The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk...

22
The Grant Risk Assessment and Management (GRAM ) Tool Guidance note for in-country implementers August 2015

Transcript of The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk...

Page 1: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

The Grant Risk Assessment and Management (GRAM ) Tool

Guidance note for in-country implementers

August 2015

Page 2: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

List of Abbreviations

CCM Country Coordinating Mechanism CT Country Team GRAM Grant Risk Assessment Management GF The Global Fund LFA Local Funding Agent M&E Monitoring and Evaluation NFM New Funding Model NGO Non-Governmental Organization PR Principle Recipient QUART Qualitative Risk Assessment Tool SR Sub-Recipient SSR Sub-Sub Recipient

Page 3: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

6 | P a g e

The purpose of this document is to:

Introduce Global Fund Principal Recipients/Implementers to the Grant Risk

Assessment Management tool known as GRAM.

Provide guidance on the GRAM tool and to assist in strengthening implementer’s

risk management capacities.

1. Introduction

The Global Fund’s mission is to fight AIDS, Tuberculosis, and Malaria in those countries

where there is the greatest need. The Global Fund’s operations involve multiple

partnerships, challenging humanitarian and development contexts and extensive geographic

scope. Risk is an everyday part of programs that are supported by the Global

Fund. Managing those risks improves the probability of the grants achieving its objectives.1

Managing risks is one of the key priorities of The Global Fund and its partners. A consistent

roll out of risk assessments and discussions on risk will help to manage grants more

effectively. In-country implementers may have a number of tools at their disposal to assess

and monitor risks. If implementers have their own tools for highlighting risks and risk

ratings and these are working effectively, they are encouraged to continue using existing risk

assessment tools. The Global Fund has developed one such qualitative risk assessment tool

for its in-country implementers. The following document explains the rationale and

processes for developing in-country risk management plans using the Global Fund’s

qualitative risk assessment tool known as GRAM.

2. GRAM: The PR (implementer) risk management tool:

GRAM (Grant Risk Assessment and Management) is a tool designed specifically for in-

country implementers to assess the risks they face in their programs funded by the Global

Fund. The GRAM examines 4 broad categories of risk and provides a concise risk overview

based on the determination of the likelihood and severity of each risk. GRAM generates a

risk heat map, providing an overview of all rated risk levels, and an action tracker, allowing

risk mitigation actions to be prioritized and tracked. This qualitative tool can be an effective

way of capturing risks, proposing prevention and mitigation actions, and implementing

action planning for implementers conducted by implementers. This risk assessment tool can

also bridge informational gaps between the Global Fund and in-country actors.

At the Global Fund Secretariat level, Country Teams (CTs) are expected to complete a

Qualitative Risk Assessment Tool known as QUART. QUART identifies, prioritises, and

integrates risk in the management of a grant using the CTs knowledge as well as gathered

perspectives from the Country Coordinating Mechanism (CCM), PRs, and SRs.

1 According to the Global Fund’s definition, a risk is the effect of uncertainty on the achievement of the organization or program objectives.

Page 4: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

6 | P a g e

2.1 Key objectives of GRAM include:

Increased consistency and pro-

activeness in risk management

activities including: risk identification

and assessment, risk prevention &

mitigation, reporting and monitoring,

risk response and corrective action.

Increased capacity for effective grant

management

Greater openness, transparency and

accountability in decision-making

between all actors in the grant

management process.

Stronger communication channels

between CTs, LFAs, partners, and in-

country PRs in dealing with and

prioritising risks. This will significantly

impact and improve programming.

More effective strategic planning as a

result of increased knowledge and

understanding of these risks

Better prioritization and focus on the

most material risks

3. GRAM and its Structure:

The GRAM provides a comprehensive, structured framework to identify and assess

operational risks faced in grant management and program implementation. The tool’s

structure details several main elements:

Risk Types and Risks

Likelihood and Severity Ratings

Time Horizon

Risk Levels

While the GRAM tool provides a structured analysis it also allows for the necessary flexibility

to account for any risks specific to an implementer or country context. Considering risk

management is a dynamic process, implementers can update the assessment during various

milestones of the grant (i.e. signing, disbursements and renewals).

Ultimately, the aim of GRAM is to allow operational risks to be more systematically and

holistically assessed, and better linked to risk prevention and mitigation measures and

decision-making more generally. This should allow better prioritization and differentiation

of risk management activities and strengthen implementer’s risk management capacities.

3.1 Implementing GRAM into the Grant Cycle:

In order to understand the implications of the GRAM, it is important to understand how this

risk assessment can be carried out during the Global Fund grant cycle. The GRAM can be

completed as part of the grant making (country dialogue) for new grants or during

Actions by

Secretariat & LFA

Actions by Partners

Actions by CCM and PRs

Graph 1.1: Level of influence on actions

for achieving objectives of a grant

Page 5: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

3 | P a g e

implementation (for ongoing grants). Deciding on a timeline regarding the implementation

of the GRAM should be determined jointly between implementers, CCM, and CTs.

