Friday, December 19, 2014

Embedding Risk Management at AfricaRice

Organizations face many risks that can impact the outcome of their operations. The events that may impact an organization may inhibit its objectives (hazard risks), enhance them (opportunity risks) or create uncertainty about the outcomes (control risks). Risk management offers an integrated approach to evaluation, control and monitoring of the three types of risk.

Conscious of the benefits of integrating risk management in its modus operandi, AfricaRice’s Board of Trustees approved the first version of the Center’s Risk Management Policy in 2005. The revised version of the Policy was approved by the Board at its meeting in September 2014. The document has since been placed on the AfricaRice website:

Training was subsequently provided to senior management in 2006 and 2008. The operationalization of the policy was reviewed in 2008 and 2012 and the corporate Risk Management Committee was established in 2012.

With the aim of obtaining the best returns from risk management activities at AfricaRice, the Risk Management Committee set up the Risk Management Unit in August 2013 to ensure that the Center’s risk management plan of activities gets full attention by the Center’s constituencies. The specific role of the Unit is to significantly improve AfricaRice’s risk management processes, and help the organization to understand, evaluate and take action on all its key risks with a view to increasing the probability of success and reduce the likelihood of failure. 

The expected outcome from the activities of the Unit is to contribute to taking the Center’s level of risk maturity from novice (risk management freshly embedded), to normalized (structured risk management) or to natural (the organization has a risk-aware culture with a pro-active approach to risk management in all its activities; risk information is actively used and communicated to improve processes and gain comparative advantage) in the next 5 years.

The following activities were implemented between September and December 2014:

Sensitization/training of staff

In order for AfricaRice to attain to the highest level of risk maturity, a number of steps have to be taken:
  • Sensitization of all staff on risk management and their roles and responsibilities in the risk management process
  • Development of a risk register for each unit and station
  • Development of a comprehensive risk register for AfricaRice
  • Monitoring and review of the risk registers on a regular basis
  • Development of a business continuity plan, including an evacuation plan, for headquarters and the stations
  • Regular communication of risk management information at all levels within AfricaRice

While much progress has been made in the past on each of these steps, the current attempt is to conduct all activities in a more systematic and well documented manner.  This started with the sensitization of staff at all levels and at all stations and units on risk management. The exercise was conducted by members of the Risk Management Unit (RMU), which comprises the Risk Management Officer, Internal Auditor and Legal Advisor.

All staff in each unit and at each outstation participated in the exercise. Each sensitization/training session lasted typically three working days. Day 1 provided the theory and principles of risk management while days 2 and 3 were devoted to the development of a risk register for each unit/outstation. Topics covered included:
  1. Definition of risk;
  2. Definition of risk management;
  3. Roles and responsibilities of management and staff in risk management
  4. Risk management life cycle
    • Identification
    • Assessment
    • Evaluation
    • Treatment
    • Reporting and communication
    • Record keeping
    • Monitoring and review
  5. Development and maintenance of a risk register

 Participants went away with the impression that each staff at the Center:
  • can substantially expose the center to various losses if they do not undertake due diligence in the management of the risks inherent within the business processes under their care;
  • is responsible for the risks that accrue due to the roles that they are responsible for;   
  • ought to consider the risks that are inherent given each of the business processes and the responsibilities assigned to them;
  • should consider the nature and level of risk and also identify possible mitigation strategies accordingly;
  • should understand, accept and implement risk management processes;
  • should report inefficient, unnecessary or unworkable controls;
  • should report loss events and near-miss incidents;
  • should ensure that visitors and contractors comply with risk management procedures.

Risk registers

The risk registers were subsequently vetted by the Risk Management Unit and incorporated into the comprehensive AfricaRice risk register. However, each unit/outstation reviews its risk register on a monthly basis with a view to updating it based on developments in and around the unit/outstation. Now that the comprehensive risk register has been validated by the corporate Risk Management Committee and Board of Trustees, it will be placed on the AfricaRice Intranet.

Risk management officers

After the sensitization, Risk Management Officers were appointed for each unit at headquarters and the outstations. The roles of the Risk Management Officers include the following:
  • Monthly review of the risk register, including identification of new risks, analysis, evaluation and documentation of risks specific to the unit/station.
  • Monthly meeting of the unit/station Risk Management Committee 
  • Monthly report on risk management in the unit/station to the Risk Management Officer at the headquarters – these reports should indicate actions taken as per the deadlines in the Risk Register and outstanding actions.
  • Continuous monitoring of the implementation of actions recommended for improving risk management in the unit/station.
  • Any other relevant action.

1 comment: