4 of 32

Risk

What is risk?

Effect of uncertainty on objectives (ISO31000)

Negative (threat) or positive (opportunity)

Why do we need to manage risks?

Increased ability to reach objectives in an effective and consistent way
Better informed strategic decision taking with respect to opportunities and threats
Maintain compliance and support governance and assurance activities

Managing risk is an integral part in managing any organization

Risk management starts with strategy setting and objectives an should not be a standalone matter

Good risk management is not only about mitigating risk, but good risk management is also about good risk taking

For more on risk, watch our video on CGIAR Risk Infopoint

www.cgiar.org

5 of 32

Mission of Risk Management across CGIAR

To foster practices, capabilities and culture in effective risk management tied to strategy-setting and performance

Risk management across CGIAR

Monitor risks and risk activities across CGIAR

Ensure aligned approach to risk management across CGIAR

Assist executives and the board in taking better informed decisions

Support risk, governance, assurance and compliance activities and work closely with relevant functions

Provide guidance and training on effective risk management practices

Lead efforts to support CGIAR in managing risk in preserving and creating value

www.cgiar.org

6 of 32

Risk Community of Practice (CoP) and risk workgroups

The Risk CoP comprised of members of all Entities is responsible for promoting alignment, collaboration, cooperation, coordination and consistency relating to risk management approaches and practices in the CGIAR Centers and on a CGIAR-wide basis

Risk CoP

Risk Workgroups

Risk CoP members from different entities participate in Risk Workgroups. The purpose of the Risk Workgroups is to improve the risk process across CGIAR and carry out hands-on work on a voluntary basis. Output of this work is brought for discussion and/or decision to the Risk CoP

CGIAR is an extended enterprise, “a structure where a number of organisations come together in a joint endeavour in order to achieve outcomes that none of them could have achieved on their own”

www.cgiar.org

7 of 32

Members of the Risk CoP

Entity	Designated Representative(s)	Alternate members
AfricaRice	Marcel Nwalozie
ABC	Vanessa Riveros and Carlos Ernesto Paredes
CIMMYT	Roberto Rocha Correa
CIP	Jonathan Mackey
ICARDA	Janet Muir	Ahmed Nasr
IFPRI	James Fields
IITA	Rasheed Fagbenro (Chair)	Helen Adeniji and Alick Mulenga
ILRI	Michael Gerba	Andres Palau
IRRI	Marichu Bernardo
IWMI	Nilantha Sangapalaarachchige	Gamini Halvitige
WorldFish	Azira Azmi
System Organization	Yorgos Solomos (Convener)	Michael Odhiambo

www.cgiar.org

8 of 32

How we systematically manage and monitor risk

A review cycle with the Executives, aiming to meaningful discussions on top risks 4 times per year with 1:1 interactions in-between the reviews

CGIAR’s

top risks

Risk review with EMT Quarterly

CGIAR’s top risks

Top risks from the Centers
Research Initiatives key risks
SO risks
1:1 risk discussions with EMT and SLT members
Risks from other assessments and audits

After quarterly reviews, reports provide visibility to different bodies and audiences

CGIAR’s top risks shared with the System Board

To be put in place:

Annual AFRC deep dive to review risk process, deliverables, issues and approve risk assessments plan for year ahead

Annual discussion with stakeholders to identify areas and engagements where risk management can deliver value

Risk review with EMT Quarterly

www.cgiar.org

9 of 32

Participants of the Executive Risk Review meeting

Senior Advisor, Risk Management, Governance & Institutional Risk

Executive Team

Executive Managing Director

Managing Director, Genetic Innovation

Managing Director, Resilient Agri-Food Systems

Managing Director, Systems Transformation

Managing Director, Institutional Strategy & Systems

Managing Director, Regions & Partnership

Managing Director, Communications & Outreach

Review meeting chair

Group General Counsel

Senior Director, Governance & Institutional Risk

CGIAR System Organization Chief Audit Executive until global Chief Audit Executive is appointed

