


United Nations Risk Assessment: Department of Management, 10 Jul 2008

From WikiLeaks


Unless otherwise specified, the document described here:

  • Was first publicly revealed by WikiLeaks working with our source.
  • Was classified, confidential, censored or otherwise withheld from the public before release.
  • Is of political, diplomatic, ethical or historical significance.

Any questions about this document's veracity are noted.

The summary is approved by the editorial board.


Release date: January 12, 2009

Summary

United Nations Office of Internal Oversight Services (UN OIOS) 10 Jul 2008 report titled "Risk Assessment: Department of Management" relating to the Audit Reports Jan-Sept 2008. The report runs to 83 printed pages.

Note: Verified by Sunshine Press editorial board


Further information

Context
International organization
United Nations Office of Internal Oversight Services
Authored on: July 10, 2008
File size in bytes: 282566
File type information: PDF
Cryptographic identity: SHA256 677baa4c156e75d4456b18f174faa8f04bff0f2b0353756066316eab8b2757a4


Simple text version follows

  INTERNAL AUDIT DIVISION




RISK ASSESSMENT

Department of Management

10 July 2008
Assignment No. AH2007/510/04


-----------------------------------------------------------------------------------------

                   INTERNAL AUDIT DIVISION




FUNCTION          "The Office shall, in accordance with the relevant provisions of the
                  Financial Regulations and Rules of the United Nations examine,
                  review and appraise the use of financial resources of the United
                  Nations in order to guarantee the implementation of programmes and
                  legislative mandates, ascertain compliance of programme managers
                  with the financial and administrative regulations and rules, as
                  well as with the approved recommendations of external oversight
                  bodies, undertake management audits, reviews and surveys to
                  improve the structure of the Organization and its responsiveness
                  to the requirements of programmes and legislative mandates, and
                  monitor the effectiveness of the systems of internal control of
                  the Organization" (General Assembly Resolution 48/218 B).




CONTACT INFORMATION

                  DIRECTOR:
                  Dagfinn Knutsen, Tel: +1.212.963.5650, Fax: +1.212.963.2185,
                  e-mail: knutsen2@un.org

                  DEPUTY DIRECTOR:
                  Fatoumata Ndiaye, Tel: +1.212.963.5648, Fax: +1.212.963.3388,
                  e-mail: ndiaye@un.org

                  CHIEF, HEADQUARTERS AUDIT SERVICE:
                  William Petersen, Tel: +1.212.963.3705, Fax: +1.212.963.3388,
                  e-mail: Petersen@un.org


-----------------------------------------------------------------------------------------

PARTICIPANTS

The OIOS risk assessment team conducted workshops and interviews with the following staff members of the Department of Management to gain an understanding of existing organizational relationships, risks, controls and processes.

Table 1: List of participants (Focus Area, then Name and Function)

Strategic Management and Governance
  • Alicia Barcena, former Under-Secretary-General, Department of Management (DM)
  • Simona Petrova-Vassileva, Director and Principal Officer, Office of the Under-Secretary-General (OUSG), DM
  • Lena Dissin, Principal Officer, OUSG
  • Nancy Hurtz Soyka, Audit Compliance and Management Performance Unit, OUSG
  • Jonathan Childerley, Senior Management Analyst and Chief, Audit Compliance and Management Performance Unit, OUSG
  • Cass Durant, Senior Management Analyst, OUSG

Executive Office
  • Venketachalam Krishnan, Executive Officer
  • Nancy Tan Van Der Mark, Administrative Officer
  • Gudrun Fosse, Finance Officer

Financial Management
  • Warren Sach, Assistant-Secretary-General (ASG) of Office of Programme Planning, Budget and Accounts (OPPBA) and Controller
  • Jayantilal Karia, Director, Accounts Division and O-I-C, Peacekeeping Financing Division, OPPBA
  • Frances Zainoeddin, OPPBA
  • Lionelito Berridge, Chief, Contributions Service, Accounts Division
  • Moses Bamuwamye, Office of the ASG, OPPBA
  • Raj Rikhy, Deputy Director, Accounts Division
  • Vera Rajic, Chief, Insurance & Disbursement Service, Accounts Division
  • Chulmin Kang, Chief, Central Accounts, Accounts Division
  • Sejong Lee, Chief, Peacekeeping Accounts Section, Accounts Division
  • Esther Boxill, Chief, Trust funds and Tech Cooperation Accounts and Revenue Accounts Section, Accounts Division
  • Rana Venugopalan, Chief Payroll Section, Accounts Division
  • Sunitha Korithiwada, Chief Payroll Operations Unit, Accounts Division
  • Wai-sing Eddie Lee, Chief, Income Tax Unit, Accounts Division
  • Patricio Gimarino, Chief, Travel and Vendors Claims Processing Unit, Accounts Division
  • Tana Lambrakos, Secretary, Advisory Board on compensation, Accounts Division
  • Unis Williams-Baker, IPSAS Implementation Accountant
  • Jasminka Haznadar, Chief, Risk Management Unit, Accounts Division
  • Mavis Carroll-Emory, Chief, Health and Life Insurance Section, Accounts Division
  • Christopher Monier, Chief, System Support Section, Accounts Division
  • George Kyriacou, Chief, IMIS Help Desk, Accounts Division
  • Sharon Van Buerle, Director, Programme Planning and Budget Division (PPBD)
  • Thuy Basch, Chief, System Control Unit, Programme Planning and Budget Division (PPBD)
  • Dennis Thatachaichawalit, Chief, Substantive Services I, PPBD
  • Linda Wong, Chief, Substantive Services II, PPBD
  • Katrina Nowlan, Chief, Substantive Services III, PPBD
  • Sophie Veaudour, O-I-C, Policy Coordination Unit, PPBD
  • Farooq Chowdhury, Senior Investment Officer and O-I-C Treasury
  • Teklay Afeworki, Senior Finance Officer, Oil-For-Food Section, Treasury
  • Susan Bajardi, Senior Investment Officer, Investment Section, Treasury
  • Kyoko Maki, Cashier, Treasury
  • Igor Vallye, Peacekeeping Financing Division
  • Maria Felisa Shearhouse, Peacekeeping Finance Division
  • Michael Chappel, Peacekeeping Financing Division
  • Aamir Awan, Peacekeeping Finance Division

Human Resources Management
  • Serguei Agadjanov, Chief, Planning Administration and Monitoring Service
  • Andree Chami, Chief, Common Services Activities at HQ Section
  • Norma Castillo Guerrero, Econ., Soc., Pol., Legal and Info. Activities Section
  • Sumiyo Sudo Rao, OIC, Offices at HQ with Field Activities Section
  • Monique Vikati, Acting Chief, Operational Support Division, OHRM
  • Maha El-Bahrawi (William Mudiwa), Chief, Overseas Offices Section
  • Ying-Y Tang, Chief, Staffing Services
  • Yves Michels, Deputy Director, Operational Service Division
  • John Lee Ericson, Chief, Professional and Above Staffing Services
  • Yukihiro Mizutami, General Service & Related Categories Staffing Section
  • Ozzier Khan (Jean Kinda), Human Resources Information Technology Section
  • Sandra Mary Haji-Ahmed, Director, Operational Service Division
  • Anne Gunning, Chief Learning Section
  • Marianne Brzak-Metzer, Chief, Conditions of Services Section
  • Tine Tyner, OIC, Policy Support Unit
  • Geraldine Gourves-Fromigued, Administrative Officer
  • Dorretta Miraglia, Personnel Officer
  • Brian John Davey, Director, Medical Service
  • Serguei Oleinikov, Office of the Director
  • Michel Pelsise, Chief, Examinations and Tests Section
  • Ana Parrondo, Examinations Officer
  • Justine Rubira, Associate Examination Officer
  • Weicheng Lin, Secretary of the Joint Appeals Board
  • Adele Grant, Chief, ALU
  • Alexandria Toth, Panel on Discrimination and Other Grievances
  • Cathrine Claxton, Secretary, Panel of Counsel

Procurement Management
  • Paul Buades, Director, Procurement Service
  • Jennifer Branche, Chief, Procurement Service Section
  • Yavar Khan, Chief, Headquarters Procurement Section
  • Kiyohiro Mitsui, Chief, Support Services Unit
  • Mathias Meyerhans, Chief Logistics & Transport Section
  • Frank Eppert, Senior Contracts Officer
  • Michiko Kuroda, Senior Management Analyst

Information Technology Management
  • Soon-Hong Choi, Chief Information Technology Officer
  • Eduardo Blinder, Director, ITSD
  • John Campbell, Chief, Operation Service
  • Anthony Wilson, Chief, Systems Management Section
  • Thomas Baxter, Chief, Network Operations Section
  • Curling Smith, Chief, Technical Infrastructure and Operation Plan Section
  • Christian Saunders, Chief, Coordination and Support Service
  • Merceditas Ycasiano, Service Coordination Section
  • Peer Just, ICT Quality Assurance & Risk Mgmt. Section
  • Vladimir Reyes, IT Service/Service Desk
  • Chandramouli Ramanathan, Chief, Information Management Service
  • Alexander Ezhkov, IMIS Strategy Section
  • Dat Chi Luong, Content Mgmt Solution Section
  • Michael Clark, Chief, Software Solution Service
  • Pedro Guarda, Resources Mgmt System Section
  • Emile Oberwetter, Knowledge Mgmt System Section

Facilities and Commercial Management
  • Joan McDonald, Director, FCSD
  • Andrew Nye, Chief, Facilities Management Services
  • Luis Enrique Calzada, Admin., Finance & Personnel Section
  • Claudio Santangelo, Planning, Design & Overseas Properties Section
  • Florin Ionescu, Chief, Planning, Design & Overseas Properties Section
  • Liana Santoro, Chief, Office Space Planning
  • Christian Gottlicher Palafox, Property Management
  • Vivian Patron-Acevedo, Garage Administration
  • Zoran Markovic, Broadcasting & Conference Support Service
  • Lamin Jobe
  • Anton Bronner, Chief, Commercial Activities Service
  • Robert Gray, Chief, United Nations Postal Administration
  • Bridget Sisk, Chief, Archives and Records Mgmt. Section
  • Thomas Hanley, Travel and Transportation Service
  • Toshio Mikami, Chief, Travel Section
  • Melanie De Leon, Special Service Section
  • Barbar Christiani, Commercial Activities Services
  • Ricardo Mena, Chief, Business Continuity Management Unit
  • Daniela Wuerz, Business Continuity Management Unit
  • Joseph Pezillo, Mail Operations


-----------------------------------------------------------------------------------------

SUMMARY OF RISK RATINGS

The risk assessment identified the following areas as Higher, Moderate and Lower Risk. A summary of the identified risks is shown below. Full details of the identified risks are listed in the attached risk register.

The overall risks have been rated as "higher risk", "moderate risk", or "lower risk" based on OIOS' assessment of the likelihood and impact of the occurrence of events or actions that might adversely affect the Organization's ability to successfully achieve its objectives and execute its strategies, after taking into account the representations made by programme managers concerning actions they have taken to prevent or mitigate the identified risks.

Table 2: Summary of identified risks

Focus Area                                        Overall Risk
i. Strategic Management and Governance            Higher Risk
ii. Human Resource Management                     Higher Risk
iii. Procurement and Contract Administration      Higher Risk
iv. Information Technology Management             Higher Risk

i. Financial Management                           Moderate Risk
ii. Property and Facilities Management            Moderate Risk

(none listed)                                     Lower Risk

-----------------------------------------------------------------------------------------

RISK REGISTER


-----------------------------------------------------------------------------------------

Risk Assessment of: Department of Management

Columns: No | Interview/Review Summary (Description of risk) | OIOS Assessment | Strategic Risk Category | Likelihood | Impact | Overall Risk

1. Focus Area: Strategic Management and Governance
   Likelihood: Possible | Impact: High | Overall Risk: Higher Risk

I. Executive direction
   Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk

E(i) The implementation of the Capital Master Plan (CMP) represents a risk to business continuity given the proximity of the CMP project to the Security Council, Secretary-General (SG), and General Assembly (GA).
   Strategic Risk Category: Operational | Likelihood: Possible | Impact: High | Overall Risk: Higher Risk

B(i) The lack of understanding of the Department of Management's (DM) objectives, mandates and scope of responsibilities by its clients (i.e. other organizational units of the Secretariat) may result in unrealistic expectations that cannot be satisfied by DM.
   OIOS Assessment: DM's communication strategy, i.e., to use i-seek to provide information on DM initiatives. In addition, DM issues administrative instructions (AIs).
   Strategic Risk Category: Governance | Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk

E(ii) The lack of effective mechanisms to ensure compliance with financial rules and regulations or judicious use of Member State funds may result in diminished public confidence in the use of the funds.
   OIOS Assessment: Office of Programme Planning, Budget and Accounts (OPPBA) issues allotments, approves redeployment of funds from one category to another, monitors use of resources, prepares budget performance reports. OPPBA is also responsible for financial accounting and reporting of the Secretariat. The Financial Regulations and Rules of the UN (ST/SGB/2003/7) govern these activities.
   Strategic Risk Category: Operational | Likelihood: Possible | Impact: High | Overall Risk: Higher Risk

B(ii) Lack of clarity about responsibilities and accountability of delegation of authority given to managers and duty stations (e.g. the Departments of Peacekeeping Operations (DPKO) and Field Support (DFS)).
   OIOS Assessment: DM monitors its delegated authority; however, additional monitoring tools are needed. DM posts a guidebook on Delegation of Authority on its website which provides some guidance, however, it is incomplete and not precise.
   Strategic Risk Category: Governance | Likelihood: Possible | Impact: High | Overall Risk: Higher Risk

A(i) Lack of strategic vision regarding overall staffing management may result in the failure to fulfill mandates.
   OIOS Assessment: The SG report on investing in people. Also, DM is piloting strategic workforce initiatives.
   Strategic Risk Category: Strategy | Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk


A(ii) Lack of integrated mobility strategy may result in failure to fulfill mandates.
   OIOS Assessment: SG report on investing in people. Also, DM is piloting strategic workforce initiatives.
   Strategic Risk Category: Strategy | Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk

B(iii) Negative perception of procurement function may result in ineffective and inefficient procurement management practices.
   OIOS Assessment: Procurement reforms are ongoing.
   Strategic Risk Category: Governance | Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk

B(iv) Negative perception of Human Resources (HR) function may result in ineffective and inefficient human resource practices. DM is criticized for certain delays which it cannot correct, such as length of time taken by PCO.
   OIOS Assessment: Heads of Departments' Compact with the SG concerning HR recruitment process may switch the emphasis from DM.
   Strategic Risk Category: Governance | Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk

A(iii) Lack of strategic view by requisitioning departments along with the lack of training provided to requisitioners exacerbate the time required to complete a procurement.
   OIOS Assessment: Procurement Service trained and is training requisitioners.
   Strategic Risk Category: Strategy | Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk

E(iv) Resolutions put forth by the GA require significant interpretation in order to be operationalized. Risks include:
   - Misinterpreting Member States' intentions
   - GA mandates being compromised
   Strategic Risk Category: Operational | Likelihood: Possible | Impact: High | Overall Risk: Higher Risk

B(iv) Lack of clarity about DSS and DM roles and responsibilities for safety/security creates inefficient use of resources and potential duplication of efforts.
   Strategic Risk Category: Governance | Likelihood: Possible | Impact: High | Overall Risk: Higher Risk

D(i) Balancing "Greening" of the UN and the associated costs will be a challenge to the CMP.
   Strategic Risk Category: Financial | Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk

B(v) Various funds and programmes are operating under the UN brand when they are really only tangential to the Secretariat. UN has no visibility into their operations which creates significant reputation risk (e.g., UNDP, UNEP, UNICEF).
   Strategic Risk Category: Governance | Likelihood: Possible | Impact: High | Overall Risk: Higher Risk

A(iv) Lack of strategic planning regarding recruitment and mobility policies
   OIOS Assessment: Strategic workforce initiative and the SG report on investing in people.
   Strategic Risk Category: Strategy | Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk


A(v) Lack of strategic vision towards clustering activities that could be shared across departments (ex: HR and Budgets), that are currently creating inefficiencies.
   Strategic Risk Category: Strategy | Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk

C(i) ST/AIs issued by the USG/DM may violate the principles of the UN and thus diminish the reputation of the UN.
   OIOS Assessment: ST/AIs are reviewed by the Administrative Law Unit (ALU) and the Office of Legal Affairs (OLA) before issuance.
   Strategic Risk Category: Compliance | Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk

II. Support to the Office of the USG
   Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk

D(i) The concurrent implementation of multiple transformative initiatives exerts pressure on existing resources. This may result in delay in the implementations of General Assembly mandated reports and reforms.
   OIOS Assessment: Substantive offices with specialized expertise in all areas of management to perform the technical tasks connected with specific requests of the GA. The USG has support staff that is responsible to ensure a coordinated, effective response to the requests of the GA. The budgetary process provides for the preparation of a Programme Budget Implication for each mandate or substantially modified mandate. This process should ensure that appropriate amounts of resources are authorized by the GA for each new initiative. However, the OUSG stated that the GA sometimes makes requirements without providing new resources.
   Strategic Risk Category: Financial | Likelihood: Possible | Impact: High | Overall Risk: Higher Risk

F(i) Loss of institutional memory may result in inefficient and ineffective support to the USG. This may impede the implementation of reforms/initiatives.
   OIOS Assessment: According to the OUSG, there are neither policies nor procedures for the effective capturing, creation, sharing, leveraging, preservation, and dissemination of knowledge both internally and externally. New initiative for knowledge management.
   Strategic Risk Category: Human Resources | Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk

E(i) Inability to fulfill all mandates due to the lack of adequate resources.
   OIOS Assessment: DM administers the budgetary process for the Secretariat.
   Strategic Risk Category: Operational | Likelihood: Possible | Impact: Medium | Overall Risk: Moderate Risk


-----------------------------------------------------------------------------------------

      1   Focus Area: Strategic Management and Governance          Strategic   Possible High   Higher Risk

No        Interview/Review Summary (Description of risk)           OIOS Assessment           Risk Category   Likelihood   Impact   Overall Risk
          E(ii) Failure to implement critical recommendations of                                                             Operational Possible High   Higher Risk
          oversight bodies - i.e. Joint Inspection Unit (JIU), OIOS,
          Board of Auditors (BOA) may result in persistent
          inefficiencies and loss of public confidence in United
          Nations.
          B(i) Unclear delineation of responsibilities between the      The OUSG stated that it anticipates re-              Governance Possible High    Higher Risk
          OUSG and other organizational units of DM (e.g. OHRM)         organization.
          may result in duplication of functions.
          E(iii) There are no training programmes and career path                                                            Operational Possible Medium Moderate Risk
          for staff and this makes it difficult to recruit/retain
          technical staff.
III       Administrative support to the organizational units of DM - Executive Office (EO)                                               Possible Medium Moderate Risk
          F(i) Inaccurate, inefficient reporting regarding DM's         The Executive Office (EO) is required to report      Human       Possible High   Higher Risk
          human resources management practices may impede the           periodically regarding the ages, genders, and        Resources
          ability of DM to obtain appropriate levels of resources to    nationalities of DM staff as well as vacancy rates
          implement its mandates/programmes. Vacancy rates and          and length of time of vacancies.
          other HR statistics of the DM may not be accurate.

          F(ii) Slow and ineffective recruitment of all categories of   Recruitment of all categories of staff including  Human          Possible Medium Moderate Risk
          staff may impede the delivery of programmes. This may         short-term consultants must comply with policies Resources
          in turn frustrate efforts to obtain funding for other         and procedures promulgated by the Office of
          priorities. Authorized posts are often not encumbered for     Human Resources Management (OHRM). For
          a long period of time.                                        example, Senior Management Compacts and
                                                                        Human Resource Action Plans (HRAP) require
                                                                        heads of departments to indicate progress on
                                                                        agreed-upon goals including HR actions.
                                                                        Compacts will be published on "i-seek" which will
                                                                        promote transparency and accountability.

          F(iii) The poor performance of some staff may result in       The electronic performance appraisals system         Human       Possible High   Higher Risk
          low levels of programme performance.                          (ePAS) is used as the tool for performance           Resources
                                                                        management.




         D(i) The delivery of programmes and mandates may be            The EO uses instructions provided by the Office of Financial   Possible Medium Moderate Risk
         impeded due to inadequate resources. If the resources          Programme, Planning, Budget and Accounts
         required to implement the programmes and mandates of           (OPPBA). According to the EO, the instructions
         the DM are not accurately determined and convincing            are also provided to the managements of
         justification provided, legislative bodies may refuse to       substantive units of DM. The Budget Information
         provide the requested resources.                               System (BIS) and Integrated Monitoring &
                                                                        Documentation System (IMDIS) in preparing the
                                                                        strategic framework, programme budget
                                                                        implications of new/modified mandates, the
                                                                        proposed budget outlines and proposed
                                                                        programme budgets.
         D(ii) Inaccurate, unreliable financial/programme               The EO plays the central role in preparing the     Financial   Possible High   Higher Risk
         performance reporting may impede the delivery of               programme/financial performance reports. The
         programmes and mandates. If the EO fails to properly           EO uses instructions provided by the Programme
         explain how previously authorized resources are used,          Planning and Budget Division (PPBD), BIS,
         legislative bodies may refuse the DM's requests for            IMDIS, and IMIS in preparing its performance
         additional resources.                                          reports. For reporting purposes, adjustments are
                                                                        often made to reallocate/align funds.

         D(iii) Inaccurate, unreliable information on the status of Financial authorizations are monitored manually.      Financial    Possible Low    Lower Risk
         financial authorizations ties up resources and thus
         impedes the delivery of competing programme priorities.

IV       Risk Management and internal controls
         A(i) Lack of a formal anti-corruption strategy may result in                                                     Strategy     Possible High   Higher Risk
         higher risk of corruption and fraud and possible financial
         losses and damage to the UN's reputation

         B(i) Lack of effective Enterprise Risk Management (ERM) DM in process of developing comprehensive                Governance Possible High     Higher Risk
         and Internal Control Framework could result in ad hoc   accountability architecture including ERM and
         and inconsistent analysis of business risks to the      internal control framework
         Organization




         E(i) Ineffective monitoring of internal controls in the      DM in process of developing comprehensive       Operational Possible High   Higher Risk
         Organization may result in breakdown of controls and         accountability architecture including ERM and
         consequently inability to meet objectives, financial loss or internal control framework
         fraud.





                                  Risk Assessment of: the Department of Management
     2    Focus Area: Financial Management          Fin   Possible Medium Moderate Risk

No       Interview/Review Summary (Description of risk)           OIOS Assessment           Risk Category   Likelihood   Impact   Overall Risk
I        Accounting system and standards                                                                                                Possible High   Higher Risk
         D(i) Non-conformity with internationally recognized          The UN is adopting the International Public        Financial      Possible Medium Moderate Risk
         accounting standards could impact the reliability and        Accounting Standards (IPSAS).
         integrity of the UN financial reports.
         G(i) Inadequate information systems' support may             The Accounts Division implements additional         Information   Likely   Medium Higher Risk
         impede the reliability and integrity of financial reports.   manual procedures. For example, in preparing        Resources
         Financial information used in reporting is generated in      financial reports, accounting staff perform various
         several systems (e.g. SUN Accounting System used by          analyses and routinely follow up with approving
         peacekeeping and political missions) that are not            officers at offices away from Headquarters for
         integrated with IMIS and are not under the purview of the    clarification.
         Accounts Division.
                                                                   The UN is in the process of implementing an
                                                                   Enterprise Resource Planning (ERP) System
                                                                   which is expected to address the current
                                                                   impediments to accounting and reporting.
         G(ii) Delay in implementing ERP may impact the timely     ERP and IPSAS teams have been established.         Information       Possible High   Higher Risk
         implementation of IPSAS. This in turn may result in cost- Full-time staff has been allocated to the IPSAS    Resources
         overruns and negatively impact the reputation of the      project. The IPSAS team stated that it will
         United Nations. The public may think that the UN is not develop and conduct training of users and
         committed to implementing best practice in financial      stakeholders. The Chief Executive Board (CEB),
         management.                                               which includes representatives of the Secretariat,
                                                                   UN agencies, funds and programmes, provides
                                                                   the oversight to the IPSAS project.




         B(i) Financial reports may not be completed in a timely         The Financial Regulations and Rules of the UN      Governance Possible Medium Moderate Risk
         manner and may not accurately present the financial             (ST/SGB/2003/7) govern. OAHs have delegation
         position of the United Nations due to insufficient visibility   of accounting and reporting responsibility, while
         of the Accounts Division over the accounting and                the Accounts Division is responsible for preparing
         reporting activities of offices away from Headquarters          and presenting the Secretariat's Accounts. In
         (OAHs) and peacekeeping/political missions. OAHs may            preparing financial reports, accounting staff
         incorrectly interpret and apply established accounting          perform various analyses and routinely follow up
         standards.                                                      with approving officers at OAHs for clarification.

                                                                         The annual gathering of finance officers from
                                                                         OAHs and missions is used to share
                                                                         experiences, best practices and for training.

                                                                         Audits/reviews by BOA, OIOS and JIU are
                                                                         additional controls.

II       Programme planning and budgeting                                                                                            Possible High    Higher Risk
         D(i) Proposed cost estimates submitted to DM may not        Three key processes are implemented prior to the Financial      Remote High      Moderate Risk
         be in line with programmes' priorities thereby resulting in preparation of the cost estimates and the budgets.
         GA mandated programmes not being implemented.               They include: (a) the preparation of the strategic
                                                                     framework, which establishes indicators of
                                                                     achievement and identifies outputs for each
                                                                     programme; (b) preparation of the programme
                                                                     budget implications of new/revised mandates; and
                                                                     (c) preparation of the budget outline, reflecting the
                                                                     overall estimated resource requirements outputs
                                                                     identified in the strategic framework. These
                                                                     require the involvement of the GA, DM and the
                                                                     substantive programmes.




         D(ii) Lack of sufficient understanding by substantive      For each budget cycle, DM issues budget             Financial   Possible Medium Moderate Risk
         programmes of the relevant mandates and United Nations     instructions (i.e. separate instructions are issued
         Financial Regulations and Rules on programme planning      for the regular budget and the extrabudgetary
         and budgeting (including the budgetary process) may        (XB)) that are used by substantive programmes in
         result in unreasonable cost estimates being submitted to   preparing their respective cost estimates. These
         DM.                                                        instructions are based on DM's interpretations of
                                                                    the relevant mandates of the GA; the Regulations
                                                                    and Rules Governing Programme Planning, the
                                                                    Programme Aspect of the Budget, the Monitoring
                                                                    of Implementation and the Methods of Evaluation
                                                                    (ST/SGB/2000/8); Financial Regulations and
                                                                    Rules of the United Nations; and additional
                                                                    requirements of the ACABQ.

         C(i) Non-compliance of substantive programmes with         Financial Regulations and Rules of the United      Compliance Possible Medium Moderate Risk
         budget instructions may result in over/under budgeting.    Nations - e.g. see Rule 105.5.
         Substantive programmes may submit cost estimates late,
         without complete data, with incorrect data, and without
         regard to the budget outlines. This may overwhelm the
         DM resulting in its inability to accurately identify all
         anomalies during its review of the received cost
         estimates.
         E(i) Lack of adequate procedures to be implemented by      The Programme Planning and Budget Division      Operational Remote      Medium Lower Risk
         DM during its review of cost estimates and the             (PPBD) of the Office of Programme Planning,
         preparation of budgets may result in over/under-           Budget and Accounts (OPPBA) is responsible for
         budgeting.                                                 reviewing cost estimates of substantive
                                                                    programmes and preparing the budgets. PPBD
                                                                    has dedicated staff and standardized procedures
                                                                    for reviewing the proposed cost estimates of
                                                                    substantive programmes. Follow-up procedures of
                                                                    the PPBD are standardized.




