Guidelines for Risk Management

The Guidelines for Risk Management provides tools for risk management that includes identifying, assessing, monitoring, making decisions on and communicating risk issues in programmes and projects supported by Danida. Risk management is already an integrated part of Danida’s program cycle and the purpose of this guideline is to facilitate a more explicit and uniform approach to Risk Management in Danida.

The target group of the guidelines is Danida staff and external partners working with preparation and implementation of development programmes and projects.

The guidelines apply (with a few exemptions as listed in Box. 1) to all bilateral and multilateral programmes and projects. However, the extent of underlying analytical work and expected level of detail depends on the scope, complexity and overall risk level of the programme or project in case. For large and complex programmes the risk assessment should be informed by thorough analysis as an integrated part of the preparation process whereas the risk assessment in preparation of support to small project could be a desk exercise.

Likewise, though the guidelines and tools applies to all programmes and projects, the content of the Risk Management Matrix will be very different depending on objective of the programme and the context, e.g. support to a multilateral organisation in a fragile environment or a country programme in a stable priority country. Due to the diversity in Danish development cooperation, guidelines do not offer specific advice in regard to how to respond to identified risks.

To the extent feasible the risk management should be carried out jointly with other donors and partners.

Risk management is defined and conducted by donor agencies in systems that vary from very simple to very complex. Also terminology and assessment methodology vary. The Danish approach is to keep risk management as simple as possible and to adopt core principles that are applied by others. The terminology used is based on the terminology that Denmark has proposed as a common terminology to a broad range of donors as follow-up to the High-Level Meeting in Busan. A common and standardised terminology has proved important in order to avoid misunderstandings in communication and cooperation in regard to risk management.

Risk Management can be summarised in the 8 steps below.

8 Steps in risk management

1. Determine the contextual risk level
2. Identify potential programmatic and institutional risks and then estimate and rate likelihood and impact of each risk
3. Prioritise and shortlist identified risks according to estimated likelihood and impact
4. Identify risk response measures to be applied to shortlisted risks
5. Qualify ratings for likelihood and impact according to expected effect of planned risk responses
6. Estimate the combined residual risk
7. Present risk assessment to granting authority as part of grant notice
8. Monitor risk development during implementation and adjust risk response measures accordingly

It should be kept in mind that risk management is not only about minimising risk but also includes balancing the risks against opportunities and results of providing support, or alternatively the negative results of not providing support.

Risk management should be seen as an iterative process where i.e. implementing risk responses influence programme design and vice versa.

Three overall core risk categories are used as the overall risk management framework. The core risk categories is a generally accepted approach originally proposed by INCAF (International Network on Conflict and Fragility, a subsidiary body of the OECD Development Assistance Committee, DAC), and later widely known as “The Copenhagen Circles” due to Denmark’s hosting of several seminars on risk management in 2011 and 2012.

Fig. 1 Core Risk Categories - The Copenhagen Circles

Contextual Risk

Contextual Risks covers the range of overall potential adverse outcomes that may arise in a particular context and hence could impact a broader range of risks at programmatic and institutional level. The context will usually be a country or region but could for certain programmes also be a global thematic or political frame. External actors usually have very limited control over contextual risk.

Programmatic Risk

Programmatic risk includes two kinds of risk: (1) the potential for a development programme to fail to achieve its objectives; and (2) the potential for the programme to cause harm in the external environment.

With regard to (1), the risk factors for programme failure include many of the contextual risks. But there are many other reasons for potential programme failure. These include inadequate understanding of the context or flawed assessment of what needs to be done; management and operational failures; and failures of planning and co-ordination. Risk is also associated with new or innovative programme approaches (although there may also be risk in failing to innovate). One common reason for failure to achieve programme objectives is that the objectives themselves are simply too ambitious, either in their nature or time frames.

With regard to (2), programme interventions may both exacerbate and mitigate contextual risks. This includes the potential for aid to do damage to the economy or to the government of the country in question, or to exacerbate conflict and social divisions.

