Document CWG-FHR-10/8 4 September 2019 English only


Council Working Group on Financial and Human Resources
Tenth meeting – Geneva, 18 September 2019
Document CWG-FHR-10/8
4 September 2019
English only

Strengthening ITU Risk Management Framework
Council Working Group on Financial and Human Resources (CWG-FHR)
27 August 2019

Risk Management - status

Risk Management Policy & Risk Appetite Statement
Adopted in Council 2017

Risk Management Policy - C17/74
- Outlines the ITU approach towards strategic and operational risks
- Defines principles, risk categorization & assessment, monitoring & reviewing and roles & responsibilities

Risk Appetite Statement – C17/73
- Illustrates amount of risk ITU is willing to take to attain its goals and objectives, e.g.:
  - High appetite for risks related to innovation and technological advancement
  - No appetite (i.e. zero tolerance) in the areas of fraud, corruption, illegal acts, and misconduct
- Complements the ITU risk management policy

Risk Management in the context of Strategic and Operational Planning
ITU is addressing risk management in the context of the strategic and operational planning processes

PP-18
- ITU strategic risks analysis
- Risk mitigation strategies
- ITU Strategic Plan 2020-2023

ITU Council 2019
- ITU-wide operational risks
- Key risk mitigation measures
- Sector-specific risk analysis
- ITU Operational Plans (for Sectors and the GS)

Plan next steps based on:
- Council discussions
- IMAC Recommendation

Systematic Risk Management

Roles and responsibilities (based on the policy)

Title: Risk owner
Role: The risk owner is accountable for the management of the risk, having the highest interest in the risk being correctly treated, and has the right level of authority to treat the risk accordingly
Responsibilities:
- Accountable for the overall management of the risk, including when the risk is transferred
- Decides on the risk mitigation measures
- Allocates resources/budget for mitigation actions
- Manages risk (re)assessment process
- Manages risk reporting process

Title: Risk management focal point
Role: Coordinates risk management process within respective Bureau or the General Secretariat
Responsibilities:
- Facilitates risk management within Bureau or the General Secretariat
- Maintains and updates risk list
- Consolidates and submits information for management review and risk reporting

Title: Responsible person/unit for implementing mitigation measure
Role: Implements mitigation measure and reports on their implementation to the risk owner
Responsibilities:
- Implements mitigation measure
- Provides input for management review and risk list update

Title: Senior management team
Role: Reviews risk on a regular basis and takes decisions related to risk management
Responsibilities:
- Regularly reviews risks, as part of the organization’s business processes
- Takes decisions on the implementation and review of the risk management strategy

Synergies with ORMS project
Organizational Resilience Management System (ORMS)
- Business impact analysis based on the risk registers
- Assessment and prioritization of key business processes undertaken
→ Need for alignment and creating synergies

Council 2019 on Risk Management

Council 2019 – outcomes related to Risk Management
- Request to further develop the ITU risk model in the context of operational plans, the fraud case and the building project
- IMAC Report:
  - IMAC will look into what is known as the Three Lines of Defence model in effective risk management and control, and the assignment of appropriate risk ownership
  - The Three Lines of Defence approach represents emerging good practice and is designed to ensure a simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties
  - Rec. 2/2019: IMAC recommends that the secretariat prepare a risk register identifying clear risk owners across Sectors, regions and the General Secretariat
- ITU management committed to support further developments of the ITU risk model and to improve governance and risk management

Developments at UN level

Developments at the UN level
HLCM had set up a Cross Functional Task Force on Risk Management

