FOLLOW-UP TO DECISIONS AND RESOLUTIONS ADOPTED BY THE EXECUTIVE BOARD AND THE GENERAL CONFERENCE AT THEIR PREVIOUS SESSIONS

Transcription

1 Executive Board Two hundred and second session 202 EX/5.INF.4 PARIS, 2 October 2017 English and French only Item 5 of the provisional agenda FOLLOW-UP TO DECISIONS AND RESOLUTIONS ADOPTED BY THE EXECUTIVE BOARD AND THE GENERAL CONFERENCE AT THEIR PREVIOUS SESSIONS PART III MANAGEMENT ISSUES PROGRESS REPORT ON ENTERPRISE RISK MANAGEMENT (ERM) DEPLOYMENT SUMMARY This document presents a progress report on Enterprise Risk Management (ERM) deployment as requested in 201 EX/Decision 5.III.B. It complements document 202 EX/5 Part III (F) and is a follow-up to 200 EX/5.INF.2. Job:

2 I. Background 1. During the past decade, the expansion of UNESCO s operations and activities coupled with an unstable environment has resulted in an increasing complexity of risks encountered. UNESCO s wide-ranging mandate, limited resources, complex and decentralized organizational structures has made it face a risk climate that is growing increasing more complex and prone to significant operational surprises. 2. Every choice made by in the accomplishment of the Organization s strategy and objectives has its risks: from day-to-day operational decisions to fundamental trade-offs made by the Director- General and the Senior Management Team, dealing with uncertainty in these choices as a part of decision-making. Furthermore, organizations need to become more adaptive to change in a globalized world. As the Organization seeks to optimize a range of uncertain outcomes, decisions are rarely binary, with a right and wrong answer. Thus, when uncertainty is considered in the formulation of the Organization s strategy and objectives, ERM may help optimize outcomes, by linking strategy and objectives to both risks and opportunities and provide an effective way for the Senior Management Team (SMT) to fulfill its risk oversight role by knowing that the Organization is attuned to risks that impact and are managed well. II. Risk Management at UNESCO 3. Applying risk management approaches and techniques is not new at UNESCO, although the term was only recently introduced. It is an integral part of the daily planning and implementation of programmes. It was implicitly used during the preparation of the Organization s Medium-Term Strategy (34 C/4). Specific risk management activities have been carried out by different entities, such as the risk control framework pursued by the Bureau of the Comptroller. 4. Risk management at UNESCO originated officially in November 2008 when the then college of ADG s endorsed the establishment of a Risk Management Committee (RMC), chaired by BSP. Key milestones and achievements that resulted are presented below: Key risks at the corporate level identified and action plans formulated Risk management embedded in the Medium Term Strategy Risk management handbook drafted by BSP and training dispensed in a pilot phase Presentation to field office Heads on risk management concepts and methodology to facilitate the setting up of local risk registers 5. An Internal Oversight Advisory report identified a number of good risk management practices at the programme planning and implementation level, at entity and organizational level. 6. The RMC was active until 2013 and has since been revitalized mid-july Internal Oversight Service had noted in July 2016 that notwithstanding the above progress, UNESCO s ERM practices need to advance considerably in order to embed a robust and relevant risk management framework. III. Milestones and achievements to date 1. Ivory Notes DG/Note/17/02 7. Following the Director-General s decision, the RMC is chaired by the Deputy Director-General (DDG). BSP represented by D/DIR/BSP will lead the implementation of the roadmap. BFM, IOS and ODG/SEC provide seconded staff to support ERM framework. BSP provides the secretariat to the RMC.