3.2 Context Information and Analysis: Before analysing risk types and risk, users of

the GRAM tool will provide a country overview and contextual information relating to the

grant. This contextual information and analysis is featured on the second sheet of the tool,

after the instructions page. The objective of the contextual information and analysis section

is to provide a sound background to the specific risk analyses. This is similar to the

“Implementation Map Analysis” that the implementers would have submitted as a part of the

concept note.

The big picture: Before the assessment, the team is expected to summarize various

contextual elements briefly. This should help in focusing the discussions and should link

subsequently to the detailed assessments.

Risk Analysis of the Activities and Stakeholders - these two analyses are very qualitative and

expected to contribute to providing a comprehensive context and facilitate “triangulation”,

when individual risks are discussed later in the tool.

3.3 Risk Types and Risks:

The GRAM tool features 23 standard risks associated

with GF grants. These standard risks grouped into four

main Risk Type categories, derived from the Global

Fund's mission and objectives in grant-making. In this

framework a risk is defined as a future adverse outcome

which the Global Fund seeks to avoid in a given Grant.

Additionally, the GRAM allows implementers to include 2

additional, customized risks per risk category or to

rename some of the 23 standard risks should they wish. Customizing additional risks can be

useful in explaining grant, country, or implementer-specific risks but should generally be

avoided for 2 reasons:

Adding further risks can amount to up to 31 risks. Increasing the number of risks

displayed may make it difficult to focus and prioritize.

Renaming the 23 standard risks to accommodate grant, country, or PR specific risks

can result in a dilution of the strategic level risks in the GRAM. This dilution could

New grants (NFM)

The CCM and implementers are expected to identify key risks and mitigations to be included as a part of the concept note. Conducting a risk assessment using GRAM or a similar tool is recommended. This is an opportunity for the CCM and implementers to reflect on the key risks identified in the concept note against the portfolio analysis and risks identified by the Country Teams. The information in a risk assessment tool should be updated as a part of the discussions during grant making. It is important to review the residual risks in the grants as a part of the grant signature.

Ongoing grants

GRAM or other similar tools can also be introduced anytime during the implementation.

GRAM is not expected to

comprehensively cover all the risk in

all grants, but provides a list of

maximum plausible risks, which

needs to be addressed. The

implementer and CCM can add any

new risks which they find applicable

to the particular context of grant

implementation

Page 6: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

4 | P a g e

lead to the risk heat map becoming dominated by low level risks, diminishing the

importance of high level, strategic risks.

The 4 Risk Types and 23 Standard Risks are detailed below:

Risk Type Description

1. Programmatic & Performance Risks Risks related to programs having limited relevance, not achieving shorter-term performance or longer-term impact, being unsustainable, or being assessed with inadequate M&E or data quality

2. Financial & Fiduciary Risks Risks related to Global Fund investments and other resources not being used for the intended purposes, according to policies, or efficiently, or not being properly recorded and accounted for

3. Health Services & Health Products Quality Risks

Risks related to timeliness, safety, quality, and accessibility of health services, including pharmaceuticals and health products and equipment, negatively impacting beneficiaries and key populations

4. Governance, Oversight & Management Risks

Risks related to poor governance, inadequate oversight and monitoring, or poor program and grant management in terms of quality, timeliness, efficiency and compliance

Risk Type Risks 1. Programmatic & Performance Risks

1.1 Limited Program Relevance

1.2 Inadequate M&E & Poor Data Quality

1.3 Not Achieving Grant Output Target

1.4 Not Achieving Grant Outcome & Impact Targets

1.5 Poor Sustainability

1.6 Other (please specify)

2. Financial & Fiduciary Risks

2.1 Low Absorptive Capacity or Over-commitment

2.2 Poor Financial Efficiency

2.3 Fraud, Corruption, or Theft of Global Fund Funds

2.4 Theft or Diversion of Non-financial Assets

2.5 Financial Non-compliance

2.6 Market and Macro-economic Losses

2.7 Poor Financial Reporting

2.8 Other (please specify)

3.Health Services & Health Products Quality Risks

3.1. Treatment Disruptions

3.2 Substandard Quality of Health Products

3.3 Poor Quality of Health Services & Use of Health Products

3.4 Human Rights barriers in accessing Health Services

3.5 Other (please specify)

4.1 Inadequate Security and Stability at the national/subnational level

4. Governance, Oversight & Management Risks

4.2 Limited PR Governance & Oversight

4.3 Limited PR Reporting & Compliance

4.4 Limited Secretariat oversight and LFA verification

4.5 Inadequate SR Governance & Oversight

4.6 Inadequate SR Reporting & Compliance

4.7 Ineffective CCM Oversight

Page 7: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

5 | P a g e

3.4 Contributing Factors: In addition to the risk types and the standard risks, the

contributing factors describe the key drivers of each of the 23 standard risks. The success of

the GRAM depends on the ability of the implementer to take into consideration the key

contributing factors for each risk mentioned in the tool and to complete the risk assessment

with candour and honesty. Keep in mind, this list is not comprehensive but rather a set of

indicative factors used to help guide implementers which can be found in Annex 2 of this

document. Implementers are advised to think through the contributing factors thoroughly

by using the indicated list as a checklist when completing the GRAM.