         B(i) Political pressures may impede DM's ability to ensure                                                        Governance Possible Medium Moderate Risk
         compliance with the budget outline and therefore result in
         over/under-budgeting. Some substantive programmes
         sometimes provide cost estimates over and above their
         allocated planning figure based on the GA-approved
         budget outlines hoping that they will exert political
         pressure on DM.
         C(ii) Non-compliance of substantive programmes with the      (a) PPBD implements mechanisms for monitoring Compliance Possible High           Higher Risk
         Financial Regulations and Rules of the UN may result in      the use of allotments by substantive programmes.
         fraud, waste and abuse. This may negatively impact the       IMIS and BIS are the critical IT systems used.
         reputation of the UN and also affect future budgetary
         processes.                                                   (b) PPBD performs periodic reviews and prepares
                                                                      budget performance reports for the regular
                                                                      budget.

                                                                      (c) PPBD ensures that programme managers
                                                                      perform periodic reviews and report on their use
                                                                      of XB resources.

                                                                      (d) The Controller designates a certifying officer
                                                                      for each account/sub account in accordance with
                                                                      ST/SGB/2003/7.

         G(i) Inadequate IT support may impede proper budgeting       IMIS and NOVA are used but according to PPBD, Information        Possible Medium Moderate Risk
         and control of XB resources.                                 these systems are not adequate.               Resources
         F(i) Inadequate human resources (in terms of skill sets                                                    Human              Possible Medium Moderate Risk
         and skill-mix, quantity and quality) may impede proper                                                     Resources
         budgeting and monitoring. This in turn may impact the
         delivery of mandates and programmes.
         E(ii) Delays in presenting the SG's proposed programme       There are slot dates for submission of proposed      Operational Remote   High   Moderate Risk
         budget to legislative bodies may negatively impact on the    programme budgets to legislative bodies. These
         implementation of mandates.                                  dates which are established and monitored by
                                                                      legislative bodies (ACABQ, 5th Committee) must
                                                                      be complied with.



III       Peacekeeping financing                                                                                                     Possible Medium Moderate Risk
          B(i) Lack of clearly delineated roles and responsibilities of                                                   Governance Likely   Low    Moderate Risk
          DM, DPKO, and DFS regarding the financial
          management of peacekeeping/political missions may
          result in duplication of effort between the three
          departments.
          D(i) Proposed cost estimates submitted to PFD by              Periodic planning activities are implemented by   Financial    Possible High   Higher Risk
          missions may not be in line with the missions' mandates DPKO and DFS for each mission.
          thereby resulting in mandates not being implemented.

          D(ii) Lack of sufficient understanding by missions of the    For each budget cycle, DM issues budget             Financial   Possible Medium Moderate Risk
          relevant mandates and United Nations Financial               instructions that are used by missions in preparing
          Regulations and Rules on programme planning and              their respective cost estimates. These
          budgeting (including the budgetary process) may result in    instructions are based on DM's interpretations of
          unreasonable cost estimates being submitted to DM.           the relevant mandates of the GA; the Regulations
                                                                       and Rules Governing Programme Planning, the
                                                                       Programme Aspect of the Budget, the Monitoring
                                                                       of Implementation and the Methods of Evaluation
                                                                       (ST/SGB/2000/8); Financial Regulations and
                                                                       Rules of the United Nations; and additional
                                                                       requirements of the ACABQ.

          C(i) Non-compliance by missions with budget instructions Financial Regulations and Rules of the United          Compliance Possible Medium Moderate Risk
          may result in over/under budgeting.                         Nations - e.g. see Rule 105.5.
          Peacekeeping/political missions may submit cost
          estimates late, without complete data, with incorrect data,
          and without regard to the budget outlines. This may
          overwhelm the DM resulting in its inability to accurately
          identify all anomalies during its review of the submitted
          cost estimates.




         E(i) Lack of adequate procedures to be implemented by   PFD is responsible for reviewing cost estimates of Operational Remote    High    Moderate Risk
         DM during its review of cost estimates and the          substantive programmes and preparing the
         preparation of budgets may result in over/under-        budgets. PFD has dedicated staff and
         budgeting.                                              standardized procedures for reviewing the
                                                                 proposed cost estimates of substantive
                                                                 programmes.
         D(ii) Inflexible fund management policies may result in                                                    Financial   Remote   High    Moderate Risk
         some mandates not being implemented. Some
         mandates may not be adequately funded while others
         may be excessively funded. However, DM is not allowed
         to use the resources designated for one mission for
         another.
         E(ii) Delays in presenting the SG's proposed programme There are slot dates for submission of proposed Operational Remote Medium Lower Risk
         budget to legislative bodies may negatively impact on the programme budgets to legislative bodies. These
         implementation of mandates.                               dates, which are established and monitored by
                                                                   legislative bodies (ACABQ, 5th Committee), must
                                                                   be complied with.
         C(ii) Non-compliance of missions with the Financial       (a) PFD implements mechanisms for issuing and Compliance Possible High Higher Risk
         Regulations and Rules of the United Nations may result in monitoring the use of allotments by substantive
         fraud, waste and abuse. This may negatively impact the programmes. IMIS and Funds Management Tool
         reputation of the United Nations and future budgetary     (FMT) are the critical IT systems used in issuing
         processes.                                                and monitoring allotments.

                                                                 (b) PFD performs periodic reviews and prepares
                                                                 budget performance reports.

                                                                 (c) The Controller designates a certifying officer
                                                                 for each account/sub account in accordance with
                                                                 UN Financial Regulations and Rules
                                                                 ST/SGB/2003/7.

                                                                 (d) Audits performed by OIOS and BOA.




         E(iii) Lengthy process for completing memoranda of           The preparation and negotiation of MOUs involves Operational Possible Medium Moderate Risk
         understanding (MOUs) for troop contribution may result in several departments including DPKO, DFS, OLA,
         wrong payments being made to troop contributing              and DM.
         countries (TCCs). This may in turn create an opportunity
         cost (funds that could be used for other activities are tied
         up for an extended period of time) or result in possible
         loss of resources. According to PFD, payments are
         sometimes made to TCCs prior to the signing of the
         related MOU. In such situations, the agreed cost per the
         MOU may differ from the prepayment.

         E(iv) Inadequate procedures for processing troop related Troop strength reports are prepared monthly by          Operational Possible Medium Moderate Risk
         payments may result in delays and erroneous payments peacekeeping/political missions and provided to
         being made to TCCs.                                      PFD and FMSS simultaneously.

                                                                       PFD maintains a troop cost database which is
                                                                       used in processing (certifying) payments made to
                                                                       TCCs.
IV       Contribution services                                                                                                         Possible Medium Moderate Risk
         D(i) Delays in Member States paying their                     Revenue is recognized only when contribution        Financial   Possible High   Higher Risk
         assessments/pledges may impede the delivery of                letters are mailed to Member States. Due to
         mandates and programmes. This may also impact the             political reasons, which are not within the control
         relationship of the United Nations with its vendors and its   of the Secretariat, Member States sometimes
         reputation.                                                   refuse to pay their assessments. There is a
                                                                       reserve fund that is used as a stop gap measure.
                                                                       Cross borrowing is allowed, subject to legal
                                                                       considerations. Follow-up communications are
                                                                       often sent to Member States in a timely manner.
                                                                       In rare circumstances, DM seeks to evoke Articles
                                                                       17 and 19 of the United Nations Charter on voting
                                                                       rights.




         G(i) Inaccurate information on contributions, status of     There are multiple assessments with different   Information   Remote   High    Moderate Risk
         assessments and delays in making this information           cycles. Currently, MS Excel Spreadsheets are    Resources
         available to stakeholders may impede the delivery of        used for the Contributions Service.
         mandates and programmes. This may also impact on
         the relationship of the United Nations with its vendors and
         its reputation. Assessment letters may be inaccurate.

         F(i) Inadequate human resources (in terms of quality and The Contributions Service currently has four     Human           Possible Medium Moderate Risk
         quantity) creates pressure on staff and may thus impact professional staff. The posts are funded from the Resources
         on the timeliness, reliability and integrity of information peacekeeping support account.
         provided to Member States regarding contributions and
         status of assessments. The assessments levied on
         Member States to support the growing number of
         peacekeeping activities have increased. However, no
         additional resources have been provided to the
         Contributions Service from the peacekeeping support
         account over the past ten years. The regular budget is
         now $2 billion, peacekeeping operations around $7 billion,
         and CMP is about $2 billion.

         E(iv) Inadequate systems for monitoring pledges may                                                              Operational Possible Medium Moderate Risk
         result in delays in collection. This may in turn impede the
         delivery of mandates and programmes.
V        Cash and investment management                                                                                               Possible High   Higher Risk
         D(i) Trading with counterparties whose rating has           (a) Before trading, Treasury collects and reviews Financial      Possible High   Higher Risk
         deteriorated may result in financial losses and             information to determine if the rating of the
         reputational damage.                                        counterparty (e.g. bank) is within the risk appetite
                                                                     of the United Nations. (b) The Common
                                                                     Principles and Policies for Investments (CPPI)
                                                                     establishes credit limits/the risk appetite of the
                                                                     United Nations System. This policy must be
                                                                     complied with.




         D(ii) Lack of adequate and effective procedures for           (a) The CPPI provides guidance on the principles Financial    Likely   Medium Higher Risk
         liquidity management may result in loss of revenue            that must be followed in making decisions to
         (opportunity cost) resulting from excessive liquidity levels. invest. (b) The Treasury prepares cash positions
                                                                       and forecasts cash flows. The Cash position for
                                                                       UNA account is prepared on a daily basis, while
                                                                       the cash position for the peacekeeping account is
                                                                       prepared on a quarterly basis. (c) OPIC, the
                                                                       system used in the Back Office for settlement etc,
                                                                       has a maturity schedule, which is the primary tool
                                                                       used in determining the cash positions and to
                                                                       forecast cash flows. (d) Although contributions
                                                                       should be received in the first two months of a
                                                                       new year, in practice, they are received
                                                                       throughout the year. Therefore, they are not
                                                                       predictable. Estimates of expenditures are based
                                                                       on observed trends and averages.

         D(iii) If gains/losses and interest income are not           Gains/losses and interest income are allocated to  Financial   Remote   Low    Lower Risk
         accurately determined and allocated to the related funds     funds on a daily basis by OPIC.
         in a timely manner, the financial positions of those funds
         will be inaccurate. This may result in faulty decisions
         based on the financial reports.
         C(i) Non-compliance with established policies and            The CPPI governs the Treasury activities of the    Compliance Possible High    Higher Risk
         procedures on investment may result in losses to the         UN. There is an Investment Committee.
         United Nations and negatively impact its reputation.




         D(iv) Lack of adequate and effective procedures to            (a) The Treasury matches bank account                Financial   Remote   High   Moderate Risk
         ensure that payments are properly reviewed and                transactions with investment transactions.
         authorized may result in losses to the UN. Treasury
         makes disbursements using the SWIFT system that is            (b) Direct deposits are made to staff members'
         not interfaced with IMIS, which contains the master files     accounts based on payment instructions issued by
         of the banking particulars of vendors/staff.                  Treasury. The instructions are in turn based on
                                                                       payrolls generated by the Accounts Division.

                                                                       (c) The majority of payments to vendors are made
                                                                       using the SWIFT system. All payment particulars
                                                                       which are already available in the Vendors' Master
                                                                       File in IMIS are manually keyed into the SWIFT
                                                                       system by Treasury staff at the time of
                                                                       disbursement.

         D(v) Delays in confirming the receipt of contributions may    Depending on the nature of the receipt, the         Financial    Possible Low    Lower Risk
         impact on the delivery of mandates/programmes. If             Treasury acknowledges contributions. Otherwise,
         contributions are not confirmed, they are not available for   the Accounts Division acknowledges the
         use.                                                          contributions even if the funds are received by the
                                                                       Treasury.
         D(vi) Lack of adequate and effective procedures to            The Treasury manages bank relationships of all      Financial    Possible Low    Lower Risk
         ensure proper review and approval of banking                  HQ banks and investment accounts. The
         arrangements may result in excessive charges/losses to        Treasury is responsible for opening and/or
         the UN.                                                       authorizing the opening of all bank accounts of the
                                                                       Secretariat including OAHs and peacekeeping
                                                                       and political missions. The Treasury transfers
                                                                       funds only to accounts it has opened or
                                                                       authorized. The Treasury is also responsible to
                                                                       assist the Controller in designating bank
                                                                       signatories. The Investigation Division of OIOS
                                                                       clears individuals that are designated as bank
                                                                       signatories.
         D(vii) Inadequate custodial arrangements may result in        The criteria for a custodian are defined by the     Financial    Remote   High   Moderate Risk
         excessive charges/losses to the United Nations.               CPPI.



         G(i) Lack of adequate technology support (including lack      Banking particulars of vendors/payees are entered Information      Possible High   Higher Risk
         of integration of systems) may result in inefficiencies and   in the Vendors' Master File in IMIS by the          Resources
         errors in disbursement processing. Treasury makes             Procurement Service, the Accounts Division and
         disbursements using the SWIFT system which is not             the Treasurer. The Accounts Division approves
         interfaced with IMIS which contains the master files of the   payments in IMIS where the master files of the
         banking particulars of vendors/staff. This may result in      payments in IMIS where the master files of the
         payments being made to the wrong parties or in the            particulars which are already available in IMIS are
         wrong amounts.                                                manually entered into the SWIFT system by
                                                                       Treasury staff (i.e. four staff).

         G(ii) Inadequate general and application controls relating    (a) The Treasury matches bank account                Information   Possible High   Higher Risk
         to IT systems used in cash and investment management          transactions with investment transactions.           Resources
         could result in unauthorized transactions/losses. Poor
         application and general controls over IT systems could        (b) Direct deposits are made to staff members'
         result in unauthorized changes to vendor particulars and      accounts based on payment instructions issued by
         thus permit payment to wrong parties. Treasury believes       Treasury. The instructions are in turn based on
         that it lacks the security expertise to manage the risks      payrolls generated by the Accounts Division.
         associated with an integrated system. The systems used
         include OPIC, IMIS, SWIFT, Chase Insight, etc. The            (c) The majority of payments to vendors are made
         systems are not integrated. For example, according to         using the SWIFT system. All payment particulars
         Treasury, the trading platform is Bloomberg while OPIC is     which are already available in the Vendors' Master
         used by the Back Office for settling trades. These two        File in IMIS are manually keyed into the SWIFT
         systems are not integrated.                                   system by Treasury staff at the time of
                                                                       disbursement.




