Committee on Budget, Finance and Administration - WTO Secretariat Risk Management System
作者:Committee on Budget, Finance and Administration

WTO SECRETARIAT Risk Management System


1.1.  This document presents to the Committee on Budget, Finance, and Administration the key elements of the risk management system implemented by the WTO Secretariat for the year 2015. 

1.2.  A risk management policy for the entire Secretariat was established in December 2012 and is presented as an Annex to this document. 

1.3.  The WTO's revised Financial Regulations include risk management to ensure the functioning of an effective and efficient internal control system.    

2  Critical Risks Identified at YEAR-enD 2015

2.1.  During the third year of implementation of the organization-wide risk management system, the Secretariat identified three new risk issues under the financial, management, and political categories.

2.2.  Management has reviewed the risk register, which now contains some 60 risk issues, and the updated risk assessment following mitigation actions and controls implemented in 2015.

2.3.  The Deputy Director-General in charge of Administration presented to the Director-General the current risk register in December 2015.

2.4.  The comprehensive risk register remains an internal management tool and is not designed to be an official and publicly available document. The Secretariat is presenting in the table below the critical risks; in other words, a high likelihood of the risk event occurring and the serious impact should the risk event occur. These important risks may represent also a substantial financial risk to the Organization. Out of the total risks contained in the risk register at the end of 2015, only 2 risks are considered "critical", which have the highest risk score of 9, as presented below. 

Critical Risks Identified at Year-End 2015



Inability to fully fund the actuarial deficit of the After Service Health Insurance (ASHI)


Targeted skilled cyber-attack, advanced persistent threat


2.1 Financial Risk

2.5.  The critical financial risk concerns the difficulty of fully funding the after service health insurance (ASHI) in light of its long-term commitments.  It was decided during the February 2014 meeting of the CBFA to create a working group on ASHI to evaluate the funding situation and detailed measures to reduce risk exposure. 

2.6.  The extensive report of the Working Group on ASHI was presented to the CBFA on 28 July 2015[1].   The Working Group recommendations included the establishment of a working group to monitor the Secretariat as it develops a long-term sustainable approach on ASHI liabilities[2].   The Secretariat will periodically report and update the CBFA on plans, actions, and results, with regard to the development of the ASHI strategy.

2.2   Technological Risk

2.7.  The identified risk "targeted skilled cyber-attack, advanced persistent threat" remains a critical risk in the area of IT security.  Cyber threat is a key risk globally and a big challenge in terms of safeguarding organization information, reputation, and in light of the costly consequences of data breaches. 

2.8.  Some sensitive data handled by the Secretariat could be considered as of significant value to certain outside parties. Cybersecurity and advanced persistent threat activities could represent a serious threat to the Organization's information systems.

2.9.  Under strategic governance of the Information Technology and Security Steering Committee, additional operational and technical security controls will be implemented to detect and prevent potential breaches, and specifically shield sensitive information assets.  Carrying out additional security controls will reduce the likelihood of an attack's success and the extent of its impact.  Mitigation activities will be an on-going process following technology evolution, threat landscape, and changes in the WTO information and communications technology (ICT) environment and working procedures.

3  Risk Management Process

3.1.  In accordance with the risk management policy, the Risk Officer carried out qualitative discussions in 2015 with key members of senior management.

3.2.  The cross-divisional consultations facilitated proactive discussion on the risk management system, the identification and re-assessment of a number of the risks faced by the Organization, and risk response and monitoring.

3.3.  A critical financial risk previously identified in years 2013 and 2014 was addressed; namely, the funding difficulty on the actuarial deficit of the WTO Pension Plan (WTOPP).  The WTOPP Management Board submitted recommendations to the General Council (through the CBFA) to ensure the long term viability of the Plan[3].  These recommendations included amendments to the Pension Plan's Regulations and were approved by the General Council at its last meeting in 2015.   These actuarial measures took effect on 1 January 2016[4].

3.4.  Thirteen (13) risks are now considered "closed", following treatment actions and remediation efforts that addressed the likelihood of an event occurrence and its impact. 

4  Next steps

4.1.  In 2016, the Secretariat will continue to further develop its risk management capabilities and techniques in order to report significant emerging risks in a timely manner.  Continuous monitoring of the risk and threat landscape and their potential effects on the organization remain a challenge.  Reduction of risks, improvement of and putting into place additional checks and controls, and identification of potential efficiencies and cost benefits will be evaluated.

4.2.   The Organization's risk management system enhances good governance, encouraging senior management to anticipate and address emerging risks to the Organization.

4.3.  The Secretariat will continue to provide an annual update on risk management to the Committee on Budget, Finance, and Administration.



