Risk Framework Review Gap Analysis And Recommendations

RISK FRAMEWORK REVIEW
GAP ANALYSIS AND RECOMMENDATIONS
MARCH 20, 2018
Oliver Wyman

CONFIDENTIALITY
Our clients’ industries are extremely competitive, and the maintenance of confidentiality with respect to our clients’ plans and data is critical. Oliver Wyman rigorously applies internal confidentiality practices to protect the confidentiality of all client information.
Similarly, our industry is very competitive. We view our approaches and insights as proprietary and therefore look to our clients to protect our interests in our proposals, presentations, methodologies and analytical techniques. Under no circumstances should this material be shared with any third party without the prior written consent of Oliver Wyman.

1 Project objectives, scope & approach

The Global Partnership of Education brought in Oliver Wyman to perform an external review of its Risk Management Framework

Project objectives
The Secretariat of the Global Partnership of Education engaged Oliver Wyman to review its risk policies and practices with a view to identifying gaps and areas for improvement
The key objectives for this work were to
– Review current GPE Secretariat risk policies and practices to assess gaps and areas for improvement
– Benchmark current GPE Secretariat risk policies and practices against policies and practices of other comparable organizations
– Make recommendations and propose concrete solutions to help the GPE Secretariat improve its risk assessment methodologies and monitoring of risk mitigation actions
The core engagement took place over a four week period in February and March of 2018

The project was completed in four steps

Foundation setting
– Initial review of GPE policy documentation and reporting, covering all documents and reports identified in the GPE RFP
– Additional interviews with members of senior leadership and risk management function
– Development of a review framework and assessment dimensions
– High level articulation of GPE risk management goals and objectives
– Preparation and delivery of the inception report to GPE

Current State Assessment
– Detailed review of GPE framework/policy documentation and reporting and historical performance
– Outreach and interviews of selected members of senior leadership, GPE committees, Grant Agents, and risk management function, as well as selected staff likely to be impacted by risk management policies
– Evaluation of GPE current state, highlighting where current policies and practices do not support risk management objectives and/or impose inefficiencies on the organization

Benchmarking
– Identification and agreement of target benchmarking organizations
– Interviews with selected benchmarking targets
– Synthesis of market practices, highlighting both ‘standard’ best practices and also specific practices of potential interest to and applicability at GPE

Recommendations and Roadmap
– Identification of key gaps between GPE current practices and either GPE desired practices/target state or market best practices
– Identification and evaluation of possible tactics for addressing these gaps based on costs, implementation difficulty, and downside risks
– Development of high-level implementation plan defining recommended initiatives and timing
– Preparation of diagnostic report, including recommendations

The analysis and detailed findings are structured along the dimensions of a typical Enterprise Risk Management Framework

Key components of an Enterprise Risk Management Framework
1 Governance: Oversight structure, risk ownership, roles and responsibilities, risk appetite and culture
2 Strategy: Risk management incorporated into strategic decision making
3 Risk Processes: Processes for identifying, assessing, controlling/mitigating and reporting/monitoring risks
4 Systems and Infrastructure: For supporting ERM framework

[Figure labels: 1. Governance and culture; 2. Strategy; 3. Processes (Risk Category A (e.g. Operational Risk), Risk Category B, Risk Category C; A Risk identification, B Risk assessment, C Control and mitigation, D Monitoring and reporting); 4. Systems and Infrastructure]

Three main sources were used to review GPE’s risk landscape including frameworks/policies, interviews with GPE management, and analogue ED

GPE risk management framework, 2013
Risk management policy, 2014
Risk management report #1, May 2015
Report from the Governance Committee: Risk management report, Nov. 2015
Report from the Governance Committee: Risk management dashboard, Nov. 2015
Risk management report #2, December 2015
Report from the Governance Committee: Risk management report #3, June 2016
Operational risk framework: Report to the Country Grants and Performance Committee, October 2016
Risk management report #4, December 2016
Risk management report #5, June 2017
Operational risk framework #2, June 2017

Finance and Risk Committee
Grant and Performance Committee

ANALOGUE DISCUSSIONS
Grant Agents (World Bank, UNICEF)
CFO and Secretariat Risk Management
Country Leads
GPE Management
– Alice Albright
– Margarita Focas Lich
– Karen Mundy
– Padraig Power

