Risk management processes at the Global Fund need significant improvement, OIG audit report says
In its annual report, prepared for the Board meeting on 3-4 May 2017, the Office of the Inspector General (OIG) said that the Global Fund is making “significant progress” in managing risks (see GFO article). Two weeks later, on 16 May, the OIG released an audit report in which it rated the design and operating effectiveness of the Fund’s risk management processes as “needing significant improvement.” This is the second lowest rating in the OIG’s four-tier rating scheme. The four tiers are “effective”; “partially effective”; “needs significant improvement”; and “ineffective.”
Did the OIG contradict itself? Not really. It simply chose to emphasize the positive in its annual report, and to focus on the work that still needs to be done in its audit report. In both cases, the OIG said that although there have been achievements in risk management, significant gaps remain.
In terms of detail, there is considerable overlap between what the OIG said about risk management in its annual report and in the audit report. Since we have already covered what the OIG said about risk management in its annual report in our earlier article, we have chosen to focus the present article on three specific areas of risk management that the OIG addressed in more detail in its audit report:
- accountabilities for risk management;
- mitigation of risks; and
- risk appetite.
Accountabilities for risk management
The OIG said that the risk management function within the Global Fund has been strengthened by, among other things, the establishment of a Risk Department and the creation of a Chief Risk Officer position in 2012; the creation of an Operational Risk Committee (ORC) in 2012 to oversee grant-level risks; and the creation of an Enterprise Risk Committee (ERC) in 2016 to oversee corporate level risks. (Editor’s note: In addition, a Risk Management Policy was adopted by the Board in 2014.)
The OIG said the design of risk management structures within the Global Fund is now generally adequate, and that roles and responsibilities at each level have been delineated. However, the OIG noted that weaknesses remain in the execution of oversight and accountability for risk management.
Accountability at Board level
The OIG stated that although significant progress has been made in setting the appropriate structure and policies at Board level, the effectiveness of the Board’s execution of its risk management responsibilities needs improvement in two areas: (1) defining risk appetite; and (2) developing a structured process for following up on risk issues.
For a discussion of risk appetite, please see the separate section below.
With respect to a process for following up on risk issues, the OIG said that there are gaps in the processes of the Board and its committees for recording and escalating key risk issues. For example, the OIG said, at its 34th meeting in November 2015, the Board requested an update from the Secretariat on the integration of risk management into its operations and culture; however, the multiple challenges raised by the Board were incompletely addressed in the Secretariat’s update at the following Board meeting.
The OIG said that effective follow-up on Board requests and concerns is needed to ensure that relevant issues are continuously tracked. The OIG cited the end-of-term reports issued by the “outgoing” Board committees (i.e. the previous committees, prior to the reorganization of committees in 2016), which noted the need for an action tracker to ensure that issues discussed by committees are followed up appropriately. (The end-of-term reports have not been made public.) The OIG said that follow-up processes have been strengthened lately and that action trackers were developed in late 2016. However, it said, further improvements are needed.
The OIG said that addressing these gaps would enhance the Board’s ability to perform an effective oversight role, as described in the Fund’s Risk Management Policy, and would also bolster the trust between the Board and the Secretariat.
Accountability at senior management level
The OIG said that at the senior management level:
- risk accountabilities need to be clarified;
- strong key performance indicators (KPIs) need to be developed; and
- the risk decisions of the ORC should be documented and consolidated into risk themes.
We explain each of these points below.
Although risk-related roles have been defined, the OIG said, related accountabilities for risk decisions are generally not clearly documented. The need for an accountability framework in the Global Fund was identified in 2013. According to the OIG, the Secretariat prioritized the accountability framework in 2016, and it was finalized and approved by the Management Executive Committee in early 2017. (The accountability framework is an internal document and so has not been made public.)
With respect to KPIs, the OIG said, in the KPI framework that was in effect for the Fund’s 2012-2016 Strategy there was a corporate KPI based on a Portfolio Risk Index. The OIG said that this indicator had multiple gaps in terms of both quality and content, and that it was not much used by senior management when making decisions. “However,” the OIG said, “instead of improving or replacing this risk indicator with a better one, this risk indicator has been removed from the proposed performance indicators in the 2017-2022 corporate KPI framework, without any replacement at this stage, although the risk team is exploring solutions.”
Concerning the documentation of the ORC’s risk decisions, the OIG said that the ORC provides an opinion on whether each country’s risks have been appropriately prioritized and adequately mitigated. The OIG said that this is consistent with the ORC’s mandate but it added that “it is also important that recurring risk themes or emerging trends across different grants be tracked and periodically evaluated to provide broader portfolio-level insights and inform higher-level risk analysis at the ERC level.”
In addition, the OIG said, explicit decisions on acceptance, mitigation or escalation of risks should be documented. The OIG explained that although risk dashboards are prepared and presented by the country teams, the ORC does not explicitly decide on risk responses. For example, The OIG said that when the ORC reviewed the dashboard for the grants from Nigeria in May 2016, the country team noted that the residual risk (i.e. the risk remaining after risk mitigations measures were taken) regarding capacity issues was high, with specific contextual challenges. “However,” the OIG said, “the discussion did not determine how those risks would be escalated and monitored, whether the risks were acceptable, or how mitigation measures would be monitored and, if necessary, escalated to other governance bodies.”