Reference Maturity Model for Risk Management
- Enterprise Risk Management (ERM) Framework and Policy: are the collection of policies, procedures and other documents that together describe how the organisation undertakes its risk management
- Governance and organisational Structure: sets out the internal risk governance structure, the appropriate delegated authority, roles and responsibilities, and organisational entities to assure the effective management of risk
- Process and Integration: Process ensures that risks and opportunities that may affect the delivery of organisational results are effectively identified, assessed, responded to, communicated and monitored as per the ERM framework. Integration ensures that the interaction / interlinkages with related risk sub-processes or other organisational processes are clearly established.
- Systems and Tools: are the IT components used to record, analyse, integrate and communicate/report on risk information
- Risk Capabilities: are the skills, ability, knowledge and capacity that an organisation has to effectively manage risks to delivery of its results
- Risk Culture: is evidenced by the shared values, beliefs, and behaviours of the staff and senior management, together with the organisation’s demonstrated attitude to risk

Maturity Model for Risk Management in the UN system
Levels: Initial (LEVEL 1), Developing (LEVEL 2), Established (LEVEL 3), Advanced (LEVEL 4), Leading (LEVEL 5)

ERM Framework & Policy
- Fragmented/limited ERM framework
- Framework developed but not approved by appropriate authority
- ERM framework and risk appetite in place
- Escalation processes, ERM integrated in strategic planning
- All operational entities
- Risk scales for different levels
- ERM framework reflects RBM and addressing all operational elements

Governance and Org. Structure
- Fragmented and informal structure
- Accountability for ERM is informal
- Risk Governance structure (based on Three Lines of Defense) to oversee ERM
- ERM governance structure in place
- ERM Committee and entity to oversee is in place
- Fully integrated risk governance structure
- Chief Risk Officer
- Structure applied across all operations
- Accountability at each level

Process and Integration
- Inconsistencies in methodology
- Limited process to assess, monitor and report
- Systematic process for risk assessment, response, monitoring, escalation and reporting
- Links between internal controls & risks / control effectiveness & risk assessment
- RBM and ERM fully aligned
- Optimized with pre-defined indicators
- Fully integrated risk & opportunity analysis

Systems and Tools
- Risks recorded in various documents
- Manual risk assessment / response (spreadsheet)
- Consolidated risk register
- ERM monitoring and reporting capabilities
- Dynamic risk dashboards
- Financial risk modelling
- Semi-automated operations
- Advanced modelling, forecasting and scenario planning tools

Risk Capabilities
- Risk competencies perceived to have little value
- Knowledge for certain managers
- Indicators presented to senior mgmt. annually
- Recognized mgmt. competency
- Accurate risk mgmt. information available
- Core competency for staff
- Dynamic risk information reports across organization
- Perfecting risk skills
- Dynamic dashboards across organization

Risk Culture
- Limited commitment
- Partial consideration of risk factors
- Clear expectations, info systematically collected
- Risk mgmt. assessed in Staff Performance mgmt.
- Risk mgmt. integrated into strategic activities
- Systematically collect and communicate information
- Org.-wide awareness
- Dynamic risk information
- Learning from success and failures

Way forward

Maturity Model for Risk Management in the UN system: Current assessment → Desired status

Recommended actions
Current assessment → Desired status
Levels: Initial (LEVEL 1), Developing (LEVEL 2), Established (LEVEL 3), Advanced (LEVEL 4), Leading (LEVEL 5)
Dimensions: ERM Framework & Policy; Governance and Org. Structure; Process and Integration; Systems and Tools; Risk Capabilities; Risk Culture

- All org. & operational entities involved (HQ, programmes, ROs)
- Risk registers and org-wide scale levels (assessment & rating)
- Setting up a risk governance structure
- Staff accountability for managing risks
- Establish systematic risk mgmt. process
- Review internal control effectiveness against risks
- Develop org. wide risk register and risk mgmt. dashboards
- Strengthen capacity of staff to manage risks
- Integrate risk management in Staff Performance Management system
- Systematically communicate and report on risk information

Way forward
Status reports to IMAC, CWG-FHR and Council
- Sep 2019: CWG-FHR – feedback from membership
- By end of 2019: Review the ITU RM framework (incl. benchmarking with UN model)
- By Council 2020: Develop a risk model incorporated into the ITU planning framework
- By Council 2021: Develop the Plan and Implement the new framework
- Review the framework and Report to PP-22