3.5 Risk Heat Map: The tool has been developed using MS excel which consolidates inputs

and presents these in several formats to allow validation and prioritization. It then

summarizes the results of the assessment in the form of a heat map as well as a tracking

sheet for any actions proposed from the assessment.

The various output sheets from the MS Excel Tool should be seen as dynamic products. As

such, they will be regularly updated to support discussions between implementers, CCM, and

CTs on risk and grant management on an ongoing basis.

The table below is an example of a generated risk heat map created once all inputs are

tracked in the GRAM:

3.6 Likelihood, Severity and Time Horizon

In order to generate the risk heat map above, GRAM users must assess the 23 standard risks

in terms of their Likelihood and Severity. Likelihood refers to the chance that the future

negative outcome occurs, while Severity refers to the estimated impact of the negative

outcome assuming it does occur. The purpose of introducing these two dimensions in

assessing risks is to:

Page 8: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

6 | P a g e

• improve consistency and granularity of

risk assessment

• take into account materiality of risks

for more effective prioritization

• encourage and facilitate robust

discussion

The Time Horizon over which Likelihood and Severity should be assessed for each risk is the

following one year (twelve months) from the date of the assessment. In other words, the

user should be assessing how likely the risk may occur in the coming 12 months, and

estimating how severe it would be if it the relevant risks were to occur.

Likelihood Ratings

What is the chance of the risk occurring within the time horizon, based on the contributing factors?

Severity Ratings

Assuming the risk occurs, how severe is its impact expected to be, based on the contributing factors? In rating the severity of the risks, consider the impact on the following 4 areas:

• Wastage of grant funds • Poor program performance, data quality, impact or sustainability • Negative health outcomes from program activities • Reputational issues and threats to future funding

Minor Moderate Major Critical

No or only minor impact expected in all areas

At most moderate impact expected in all areas

At most major impact expected all areas

Critical impact expected in at least one area

Both the likelihood and the severity should be assessed based on consideration of the

contributing factors which have been identified as the main drivers or indicators for each of

the 23 standard risks. The user is also expected to provide a written description to justify the

likelihood rating, severity ratings and the key contributing factors they have selected. If the

lowest possible likelihood and/or severity ratings are chosen, no contributing factors need to

be listed (to justify the low ratings). Keep in mind that the tool has a very generic view of

likelihood and severity definition. A written description explaining each determined rating

will add more value and detail to the assessment.

Highly Unlikely Unlikely Likely Highly likely

less than 10%

chance of happening

between 10-40%

chance of happening

between 40-70% chance of happening

+70% chance of happening

Page 9: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

7 | P a g e

The following color-coded heat chart signifies the determined risk rating based on the

combination of the likelihood rating and the severity rating. Likelihood and severity combine

to signify the level of risk for each standard risk which is then added the overall heat map.

4. GRAM Rollout – Process

For effective use of the GRAM, the following broad steps are recommended. Please note that

these steps are general guidelines and at the discretion of implementers. Implementers can

adapt this process depending on their preparedness and capacity to effectively integrate risk

management into their respective programs. In order to understand the tool fully and come

to an agreement on a realistic “baseline,” implementers will receive training support by CTs

or an experienced facilitator who can answer any questions and concerns.

4.1 Appreciating the objective of risk assessment: There is usually a sense of

apprehension when it comes to detailing risks affecting the roll out and success of a

grant, such as risk ratings related to CCM and GF Secretariat effectiveness, for

example. Some implementers may feel as though providing such information can

negatively impact the CT’s perception of their work. On the contrary however, for the

Global Fund, knowing and agreeing on the key risks is a constructive and collective

effort that should involve many stakeholders (e.g.: partners/CCM/ others) who

support in finding solutions and mitigating risks. Therefore, providing as much

honest information as possible will strengthen risk mitigation measures for all actors

involved in the grant management and risk management process.

4.2 PR preparedness to undertake a risk assessment. The use of the GRAM

itself will be a self-assessment. However, some prior review of contributing factors or

risk will prepare implementers for the GRAM workshop.

Minor Moderate Major Critical

Highly

Unlikely Low Low Medium Medium

Unlikely Low Medium High High

Likely Medium High High Very High

Highly

Likely Medium High Very High Very High

Severity

Likelihood

Likelihood Unlikely

Severity Major

Risk Level Medium

Example of a combined likelihood

& security rating which determines

a risk level

Page 10: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

8 | P a g e

4.3 Risk Self-Assessment – In preparation for the workshop, implementers are

encouraged to conduct their own risk self-assessments. The objective of the self-

assessment is to have better alignment within an implementer on the key risks and

should facilitate better focus during the GRAM workshop discussions. A risk self-

assessment template is attached in Annex 1.

4.4 Workshop: The GF CTs or an experienced consultant will facilitate an in-

country workshop on how to use the GRAM tool. This brief, two-day workshop will

allow in-country implementers, PRs and CCM to familiarise themselves with the tool

and a chance for initial stakeholder dialogue on how to appropriately administer risk

assessments.