The OIG noted that the Risk Department has grown from four positions when it was established in 2012 to 16 positions in 2016. In terms of skills and experience, the OIG said, there has been a concerted effort to recruit new risk resources and to improve the skills of existing staff. However, the OIG said, the Chief Risk Officer is the only staff person in the department with directly relevant, specialist risk experience prior to joining the team.
The Risk Department has recently initiated a series of in-country reviews under the Risk and Assurance project. This is a significant development in the team’s capacity to oversee grant management at the country level, the OIG commented. “However, the oversight of non-grant processes is not as effective as there is minimal formal monitoring of other enterprise risks such as finance, treasury or IT activities, with the risk team dependent on information provided to them.”
In an agreed management action (AMA) in response to the OIG’s findings with respect to accountabilities for risk management, the Secretariat said it will design and implement a standard format for ORC discussions, and standard outputs, including justification of ORC risk ratings adjustments and risk responses, which can include mitigation or risk acceptance.
Mitigation of risks
The OIG noted that initiatives to mitigate risk have historically been documented and followed up using internal tools such as QUART (Qualitative Risk Assessment Tool), and external communications such as management letters to implementers. The OIG identified three areas where it said improvements were required to enhance the effectiveness of the mitigation initiatives, as follows:
- Corporate mitigation initiatives should be translated into measurable actions. For example, the OIG said, poor quality of programs and services is listed in the Organizational Risk Register for the first quarter of 2016, with the current risk rating measured as high, and the target risk rating set as medium. Corporate mitigation initiatives identified in the risk register include the development of a holistic program quality and effectiveness strategy, routine monitoring and national surveillance, strengthened patient follow-up and expansion of the public-private mix. However, the OIG said, these are broad objectives which do not translate into specific action points and clear targets that can be tracked and evaluated on a systematic basis. On the other hand, the OIG stated, progress is being made in translating some organizational risk mitigation initiatives into operational targets. For example, it said, transition planning is being based on specific readiness assessments that will lead to country-level targets.
- Mitigations at grant level have in some cases focused on symptoms, and should instead tackle root causes, the OIG said. It cited the example of Tanzania, where in an attempt to resolve the country’s storage challenges, additional warehouses were created. That did not work, the OIG said, because the root causes of the challenges were the country’s decision to hold large stocks and its failure to dispose of large volumes of expired stocks. This issue is expected to be resolved through the ongoing Supply Chain initiative, the OIG said.
- Complex mitigations have had joint owners, but clear individual accountabilities and effective monitoring are needed. For example, the OIG explained, supply chain–related risks have been included in the risk register since 2013, but systematic solutions were not prioritized until 2016. A Risk and Assurance project, designed to address risk mitigation and assurance issues, was initiated in 2014 and concluded in mid-2016. In both cases, the OIG said, the initiatives required efforts from both operational and functional teams, but the roles were not clearly defined. And, in both cases, effective monitoring likely would have lessened some of the delays that were experienced in addressing the issues.
In the context of the Global Fund, “risk appetite” is the amount of risk the Fund is willing to accept in pursuit of its objectives.
The OIG said that the report on the Five-Year Evaluation of the Global Fund, completed in 2009, the report of the High-Level Independent Review Panel in 2011, and the Consolidated Transformation Plan that resulted from the High-Level Panel report all emphasized the need for the Board to define a risk appetite. However, the OIG said, the Board has been reluctant to do so.
The OIG said that its review of Board and committee minutes indicated that sometimes there was a reluctance to use language such as “risk appetite” and “risk tolerance.” For example, the OIG said, the Risk Differentiation Framework approved in November 2014 was initially presented to Board committees as a “risk tolerance framework.” However, three Strategy, Investment and Impact Committee members expressed “strong concern” about the use of the words “tolerance” or “appetite” together with the word “risk” since it could “send the message that there is a tolerance or even an appetite for risk rather than zero tolerance.” All mentions of “risk tolerance” were amended to “risk differentiation” before the framework was presented to the Board for approval in November 2014.
Articulation of risk appetites allows an organization to explicitly consider trade-offs across a spectrum of risk choices and in relation to a desired level of impact, the OIG stated. “For example,” it said, “in the case of the Global Fund, such trade-offs might involve the acceptance of a higher risk of over-stocked drugs expiring, and the related financial loss, in return for a desired lower risk of stock-outs that might lead to treatment disruption and potentially higher programmatic costs.”
In general, the OIG said, a sound framework of risk appetite and tolerances allows the Global Fund to explicitly consider these important trade-offs. In the absence of such a framework, the OIG added, risk decisions can be inconsistent because “different teams and individuals exhibit different behaviors and responses to similar risks based on their own level of comfort rather than based on a unifying set or organizational principles.”
In response to these findings, the Secretariat said it will present a paper to the Board recommending a risk appetite for the key risks involved in delivering the 2017-2022 Strategy. It said that the paper will include broad principles regarding risk appetite that can be used when making decisions concerning the grant portfolio. For this AMA, there is a target date of 30 June 2018 for presentation of the principles to the Board; and a target date of 31 December 2018 for implementation of the risk appetite principles.
In a separate AMA, the Secretariat has agreed to develop and implement an enhanced risk measurement and reporting framework which will:
- measure risks for countries while considering their materiality to disease impact;
- consolidate a holistic picture of risks across the Global Fund; and
- assess whether risks in countries are in line with the risk appetite, to inform decision-making.
The framework will ensure adequate portfolio coverage, and consistency of measurement approaches over time. This AMA has a target date of 30 June 2018 for development of the framework; and a target date of 31 December 2018 for its implementation.