Guide on Grants, Contributions and Other Transfer Payments

7 Managing risk

This section applies to the entire cycle of a transfer program and its agreements. Consideration of potential risks at the earlier development stage of a new transfer program ensures that proper controls, checks and balances are built in the design. Risk management should be part of overall program management and administration and influence the design of internal administrative, operational and financial controls.

The entire concept of risk management is presently under review in both the public and private sectors. Management is encouraged to have a proactive approach towards risk and to consider it as being an opportunity. This section restricts itself to the basic element of risk management.

Most activities carry some kind of risk, and this is true, of course, for programs such as transfer payments. In a few cases, risk can be totally suppressed but in general, this option is unachievable or too costly. Risk is here to stay and must be managed. Risk management involves:

• risk detection,
    
• risk assessment and
    
• response to risk.

Risk management should allow a dynamic workforce to take and accept risks while knowing where the risks are, how serious they are, and keep them under control. Risk reduction or suppression may have negative side effects such as loss of program flexibility or diminution of individual creativity and initiative. Risk can also be the flip side of an opportunity. For instance, in the stock market, risk is generally associated with increased return on an investment.

For the purpose of this Guide, only the negative side of risk will be considered-the possibility that something unwanted may happen or that something wanted may not take place. The guide addresses what management can do to get an early warning of problems, to assess the probability of an unwanted event happening or a desired event not happening, its consequences, and how to respond to this situation.

7.1 Risk detection

Risk detection is crucial. Everything else being equal, a known risk is much less threatening than an unknown one. There are several tools and processes to detect risk.

7.1.1 Business process analysis

A business process is an integrated sequence of operations, actions and decisions leading to a desired result. In other words, it's the processing of inputs to produce desired outputs. Examples of business processes are preparing a TB submission for a new transfer program, approving a new agreement or making a field-monitoring visit.

To detect risks in a business process, every key operation, action and decision is examined and for each one of them, the examiners must consider if there is a possibility that something may go wrong, and if so, what would be the consequences on the subsequent steps or on the final output or outcome.

For instance, if the operation is a calculation, the examiner will consider whether it is done automatically or manually. In the first case, is there a possibility that the calculation routine will fail or that the wrong data will be used for the calculation? If the calculation is done manually, then the risk of human error must be considered. How will a calculation error impact the end result or product? At the end, the examiner does a global analysis of all the risks detected and documents their collective or individual potential impact on the success or failure of the process.

7.1.2 Information and data analysis

In many cases, a risk can be detected through existing information and data. Excessive variations in quality or performance indicators may show that control is being lost and there is a risk of process collapse. If performance indicators show a significant increase in productivity without a corresponding increase in resources, then consider the possibility of a rise in the error rate.

7.1.3 Interviews

Group or individual interviews are very effective in detecting risk. In many cases, managers and staff involved in a process have a fair knowledge of the risks they are facing. They may have chosen to live with the risk, but generally, they will at least recognize its existence. To effectively detect risk, the interviewer and participants must know the programs and processes well and the interviewees must be willing to disclose all relevant information even if that may be compromising or embarrassing.

7.2 Risk assessment

Once a risk has been detected, it must be assessed. A risk is characterized by two factors: the probability that it will materialize and the consequences of that happening.

7.2.1 Estimating or measuring the likelihood of materialization

The probability that a risk will not materialize cannot always be measured precisely, but in most cases, it can be estimated objectively. To estimate the likelihood of a risk, one must review the historical or theoretical pattern of occurrence and adjust to all the known factors that may influence this pattern, positively or negatively.

For example, the risk that an ordinary project file will be stolen is very small: who would be interested in fraudulently acquiring such a file? But the risk may be higher if the project is very controversial and used by individuals or groups to promote their position. The probability that a project file will be lost does not depend on the content but on the frequency of such losses in the past, on the adjustments to filing systems, on the project officers' discipline, and on specific events such as changes in the workplace.

In some cases, risk materialization can be calculated using probabilistic and statistical instruments. This would be the case, for instance, for a transfer program that provides financial support to unemployed individuals who accept training as bookkeepers. If labour market statistics indicated at the time the program was created, that three out of four qualified persons in this trade found a job within six months, then there is a 25% probability that an individual who participated in the program will not find a job within six month. This risk may be considered acceptable, but, if at a later date, it becomes obvious that changes in the labour market have brought down the probability of finding a job to one person out of four, then the risk of failure may become unacceptable and the program's continuation may be questioned.