During a scheduled in-country workshop, implementers will be introduced to the GRAM

tool. There are four main steps to completing the GRAM which will be described and

enacted during the proposed workshop.

1. Fill in the specific contextual information in the General Info sheet

Assess risks and propose actions in the four risk and action input sheets -

(i) Programmatic & Performance, (ii) Fiduciary & Financial, (iii) Health

Services & Products, (iv) Governance, Oversight & Management

2. Rate Likelihood and Severity for each risk

3. Explain the Likelihood and Severity ratings and the most significant causes for

each risk

4. Where appropriate, propose actions to prevent and/or mitigate risks

Use the Risk Heat Map to validate the risk assessment across the different

areas and to prioritize risks to address through action planning.

Use the Action Tracker sheet to decide which actions to pursue to address

key risks, and input the relevant tracking information next to these:

existing actions, cost, source of resources, responsible person

After becoming familiar with the GRAM tool, participants of the workshop will complete the

tool and share their completed GRAM including the risk heat map and proposed action plan

to the group for further understanding and discussion. It is possible that the workshop will

identify risks and possible mitigating strategies which

require further information or consultation before the

strategy can be confirmed. For instance, a proposed

strategy may require consultation with external agencies

or ministries to develop a coordinated approach to

reducing a specific risk. Therefore, some follow-up may

be required prior to the GRAM tool being finalized.

Additionally, it may be critical that senior management

collate and review the recommended actions for

consistency, calibration and to identify linkages with

other activity underway in the country. This may lead to

KEEP IN MIND: The workshop is

generally a one-time activity to

introduce the tool and train

implementers on its use. A key

objective of the workshop is to

plan to update the tool regularly

and use the information from it

for decision making purposes.

Page 11: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

9 | P a g e

identification of 10-15 priority actions. Accordingly, at the end of the workshop, it may be

appropriate to schedule a follow-up meeting, possibly in one or two week’s time, when the

final GRAM action plan is confirmed.

During the workshop, implementers will be provided contact information and follow-up

guidance so as to ensure that the GRAM tool can be an effective and sustainable tool for GF

implementers.

NOTE: Careful consideration needs to be given to how many grants should be covered in a

single workshop. This will vary considerably dependent upon the grant and country context.

While grants may have common risks, obviously programmatic risks may vary considerably

and including all grants in a single workshop may result in “nuances” between grants being

lost. On the other hand, there can be valuable insights gained by sharing ideas between

grants

4.5 Follow up: During the workshop, stakeholders will

discuss and come to an agreement concerning a number of

points. After the workshop, implementers should be in

agreement and aware of:

1. Time frames for completing the assessment of the full

portfolio

2. Ways of ensuring quality check and validation

3. Identification of point persons in each implementer who can support on-going

implementation of this.

4. Overall frequency of updates of GRAM (recommended every 6 months – along with

the disbursement request)

5. Next grant milestone which will provide an update on the implementation of the risk

mitigation and prevention actions.

Refer to the chart below that describes the risk assessment follow up process:

• Done by implementer

Grant Risk Self-Assessment

• Sharing GF perspectives

• Sharing of Grant risk self- assessment outcome

• Partners experience• Introduction to tools• Group work - use of tools (facilitated by

the Country Team) • Sharing of Group work outcome• Alignment of Risk Prevention mitigation

mechanisms between CT, LFA and implementer

In country workshop / discussions

• Instituting a mechanism to support the implementers in follow ups and integration of risk assessment in grant management

Implementer owned follow up mechanism

REMEMBER: Joint

prioritization of a shortlist of

actions and follow up points is

a key for effective risk

management

Page 12: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

10 | P a g e

REMEMBER: The GRAM is a simple tool for implementers who wish to introduce a

mechanism for prioritizing action for risk management and for detailing risk mitigation

measures for their grants. All implementers are expected to have comprehensive risk

management plans as part of effective grant governance.

5. Annexures

Annex 1: Self-Assessment Template

Annex 2: Risk and indicative list of major contributing factors

Annex 1: Self-assessment Template

Grant Risk self-assessment (This template captures discussions within the implementer on various risks as perceived by them at a grant level). Name of the PR………………………………………………………………………………………………………… Grant No: …………………………………………………………………………………………………………….

Programmatic & Performance Risks

Definition: Operational risk is the possibility of reduced program impact, not achieving targets,

and/or wastage or misuse of resources due to specific processes or actors in our Performance-

Based Funding model not operating as intended. In this framework a risk is a future adverse

outcome which the PR is seeking to avoid in a given Grant

This is a broad area encompassing programmatic, monitoring and evaluation and performance

related risks. Typically, this includes risks related to grants and the broader programs having

limited relevance in relation to epidemiological and programmatic context, not being aligned to

the national context, systems and other donors, and other aspects which may impede relevance

or sustainability. In addition, issues related to inadequate monitoring and valuation and data

quality should also be considered in this section. Finally, key drivers of the risk that the grant

does not achieve targets agreed in the Performance Framework or longer-term impact should be

explored.