3 page 2 2. The RMC Roadmap 8. The roadmap of the phase 1 has been presented to RMC members and It has subsequently been amended and endorsed to better reflect hierarchy in priority tasks. 3. Risk Management Committee terms of reference 9. They have been developed and circulated to RMC members for their review and approval. The TORs have also been annexed to the policy. 4. ERM organigram and structure 10. Organigram is established (Annex I) covering institutional and project mechanisms and structures: these include leadership, advisory, implementation, monitoring and oversight. Also appointment of DDG and DDIR/ BSP to steer ERM implementation and chair the RMC as follows: Risk management Committee o o Supports the SMT in the implementation and monitoring of risk management policy: this will include the validation of project deliverables during ERM implementation phase, namely risk management policy, global risk register, ERM procedures and ERM training content; Contributes to raising awareness of risk management across the Organization. IOS advisory o o Supports the RMC in achieving deliverables; Controls quality through independent assessment. ERM Project Coordination Group o o o o o Defines and prioritizes deliverables within the project to avoid overload; Reviews project deliverables and provides first line of control to ensure UNESCO compatibility; Facilitates the acceleration of the ERM implementation; Works daily with external experts to ensure the key milestones identified within the approved the roadmap are met on a timely basis; Prepare and submit reports to RMC and SMT. 5. UNESCO Risk Management Policy 11. Risk management policy (Annex II) has been finalized and formally endorsed by the Director- General on 22 February The current policy takes into account all observations and recommendations formulated by the RMC members and IOS in their 2016 evaluation of UNESCO s Enterprise Risk Management. 6. Top global risks and top list risks as basis of risk register 12. During March and April 2017, with the assistance of external expertise, two surveys were completed with a group composed of Headquarters and field office/others senior staff. These were designed to assess the level of maturity of risk management in UNESCO and to collate the biggest perceived risks facing the Organization; participants were also asked to identify so-called inconvenient truths about risk management in UNESCO.

4 page The following key points emerged from the survey results: The level of maturity of risk management in UNESCO is perceived to be relatively low: Surveys of both Headquarters and the extended group suggest a low level of maturity (detailed results are available in earlier reports); This assessment is confirmed by the responses of the Headquarters group in its attitude to a series of risk statements; The so-called inconvenient truths about risk management also corroborate this view (see Table 3 overleaf). UNESCO personnel appear just as vulnerable to cognitive bias as other organizations (the survey results supporting this view were reported in earlier, separate reports) Both groups identified a wide range of risks; the Headquarters group identified more strategic and reputational risks than the extended group. 14. After the surveys had been completed, SMT members were interviewed by the external expert for their observations and reactions to the results. The perspectives they provided (including additional perceived risks) were then integrated with the survey results and a distilled list of 16 key risks generated. 15. A repeated message from the SMT was to focus efforts on a smaller number of risks and to prioritize their treatment rather than tackle too many risks, with too little impact. Those meetings were followed by a final workshop with the objective of finalizing the risk register. Sixteen (16) risks have been identified along with the corresponding probability and impact. Action plans are to be finalized. The two lists have already been presented to RMC members. This exercise is expected to be completed by the end of October Training session for RMC and the field focal point of the regional offices and category 1 institutes 16. With the assistance of external expertise, a modular approach has been chosen in the development of UNESCO ERM training package. SMT, RMC and managers share a common corpus of ERM knowledge. Regional sessions are foreseen in the second phase of the project. 17. RMC members had a series of workshops with the external expert and were presented mechanisms and capacities to better their role in ERM implementation and specific training was dedicated to the members of the RMC on 16 June The second group targeted by the training is field office Directors and Heads and category 1 institutes during their presence at Headquarters for the General Conference (October 2017). 8. Communication and Information 19. A collaborative space via UNESTEAM has already been created to accommodate the required online resources and tools: Studies are underway to enhance its scope to enable proper dissemination of ERM culture, goals and objectives through the organization. 20. The RMC members also had the opportunity to exchange views with Mr Mlitzke, Director, Office of Compliance, Risk Management and Ethics, World Health Organization who had initiated the implementation of ERM at WHO. He gave detailed explanations on issues faced during their journey. He stressed the importance of having governing bodies and senior management team involved in the process.