VI       Cash and investment management (continued)
         D(viii) Unexpected volatility in the financial markets    The CPPI prohibits speculative trading and thus     Financial      Possible Medium Moderate Risk
         impacts revenues. Volatility in exchange rates may result identifies specific instruments, mainly bonds, that
         in losses/gains.                                          must be used for investment purposes. Trading in
                                                                   currencies, which occurs routinely, is done to
                                                                   meet operational needs since the accounts of the
                                                                   UN are overwhelmingly in US dollars. Demands
                                                                   for such currencies are ideally driven by operational
                                                                   needs of UN operations throughout the world -
                                                                   e.g. peacekeeping operations.

         D(ix) Trading by unauthorized individuals and                Communications are sent to all counterparties       Financial   Remote   High   Moderate Risk
         unauthorized trading by authorized officials may result in   notifying them about the authority of each
         losses to the United Nations and negatively impact its       investment officer. Counterparties are not allowed
         reputation.                                                  to complete an investment transaction for which
                                                                      the investment officer is not authorized. There are
                                                                      access controls over workstations used in trading.

         E(I) Inadequate segregation of front, middle, and back                                                          Operational Possible High    Higher Risk
         office functions (e.g. execution of trade, verification,
         recording, monitoring, reconciling and reporting) may
         result in losses to the UN.
         D(x) The absence of a business continuity and disaster                                                          Financial    Possible High   Higher Risk
         recovery plan may impede Treasury functions in the
         event of a disaster.




          Processing of payments to vendors and travel claims                                                           Financial   Possible Medium Moderate Risk
VII       of staff
          D(i) Errors/irregularities may result in payments being     Applicable policy included the Financial          Financial   Possible Medium Moderate Risk
          made (a) to the wrong parties; (b) in the wrong amounts;    Regulations and Rules of the UN.
          (c) through the wrong channel (e.g. bank account); and
          for goods/services not received. These may result in        The Accounts Division implements procedures
          financial losses and possible fraud/reputational damage     that are followed by processors and approving
          to the UN.                                                  officers.

                                                                      The Vendors' Master File in IMIS contains the
                                                                      personal information including bank details of
                                                                      payees.

                                                                      Receipt and inspection (R&I) reports are prepared
                                                                      in IMIS by the Office of Central Support Services
                                                                      and requisitioners/end users of the goods being
                                                                      procured in IMIS. The R&I reports then form the
                                                                      basis for approvals of the payments by approving
                                                                      officers.
          D(ii) Delays (there is a policy that each invoice must be   R&I reports, which are used by the Accounts       Financial   Possible Low    Lower Risk
          paid within 30 days) in approving payments may create       Division as the basis for approving payments are
          opportunity costs (loss of discounts) and reputational      prepared by other organizational units throughout
          damage to the UN.                                           the Secretariat.
          D(iii) Lack of adequate controls may result in payments     Payments are posted when approved in IMIS.        Financial   Possible Medium Moderate Risk
          being posted to the wrong accounting period. This may in
          turn result in inaccurate financial reporting.




         D(iv) Payments may be made by UNDP on behalf of the           The Secretariat provides advances to UNDP and Financial       Possible Low    Lower Risk
         Secretariat that are recorded in IMIS based on inter-office   subsequently issues financial authorizations
         vouchers (IOV) which may not be for goods/services            requesting UNDP to disburse funds as specified in
         benefiting the UN.                                            the financial authorizations. UNDP provides
                                                                       periodic IOV reports showing the expenditure
                                                                       incurred on behalf of the Secretariat.

                                                                       The Accounts Division performs reconciliations
                                                                       and seeks clarifications from UNDP when
                                                                       necessary before accepting and posting payments
                                                                       made by UNDP.

         E(i) Individuals (i.e. approving officers) approving      Applicable policy included the Financial         Operational Remote       Medium Lower Risk
         payments may not be properly authorized or if authorized, Regulations and Rules of the United Nations. The
         may exceed their authority.                               Controller designates approving officers.

                                                                  The Accounts Division implements procedures
                                                                  that are followed by processors and approving
                                                                  officers.
         D(v) Lack of adequate review and resolution of delays in The Accounts Division implements procedures            Financial   Possible Medium Moderate Risk
         delivery of goods and services may result in not         that are followed by processors and approving
         recovering liquidated damages and other penalties        officers.
         against vendors.
         D(vi) Lack of adequate controls over invoices may result The Accounts Division implements procedures            Financial   Possible Medium Moderate Risk
         in duplicate payments being made for goods and           that are followed by processors and approving
         services.                                                officers.
         D(vii) The lack of adequate procedures/guidelines to be Requests for remittances are initiated by OAHs          Financial   Possible Medium Moderate Risk
         used by offices away from Headquarters (OAHs) and the and vetted by DM before the remittances are
         DM in processing remittances may result in excessive     made.
         cash being held by the OAHs. This will negatively impact
         on the management of cash.




                                                                                     Page 20                                                         10/07/2008



       2                                           Focus Area: Financial Management                                                      Possible Medium Moderate Risk
                                                                                                                            Fin

VIII       Payroll processing                                                                                                            Possible Medium Moderate Risk
           D(i) The lack of adequate and effective procedures in        The Payroll Unit has 10 examiners who perform        Financial   Possible Medium Moderate Risk
           generating payroll may result in errors/irregularities not   audit functions on the payroll. They are all trained
           being detected and prevented. Possible sources of            in the use of PARADOX, the software used for
           errors/irregularities include OHRM where personnel           data analyses. They observe trends and perform
           actions handled and related data entry in IMIS is            month-to-month comparisons.
           performed. OHRM issues personnel actions and enters
           all related data in IMIS. The Payroll Unit does not
           receive/use personnel actions.
           F(i) Lack of adequate procedures may result in               Each of the eight OAHs has its own database.        Human        Possible Medium Moderate Risk
           overpayment being made to separated staff. There is no                                                           Resources
           common system and training that would ensure automatic       Annual leave balances of staff members (mainly
           calculation of leave balances before staff members           mission employees) are manually entered into
           separate from the UN.                                        IMIS by OHRM typically after the staff member
                                                                        separates from the UN.
           F(ii) Inadequate coordination amongst duty stations may                                                          Human        Possible Low    Lower Risk
           result in duplicate payments being made to staff                                                                 Resources
           members who move from one duty station to the other.
           If a personnel action is not promptly communicated to the
           concerned duty station and entered in the database, the
           staff member may be paid twice.

IX         Health and life insurance payments                                                                                            Possible Medium Moderate Risk
           F(i) The lack of adequate procedures for enrolling           OHRM advises staff to enroll in the United Nations   Human       Remote Medium Lower Risk
           qualified staff in the UN Health Insurance Programme         Health Insurance Programme when employment           Resources
           may result in coverage being provided to staff members       is offered. In addition, OHRM conducts an annual
           who do not contribute to the premium fund. This may          insurance campaign to provide staff members the
           impact on the amount of funds available to settle actual     opportunity to enroll in the Plan or make changes
           claims of providers.                                         to their plans.




         E(i) Failure of the UN insurance administrators to            Insurance administrators are provided with staff   Operational Possible Medium Moderate Risk
         implement adequate policies for processing claims made       eligibility notices, which are generated by IMIS.
         by providers may result in fraudulent claims being paid by   These notices should help prevent the UN from
         the UN. The UN is self insured. It relies on                 settling claims of individuals who have not
         administrators to vet the claims made by providers.          properly enrolled in the Health Insurance
                                                                      Programme.
X        Commercial insurance risk management                                                                             Operational Possible Medium Moderate Risk
         E(i) The lack of adequate, effective risk assessment         The Risk Management Unit reviews all major          Operational Possible Medium Moderate Risk
         procedures may result in insufficient insurance coverage     commercial insurance contracts and makes
         for UN assets and staff. This may result in financial        recommendations for improvement.
         losses to the UN.
         E(ii) The lack of adequate procedures for vetting and        The Risk Management Unit reviews                    Operational Possible Medium Moderate Risk
         processing claims could result in fraudulent and             claims before they are approved for payment.
         erroneous claims being paid by the UN.
XI       Tax services                                                                                                     Financial   Possible Medium Moderate Risk
         D(i) Tax returns prepared by staff members and used to       The Income Tax Unit has staff who review tax        Financial   Possible Low    Lower Risk
         offset previous advances may be inaccurate resulting in      returns prepared by staff members. These staff
         losses to the UN.                                            are trained by H&R Block.

                                                                      The Income Tax Unit has an improved computer
                                                                      system which provides more accurate human
                                                                      resources and account information for United
                                                                      States taxpayers. This system helps in the review
                                                                      of tax returns prepared by staff members.

         D(ii) Tax advances provided to staff members may not be      OHRM has checkout procedures that should            Financial  Possible Low    Lower Risk
         recovered due to premature separation of staff resulting     ensure that all assets are recovered from
         in a loss to the UN.                                         separated staff.
         C(i) The Tax Equalization Fund may not be used for the       Staff assessments, which are withheld from          Compliance Possible Medium Moderate Risk
         intended purposes. This may impair the ability of the UN     payrolls, are credited to the Tax Equalization
         to settle the tax obligations of its staff and damage the    Fund. The Fund is used to settle the verifiable tax
         reputation of the UN.                                        liabilities of staff members through direct
                                                                      payments to some staff or credit to Member
                                                                      States' accounts.



XII        Compensation payment                                                                                                  Possible Medium Moderate Risk
           D(i) Lack of adequate and effective procedures in            There is a Compensation Board that reviews   Financial   Possible Medium Moderate Risk
           reviewing compensation payments may result in                claims and recommends payments.
           inaccurate or fraudulent claims payments being made.

           D(ii) Lack of adequate, effective procedures for payment                                                  Financial   Possible Medium Moderate Risk
           processing may result in payments being made to the
           wrong party.
XIII       Voluntary Trust Fund                                                                                      Financial   Possible Medium Moderate Risk
           E(i) The lack of adequate and effective policies and    The following policies and procedures govern: the   Operational Possible Low    Lower Risk
           procedures on the mobilization of voluntary contributions
                                                                   Financial Regulations and Rules of the UN;
           may result in mandated programmes not being properly    ST/SGB/188 on the establishment and
           funded and hence not implemented.                       management of trust funds; ST/AI/284 on the
                                                                   establishment, administration, and control of
                                                                   general trust funds; and ST/AI/286 on the
                                                                   approval, administration and control of
                                                                   programme support costs.
           D(ii) The lack of adequate accounting policies and      The following policies and procedures govern: the   Financial Possible Medium Moderate Risk
           procedures regarding contributions may result in        Financial Regulations and Rules of the UN;
           mandated programmes not being properly funded and       ST/SGB/188 on the establishment and
           hence not implemented.                                  management of trust funds; ST/AI/284 on the
                                                                   establishment, administration, and control of
           - Contributions may not be promptly acknowledged and/or general trust funds; and ST/AI/286 on the
           applied to proper account in the proper amounts thereby approval, administration and control of
           reducing the availability for funds to the relevant     programme support costs.
           programmes.

           - Contributions may not be properly accounted for, not
           used for the intended purposes, or misappropriated.

           - Financial reports on the use of contributions may not be
           in line with programme implementation thereby causing
           donors to reduce their support of those programmes.




         D(iii) The lack of adequate monitoring of implementing        The following policies and procedures govern: the   Financial Possible Medium Moderate Risk
         partners may result in funded programmes not being            Financial Regulations and Rules of the UN;
         Excessive advances to some                       ST/SGB/188 on the establishment and
         implementing partners may result in insufficient funding for  management of trust funds; ST/AI/284 on the
         other programmes. Advances to implementing partners           establishment, administration, and control of
         may not be used for the intended purposes or not              general trust funds; and ST/AI/286 on the
         properly accounted for. Excessive advances may result         approval, administration and control of
         in loss of interest income.                                   programme support costs.





                                    Risk Assessment of : the Department of Management
     3                                              Focus Area: Human Resource Management                                                Possible High   Higher Risk
                                                                                                                           HR

                                                                                                                              Risk       Likeli-
         Interview/Review Summary (Description of risk)                                  OIOS Assessment                                         Impact Overall Risk
                                                                                                                            Category      hood
No
         Staffing Plans                                                                                                   Human          Possible High   Higher Risk
I                                                                                                                         Resources
         A(i) Office of Human Resources Management (OHRM)                  OHRM objectives and strategies are based on GA   Strategy     Remote   High   Moderate Risk
         could pursue objectives and strategies that are                   mandates.
         inconsistent with GA mandates which may result in failure
         to accomplish mandated human resources goals.             HRAP are based on UN Secretariat targets and
                                                                   GA mandates.

                                                                           Human Resources policies and procedures are
                                                                           established and implemented in line with GA
                                                                           mandates.
         F(i) Inadequate OHRM staffing levels could lead to                New strategic workforce planning concept is being   Human     Possible High   Higher Risk
         important tasks remaining undone. This could have                 implemented to anticipate future vacancies and       Resources
         adverse effects such as delays in processing                      prepare for them. OHRM has deployed this
         recruitments or untimely responding to staff queries.             concept in 3 offices/departments: OHRM; Office
                                                                           for the Coordination for Humanitarian Affairs
         F(ii) Inadequate analysis/assessment of staffing needs            (OCHA) (decentralized) and OLA (centralized) to
         may result in inadequate preparations to meet future              determine its viability and usefulness.
         human resources needs.

         F(iii) Inability to fill posts during freeze periods aggravates
         understaffing of offices. This may result in work
         overloads which could lead to staff burnouts.

         F(iv) Inadequate automation of human resources tasks
         may result in inefficient and ineffective use of staff time




         F(v) Lack of succession planning resulting in loss of           DM has been obtaining input from stakeholders   Human     Possible High   Higher Risk
         institutional memory when key staff leave the                   on the management of mobility. The department  Resources
         Organization without adequate preparation for                   has also communicated the policy through I-seek
         replacements. (All positions in the Organization are            to complement the administrative issuance.
         subject to competition whenever vacancies arise.
         Therefore, the Organization cannot and does not plan for
         succession.)

         F(vi) There are no clear training and development plans
         to enable staff to take up future tasks.

         F(vii) Inadequate preparation for mobility could result in
         loss of institutional memory when key staff move to other
         locations/positions without transferring knowledge to
         replacement staff. Furthermore, this could create the
         departments' inability to implement resource planning.

         B(i) Lack of global oversight of staffing table could                                                        Governance Possible High     Higher Risk
         impede ability to make holistic choices concerning:
         - adherence to gender/geographic programs
         - identification of positions available for G to P candidates
         - mobility and succession planning

         B(ii) Centric changes being made at Headquarters only                                                        Governance Possible Medium Moderate Risk
         rather than globally may lead to lack of support from other
         offices.




II       Recruiting & staffing                                                                                                       Likely   High   Higher Risk
         F(i) Recruitment delays may result in important tasks        Recruitments are done as a result of vacancies   Human         Likely   High   Higher Risk
         remaining undone for long periods of time.                   that arise. OHRM is piloting anticipation of     Resources
                                                                      vacancies and placement of candidates on rosters
         F(ii) Vacancy rate data not readily available hence time     in order to reduce recruitment delays.
         consumed in getting the information to quickly make
         recruitment decisions.

         F(iii) Vacancies are not anticipated and prepared which
         could result in delays in recruitment of replacements.

         F(iv) Human resources reforms addressing recruitment
         delays not being implemented.

         F(v) OHRM and programme managers have lengthy
         recruitment procedures that prevent timely recruitment of
         staff.

         E (i) Recruitment of candidates without background           OHRM conducts background checks for                Operational Possible High   Higher Risk
         checks may expose the organization to the risk of            professional staff recruited for appointments of
         recruiting candidates: (i) without required qualifications   over one year.
         resulting in incompetence; (ii) with backgrounds that are
         incompatible with the Organization's core values hence
         could cause reputational damage; and (iii) that could
         cause financial losses to the Organization through
         inappropriate actions in sensitive areas such as
         procurement and finance.




         E(ii) The absence of written procedures for recruitment of OHRM intends to establish and promulgate             Operational Possible Medium Moderate Risk
         staff for general temporary assistance (GTA) leading to     procedures for recruitment of staff under general
         risks of: (i) lack of transparency in the recruitment       temporary assistance by June 2008.
         process; (ii) inconsistency in recruitment practices; (iii)
         difficulty in determining if intended recruitment purposes
         are being achieved; (iv) use of short-term recruitment to
         meet long-term requirements; and (v) extension of
         appointments without compelling reasons.

         C(i) Not abiding by the principles that the Organization    The Organization is developing guidelines to        Compliance Possible High    Higher Risk
         promulgates such as prioritization of recruitment of        adopt a code of practice that will cover, among
         equally qualified candidates that are physically challenged other things, recruitment of persons with
         may damage the reputation of the Organization.              disabilities.


         D(i) New staff members who are required to file financial Ethics office reminds staff members that do not       Financial   Possible Medium Moderate Risk
         disclosure statements may not timely do so hence could file financial disclosure statements.
         carry out duties where they have actual or apparent
         conflicts of interest for longer periods of time. There are
         no timelines by which new staff members should file their
         financial disclosure statements hence the risk is ongoing.

         F(v) The Organization may not be able to recruit and       The Organization is able to attract the right people   Human     Possible Medium Moderate Risk
         retain talented people which could result in important     for most of the positions.                             Resources
         tasks not being done or being done inappropriately.
         E(iii) Ineffective roster management may result in         OHRM is piloting a new roster concept in OHRM,   Operational Possible Medium Moderate Risk
         rostered candidates pursuing alternative job offers.       OCHA, and OLA to determine its viability and
         Therefore, the roster may not represent the true           usefulness.
         population of truly available candidates (e.g. language
         candidates).
         F(vi) The use of casual daily workers in peacekeeping                                                           Human       Likely   High   Higher Risk
         missions could be deemed exploitative by the public and                                                         Resources
         hence could damage the reputation of the Organization.




          F(vii) Over-reliance on short term staff and consultants                                                  Human       Possible Medium Moderate Risk
          could result in disruption of work plans once temporary                                                   Resources
          assistance is no longer available.
III       Policies and Procedures                                                                                              Possible Medium Moderate Risk
          C(i) Non-compliance with OHRM policies and procedures      Ongoing supervisory and management controls    Compliance Possible Medium Moderate Risk
          could result in:                                           ensure compliance with set policies and
          - lack of transparency in recruitment and promotion of     procedures.
          staff which could lead to loss of reputation of the
          Organisation.                                              Additional monitoring provided by oversight
                                                                     bodies.
          - failure to recruit the best available candidates and

          - retention of nonperforming staff.
          C(ii) Some OHRM policies and procedures may result in                                                     Compliance Possible Medium Moderate Risk
          inefficient and ineffective operations. Compliance with
          certain policies and procedures, such as the 15, 30, and
          60 day rules, could be deemed to contribute to
          inefficiency and ineffectiveness. External candidates
          cannot be viewed or interviewed before the 60 day
          vacancy announcement period is completed.


          C(iii) Complexity of Human Resources policies and        Administration guidelines provided on how to         Compliance Possible Medium Moderate Risk
          procedures may result in inappropriate implementation of implement rules within available resources
          the rules and waste of time in resolving                 constraints.
          grievances/disputes.
                                                                   OHRM staff provide explanations of the rules both
                                                                   orally and in writing. Staff constraints prevent the
                                                                   office from providing written responses.




                                                                                        Page 29                                                      10/07/2008


-----------------------------------------------------------------------------------------

     3                                              Focus Area: Human Resource Management                                            Possible High   Higher Risk
                                                                                                                         HR

                                                                                                                            Risk      Likeli-
         Interview/Review Summary (Description of risk)                                 OIOS Assessment                                       Impact Overall Risk
                                                                                                                          Category     hood
No
         C(iv) Inability of UNHQ to properly monitor the delegation OHRM conducts periodic monitoring using one         Compliance Possible Medium Moderate Risk
         of authority given to offices away from HQ and other duty dedicated monitoring professional and drawing on
         stations regarding hiring, firing, and training may result in available OHRM staff.
         delegated offices' failure to properly comply with rules and
         regulations deliberately or inadvertently.                    OHRM can withdraw the delegation of authority on
                                                                       HR activities as necessary.
         C(v) No recourse for non-compliance with delegation of
         authority by department managers could contribute to
         culture of non-compliance by duty stations and
         inconsistent HR practices across the UN.

         E(i) Lack of adequate knowledge management policies                                                             Operational Likely   Low    Moderate Risk
         leading to insufficient sharing and dissemination of
         knowledge, resulting in the loss of institutional memory.

         Inability to overlap posts during transitions and for retiring
         employees, does not provide opportunities for knowledge
         transfer and may result in loss of institutional memory.


         C(vi) Absence of procedures for implementing the post-           OHRM is drafting procedures for implementing   Compliance Possible Medium Moderate Risk
         employment restrictions in ST/SGB/2006/15, hence risk            post employment restrictions.
         of staff members forgetting and violating the restrictions.

         E(i) Lack of policy for the mandatory use of Generic Job Utilization of GJP expedites the recruitment           Operational Likely   Low    Moderate Risk
         Profiles (GJP) results in underutilization of GJP which  process.
         could lead to waste of resources during recruitment.

         F(i) Lack of harmonization in the conditions of service and OHRM has undertaken studies on harmonisation        Human       Possible High   Higher Risk
         employment contracts negatively impacts morale of some of different contracts and recommendations are           Resources
         employees.                                                  being considered for implementation.




IV       Performance Management                                                                                                     Possible High    Higher Risk
         F(i) Programme managers may not meet set objectives Performance appraisal (ePAS) system is in place.   Human       Likely   High    Higher Risk
         due to poor performance/incompetence of staff members                                                  Resources

         F(ii) ePAS is not an effective appraisal or staff
         development tool because:
         - It does not result in advancement or reprimands
         - Performance Management not ingrained or valued in UN
         culture
         - There are no consequences for non-compliance.

         F(iii) Implementation of new compact to increase
         compliance of ePAS may result in compliance in terms of
         completion rather than utilizing the system as a
         management tool.

V        Examinations                                                                                                                Possible Medium Moderate Risk
         E(i) Lack of access controls to examination papers could Access to examination information and papers           Operational Remote Medium Lower Risk
         lead to loss of confidentiality of the papers and may result restricted to designated staff.
         in unsuitable candidates passing the examinations and
         being recruited.                                             Controls in place regarding examination paper
                                                                      preparation, printing, storage and distribution.

                                                                     Controls in place for administration of
                                                                     examinations, collection of scripts, marking, and
                                                                     compilation of results.




         F(i) People could sit for examinations on behalf of others Candidates' identity verified by checking photo        Human        Remote   Medium Lower Risk
         which may result in unsuitable candidates being recruited. identity cards with dates of birth at the              Resources
                                                                    examination centres. Candidates are also required
                                                                    to present letters of invitation for the examinations.

                                                                     Successful candidates are required to fax copies
                                                                     of passport and certificates for qualifications held
                                                                     for verification before attending subsequent
                                                                     interviews. Verification includes, inter alia,
                                                                     nationality and age due to nature of NCE.


         F(ii) Lack of adequate dissemination of examination         Member States hold outreach meetings at their          Human       Possible Medium Moderate Risk
         schedules could result in good candidates not being         respective relevant missions to the UN to              Resources
         aware of the examinations and hence not participating.      disseminate information about language
         This could limit the pool of available candidates.          examinations.


         F(iii) Long examination and recruitment procedures could                                                           Human       Possible Medium Moderate Risk
         result in loss of successful candidates as they take up                                                            Resources
         alternative appointments.

         F(iv) Lack of financial resources to employ full time
         graders could contribute to delays in completion of
         examination procedures hence delay recruitment of
         successful candidates.
         F(v) Limited number of posts set aside for successful                                                              Human       Possible Medium Moderate Risk
         candidates could discourage suitable staff from                                                                    Resources
         participating in G to P examination and demoralize staff,
         particularly after completing examination process
         repeatedly but having no opportunity to take up a
         professional post.




VI       Information and Technology                                                                                                       Possible High   Higher Risk
         G(i) Lack of reliable data submitted by field offices which    ERP project to be implemented in order to have      Information   Likely   High   Higher Risk
         could lead to sub-optimal decision making.                     an integrated IT solution for OHRM.                 Resources

         G(ii) Lack of automation creates need for extensive         Data used for GA reporting is reconciled once a
         manual manipulation of data. This is prone to human         year.
         errors that could adversely affect data integrity and
         reliability and the quality of decisions made from the data.

         G(iii) Late submission of data from field offices leading to
         delays and/or inaccuracy of reports to the GA.

         G(iv) The various IT systems supporting OHRM
         operations are not integrated hence opportunities for
         efficiency and effectiveness are lost

         G(v) Inadequate data input controls in IMIS, such as
         mandatory fields, leading to inconsistent collection and
         potentially inaccurate reporting or misinterpretation of
         data. This could result in poor decision making.


         A(i) Lack of adequate planning during period of transition     ERP implementation teams, which include OHRM,       Strategy      Possible Medium Moderate Risk
         to new systems after the implementation of ERP may             have been set up.
         result in lower productivity
         G(vi) Emergency data system is utilized to collect             If absolutely necessary, Galaxy can be accessed     Information   Possible Medium Moderate Risk
         employee emergency contact information in Galaxy, but          to extract this information in critical situations  Resources
         this output is not interfaced, updated in IMIS, or easily
         accessible. This may adversely affect the timeliness of
         responses to emergencies involving staff members.




          G(vii) Lack of maintenance of available systems leading       HR Information Technology (HRIT) is doing         Information   Possible Medium Moderate Risk
          to deterioration in the quality of monitoring and reporting   workarounds of the current systems and            Resources
          capability that the system provides.                          applications as necessary.

          G(viii) Impending ERP implementation is creating
          reluctance to update systems or take any interim
          corrective actions though implementation is still years
          from completion.
          G(ix) Inadequate business continuity and disaster                                                               Information   Possible High   Higher Risk
          recovery planning with risk of disruption of service                                                            Resources
          provision and loss of vital online resources (e.g. online
          handbook)
          G(x) Business processes may be too lengthy, ineffective HR, Finance and Procurement have teams who              Operational Possible Low      Lower Risk
          and inefficient.                                            work on Business Process Re-engineering (BPR)
                                                                      to identify and re-evaluate the need for each
                                                                      step in the business process.
          D(i) HRIT budget may be insufficient to effectively support ERP will address some of the IT needs               Financial     Possible Medium Moderate Risk
          operational requirements.
          A(i) Inability to do a piecemeal rollout of IPSAS may lead                                                      Strategy      Possible Medium Moderate Risk
          to ineffective implementation and migration between
          UNSAS and IPSAS.
VII        Human Resources Finances                                                                                                     Possible High   Higher Risk
          D(i) Systems in place may not effectively support benefits Surveys are conducted once a year with staff to      Financial     Possible Medium Moderate Risk
          administration resulting in financial losses through        validate information on benefits.
          overpayments of staff entitlements and grants.

          C(i) Lack of compliance with rules regarding special posts SPA must be approved every three months.             Compliance Possible Low       Lower Risk
          allowance (SPA) period of two years, may result in HR
          benefits being incorrectly allocated to employees.         A SPA panel meets to consider proposed SPA.




           D(ii) Over or underexpenditure on staff remuneration and                                                      Financial   Possible High   Higher Risk
           benefits due to inaccurate data for decision making.
           OHRM does not have adequate resources to conduct the
           required salary surveys in 180 countries. Therefore, the
           unit responsible depends on duty stations to provide data
           that cannot be verified hence risk of erroneous salary
           data being utilized in calculating future salary rates,
           revision of MSA.
VIII       Record Keeping                                                                                                            Possible High   Higher Risk
           E(i) Physical loss of HR documents thereby making future                                                      Operational Possible High   Higher Risk
           references to the records difficult and possible loss of
           institutional knowledge.
           E(ii) Loss of confidentiality of HR documents resulting in Authorisation required before staff members        Operational Possible High   Higher Risk
           reputation damage to the Organization or individual staff access records. A register is also maintained of
           members.                                                   staff that access the records.
IX         Training                                                                                                                  Likely   High   Higher Risk
           D(i) Inadequate training budgets resulting in inadequate                                                      Financial   Possible High   Higher Risk
           skills to meet Organizational mandate requirements.

