2. Global Commitments –WVI
WVI will seek to deliver 50% of its humanitarian
aid through a multi-sectoral and multi-purpose
cash first approach by 2020, where context is
appropriate, such as in urban settings.
2019 achievements –WV Somalia
✓ 67% of the assistance was given through Cash
and Voucher compared to 33% assistance given
through food (in kind)
✓ $24.5 M value of C&V distributed to over
280,000 people
4. Enterprise Risk Management (ERM)
World Vision has adopted ERM
Enterprise Risk Management as a discipline is
designed to be a high-level “umbrella” to unify
all specialized forms of Risk Management (
Project, IT, Financial, insurance, security,
strategic)
4
5. Enterprise Risk Management Process
Establish the Context
Risk Identification
Risk Analysis
Risk Evaluation
Risk Treatment
Communication
And
Consultation
Monitoring
And
Review
6. 1. Establishing the Context
Internal context
• The social, cultural, political, natural environment
• E.g. PESTLE Analysis, Fraud/Corruption Index
• Community interviews, FGD, KIIs
• Internal Audits, Peer Reviews, security risk assessme
Child Protection risk assessments
• WVI ERM Policy
• WVI RM Framework
• Local / Industry Requirements
• Risk Appetite
• Risk Tolerance
• Risk Capacity
Defining risk criteria
External context
Context of the RM process
6
7. • There are two main sources for risk identification:
• Forward looking: what possibly could happen?
• Historic: what has already happened?
Scope of Risk Assessment
Context and culture
Programming
Finance
Contractual
Responsiveness/ readiness
2. Risk Identification
7
8. Project implementation is disrupted by insecurity
that makes it difficult to move and disrupts markets
Breach of fraud protection policies and standards
by staff, contractors and partners engaging in
fraudulent and corruption activities
Less assistance to the registered beneficiaries
due to pipeline breaks or due to technical
challenges resulting in beneficiaries not receiving
their stipulated rations.
Terrorism financing
Protection issues
Taxation of beneficiaries
Examples of Risks in WV Somaia
8
9. Purpose:
• Risk Analysis is the process by which we comprehend the
nature of risk and to determine the level of risk. Another
way to say this is risk is a combination of:
• The Impact of an event if it were to occur and
• The Likelihood of that event occurring at that magnitude
3. Risk Analysis
9
10. Purpose:
To determine if a risk is acceptable or unacceptable
Assists in making decisions, which areas are in need of the
most attention?
Identify Key Controls, and assign the cumulative set of
Controls a “Control Effectiveness Rating.”
4. Risk Evaluation
10
11. Guideline for Impact Rating: Sample impact ratings across different dimensions. (A risk can have an impact on
multiple dimensions, use these as a guideline to select one overall impact rating.)
Rate Impact Operational People Financial Reputation
5 Critical
Extreme impact on
operations and ability to
achieve ministry objectives
on a longterm basis.
Recovery may not be
possible.
Multiple fatalities or
permanent total
disabilities from an
accident or occupational
illness.
Direct loss >
$3 million
Partnership-wide
international impact:
International public &
media attention
4 Severe
Major impact on operations
and ability to achieve
ministry objectives and
outcomes on a medium
term basis. Difficult
recovery.
Single fatality or
permanent total
disability from an
accident or occupational
illness
Direct loss
$250k - 3
million
Regional impact:
Negative regional
public and media
attention
3 Moderate
Moderate impact on
operation ability to achieve
ministry objectives. Medium
duration, and ability to
recover.
Major injury or health
effects (absences,
irreversible health
damage chronic
condition)
Direct loss of
$25k - 250k
National impact:
Considerable negative
public and media
attention
2 Minor
Minor impact on operations
and ability to achieve
outcomes. Short duration,
no long term impact.
Recovery possible.
Minor injuries or health
effects (restricted work
case or lost time).
Limited reversible health
effects.