5 page 4 9. IOS and OAC recommendations follow-up 21. The roadmap has been updated to incorporate IOS and OAC recommendations. Wherever applicable, the definition of ERM procedures will take into account the corresponding conclusions derived from those recommendations. 10. Budget 22. A total of US $ 614,000 (Efficient Delivery Fund, BSP, FSC and HRM) has been secured for the implementation of the Enterprise Risk Management Framework. The additional budget will allow the implementation of phase I and II and the remaining activities in the next phase. 11. Reporting 23. Three levels of reporting have been defined and are being followed during the project: - Operational level: Since July 2016, 10 RMC meetings took place and minutes have been prepared. Frequent briefings and updates have been provided to RMC members; - Managerial and strategic level: On 25 January 2017 and 22 June 2017, DDIR/BSP reported its work to OAC. In February 2017, he also presented the progress report to the SMT members; - Institutional and governance: In April, the Chairman of the RMC reported the progress of ERM activities at the 201st session of the Executive Board. The representative of the Secretariat gave detailed explanations on Enterprise Risk Management implementation. He highlighted key decisions made by the Director-General to speed up the process. The representative of the Secretariat emphasized that a complete training plan is being developed. It was also reiterated that the Secretariat is committed to regularly inform Member States on all developments of enterprise risk management implementation at UNESCO. 12. Next steps 24. As recommended by OAC members during January meeting, the RMC secretariat has prepared a detailed plan for phase II for a period of 12 months which includes: Risk Register (a) (b) (c) Establishment of risk register, operational and unit (in progress); Complete the manual of procedures (in progress); Introduction of IT system to support ERM efforts (RFP in preparation). Training (d) (e) (f) (g) (h) Review of risk management training handbook (in progress); Training session for SMT members and the field focal point of the regional offices and category 1 institutes; Development of training contents package for managers and field offices; Development of e-learning risk management materials; Conduct six ERM regional training sessions to cover all field offices

6 page 5 Communication and Information (i) Finalization and deployment of a communication plan and strategy (in progress) 25. A successful enterprise risk management requires a complete involvement of governing bodies, notably that of the Executive Board. In its oversight role, the Executive Board plays a critical role in overseeing an enterprise-wide approach to risk management. Because the Secretariat is accountable to the General Conference through the Executive Board, the Board s focus on effective risk oversight is essential to setting the tone and culture towards effective risk management through strategy setting, formulating high-level objectives, and approving broad-based resource allocations. 26. Particular attention should be paid to risks identified in the governance architecture of the Organization. Such risks are likely to lead to serious failures in terms of corporate strategies. It is therefore essential for governing bodies to embrace the culture of risk management. The Secretariat s efforts, if not supported by Member States, cannot produce significant results in the field of risk management. 27. While the corporate risk register will be presented to the Executive Board as soon as finalized for an in-depth discussion, it is important for the Board to already take cognizance of the following that would be incumbent on the Board: The Executive Board understands and approves the Organization s risk appetite, and is clear on how the level of risk taken by the Organization is measured and how it relates to the organizational strategy (C/4 and C/5 in our case) Alignment of strategy, risks and financial objectives. The Board should make sure that the financial objectives of the Organization (assessments, funding, outlays) are compatible with the level of risk embedded in the business strategy and the constraints faced by the Organization such as operational limitations. Drivers of risk. The Board should be aware of the relationships between various risks and revenue and expenditure drivers.

7 ANNEX I 202 EX/5.INF.4 Annex I

8 Annex II ANNEX II UNESCO Risk Management Policy Table of Contents I. Introduction II. Definitions III. UNESCO s Objective for Managing Risks IV. Principles of Risk Management at UNESCO V. Responsibilities in UNESCO s risk management framework VI. Process VII. Monitoring of Risks VIII. Risk Documentation IX. Policy Review Annex I: Terms of Reference of the Risk Management Committee Annex II: Risk Appetite Statement Annex III: Risk Assessment Scale Annex IV: Risk Register Template

