Committee on Budget, Finance and Administration - WTO Secretariat Risk Management System

WTO SECRETARIAT Risk Management System

1  BACKGROUND

1.1.  This document presents to the Committee on Budget, Finance, and Administration the key elements of the risk management system implemented by the WTO Secretariat for the year 2015. 

1.2.  A risk management policy for the entire Secretariat was established in December 2012 and is presented as an Annex to this document. 

1.3.  The WTO's revised Financial Regulations include risk management to ensure the functioning of an effective and efficient internal control system.    

2  Critical Risks Identified at Year-End 2015

2.1.  During the third year of implementation of the organization-wide risk management system, the Secretariat identified three new risk issues under the financial, management, and political categories.

2.2.  Management has reviewed the risk register, which now contains some 60 risk issues, and the updated risk assessment following mitigation actions and controls implemented in 2015.

2.3.  The Deputy Director-General in charge of Administration presented to the Director-General the current risk register in December 2015.

2.4.  The comprehensive risk register remains an internal management tool and is not designed to be an official and publicly available document. The table below presents the critical risks, that is, those with a high likelihood of the risk event occurring and a serious impact should it occur. These important risks may also represent a substantial financial risk to the Organization. Of the total risks contained in the risk register at the end of 2015, only 2 are considered "critical", having the highest risk score of 9, as presented below.

Critical Risks Identified at Year-End 2015

FINANCIAL RISK        Inability to fully fund the actuarial deficit of the After Service Health Insurance (ASHI)
TECHNOLOGICAL RISK    Targeted skilled cyber-attack, advanced persistent threat

2.1 Financial Risk

2.5.  The critical financial risk concerns the difficulty of fully funding the after service health insurance (ASHI) in light of its long-term commitments.  It was decided during the February 2014 meeting of the CBFA to create a working group on ASHI to evaluate the funding situation and detailed measures to reduce risk exposure. 

2.6.  The extensive report of the Working Group on ASHI was presented to the CBFA on 28 July 2015[1].   The Working Group recommendations included the establishment of a working group to monitor the Secretariat as it develops a long-term sustainable approach on ASHI liabilities[2].   The Secretariat will periodically report and update the CBFA on plans, actions, and results, with regard to the development of the ASHI strategy.

2.2  Technological Risk

2.7.  The identified risk "targeted skilled cyber-attack, advanced persistent threat" remains a critical risk in the area of IT security.  Cyber threats are a key risk globally and a major challenge in safeguarding the organization's information and reputation, particularly in light of the costly consequences of data breaches.

2.8.  Some sensitive data handled by the Secretariat could be considered of significant value to certain outside parties. Cybersecurity incidents and advanced persistent threat activities could represent a serious threat to the Organization's information systems.

2.9.  Under strategic governance of the Information Technology and Security Steering Committee, additional operational and technical security controls will be implemented to detect and prevent potential breaches, and specifically shield sensitive information assets.  Carrying out additional security controls will reduce the likelihood of an attack's success and the extent of its impact.  Mitigation activities will be an on-going process following technology evolution, threat landscape, and changes in the WTO information and communications technology (ICT) environment and working procedures.

3  Risk Management Process

3.1.  In accordance with the risk management policy, the Risk Officer carried out qualitative discussions in 2015 with key members of senior management.

3.2.  The cross-divisional consultations facilitated proactive discussion on the risk management system, the identification and re-assessment of a number of the risks faced by the Organization, and risk response and monitoring.

3.3.  A critical financial risk previously identified in years 2013 and 2014 was addressed; namely, the funding difficulty on the actuarial deficit of the WTO Pension Plan (WTOPP).  The WTOPP Management Board submitted recommendations to the General Council (through the CBFA) to ensure the long-term viability of the Plan[3].  These recommendations included amendments to the Pension Plan's Regulations and were approved by the General Council at its last meeting in 2015.  These actuarial measures took effect on 1 January 2016[4].

3.4.  Thirteen (13) risks are now considered "closed", following treatment actions and remediation efforts that reduced the likelihood of an event occurring and its impact.

4  Next steps

4.1.  In 2016, the Secretariat will continue to further develop its risk management capabilities and techniques in order to report significant emerging risks in a timely manner.  Continuous monitoring of the risk and threat landscape and their potential effects on the organization remains a challenge.  Reducing risks, improving existing checks and controls and putting additional ones in place, and identifying potential efficiencies and cost benefits will be evaluated.

4.2.  The Organization's risk management system enhances good governance, encouraging senior management to anticipate and address emerging risks to the Organization.

4.3.  The Secretariat will continue to provide an annual update on risk management to the Committee on Budget, Finance, and Administration.

ANNEX

Version 1.1

07 March 2014

RISK MANAGEMENT POLICY FOR THE WTO SECRETARIAT

1      PURPOSE

1.1.  This policy establishes the risk management system for the WTO.  Risk management is part of the internal control system established by the Secretariat.

