Professional Documents
Culture Documents
Mouhamadou Diagne
Inspector General
The Global Fund
Geneva, Switzerland
Agenda
2
The Global Fund: A snapshot…
Global partnership organization to end the epidemics of AIDS, Tuberculosis and Malaria.
Partners: governments, civil society, private sector and people affected by the diseases.
Provides grants of approximately US$4 billion a year to qualified countries
HIV TB Malaria
• 35 million deaths cumulatively • World’s leading infectious disease killer • 219 million cases of malaria in 2017
• 37 million people living with HIV today •
• Approximately 10 million people affected per year 435.000 annual deaths
• 22 million on lifesaving ARVs
• 1.6 million deaths in 2017 alone • Largest cause of death for children <5
• High infection rate in key populations
• Drug-resistant TB on the rise – a major global • Death rates have dropped by 60% since 2000
health security threat
Global Fund in the HIV fight:
• 20% of all international financing The Global Fund in the malaria fight:
The Global Fund in the TB fight:
• US$18.5 billion for HIV programs • 57% of all international financing
• 65% of all international financing
• Annual treatment cost per patient slashed from • More than US$9.1 billion invested
> US$10,000 to just US$72 between 2000-17 • More than US$6.2 billion invested
• ~ 200 million mosquito nets distributed and 108
• AIDS-related deaths cut by nearly half and new million cases treated in 2017
infections by 43%, since 2000 • Over 5 million people treated in 2017
3
The business case for risk appetite
"Amount of risk an organization is willing to accept in pursuit of its objectives” – Risk tradeoffs inherent in business
Very mature in certain industries, e.g. Fin. Services where limits/thresholds well understood (credit, market, counterparty, liquidity, etc.)
Equally relevant in other industries. Examples of tradeoffs for The Global Fund:
▪ Use of resources: program delivery vs. Safeguarding of funds
▪ Program focus: narrow diseases vs. broader health systems strengthening
▪ Implementation model: country ownership vs. delivery focus
▪ Target countries: Achieve biggest impact (high disease burden countries) vs. leave-nobody-behind (transition countries)
False dichotomies - not one or the other, but both. Real challenge is: how much of one risk, how little of another? Risk appetite question!
Risk is a constant, but responses are variable: Avoidance? Transfer? Acceptance? Mitigation? For GF, avoidance and transfer generally not
an option
Not just academic question, but fundamental business implications: strategic choices; business model; operational priorities; program
implementation arrangements; risk management framework; etc.
4
Benefits of defining risk appetite
Decision framework for evaluating alternative choices, trade-offs and resource allocations
Rich and qualitative dialogue between Board/Management and across 3 Lines of Defense
Useful reference to provide context (not justification!) when things do go wrong- as they inevitably will, on occasion.
Reduction of counterproductive risk behaviors: risk avoidance and reckless or idiosyncratic risk-taking
5
The Global Fund journey
6
Key principles for defining GF risk appetite (*)
7
(*) GF Board Paper GF/B39/07, “Risk Appetite Framework: Progress Update and Steps for Advancement”, May 2018
Key steps in setting Global Fund risk appetite
Risk level segmentation: Very high; High; Moderate; Moderate/Low; Low
Management (business units and Risk Department) assesses and measures current risk levels
Determine key risk drivers and country cohorts that have the most impact on aggregate risk level for the organization!
Iterative bottoms-up risk ratings from individual grants to countries and aggregation to overall portfolio risk levels:
Portfolio level
Country level
Grant level
8
How risk appetite drives business decisions
Supply Chain risk illustration (*)
Supply Chain Risk Example: High Impact country with a high supply chain related risks caused by poor physical
infrastructure and demand forecasting resulting in expiries of health products, stock outs andleakage.
Current Risk Target Risk
# Risk Appetite [Time] Mitigating Actions Consequences / Trade-Off
No actions implemented
No trade-off. Material consequences on
delivering results, i.e. expiries and stock-
4 [N/A]
outs
- Very High | - High | - Moderate | - Low/Moderate | - Low
(*) GF Board Presentation GF/B38/23, “Advancing Risk Appetite”, November 2017
9
How risk appetite drives business decisions
Fraud & Fiduciary risk illustration (*)
Fraud and Fiduciary Risk Example: High Impact country with high Fraud and Fiduciary risks, characterized by previous
instances of and opportunity for fraud, poor management capacity and weak internal controls.