9 Annex II page 2 I. INTRODUCTION 1. The Director General has determined Enterprise Risk Management as a priority to strengthen the overall governance and accountability in UNESCO. It is crucial to connect all risk areas and treat them strategically to achieve better results. A proactive and strategic approach, taking into account the broad spectrum of risks, will help UNESCO to be more present within the UN system, to further focus our efforts and resources on areas where the Organization has a comparative advantage, where it can achieve a real impact and have a lead role, while streamlining our administration to facilitate our work. 2. An enterprise risk management framework is being progressively implemented to embed risk management into the organization's overall governance, strategy and planning, management, reporting processes, policies, values and culture. 3. This document presents UNESCO s risk management policy and sets forth UNESCO s overall intentions and direction related to risk management and provides a framework to ensure that risk management processes (i) are consistently applied across the Organization and (ii) provide reasonable assurance regarding the achievement of the Organization s objectives. 4. This policy elaborates the rationale for risk management, the responsibilities and accountabilities for managing risks as well as the way in which risk management will be monitored and reported as an integral part of the governance structure. 5. This policy together with the Risk Management Committee (RMC) s Terms of Reference (Annex I), UNESCO s Risk Management Training Handbook and the risk information provided on the BSP website and Unesteams form UNESCO s Risk Management Framework. 6. UNESCO s Risk Appetite statement is annexed to this policy (see Annex II) II. DEFINITIONS 7. The following commonly used risk terms are defined below to promote a consistent understanding: Risk Risk Owner A potential event that, if it materializes, may have a positive or negative impact on the achievement of UNESCO s objectives. Risk is as much a potential threat as a missed opportunity. A risk can have consequences beyond failure to deliver on results. It may negatively impact on reputation, integrity, credibility and trust from donors and stakeholders. A risk has a cause and effect. A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so. Risk Focal Point The risk focal point in each Sector/Service/Field Office/Division/Category 1 Institute, generally the principal officer of the unit, is the contact point for a risk owner in case the treatment of the risks exceeds his/her mandate. He/she is responsible for raising risks to the RMC in accordance with the risk escalation process. Risk Register A risk register is used as a risk management tool and acts as a repository for all risks identified and includes additional information about each risk e.g., nature of the risk, reference and owner, mitigation measures. The register should be revised regularly to assess residual risks and update mitigation measures (see Annex IV for risk register template).

10 Annex II page 3 Risk Category Impact Likelihood Risk Significance Risk Tolerance Inherent Risk Control Residual Risk Risk Response Risk Appetite Risk Matrix Risk Profile The risks faced by an organization should be categorized according to the organization s needs. In risk management terms, the effect of a risk relative to the achievement of the objective. The possibility that a risk will occur. The overall importance of a risk considering both the impact of the event and the likelihood of its occurrence. Risks can be ranked according to their significance. Risk Significance is also referred to as Risk Level. (see Annex III for UNESCO s Risk Assessment Scale). Risk tolerance is the amount of risk an organization can withstand. The line of tolerability depends on impact and likelihood. It separates the low and medium risks an organization is willing to take from the medium and high risks it is not willing to take. Tolerance levels may be set out in relevant policies and procedures; if not, the head of unit makes the judgment. The risk without considering the application of any mitigating measures including controls. An activity or measure that may be part of the risk response. A control may reduce the likelihood of the risk occurring or its impact, or both. Good controls provide assurance over the achievement of objectives. The risk after the application of mitigating measures or controls. Decisions made and actions taken to bring the residual risk within the accepted risk tolerance. The organization can make the decision to accept, control, avoid, or transfer/share the risk. The degree of risk, on a broad based level, that UNESCO is willing to accept in pursuit of its mission and objectives. For different categories of risk, UNESCO may have different levels of tolerance. A graphical representation of key risks or risk categories in relation to each other, reflecting their individual significance in relation to objectives and defined risk tolerance levels. A Risk Matrix can be visualized through a heat map depicting the likelihood and impact of each major risk. It helps determine and prioritize risk responses. An organization-wide inventory of risk categories, from internal and external sources, assessed in terms of significance in relation to objectives and defined risk tolerance levels.

