Every organisation needs to take risk to achieve its objectives. Sometimes the greatest risk is inaction. Effective risk management optimises outcomes by balancing risk versus reward and the cost of mitigation versus the potential benefit. The Alliance’s risk appetite statement broadly defines the level of risk the Alliance is willing to take, accept or tolerate to achieve its goals.
In December 2014, the Gavi Board adopted a comprehensive approach to risk management covering strategic, operational, programmatic and corporate risks, and approved the risk policy. Since then, we have continued to embed risk management practices in daily operations, planning and decision-making across the Alliance.
In 2015, we reorganised our risk management and assurance functions around a best-practice "three lines of defence" model:
- First line: understanding, monitoring and active management of risk in core business activities and country programmes.
- Second line: specialist support and objective monitoring through control and oversight functions, providing an additional "check and balance" on first-line activities.
- Third line: independent auditing of the first and second lines of defence to provide assurance that their risk management is effective.
A dedicated "risk function" coordinates, facilitates and monitors the implementation of effective risk management practices across the Alliance. The Secretariat’s Risk Committee, chaired by the CEO with senior leadership from across the organisation, systematically reviews the top risks allocated to risk owners in the organisation.
Risk is a standing item on the agenda of all Gavi Board meetings, and the Audit and Finance Committee of the Board oversees the effectiveness of risk management systems and processes.