Current Risk Target Risk
# Risk Appetite [Time] Mitigating Actions Consequences / Trade-Off
No actions implemented
Consequences on delivering results,
because of fraud and reputational risk
4 [N/A]
- Very High | - High | - Moderate | - Low/Moderate | - Low
(*) GF Board Presentation GF/B38/23, “Advancing Risk Appetite”, November 2017
10
Resulting approved risk appetites for 9 key risks (*)
Risk Levels
Proposed
Indicative
Current Proposed
Organizational Risks Proposed Target
Timeframe
Risk Risk for
Risk Level Appetite Achieving
Level
Target Risk
4-5
1. In-Country Supply Chain
years
4-5
2. Program Quality
years
3. Strategic Data Quality and Availability 3 years
4. Grant-Related Fraud & Fiduciary N/A
5. Procurement N/A
6. Accounting and Financial Reporting by
N/A
Countries
7. Grant Oversight and Compliance (at PR Level) N/A
8. Quality of Health Products N/A
9. Foreign Exchange N/A
(*) GF Board Paper GF/B39/07, “Risk Appetite Framework: Progress Update and Steps for Advancement”, May 2018
11
Risk oversight infrastructure to support operationalization
Processes
▪ Portfolio Performance Committee (Operational level)
▪ Enterprise Risk Committee (Executive level)
Tools
▪ Integrated Risk Management Tool (assessment, rating, and ongoing tracking of risks)
▪ Organizational Risk Register (Snapshot of key risks facing the organization)
▪ Individual country risk dashboards
People
▪ CRO co-chairs or participates in key Management committees making business decisions, thus embedding risk considerations in
decision-making lifecycle
▪ Risk Management focal points assigned to key business areas and country portfolios, providing risk inputs, advising, challenging, and
monitoring
12
Implications for key internal audit processes
Risk assessment: Incorporation of risk appetite considerations in internal Audit's risk assessment process, both at organizational level and
for individual countries and processes
Audit scoping: Nature and scope of testing for various risk areas impacted not only by current assessed risk levels but also, in some cases,
target risk levels and status of mitigating actions to reach those target levels.
Reporting: Explicit comparison of management's view on current risk levels to internal audit's view of residual risks based on the audit
evidence
Agreed Management Actions: Linkage, where applicable, to mitigating actions towards achieving target risk levels
Assurances to the Board: beyond assurance on specific countries, processes and controls, is the organization operating within Board-
approved risk appetites? What is the gap between current and target risk levels? What’s the overall quality of risk management and
oversight?
13
How audit reports evolved to incorporate risk appetite (*)
Explanation of risk
appetite
methodology and
audit considerations
Risk appetite
background
Comparative analysis of
OIG’s views vs.
Management’s views on
current levels of risk
14
(*) See OIG “Audit of Global Fund Grants in Nepal”, GF-OIG-19-015, August 2019
General takeaways
1 Organizational context and specific needs are critical: no cookie cutter approach
2 Importance of objective risk metrics and indicators, but quantitative formulae never a substitute to good qualitative judgment
3 Risk is the flip side of opportunity: consider both downside and upside dimensions (What could go wrong? What opportunities
missed?)
4 Holistic vs myopic view of risk: narrow focus on reducing one risk type (e.g., Fiduciary) may increase another risk (e.g. Programmatic)
Importance of a cultural paradigm shift in organizational risk culture through carrot-and-stick levers: awareness-building; reward
5 system with incentives and disincentives; accountability mechanisms; and alignment of performance metrics.
7 From academic concept to actual management tool: risk appetite useful only if well embedded to inform day-to-day business decisions
8 Not allowing the perfect to be the enemy of the good: defining and, more importantly, operationalizing risk appetite is a long journey.
The journey itself may be as important as the destination, through the learning opportunities it enables.
15
Takeaways for Internal Audit
1 Learn and/or enhance knowledge: general risk management concepts and principles, specific organizational approaches and
methodologies, contextual nuances
2 Evolve and adapt: risk assessment, audit scoping, issue framing, impact consideration, nature and scope of mitigating actions,
Board/Committee reporting
Question and Challenge: approaches/methodologies may have flaws, risk pictures may be biased or myopic, legitimate differences in
3 judgment may exist
Engage and partner: As risk environment matures, 2nd and 3rd lines should become natural allies. Effective partnership with Risk
4 Management upstream (to zero-in on key risk exposures) and downstream (to complement Internal Audit's periodic assurance with
Risk Management's continuous monitoring)
5 Practice objectivity, but also value humility: stay firm with the "facts" based on the evidence, but be flexible with "opinions" on risk
decisions and postures: hindsight is 20/20, yet risk decisions aren't generally made with benefit of hindsight.
6 Advise and assure: Ongoing feedback to management in spirit of mutual learning and continuous improvement; Unbiased assurance
to the Board not just on specific risk areas but also on overall extent to which organization is indeed managing key risks effectively
within Risk Appetite.
16
Q&A