UPDATE ON RISK MANAGEMENT AT THE GLOBAL FUND
Kate Macintyre
Article Number: 8
ABSTRACT A risk policy and an over-arching enterprise risk management framework were approved at the 32nd Board meeting in Montreux. The leadership of the Fund has agreed that the portfolio risk index score of 1.86 (on a scale of 1 to 4) is appropriate. The most common risks itemized in the organizational risk register were: poor program quality; treatment disruptions; inadequate grant oversight; Community, Rights and Gender-related risk; failure to deliver on mission; and failure to provide a new Secretariat culture.
At its meeting on 20-21 November, the Board approved a new risk management policy to replace the Risk Management Framework it had adopted in 2009. The Board also adopted a risk differentiation framework: a way to identify risk tolerance or risk appetite.
The risk management policy and the risk differentiation framework are two of the six inter-related elements of the Enterprise Risk Management Framework. The other four elements are:
· governance arrangements around risk management
· operational risk management
· the organizational risk register
· internal controls applied to Secretariat processes
All six elements of the Enterprise Risk Management Framework are discussed in Annex 1 to Board Document GF-B32-13 Risk Management Policy. The risk management policy itself is contained in Annex 3 of the same document.
According to the Secretariat, for the most part the policy codifies risk management practices that have been put in place, or significantly strengthened, over the past three years, so its approval will not have a material impact on risk management practices.
The risk differentiation framework covers both the operational risks related to the Secretariat’s management of the grant portfolio and the risks inherent in the Secretariat’s various supporting functions.
The Global Fund’s portfolio risk index (PRI) will be adapted to determine acceptable levels of risk in the grant portfolio. (The PRI is the aggregate of all individual grant risk assessments in the Fund’s portfolio, weighted by the annual budget amount. The current value of the PRI is 1.86 (2014). The Global Fund says that the acceptable range is +/- 10% which, given the current value, is 1.7 – 2.0. A PRI target is set annually as part of the Fund’s key performance indicator (KPI) process.) To give some perspective, the portfolio risk index for 2013 was higher, at 2.01.
Countries in the grant portfolio have been categorized into four levels – very high, high, medium and lower – based on a composite of indicators designed to measure the contextual risk in each country. Fifteen countries have been classified as very high; 25 as high; 50 as medium and 36 as lower.
Next, within each contextual risk category, thresholds have been established across individual grants; the country disease portfolio; and the overall country portfolio. Acceptable risk threshold ranges have been established for each of these entities. These ranges are illustrated in Figure 1.
Figure 1: Risk threshold levels
Source: Global Fund Board document GF-B32-14
The Global Fund says that when these risk threshold levels are applied to the more than 180 grants for which detailed risk assessments are maintained, 30 are outside the ranges (14 above and 16 below) (see Figure 2, left-hand column). In addition, 14% of disease portfolios and 7% of country portfolios are outside the risk threshold ranges.
Figure 2: Risk threshold levels
Any grant, disease portfolio or country portfolio outside the risk threshold ranges will be reviewed by the Regional Operational Risk Committee for a decision on the appropriate course of action. This could mean more intense management or control, which would be designed to reduce the underlying risk exposure; accepting the higher (or lower) risk levels; or some combination of the above. It is designed to make the management of risk as realistic and logical as possible.
In its decision on the risk differentiation framework, the Global Fund re-affirmed that it does not tolerate corruption, fraud, misappropriation or abuse of any kind in its grants.
With respect to the Secretariat’s supporting processes, the degree of risk is measured by assessing the state of compliance of each main process with the COSO Framework, the standard for internal control that has been adopted by the Global Fund.
Reports on how the Global Fund is performing with respect to managing risk will be prepared for the Board twice a year.
Linked to risk management, the Chief Financial Officer, Daniel Camus, in his report on the Fund’s operational budget (GF-B32-03), said that for 2015 the proportion of the OPEX being spent on cost of control and assurance was $75 million. This is made up of the cost of LFAs and Risk and OIG. As Camus says, this proportion can be seen as high or low, but it is in the nature of the Global Fund’s model of not having permanent country presence that the cost of risk management is relatively high.
For all of the emphasis on risk management at the global level, many countries are having trouble absorbing the new requirements and accommodating the controls and oversight that the new framework requires. In a report, the French civil society group Solthis highlighted some of the challenges confronting countries as they work to meet the Fund’s stringent controls. With case studies from Guinea, Niger, Mali and Sierra Leone, Solthis examined the extent to which program implementation has been affected by risk management protocols.
In other criticisms expressed to GFO, several participants said they thought the process of operationalizing risk management, in terms of getting results, was slow. A fellow observer said there had been no independent verification of the risk assessment – i.e., no parallel assessment by the inspector general. Ideally, one assumes, this means that the Board may expect a report from the Risk Management department and a separate report from the OIG: both independent assessments of the operational risks on a semi-annual basis.
The paper on Risk Management Policy (Document GF-B32-13) and the paper on Applying Risk Differentiation (GF-B32-14) are available at www.theglobalfund.org/en/board/meetings/thirtysecond. Other documents related to risk that will be available at the same site are the Report on Risk Management (GF-B32-12) and Global Fund Risk and Assurance Policies (GF-B32-14). More information on the COSO Framework is available here.