Risk response design

The risk response design identifies and suggests measures regarding risks for which current risk levels have been assessed as operating outside the established risk appetite levels. The heads of the units and UNFPA personnel at all levels are primarily responsible for an effective risk response to fulfill their day-to-day tasks. They remain fully accountable for ensuring that risks related to their areas of responsibility are managed within the defined risk appetite levels. 

Depending on the nature and potential impact of the risks and the technical, programmatic, operational or financial management expertise and decision-making authority required for adequate risk response decisions, the escalation process must also involve the managers responsible for global and regional programmes and business processes impacted by the risks.

1. No Action: Where the Business Unit proposes to take no action as the risk assessment is within the appetite of risk for UNFPA. 

2. Mitigation: Where the business unit proposes to reduce the risk’s impact and probability and/or strengthen existing controls to develop new controls to reduce risk to acceptable levels.

3. Avoiding: Where the business unit proposes to avoid carrying out risky activities and thereby not taking potential risks due to those activities.

4. Transfer: Where the business unit proposes to transfer or share the risk with a third party. Transferring risk works well with financial risk or risks to assets by, for example, taking conventional insurance or engaging a third party to bear the risk. 

5. Escalate: Where the business unit proposes to escalate the risk by accepting based on the escalation conditions described above with supporting documentation to the respective risk committee and the Chief Risk Officer.

6. Mitigate-Escalate: Where the business unit proposes to mitigate the risk by suggesting actions and also escalating for support with the budget or skill set required to implement the proposed mitigating actions.

• • The current risk exceeds the established risk appetite, and no additional mitigating measures are available;

  • The residual risk level, after risk mitigation measures, still exceeds the established risk appetite and metrics (if available).

  • The estimated impact of the risk is significant, even if mitigation measures are available;

  • A decision is required to accept risks above established risk appetite if essential to achieving key programme objectives;

  • Required risk responses exceed the decision-making authority or expertise of the manager or the managed resources;

  • Risks cuts across or may impact multiple business units; or

  • An adequate risk response would require changes or exceptions to corporate policies.