Direct loss of
$5k - $25k
Localized impact:
Some local public
attention, some local
media attention
Minimal impact to
operations and ability to Slight injury or health
Slight impact: Public
Risk Evaluation: Impact
11
12. Guideline for Likelihood Rating: The potential for problems to occur at The
impact level identified.
Rating Likelihood
5 Certain Happens often
Could occur within days to
weeks
4 Very Likely Could easily happen
Could occur within weeks to
months
3 Likely
Could happen, has
happened before
Could occur within a year or
so
2
Moderately
Likely
Has not happened, but
could
Could occur after several
years
1 Unlikely
Conceivable but only in
extreme circumstances.
A 100-year event
Risk Evaluation: Likelihood
12
13. Control Effectiveness Rating Scales
Rating Guidelines
Fully Effective
Requires no further action beyond monitoring current controls in
place. Controls are well designed for the risk and address the root
causes. Management believes they are effective and reliable at
all times.
Substantially
Effective
Most controls are designed correctly, are in place, and are
effective. Some more work could be done to improve operating
effectiveness. -OR- Management has doubts about operational
effectiveness and reliability.
Partially Effective
While the design of controls may be largely correct in that they
treat most of the root causes of the risk, they are not currently
very effective - OR- Some of the controls do not seem correctly
designed in that they do not treat root causes; those that are
correctly designed are operating effectively.
Largely Ineffective
Significant control gaps exist. Either controls do not treat root
causes or they do not operate effectively.
Totally Ineffective
Virtually no credible controls exist. Management has no
confidence that any degree of control is being achieved due to
poor control design and/or very limited operational effectiveness.
Risk Evaluation: Control
Effectiveness
13
14. • World Vision conduct block party screening (BPS) on all transactions
where funds are spent
• Airlifting or use of contracted transporters to deliver the supplies/
equipment in areas with accessibility challenges
• WV conduct annual partner capacity assessment and carry out capacity
development alongside regular review of partner project and financial
documents. These partners cover the areas where WV cannot implement
directly
• Policy enforcement to zero fraud, regular documents review
• Third party Monitors engaged to support in hard to reach/ Insecure areas
• Back ground checks on all and potential employees and vendors/ partners
• Humanitarian Accountability Partnership (HAP) /Complaint Response
Mechanism training for WV/communities to help community give their
feedback/complaints
• Continuous community sensitization
• Aging analysis of invoices, follow up of long outstanding invoices
• Market assessments on prices and availability of goods in the markets
• Post Distribution monitoring
Examples of controls in Somalia
14
15. Purpose:
• This is where Risk Management turns into action, and ultimately creates
value to the organization.
Examples of Risk treatment
• Regular engagement with WV regional ofiice and support
offices on the changing context
• Quarterly partnership meetings with donors to review the
projects progress
• Staff and partners training on quality registration
The results of the risk assessments, including controls and
treatment plans, are recorded in a risk register.
5. Risk Treatment
15
16. Risk Category Risk Title Description of Risk Inherent Risk Rating Controls Control
Effectiveness
Net Risk Rating Risk Owner Risk
Treat
ment
(Select One Category under
Tab 2)
(Select one Title under the category
chosen on Tab 2)
Describe the Risk following this model: "Something
happens…impactingsomething…causedby something."
Impact:
1 =
Negligible
2 = Minor
3 =
Moderate
4 =
Significant
5 = Critical
Likelihood:
1 = Unlikely
2 =
Moderately
Likely
3 = Likely
4 = Very
Likely
5 = Certain
Risk Rating
(Impact x
Likelihood)
See Tab 3
List all systems,processes, and controls in place to prevent
this risk from occurring or reducing it's impact.
Rate the total effectiveness
of all controls for each risk
(see Tab 4)
Impact:
1 =
Negligible
2 = Minor
3 =
Moderate
4 =
Significant
5 = Critical
Likelihood:
1 = Unlikely
2 =
Moderately
Likely
3 = Likely
4 = Very
Likely
5 = Certain
Risk Rating
(Impact x
Likelihood)
See Tab 3
(Person responsible
for Risk item)
List Ref#
of the
applicable
Risk
Treatment
Conclusion
s from Tab
5 that
apply to
each Risk.
