USAID FORWARD Objective 1/Use of Country Systems “LESSONS LEARNED” ICGFM June, 2012 PAST EXPERIENCE WITH G2G FUNDING 2 Introduction to Risk and Risk Management • There are various standards, references and frameworks for risk and the risk management process. • These are some of the organizations that have established and published standards: o Australian and New Zealand Standard in Risk Management (AS/NZ 4360) o UK Institute for Risk Management o International Organization for Standardization Principles and Risk Management Standard (ISO 31000) o National Institute of Standards and Technology o Project Management Institute o Software Engineering Institute 3 Definition of Fiduciary Risk • The risk that funds will: o Not be controlled properly o Not be used for intended purposes o Produce inefficient or uneconomic programmatic results 4 What Does the PFMRAF Assess? Program Management Shared Risk Budgeting Civil Service Training Accounting Operational Risks Reporting Audit Human Resources Reputational Risks Procurement Donor image Financial Risks Civil Service Laws (Accountability) Cash Management Internal Controls Contracting Media Freedom Oversight Quality Institutional Capacity CSO Vibrancy Democratic Risks (Accountability) Governance PFM Reform Risks Capacity Development Agenda Political Will Public and CSO participation 5 NOTE: This is illustrative and not a comprehensive account of all risks included in the PFMRAF. Risk Management Process Plan Risk Management • Develop risk management policy and plan Identify Risks • • Analyze Plans and Assumptions Develop Risk Register Analyze Risks • • Qualitative and Quantitative Analysis Update Register Plan Risk Responses • • • Strategies Contingencies Update Register Monitor and Control Risks • • • • • Track Risks Implement Responses Update Register Request Changes Evaluate Effectiveness Continuous Communication and Collaboration • This process is a basic risk management process and very similar to the Project Management Institute’s process • Regardless of the industry, organization, or standards used, there are common themes for the risk management process • USAID applies this process and themes in its risk management process 6 Risk Appetite – Stage 2 Impact Catastrophic High Critical Critical Critical Serious High High Critical Critical Marginal Medium Medium High High Negligible Low Low Medium Medium Remote Occasional Probable Probability Frequent Risk Treatment Score USAID G2G Mitigation Requirement Detail Critical Terminate exposure or subject to stringent mitigating measures. Critical requires stringent mitigating measures only if these have a high probability of success. Otherwise, we will terminate our exposure by delivering the assistance through other means. In rare cases where an effective transfer of risk mechanism exists and is deemed effective, we will consider transfer of the risk, albeit with a risk assessment of the ability of the transferor to deliver on its obligation (a central bank guarantee of a deposit in a local bank is an example of a transfer mechanism). Mitigating measures are likely to include concurrent audit, reimbursement-only mechanisms, tranching, affirmative transaction approval, co-signature requirements on disbursements, and other active and continuous control features. The risk mitigation plan will be extensive. High Serious mitigating measures High requires serious mitigating measures to treat the risk, but we will conduct G2G. Treatment may include a wide variety of risk mitigation measures that likely to be constantly in place. Requires a written risk mitigation plan. Medium Mitigating measures Medium requires mitigating measures but these may be periodic, such as semi-annual audits or no objection processes for procurement approval. Third party oversight, such as an arrangement with national procurement oversight body, could be considered. Requires a written risk mitigation plan. Low Monitoring Low requires monitoring and audit, but treatment of specific risks, such as payroll controls, will not be an ex ante requirement for G2G, as they might be under Medium risk conditions. Routine controls and oversight are appropriate. A separate risk mitigation plan is not required. In some cases, terms and conditions in the agreement may be sufficient provided that performance of the terms and conditions is monitored. OIG on IPR • “The OIG is fine with taking calculated risks.” • “No organization can eliminate risk.” • “The concept of risk management is fundamental to the concept of internal control.” • “The concept of risk management” . . . Is fundamental to what auditors do. . . “where auditors provide reasonable assurance, but not absolute assurance. . . “ “Risk management is thoroughly integrated into everything that USAID does and into the work that the IG does. We won’t object to managers taking thoughtful, calculated risks. Risks should be taken within a carefully thought out, cost-effective system of internal control.” Lessons Learned • It is possible to apply state-of-the-art management techniques, such as risk management, in the public sector. • It is not easy. Persistence and dedication are key. • You have to respect the power of the bureaucracy, but not be defeated by it. • Identify your friends and give them the credit for all accomplishments. • Anticipate opposition. Identify, then isolate or defeat your enemies. • Communicate. Communicate. And then Communicate. • This is not a game for sissies. Lessons Learned • Partner countries welcome our initiative – – – – Communicate the objective to the partner “Partnership” requires informed commitment on both sides Non-donor dependent countries may have lower G2G appetite Harmonization reduces burdens on partners • Other donors welcome us to this space – We are sharing the burden, and cost, of risk management • Mismatch between risk bearing capacity of the United States and that of the partner countries – Imposes a moral and ethical burden on the risk assessment effort to protect the partner with the lower risk bearing capacity Lessons Learned • An unforeseen, but major, red flag is a failure of the partner country to accept our fiduciary responsibility to our taxpayers • Other USG agencies have resisted when their diligence is less rigorous than ours • Skepticism about ability to implement a rigorous PFMRAF over the long term – MCC experience • Partnership, not patronage. • “Certification” is a flawed approach both from risk management and development viewpoints. Lessons Learned • Thus far, few countries actually “fail” the PFM aspects – But the sample is questionable – self-selected missions prioritized by the regional bureaus. We may see more PFM “fails” when the process is opened to the entire agency • “Fails” are due to democratic accountability limitations • Whole-of-Mission effort – Democracy, governance, economic growth are linked with transparent and accountable public financial management – Risk management begins at the strategic (CDCS) level and proceeds throughout the project design process – Poor prior planning produces poor products • Evidence-based and data-driven – not just words but deeds • The PFMRAF has feedback loops designed into that are on the critical path to long term success. • We believe in the goal of working ourselves out of a job through sustainable development grounded in country ownership.