           D(ii) Gap in needs assessment by Heads of Departments
           and decreasing training budget may affect Heads of
           Departments' ability to meet their HRAP goals.


           E(i) Lack of dedicated training space may hinder the         Facilities Management Service (FMS) is           Operational Possible Medium Moderate Risk
           delivery of training programs required to enhance staff      responsible for management of office space for
           members' skills to meet mandate requirements.                the Organization.
           C(i) Inability to monitor the administration of the training                                                  Compliance Possible Medium Moderate Risk
           programmes may lead to inconsistencies in training which
           could result in non-compliance with core values.

           F(i) Challenges to retaining technical personnel due to the                                                   Human       Possible Medium Moderate Risk
           lack of training development program as well as clear                                                         Resources
           career development plan



          F(ii) Wastage of resources on training short term staff      OHRM has defined the type of training that short   Human       Possible Low    Lower Risk
         that are not permitted to stay under UN short-term            term staff can attend.                             Resources
         employment rules.
X        Administration of justice                                                                                                    Possible High   Higher Risk
         F(i) Unavailability of qualified counselors may affect the                                                       Human       Likely   Medium Higher Risk
         timeliness and quality of due process. Due process could                                                         Resources
         be compromised as a result of attempting to clear
         backlog of cases during 2008 before the new system of
         administration of justice is implemented effective January
         2009. This may negatively impact the reputation of the
         UN.
         F(ii) Inadequate resources may negatively impact the     The Panel makes recommendations to OHRM                 Human       Possible High   Higher Risk
         timeliness and quality of investigations into complaints by
                                                                  and, depending on the nature of the case, to the        Resources
         the Panel on Discrimination and other Grievances. This   SG. Copies of its reports are provided to the
         may negatively impact the reputation of the UN.          concerned heads of departments and to
                                                                  complainant. The concerned department may
                                                                  provide a written reaction to OHRM. The Panel
                                                                  follows up on cases.
         C(i) Delays by program managers in providing their       The Senior Management Compact with the SG               Compliance Possible High    Higher Risk
         reaction to reports of the ALU, Joint Appeals Board      now requires timely response by programme
         (JAB), JDC (Joint Disciplinary Committee), and PDG may managers.
         negatively impact the due process.
         C(ii) Delays in OHRM acting on recommendations of the The Department performs a follow up three                  Compliance Possible High    Higher Risk
         ALU, JAB, JDC, and PDG may result in a reputational risk months later with other departments, SG, and
         for the UN.                                              OHRM, on their reaction and actions based on the
                                                                  report.
         E(i) Investigations may be delayed or the quality of     Programme managers and DSS investigate type 2           Operational Possible High   Higher Risk
         investigations may be poor resulting in injustice to     cases while OIOS investigates the others.
         concerned parties.




XI       Medical services                                                                                                          Possible High   Higher Risk
         E(i) Individuals who are medically cleared and selected       ST/AI/2005/12 governs medical clearance and     Operational Possible Medium Moderate Risk
         for employment with the UN may not be physically fit to       examination.
         perform the functions for which they have been selected
         and may therefore risk their own health and safety or the  The UN Medical Service provides screening at
         health and safety of others.                               certain duty stations (e.g. OAHs, regional
                                                                    commissions, and New York) where the capacity
                                                                    and technology exist. It also relies on medical
         E(ii) Inadequate technology used by medical personnel, professionals throughout the world to perform
         lack of adequate training in medical screening, fraud, and medical examinations and medically clear
         inadequate procedures for evaluating and interpreting      applicants (Section 5 of ST/AI/205/12).
         medical results may result in clearance being provided to
         individuals who have medical conditions that could         The Medical Service implements procedures
         impede their ability to perform as required.               including standard forms for determining if
                                                                    individuals are fit to perform the functions for
                                                                    which they are being considered for recruitment.

         B(i) Lack of effective support, oversight and monitoring of                                                   Governance Remote   High    Moderate Risk
         medical services at OAHs, regional commissions, and
         field locations may impede the effective delivery of
         necessary medical services. UN medical professionals
         may provide suboptimum services to staff. This may
         impact on the productivity of staff.

         B(ii) Lack of monitoring of continual professional
         education could result in medical professionals not having
         up to date skills to provide appropriate services to staff
         members
         B(iii) Lack of a global UN-wide health policy may result in                                                   Governance Possible High    Higher Risk
         fragmented approach to specific healthcare issues (e.g.
         malaria, Flu, HIV). This may impede the effectiveness of
         how the UN addresses other emerging healthcare risks.




         F(i) The lack of harmonized human resources                   UN staff rules and human resources management   Human       Possible Medium Moderate Risk
         management practices may impact on the morale of              policies govern.                                Resources
         medical professionals throughout the UN. Post levels
         vary from location to location for same work making it
         difficult to retain and motivate staff. Exacerbated by
         contract structure.
         E(iii) Legal considerations regarding the use of medical                                                    Operational Remote Medium Lower Risk
         clearance as the basis for employment may impede the
         objectivity of medical professionals and thereby result in
         the recruitment of individuals who are not fit for the duties
         for which they have been recruited or possible lawsuits

         B(iv) Lack of independence of the UN Medical Service                                                            Governance Possible Medium Moderate Risk
         from OHRM may impact medical professionals' ability to
         make objective medical decisions.
         E(iv) Lack of formal written policy protecting                                                                  Operational Possible Low    Lower Risk
         confidentiality of medical records exposes the United
         Nations to litigation.
         C(i) The UN medical professionals may be engaged in             The type of services to be provided by UN medical Compliance Remote   Low   Lower Risk
         activities that violate national regulations. This may          professionals are defined.
         negatively impact the reputation of the UN.
         E(vi) Medical evacuation may not be properly approved.          The Chief Medical Office at HQ retains the      Operational Possible High   Higher Risk
         The absence of proper procedures/criteria may result in         authority to approve all medical evacuations.
         inefficiencies and denial of effective medical attention to
         UN staff. This may result in financial losses, injury or loss
         of life, and reputational damage to the UN.

         Sick leave may not be properly vetted and authorized.           Substantive programmes are required to have       Compliance Possible Medium Moderate Risk
         This may result in fraud and abuse and impact on                timekeepers who maintain records of absences.
         programme delivery.                                             Sick leave must be certified by qualified medical
                                                                         professional. Extended sick leave must be
                                                                         certified by the UN Medical Service.




                                                                                            Page 38                                                      10/07/2008


-----------------------------------------------------------------------------------------

                                    Risk Assessment of: the Department of Management
     4                                              Focus Area: Procurement and Contract Administration                          Possible High     Higher Risk
                                                                                                                     Proc

No       Interview/Review Summary (Description of risk)                OIOS Assessment                               Risk Category  Likelihood  Impact  Overall Risk
I        Procurement service                                                                                                          Possible High Higher Risk
         E(i) Lack of adequate controls may result in payments          Rule 105.5 of the Financial Regulations and Rules   Operational Remote Medium Lower Risk
         being made to vendors whose contracts have expired.            of the UN governing Certifying Authority.
         This may result in financial losses to the UN.

         E(ii) Delays in procurement caused by the following            Majority of contracts for DFS are systems    Operational Likely    High    Higher Risk
         events may impede effective and efficient delivery of          contracts; therefore once established
         programmes:                                                    procurements are streamlined.

         - lack of integrated workflow system across
         Departments;

         - Procurement Service (PS) is not asked to participate in
         the planning stages;

         - required sign-off of controller;

         - OLA review due to UN's low appetite for risk; and

         - requisitioner officers do not have sufficient training on
         procurement policies and procedures and are not
         qualified to adequately address vendors' needs.




         E(iii) Inadequate contract management may result in         Contracts have NTE thresholds which are          Operational Likely     Medium Higher Risk
         vendors delivering suboptimum services to the UN and        programmed and used as limit checks. Systems
         circumvention of the procurement process. Increasing        contracts require action (re-bid, extension,
         public scrutiny of UN procurement activities complicates    amendment) once expenditure reaches 75%. The
         the recruitment of qualified staff.                         Mercury system used in field missions has a
                                                                     control that does not allow further requisitions
                                                                     when 75% of the NTE amount of a system
                                                                     contract is reached.

                                                                         For large contracts, regular meetings of
                                                                         representatives from PS, the vendor, and user
                                                                         department of the service are held to review
                                                                         vendor performance.
                                                                         The Information Technology Services Division
                                                                         (ITSD) has a dedicated contract management unit
                                                                         which handles contract management and
                                                                         administration for contracts of information
                                                                         technology goods and services.
         F(i) Lack of qualified, sufficient staff to fulfill procurement   PS received 17 additional posts for the              Human      Possible High   Higher Risk
         needs may impede timely procurement and compliance              Procurement Reform team and other activities.        Resources
         with procurement policies.
         C(i) Excessive number of policies and controls around                                                                Compliance Possible Medium Moderate Risk
         procurement process may result in non-compliance and
         override of such policies.
         C(ii) The complexity of the "best value for money"              Best value for money training has been launched   Compliance Possible High        Higher Risk
         concept provides the opportunity for subjective                 by PS to educate requisitioners and procurement
         interpretation during its application. This may result in       staff, however, still more time is required for full
         non-compliance with the concept in all procurements.            comprehension of the concept.

         D(i) The need to achieve geographical balance in                                                            Financial    Remote     Medium Lower Risk
         procurement (a requirement of the GA) may delay
         procurement actions and result in selecting vendors that
         lack the capacity to fulfill needs or do not ensure "best
         value for money".



         C(iii) Non-compliance with acquisition plans may result in       Substantive programmes are required to prepare   Compliance Possible High           Higher Risk
         the procurement of goods/services not needed. This               acquisition plans that are linked to their respective
         could result in losses to the UN through                         budgets.
         excessive/obsolete inventory, theft and abuse.
         B(i) Lack of clarity in the delegation of authority to offices   At HQ, PS is responsible for all procurement.         Governance Possible High    Higher Risk
         (e.g. DFS, DPKO) along with the inadequacy of                    Delegation of Procurement Authority to
         monitoring procedures may result in non-compliance with          DFS/missions should establish clear limits. For
         UN Procurement and Contract Management Policies.                 example, there should be no delegation of
                                                                          authority for the procurement of special items
                                                                          such as IT and pharmaceutical products.
                                                                          Delegation of authority for non-core items is
                                                                          limited to $200K while delegation of authority for
                                                                          core items is $1m.

                                                                          PS and DFS now have posts for the management
                                                                          of delegation of procurement authority.

                                                                          Oversight activities of OIOS and BOA are
                                                                          additional controls.

                                                                          Procurement staff at field missions are technically
                                                                          cleared by PS before recruitment by DFS. They
                                                                          report to CAO, however, they also deal with PS,
                                                                          HQ in procurement and contractual matters.


         C(iv) Lack of consistency in use of vendor performance           Vendors' performance assessments are                  Compliance Possible High    Higher Risk
         metrics may result in contracting with vendors whose             performed by requisitioning offices.
         performance has been assessed as poor. This may result
         in financial and reputational losses to the UN.




II       Procurement service
         D(ii) Liquidated damages clause and other provisions in         PS stated that it is working with OLA to make the    Financial     Possible Medium Moderate Risk
         contracts may not reflect best industry practice and may        liquidated damages clause more flexible.
         therefore result in inflated prices being paid by the UN. If
         liquidated damage and performance bond clauses are
         required in contracts, vendor may build this into price.

         B(ii) Governance structure impedes the efficiency of                                                                Governance Possible High      Higher Risk
         procurement activities. Procurement process is lengthy
         and it is subject to many rules and regulations.
         Procurement Manual, a guidance document with 319
         pages, has many detailed steps and procedures that
         need to be followed.
         G(i) The use of multiple, unrelated vendor rosters within                                                           Information   Possible High   Higher Risk
         the UN may result in contracting with vendors that have                                                             Resources
         been barred. This may result in financial and reputational
         losses to the UN.
         E(iv) The absence of clear criteria in determining when to      Best value for money training has been launched      Operational Possible High     Higher Risk
         use ITB and RFB may result in inconsistent use and              by PS to educate requisitioners and procurement
         ineffective, inefficient procurement activities.                staff, however, still more time is required for full
                                                                         comprehension of the concept.
         E(v) Failure to implement an effective staff rotation policy    Procurement staff rotation is currently informal.    Operational Possible High     Higher Risk
         may result in fraud.
         F(i) Lack of properly trained requisitioner offices delays      PS plans on giving training to requisitioning        Human       Possible High   Higher Risk
         the procurement process.                                        offices.                                             Resources
         E(vi) Lack of sufficient facilities to accommodate                                                                  Operational Likely   Medium Higher Risk
         procurement staff impacts efficiency and leaves no ability
         for procurement officers to carry out routine negotiations
         in relative privacy.




III       Oversight of procurement - Headquarters Committee on Contracts                                                   Possible High             Higher Risk
          E(i) Inadequate training of members of LCCs and              Training courses have been rolled out to 12      Operational Possible High             Higher Risk
          monitoring of the activities of LCCs may result in           locations since September 2007 with plan to
          non-compliance with UN procurement policies.                 complete all locations by end of May 2008.
                                                                       - Internal certifications are being issued for
                                                                       completion. Training would increase the capacity
                                                                       development of staff in the field and LCC
                                                                       members. Training would allow faster processing
                                                                       of both local cases and cases referred to HQ.

          E(ii) Complexity and lack of clarity of procurement           Training courses have been rolled out to 12      Operational Possible High       Higher Risk
          policies may lead to misinterpretation and incorrect          locations since September 2007 with plan to
          application by LCC.                                           complete all locations by end of May 2008.
                                                                        - Internal certifications are being issued for
                                                                        completion. Training would increase the capacity
                                                                        development of staff in the field and LCC
                                                                        members. Training would allow faster processing
                                                                        of both local cases and cases referred to HQ.

