Background

The draft proposal for a reference Risk Management, Oversight & Accountability Model was developed by a working group led by UNFPA and UNOPS and approved by the Finance & Budget Network in June 2014, in response to the mandate contained in the HLCM Strategic Plan 2013-2016,  which includes "Strengthening the risk management and oversight architecture" as one of its five priorities. The consultative process that led to the finalization of this proposal included all HLCM Networks, as well as UN-RIAS.

The HLCM Strategic Plan calls “for the development of a consolidated and trust-based relationship with Member States on the level and quality of controls in place in Organizations to allow for rationalized oversight, focus on key risks and better internal resource allocation”. The QCPR resolution A/RES/67/226 paragraph 167 also calls “for further efforts to ensure coherence and complementarity in the oversight functions, audit and evaluations across the United Nations development system”.

The HLCM Chair recalled that the objective of this work was to strengthen the common positioning of UN organizations with Member States in an environment with increasing pressure to expand oversight and monitoring, and to develop a strong and defendable reference model which all organizations can adhere to, with the necessary adjustments and variations that their differences require.

The Chair also noted the value of having collectively recognized the applicability of a model – the Three Lines of Defence - developed by a professional body, the Institute of Internal Auditors, building on work by the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA). As it is the case for IPSAS, the adoption of internationally recognized standards adds to the credibility and legitimacy of our work.

He finally pointed to further steps that HLCM had also envisaged to undertake in its Strategic Plan, which would follow naturally from the work on the Reference Model, namely; a) an attempt at quantifying the costs that our organizations incur to maintain their oversight and accountability structures and; b) the development of a UN System Risk Register.

The draft Model was introduced to the Committee by the Chair of the working group.  The Model endorses the Institute of Internal Auditors’ “Three Lines of Defence Model” as a suitable governance and oversight model of reference for the common positioning of the UN System.  The “Three Lines” consist of: (i) functions that own and manage risks; (ii) functions that oversee risks; and (iii) functions that provide independent assurance.

Results from an extensive survey across a sample of HLCM member organizations had guided the development of the Model. One of the key findings of the survey was that quality of risk management in the UN system has improved over the last five years.  Furthermore, the introduction of IPSAS has considerably enhanced the transparency and oversight in the area of financial management.

The “Three Lines of Defence Model” provides a useful framework for organizations to map out their own processes and identify relationships and responsibilities of different actors with respect to the different lines of defence. This helps all levels of management to fulfill their responsibilities with clarity.

Although there are differences between organizations, most can fit into the framework, which can be applied to any organization as a reference model and used to educate stakeholders on the rationale of UN system’s approach in this area. 

Discussion

In the ensuing discussion, the Committee noted that the risk management and oversight functions are a core component of being fit for purpose, as they respond to the need of a trust-based partnership with member states.  Risk is a recognized component of any relationship with both donors and implementing partners.  Therefore, clarity in regards to risk and oversight is important to ensure that risk is not transferred instead of being shared in a transparent manner.  Furthermore, the reference Model can be used as a powerful communications tool when dealing with stakeholders, as it provides a clear picture of how the risk management and oversight functions are structured.

While supporting the strengthening of risk management and oversight structures, the Committee stressed the need to concurrently enhance compliance as a key requirement to enable a trust-based relationship with stakeholders.

Concern was also expressed regarding the relationship between independent assurance activities, particularly the Internal Audit function and the other components of the Model. The application of the Model by organizations should consider the risk of weakening the role of the Internal Audit function in support of senior management and of creating an additional external audit-like layer.  In this respect, the Committee acknowledged that the Three Lines of Defence was a “reference” model which could be adjusted to the specific characteristics and needs of each organization.

On the quantification of the costs of oversight and accountability structures, the Committee noted the sensitivity of this matter, but judged that an indicative assessment of these costs would be a necessary element of any analysis of the value and benefit that such structures bring. The Committee also agreed that any such costing exercise should include labour costs for staff engagement in oversight activities, as well as the cost of additional reporting requirements imposed by member states.

HLCM members noted that the UN system is trying to, and needs to, move in the direction of risk management instead of risk avoidance.  With sound systems, a part of which is the proposed reference Model, managers would have tools to take calculated risks based on good information. This is essential in order to be able to capitalize on opportunities within acceptable risk boundaries.

On the establishment of a system-wide risk register, the Committee discussed its potential benefits, desirable scope, and how to manage and effectively maintain it. 

UN-RIAS, who had participated in the development of the proposed framework, confirmed their agreement with the adoption of the Three Lines of Defence Model.

Action

 The Committee:

 

  • Adopted the reference Risk Management, Oversight & Accountability model as approved by the Finance & Budget Network and outlined in document CEB/2014/HLCM/14.
  • Encouraged member organizations to communicate the adoption of the Model with internal and external stakeholders, in line with the original objective of strengthening the common positioning of UN organizations in the discussions on monitoring and oversight. In this respect, the Committee requested the CEB Secretariat to prepare a note of this discussion and transmit it to the Panel of External Auditors in advance of their annual meeting of 8-9 December 2014.
  • Requested the HLCM Working Group on Risk Management, Oversight and Accountability to conduct an assessment of costs related to the oversight and accountability structures and mechanisms, for the entire UN system.
  • Requested the existing Enterprise Risk Management Community of Practice to conduct, under the leadership of the UN Secretariat, a preliminary assessment of the feasibility of developing a UN system Risk Register, focusing on systemic risks, and within the scope of the post 2015 Fit for Purpose discussion.