Standing Invitees

Overall Process Sponsor

Senior Advisor, Risk Management, Governance & Institutional Risk and Risk Consultant engage with functional experts prior to meeting as needed

Convener

www.cgiar.org

10 of 32

Top CGIAR risks – Q2 2023

Risk #5: Inability to maintain partnerships and engage effectively with partners

Risk #6: Financial model not fit for purpose

Risk #4: Funding interruption, loss or decline

Risk #10: Capacity challenges at Science Groups, ISS, Regions & Partnership and Comms & Outreach

Risk #11: Cyber risk

Risk #9: Lack of adherence to and enforcement of CGIAR’s Core Ethical Values

Risk #1: Inability to implement CGIAR vision

Risk #3: Poor operationalization of the matrix structure and IFA

Risk #2: Failure to deliver a high-quality research portfolio

Risk #7: Inability to communicate effectively on One CGIAR across the board

Risk #8: Inability to implement unified governance

Strategic, research and governance

Operational

(incl. compliance)

Overarching risk, consequence of all other top risks

Financial

Risk #12: Failure to comply with legal and regulatory requirements

Risk #14: Failure to provide a healthy and safe work environment

Risk #13: Business interruption risk

www.cgiar.org

11 of 32

2. Overview of the risk process for Initiatives

12 of 32

Background of the risk process for Initiatives

End 2021, the Initiatives teams undertook a risk assessment exercise to identify and evaluate the Top 5 risks to impact, and mitigating actions for the Initiative prior to approval

At that phase, the risk assessment was used to highlight areas of concern and improvement recommendations for the Initiative
It also provided visibility to different bodies that is needed from a good governance perspective in line with the principles set out in the Risk Management Framework of the CGIAR System

Risk assessment in 2021

Current status

In 2023, guidance established for risk monitoring and update, and overview presented to the Initiatives in April
The work and process that Initiatives followed in the end of 2021 has been built into a tool (in 2021 risks we submitted through the submission template in MS Word). This will bring efficiencies at different levels and with different groups, as well as visibility and transparency.
Pilots on the Risk Management Module and process took place with five volunteering Initiatives (Ukama Ustawi, Mitigate+, Nexus Gains, Gender Platform, and Market Intelligence) and we incorporated changes as needed. Additional feedback gathered from the Senior project managers

www.cgiar.org

13 of 32

The risk assessment process

Define scope, context and criteria

Risk assessment

Identify risks

Analyze risks

Evaluate risks

Treat risks

Report and maintain records

Monitor and review

Communicate and consult

Risk management process, adapted from ISO 31000:2018 the international standard on Risk management - Guidelines

www.cgiar.org

14 of 32

What is new compared to 2021 and why

We made minor additions to make the process more robust in relation to best practices and to provide better visibility to our management, governing bodies and their committees, including the AFRC – Audit Finance and Risk Committee of the System Board, and AOC – Assurance and Oversight Committee of the System Council

That is needed for them to be able to provide assurance on risk management and fulfil their obligations according to their terms of reference.

Additions:

Risk Categories e.g. Operations, Funding and other
Risk targets and due dates
Risk owners
Status of actions to manage risk

www.cgiar.org

15 of 32

3. Key concepts

16 of 32

�Writing a risk statement: 1st visualize the risk as a full set of different elements

An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.

Objectives can have different aspects and categories and can be applied at different levels.

Risk is usually expressed in terms of risk sources, potential events, their consequences, and their likelihood.

Event: occurrence or change of a particular set of circumstances

Source: element which alone or in combination has the potential to give rise to risk

Consequence: outcome of an event affecting objectives

Likelihood: chance of something happening

Control: measure that maintains and/or modifies risk

www.cgiar.org

17 of 32

Writing a risk statement: 2nd try to capture the most important of the elements in a risk statement

Writing Good Risk Statements (isaca.org)

Risk statement:

[Event: Occurrence or change of a particular set of circumstances that has an effect on objectives] caused by [sources/s]. This may result in [consequence/s].

