GLOSSARY
Risk management is the process of identifying, prioritizing, and responding to risks across an organization. Risk management includes activities to realize opportunities while mitigating threats.
Risk is a potential event or occurrence beyond the control of the responsible Budget Centre, which could affect the achievement of the Organization’s stated results. It is an expression of the likelihood that such a potential event or occurrence may happen and of the impact it may have.
Impact is the consequence of a risk event materializing.
Probability is the likelihood that a risk will occur (per year).
Risk criticality is a function of risk impact and probability (impact * probability).
Risk appetite is the amount of risk WHO as an Organization is willing to take on in pursuit of its mission and objectives, based on risk criticality and proportionality (i.e. effort invested in risk treatment must be proportional to criticality and expected benefit). It varies for different types of risk.
Risk acceptance is the amount of risk that a Budget Centre is willing to take at the individual risk level, within the risk appetite of the Organization. Risk acceptance thresholds are determined for the most critical risks for which action is required.
Risk response includes the decisions made to bring the level of criticality of a given risk within the risk acceptance level. The Organization can make the decision to respond to a risk by either tolerating it, treating it (mitigating, transferring, or terminating), or exploiting it.
Approval authority is the organizational entity with the level of delegated authority required to make a decision on the risk response required for a given risk.
Risk Register is a repository or risk log of identified risks by Budget Centre/Country Office, which includes priority ratings, escalation level and risk response strategy.
This policy is based on the framework presented to WHO governing bodies in 2013 [2]. Risk management is not a new concept in WHO; it has been practised notably with the introduction of results-based management and of the Programme Budget (PB) since 2002-2003, the Medium Term Strategic Plan (MTSP) 2008-2013, the 2006 accountability framework and its 2015 revision [3], and the consideration of business continuity plans in the management and administration of Budget Centres (BCs). There has, however, thus far not been a systematic corporate risk management process that goes beyond the risks connected to PB outputs to encompass all aspects of WHO operations. The Office of Compliance, Risk Management and Ethics (CRE) was established with a clear mandate to develop such a mechanism. This policy builds upon and integrates WHO’s existing risk management practices into a consistent corporate policy. It also leverages leading current risk practices in other organizations, particularly within the UN system.
1 Introduction: Purpose and objectives
Risks arise out of uncertainty in all aspects of operations and management: they are a matter of fact in all spheres of human activity. While some risks must be avoided, others may need to be taken in order to effect change. In some cases, not taking a risk may even be the highest risk. To enable WHO to make forward-looking rather than reactive decisions, this corporate risk management policy provides a mechanism to identify and differentiate between these very different types of risk and to better respond to change by addressing threats and embracing opportunities, while avoiding underestimating risk or overreacting. Accordingly, the intent is not to avoid all risks, but to ensure that WHO understands the risks that are inherent to its operations and chooses the appropriate strategy to manage them.
1.1 Purpose
The purpose of this policy is to establish a robust risk management system that supports decision making when setting objectives, prioritizing strategic alternatives, selecting and managing the appropriate course of action, and evaluating results. This policy also serves to improve the quality of management and to calibrate WHO internal controls in the context of continuous improvement of operational processes, instructions, guidance, tools, and management information systems.
This policy is rooted in a systematic and consistent approach to risk management across WHO, fostering a culture that encourages open dialogue about risk, based on a common language that articulates how staff are expected to approach risk and to strike an adequate balance between treating, tolerating and exploiting risk. To this end, this policy outlines a structured and transparent process that will ensure coherent and complete risk reporting to inform decision-making. The premise is (i) to build a regular, systematic and iterative process that includes all Budget Centres, that is (ii) approved and supported by senior management in order (iii) to inform decision-making adequately. Consequently, this policy:
• Outlines the objectives of WHO’s risk management process;
• States the principles of WHO risk management;
• Provides common definitions across the Organization;
• Establishes a clear, coherent and inclusive methodological approach designed to support decision-making, composed of a bottom-up phase of risk identification/assessment/proposed response, and a top-down phase to validate risks and determine a risk response;
• Defines roles and responsibilities;
• Spells out monitoring and reporting requirements; and
• Lays out an approach to communication and training.
[2] EB 133/10 “Corporate risk register – organization-wide management in WHO”
[3] The identification of risks and assumptions is a key element of results-based management.
1.2 Objectives
The key high level objectives of WHO’s risk management process are twofold:
• Inform effective decision-making to improve delivery of results; and
• Embed risk management in operational processes: in the results-based management cycle (planning, performance assessment, budgeting), and the accountability and internal control frameworks.
1.2.1 A tool to support decision-making
The ultimate aim of risk management is to inform and support more effective decision-making. To this end, this policy has been drafted to:
• Introduce a systematic and planned approach to risks;
• Determine accountability for risk management;
• Clarify governance in matters of risk management, whereby:
  - Budget Centre Heads:
    - identify and assess the risks they see in their routine operations, propose ways to respond to them and identify the authority level to which risks beyond their responsibility need escalating, on a subjective basis;
    - manage risks related to their activities by implementing the approved risk response strategy;
    - update the risk register on a regular basis.
  - Approval authorities define responses to risk and make decisions on risks based on their criticality and the “proportionality” principle (i.e. the effort invested to respond to a risk must be in proportion to its criticality and to expected benefits);
  - CRE supports entities throughout the risk management processes, oversees the appropriate application of the risk policy, monitors the risk register, systematically escalates the most critical risks for decision on a risk response, monitors the implementation of mitigation plans and reports on the most critical corporate risks to the DG and WHO governing bodies;
  - All staff members support the identification and management of risks, in particular the risks that affect their direct activities and responsibilities. Staff members are invited to inform CRE of any additional risks they identify in their daily operations, or to supplement the data provided by their Budget Centre in the risk register.
• Provide management with appropriate information about risks and ensure an effective reporting process is in place to support decision-making.
1.2.2 Embedding risk management in operational processes
To ensure that risk management enables operational decision-making, it must be fully integrated into operations. WHO’s risk management mechanism is therefore embedded into the results-based management process (strategic and operational planning, budgeting and performance assessment) and the accountability and internal control frameworks.
1.2.2.1 Results-based management: planning, budgeting and performance monitoring
Risk management is closely embedded in WHO’s results-based management cycle. Both processes feed into and build on each other in order to ensure that risks are addressed consistently at the appropriate level and mitigation strategies are implemented to respond to risks. To this end, the risk management process has been designed to identify risks at the PB output level in order to provide inputs into the planning cycle.
Risks of an operational or administrative nature also feed back into the budgeting cycle to ensure that decisions regarding risk responses can be implemented in upcoming budget exercises. Implementation of risk response measures is integrated into Budget Centres’ workplans as appropriate, in order to identify and plan for the resources that may be required to implement a risk response action.
CRE’s monitoring of the risk register is timed in order to provide inputs to the mid-term review (MTR) of the implementation of the PB in the assessment of progress towards the achievement of outputs by BCs. It serves to update the status of the risks associated with PB outputs with particular attention to the expected results that are judged “not on track”, and any decisions to be made on required re-programming. The risk monitoring process also provides inputs to the PB performance assessment (PBPA) undertaken at the end of the biennium to document the actual achievements of BCs towards expected results.