          C(i) Delays in submitting cases for review by HCC             HCC carry out a Q&A if the presentation of cases   Compliance Likely       High    Higher Risk
          creates the need for expedited approvals. This may            and procedures are not transparent.
          impede a thorough review of cases by HCC and could
          result in financial losses to the UN.
          B(i) Inadequate delineation of the roles and                  Roles and responsibilities are set in the terms of   Governance Possible Low     Lower Risk
          responsibilities of Procurement Officers, HCC and the         reference of each function.
          LCC may result in inefficiencies in procurement.
          B(ii) Conflict of interest of members of LCC and HCC          Members of the HCC are nominated by the              Governance Possible High    Higher Risk
          may impede objectivity in the review of procurement           various departments and appointed by the
          cases and could result in financial and reputational losses   Controller. There are guidelines which must be
          to the UN.                                                    complied with. All committee members are
                                                                        appointed for a 3 year term with an option for
                                                                        another 3 years, renewable after 1 year break.




         C(ii) Due to the complexity of procurement policies        In some cases HCC identifies and recommends             Operational Possible Medium Moderate Risk
         coupled with the increasing complexity of procurement      areas where savings can be achieved, such as
         cases, procurement officers may not be able to identify    splitting an award to achieve cost saving.
         major opportunities for cost avoidance. This may result in
         opportunity costs to the UN.

         B(iii) The inability of HCC to monitor the implementation   There is a plan to develop a monitoring                Governance Possible High    Higher Risk
         of its decisions may impede compliance with UN              tool/process at some point.
         Procurement and Contract Management Policies.

         C(iii) Inconsistencies between the documents provided to                                                           Compliance Possible High    Higher Risk
         and used by the HCC in making decisions and the
         documents used for actual procurement may inhibit
         adequate oversight of the procurement function and could
         result in financial losses.
         F(i) Lack of resources impedes the training of LCC            HCC currently has two trainers that have             Human       Possible High   Higher Risk
         members and knowledge sharing. This may hinder the            participated in a "training the trainer" course to   Resources
         efficiency and effectiveness of procurement.                  ensure consistency in providing training in HCC
                                                                       issues.
IV       Review of procurement - Headquarters Committee on Contracts                                                                 Possible Medium Moderate Risk
         E(i) Lack of streamlined procurement workflow for local                                                            Operational Possible Medium Moderate Risk
         procurement, similar to that implemented at HQ, may
         result in delays in procurement.
         B(i) The delegation of procurement authority to Directors                                                          Governance Possible Medium Moderate Risk
         of Mission Support creates the need for effective
         monitoring which if not performed may result in non-
         compliance with UN Procurement Policies.
         F(i) The lack of recognition given to HCC members for           Members are nominated by their department            Human       Possible Medium Moderate Risk
         the time spent and significant number of committee tasks        heads for a 3 year term, with an option for another  Resources
         they are responsible for in addition to their regular duties.   3 years, renewable after a 1 year break.
         This may create morale issues and thus negatively
         impact on the quality of the HCC's decisions.




         E(ii) The increasing public scrutiny of UN procurement                                                     Operational Possible Medium Moderate Risk
         may lead to excessive, unnecessary documentation of
         procurement actions. This may further delay
         procurement.
         E(iii) Inadequate policies and procedures around global   Mandatory training on contract management,       Operational Possible High   Higher Risk
         contract management creates risk that contracts, once     updated and clarified procurement policies and
         procured, are not being monitored and enforced to         procedures, ethics training of mission
         protect the interests of the UN globally.                 procurement staff, LCC members.

         B(ii) Lack of strategic placement of the HCC to perform                                                    Governance Likely    Medium Higher Risk
         contract review process may result in lengthier
         procurement process.
         E(iv) Lack of follow up by HCC on questions posed to                                                       Operational Possible High   Higher Risk
         presenters may allow for a procurement that should not
         have occurred or could have provided better value to the
         Organization.
         C(i) Inadequate training of the members of Local Property   HQ Property Survey Board has no responsibility   Compliance Possible Medium Moderate Risk
         Survey Boards (LPSBs) may result in non-compliance          for LPSBs. It has done some presentations to
         with UN Financial Rules in the disposition of assets.       LPSBs but no training. HCC is submitting
                                                                     guidelines to management on how to process
                                                                     property actions.





                                  Risk Assessment of: the Department of Management
     6                                           Focus Area: Information Technology Management               Possible High   Higher Risk
                                                                                                 IT

No       Interview/Review Summary (Description of risk)                 OIOS Assessment              Risk Category  Likelihood  Impact  Overall Risk
I        Strategic                                                                                           Possible High   Higher Risk
         A(i) Since the formulation of a new Secretariat-wide ICT                                Strategy    Possible High   Higher Risk
         strategy and governance structure is still in progress,
         there is a risk that departments may make operational
         and financial ICT decisions that benefit solely their own
         departments. Strategic leadership of ICT is new to the UN
         with the creation of the CITO role. The development of a
         new ICT strategy is one of the key objectives of the new
         CITO.
         Potential risks:
         a) Uncoordinated approach to the Secretariat-wide ICT
         strategy;
         b) Mismatch between Secretariat-wide and departmental
         strategies, which could also lead to poor value-for-money
         decisions and performance;
         c) Inconsistent approach to ICT security priorities
         throughout the Secretariat; and
         d) Duplication of acquisition and development initiatives.




         B(i) The organizational details of the new CITO office,   In his report A/62/502, the SG requested to afford   Governance Possible High   Higher Risk
         including the reporting line with DM/ITSD, DFS/CITS and   the CITO more time to "Develop the ICT
         the ICT components in other departments (i.e. DESA,       governance framework...including the
         DPI, OCHA, etc.) have not been defined yet. Reporting     establishment of decision-making bodies, advisory
         lines for ICT staff outside of DM fall within their       groups, as well as the articulation of functions,
         departments and as a result, may not be aligned with      authority, structure and resource requirements of
         Secretariat-wide strategic priorities and objectives.     the envisioned OICT..."
         Potential risk(s):                                        In the same report the SG proposed that "...a
         a) Unclear accountabilities for the management of ICT     comprehensive report on the ICT...governance
         resources and implementation of new ICT solutions;        framework be submitted to the General Assembly
         b) Undefined or confusing accountability and              at the second part of its resumed sixty-second
         responsibility;                                           session."
         c) Misalignment between ICT solutions and the needs of
         the Organization; and
         d) Inadequate management of the portfolio of ICT
         investments.

         B(ii) There is currently no centralized authority for    The current approach towards ICT investments is   Governance Possible High       Higher Risk
         planning and monitoring ICT initiatives across the       based on ITSD providing guidance and
         Secretariat.                                             encouragement on a collaborative basis.
         Responsibility for determining and controlling ICT
         initiatives lies with departmental managers. There is no
         formal procedure in support of a horizontal planning
         process across the Secretariat.
         Potential Risks:
         a) Lack of standardization;
         b) Diverging implementation practices and increased risk
         to ICT projects;
         c) Information and indicators to monitor ICT's
         performance not available; and
         d) Deviations in ICT plans not identified.




                                                                                    Page 47                                                         10/07/2008


-----------------------------------------------------------------------------------------

     6                                               Focus Area: Information Technology Management                                         Possible High   Higher Risk
                                                                                                                               IT

                                                                                                                                  Risk      Likeli-
         Interview/Review Summary (Description of risk)                                   OIOS Assessment                                           Impact Overall Risk
                                                                                                                                Category     hood
No
         A(ii) There is a disconnect between the approval of the                                                               Strategy    Likely   High   Higher Risk
         strategic framework and the approval of funding.
         The approval of resources to fund the implementation of
         the strategic initiatives endorsed by the governing bodies
         is uncertain. Potential risks:
         a) Inadequate and untimely allocation of resources;
         b) Inefficient planning;
         c) Inability to recruit staff with the necessary skill set; and
         d) Inability to initiate and complete the procurement
         process within reasonable timeframes.

         B(iii) There is a risk that with the current ICT Governance                                                           Governance Possible High    Higher Risk
         structure, all relevant stakeholders do not have adequate
         representation in relation to the development and support
         of applications and systems (i.e. OPPBA Financial
         Information Operations Services). Potential risks:
         a) Incomplete identification of solutions
         b) Significant requirements discovered later, causing
         costly reworking and implementation delays

         A(iii) The current ICT strategic initiatives (ERP, CRM, and                                                           Strategy    Possible High   Higher Risk
         ECM) do not ensure an adequate response to the critical
         strategic risk areas of: a) Management of time series
         data; and b) Data privacy.
         OIOS Assessment: The main ICT initiatives currently in progress in
         the Secretariat are:
         - ERP to manage resources
         - CRM to manage services
         - ECM to manage un-structured information




II       Finance - ITSD                                                                                                                   Likely   High   Higher Risk
         D(i) ICT budgets for applications and services throughout                                                            Financial   Likely   High   Higher Risk
         the Secretariat are not integrated into one comprehensive
         budget proposal. ICT initiatives are included in the
         departmental budgets with no one office/entity
         responsible for consistency, standardization and
         monitoring. Potential Risks:
         a) Ineffective and inefficient use of resources;
         b) Costs, benefits and risks of ICT initiatives unclear or
         misunderstood;
         c) Decisions that are not aligned with the organization's
         objectives;
         d) Under-funding;
         e) ICT seen as a technical and not a management issue;
         f) Failure to exploit ICT resources to the fullest; and
         g) Opportunity cost of not funding critical ICT initiatives is
         not clearly understood.
         OIOS Assessment: The benefits of ICT are well understood, but the
         budgeting, costing and delivery of initiatives is fragmented. The
         ICT Board is the central review body only for the ICT initiatives
         above $200K.



         D(ii) Costs of ICT may not be fully charged to user                                                                  Financial   Likely   High   Higher Risk
         departments, resulting in a lack of transparency of ICT
         costs, and a risk of under-funding ICT support operations.
         Without central control and monitoring of budgets relating
         to ICT, the UN may not have a clear view of the true cost
         of ICT, resulting in cost inefficiencies, as departments
         have less incentive to minimise or manage costs relating
         to ITSD. Potential risks:
         a) Inappropriate allocation of financial resources of ICT
         operations;
         b) Incorrect/incomplete cost information; and
         c) ICT value contribution not transparent.




         D(iii) Budget constraints may negatively impact the ability                              Financial   Likely   High   Higher Risk
         of ITSD/DM to meet business objectives. Consistent
         failures to meet business objectives or expectations may
         result in an increase of ICT expenditures outside of ITSD,
         resulting in an increased risk due to the use of a "shadow
         IT" infrastructure. Perception from outside of ITSD/DM is
         that they are not able to deliver and meet business
         needs, resulting in an increased level of ICT spending
         outside of ITSD/DM. Potential risks:
         a) Resource conflicts
         b) Financial resources not aligned with the Organization's
         goals

         D(iv) The length of the budget cycle and the untimely                                    Financial   Possible Medium Moderate Risk
         communication of available funds may impact the ability
         of ITSD/DM to procure services required to support
         strategic ICT initiatives. ITSD/DM may not be able to take
         advantage of supplier initiatives or comply with licence
         renewal requirements due to the timing of funding being
         available.
         Potential risks:
         a) Loss of opportunity cost in terms of foregone
         contractual benefits and
         b) Inefficient and costly use of operational resources.




         A(i) There is currently no capital budget for major ICT                                   Strategy    Likely   High   Higher Risk
         projects. This could result in a short term focus, and a
         risk that long term project objectives are not met. The
         lack of stable long term funding may result in a focus on
         "keeping the lights on" and doing the minimum required
         to keep operations running without the appropriate level
         of forward planning or strategic insight. Potential risks:
         a) ICT plans inconsistent with the organisation's
         expectations or requirements;
         b) ICT plans not focused on the right priorities

         D(v) There is no central review of ICT budgets across the                                 Financial   Likely   Medium Higher Risk
         Secretariat. Departmental budgets, which contain
         significant sums for ICT, are managed in isolation and the
         ICT components may not be reviewed for consistency in
         the context of the UN ICT strategy. Potential risks:
         a) Fragmented and inefficient allocation of resources;
         b) Insufficient capabilities, skills and resources to achieve
         desired goals;
         c) Strategic objectives not achieved; and
         d) Inappropriate priorities used for allocation of resources.




III       HR - ITSD                                                                                            Likely   High   Higher Risk
          F(i) UN job classifications and salary scale may not                                     Human       Likely   High   Higher Risk
          reflect the realities of the market for ICT professionals.                               Resources
          Long lead times and specific qualification requirements
          may reduce the ability of ITSD/DM to attract and retain
          the most appropriate personnel for their business needs.
          Turn-around time for the recruitment of ICT staff may
          take up to a year. Retention is problematic due to a
          misalignment between UN system and the current ICT
          market. Potential Risks:
          a) Delays in recruitment; and
          b) Over-reliance on consultants and temporary staff.


          F(ii) Skills models for ICT roles may not match the                                      Human       Likely   High   Higher Risk
          existing UN guidelines for hiring. Adherence to existing                                 Resources
          hiring policies, which require degree level education for
          professional level roles, may reduce the ability of
          ITSD/DM to attract the most appropriate individual for a
          given position. UN ICT job profiles are not aligned with
          the skills currently available in the ICT marketplace.
          Potential risks:
          a) ICT services not supported adequately and
          b) Ineffective ICT solutions.




IV       Procurement - ITSD                                                                                  Likely   High   Higher Risk
         E(i) The current procurement lifecycle is not responsive                                Operational Likely   High   Higher Risk
         and flexible enough to meet the demands of ICT
         purchasing within the UN. Procurement lead times which
         are longer than the industry norm may increase risk to the
         UN as a result of opportunities to procure services being
         lost (whether through vendors or loss of funding),
         additional costs being incurred or a potential breach of
         software licensing agreements. Potential Risks:
         a) Piecemeal development of ICT solutions;
         b) Duplications of procurement efforts;
         c) Incompatible solutions;
         d) Lack of integration between software and hardware
         solutions to ICT related needs; and
         e) Under or over funding.

         E(ii) Procurement of ICT services, software and hardware                                Operational Likely   High   Higher Risk
         may be performed outside of the control of ITSD/DM.
         Procurement of ICT systems may be classified as
         consultancy in order to bypass controls designed to
         detect purchases of ICT by other departments, or larger
         investments may be split into smaller amounts to avoid
         scrutiny of spending over $200k. Uncoordinated spending
         may result in:
         a) An increased risk of diversion of standards;
         b) Duplication of effort; and
         c) Inability of the UN to gain from economies of scale.