Event: occurrence or change of a particular set of circumstances

www.cgiar.org

18 of 32

Risk Categories for Initiatives �Useful for reporting purposes

Risks associated with budget and financing

Funding

Risks associated with internal processes and systems and external socio-political, economic, or environmental events (instability, interruptions, and disruptions), or health and safety.

Operations

Risks to effective partnerships, and risks which lie with CGIAR’s partners.

Partners and Partnerships

Risks to identifying and delivering pathways and activities which can take the resulting innovations to scale. This may include intended and unintended consequences of technologies/innovations for natural resources, GHG emissions, and social and economic aspects.

Scaling Impact

Risks to efficiently and effectively producing high quality knowledge products, technologies, and services to develop innovations, including the identification of high impact potential research, addressing research questions, and use of appropriate methods and tools.

Research Innovation

Risks related to attraction, engagement, development and retention of talent, and enhancement of diversity.

Talent

Risks arising from not adhering to legal requirements (e.g., force majeure) or ethical concerns.

Legal

www.cgiar.org

19 of 32

Ratings tables used in 2021 – remain the same

www.cgiar.org

20 of 32

Rating a risk – current and target level

Target likelihood:

The targeted likelihood of the risk occurring within a given time horizon that could result into the targeted impact level assigned. Target likelihood could be achieved by putting in place additional controls and actions to manage the risk likelihood

Target impact:

The targeted expected impact on objectives if the risk materialises. Target impact could be achieved by putting in place additional controls and actions to manage risk impact

Current likelihood:

The likelihood of the risk materializing within a given time horizon that could result into the impact level assigned, considering any existing controls and actions in place and working

Current impact:

The expected impact on objectives if the risk materialises, considering any existing controls and actions in place and working

Added in 2023

As in 2023

www.cgiar.org

21 of 32

Setting current and target levels

Let’s look at risk #1 rated as 4 (high) likelihood, 5 (very high) impact. There is a “high” likelihood that risk will materialise leading to “very high” impact.

Is the current risk profile accepted moving forward?

Are there any risks that should be reduced or may have to be increased to achieve objectives based on risk appetite?

We decide that moving forward we cannot not accept risk #1 at its current level

Example:

In this example, for risk #1 we target to reduce likelihood from 4 (high) to 2 (low) while we cannot do anything to reduce its impact if risk materialises. Therefore target impact remains 5 (very high) and target likelihood is 2 (low). Next step is to set actions to get the risk to these level.

www.cgiar.org

22 of 32

Actions/Controls to Manage Risks�Useful for tracking, monitoring and reporting purposes

The action is underway, has not been completed but it is considered to be on track according to schedule

Ongoing and on track

The action has been completed (could be an one-off action taken or the establishment of a control to manage risk i.e. a standing review introduced or a process has been put in place

Completed

The action is planned or underway, has not been completed but running behind schedule

Delayed

The action has not started yet but not considered to be delayed. It has not started but this is according to plan

Not started

At the point of the review information on action planned is not available. This may be an action owned by another group but an update is missing (i.e. not known if delayed, ongoing and on-track, completed or not yet started)

Unknown/No visibility

www.cgiar.org

23 of 32

Redundant

The term "redundant" in the context of this approach refers to risks that are no longer valid or relevant due to changes in the internal or external environment.

While there is no official definition for a redundant risk, it is useful to keep track of such risks for audit purposes or lessons learned, even if they are no longer actively managed or displayed in reports.

www.cgiar.org

24 of 32

4. Timeline�

25 of 32

Timeline

8 November 2023

Risk Management Module Opens

November - January

Drop Ins Scheduled

15 March 2024

Deadline for Risks

April 2024

2024 Reporting Phase open for edits and submission

Official reporting on Initiatives risks will be required through a mandatory annual review. The Initiatives should review and submit their Top 5 risks annually including adjustment to descriptions, likelihood and impact, actions to manage risk, and risk owners.