LEGAL,
REGULATORY &
COMPLIANCE
Non-compliance with
external / country
laws and regulations
WV Xanadu gains registration status
but due to various restrictive
government requirements on
registration, WV Xanadu faces
challenges in maintaining its current
mode of operation in Xanadu, leading
to unsustainable WV programming at
ADP level.
4 4 16 1. Change in Operating models from
direct management of ADP to working
through local partners within WV
Development Programming Approach
(DPA) contextualized to Xanadu
context in line with local legislation.
3. Partially
Effective
4 3 12 SLT,
including
ND Jose
Garcia and
Ops
Director
Julia Brown
#1
HUMAN
RESOURCES
Insufficient
recruitment,
retention, and
succession of key roles
Due to unattractive remuneration
when compared with technical
qualifications required and limited
recruitment efforts, staff recruitment
does not reaching the manpower
plan, leading to many departments
unable to achieve their operations as
planned.
5 4 20 1. Engage Universities and churches
for recruitment
2. Engage with other NGOs to find
suitable candidates
3. Internal recruitment
3. Partially
Effective
3 4 12 P&C
Director,
John Smith;
P&C
Manager
Maria
Juarez; and
Payroll
Department
Manager,
Grace
Okeke
#2
FINANCE Financial losses due to
fraud and corruption
(refer to fraud and corruption)
Due to the structure at the project-
level and non-segregation of roles and
responsibilities between accountant
and finance officers, there is a risk of
fraudulent behavior of our staff,
which has a negative impact to our
organization, including reputational
damage and loss of trust and
reduction of donation in addition to
untrustworthy staff and declining
office morale.
4 4 16 1. Corruption reporting channels are
in place
2. Project disbursement needs to be
reviewed and approved by IPM
3. Bookkeeper randomly reviews
accounting and financial activities
4. Regular Internal audits
5. Financial and resource reports to
the board
6. Board Stewardship Committee
meet quarterly
3. Partially
Effective
3 3 9 Finance and
Accounting
Manager,
David Jones
#3
Sample of a Risk Register
16
17. • Risks are always changing, either through Risk treatment activities or
through changing environments, and therefore this step is essential to
good risk management.
• The risk management committee update the risk register regularly
(Quarterly), and agree on which of the risks should be reported to
Snr. Management and/or the Board.
• Identify and prioritize new risks and take into account the changing
context.
6. Monitor and Review
17
18. Purpose:
• Helps to establish the context appropriately
• Takes place during all stages of the risk management
process
• Stakeholders interests understood & considered
• Risks from all areas of the organization are identified
• Bring expertise together for risk analysis
• Ensure different views are considered when defining risk
criteria and in evaluating risks
• Secure support for risk treatment plans
• Utilize process for team & capacity building
7. Communication and Consultation
18
19. In Practice:
• Consult with Senior management to secure support for the
ERM program
• Engage management from all major operational areas, on
the Risk Committee to ensure their input and risks are
captured in the process
• Listen to your stakeholders, and adapt your program as
necessary to be relevant to your office context! RM is not
useful if we don’t have engagement and partnership.
Communication and Consultation, cont.
19
20. Conclusion - Key Elements
People:
• Risk Primes – One in every office (national,
Regional, Global)
• Management – Risk Owners/”Clients”
• Board Members – Holds Management responsible
for managing risk in line with policy.
Committees:
• The Risk Committee – Oversees the process of Risk
Management. Ensures it’s success, acts on behalf of
management.
Processes:
• The Risk Assessment
• Risk Reporting
• Risk Escalation 20
22. Recommendation on Risk Management
• Have a risk framework
• Have tools for use for in risk management
• Regular monitoring
• Continuous consultation with community and other
stakeholders
• Escalation mechanism from the field office to the
global level
• Have resources for personnel
22