The remainder of this report is structured in 3 sections

Section 1: Project objectives, scope & approach
Describes project objectives and scope, approach undertaken to perform the gap assessment, including a list of documents reviewed and employees at GPE and analogue organizations interviewed

Section 2: Summary results and recommendations
Establishes the context, identifies key gaps vs. aspiration/best practices, and introduces Oliver Wyman’s recommendations

Section 3: Summary ERM framework gap assessment findings and roadmap
Summarizes key gaps identified for each of the ERM framework components (governance & culture, strategy, processes, systems and infrastructure) and suggests a roadmap on how to address these

Section 4: Detailed ERM framework gap assessment findings and recommendations
Provides a detailed overview of all gap assessment findings for each ERM framework component as well as detailed recommendations on how to address these

2 Summary results and recommendations

The assessment of GPE’s risk management framework needs to be viewed in the context of its unique institutional set-up and governance

The unique organizational structure of both the Global Partnership for Education and other similar institutions creates challenges for both risk management and other governance related issues
As a partnership, the organization is composed of multi-stakeholders made up of developing countries, donors, international organizations, civil society, teacher organizations, the private sector and foundations
Significant risk for the partnership comes from the reliance on Local Education Groups, i.e. low performance from them may lead to GPE not achieving their impact goals as per the Strategy 2020
To support the partnership, The Secretariat provides administrative and operational support to the partnership and facilitates collaboration with all partners
The Secretariat is hosted within a larger organization (World Bank) and relies on the World Bank to provide internal and external audit services, which creates operational complexity
In addition, the Board of Directors which is made up of members of the partnership provides support for the objective of the partnership including resourcing, monitoring of financial resources, advocating for the partnership, and overseeing the secretariat budget and work plan
These complexities, compared to traditional corporations, create challenges that extend to operational issues and risk management which is what has been explored in this engagement

Among other implications, this has led to confusion around the appropriate allocation of risk management accountability within the 3 LoD framework

[Figure: Current risk management governance and structure. Labels: 1st line of defense; 2nd line of defense; 3rd line of defense; Grant Agents, Partnership, Local Education Group, Governments; Secretariat including country leads; Board/Committees; World Bank Audit]

GPE has no staff on the ground locally; it relies on local third parties (e.g. grant agents, local education sector groups) to identify and manage risks
At the same time, GPE did not feel comfortable assigning risk ownership to third parties, hence many of the (locally managed risks) are currently owned by the GPE Secretariat (predominantly the Risk Management team) and/or its committees
However, the GPE Secretariat (Risk Management and Country Teams) together with the FRC, GPC and SIC committees are currently also tasked with the 2nd line of defense function
– GPC is responsible for approval of new grants but also with the risk ownership of the Operational Risk Framework
– FRC is responsible for GPE strategic and funding risks but owns oversight of the Risk Management processes
– SIC is responsible for partnership level risks related to strategy and impact as defined by the GPE 2020 strategic plan
Hence, we see a strong overlap between 1st and 2nd line roles at the moment, which leaves a lot of unclarity around who should be responsible for what and can trigger double work as well as blind spots
In terms of the third line, GPE does not have its own internal audit function but currently relies on the World Bank’s internal audit function which is not customized to the needs of GPE

Many ERM design choices depend on whether GPE is striving for a centralized or decentralized approach

Approaches to risk management and GPE’s current positioning

Decentralized approach
– Heavy reliance on local grant agents and other third parties to perform not only first but also second line of defense tasks
– GPE secretariat’s role is to provide risk policies and guidelines in addition to third party’s own policies, but very limited actual challenge and oversight role
– Strong reliance on third line (audit function)
– Small Risk Management team at Secretariat level ( 1 FTE)
– Fewer FTE costs
– Less control over risk management, more reliance on third-parties
– Analogues focus on delivery of goods not services

GPE risk management approach
– Tendency of GPE Risk Management Team to strive for centralized model and play second line of defense role by challenging and overseeing work performed by the local first line
– More Risk Management resources available than required in a decentralized model, but not enough to perform the tasks required in a centralized model

Centralized approach
– Local grant agents and other third parties to perform only first line tasks
– GPE secretariat staff to perform second line tasks, providing risk policies and guidelines AND challenging and overseeing the work of the first line
– Lower importance of third line than in decentralized model (although still high)
– Medium Risk Management Team at Secretariat level ( 5-15 g
– Higher FTE costs
– More control over risk management, less reliance on third-parties
– Analogues focus on delivery of services and support direct giving

