In its annual report for 2016, the Office of the Inspector General (OIG) said that although significant gaps remain, distinct progress is being made across the six key areas of the risk architecture (see figure below).
We reported on this briefly in GFO #311 in our article on five significant themes that emerged from the OIG’s work in 2016. In the present article, we take a closer look at what the OIG had to say about how the Global Fund has managed risk.
Editor’s note: On 16 May 2017, the OIG published a report on an audit it has conducted on Global Fund risk management processes. We plan to publish an article on the audit report in the next issue of GFO.
Figure 1: How the Global Fund is performing in the six key components of the risk management architecture
Source: Office of the Inspector General 2016 Annual Report
The balance of this article follows the structure used in the above figure.
According to the OIG, the Global Fund is moving in the right direction with respect to risk governance at both Board and Secretariat levels. The charters of the new standing committees adopted in 2016 articulate their specific areas of risk accountability and the scope of their mandate (i.e. oversight, decision-making or advisory). The discussion of risk is now a standing agenda item at Board and committee meetings. The Chief Risk Officer regularly updates the Board and its committees on key risk areas and provides an annual risk assurance statement to the Board.
Nevertheless, the OIG said, two areas of risk governance still require significant improvement: (a) accountability and processes for oversight of cross-cutting risk areas; and (b) risk appetite and tolerance.
Accountability and processes for oversight
Unlike organizations that have a dedicated risk committee within the Board structure, the OIG said, the Global Fund model allocates specific risk areas to different committees based on their mandate. This approach is appropriate in the context of the Fund’s business model, the OIG added, but it also presents a challenge because many significant risks faced by the organization straddle functional boundaries (e.g. procurement and supply chain, challenging operating environments, low absorption).
Risk appetite and tolerances
The OIG stated that the Board has generally shied away from risk appetite discussions. This is partly because of the lack of common understanding of the concept, the OIG said, and partly because of a concern that articulating specific appetites for risks may send the wrong signal that the organization is willing to accept certain losses or failures. This often leads to inconsistent risk-taking as individual judgment or perceptions replace institutional norms and guidance.
2. Risk culture
Both the Board and executive management are setting the right “tone at the top” by emphasizing the importance of effective risk management to the success of the organization, the OIG stated. There has been a significant increase in resources allocated to the risk management function, as well as meaningful changes in operational procedures “to give presence and voice to the risk function in the operational decision-making process.”
Nevertheless, the OIG said, key elements of building an effective risk culture are still at an early stage. Although the value of risk management is increasingly being acknowledged across the organization, the OIG added, there remains a widespread perception (although a false one) that there is an inherent contradiction between practicing risk management and ensuring compliance, on the one hand, and operational efficiency and speed of business, on the other. “Although this culture is evolving,” the OIG said, “a key to shifting it meaningfully will be through incentive mechanisms and performance management frameworks that reward good risk-taking, effective risk management and sound control compliance, as much as it recognizes excellence in operational delivery.”
3. Foundational components
According to the OIG, over the past two years the Global Fund has made several important improvements in its risk policy framework. The Board has approved a Risk Management Policy which, among other things, defines responsibilities for risk oversight and provides a high-level framework for risk differentiation. At the Secretariat level, the OIG said, an operational policy note (OPN) was approved in 2016 which outlines the overall objectives of risk management of grants, lays out driving principles to embed risk management in the grant lifecycle, and outlines accountability and key processes for risk identification, mitigation, assurance and reporting.
Editor’s note: The full title of this OPN is “Risk Management Across the Grant Lifecycle.” Finding specific OPNs on the Global Fund website can be tricky. First, you need to search for “Operational Policy Manual.” Within the manual, the quickest way to find the OPN on risk management is to search for this phrase: “identification, mitigation” (without the quotes).
The next step, the OIG explained, is for the Global Fund to articulate a common language for risk and to develop consistent methodologies. Fundamental concepts such as risk categories, inherent and residual risks, risk tolerances, and ratings scales need to be defined in a consistent manner, and need to be understood relatively clearly by all risk actors across the organization. “Such a common understanding is still lacking in the Global Fund,” the OIG said.
As for methodologies, the OIG stated, risk and assurance workshops have been useful in framing a structured dialogue around risk assessment using a common set of tools and approaches. “However, as the methodology and related practices are new, the Secretariat has not yet formally evaluated lessons learned from these pilots, refined the process and methodologies, and more importantly, embedded the approaches to risk identification and mitigation in a consistent manner.”
4. Processes and practices
The OIG said that the OPN has clarified the roles and responsibilities for risk management in the grant lifecycle: Country teams have primary responsibility for risk identification and management; global risk owners provide technical advice on risk identification and prioritization in their respective functional areas; and the Risk Department provides overall coordination and oversight. “With policies and standards now in place, methodologies are being instituted, roles and responsibilities are being clarified, and overall processes to identify and mitigate risks are increasingly being formalized.”
However, the OIG said, several improvements are needed. Risk identification remains a relatively static process at specific milestones of the grant cycle, such as during grant-making, rather than a dynamic ongoing process informed by real-time performance feedback throughout the life of the grant. In addition, the OIG believes there is room to significantly improve mitigation measures, the ownership and accountability for their implementation and the monitoring of their progress.
Finally, the OIG said, the lack of clearly articulated risk appetite and tolerance is a limiting factor in the effectiveness of current risk management practices. The Secretariat has acknowledged this gap, the OIG said. Work has recently been initiated by the Chief Risk Officer to begin articulating a risk appetite framework, starting with key risk areas such as supply chain, challenging operating environments, and sustainability and transition.
5. Monitoring and reporting
Since 2013, formal risk reporting tools have been developed, including a Corporate Risk Register and an Operational Risk Report, the OIG said. Risk presentations are now made at every Board meeting.
However, the OIG added, risk reporting remains relatively fragmented, often without a clear articulation of the linkages among related sources such as the Corporate Risk Register, the operational risk reports, Prioritized Action Plans, OIG risk-related reports, and individual updates on various initiatives. “As the organization strengthens its risk management, increasing consideration should be given to designing an integrated risk reporting framework that brings together these disparate elements and provides the Board with a holistic view of risk across the organization,” the OIG stated.
Global Fund assurance mechanisms are still largely concentrated on fiduciary risks, in large part as a reaction to low donor tolerance for financial misuse, the OIG said, while assurance over key programmatic risks remains weaker and insufficiently prioritized.
6. Risk tools
Multiple operational risk tools have been developed over time to assess and track risks in the portfolio of grants – for example, the Qualitative Risk Assessment, the Action Planning and Tracking Tool (QUART), the Capacity Assessment Tool, and the Risk Dashboard. Although each of these tools serves a different and valid purpose, the OIG stated, “this proliferation has also led to analytical fragmentation, overlap, sometimes inconsistent assessments, and passive resistance on the part of frontline teams frustrated by the significant administrative burden of what is often perceived as low-value-add form filling.”
An integrated risk tool is being developed as part of the Accelerated Integration Management (AIM) project, and is expected to be rolled out during 2017.
The Office of the Inspector General 2016 Annual Report, Document GF-B37-12, should shortly be available at www.theglobalfund.org/en/board/meetings/37.