Institutional Risk

Institutional risk is sometimes also called political risk and includes “internal” risk from the perspective of the donor or it’s implementing partners. It includes the range of ways in which an organisation and its staff or stakeholders may be adversely affected by interventions. Institutional risk will often be related to operational security or reputational risk parameters. The risk parameters are usually the same as for programmatic risk but the perceived impact is often different at institutional level. Perceived impact might also differ considerably depending on whether the viewpoint is from the perspective of an implementing partner or a donor headquarters. While contextual risk and programmatic risk often can be managed jointly, the institutional risk management is typically individual for different stakeholders.

Identifying relevant risks is to a high degree subjective, and different people might have different estimations of likelihood and impact of a risk outcome. Preparation and management of a risk profile is done by the mission or department responsible for the programme or project in case. It is important that at least two staff members participate in the choice of risk factors and following assessment of the level of associated likelihood and impact and the pertinent risk response. It is recommended to anchor verification of the risk management with a local program committee or similar. This not only supports a more consistent assessment of the local risk profiles but also enables a knowledge sharing in the unit, reinforcing this consistency of the individual view of likelihood and impact.

Whenever possible it is advised to seek joint risk assessment with likeminded donors active along with Danida on ground. In most cases it is possible to apply a joint assessment on both contextual and programmatic risk factors. It may be less feasible to do a joint assessment of the institutional risk factors as individual partners often will assess risk impact differently.

Annex A provides a structured overview over a broad range of risk parameters and provides examples of risk outcomes in each of the three Core Risk Categories. The table do not in any way amount to a complete list of risk parameters and not all parameters listed are relevant in all settings. The concrete risk outcomes will depend on the actual situation. The Annex also provides a (still) few proposals for external sources for assessment of various risks. When feasible it is advised to use external, independent and regularly updated sources for risk assessment as such practise ease the burden of regular reassessment and to some extend provide a neutral basis for discussing risks with partners.

For each programmatic and institutional risk, the likelihood of their occurrence as well as the potential impact should be determined. The risk level is the combined assessment of the likelihood that risk factor is released and the impact of the released risk. Danida uses a four level scale of likelihood and impact as indicated below. The scale for the combined risk uses the same terminology as the scale for impact.

Often a risk factor carries both programmatic and institutional risks; the likelihood of the risk factor occurring remains the same, irrespectively if it has programmatic and/or institutional risk, but the impact might be different at the two levels.

The methodology of combined assessments of likelihood and impact is quite universal but local and international partners can be expected to use more or less different scales and terminology. Denmark does not insist on using its own terminology in cooperation with partners but the Danida terminology is mandatory for the use of presenting Concept Notes to the Programme Committee or grant proposals to the Danida Grant Committees.

An important part of risk management is to identify and implement appropriate risk responses. In general the response can be categorised as one of the four main strategies:

1. Avoidance (do not go through with the activity or part of the activity),
2. Mitigation / Reduction (take actions that reduce the likelihood or impact of the risk),
3. Sharing or insuring (reducing risk by sharing or insuring, also called transferring), and
4. Acceptance (accepting the risk based on a cost benefit or cost-effectiveness analysis)

It should be noted that implementing a risk response might give cause to other risks, e.g. mitigating fiduciary risks by imposing additional control mechanisms could lead to failure in achieving the programme's objectives; or extensive management of security risks could limit access to beneficiaries, thus increasing the programmatic risk of not achieving objectives or causing harm; or acceptance of programmatic risk could increase the institutional risk.

Mitigating measures can contribute to reduce risks, either by reducing likelihood of the risks occurring or by reducing the impact that they will have if they occur. The simplest form of removing a risk is by avoiding the action. However, this measure should only be applied when the risk does not justify the benefits of providing support. 

Continuous assessment of risks during implementation, whether changes in identified risks or occurrence of new risks, is in itself a risk response.

Prior to adopting mitigating measures it needs to be considered if the effects of the mitigating measures warrant their cost. Mitigating measures should preferably be in place prior to allocation of funds, but this might not always be feasible, in which case the establishment or development of mitigating measures might be part of the activities, preferably with a clear and reasonable deadline. An example could be improving the national audit body or other controlling body of public finances when working through national systems.

The Risk Management Matrix has three sections:

• A section with a matrix for contextual risks, which is the same for all programmes and projects within that particular context. The matrix should be read from left to right. Levels for likelihood and impact must be selected from drop-down list in each cell. In the right hand column risk response can be indicated if applicable. At context level individual actors can rarely provide an adequate risk response but EU-cooperation or other joint or multilateral mechanisms could be relevant.

