CWG-FHR Meeting Report
The document outlines the Risk Management Policy and Risk Appetite Statement adopted by the Council in 2017, defining ITU's approach towards strategic and operational risks. It addresses risk management in the context of strategic and operational planning, emphasizing key mitigation measures and roles and responsibilities of stakeholders involved in the process.
Presentation Transcript
Council Working Group on Financial and Human Resources
Tenth meeting, Geneva, 18 September 2019
Document CWG-FHR-10/8, 4 September 2019, English only

Strengthening ITU Risk Management Framework
Council Working Group on Financial and Human Resources (CWG-FHR), 27 August 2019
Risk Management Policy & Risk Appetite Statement (adopted by Council 2017)

Risk Management Policy (C17/74):
- Outlines the ITU approach towards strategic and operational risks
- Defines principles, risk categorization and assessment, monitoring and reviewing, and roles and responsibilities

Risk Appetite Statement (C17/73):
- Illustrates the amount of risk ITU is willing to take to attain its goals and objectives, e.g.:
  - High appetite for risks related to innovation and technological advancement
  - No appetite (i.e. zero tolerance) in the areas of fraud, corruption, illegal acts and misconduct
- Complements the ITU risk management policy
Risk Management in the context of Strategic and Operational Planning

ITU is addressing risk management in the context of the strategic and operational planning processes:
- PP-18 / ITU Strategic Plan 2020-2023: ITU strategic risks analysis; risk mitigation strategies
- ITU Council 2019 / ITU Operational Plans (for Sectors and the GS): ITU-wide operational risks; key risk mitigation measures; sector-specific risk analysis
- Plan next steps based on: Council discussions; IMAC recommendation; systematic risk management
Roles and responsibilities (based on the policy)

Risk owner
- Role: accountable for the management of the risk, having the highest interest in the risk being correctly treated, and has the right level of authority to treat the risk accordingly
- Responsibilities:
  - Accountable for the overall management of the risk, including when the risk is transferred
  - Decides on the risk mitigation measures
  - Allocates resources/budget for mitigation actions
  - Manages risk (re)assessment process
  - Manages risk reporting process

Risk management focal point
- Role: coordinates the risk management process within the respective Bureau or the General Secretariat
- Responsibilities:
  - Facilitates risk management within the Bureau or the General Secretariat
  - Maintains and updates the risk list
  - Consolidates and submits information for management review and risk reporting

Responsible person/unit for implementing a mitigation measure
- Role: implements the mitigation measure and reports on its implementation to the risk owner
- Responsibilities:
  - Implements the mitigation measure
  - Provides input for management review and risk list update

Senior management team
- Role: reviews risks on a regular basis and takes decisions related to risk management
- Responsibilities:
  - Regularly reviews risks, as part of the organization's business processes
  - Takes decisions on the implementation and review of the risk management strategy
Synergies with ORMS project
- Organizational Resilience Management System (ORMS)
- Business impact analysis based on the risk registers
- Assessment and prioritization of key business processes undertaken
- Need for alignment and creating synergies
Council 2019 on Risk Management
Council 2019 outcomes related to Risk Management
- Request to further develop the ITU risk model in the context of operational plans, the fraud case and the building project
- IMAC Report: IMAC will look into what is known as the Three Lines of Defence model in effective risk management and control, and the assignment of appropriate risk ownership. The Three Lines of Defence approach represents emerging good practice and is designed to ensure a simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties.
- Rec. 2/2019: IMAC recommends that the secretariat prepare a risk register identifying clear risk owners across Sectors, regions and the General Secretariat
- ITU management committed to support further developments of the ITU risk model and to improve governance and risk management
Developments at the UN level