Initiatives are encouraged to identify and manage risks as part of good project management daily activities, even if when official reporting on risks is not taking place and update their risk register.

In future years the timing of these process may be adjusted, the intention is to keep the processes of reflect, budget forecast update and plan of results and budget update, and risk management synchronised.

Between November 2023 and 15 March 2024, Initiatives can update risks:

www.cgiar.org

26 of 32

5. Over to D&D for Virtual Tour�

27 of 32

Live Demo – D&D

How to access?

https://risk.cgiar.org/

Any user having CGIAR credentials will be able to access the tool in view mode

What is the tool?

The Risk Management Module is a component of the Performance and Results Management System (PRMS) developed to assist the Initiatives in developing, managing and reporting risks related to the delivery of the CGIAR 2030 Research and Innovation Strategy

What data contains the tool now?

The tool contains the risks which were submitted in the Initiative proposals, pending any updates which were made in the Online Submission Tool (OST).

However, please take note that there are some new fields that need to be completed (Risk owner, Target risk level, Due date, etc). It is also possible to modify the existing information as well.

www.cgiar.org

28 of 32

Live Demo – D&D

User roles

Leader/Coordinator

• Add/edit/delete team members for the assigned initiative.

• Add/edit/delete risks for the assigned initiative.

• Can submit the risk template.

• Can assign himself/herself/other users within the Initiative team to be a Risk Owner.

• View Team members involved in the Initiative.

• View the template of any Initiative.

• Tag risks “Targets cannot be set” when it is challenging to identify targets.

• Export to Excel/PDF.

Risk Owner

• Can make edits in the risks assigned to him/her including actions to manage risks.

• Can’t submit the risk template.

• Other roles similar to Leader/Coordinator

Team Member (view only)

• Can’t make edits.

• Can’t submit the template (even if he/she is a Risk Owner).

Other roles similar to Leader/Coordinator

www.cgiar.org

29 of 32

Live Demo – D&D

Notifications

Email subject	Sent to	Description
Risk update	Leader/coordinator	The email is sent to the/leader/coordinator once the risk owner updates the risk that is assigned to him/her. �The email will NOT be sent to the risk owner if he/she updates his/her own risk.
Top Five Risks Submitted for 2023	Leaders/Coordinators/Admins	The email is sent to the Leader/Coordinator and all the admins once the Initiative submits the template
You have been assigned to a risk	Team member	The email is sent to the team member who was assigned a risk by Leader/Coordinator/admin
The due date to reach the risk target level is today.	Leaders/Coordinators/Risk owners	The email is sent to Leaders/Coordinators/Risk owners informing the user that the due date to reach the risk target level is today. The emails are sent daily.
You are added as team member to Risk management module	Leaders/Coordinators/Team member	The email is sent to the Leaders/Coordinators/Team member informing him/her about the Initiative that he/she was added to by admin/Leader/Coordinator

www.cgiar.org

30 of 32

6. Resources�

31 of 32

Additional Resources

Drop Ins

Monthly drop ins to be scheduled�

Risk Management Module

https://risk.cgiar.org/

Support Materials

Risk Management Guidance for Initiatives l PDF
Risk Management Module User Guide l PDF�

Contact

General QA support email: PRMSTechSupport@cgiar.org
For general enquiries on the Risk Management Process, the Risk Team will reply

Please see the P&R Hub for further updates including event recording, PPT slides, Guidance documents and FAQs.

1 of 32

2 of 32

3 of 32

4 of 32

5 of 32

6 of 32

7 of 32

8 of 32

9 of 32

10 of 32

11 of 32

12 of 32

13 of 32

14 of 32

15 of 32

16 of 32

17 of 32

18 of 32

19 of 32

20 of 32

21 of 32

22 of 32

23 of 32

24 of 32

25 of 32

26 of 32

27 of 32

28 of 32

29 of 32

30 of 32

31 of 32

32 of 32