What is it?
The EC defines a risk as 'Any event or issue that could occur and adversely impact the achievement of the Commission's political, strategic and operational objective. Lost opportunities are also considered as risks' (European Commission, 2018. Risk Management in the Commission. Implementation Guide [2018-2019 Edition]). In other words, risk is a potential problem which might happen but has not yet.
Risk management refers to the 'continuous, proactive and systematic process of identifying, assessing and managing risks in line with the accepted risk levels, carried out at every level of the Commission to provide reasonable assurance as regards the achievement of the objectives' (European Commission, 2018. Risk Management in the Commission. Implementation Guide [2018-2019 Edition]). It comprises a set of techniques to ensure proactive management of potential problems and to mitigate the possible negative effects arising from risks which have materialized.
What can it be used for?
A risk management strategy increases the likelihood of achieving objectives efficiently and effectively. Anticipating risks will help in:
- making more reasoned decisions (justifying why certain decisions were taken, what risk factors were considered, etc.);
- improving efficiency (aligning risk levels and resource and control system allocations);
- reinforcing the reliability of management systems (ensuring key risks have been taken into consideration and that internal control systems have been adequately reinforced).
When can it be used?
Risk management is particularly relevant in the design phase (identification and formulation) of an intervention, when the risk management response and plan are defined. The risk management plan (and mitigation measures, if any) will become part of the intervention implementation.
Who can use it?
- Everyone involved in each activity's performance should assess and manage the risks associated with it.
- Different actors should intervene at different hierarchical levels as appropriate. In the INTPA context, this can include government counterparts and implementing partners.
What are its strengths?
- Allows time and resources to be saved when begun early in the design phase, as critical risks may be immediately assessed and an intervention whose risks cannot be mitigated can be promptly discarded.
What are its limitations?
- Risks are not always easy to identify and assess in a systematic, objective way; risk analysis is often based on subjective judgement, and different stakeholders may have different sensibilities and levels of risk acceptance.
- Risk management should, whenever possible, be sustained by evidence, taking into account lessons to be learned in similar contexts and interventions.
Risk management follows a five-step approach, summarised in Figure 1.
[Figure 1: Summary of Risk Management]
Step 1: Identify intervention objectives and outputs – What do we want to achieve? If the analysis does not begin with the objectives of the intervention, it is likely to focus on current risks instead of potential risks, which makes it difficult to judge the importance of risks.
Step 2: Identify and assess the risks – What can stop us from fully achieving our objectives? Depending on the nature of the intervention, risks can be very diverse encompassing political and/or legal aspects, in addition to operational and/or financial. The aim of assessing risks is to make sure that the most significant risks are addressed and adequately managed. As per the INTPA mandate, risk analysis should also cover any unintended negative consequences of the proposed intervention, such as disadvantaging certain groups; perpetuating gender inequalities; interfering with participation, labour or other human rights; or contributing to forced displacement [Depending on the context, nature and scale of the intervention, more specific analysis (e.g. conflict or resilience analysis) may be needed. Risks related to Cross-cutting issues should also be assessed with specific methodologies as recommended, i.e. in the Action Document, Action Document instructions. March 2019 (INTPA Companion 9.0)]. The Commission's Risk Typology (see Annex 1 of the Risk Management Implementation Guide, which is summarised in Table 1) should be used to ensure that the most common risk aspects are covered.
Table 1: Example of risks-based on the risk typology (a summary) [The Commission's risk typology is mandatory, and all risks must be classified according to the main risk groups. Such an approach helps ensure that the most common risk aspects are covered and provides for a consistent basis for analysis across the Commission'. European Commission, 2018. Risk Management in the Commission. Implementation Guide (2018-2019 Edition). Annex 1].
Main risk groups
Dimensions and examples
Risks related to the external environment
Macro environmental risks
Risks related to planning, processes and systems
2.1 Risks related to the strategy, planning and policy, including internal political decisions
Risks related to people and the organisation
3.1 Risks related to human resources (staffing, competences, collaboration)
Risks related to legality and regularity aspects
4.1 Risks related to the clarity, adequacy and coherence of applicable laws, regulations and rules
Risks related to communication and information
5.1 Risks related to the communication methods and channels
Before assessing a risk, it must be clearly formulated, and explained in terms of impact on the intervention, root causes and possible consequences (see Table 2).
Table 2: Examples of risk formulation
Risk that implemented projects will be of inadequate quality
Cause: Staff inadequacy (in number, in competences?); Third party deficiencies? Availability?
Due to low number of qualified staff, risk that implemented projects will be of inadequate quality, which may result in criticism from European Parliament about the use of funds
Cause: Low number of qualified staff
Source: Adapted from Risk Management in the commission, 2018.
The impact/likelihood approach is recommended to assess the significance of risk (see Figure 2). The impact is the potential consequence should the risk materialise. It can be both quantitative and qualitative in nature. The likelihood is the estimated probability that the risk will materialise, even after mitigating measures are put in place (the residual risk). A five-point scale is used for this assessment, ranging from 1 (very low impact, little likelihood) to 5 (very high impact, extremely likely to happen). Risk can then be represented in a risk map, allowing deeper understanding and risk prioritisation (See Annex 4 of Risk Management in the Commission for a risk register) .
Figure 2: Example of impact/likelihood risk map
Source: Risk management in the Commission, p.12
Step 3: Decide how to deal with the identified risks (risk response) – How will identified risks be managed? To what extent can risks be accepted? Each risk must have a defined response which should be documented in an action plan at the appropriate management level (where the residual risk is judged to be lower) or centrally (where the risk is considered sufficiently important by management). The most common risk responses are:
- acceptance (risk tolerance), which implies that no action will be taken to mitigate the risk;
- avoidance, which usually implies redesign actions by adding activities, outputs or, if necessary, reformulating the outcome(s) of the intervention;
- transfer, aimed at sharing the risk with other parties (e.g. outsourcing, insurance);
- reduction, on the basis of mitigation measures aimed at either addressing the cause or mitigating the consequence of the risk – attention is paid to residual risks.
Step 4: Implement the risk response (action plans) – What concrete actions are needed to address the risks? Based on the risk response, an action plan should be developed including concrete, tailored and manageable actions/mitigation measures, and deadlines and responsibilities aimed at improving risk management. Action plans should serve as the basis for monitoring and reporting.
Step 5: Monitoring and reporting – Do the action plans remain relevant and effective? Like all intervention components, the risk action plan should be monitored and evaluated, become part of the organisational learning process, and be subject to an evaluation which will inform subsequent interventions.
The technical assessment of risk is a mandatory exercise and, as such, must always be performed. However, in open conflict situations or contexts of political volatility or fragility – which are not uncommon settings for INTPA interventions ––risk tolerance may, within clearly defined limits, be a higher priority than assessment of the impact and likelihood of risks. The reputational risks linked to avoidance option, for example, can be deemed of higher value than financial risks.
Data/information. Risks need to be identified to the greatest extent possible: a deep knowledge of context and stakeholders as well as lessons from the past are key inputs. The starting point is often a literature review (context and sector analysis, lessons learned from previous interventions, recent evaluations, etc.), followed by more focused assessments.
Time. For all interventions, the time devoted to risk management must be integrated into the design phases. Under the budget support modality, operational managers must develop a specific risk management framework (see Action Document); this might be a separate exercise and involve additional time/resources.
Facilities and materials. N/A
Financial costs and sources. The risk analysis is a mandatory part of the intervention design and implementation. If external expertise is required, funds should be made available to cover the costs associated with fees, travel expenses and logistics. These funds may come from the project itself or through other EC instruments such as a framework contract or a technical cooperation facility.
Tips and tricks
- Risk management embraces all intervention domains and management aspects – strategic decision-making, activity planning, operational effectiveness and efficiency, protection of assets and information, business continuity and staff management. Across all domains and aspects, the same basic question applies: Are the mitigation measures sufficient to reduce risk to an acceptable level?
- Risks (and assumptions) stem from the logic of an intervention. Hence, assessing and managing risks is an iterative process that can affect the design and the expected results. As necessary, such possible impacts need to be reflected in the intervention logic. Monitoring arrangements are critical in this regard.
Where to find it
The European Commission, 2018. Risk Management in the Commission – Implementation guide 2018-2019