• A section with a matrix for programmatic risk and a matrix for institutional risks, which should be used at project or programme level. The identified risks that are described in the Risk Management Matrix should not be a comprehensive list of all risk factors, but rather focus on the risks of most importance to Danish support. Usually 5 -10 risks per risk category should suffice. For Country Programmes this section should be repeated for each Thematic Programme.

The matrix should be read from left to right. Levels for likelihood and impact must be selected from drop-down list in each cell. The cell for Risk Response is used for a brief presentation of planned measures and their effect on the originally assess of likelihood and impact. The column for the combined residual risk is a measure for the risk level when combining the assessment of likelihood and impact after consideration of the expected effect of the risk response measure described in the previous column.

The columns for risk factor, likelihood and background to assessment of likelihood are automatically copied from the programmatic risk subsection to the institutional risk sub section as these data usually should be replicated whereas the impact and combined residual risk normally is assessed differently.

• A section for planning and documenting regular follow-up where deviations from the original assessment are recorded during implementation.

Risk management is fully integrated in all phases of the Danida programme cycle. Generally, risk management and use of the Risk Management Matrix should be considered an iterative process throughout the programme cycle. Risk management is not an exercise for its own purpose. Considerations specific for each phase are elaborated below.

Especially during the identification and preparation should risk assessment and determination of feasible risk responses be an integrated part of the highly iterative processes at this stage. For programmes with a grant budget above DKK 35 million, at the end of the preparation phase, a preliminary Risk Management Matrix is annexed to the Concept Note to the Programme Committee and the risk assessment is expected to inform the proposals contained in the Concept Note.

For programmes with an unusually high level of risk, the Concept Note must include considerations regarding risk responses beyond standard measures, i.e. increased risk monitoring or early involvement of the political level before proceeding with preparation of the programme.

Up to appraisal the full Risk Management Matrix is developed as part of the iterative formulation process. The programmatic and institutional risks should be adequately analysed using the full matrix including risk responses with associated budgets to be included in the programme. A list of risk factors including possible indicators is found in toolbox in the column to the right. What to do about the risk - the risk response - must also be prepared as part of this exercise. The appraisal will include an assessment of the full risk profile and response.

Conclusions of the risk assessment are incorporated in the appropriation note as part of the narrative and with a standardised presentation of the 3 – 5 most important of the identified risks. The Risk Management Matrix is annexed to the appropriation note to Danida’s External Grant Committee, Danida’s Internal Grant Committee or Head of Unit as appropriate.

In extraordinary cases where the risk of a proposed programme is assessed to be unusually high, the frequency of the planned revisits of the risk matrix and possibly increased reporting will be proposed as part of the initial risk assessment as presented to the appropriation authority.

revised at least annually. Risk management will as standard be assessed as part of reviews.

An important feature of risk monitoring is that it remains flexible. In the outset the Risk Management Matrix indicates the schedule for re-assessments, but the schedule itself should be revised in case the risks change substantially. This allows the overall monitoring to adapt to the specific circumstances. It also serves as a risk response as the increase in risk impact can be mitigated by a closer monitoring.

The Risk Management Matrix should be assessed and revised as appropriate on ad hoc basis in case of substantial increase in identified risks or the emergence of new substantial risks (war breaking out, political upheaval, the partnership deteriorates or major change in the Danida strategy or policy). In the event that risks gradually or momentously increase to an extraordinary high level or significant risk outcomes are realised, the responsible unit should request the Under Secretary for Development Cooperation for an extraordinary meeting in the Programme Committee with the aim to determine the appropriate response to the situation.

For programmes with a grant above DKK 35 million changes in risk assessment is reported annually through PDB. It is the responsibility of the responsible unit to inform significant changes in a Risk Management Matrix of a Country Programme to MFA management as part of the annual strategic dialogue.

Any revised version of the risk profile should be uploaded to the PDB, allowing a history of risk profiles at hand when reviewing the documentation of the grant.

Available from the boxes in the right column.

A. List of Risk Categories, Risk Parameters and sources for external assessments

B. Risk Management Matrix