Risk assessment

As per UNDP’s Enterprise Risk Management (ERM) framework and ISO 31000:2018, risk assessment consists of three steps:

  1. Risk identification,
  2. Risk analysis, and
  3. Risk evaluation

Risk assessment is an ongoing and iterative process, completed no less than once a year, through risk reviews. The risk review process is described in the Risk monitoring and review section of this Manual.

Risk identification: this is the process to identify and describe risks and opportunities that can affect the achievement of objectives (either positively or negatively). UNDP has a number of predefined and prescriptive tools that can inform the various stages of the risk management process. These are available here. However, given each context is unique, it is a good practice to ensure that risk identification leverages a variety of data, sources of information, and methods.

Common risk identification approaches include:

  1. Review of the context, scope planning, preliminary schedule planning, and resource plan. This is a critical step in any project management process, and includes a mapping of all the unknowns, strengths, and weaknesses, identified in the work breakdown structure, critical path, detailed project costing, market analysis, estimates, dependencies, etc. This is a multi-functional process and requires technical inputs from the broader Country Office, and regional/global teams.
  2. Brainstorming, Delphi technique with multi-dimensional teams. This goes beyond discussions with the project/programme team. It includes brainstorming what could go wrong with technical teams, such as procurement, security, human resources, and finance, as well as gender specialists and health, human rights, and peace and development advisors, etc., both in country and regional/global offices, inside or outside UNDP.
  3. Retrospective analysis of earlier projects, past performance, evaluations, reviews, lessons learned. This includes a review of past Global Fund or health implementation projects, both in country and globally. Data can be extracted from risk register/dashboard, evaluations, reviews, lessons learned, audits, interviews, progress reports, etc.
  4. Risk assessments. These are usually conducted when high/significant or moderate risks are estimated from a preliminary screening and are used to extract more qualitative and quantitative information on the risk exposure and to design the required treatment actions. Both Global Fund and UNDP have a number of required assessments that must be conducted before designing a strategy or signing agreements. A mapping of key UNDP risk management tools is available here.
  5. Interviews, consultations. UNDP ensures meaningful, effective, and informed participation of stakeholders in the formulation and implementation of development interventions. Stakeholder engagement is an ongoing gender-responsive, culturally sensitive, non-discriminatory, and inclusive process, ensuring that potentially affected vulnerable and marginalised groups are identified and provided opportunities to participate and to share their views and concerns. This is both embedded in the UNDP project quality standards and a risk management process.
  6. Scenario analysis, assumption analysis. It allows exploring potential futures and alternative scenarios to account for the uncertainty of the future conditions and their impact on project objectives. At the project level, scenario planning can be done through the design of the project theory of change, stress tests, wargaming, etc.
  7. Questionnaire and surveys. These can be used to collect information on opinions or feelings about a project or a risk. They can also be a set of standardised questions to assess strengths and potential vulnerabilities.

Risk analysis is the process to understand the nature of the risk, the source, the causes, and to estimate the level. This step allows writing a risk statement that captures the causes and consequences of the risk for the project objectives.

There are a number of techniques that allow analysing and visualising risks and their causes – fault tree analysis, event tree analysis, Swiss cheese, bow tie analysis, etc.

The Bow Tie Diagram is a simple and effective analytical tool for visually identifying the potential causes leading to a risk event/critical incident and for mapping out the proactive measures to control the occurrence of the risk event. Should the controls fail and a risk event occur (which represents an issue), the diagram also maps out potential consequences and the reactive actions that can limit the negative consequences of the event. Figure 9 shows a standard Bow Tie Diagram, while Figure 10 shows an example of a Bow Tie Diagram for a risk frequently identified in Global Fund projects, giving a deeper understanding of the causal chain and of when actions should be put in place.

Figure 9. Bow Tie Diagram

International development projects focus on bringing change in complex environments, where a risk event can be linked to a layer of causes (primary and secondary) and can lead to a layer of consequences (primary and secondary). It is useful to map these causal relationships to understand them better, without trying to minimise the complexity.

Figure 10. Example of a Bow Tie Diagram for one Global Fund Project risk event

The example above is not context specific, so it can include generalities. For an effective risk analysis, if possible, ensure context-specific information is available when building the scenarios for a risk analysis.

Risk evaluation: the use of risk criteria to determine risk prioritisation, and the level of acceptance and tolerability of the risk event.

Figure 11. UNDP ERM Risk Matrix

Risk evaluation includes 3 key steps:

  1. Risk rating: The risk is given an overall rating using the risk criteria model, the 5-point scale listed in the ERM policy and in Figure 11, that looks at the likelihood and the impact of a risk. By giving a rating to the impact and the likelihood, the risk can be rated as low, moderate, substantial, or high. Substantial or high risks may require further technical expertise to assess the likelihood/impact.
  2. Risk category: Once the risk is evaluated, the risk consequences are assessed against the 8 ERM risk categories and sub-categories.
  3. Risk significance and escalation: The risk is now compared against the risk significance in the corporate risk appetite for that category. See the UNDP Risk Appetite Statement (RAS) and the UNDP RAS Guidance on how to apply the RAS. If needed, and if the risk is above the ERM escalation conditions, the risk is escalated following the process in the Risk escalation process section of this Manual.

Additional guidance to support this area of work is also available through a number of resources listed below:

