title: Risk Management for Health | United Nations Development Programme
subtitle: Risk Management for Health
menutitle: Risk Management
Risk management is important across the health system to build and strengthen resilient health systems which ensure healthy lives and promote wellbeing at all ages
- Risk can be defined as the effect of uncertainty on the achievement of an organization’s objectives.
- Risk management is the process of identifying and managing this uncertainty, or risk, with the goal of achieving the system or programme objectives.
- Effective risk management enables an organization or individual to increase the likelihood of achieving their goals/objectives, by enabling them to identify potential future events that may affect the achievements of their targets, and, where possible, put in place measures to reduce their impact.
Risk management approach
- UNDP’s Enterprise Risk Management is based on the International Organization for Standardization Internal Risk Management Standard (ISO 31000).
- UNDP works with Government Ministries and CSOs to understand and document the wide range of uncertain internal and external factors that may affect achievement of their objectives. These include: strategic, operational and financial factors.
- UNDP works with management to focus on recognising actual and potential threats and opportunities, assessing the impact of those risks and then prioritising them.
- UNDP works with management to understand its risk appetite and identify and implement risk mitigation measures.
- UNDP approach assists in identifying appropriate risk management and internal controls to assist organisations in making informed decisions about the level of risk that they want to take and implementing the necessary controls to effectively pursue their objectives.
- UNDP works with Government Ministries and CSOs to strengthen internal controls, including financial management systems to help counter threats and take advantage of opportunities.
- For projects directly implemented by UNDP, Standard Operating Procedures (SOPs) have been developed to facilitate timely responses to crisis. These include fast track policies and procedures, and financial resources for crisis response. Through the availability and use of these tools, UNDP is able to respond quickly to a rapid change in the operating environment.
- The HACT framework is a risk-based management tool that supports
- closer alignment of development aid with national priorities
- moves to strengthen national capacities for management and accountability,
- with the ultimate objective of gradually shifting to national systems.
a. Establish the context
- Programme sets its objectives, detailing what it wants to achieve
- Defines the external and internal parameters to be taken into account when managing risk,
- Sets the scope and criteria for the other risk management process.
External parameters include:
- Number and nature of project partners;
- Relationship with key stakeholders; presence of donors (which may provide opportunities for complementary work or greater collaboration to avoid duplication);
- Broader political and regulatory framework of the programme
Internal context parameters include:
- Roles and accountability within the organization,
- Organizational culture, and
- Resources and knowledge.
b. Risk assessment
Figure: The components for assessing risk and the difference between “impact” and “risk” World Bank Global Facility for Disaster Reduction and Recovery 2014
- Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
- Main product of the risk assessment is the risk log / risk register which contains key information produced during risk assessment (for each risk: the event, cause, impact, probability, owner and treatment).
- Risk identification includes identifying relevant risks and describing them.
- Aim is to generate a comprehensive list of risk that might enhance, prevent, degrade, accelerate or delay the achievement of programme objectives.
Tools and techniques for risk identification include:
- Interviews and self-assessment
- Facilitated risk workshops
- Scenario analysis and
- Risk questionnaire and survey
The following documents can help to identify risks:
- Programme workplans and budgets;
- Audits of the programme or similar programme
- Programme evaluations
- Reports from the Supreme Audit Institution on the wider environment
c. Risk treatment
- Robust planning, strong internal controls and systems in the implementing organization contribute to reductions of certain types of risks.
- Risk treatment involves identifying one or more treatment options and implementing the options considered most effective. Risk treatment options include:
- Risk termination, which can involve
- changing aspects of the overall health programme to eliminate the threat,
- isolating project objectives from the risk’s impact, or
- relaxing the objectives that are threatened (e.g. extending the schedule or reducing the scope).
- In extreme cases this can include eliminating objectives, deciding not to start a project or terminating the project.
- Risks identified early in the programme can be avoided by clarifying requirements, obtaining more information, improving communications, or obtaining expertise
- Risk mitigation involves reducing the probability and/or the impact of risk threat to an acceptable level.
- Taking early and proactive action against a risk is often more effective than attempting to repair the damage a realized risk has caused.
- Modifying programme strategies at the planning stage and developing contingency plans are examples of risk mitigation
- Risk Transfer involves shifting the negative or positive impact of the uncertain event (and ownership of the response) to a third party.
- Risk transfer does not eliminate a threat; it simply makes another party responsible for managing it.
- For example, logistics can be outsourced to a logistics company with a national network for the distribution of health commodities and medicines to health facilities, while the capacity of the national logistics systems in being strengthened.
- Risk tolerance may be adopted as a risk strategy. This should normally only be used for low-priority risks.
d. Monitoring and review
Each risk should be assigned to a risk owner, who is responsible for reporting the risks and assuring that they are treated appropriately. Once implemented, treatments need to be monitored and continuously reviewed in order to make sure they had the intended effect.
- Recognising the dynamic nature of health systems, the operational context will likely change as will the risks to the achievement of expected results.
- Risks may disappear or shift, and new risks may arise, which will necessitate adjusting risk definitions and the corresponding risk responses.
- Risk registers and logs must be reviewed regularly.
- Monitoring risks involves identifying whether the likelihood of each risk occurring, or its potential impact, is increasing or decreasing.
- If a risk trend proves to be unstable, the risk response(s) should be adjusted accordingly.
- situations that could become risks to the programme objectives should be highlighted and addressed in a timely manner.
e. Communication and consultation
Communication and consultation with relevant stakeholders should take place at all stages of the risk management process and at regular/planned intervals.
- Sharing information on risks within the organisation promotes trust and ownership and contributes to more effective risk treatment and overall decision making.
- Communication is particularly essential when significant contextual/external risks occur, since it can facilitate quick alignment of programme efforts, redefinition of objectives and allocation of resources for critical risk mitigation activities.
Key terminology and definitions
- Risk is an effect of uncertainty on objectives.
- This effect can be positive (supporting the organization or programme to achieve planned objectives) or negative (preventing the organization or programme from achieving its objectives).
- Uncertainty refers to deficiency of information or lack of understanding or knowledge about events.
- It is best practice to formulate risk in terms of “future event”.
- Objectives can have different aspects (such as financial, health and safety, and environmental goals), and can apply at different levels (such as strategic, organization-wide or project).
- Consequence is the outcome of an event affecting objectives. An event can lead to a range of consequences, and initial consequences can escalate through knock-on effects.
- Event is the occurrence or change of a particular set of circumstances. An event can be one or more occurrences, have several causes, and consist of something planned not happening
- Likelihood is the chance of something happening. Likelihood can be measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
- Risk owner is the person or entity with the responsibility and authority to manage a risk.
- Risk register is a risk management tool that serves as a record of all risk identified by the project. For each risk identified, it should include information including likelihood, consequences, treatment options.
- Risk treatment is a measure to modify risk exposure, to provide reasonable assurance of achieving
Health and Disaster Risk
A contribution by the United Nations to the consultation leading to the Third World Conference on Disaster Risk Reduction, 2014.