11 Annex II page 4 III. UNESCO S OBJECTIVE FOR MANAGING RISKS 8. Risk management is a broad strategic approach to provide better control over the future and ultimately improve UNESCO s chances to reach programme performance within budget and specified timeline. The Organization can be successful only if risks are anticipated, carefully measured and adequately managed against set objectives. 9. The core objective of enterprise risk management is to assess the uncertainty of the future in order to make the best possible decision today. It enables staff at all levels across the Organization to: a. Be aware of the need to identify and manage risks b. Anticipate and treat potential risk events that may affect the achievement of objectives c. Facilitate risk informed decisions d. Maintain forward looking rather than reactive management e. Reassure UNESCO s stakeholders and partners about the Organization s capacity to meet its objectives, manage key risks and achieve its objectives. IV. PRINCIPLES OF RISK MANAGEMENT AT UNESCO 10. The following principles underpin UNESCO s risk management: a. The effectiveness of Enterprise Risk Management is dependent on adequate resources. Senior Management is committed to make the necessary resources available to assist those accountable and responsible for managing risk. b. Risk management should not only be procedural, but should also initiate change and seek to increase performance. It should enable moving from ex post crisis management to anticipating risks and opportunities. c. Visible ownership by management is a critical factor. It is therefore important to inform and get buy in from the senior management. d. Risk management should be embedded in the programme management cycle. The risk framework should be relevant i.e., linked to objectives and developed in the context of the accountability framework. The overall risk framework should seek to make responsible officers risk aware and more accountable when taking decisions. e. The approach should be flexible and simple, focusing on the risks that can be managed. f. The corporate risk register lists risk information from all sources (including legal and security) that have been escalated by risk focal points. g. Risk responses should be actionable with clear ownership and agreed time bound mitigation plans. Mitigation plans requiring a substantial investment of resources should be subject to project management principles such as budgets, milestones and performance metrics. h. Communication to Member States and donors needs to take place regularly, once a risk management process along with mitigation plans and a monitoring mechanism is in place. V. RESPONSIBILITIES IN UNESCO S RISK MANAGEMENT FRAMEWORK Risk management is everyone s business. The primary responsibility for identifying risks and managing them lies with management at all levels.

12 Annex II page 5 i. Each Responsible Officer, at the project design stage and during the course of implementation, should assess potential risks and formalize them. Risks identified in project documents of extrabudgetary projects will serve as a basis for risk discussion with Donors. ii. iii. iv. Each ADG/Director/Head/Chief of a Sector/Bureau/Field Office/Institute/Division/Unit is responsible for managing risks which pose the greatest challenge to the achievement of the objectives under her/his purview and of its continuing functions. The Risk Management Committee reports to the Senior Management Team and shall contribute to raising awareness of risk management generally across the Organization and to maintaining the profile of risk management. It is in charge of organization wide risk management policy, of continuous risk identification and assessment, including of the risks escalated by Sector/Bureau/Field Office, of defining the risk appetite, of addressing risks and incidents and of reporting and communicating on risks. The Risk Management Committee reports to the Senior Management Team. The Senior Management Team should endorse the risk management policy, identify new emerging corporate risks and address the major risks brought to its attention, including by proposing or supporting the implementation of the mitigation plans proposed by the risk management committee. The Senior Management Team should include risk management in its agenda as and when required. VI. v. The Director General approves the outcomes of the work of the Risk Management Committee and takes decision and arbitrates points of attention formalized by the Risk Management Committee and the Senior Management Team. The Director General is accountable to the Governing Bodies for the development and achievement of UNESCO strategy and objectives, including the overall management of risks to these objectives. vi. The Governing Bodies, notably the Executive Board in its oversight role, plays a critical role in overseeing an enterprise wide approach to risk management. Because the Secretariat is accountable to the General Conference through the Executive Board, the Board s focus on effective risk oversight is critical to setting the tone and culture towards effective risk management through strategy setting, formulating high level objectives, and approving broadbased resource allocations. vii. The Internal Oversight Services (IOS) provide assurance on the risk management framework. It specifically provides assurance that controls are well designed and applied to mitigate risks or take opportunities. In addition, IOS has a consulting role regarding management tools and techniques to analyze and control risks. viii. The Oversight Advisory Committee (OAC), as an external group of audit and evaluation experts, considers the functioning, accomplishments and matters for follow up of the Risk Management Committee as well as the status of key risks. The Committee also considers the integration of Risk Management principles into the Organization s processes. The role of the OAC includes advising the Director General on the effectiveness of risk management. PROCESS 11. Risks should be identified at least at the programming and monitoring phases of the management cycle. They should therefore be an integral part of the preparation of the Draft C/5 and of the monitoring information provided for the Programme Implementation Report (PIR) in the EX/4. Moreover, Responsible Officers are to factor risks when planning extrabudgetary projects.

