
Adapting Internal Audit to a maturing risk landscape


The Global Fund’s evolving Risk Appetite journey and implications for Internal Audit

Mouhamadou Diagne
Inspector General
The Global Fund
Geneva, Switzerland
Agenda

1. The Global Fund: A snapshot


2. The business case for risk appetite and its benefits
3. The Global Fund journey to setting risk appetite
4. Key principles and approach
5. How risk appetite drives business decisions – illustrative examples
6. Implications for Internal Audit
7. Takeaways: general and for Internal Audit

The Global Fund: A snapshot…
• Global partnership organization to end the epidemics of AIDS, Tuberculosis and Malaria.
• Partners: governments, civil society, private sector and people affected by the diseases.
• Provides grants of approximately US$4 billion a year to qualified countries

HIV
• 35 million deaths cumulatively
• 37 million people living with HIV today
• 22 million on lifesaving ARVs
• High infection rate in key populations
Global Fund in the HIV fight:
• 20% of all international financing
• US$18.5 billion for HIV programs
• Annual treatment cost per patient slashed from > US$10,000 to just US$72 between 2000-17
• AIDS-related deaths cut by nearly half and new infections by 43%, since 2000

TB
• World’s leading infectious disease killer
• Approximately 10 million people affected per year
• 1.6 million deaths in 2017 alone
• Drug-resistant TB on the rise – a major global health security threat
The Global Fund in the TB fight:
• 65% of all international financing
• More than US$6.2 billion invested
• Over 5 million people treated in 2017

Malaria
• 219 million cases of malaria in 2017
• 435.000 annual deaths
• Largest cause of death for children <5
• Death rates have dropped by 60% since 2000
The Global Fund in the malaria fight:
• 57% of all international financing
• More than US$9.1 billion invested
• ~ 200 million mosquito nets distributed and 108 million cases treated in 2017

Resilient and Sustainable Systems for Health


$1 billion annually to strengthen countries’ systems for health: Procurement; Supply chain; Health workers; Facilities; Data systems; financial management; etc.

The business case for risk appetite
“Amount of risk an organization is willing to accept in pursuit of its objectives” – Risk tradeoffs inherent in business

Very mature in certain industries, e.g. Fin. Services where limits/thresholds well understood (credit, market, counterparty, liquidity, etc.)

Equally relevant in other industries. Examples of tradeoffs for The Global Fund:
▪ Use of resources: program delivery vs. Safeguarding of funds
▪ Program focus: narrow diseases vs. broader health systems strengthening
▪ Implementation model: country ownership vs. delivery focus
▪ Target countries: Achieve biggest impact (high disease burden countries) vs. leave-nobody-behind (transition countries)

False dichotomies - not one or the other, but both. Real challenge is: how much of one risk, how little of another? Risk appetite question!

Risk is a constant, but responses are variable: Avoidance? Transfer? Acceptance? Mitigation? For GF, avoidance and transfer generally not
an option

Not just academic question, but fundamental business implications: strategic choices; business model; operational priorities; program
implementation arrangements; risk management framework; etc.

Benefits of defining risk appetite
Decision framework for evaluating alternative choices, trade-offs and resource allocations

Alignment of stakeholder expectations

Tone-setting through clear formulation of organizational risk philosophy and culture

Use of common language and taxonomies

Rich and qualitative dialogue between Board/Management and across 3 Lines of Defense

Useful reference to provide context (not justification!) when things do go wrong- as they inevitably will, on occasion.

Reduction of counterproductive risk behaviors: risk avoidance and reckless or idiosyncratic risk-taking

The Global Fund journey

▪ 2011-12: High Level Panel report, setup of Risk Mgmt Dept and development of Risk assessment tool
▪ 2015: Board approval of a Risk Management Policy and Framework
▪ 2016: Enterprise Risk Committee established
▪ 2017: OIG review of Global Fund Risk Management Processes, including Agreed Management Action to establish Risk Appetite
▪ May 2018 - Present: Ongoing operationalization and business embedding

Key principles for defining GF risk appetite (*)

Provide useful direction for management decisions and assist in allocation of resources