Page 13: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

11 | P a g e

Brainstorming: Where are the risks in this area that you foresee for a period of next 12 months? Please provide specific details of the risk that you identified by listing the contributing factors.

Guidance: Please try to elicit the contributing factors and consequences i.e. risks. Please find some examples of two 2 risks identified (e.g.: (i) misalignment between proposal objectives and program strategies leading to the risk of not achieving the impact, (ii)Malfunctioning HMIS (Health Management Information System), unfilled vacancies, inadequate training of existing data entry operators contributing to inaccurate data collection from ARV centres etc.)

1 2 3

4 5

6

Priority: From the above, please select three most important risks (i.e. have a high likelihood or a high negative impact or both)?

1 2 3

Management: What can you do to avoid these risks or mitigate their impact? (Please specify the action, timeframe, person(s) responsible)

Risk 1 : …………………………………………………………………………………………………………………………

Action 1 Action 2 Action 3

Risk 2 …………………………………………………………………………………………………………………………

Action 1 Action 2 Action 3

Risk 3 …………………………………………………………………………………………………………………………

Action 1 Action 2 Action 3

Page 14: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

12 | P a g e

Fiduciary & Financial Risks

Brainstorming: Where are the risks in this area in the next 12 months? Please provide specific details of the risk that you identified by listing the contributing factors. (E.g. Insufficient understanding of Global Fund reporting requirements, inadequate financial accounting software, lack of management supervision over financial system leading to the inadequate Financial Reporting)

Guidance: Please try to elicit the contributing factors and consequences i.e. risks.

1 2 3 4 5

Priority: From the above, please select three most important risks (i.e. have a high likelihood or a high negative impact or both)?

1 2 3

Management: What can you do to avoid these risks or mitigate their impact? (Please specify the action, timeframe, person(s) responsible)

Risk 1 …………………………………………………………………………………………………………………………

Action 1 Action 2 Action 3

Risk 2 …………………………………………………………………………………………………………………………

Action 1 Action 2 Action 3

Risk 3 …………………………………………………………………………………………………………………………

Action 1 Action 2 Action 3

Fiduciary and financial risks address the possibility of funds and other resources not being used

for the intended purposes, according to policies, or efficiently, or not being properly recorded,

accounted for or reported. This area therefore includes financial management and fiduciary

control risks such as: low or ineffective absorption of funds; weak internal controls and the risk of

fraud, corruption, theft or diversion of funds or non-financial assets including pharmaceuticals

and health products and equipment; and wastage of funds or non-financial assets due to poor

management by implementing entities, foreign exchange or market price changes. Risks related

to financial misreporting should also be explored here.

Page 15: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

13 | P a g e

Health Services & Health Products Quality Risks

Brainstorming: Where are the risks in this area in the next 12 months? Please provide specific details of the risk that you identified by listing the contributing factors. (E.g. Lack of reliable consumption data, inadequate MIS and lack of coordination and reconciliation between inventory and patient information to leading to inadequate forecasting and quantification for 2013 ) Guidance: Please try to elicit the contributing factors and consequences i.e. risks.

1 2 3 4 5

Priority: From the above, please select three most important risks (i.e. have a high likelihood or a high negative impact or both)?

1 2 3

Management: What can you do to avoid these risks or mitigate their impact? (Please specify the action, timeframe, person(s) responsible) Risk 1 …………………………………………………………………………………………………………………………

Action 1 Action 2 Action 3

Risk 2 …………………………………………………………………………………………………………………………

Action 1 Action 2 Action 3

Risk 3 …………………………………………………………………………………………………………………………

Action 1 Action 2

Broadly, this risk area is defined as risks related to quality and accessibility of health services

provided to beneficiaries. This includes risks related to timeliness, safety, quality, and

accessibility of health services, including pharmaceuticals and health products and equipment,

negatively impacting beneficiaries and key populations. Risks of diagnostic or treatment

disruptions including supply chain management issues should be considered here.

Additionally, human rights barriers may impede access to health services. Human rights risks

arising from the operating context as well as risks of rights violations affecting grant recipients

should be considered.

Page 16: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

14 | P a g e

Action 3

Governance, Oversight & Management Risks

Brainstorming: Where are the risks in this area in the next 12 months? Please provide specific details of the risk that you identified by listing the contributing factors. (e.g.: Ineffective functioning of the CCM oversight committee, poorly defined oversight plans and lack of proactive upwards reporting by PR to CCM leading to inadequate CCM governance and oversight ) Guidance: Please try to elicit the contributing factors and consequences i.e. risks.

Inadequate CCM Governance & Oversight

1 2 3 4 5

Priority: From the above, please select three most important risks (i.e. have a high likelihood or a high negative impact or both)?