13 Annex II page UNESCO s risk management process is based on the COSO model of enterprise risk management. More details on the methodology to identify, assess, treat and report on risks is available in UNESCO s risk management training handbook. 13. As a general principle, risks should as far as possible be handled and treated by the Risk Owner. In some cases, circumstances pertaining to the treatment itself may exceed the mandate of the Risk Owner or also involve actions by other managers not under the authority of the Risk Owner. Often these risks are common to multiple operational units and are best addressed through a corporate solution. Therefore, major risks that cannot be effectively treated by the Risk Owner must be escalated to a level with sufficient authority to deal with the risk and take appropriate decisions. 14. The escalation of risks from an operational level for consideration and treatment at the corporate level is detailed below: a. A risk focal point is designated for each Sector / Service / Field Office /Category 1 Institute. The risk focal point is normally the principal officer of the Sector / Service / Field Office / Institute. [Programme ADGs may designate a senior level official as the Sector s risk focal point.] The focal point is the contact person for a Risk Owner in case the treatment of the risks he/she faces exceeds his/her authority. b. The risk focal point for Headquarters Sectors and Services is responsible for recording these risks in the unit s risk register and transmitting the risk register at least annually, or upon request, to the Risk Management Committee highlighting any significant unmitigated risks (see Annex IV Risk Register template). The risk focal point will also monitor the progress in the implementation of the mitigation plans of the Sector / Service. c. The risk focal point for each Field Office [and Liaison Office] is responsible for recording these risks in the Office s risk register and transmitting the risk register at least annually, or upon request, to the Bureau of Field Support and Coordination (FSC) highlighting any significant unmitigated risks (see Annex IV Risk Register template). FSC will consider these and raise significant unmitigated risks common to the field network, and significant unmitigated risks associated with individual Field Offices, to the Risk Management Committee. The risk focal point will also monitor and ensure that mitigation plans of the Office are implemented. d. The risk focal point for each Category 1 Institute is responsible for recording these risks in the Institute s risk register and transmitting the risk register at least annually, or upon request, to the cognizant Programme Sector ADG or, in the case of UIS, to the Risk Management Committee, highlighting any significant unmitigated risks (see Annex IV Risk Register template). The Programme Sector will consider these and raise significant risks that cannot be mitigated at the Sector level to the Risk Management Committee. The Institute s risk focal point will also monitor and ensure that mitigation plans of the Institute are implemented. e. UNESCO management committees will identify and escalate unmitigated risks under their purview to the RMC. f. The Risk Management Committee shall consider the unmitigated risks escalated to the Committee, advise on Risk Ownership and the formulation of mitigation plans and ensure that these are recorded in the corporate risk register or in the risk register of the Sector / Service / Field Office or Category 1 Institute that is to manage the mitigation plan.

14 Annex II page 7 VII. MONITORING OF RISKS 15. The progress made in mitigating the risks listed in the risk register will be monitored regularly in order to determine the residual risk, need further action(s) or acceptance. a. The RMC will conduct an annual review of corporate risks and identify new threats/opportunities in light of the current context, latest trends, and findings from oversight bodies such as the Internal Oversight Service, External Auditor and Joint Inspection Unit. The results of this review will be submitted to the Senior Management Team for discussion and transmittal to DG for final approval. b. The Risk Management Committee will, twice a year and as necessary, provide a report to the Senior Management Team. The report shall inform the progress: (i) in implementing the risk management framework, (ii) on the corporate risks treated and (iii) seek the decision or the approval of the Senior Management Team when required (e.g., to accept a specific risk, approve a proposed mitigation measure or request funding to implement a mitigating measure). VIII. RISK DOCUMENTATION 16. Risk documentation is available to all staff with information on risk management (including policy, templates, training handbook, presentations, RMC minutes, corporate risk register, Executive Board documents). The information is available on UNESTEAMS. IX. POLICY REVIEW The Risk Management Committee will organize an evaluation of this policy and its implementation within three years of the effective date. Review and update of this policy and the related Risk Management Framework elements will consider the evolving needs of UNESCO and the environment in which it operates as well as the direction of risk management programmes of other UN agencies, leading practice developments, and updates to applicable standards such as COSO or ISO.

