Beruflich Dokumente
Kultur Dokumente
Risk Management
With the current global debate on making international development more effective, risk
management is becoming increasingly important.
This briefing note provides a view on risk management within the broader MfDR agenda. It
should contribute to more effective (and efficient) management of risks and as such to
increased effectiveness of development interventions.
The document provides definitions of risk management, presents some key characteristics and
explains a framework for risk management.
Page 1 (10)
Joint Learning Event on
Managing for Development Results
Defining only one good practice or can be wasted in dealing with risk that is
standard of risk management for not likely to occur. Spending too much time
development interventions is nevertheless assessing and managing unlikely risks can
not attainable. This is because the divert resources that could be used more
methods, definitions and goals vary widely beneficially. Prioritizing the risk
intrinsically and according to the context in management processes too highly could
which risk management is applied. In the keep an organization from ever completing
private sector alike, several risk a project or even getting started. This is
management standards have been especially true if other work is suspended
developed over the years. until the risk management process is
considered complete.
Some key characteristics of risk
management Pre-conditions: the following successful
applications prevail:
Use: it helps managers and policy makers - a demonstrated commitment to
in the process of identifying and controlling public accountability;
the exposure to risk of an intervention or - limited political interference in
activity. It also helps in the communication management decisions;
about risks, either to raise concern or to - an incentive structure that
prompt action; encourages public servants to
operate in the public interest;
Strength: is the systematic evaluation of - a degree of stability in staffing.
risks relating to planned activities in terms
of probability (of a threat or event actually Cultural aspects: International studies
happening) and its impact. This makes point to the fact that differences in culture,
informed choices about taking risks national as well as organizational cultures,
possible. It puts off a general tendency of do matter.
not admitting that risk is involved. Identified Some societies or organizations are
risks can be allocated to the strongly avoiding uncertainties. Uncertainty
individual/entity best placed to deal with it, avoidance is the extent to which the
so that prompt action can be undertaken in members of a society feel threatened by
the event of; uncertainty or unknown situations.
Societies with strong uncertainty avoidance
Risk Measurement: Risks are generally tend to avoid or prevent risks. Societies
measured by impacts times (x) probability. with low uncertainty avoidance often
Some types of risk, such as financial, can promote taking risks and challenging
be evaluated in numerical terms. Many activities are highly appreciated.
others can only be evaluated in subjective
ways. Also, any interdependencies or other High uncertainty avoiding organisations are
factors outside the immediate scope of the very much process oriented and function
risk analysis should be taken into like a closed normative system. Managers
consideration; should have all the answers, emotional
need for rules, inner urge to work hard,
Limitations: are that risk management is resistance to innovation, motivation by
to a large extent based on human security and esteem or belongingness,
estimates and decisions (and therefore belief in experts and specialisation.
often lacks consistency). When deficient While the organisations with weak
knowledge or experience are applied to a uncertainty avoidance are more result
situation, a risk may be entirely overlooked oriented and function as an open pragmatic
or under-, overestimated. Also, if risks are system. Managers may say they dont
improperly assessed and prioritized, time know the answer; there should be no more
Page 2 (10)
Joint Learning Event on
Managing for Development Results
rules than strictly necessary, hard working makes cost-effective use of its risk
only when needed, tolerance for deviant process.
and innovative ideas and behaviour, 3. For the effective management of risks a
motivation by achievement and esteem or Risk Management Framework needs
belongingness, belief in generalists and to be developed. The framework
common sense. (Geert Hofstede, 1991. provides decision making processes
Cultures and Organisations: Software of that are understood by all involved and
the mind. McGraw-Hill, London) which are supported by the framework
of risk analysis and evaluation. The
These cultural dimensions are of course framework sets out the rules for: In the
critical in considering Managing for box below details are given about the
Development Results in general and risk management framework.
management of risks in particular.
A. Identifying risks and categorizing risks
Capacity: Another significant factor seems B. Assessing their probability and potential
the level of capacity, particularly at mid and impact
lower management levels to identify and C. Quantifying risks (not necessarily
financially)
analyse risks as well as to manage the
D. Deciding on how to deal with risks
relevant risks properly. E. Making decisions on risk management,
such as further risk reduction
F. Implementing decisions about risk
Guiding principles how to manage risks G. Evaluating how effectively risks are
managed
Obviously, as explained above, risk H. Communication about risks
management should be an integral part of I. Engaging stakeholders throughout the
Managing for Development Results. process
Coming to effective risk management, a
series of well defined steps are developed A framework for management of risk sets
to support better decision making regarding the context in which risks will be identified,
risks, the so called Risk Process. assessed, controlled, monitored and
reviewed. It must be seamlessly integrated
1. The first phase in this process is about with everyday management and
identifying risks and making a Risk operational practices.
Analysis. It involves the identification
and systematic evaluation of all risks to Below the different practical steps of the
prevent the achieving of the results. Risk Framework will be further elaborated:
Risk analysis is carried out during the
planning stage or so-called design A. Identifying and Categorizing Risks
phase of an intervention.
2. Once identified and assessed, risk can Risk identification means establishing
be managed. This second phase in the exactly what is at risk for example,
process is called Risk Management. It agreed activities cannot be completed
is about identifying and implementing within the planned timeframe or budgets
ways to ensure that the risks identified are at risk of being overrun or withdrawn.
do not prevent or adversely impact the Risk has to be considered in a variety of
outcome of the activity. Important is to forms during the life cycle of an
be aware that risks may change over intervention.
time and new risks may occur. So risk
management should be regarded as a A risk analysis or assessment is generally
continuous process. However, it is comprised of two separate parts, that of
important to ensure that an organization Framing and Forecasting.
Page 3 (10)
Joint Learning Event on
Managing for Development Results
Page 4 (10)
Joint Learning Event on
Managing for Development Results
To achieve benefits and To achieve and demonstrate true To avoid the impact of failure
exploit opportunities, governance and address other (perceived or actual) through
including incorporation (policy) guidelines material, reputational, financial,
of lessons-learned environmental, social, quality
loss
To adapt to changes in
sector / beneficiairies needs Delivering Results To demonstrate
conformance to best
practice and
To maintain operations standards
continuity and delivering
results through adversity To comply with legal and
To control development of regulatory standards
new approaches and methods
To manage external through appropriate To manage
changes in culture, procurement and contractual partnerships, suppliers
political environment arrangements and ongoing
etc. performance delivery
Risk categories:
- External (e.g. environmental factors, political, societal factors)
- Financial (e.g. economic, financial, sectoral)
- Activity (e.g. technical, operational, infrastructure, legal,)
- Human Resources (e.g. organisational management, human factors)
Figure 1: Areas/categories where risk can be
encountered and needs to be managed
Page 5 (10)
Joint Learning Event on
Managing for Development Results
Risk Matrix
Probability of occurrence
Very seldom
Improbable
12131.042
D and E. Deciding on how to deal with Treat the risk by taking corrective
risks / risk response planning actions to reduce the probability or
impact of the risk. By far the greater
Once a risk assessment has been number of risks will belong to this
undertaken, or when it is being reviewed, it category. The purpose of treatment is
is important to develop actions that will be not necessarily to obviate the risk, but
put in place on how to best respond to risks more to contain it at an acceptable
that have been identified. Responses can level.
be developed in four ways: Terminate the risk by doing things
Transfer the risk or some aspect of risk differently thus removing the risk where
to the party best placed to manage it. it is feasible to do so.
This might be conventional insurance,
or by supporting a third part to take the For each risk it is to be decided which
risk in another way. response is most appropriate. Criteria that
Tolerate the risk, because the ability to are used to assess the responses are:
do anything about some risks may be effectiveness, efficiency, minimization of
limited or nothing can be done at a external side-effects, sustainability etc. For
reasonable cost to mitigate it. This this phase the term Risk appetite is
course of action is common for large relevant.
external risks, but they must continue to Risk appetite is the amount of risk to which
be tracked. Tolerance levels the organization is prepared to be exposed
determining how much risk can be before it judges action to be necessary. All
taken need to be set out and should identified risks have to be documented in a
inform the decisions made. so called risk register. It provides the
Page 6 (10)
Joint Learning Event on
Managing for Development Results
basis for prioritization, action, control and G. Reviewing and evaluating how
reporting. The Risk Register must be effectively risks are managed
continually updated and reviewed A crucial component of effective risk
throughout the lifecycle of a development management is the review and the
intervention. evaluation. The regular reviewing and
evaluation of the risks should be an integral
F. Implementing decisions about risk part of each monitoring and evaluation
One of the most important steps of system of the intervention. Risk
implementing risk management is the management strategies should be
definition of the roles (and, if possible, assessed to determine how well risks have
named individuals) who are responsible, been managed, whether risks have actually
called Risk owner. A risk owner is a role or been identified and how effectively they
individual who is in a position to manage were treated. Recent studies have shown
the risk and ensure its control. Risk owners that there may be tendency to neglect the
can be internal or external to the proper management of risks. In risky
intervention situations there is often need to rush to find
quick solutions. There is a crucial need for
When managing risk one should also more systematic ex post evaluation, so that
consider the cost implication. The cost lessons learned can put in place new
should be accounted for separately from intuitions and methodologies for risk
the main program, setting aside a so-called assessment and management. A properly
risk allowance. This is a budget specifically maintained risk register should help here.
for the cost of managing risk, which The details in the register can be used to
includes: Development, maintenance and track and monitor the successful
dissemination of the risk policy, creation management as part of the activity to
and maintenance of the supporting deliver the required, anticipated benefits.
infrastructure for use across the Also quality assurance arrangements need
organization, development and/or to be established to ensure that risk
acquisition of relevant skills (including management reflects current good practice.
training) and loss of capability while
implementing.
Page 7 (10)
Joint Learning Event on
Managing for Development Results
Define a framework
Page 8 (10)
Joint Learning Event on
Managing for Development Results
Page 9 (10)
Joint Learning Event on
Managing for Development Results
- What are the key external and - Identify the risk you are or expect to
internal risks to our objectives? encounter.
- What is the impact and probability - Break the risks into different
of each risk? categories (such as external,
- Do we understand the financial, activity, human resources
interdependencies between risks? and also internal and external)
- Have we taken a long-term view, to - Set the risks into a risk matrix.
identify possible future risks? - Set the risks in a context of
- Who is the risk owner for each risk? opportunity so costs and benefits or
- How much of this risk can be payoffs can be examined together.
tolerated? - Sort the risks according to their
- Have we a clear way to report on importance (criticality).
the risk especially if it starts to - Evaluate the risks to establish 1)
escalate? the probability of those risks
- Have new risks emerged that occurring, 2) their potential impact
should be added to the risk matrix and 3) your attitude to those risks in
(and added to the risk strategy)? terms of willingness to accept them
- Has the probability of the risk or not.
occurring changed?
- Has the likely impact of the risk on
the policy altered?
- Should any changes be made to
plans or management strategies to
address the risk?
- Should the risk category of the
policy be altered?
- What is our overall exposure to
risk?
Page 10 (10)