HLCM had set up a Cross Functional Task Force on Risk Management, which produced a Reference Maturity Model for Risk Management built on six dimensions:
I. Enterprise Risk Management (ERM) Framework and Policy: the collection of policies, procedures and other documents that together describe how the organisation undertakes its risk management
II. Governance and Organisational Structure: sets out the internal risk governance structure, the appropriate delegated authority, roles and responsibilities, and organisational entities to assure the effective management of risk
III. Process and Integration: Process ensures that risks and opportunities that may affect the delivery of organisational results are effectively identified, assessed, responded to, communicated and monitored as per the ERM framework. Integration ensures that the interaction/interlinkages with related risk sub-processes or other organisational processes are clearly established.
IV. Systems and Tools: the IT components used to record, analyse, integrate and communicate/report on risk information
V. Risk Capabilities: the skills, ability, knowledge and capacity that an organisation has to effectively manage risks to delivery of its results
VI. Risk Culture: evidenced by the shared values, beliefs and behaviours of the staff and senior management, together with the organisation's demonstrated attitude to risk
Maturity Model for Risk Management in the UN system

Maturity levels: Level 1 Initial; Level 2 Developing; Level 3 Established; Level 4 Advanced; Level 5 Leading.

Progression by dimension, from Level 1 (Initial) to Level 5 (Leading):

ERM Framework & Policy:
- Fragmented/limited ERM framework
- Framework developed but not approved by appropriate authority
- ERM framework and risk appetite in place
- Escalation processes; ERM integrated in strategic planning
- All operational entities covered
- Risk scales for different levels
- ERM framework reflects RBM and addresses all operational elements

Governance and Org. Structure:
- Fragmented and informal structure
- Accountability for ERM is informal
- Risk governance structure (based on Three Lines of Defense) to oversee ERM
- ERM governance structure in place
- ERM Committee and entity to oversee it in place
- Fully integrated risk governance structure
- Chief Risk Officer
- Structure applied across all operations
- Accountability at each level

Process and Integration:
- Inconsistencies in methodology
- Limited process to assess, monitor and report
- Systematic process for risk assessment, response, monitoring, escalation and reporting
- Links between internal controls and risks / control effectiveness and risk assessment
- RBM and ERM fully aligned
- Optimized with pre-defined indicators
- Fully integrated risk and opportunity analysis

Systems and Tools:
- Risks recorded in various documents
- Manual risk assessment/response (spreadsheet)
- Consolidated risk register
- ERM monitoring and reporting capabilities
- Dynamic risk dashboards
- Financial risk modelling
- Semi-automated operations
- Advanced modelling, forecasting and scenario planning tools

Risk Capabilities:
- Risk competencies perceived to have little value
- Knowledge for certain managers
- Indicators presented to senior mgmt. annually
- Recognized mgmt. competency
- Accurate risk mgmt. information available
- Core competency for staff
- Dynamic risk information reports across organization
- Perfecting risk skills
- Dynamic dashboards across organization

Risk Culture:
- Limited commitment
- Partial consideration of risk factors
- Clear expectations; information systematically collected
- Risk mgmt. assessed in Staff Performance mgmt.
- Risk mgmt. integrated into strategic activities
- Systematically collect and communicate information
- Org.-wide awareness
- Dynamic risk information
- Learning from success and failures
Maturity Model for Risk Management in the UN system: current assessment and desired status
[Same maturity matrix as above, annotated with ITU's current assessment and desired status per dimension]
Recommended actions (from current assessment towards desired status)

ERM Framework & Policy:
1. All org. and operational entities involved (HQ, programmes, ROs)
2. Risk registers and org-wide scale levels (assessment and rating)

Governance and Org. Structure:
3. Setting up a risk governance structure
4. Staff accountability for managing risks

Process and Integration:
5. Establish systematic risk mgmt. process
6. Review internal control effectiveness against risks

Systems and Tools, Risk Capabilities and Risk Culture:
7. Develop org.-wide risk register and risk mgmt. dashboards
8. Strengthen capacity of staff to manage risks
9. Integrate risk management in Staff Performance Management system
10. Systematically communicate and report on risk information
Way forward
- Sep 2019: CWG-FHR feedback from membership
- By end of 2019: Review the ITU RM framework (incl. benchmarking with the UN model)
- By Council 2020: Develop a risk model incorporated into the ITU planning framework
- By Council 2021: Develop the plan and implement the new framework
- Review the framework and report to PP-22
- Throughout: status reports to IMAC, CWG-FHR and Council