15 Annex II page 8 ANNEX I: TERMS OF REFERENCE OF THE RISK MANAGEMENT COMMITTEE I. Purpose of the Risk Management Committee 1. The purpose of the Risk Management Committee (RMC) is to: a. Support the Senior Management Team (SMT) on the implementation and monitoring of the risk management policy. The scope of risk management covers strategic risks, operational (or programmes/projects) risks, financial and control, compliance risks as well as reputational and external risks. b. Contribute to raising awareness of risk management generally across the Organization and to maintaining the profile of risk management. II. 2. Composition and structure The members of the RMC are: a. [Deputy Director General] (Responsible Officer and Convener) b. Director, Bureau of Strategic Planning c. Chief Financial Officer d. Senior level staff from each of the Programme Sectors and ODG, FSC, ERI, HRM, KMI, MSS, LA and GE. e. Field Offices will be represented by ODG/FSC. 3. Other participants may be invited to meetings of the RMC as required, in particular Field Office Directors and Directors of Category 1 Institutes when deemed necessary by the Chair of the RMC on the basis of the Agenda to be discussed 4. The Internal Oversight Service will participate as an observer. III. Frequency of meetings 5. The RMC will meet as required to fulfil its remit and will meet no less than once every two months and engage in submitting periodic reporting to the SMT. 6. Minutes, agendas and papers will normally be circulated to members of the RMC at least five days in advance of the meeting. Late papers may be circulated up to two days before the meeting. Only in the case of extreme urgency and with the agreement of the Convener will papers be tabled at meetings of the RMC. 7. Formal minutes will be kept of proceedings and submitted for approval at the next meeting of the RMC. The draft minutes will be agreed to with the Convener of the Committee. 8. The Committee may also function between meetings through correspondence and any decision/s taken formally ratified at the next meeting of the Committee. IV. Standing agenda 9. The Committee meetings will be conducted in accordance to the following agenda: a. b. c. d. Advice on SMT decisions relevant to risk management Review of new and emerging risks for potential inclusion in the corporate risk register Review and update the corporate risk register (including monitoring of risk treatment) Review the overall effectiveness of ERM at UNESCO. V. Functioning/Responsibilities 10. The Committee will undertake the following functions/responsibilities in line with the Risk Management Policy:

16 Annex II page 9 a. Ensuring that the identification and evaluation of key risks that threaten achievement of the mandate is carried out, and that a register of these risks is maintained; b. Identifying the strategy in place to manage risks, including identification of appropriate risk owners, and monitoring the satisfactory operation of the management strategy; c. Being satisfied that other risks are being actively managed, within the appropriate thresholds and kept to an acceptable level; d. Embedding the risk assessment approach into future planning, management, and reporting; e. Advising SMT on the UNESCO s overall risk appetite, tolerance and strategy, taking account of the current and prospective internal and external factors; f. Establishing risk assessment criteria; g. Reviewing regularly and approving the parameters used in risk assessment measures and the methodology adopted; h. Receiving and reviewing reports on any material breaches of risk limits and the adequacy of proposed action; i. Addressing such other matters related to risk management as may arise from time to time. VI. Authority 11. The Committee is authorized to: a. Raise to the Director General matters of risk ownership and mitigation not resolved to the satisfaction of the Chair; b. Advise on ownership of corporate risks and on the adequacy of mitigation plans for corporate risks; c. Seek information it requires from staff in order to perform its duties; d. Obtain professional advice on matter within its terms of reference where required; e. Request the attendance of staff at a meeting of the Committee as and when required. VII. Reporting responsibilities 12. The Committee will report to the SMT at least twice a year or more frequently depending on the changes in the risk environment regarding (i) unmitigated critical risks and (ii) the effectiveness of risk mitigation plans. 13. The Committee will also submit an annual biennial report to the Director General, for transmittal to the Executive Board, on the key risks facing the Organization. VIII. Review of performance 14. The Committee will from time to time undertake a review of its own performance and effectiveness and report thereon to the SMT. IX. Secretariat: 15. The RMC Secretariat will be provided by the Bureau of Strategic Planning and will perform the following tasks: a. Preparation of agenda and background material b. Recording and presentation of escalated risks c. Ensuring proper documentation of the Committee s decisions d. Facilitating the work of the Committee with regard to supporting information and communication, tools and training.