The choice of model should not be made on the basis of risk management effectiveness alone but rather on the basis of the overall ability to deliver on GPE’s mission

The review surfaces six key findings; how, and how effectively, they can be addressed will depend on GPE’s future institutional structure and governance

Key Risk Management Framework gaps we identified, with analogue practices

Risk appetite statement: Risk appetite is broadly defined within GPE’s Risk Management Policy. Leading practice is, that this is defined in more detail for the main risk categories with a structured and documented process involving the board. Risk Appetite is not equal to the residual risk
Analogue practices: Risk appetite statement either in place or currently being developed by all three analogue organizations

Risk governance: Overlaps between 1st and 2nd line of defense responsibilities. Greater clarity needed on who challenges and who owns/mitigates risks. Risks should be assigned ownership to staff with operational responsibility and/or co-ownership with e.g. country teams
Analogue practices: Predominantly, 1st line defined as a joint responsibility between local third parties and some kind of country team at Secretariat level

Incorporation of risk into business decisions & strategic planning: Link between risk management framework and business decisions, such as strategic planning and grant allocations could be stronger
Analogue practices: Only one out of three analogues describe the link between risk and strategic decisions as strong, others think it still has to be strengthened

Risk taxonomy: Limited categorization of risks into key risks and sub risks/risk drivers. Risk taxonomy should be mutually exclusive and collectively exhaustive to ensure full risk coverage without overlapping risk types or categories
Analogue practices: Mixed analogue practices. One with a very clear, streamlined taxonomy. Others with room for improvements

Monitoring & Reporting: No systematic identification and active monitoring of Key Risk and Control Indicators (KRIs/KCIs) that are compiled into reporting. Additionally, no separate reports with differing level of detail and use of dashboard for Committees and Board
Analogue practices: Limited use of KRIs/KCIs and visual dashboards, however at one organization currently being developed

Framework and policy documents: Documents could benefit from greater clarity and simplicity, clear separation between reporting documents and framework/policy documents
Analogue practices: Greater clarity at analogue organizations, incl. e.g. version / document administration tracker for policy documents

Based on our review, we have 4 recommendations that can be implemented immediately

Our review has identified key recommendations to GPE’s risk management to allow them to align to their strategic plans and ambitions:
– Revisions to Risk Appetite Statement including a greater link to strategy and a risk by risk evaluation of partnership-wide risk tolerance
– Implementation of a risk governance structure with clear role ownership across the three lines of defense to provide a structured approach to risk management, oversight and audit within the organization
– Simplification of the risk taxonomy at GPE in order to streamline risk management processes
– Identification of key risk indicators and key control indicators are needed to objectively manage risk
Addressing the first two recommendations on Risk Appetite Statement and risk governance, would bring GPE in line with analogue practices
The second two recommendations will create a clear linkage to the strategic ambitions of the partnership with objective and efficient measures of risk which are currently lacking
In addition GPE should determine if they need to adopt a more centralized approach to risk to provide better controls over risks managed and owned by third parties GPE works with locally, which would likely require an increase in Risk Management staff resources at the Secretariat level

3 Summary ERM framework gap assessment findings, recommendations and roadmap

Summary of ERM framework gap assessment findings (1 of 5): Governance and culture

1 GOVERNANCE AND CULTURE

1A Risk appetite
GPE practices in line with analogues:
– GPE defines the risk appetite for certain key risks and connects these directly to the strategic goals with the Risk Management Policy
Gaps/potential areas for improvement:
– No Risk Appetite Statement in place; Risk Appetite (RA) is not defined at a risk-by-risk or risk category level
– RA does not directly set guidance with partnership expectations in mind such as how significant risks could impact the goals and strategy of GPE, no shared understanding of RA

1B Oversight
GPE practices in line with analogues:
– Board and Finance and Risk Committee in place whose main role is to challenge and oversee risks and GPE’s Risk Management Framework similar to analogue organizations
Gaps/potential areas for improvement:
– Challenge for the board to provide effective oversight as all risks are presented to them with little prioritization/little focus on higher priority risks
– Finance and Risk Committee struggles to provide effective oversight and challenging due to overlap between the 1st and 2nd line of defense responsibilities