1.2.  A risk in the context of this policy is an event that may or may not occur and could have a detrimental impact upon the achievement of the Secretariat's objectives if it were to occur.

2      RISK MANAGEMENT APPROACH

2.1.  The Secretariat adopted a risk management policy based on the following key principles:

a.    The management of risks is an integral part of the Secretariat's governance process.

b.    Risks that could potentially affect achievement of the Secretariat's objectives are identified, analysed and monitored. A risk register of the key risks faced by the Secretariat is maintained and regularly reviewed and updated.

c.    Appropriate risk mitigation measures are implemented to reduce risk exposure to acceptable levels.

3      RESPONSIBILITIES

3.1.  The Deputy Director-General in charge of Administration is responsible to: 1) Supervise the Secretariat's risk management system; 2) Submit to the Director-General at least annually a report with the key risks faced by the Secretariat; and 3) Alert the Senior Management at any time of serious and/or imminent risks that are identified.

3.2.  The Risk Officer is responsible to: 1) Consult regularly staff across the Secretariat to identify, analyse and monitor risks; and 2) Maintain the Secretariat's risk register.

3.3.  Any staff member wishing to bring a perceived risk to the attention of the Secretariat can contact the Risk Officer or the Deputy Director-General in charge of Administration.

3.4.  A Risk Owner is assigned for each risk included in the risk register. The Risk Owner is usually the division that manages directly the risk and is best placed to execute a mitigation plan.

4      RISK MANAGEMENT PROCESS

4.1.  The purpose of the risk management process is to ensure that risks are addressed at the earliest possible time and that action plans are developed to reduce the likelihood of a risk adversely affecting achievement of the Secretariat's objectives.

4.1  Risk Identification

4.2.  The identification of risks takes place throughout the year. Risks can be identified by any staff and reported to the Risk Officer. The Risk Officer regularly meets with management and staff to discuss and identify risks that the Secretariat is potentially facing.

4.2  Risk Analysis

4.3.  The Risk Officer, after consulting with the Risk Owner, will propose a score for each risk according to the following formula:  Likelihood x Impact = Score.

Risk Scoring Matrix (Score = Likelihood x Impact)

Impact if the event occurs   |  Likelihood of the event occurring
                             |  Low (1)       Moderate (2)   High (3)
High (3)                     |  Moderate 3    High 6         Critical 9
Moderate (2)                 |  Low 2         Moderate 4     High 6
Low (1)                      |  Low 1         Low 2          Moderate 3

4.4.  The analysis of a risk event is assessed based on the likelihood of the risk event occurring and the impact should the risk event occur. The likelihood and impact are assessed on three levels: Low, Moderate or High.

Risk Likelihood

Low         An event may occur at some time
Moderate    An event will probably occur in many circumstances
High        An event is expected to occur in most circumstances

4.5.  The impact of a particular event is measured based on the potential damage to the credibility, reputation and the capacity of the Organization to fulfil its mandate.

Risk Impact

Low         Less significant impact on main activities, reputation, or funding status
Moderate    Significant impact on main activities, reputation, or funding status
High        Serious impact on main activities, reputation, or funding status

4.6.  The scoring process includes a certain amount of subjectivity. Therefore the risk score only provides an indication of the relative importance of each risk identified.

4.7.  The risks that have a score of 6 (high) and 9 (critical) may involve a substantial financial risk to the organization.

4.8.  The Risk Officer also categorizes each risk according to one of the following types: financial, management, occupational safety and health in the workplace (OSH), compliance (with regulations such as the WTO Financial Rules & Regulations, Staff Rules & Regulations, or Procurement Policy and Procedures), political or technological.

4.9.  The Risk Register provides the risk score and type for each identified risk.

4.3  Risk Monitoring

4.10.  The monitoring of risk requires first determining actions that can be taken to mitigate risks. The following are possible risk treatment options or mitigating measures: avoid (prevent), accept, reduce likelihood, reduce impact or transfer.

4.11.  The Risk Officer then maintains and regularly updates a register of major risks faced by the Secretariat.

4.12.  The Deputy Director-General in charge of Administration reviews and endorses the risk register, including the actions taken to mitigate risk. He/She submits to the Director-General at least annually a report with the key risks faced by the Secretariat. This report is discussed in the Senior Management Meeting. He/She also alerts Senior Management at any time of serious and/or imminent risks that are identified.

__________

[1] WT/BFA/W/370. Report of the Working Group on After Service Health Insurance (ASHI).

[2] WT/BFA/W/375. Working Group on ASHI Strategy Development.

[3] WT/BFA/W/367. WTO Pension Plan Report.

[4] WT/BFA/W/376. Actuarial Position of the WTO Pension Plan.