22222 key organizational risks

Reflect importance of the risk to achieving the Global Fund's mission

Create alignment between various stakeholders

Apply principles

Reflect ability to mitigate


9 key risks selected for Appetite setting

Data/information for measuring the risk is readily available

(*) GF Board Paper GF/B39/07, “Risk Appetite Framework: Progress Update and Steps for Advancement”, May 2018
Key steps in setting Global Fund risk appetite
Risk level segmentation: Very high; High; Moderate; Moderate/Low; Low

Management (business units and Risk Department) assesses and measures current risk levels

Board defines for each risk type:


▪ Current risk appetite (same as current levels, signaling Board willingness to continue programs at current risk level, in short run)
▪ Future target risk levels (where the Board wants the organization to get to, in a longer agreed timeframe)
▪ Timeframe to reach target (varies for each risk, based on nature and complexity of required actions to reach the target risk level)

Determine key risk drivers and country cohorts that have the most impact on aggregate risk level for the organization!

Iterative bottoms-up risk ratings from individual grants to countries and aggregation to overall portfolio risk levels:

Portfolio level
Country level
Grant level
How risk appetite drives business decisions
Supply Chain risk illustration (*)
Supply Chain Risk Example: High Impact country with high supply chain related risks caused by poor physical infrastructure and demand forecasting, resulting in expiries of health products, stock outs and leakage.
# | [Time] | Mitigating Actions | Consequences / Trade-Off
1 | [3 - 6 m] | Scale back the program or reprogram away from health products because there isn’t a feasible short term option. | Exposure to High risk of not achieving strategic objectives
2 ✓ | [1 year] | Go for a parallel supply chain | Accepting higher cost and not building national capacity
3 | [2-3 years] | Work on a combination of short and medium term solutions to reach the target level balancing risks with our objectives/principles | Exposure to High risk, while building national capacity and mitigating risk
4 | [N/A] | No actions implemented | No trade-off. Material consequences on delivering results, i.e. expiries and stock-outs

Colour key for the Current Risk and Target Risk Appetite columns: Very High | High | Moderate | Low/Moderate | Low
(*) GF Board Presentation GF/B38/23, “Advancing Risk Appetite”, November 2017
How risk appetite drives business decisions
Fraud & Fiduciary risk illustration (*)
Fraud and Fiduciary Risk Example: High Impact country with high Fraud and Fiduciary risks, characterized by previous
instances of and opportunity for fraud, poor management capacity and weak internal controls.
# | [Time] | Mitigating Actions | Consequences / Trade-Off
1 | [3 - 6 m] | In countries with high levels of corruption, inadequate financial management capacity and weak detective and preventive controls, Low Risk Appetite presents no good options short of disengagement | Exposure to High risk of not achieving strategic objectives
2 ✓ | [1 year] | Restricted Cash Policy and/or Fiscal Agent, if necessary | Accepting higher cost, delay in implementation and limited capacity building
3 | [2-3 years] | Work on a combination of short and medium term solutions, including technical assistance to strengthen financial capacity and internal control environments | Accepting High fraud risk in the short/medium term, while building capacity
4 | [N/A] | No actions implemented | Consequences on delivering results, because of fraud and reputational risk

Colour key for the Current Risk and Target Risk Appetite columns: Very High | High | Moderate | Low/Moderate | Low
(*) GF Board Presentation GF/B38/23, “Advancing Risk Appetite”, November 2017
Resulting approved risk appetites for 9 key risks (*)

Organizational Risks | Proposed Indicative Timeframe for Achieving Target Risk
1. In-Country Supply Chain | 4-5 years
2. Program Quality | 4-5 years
3. Strategic Data Quality and Availability | 3 years
4. Grant-Related Fraud & Fiduciary | N/A
5. Procurement | N/A
6. Accounting and Financial Reporting by Countries | N/A
7. Grant Oversight and Compliance (at PR Level) | N/A
8. Quality of Health Products | N/A
9. Foreign Exchange | N/A

Colour key for the Current Risk Level, Proposed Risk Appetite and Proposed Target Risk Level columns: Very High | High | Moderate | Moderate/Low | Low

(*) GF Board Paper GF/B39/07, “Risk Appetite Framework: Progress Update and Steps for Advancement”, May 2018