1C Roles and Responsibilities
GPE practices in line with analogues:
– Duties of the Board, GPC, FRC, and secretariat are defined with respect to risk management in the Risk Management Policy
– Key risks, including the operational risk framework and the corporate risk matrix, have assigned owners responsible for ensuring completion and participation from needed parties
Gaps/potential areas for improvement:
– Overlap between the 1st and 2nd LoD responsibilities, some roles appear to be assigned to multiple parties creates unclarity, risk of double-work and/or blind spots
– Not enough time is being dedicated to review of risk processes due to competing priorities/responsibilities
– The role of audit (to some extent provided by the World Bank audit unit) is not defined in the risk management policy providing scope of their work and associated responsibilities for GPE

[Rating legend: Gap to best practice: Small, Medium, Large; Criticality of gaps: Low, Moderate, High]

Summary of ERM framework gap assessment findings (2 of 5): Governance and culture

1D Risk ownership
GPE practices in line with analogues:
– Risk owners are assigned for all risks within both the risk matrix and the operational risk framework
– Ownership of risks and the associated responsibilities are aligned with appropriate parties
Gaps/potential areas for improvement:
– Risk ownership often not assigned to those with actual control over the outcomes, esp. third parties at country level such as Local Education Group and grant agents
– Process for determining risk ownership is not clearly outlined in the process documents for the operational risk framework and corporate risk matrix

1E Risk culture
GPE practices in line with analogues:
– Risk based principles, which were present at all analogues, of management and a culture of risk awareness are described in the risk management policy
– Discussion of communication and risk is described including an emphasis on clear continuous communication between GPE and its partners
Gaps/potential areas for improvement:
– Risk appetite does not set risk level thresholds to allow the organization to understand which risks should be focused on that may impact GPE’s strategy
– Risk not seen as a priority to majority of staff as many do not see how risk would influence grant allocation, strategy decisions or day-to-day operations

Summary of ERM framework gap assessment findings (3 of 5): Strategy and Processes

2 STRATEGY

2A Incorporation of risks into strategic planning
GPE practices in line with analogues:
– Risk and the associated accountability such as monitoring and mitigation are described in the Risk Policy and how they relate to strategy
– GPE describes how risk and opportunities are linked due to the organization operating in vulnerable and high-risk areas
Gaps/potential areas for improvement:
– There is no direct link between risk appetite/outcomes and GPE’s strategy
– No soft link into GPE’s strategic plan including information of how risks could impact the plan
– No hard link into grant allocation decisions and/or grant pay-outs
– Risk mitigations are also not considered in light of costs associated with them and expected return – i.e. prioritization of resources often not sufficiently made

3 PROCESSES

3A Risk Identification
GPE practices in line with analogues:
– A total of 36 risks are assessed through a corporate risk self assessment template
– The operational risk template assesses 6 risks, which form a subset of the Corporate Risk Matrix, filled in by local third parties
– Users can identify and make suggestions for new risks to be added
– It is a forward looking assessment that looks at the next 3 yr. period
Gaps/potential areas for improvement:
– The current taxonomy is too granular and hinders ease of use and effectiveness of risk management
– New risks have been added to the corporate risk matrix which has grown the number of risks without sufficient discussion or vetting, no regular period reviews in place

Summary of ERM framework gap assessment findings (4 of 5): Processes

3B Risk Assessment
GPE practices in line with analogues:
– Each risk in both the corporate risk and operational risk matrix/template are assessed by the 1st LoD, who is responsible for filling in the risk assessment templates, they:
  – provide a risk assessment rationale
  – assess probability and impact for each risk based on standardized scores, leading to an overall materiality risk level
– Assessments are reviewed by RM team, Country team and FRC
Gaps/potential areas for improvement:
– No systematic use of Key Risk Indicators (KRIs) to monitor and assess risks, which would be needed to trigger mitigating actions and/or a discussion on justification of cost/effort put into mitigations
– Risk materiality ratings may not be filled out in a consistent manner and are currently not thoroughly reviewed and challenged
– Due to overlap between 1st/2nd LoD (refer to component 1C), potential overlap/blind spots in reviewing risk assessments