1 2 3

Management: What can you do to avoid these risks or mitigate their impact? Risk 1 …………………………………………………………………………………………………………………………

Action 1 Action 2 Action 3

Risk 2 …………………………………………………………………………………………………………………………

Action 1 Action 2 Action 3

Risk 3 …………………………………………………………………………………………………………………………

These risks relate to inadequate governance, oversight and monitoring, or program and

grant management including complying with Global Fund policies and reporting

requirements. Governance encompasses effective institutional structures and leadership,

management of competing interests and stakeholders, and sufficient management controls

and information of the organization's activities and staff as well as key partners to ensure

satisfaction of the organization's objectives. Oversight relates to the ability of the overseeing

body or actor to proactively identify and rectify issues that can materially impact attainment

of these objectives, and can range from audit, inspection and investigation, to evaluation and

monitoring, to risk management activities. Program and grant management risks should

consider the quality, timeliness, efficiency and compliance by CCM, PR, SR, LFA and the

Global Fund Secretariat, with Global Fund policies and reporting requirements.

Page 17: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

15 | P a g e

Action 1 Action 2 Action 3

Annex 2: Major Contributing Factors by Risk

REMEMBER: The following list is NOT comprehensive but rather a set of

indicative factors used to help guide implementers in completing the GRAM tool.

1. Programmatic & Performance Risks

Risk Main contributing factors

Limited Program Relevance

1.1 Program goals and objectives are not aligned with agreed and most current national / international strategies, policies and guidelines

1.2 Insufficient attention by CCM to ensuring programs are designed based on sound analysis of key population needs and remain needs-based

1.3 Overall proposal has not been well translated into the grant 1.4 Grant targets are inconsistent with the proposal, other grants,

national targets or GF strategic objectives 1.5 Indicators are not appropriate or effective for measuring output,

outcome, or impact consistently with the goals and objectives of the program

1.6 Evidence that program SDAs, coverage, reach and intensity are not effective to achieve the proposed goals and objectives

1.7 Epidemiological or program context situation in country has significantly evolved since the TRP reviewed the proposal

1.8 Significant delays in grant implementation from approval of the proposal

Inadequate M&E and Poor

Data Quality.

2.1 Inadequate indicator measurement framework 2.2 Inadequate routine/programmatic data collection 2.3 Inadequate data management 2.4 Inadequate data quality assurance mechanisms in place 2.5 Inadequate program reviews and evaluations regularly conducted 2.6 Inadequate M&E Human Resources capacity 2.7 Inadequate M&E budget allocation or spending for the national

health sector, disease program or PR M&E system 2.8 Inadequate data analysis, dissemination and use 2.9 Inadequate progress made on the implementation of M&E system

strengthening activities

Not Achieving Grant Output Targets

3.1 Number and materiality of conditions precedent and management actions assigned during the grant negotiation and signing processes, or during implementation, and progress against these to date.

3.2 Insufficient budget to support implementation 3.3 High complexity of grant implementation arrangements 3.4 Previous, current, or expected delays in procurement and supply

chain management activities (PHPM & non-PHPM) 3.5 Previous and current delays in disbursements 3.6 Shortages in global drug supplies 3.7 Poor performance against Output Targets in current and previous

periods for the grant, as well as other grants to PR and in this country, or other indications that current targets may be set unrealistically high.

3.8 Insufficient capacity of the PR Program Management Unit (PMU) for effective program and grant implementation

3.9 Overall stability of country, enabling environment, and health sector 3.10 PR and/or major SRs were not involved in development of the

proposal, program implementation plan, or budget

4.1 Poor performance against Outcome and/or Impact Targets in current and previous periods for the grant, as well as other grants to PR and in this country, or other indications that current targets may be set unrealistically high.

Page 18: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

16 | P a g e

Not Achieving Grant Outcome & Impact Targets

4.2 Overall capacity of health systems, strength of national health strategy, and government spending on health sector

4.3 Overall stability of country, enabling environment, and health sector 4.4 Lack of effective coordination by parties involved in grant

implementation including national health bodies, national and sub-national governments, donors, and partners

4.5 Lack of effective coordination between grants and disease programs 4.6 SDAs or Outputs are not sufficiently well-linked to Outcomes and

Impact, or Output targets are not sufficiently well-linked to Outcome and Impact Targets

4.7 Quality of training, systems strengthening activities, and other non-health service related Outputs

Poor Sustainability

5.1 Alignment with national systems - GF supported programs do not use public financial management systems

5.2 Alignment with national systems -GF supported programs do not use public procurement systems

5.3 Alignment with national systems - GF supported programs do not use national M&E systems

5.4 Alignment with national systems - GF-financed remuneration is not aligned to national or interagency frameworks

5.5 Alignment with national systems - Lack of capacity building and systems strengthening to support sustainable impact

5.6 Harmonization and Coordination - Lack of CCM and PR coordination with other health bodies, donors, and partners.

5.7 Harmonization and Coordination – GF financing is implemented through a Project management Unit (PMU) parallel to existing government structures

5.8 Transparency-Predicted GF financing is not accurately reported in

the country budget, aid information management system or other such aid tracking tools

5.9 Sustainability - Inadequate counterpart financing

2. Fiduciary & Financial Risks

Low Absorptive Capacity or Over-commitment

6.1 Inadequately defined implementation arrangements 6.2 Poor budgeting, including especially budget assumptions 6.3 Inadequate budget monitoring and forecasting 6.4 Delays in SR reporting and implementation 6.5 History of low absorptive capacity and over commitment 6.6 Delays in procurement (PHPM specific) 6.7 Delays in procurement (other than PHPM) 6.8 Undisclosed counterpart funding or partner contributions

