Risk management at GIZ: minimising risk, averting damage
GIZ receives funds from the German federal budget, international organisations and other sources. In order to ensure efficient implementation of the projects financed in this way and to achieve the project objectives, GIZ employs a risk management system that covers all levels of the value creation process and therefore enables risks to be dealt with systematically throughout the company. The risk management system is laid out in GIZ’s risk management handbook, which must be used by all managers and employees.
GIZ’s risk management system aims to identify and manage risks proactively. In this way, the company prevents targets being missed and services not being provided as agreed. To achieve this, the individuals responsible need to determine the probability of a risk occurring and the potential damage that this would entail.
Taking appropriate action in good time
The risk management system promotes a conscious approach to handling risks and allows risks to be recorded and addressed efficiently and effectively. This enables the individuals responsible to take effective measures at an early stage to avoid, reduce or transfer risks, thereby limiting the scale of any damage in the event of a risk occurring. GIZ assigns risks to nine risk categories listed in its risk catalogue (e.g. commercial risks and reputational risks).
GIZ’s Corporate Development Unit has a dedicated section that deals with risk management. It engages in dialogue with a range of actors, including international consulting firms, in order to safeguard and enhance the effectiveness of GIZ’s risk management system.
Risk management process at company level
The Risk Management Section carries out a company-wide survey every six months to identify new risks and changes to known risks (e.g. damage reports and end-of-status reporting) and to keep track of risk management measures already initiated. Independently of this survey, organisational units can report risks on an ad hoc basis at any time.
At corporate level, the Risk Management Committee and the Risk Management Board deal with risks that are relevant to the company as a whole. The Risk Management Committee is composed primarily of employees in middle management and prepares risk descriptions for discussion and/or decision-making by the Risk Management Board. The Risk Management Board is made up of one managing director and representatives of management level 1 (top management below the Management Board). The Risk Management Board can submit proposals to the GIZ Management Board concerning approaches to managing risks of relevance to the company.
The Risk Management Section prepares and runs the meetings of the Risk Management Committee and Risk Management Board, records the results and communicates them to management level 1 and the Management Board. It works on an ongoing basis to develop the formats, instruments and methods for managing risks and reporting on them at company level.
Risk management process at project and departmental level
GIZ’s risk management strategy is based on a standardised process in which risks are systematically addressed even at project level. The process is geared towards the traditional steps of risk management:
1. Identify and describe risks
2. Evaluate and analyse risks
3. Develop suitable countermeasures
4. Report risks to the next management level
1. Identify and describe risks
The first step (risk identification) involves identifying, naming and recording all uncertain events with the potential to cause negative deviation from (project) goals. The aim of identifying risks is to determine and record the causes, the risk and its potential adverse impact as early and as comprehensively as possible. Risks can be deduced from, among other things, existing documents such as the Safeguards+Gender analyses.
2. Evaluate and analyse risks (based on potential damage and probability of occurrence)
Risk assessment enables the relevance of the identified risk to be evaluated more accurately. This assessment is based on a combination of two factors: probability of occurrence and potential damage. This makes it possible to ascertain which risks should be addressed as a priority. Risk analysis involves checking for links between individual risks so that any cluster risks and/or structural risks can be identified at an early stage.
3. Develop suitable countermeasures (avoid, reduce, transfer, accept, monitor)
Managing identified and assessed risks begins with choosing a suitable management strategy. The risk manager decides on the approach to be taken with regard to the risk. The options for managing a risk are to accept it, transfer it to third parties, reduce it, avoid it or monitor it. The risk manager develops effective and appropriate steering measures and/or medium- to long-term risk management strategies and implements them.
4. Report risks to the next management level
Another key element of the risk management process is the mandatory risk dialogue. This forum allows individuals responsible at different management levels to engage in dialogue about risks and how to deal with them and to decide which level should assume the task of risk management. If the person reporting the risk can no longer manage it, the risk is dealt with by the management level above. In this way, GIZ manages risks at the operational level closest to the issue in question.
Involving all management levels, from project manager to the Management Board, ensures that there is a systematic decision-making process for high-risk situations. This also ensures that steps are initiated in good time in order to minimise the identified risks.
The Safeguards+Gender Management System
When preparing and implementing international cooperation projects, it must be ensured that the desired improvements in one area do not lead to an unintentional deterioration in another. Such effects are also referred to as unintended adverse impacts. As part of the Safeguards+Gender Management System, all projects for all commissioning parties are assessed in the planning phase to identify possible unintended adverse impacts in the areas of the environment and climate (greenhouse gas reduction and climate change adaptation), conflict and context sensitivity, human rights, and gender equality. This makes it possible to detect risks at an early stage, identify suitable risk management approaches and incorporate these approaches into the project design. In the area of gender, the potential for promoting gender equality is also explored.
One example of this approach is the design of a project under the BMZ Special Initiative on Tackling the Root Causes of Displacement, Reintegrating Refugees. The project aims to help create income and employment opportunities for internally displaced people. While preparing the project, those responsible found that the original approach would have barely afforded particularly vulnerable groups such as women and young people any access to the project’s services. Language barriers, limited mobility and a lack of basic education would have meant that these groups were largely excluded. The project was then redesigned with a context- and gender-sensitive ‘do no harm’ approach. This involved adapting the measures to the specific needs of women and young people in order to actually reach this target group.
This system was used in 2019 to examine 299 project proposals and identify risk-mitigating adjustments. A total of 20 projects were classified as having the highest level of risk. This classification means that the GIZ Management Board must approve implementation of the project and regularly review the level of risk and any adjustments during the course of project implementation. In this way, GIZ’s Safeguards+Gender Management System serves both to improve risk management and safeguard project goals.
Ongoing development of the risk management system
GIZ’s risk management system is updated on an ongoing basis to meet changing internal and external requirements.
Against this backdrop, GIZ launched a project for digitalising the risk management process in 2019. The goal is to introduce integrated risk management (IRM) software. The software is set to be used throughout the company from 2022.