3C Control and mitigation
GPE practices in line with analogues:
– 1st LoD is responsible for identifying, mitigating, and implementation as part of the RCSA as well as associated owners
– Summary of sector and grant risks along with mitigation actions taken for focus contexts are well detailed and provide guidance on the current risk levels
Gaps/potential areas for improvement:
– Some owners of mitigations are not the party responsible for the actual mitigation (e.g. 1st LoD) but are actually 2nd LoD members of the Secretariat that oversee the risk mitigation but do not perform them
– Controls/mitigations are not linked to Key Control Indicators (KCIs) to monitor how well the control is implemented; also no assessment of the effectiveness of controls, which creates a risk of time and resources wasted on ineffective controls

Summary of ERM framework gap assessment findings (5 of 5): Processes, Systems and infrastructure

3D Monitoring and reporting
GPE practices in line with analogues:
– All risk reports currently provide a view of the current risk level across all levels of reporting
– Analogue organizations all had risk reporting that is transparent with full outputs of the RCSAs available for review by the board and committees
Gaps/potential areas for improvement:
– Many policy documents are mixed into Board or Committee reports – clear differentiation between reports and policy documents needed to ensure ease of use
– No customized reporting to Board and FRC, with different level of detail/focus, little use of dashboards/visualization to help focus on top risks, limited education on risk framework/importance included in reporting, no use of KRIs/KCIs and longer-term trends

4 SYSTEMS AND INFRASTRUCTURE

4A Systems and Infrastructure
GPE practices in line with analogues:
– Current RCSAs are simple Excel reports which are in line with all analogues in reporting
– Reporting is centralized within the risk department and shows historical changes in risk from the prior assessment
Gaps/potential areas for improvement:
– Operational risk RCSAs need assistance by risk to be filled out properly by the country leads or the results are often stale or not consistent
– Current reporting is manual and requires significant additional work to aggregate responses and present them for management, committees, and board of directors

We think that the majority of gaps could be addressed within the next 18 months

Roadmap – assumes current GPE resources w/o external support

Phases: Phase 1: Foundation; Phase 2: Design; Phase 3: Implementation; Phase 4: Enhancement
Timeline markers: 1-2 months; 6 months; 12-18 months; On-going

Governance & culture
– Develop Risk Appetite framework and statement, set appetite per major risk, develop framework governance
– Develop a clear risk governance structure based on the three-lines of defense principles (assign 1st, 2nd and 3rd line roles and responsibilities per risk)
– Strengthen risk culture by communicating and providing training on revised Risk Management Framework – esp. on the Risk Appetite Framework, new risk governance and how results will impact GPE’s strategy
– Introduce periodic review cycles of Risk Appetite Framework and risk governance
– Continue communication and training efforts

Strategy
– Discuss options of how to strengthen the link between risk and strategy (soft vs. hard link) and agree on link type
– In case a soft link is preferred: Implement soft link between risk and strategy
– Potentially re-visit decision to introduce hard link (in case soft link in the first instance)

Processes
– Review and simplify risk taxonomy
– Develop initial set of KRIs, Controls and KCIs per risk
– Re-design Risk-Control-Self-Assessment (RCSA) template – make use of new taxonomy and initial KRIs, Controls, KCIs
– Further develop risk dashboard into a comprehensive monitoring and reporting tool
– Agree limits for each KRI in line with Risk Appetite Statement
– Develop customized risk reports for Secretariat Mgmt., Committees and Board based on information contained in Risk Dashboard
– Create separate report and policy documents
– Introduce periodic review cycles of processes and risk taxonomy

Systems & Infra.
– Re-design existing manual risk identification and assessment tools to increase ease of use for 1st line users and RM team
– Develop/buy software to automate/system support manual processes and tools, start with front-end

For each required step we are suggesting parties responsible for development and implementation and sign-off responsibility (1 of 2)

ERM Component: Governance and culture

Sub Component: Risk appetite
Key Recommendation: Develop Risk Appetite framework and statement, set appetite per major risk, develop framework governance
Implementation responsibility: Risk Management to lead, involving Country Support Teams (CST), Finance and Risk Committee (FRC), Grant and Performance Committee (GPC), the Board, Representatives from Local Education Groups (LEG)/Grant Agents (GA)
Sign-off: Board