Poor Financial Efficiency

7.1 Lack of comprehensiveness and appropriateness of budget 7.2 Inadequate control framework 7.3 Undisclosed counterpart funding or partner contributions 7.4 Inefficient procurement practices (PHPM specific) 7.5 Inefficient procurement practices (other than PHPM) 7.6 Inadequate implementation arrangements 7.7 Inadequate SR management (SR selection and/or inadequate

oversight of SR management) 7.8 High materiality of previous losses due to inefficiencies 7.9 Budget contains a high proportion of budget lines susceptible to

inefficiency

Fraud, Corruption, or Theft of Global Fund Funds

8.1 Inadequate bank and cash management 8.2 Low rating of PR financial management and SR oversight and

management 8.3 Indications of collusion, fraud or corruption (from past experience

or other) 8.4 Inadequate SRs/ SSR oversight by PRs 8.5 Poor PR and SR staff capacity 8.6 Inadequate control framework

Page 19: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

17 | P a g e

8.7 Non-transparent or non-competitive PHPM procurement practices 8.8 Lack of internal controls in the PHPM procurement process 8.9 Socio political unrest and pressure 8.10 High value of previous single fraud events identified 8.11 Budget contains a high proportion of budget lines which are fraud

prone – so called “yellow-flag” budget items Theft or Diversion of Non-

financial Assets

9.1 Incomprehensive and inadequate fixed assets management 9.2 Inadequate health products stock management 9.3 Inadequate SR/ SSR oversight by PRs 9.4 High value of previous theft or diversion of non-cash assets

identified 9.5 Poor PR and SR staff capacity 9.6 Socio political unrest and pressure 9.7 History or indications of theft, diversion or unexplained losses

Financial Non-compliance

10.1 Inadequate budget monitoring and forecasting 10.2 History of reduced or delayed disbursements 10.3 History of unauthorized inter-grant borrowing 10.4 History of unauthorized reprogramming 10.5 History of other ineligible expenditures

Market and

Macroeconomic Losses

11.1 Recent or expected significant change in exchange rates 11.2 Percentage of budget subject to exchange rate fluctuations 11.3 Inadequate management and monitoring of exchange rate

fluctuations 11.4 Anticipated price increases for health products 11.5 History of unexpected significant price increases or high inflation

(excl. PHP) 11.6 History of financial and macroeconomic losses

Poor Financial Reporting

12.1 Inadequate financial information systems (PR and SR) 12.2 Inadequate financial records process and controls 12.3 Inadequate financial staff capacities and/or poor understanding of

Global Fund reporting requirements 12.4 Insufficient planning of PR & SR financial reporting and weak PR

control over SR financial reporting 12.5 Lack of budget variance analysis (SR) 12.6 History of delayed PR or SR reporting 12.7 Non-fulfillment of audit requirements

3. Health Services & Health Products Quality Risks

Treatment Disruptions

13.1 Previous stock-outs

13.2 Unpredictable or limited sources of supply 13.3 Inefficient or ineffective procurement processes 13.4 Lack of SOPs for procurement process or poor adherence to SOPs 13.5 Inadequate forecasting and quantification 13.6 Lack of coordination of pharmaceutical and health products

management activities 13.7 Inadequate storage and distribution practices/ capacity at central

(and/or peripheral) level 13.8 Inadequate inventory management practices 13.9 Inefficient Global Fund processes

Substandard Quality of Health Products

14.1 Record of past non- compliance with the Global Fund QA policies 14.2 Inadequate capacity for quality monitoring of products 14.3 Selection of a non-compliant QC laboratory with QA Policy 14.4 Inadequate temperature control and storage conditions 14.5 Presence of expired products in the supply chain 14.6 Lack of SOPs for storage and distribution or poor adherence to SOPs 14.7 Lack of capacity of national regulatory authorities (NRA) to

implement and oversee quality monitoring activities 14.8 Lack of coordinated approach in QA requirements 14.9 Insufficient resources dedicated to QA implementation at the

Secretariat

15.1 Gap in guidelines /policy framework related to prevention, diagnosis and treatment

Page 20: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

18 | P a g e

Poor Quality of Health Services & Use of Health

Products

15.2 Non- adherence to approved national or WHO guidelines when selecting products for procurement

15.3 Non-adherence of health professionals to approved prevention, treatment and care guidelines/protocols at facility level

15.4 Guidelines and protocols are not available at the facility level 15.5 Lack of mechanisms to support retention in treatment and adherence

to prescribed regimens 15.6 Insufficient monitoring/supervision of prescriber and provider

practices 15.7 Lack of capacity building/TA in rational use of medicines and health

products 15.8 Absence of functional national pharmacovigilance system 15.9 Inadequate number of qualified staff in health services

Human Rights barriers in accessing Health Services

16.1 Evidence of access issues at health facilities for securing health services

16.2 Lack of representation of key population groups on CCM or ineffective engagement of key population groups with CCM

16.3 Lack of equity assessment, poor reporting on equity-related indicators, and difficulty to assess and rely on in-country partners information or other sources to assess equity or human rights issues.