Risk oversight infrastructure to support operationalization
Processes
▪ Portfolio Performance Committee (Operational level)
▪ Enterprise Risk Committee (Executive level)
Tools
▪ Integrated Risk Management Tool (assessment, rating, and ongoing tracking of risks)
▪ Organizational Risk Register (Snapshot of key risks facing the organization)
▪ Individual country risk dashboards

People
▪ CRO co-chairs or participates in key Management committees making business decisions, thus embedding risk considerations in
decision-making lifecycle
▪ Risk Management focal points assigned to key business areas and country portfolios, providing risk inputs, advising, challenging, and
monitoring

Risk governance structure


▪ Different Board committees delegated responsibility for monitoring different risk categories
▪ At Board level, Risk report a standing agenda item, including regular updates on risk levels relative to appetite and overall profile

Implications for key internal audit processes
Risk assessment: Incorporation of risk appetite considerations in Internal Audit's risk assessment process, both at organizational level and
for individual countries and processes

Audit scoping: Nature and scope of testing for various risk areas impacted not only by current assessed risk levels but also, in some cases,
target risk levels and status of mitigating actions to reach those target levels.

Reporting: Explicit comparison of management's view on current risk levels to internal audit's view of residual risks based on the audit
evidence

Agreed Management Actions: Linkage, where applicable, to mitigating actions towards achieving target risk levels

Assurances to the Board: beyond assurance on specific countries, processes and controls, is the organization operating within Board-
approved risk appetites? What is the gap between current and target risk levels? What’s the overall quality of risk management and
oversight?

How audit reports evolved to incorporate risk appetite (*)
▪ Explanation of risk appetite methodology and audit considerations
▪ Risk appetite background
▪ Comparative analysis of OIG’s views vs. Management’s views on current levels of risk

(*) See OIG “Audit of Global Fund Grants in Nepal”, GF-OIG-19-015, August 2019
General takeaways
1 Organizational context and specific needs are critical: no cookie cutter approach

2 Importance of objective risk metrics and indicators, but quantitative formulae never a substitute for good qualitative judgment

3 Risk is the flip side of opportunity: consider both downside and upside dimensions (What could go wrong? What opportunities
missed?)

4 Holistic vs myopic view of risk: narrow focus on reducing one risk type (e.g., Fiduciary) may increase another risk (e.g. Programmatic)

5 Importance of a cultural paradigm shift in organizational risk culture through carrot-and-stick levers: awareness-building; reward
system with incentives and disincentives; accountability mechanisms; and alignment of performance metrics.

6 Executive sponsorship: virtuous or vicious cascade? Tone-at-the-Top → Mood-in-the-Middle → Behaviors-at-the-Bottom.

7 From academic concept to actual management tool: risk appetite useful only if well embedded to inform day-to-day business decisions

8 Not allowing the perfect to be the enemy of the good: defining and, more importantly, operationalizing risk appetite is a long journey.
The journey itself may be as important as the destination, through the learning opportunities it enables.

Takeaways for Internal Audit
1 Learn and/or enhance knowledge: general risk management concepts and principles, specific organizational approaches and
methodologies, contextual nuances

2 Evolve and adapt: risk assessment, audit scoping, issue framing, impact consideration, nature and scope of mitigating actions,
Board/Committee reporting

3 Question and Challenge: approaches/methodologies may have flaws, risk pictures may be biased or myopic, legitimate differences in
judgment may exist

4 Engage and partner: As risk environment matures, 2nd and 3rd lines should become natural allies. Effective partnership with Risk
Management upstream (to zero-in on key risk exposures) and downstream (to complement Internal Audit's periodic assurance with
Risk Management's continuous monitoring)

5 Practice objectivity, but also value humility: stay firm with the "facts" based on the evidence, but be flexible with "opinions" on risk
decisions and postures: hindsight is 20/20, yet risk decisions aren't generally made with benefit of hindsight.

6 Advise and assure: Ongoing feedback to management in spirit of mutual learning and continuous improvement; Unbiased assurance
to the Board not just on specific risk areas but also on overall extent to which organization is indeed managing key risks effectively
within Risk Appetite.

Q&A