7.2.2 Estimating or measuring the impact

Most managers or employees know intuitively the probable consequences of a negative event occurring. Managers responsible for transfer payments must consider the transfer's size, the program's visibility, and the social, economic and political context for proper risk assessment.

The financial loss related to a risk materializing can generally be estimated with more precision and sometimes accurately measured. For example, a $10,000 grant given to an individual to engage in a new trade, or to an NGO (non-governmental organization) to build a school is a net loss if the individual does not do anything to find a job or if the NGO representatives pocket the money for their own personal use. But if the individual uses the money to relocate in an area where he finds a job in his trade, or if the NGO uses the money to hire new teachers, is the money totally misspent?

7.2.3 Combining probability and consequences to assess risk

A risk is assessed by combining the probability and the consequences of its materialization. A risk with a high probability of occurrence and limited consequences could be considered equivalent, in terms of assessment, to one with a low probability of occurrence and devastating consequences. However, the final assessment would generally depend on the context of the whole project: it is ultimately a judgement call.

The following chart illustrates this concept.

Risk Classification Schedule

The content of the boxes is not prescriptive. The decision as to what measure will be taken belongs to the managers responsible for that program or activity.

7.3 Responding to risk

As discussed above, unwanted risk can seldom be completely avoided. Sometimes it can be transferred, for example by covering it with risk insurance, but then the greater the risk, the higher the premium. Alternatively, the risk can be reduced through operational changes or by introducing new or better controls. Yet, as discussed above, drastic risk reduction may have a negative impact on the workplace. Management can decide, after considering all alternatives, to "live with it" instead of reducing or suppressing it. It may also be decided that the risk is linked to an opportunity that outweighs the possible negative impact of the risk materialization.

Yet, every organization has a tolerance limit to risk; if this limit is exceeded, the risk must be reduced or eventually suppressed. The tolerance level tends to vary with time, changes to the environment, or even a change in management. The following are tools or strategies that can be used to mitigate or reduce risk.

7.3.1 Preventive and corrective controls

Controls are basic tools that managers can use to maintain risks at an appropriate level. Controls are preventive if designed to prevent risk materialization. They are corrective if they are designed to inform after the fact that the risk has materialized, which should lead to measures to redress the situation and prevent its reoccurrence in the future.

7.3.2 Effectiveness, efficiency and economy of controls

Controls come with a cost; they use resources, and generally slow down processes. This can be mitigated by designing controls for maximum efficiency and economy.

A control's effectiveness is the likelihood that it will prevent or detect the materialization of the risk it is designed to cover. A control's effectiveness is optimized by proper design and diligent application.

Generally, there is a trade-off between the effectiveness on the one part, and efficiency and economy on the other part. While a control's efficiency and economy can be imputed from its design and measured thereafter, its effectiveness can generally not be assumed until it has been tested independently.

7.4 Self-assessment

7.4.1 Risk self-assessment

Despite its name, risk self-assessment is a process that generally deals with all aspects of risk management: detection, assessment and response. Its main characteristic is that it is driven by the managers and employees instead of by external resources such as auditors or internal control specialists.

It is generally applied to a program or to one or more of its components rather than to a single agreement. Groups of managers and/or employees work together in a facilitated session to identify and assess risks in their area of responsibility or expertise and are often asked to propose courses of action.

A session is generally composed of one or more brainstorming exercises where the participants share all the risks they are aware of. Following each brainstorming session, the group votes to sort the risks by probability and impact. They may then discuss what actions to take, or vote on various options.

Facilitators can be program officers or managers, specialists from human resources, internal auditors or professionals from the public or private sector hired for that purpose. In some cases, risk self-assessment includes some degree of validating the findings by an independent party, generally the department's internal auditors.

7.4.2 Control self-assessment

The same approach and techniques used in risk self-assessment can be used to identify and assess controls. This control self-assessment exercise can provide useful information on the existence of controls and their design, costs and impacts on operations. However, the exercise has one major limitation: unless its results are validated independently, it will not provide conclusive evidence on the controls' effectiveness.