17 Annex II page 10 ANNEX II: RISK APPETITE STATEMENT A risk appetite is defined as the amount of risk that is judged to be tolerable and justifiable for an organization. In UNESCO, criteria may differ in different spheres of the organization, e.g. low appetite for risk in security, higher in programme areas where innovation is key. Risk appetite provides the basis for setting acceptable levels of risk tolerance and thresholds and contributes to the identification and implementation of mitigation actions. Risks are expressed as residual risk, i.e. the risk after mitigation measures and/or controls have been implemented. In that light, the Organization s risk appetite in broad terms is defined below: (i) (ii) (iii) Risks with a small impact are accepted where the likelihood of the risk event is assessed as moderate, low or minimal; Risks with a noticeable impact are accepted where the likelihood of the risk event is assessed as low or minimal; and Risks with a critical impact are accepted only where the likelihood of the risk event is minimal. When a risk exceeds the agreed risk appetite i.e. when the line of tolerability is crossed for one level of management, the escalation point is reached. The risk can then be transferred to the next higher level of management, for which it constitutes a lower level risk. The higher level of management may act on the risk directly or adjust the risk appetite and let the lower level manage the risk. The assessment of the risks in excess of this risk appetite is coordinated by the Risk Management Committee. Risks will only be accepted after ensuring that the mitigation measures in place are suitable and appropriate. Risk appetite is no constant value, it is informed by changing variables such as reported results of control mechanisms that have succeeded or failed in the past, the changing value of assets potentially to be lost, perception of stakeholders, extent of possible control etc. It has to be readapted by management corresponding to reporting from the operational level and to changes in the external environment.

18 Annex II page 11 ANNEX III: RISK ASSESSMENT SCALE Likelihood: F Frequent: likely to occur very often or continuously O Occasional: likely to occur several times S Seldom: is possible and would probably occur once at the most. Impact: C Critical: infers serious consequences that can jeopardize the achievement of result M Marginal: infers minor consequences that can slow the achievement of result N Negligible: infers a minimal effect on the achievement of result. Risk importance: The risk importance is rated as a combination of likelihood and impact and results into High, Medium or Low risk vis à vis the achievements of objectives. Likelihood Frequent Occasional Seldom Impact Critical H H M Marginal H M L Negligible M L L

19 Annex II page 12 ANNEX IV: RISK REGISTER TEMPLATE 1. A risk register aims at formalizing the risks faced which can be mitigated to some degree by taking the time to develop a risk management approach to help cope with threats and maximize opportunities. The challenge is to fully identify risks and seek to manage their impact rather than ignoring them. It should include description, ownership (a single Risk Owner) and analysis of cause and consequence of all risks along with their impact and probability. It should further include a pragmatic action plan to mitigate a particular risk or to seize an opportunity. It should lend itself to be easily maintained and updated. By remaining current and up to date, the risk register can be a valuable tool for communications and may serve as a relevant and useful management tool. The Risk register should be reviewed and updated annually. 2. If a risk cannot be effectively treated at operational level managing the respective risk register, this should be indicated and communicated in accordance with the Risk Management Policy. Risk registers should be sent to the Secretariat of the Risk Management Committee. Risk nb Risk Category Risk owner Risk description Likelihood Impact Importance Mitigation measure(s) Risk owner Residual risk Likelihood Impact To be escalated Printed on recycled paper