Sub Component: Oversight, roles and responsibilities and ownership
Key Recommendation: Develop a clear risk governance structure based on the three-lines of defense principles (assign 1st, 2nd and 3rd line roles and responsibilities per risk)
Implementation responsibility: Risk Management to lead, involving CST, FRC, GPC, Board, LEG and GA
Sign-off: Board

Sub Component: Risk Culture
Key Recommendation: Strengthen risk culture by communicating and providing training on revised Risk Management Framework – esp. on the Risk Appetite Framework, new risk governance and how results will impact GPE’s strategy
Implementation responsibility: Risk Management to lead, with involvement/training targeted at all other units
Sign-off: None

For each required step we are suggesting parties responsible for development and implementation and sign-off responsibility (2 of 2)

ERM Component: Strategy

Sub Component: Incorporation of risks into strategic planning
Key Recommendation: Discuss and agree whether to establish a soft or hard link between risk and strategy and in case a soft link is preferred: develop an approach how to embed this within strategic planning mechanism
Implementation responsibility: Risk Management and CST to lead, involving FRC and GPC
Sign-off: Board

ERM Component: Process

Sub Component: Risk Identification
Key Recommendation: Introduce a simpler risk taxonomy
Implementation responsibility: Risk Management to lead, involving CST
Sign-off: CFO/FRC

Key Recommendation: Introduce a periodic review of the risk taxonomy
Implementation responsibility: Risk Management to lead, involving CST
Sign-off: CFO/FRC

Sub Component: Risk assessment, control and mitigation
Key Recommendation: Develop initial set of KRIs, Controls and KCIs per risk and agree limits
Implementation responsibility: Risk Management to lead, involving CST, FRC, GPC, LEG and GA
Sign-off: Board

Key Recommendation: Re-design Risk-Control-Self-Assessment (RCSA) template – make use of new taxonomy and initial KRIs, Controls, KCIs
Implementation responsibility: Risk Management to lead, involving CST, FRC, GPC, LEG and GA
Sign-off: CFO/FRC

Sub Component: Monitoring and reporting
Key Recommendation: Further develop risk dashboard into a comprehensive monitoring and reporting tool
Implementation responsibility: Risk Management
Sign-off: None

Key Recommendation: Develop a customized reporting for the FRC, GPC and Board
Implementation responsibility: Risk Management
Sign-off: FRC/Board

ERM Component: Supporting systems and infrastructure

Sub Component: Supporting systems and infrastructure
Key Recommendation: Consider improvements to existing manual tools to improve ease of use for 1st line users and RM team
Implementation responsibility: Risk Management
Sign-off: None

Key Recommendation: Focus on “front-end” (i.e. 1st line/risk owners) system improvements and Software should be able to compile information from all individual RCSAs into one aggregated view/dashboard
Implementation responsibility: Risk Management
Sign-off: CFO/Board

4 Detailed ERM framework gap assessment findings and recommendations

Preliminary hypothesis

1A Governance and culture: Risk appetite
Significant gap with no granular Risk Appetite Statement currently defined

Leading practices observations
– Clearly articulated Risk Appetite Statement at enterprise level for setting guidance for organization-wide risk management and for setting stakeholder expectations
– The Risk Appetite Statement is linked to the institution’s mandate/strategy and sets clear boundaries and expectations by establishing quantitative limits and/or principle-based qualitative statement

GPE practices in line with analogues
– GPE’s risk appetite articulated at a high level within its Risk Management Policy, defining that the organization’s overall appetite for risks as “moderate”
– GPE defines the risk appetite for two example risks and connects these directly to its strategic goals
  – The appetite for risks related to fraud and misuse of funds is defined as “very low”
  – The appetite for risks associated to work in fragile and conflict-affected states is defined as “moderate to high”

Gaps/potential areas for improvement
– No formal Risk Appetite Statement defined besides what is articulated in the Risk Management Policy because it is lacking guidance for risk limits and does not connect to GPE strategy
– Implicitly, some members of GPE committees and Secretariat staff understand Risk Appetite as the residual risk that cannot be mitigated away
– Risk Appetite is not defined systematically for all key risk categories
– There are no standardized/quantitative risk appetite tolerance levels defined and hence also not part of GPE’s risk monitoring and reporting
– The Board is not involved in setting and monitoring risk appetite on a regular basis
– There is no clear link between the prospect of risk appetite breaches and grant decisions
– Risk appetite breaches have no consequence
