This Annex refers to the risk assessment that the Fund Operator should regularly undertake, including as part of the Annual Programme Report.
Risk description
The Fund Operator identifies and describes the most important risks to programme implementation progress and results in the coming year. List these in rank order from most important to least important. Only the most important risks should be selected for active risk management. Low risks do not need to be included, as they can be adequately managed through normal programme management processes. Too many identified risks often mean few are managed well in practice.
Risk categories
After describing the risk in sufficient detail, the risk should be categorised. Based on experience in the previous Financial Mechanism, nearly all risks fall into one of the categories pre-defined by the FMO. Having pre-defined categories helps the FMO to analyse patterns of risks across the entire programme portfolio.
Risk score
To further understand the importance of each risk, the Fund Operator scores the likelihood of each risk occurring and the consequence for the programme if it did occur. We use a three-point scale from low (1) to high (3) for both likelihood and consequence. These ratings require some subjective judgement. As much as possible, consider the available data and evidence and discuss the rating with others. The risk score is automatically calculated in GrACE by multiplying the likelihood by the consequence. For instance, a risk that has a medium likelihood and a medium consequence scores 4.
Planned risk response
The next step is for the Fund Operator to consider the planned response to manage each identified risk. Essentially there are four risk management strategies that may apply:
- Mitigate the risk: The most common risk response which involves specific actions that could reduce either the likelihood or the consequences of a risk.
- Terminate: This means that the (parts of) the programme would need to be terminated. For instance, this might mean suspending payments to clarify issues that may represent risks.
- Transfer: This involves sharing the risk with other partners/funders to minimise the risk to the Fund Operator. This means that the actions taken to deal with the risk should be taken by someone external to the programme such as the National Focal Point or an entity in the Donor States.
- Accept: Risks always exist in some form, and sometimes these need to be accepted to achieve the planned results. Nevertheless, accepting a risk still requires that it is monitored and managed in case the risk level increases. Accepting major/critical risks should always be documented and justified. Typically, only low-level risks have ‘accept’ as the planned response.
The Fund Operator should manage the identified risks throughout the year as part of normal programme management practices. Mitigating measures should as far as possible be incorporated in the regular work plans of the programmes or projects. This way, risk management can become part of the daily working routines. In the subsequent Annual Programme Report (APR), the Fund Operator should be able to note how risks affected the programme, or how good risk management practices mitigated the effects of certain risks.
The Fund Operator should not wait to conduct an annual risk assessment if a new risk is an obvious threat to programme results. For example, the Covid-19 pandemic was an unexpected event that created risks to travel for project exchanges and supply chain issues. Later, the war in Ukraine contributed to high inflation. These risks needed to be managed as soon as they were identified and responded to promptly. It is good practice to keep track of previous risks/responses, track if they have been done, and log new risks as necessary.