16.4 Evidence of inequity in service coverage (Outputs) or Outcomes and Impact

16.5 Gaps or weaknesses in programming and implementation for key population groups

16.6 Evidence of human rights violations in grant or program activities, or in country more generally from publicly available indices and reports

16.7 Conduciveness of country political, social, and legal environment to protection and promotion of Human Rights and Equity

4. Government Oversight and Management

17.1 Upcoming country elections or potential significant changes in national leadership

17.2 Security issues constraining capacity of PR to engage partners for local implementation and to ensure populations can access services

17.3 Inadequate ability to accurately monitor programme activities in conflict areas

Inadequate Security and Stability at the

national/subnational level

17.4 PR constrained in addressing specific security threats which target program providers and recipients

17.5 Significant changes in national leadership and strategies compromise continuity of health system support for grant programs

18.1 Ineffective PR & Program Management Unit (PMU) governance

Limited PR Governance &

Oversight

18.2 Upcoming country elections or potential significant changes in national leadership

18.3 Conflicts of interest within the PR senior leadership and management

18.4 Inadequate PR internal control procedures, and internal and external audit requirements, practices, and follow-up on issues identified

18.5 Lack of clear risk management responsibilities and activities within PR management

18.6 Inappropriate or ineffective SR selection by PR 18.7 Limited authority or ability of PR to respond appropriately to

identified and follow-up on SR management issues 18.8 Inadequate management information systems at PR level, or

inadequate reporting infrastructure for SRs to report to PRs, to support effective governance and oversight

18.9 Insufficient frequency and quality of communications, site visits, and verification of program activities by PRs

Page 21: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

19 | P a g e

18.10 Complexity of grant implementation arrangements 18.11 Poor PR engagement and coordination with partners, program

stakeholders and other relevant actors in the health sector, including across grants and programs

18.12 Limited Partner capacity for providing Technical Assistance related to PR Governance & Oversight

19.1 Insufficient PR and PMU staff capacity for satisfying with Global Fund reporting requirements including submitting high-quality grant deliverables in a timely manner

Limited PR Reporting & Compliance

19.2 Poor Quality, completeness and timeliness of deliverables and reporting by PR

19.3 Non-compliance with grant terms & conditions, and progress against CPs and other conditions and management actions by PRs and SRs

19.4 Non-fulfillment of audit requirements 19.5 Inadequate Management Information Systems at PR level and for

reporting from SRs to PRs, to support Global Fund reporting requirements

19.6 Complexity of grant implementation arrangements 19.7 Limited partner capacity for providing Technical Assistance related

to Global Fund reporting and other requirements 20.1 Country Team members inadequate engagement including missions

to familiarize themselves with local context, impacting on quality of oversight

Limited Secretariat oversight and LFA

verification

20.2 Frequent changes in the County Team members, which affects team’s ability to provide consistent quality oversight and support to the in-country stakeholders

20.3 Delays in and clarity of communication and guidance by Country Team to in-country partners (CCM and PRs) compromise the ability of PR to address grant management issues effectively.

20.4 Infrequent in-country LFA verifications results in limited LFA communication with CCM, PR, partners, external auditors, and relevant national bodies

20.5 Frequent changes in LFA team result in limited contextual knowledge and lack of established communication practices with PR and CCM

20.6 Lack of regular debriefing by LFA at the end of each mission resulting in delay in feedback to PR to address grant management issues

21.1 Inadequate SR internal control procedures, and internal and external audit requirements, practices, and follow-up on issues identified

Inadequate SR Governance

& Oversight

21.2 Ineffective SR & Management Unit governance 21.3 Inappropriate or ineffective SSR selection by SR 21.4 Inadequate management information systems at SR level, or

inadequate reporting infrastructure for SSRs to report to SRs, to support effective governance and oversight

21.5 Insufficient frequency and quality of communications, site visits, and verification of program activities by SRs

22.1 Insufficient SR staff capacity for submitting high-quality grant deliverables in a timely manner

22.2 Non-fulfilment of audit requirements Inadequate SR Reporting & Compliance

22.3 Inadequate Management Information Systems at SR level and for reporting from SSRs to SR

Ineffective CCM Oversight

23.1 Poor access by PRs and other stakeholders to CCM information and decision-making raising concerns regarding transparency

23.2 CCM oversight processes irregular and not systematic leading to PR being unclear of oversight support available and of schedule of oversight activities

23.3 Lack of standardized reporting format and schedule for PRs to report to CCM

23.4 Frequent changes in CCM oversight membership results in limited contextual knowledge of grant implementation challenges

23.5 Delays in and lack of clarity of CCM decision-making and communication on issues raised by PRs to strengthen grant performance compromise grant implementation

Page 22: The Grant Risk Assessment and Management (GRAM ) Tool...2. GRAM: The PR (implementer) risk management tool: GRAM (Grant Risk Assessment and Management) is a tool designed specifically

20 | P a g e