                                                                                                                                                Version 1.1

                                                                                                                       07 March 2014




1      PURPOSE

1.1.  This policy establishes the risk management system for the WTO.  Risk management is part of the internal control system established by the Secretariat.

1.2.  A risk in the context of this policy is an event that may or may not occur and could have a detrimental impact upon the achievement of the Secretariat's objectives if it were to occur.


2.1.  The Secretariat adopted a risk management policy based on the following key principles:


a.    The management of risks is an integral part of the Secretariat's governance process.

b.    Risks that could potentially affect achievement of the Secretariat's objectives are identified, analysed and monitored. A risk register of the key risks faced by the Secretariat is maintained and regularly reviewed and updated.

c.    Appropriate risk mitigation measures are implemented to reduce risk exposure to acceptable levels.


3.1.  The Deputy Director-General in charge of Administration is responsible to: 1) Supervise the Secretariat's risk management system; 2) Submit to the Director-General at least annually a report with the key risks faced by the Secretariat; and 3) Alert the Senior Management at any time of serious and/or imminent risks that are identified.

3.2.  The Risk Officer is responsible to: 1) Consult regularly staff across the Secretariat to identify, analyse and monitor risks; and 2) Maintain the Secretariat's risk register.

3.3.  Any staff member wishing to bring a perceived risk to the attention of the Secretariat can contact the Risk Officer or the Deputy Director-General in charge of Administration.

3.4.  A Risk Owner is assigned for each risk included in the risk register. The Risk Owner is usually the division that manages directly the risk and is best placed to execute a mitigation plan.


4.1.  The purpose of the risk management process is to ensure that risks are addressed at the earliest possible time and that action plans are developed to reduce the likelihood of a risk adversely affecting achievement of the Secretariat's objectives.

4.1  Risk Identification

4.2.  The identification of risks takes place throughout the year. Risks can be identified by any staff and reported to the Risk Officer. The Risk Officer regularly meets with management and staff to discuss and identify risks that the Secretariat is potentially facing.

4.2  Risk Analysis

4.3.  The Risk Officer, after consulting with the Risk Owner, will propose a score for each risk according to the following formula:  Likelihood x Impact = Score.

Risk Scoring Matrix

Impact if the event occurs

High (3)

Moderate 3

High 6

Critical 9

Moderate (2)

Low 2

Moderate 4

High 6

Low (1)

Low 1

Low 2

Moderate 3


Low (1)

Moderate (2)

High (3)

Likelihood of the event occurring


4.4.  The analysis of a risk event is assessed based on the likelihood of the risk event occurring and the impact should the risk event occur. The likelihood and impact are assessed on three levels: Low, Moderate or High.

Risk Likelihood


An event may occur at some time


An event will probably occur in many circumstances


An event is expected to occur in most circumstances


4.5.  The impact of a particular event is measured based on the potential damage to the credibility, reputation and the capacity of the Organization to fulfil its mandate.

Risk Impact


Less significant impact on main activities, reputation, or funding status


Significant impact on main activities, reputation, or funding status


Serious impact on main activities, reputation, or funding status


4.6.  The scoring process includes a certain amount of subjectivity. Therefore the risk score only provides an indication of the relative importance of each risk identified.

4.7.  The risks that have a score of 6 (high) and 9 (critical) may involve a substantial financial risk to the organization.

4.8.  The Risk Officer also categorizes each risk according to one of the following type: financial, management, occupational safety and health in the workplace (OSH), compliance (with regulations such as the WTO Financial Rules & Regulations, Staff Rules & Regulations, or Procurement Policy and Procedures), political or technological.

4.9.  The Risk Register provides the risk score and type for each identified risk.

4.3  Risk Monitoring

4.10.  The monitoring of risk requires first determining actions that can be taken to mitigate risks. The following are possible risk treatment options or mitigating measures: avoid (prevent), accept, reduce likelihood, reduce impact or transfer.

4.11.  The Risk Officer then maintains and regularly updates a register of major risks faced by the Secretariat.

4.12.        The Deputy Director-General in charge of Administration reviews and endorses the risk register, including the actions taken to mitigate risk. He/She submits to the Director-General at least annually a report with the key risks faced by the Secretariat. This report is discussed in the Senior Management Meeting. He/She also alerts Senior Management at any time of serious and/or imminent risks that are identified.      


[1] WT/BFA/W/370. Report of the Working Group on After Service Health Insurance (ASHI).

[2]  WT/BFA/W/375.  Working Group on ASHI Strategy Development.

[3]  WT/BFA/W/367.  WTO Pension Plan Report.

[4]  WT/BFA/W/376.  Actuarial Position of the WTO Pension Plan.