V        IT - ITSD                                                                                                               Likely   High   Higher Risk
         B(i) ITSD/DM maintains and supports a standard                                                                     Governance Likely   High   Higher Risk
         infrastructure for application development. However,
         ITSD/DM does not have the authority to monitor and
         enforce compliance of these standards in other
         departments of the Secretariat. Potential Risks:
         a) Lack of common understanding of organizational and
         ICT priorities, leading to conflicts about allocation of
         resources and priorities; and
         b) Missed opportunities to exploit new ICT capabilities
         and gain efficiencies from shared skills and resources.
         OIOS Assessment: ITSD established a system of ICT Focal Points for
         each Department with the aim of creating standards based on a
         relationship / best endeavours.




         B(ii) There is no central risk assessment covering all                                   Governance Possible High    Higher Risk
         applications/systems used across the Secretariat in order
         to identify the most critical business applications required
         to support the needs of the Organization. Shadow ICT, or
         ICT that is acquired / managed outside of the control of
         ITSD/DM increases the risk of duplication of effort and
         data inconsistency. Similar applications may be
         duplicated in multiple locations with no consistency or
         coordination between the owners. ICT or business
         owners for applications are not clearly & formally defined.
         Potential Risks:
         a) Information skills pertaining to the various
         applications/systems concentrated in specific areas of the
         Secretariat;
         b) Economies of scale cannot be achieved because of
         single departmental arrangements;
         c) Inability to maintain a consistent data architecture
         schema; and
         d) Inability to ensure adequate solutions for protection,
         business continuity, and disaster recovery of all critical
         data.




         E(i) Application change management for the existing                                     Operational Likely   High   Higher Risk
         enterprise system (IMIS) is a hybrid of centrally controlled
         processes and many locally (OAHs) managed processes
         and controls. A number of ancillary applications,
         developed and supported in the OAHs, feed data to or
         from IMIS, including e-Leave, treasury and procurement
         modules. This condition could expose the Secretariat to
         the risk of changes to add-on applications impacting ICT
         reliability / integrity. In addition, the migration of data
         during the upcoming implementation of the new ERP
         system could be hampered by the limited knowledge and
         status (i.e. readiness for data migration) of the ancillary
         systems. Offices Away from Headquarters have
         developed many ancillary applications to IMIS. Due to
         decentralized application development outside of
         ITSD/DM, testing of changes to assess the impact on
         downstream applications is not possible centrally, but is
         left to each local entity to perform. This testing may not
         be performed in a timely or consistent manner by each
         entity. Potential Risks:
         a) Incorrect implementation of new solutions on the basis o
         E(ii) The Information Security Policies, Procedures and                                 Operational Likely   High   Higher Risk
         Practices implemented by DM/ITSD may not be adequate
         to meet the needs of the data owners in other
         Departments of the Secretariat. The level of infrastructure
         / number of applications outside the direct control of
         ITSD/DM increases the risk that security vulnerabilities
         are introduced and not detected or remediated in a timely manner.




         E(iv) Continued progress towards ISO certifications in                                  Operational Possible Medium Moderate Risk
         ICT Service Management and Information Security may
         be impacted by a lack of resources. A limited
         implementation of the ISO certification campaign across
         all duty stations may expose the Secretariat to the
         following potential risks:
         a) Uncoordinated ICT security governance and
         b) Inconsistent levels of security over data and
         information assets.
         B(ii) The current governance structure supporting the UN                                Governance Possible High    Higher Risk
         web site does not ensure adequate management of the
         security risks threatening the public internet presence of
         the Secretariat. Lack of clear responsibilities and
         resources for information security assessments and
         monitoring (e.g. vulnerability assessments and security
         monitoring of the www.un.org website) may expose the
         Organization to serious risks.
         Potential risks:
         a) Security breaches;
         b) Reputational damage; and
         c) Unavailability of services.




         E(v) ITSD/DM has limited capability to support and                                      Operational Likely   Medium Higher Risk
         service ICT applications that have been selected and
         implemented in other departments. The complete
         autonomy in the choices made by other departments with
         regard to ICT investments exposes the day-to-day
         operations of the Secretariat to serious risks.
         Potential risks:
         a) Inadequate help-desk support for critical ICT
         applications and services
         b) Gaps between expectations and capabilities;
         c) Incompatible systems and solutions;
         d) Increased likelihood of problem recurrence; and
         e) Ineffective and inefficient use of resources.

         E(iv) Procedures in place to remove former employees                                    Operational Possible High   Higher Risk
         and contractors from ICT and Physical Access systems
         may not be sufficient to provide assurance that physical
         and logical access is removed in a timely manner once
         an individual has been terminated. Currently there is no
         adequate synchronization between the removal of access
         rights in both physical and logical domains.
         Potential risks:
         a) Security breaches;
         b) Users failing to comply with security standards; and
         c) Incidents not solved in a timely manner.


VI       Property and facilities management                                                                  Possible High   Higher Risk
         E(i) Current office accommodation in New York is not                                    Operational Possible Medium Moderate Risk
         sufficient for the number of ICT professionals employed.
         Potential risk is inefficient ICT operations.




VII       Safety - ITSD                                                                                        Likely   High   Higher Risk
          E(i) The existence of ICT systems not managed by                                         Operational Likely   Medium Higher Risk
          ITSD/DM increases the risk that, in the event of an
          incident, technology infrastructure and applications
          cannot be recovered in a timely fashion through existing
          Business Continuity arrangements. Applications and
          infrastructure which were not developed or procured by
          ITSD/DM may not be adequately backed up or have
          plans in place to enable recovery in a manner which
          meets business needs.
          Potential Risks:
          a) Failure to recover ICT systems and services in a timely
          manner;
          b) Failure of alternative decision-making processes;
          c) Lack of required recovery resources; and
          d) Failed communication to internal and external
          stakeholders.

          E(ii) Current data center arrangements are not sufficient                                Operational Possible High   Higher Risk
          to fully support the business requirements for recovery in
          the event of an incident. The Secretary General's report
          A/62/477, "Information and communications technology
          security, disaster recovery and business continuity for the
          United Nations", presented a detailed proposal for a
          global operational framework for information and
          communications technology (ICT) security, business
          continuity and disaster recovery. Pending the approval of
          the SG report by the General Assembly, the Secretariat is
          exposed to the following risks:
          a) Unavailability of critical ICT resources
          b) Increased costs for continuity management
          c) Prioritisation of services recovery not based on
          organizational needs




         E(iii) Current contingency arrangements may not support                                   Operational Likely   High   Higher Risk
         the restoration of email (Blackberry) services in the same
         timeframe as other business applications and
         infrastructure. This presents a risk based on the criticality
         of email to the UN, with it being considered one of the
         most critical business applications. Potential Risk is
         failure to recover the organization's critical systems and
         services in a timely manner





                                    Risk Assessment of : the Department of Management
     9                                              Focus Area: Property and Facilities Management                                   Possible Medium Moderate Risk
                                                                                                                         Prop

No       Interview/Review Summary (Description of risk)                              OIOS Assessment                              Risk Category   Likelihood   Impact   Overall Risk
I        Organizational structure                                                                                               Possible High        Higher Risk
         B(i) Lack of substantive, full-time heads of organizational   The Facilities and Commercial Services Division        Governance Possible High        Higher Risk
         units such as the Office of Central Support Services          (FCSD) is headed by a Director at the D-2 level.
         (OCSS) may impede the implementation of its mandated          As of the time of this risk assessment, the Director
         activities. For example, OIOS was informed that OCSS          of FCSD reported to the Director of the CMP.
         has been without a full-time ASG for more than two years.

         B(ii) The lack of appropriate structures for the Facilities                                                     Governance Possible High    Higher Risk
         Management Service (FMS) may result in suboptimum
         services to substantive programmes and reduce the
         profitability of revenue generating activities such as the
         postal service, catering service, and garage
         administration. If a unit is not assigned to a division
         where the appropriate expertise/skills exist at the
         director's level, that unit might not be provided with
         adequate supervision. OIOS was informed that the
         Garage Administration, which is a revenue generating
         activity, is part of the Facilities Management Service
         Division while the Archiving and Records Unit, which
         generates no revenue, is located in the Commercial
         Activities Service.
II       Safety and health                                                                                                           Possible High   Higher Risk
         F(i) The increasing demand for space as a result of the       According to FCSD, internal expertise exists      Human       Possible High   Higher Risk
         growth of the Secretariat (e.g. two new departments -         which are used for ensuring that the highest      Resources
         DFS and DSS were created in the past two years) and           standards for safety and health are adhered to.
         the simultaneous execution of the CMP may result in
         compromised safety and health of staff and
         representatives of Member States.




          F(ii) Lack of adequate resources may result in                New York State and Federal codes govern.          Human       Possible High   Higher Risk
          suboptimum maintenance of facilities, which could                                                               Resources
          endanger the safety and health of staff and                   The DM-administered budgetary process
          representatives of Member States.                             empowers substantive programmes (i.e. FCSD) to
                                                                        prepare the initial cost estimates based on GA
                                                                        approved strategic framework, budget outlines
                                                                        and OPPBA-issued instructions. The Regulations
                                                                        and Rules Governing Programme Planning, the
                                                                        Programme Aspect of the Budget, the Monitoring
                                                                        of Implementation and the Methods of Evaluation
                                                                        and Financial Regulations and Rules of the UN
                                                                        govern the budgetary process.

III       Contract management                                                                                                         Possible High   Higher Risk
          E(i) Lengthy contracting process may result in the loss of    The UN Procurement and Contract Management        Operational Possible High   Higher Risk
          required services.                                            Policies govern.
          E(ii) The lack of adequate contract management                The UN Procurement and Contract Management        Operational Possible High   Higher Risk
          procedures may result in suboptimum services being            Policies govern. For most contracts, regular
          provided to the UN, delays in initiating renewal and/or re-   meetings are held involving the Procurement
          bidding processes, excessive cost to the UN, and non-         Service, FCSD and the contractor. These
          compliance of vendors with contracts. Contracts may be        meetings are used to assess implementation of
          extended more often than originally anticipated thereby       contracts and compliance by contractors.
          creating a dependency on one supplier, or compromising
          competition.
IV        Provision of facility management services to substantive programmes                                                        Possible High   Higher Risk
          E(i) Lack of adequate systems and procedures for              FCSD stated that it was planning to develop a Operational Possible High       Higher Risk
          effectively and efficiently managing substantive              customer relationship management system soon.
          programmes' needs for facilities may impede the delivery
          of mandates.




         E(ii) Lack of adequate resources may result in the          The DM-administered budgetary process           Operational Possible High          Higher Risk
         requirements of substantive programmes not being met.       empowers substantive programmes (i.e. FCSD) to
                                                                     prepare the initial cost estimates based on GA
                                                                     approved strategic framework, budget outlines
                                                                     and OPPBA-issued instructions. The Regulations
                                                                     and Rules Governing Programme Planning, the
                                                                     Programme Aspect of the Budget, the Monitoring
                                                                     of Implementation and the Methods of Evaluation
                                                                     and Financial Regulations and Rules of the UN
                                                                     govern the budgetary process.

V        Business continuity management                                                                                                 Possible High   Higher Risk
         A(i) Due to the lack of a comprehensive business            The Business Continuity Management Unit was         Strategy       Possible High   Higher Risk
         continuity and disaster recovery plan/strategy, the UN      established in 2007 with two professional staff and
         may lose operating capacities in the event of a disaster.   one GS staff. It is responsible for preparedness
                                                                     planning for influenza and business continuity.

         D(i) Lack of adequate funding may impede business           The SG proposed a policy for pandemic influenza Financial          Possible High   Higher Risk
         continuity management. In 2007, the Business Continuity     and business continuity planning for the approval
         Management Unit was funded through the SG's                 of the GA. Requirements for funding will be based
         Discretionary Fund.                                         on an approved policy.

                                                                     The Unit is expected to use focal points, on a part-
                                                                     time basis, in each participating UN agency and
                                                                     department of the Secretariat.




         B(i) The absence of clearly defined governance/policy     The Business Continuity Management Unit was          Governance Possible High    Higher Risk
         framework may impede effective business continuity and    established in 2007. It is currently part of OCSS
         disaster recovery management.                             and reports to the Director of FCSD.

                                                                  The activities of the unit currently fall under the
                                                                  purview of two bodies - i.e. Crisis Operations
                                                                  Group (COG) and Senior Emergency Planning
                                                                  Team (SEPT).

                                                                   The SG proposed policies for business continuity
                                                                   planning to the GA.
         E(i) Inability to maintain confidentiality of business     The Business Continuity Management Unit was        Operational Possible   High   Higher Risk
         continuity plans may hinder the effectiveness of business  established in 2007. It has two professional staff
         continuity management. Risk of balancing confidentiality   and one GS staff. The Chief of the Unit was
         with making sure UN employees have the information         recruited towards the end of 2007. It is
         they need in case of emergency.                            responsible for preparedness planning for
                                                                    influenza and business continuity.
         E(ii) UN procurement policies may not allow stand-by      The UN Procurement and Contract Management Operational Possible           High   Higher Risk
         vendor agreements that will be necessary for effective    policies are used.
         business continuity management.
                                                                   Critical vendors have been identified.
         B(ii) Lack of coherence and coordination within the UN                                                       Governance Possible    High   Higher Risk
         Secretariat may impede effective business continuity
         management.
VI       Asset Management                                                                                                         Possible   Medium Moderate Risk
         D(ii) Large scale relocation of assets as a result of the The UN asset management policies govern the        Financial   Possible   Low    Lower Risk
         CMP may result in loss/damage of assets.                  physical relocation and disposal of assets.

                                                                  Artworks are to be covered by the General
                                                                  Contractor's insurance policies.




         E(ii) Inadequate and ineffective information systems'       DM has delegated asset management activities to Operational Possible Medium Moderate Risk
         support may diminish the safeguarding of assets.            substantive programmes. According to FCSD, a
                                                                     new asset management system, which interfaces
                                                                     with the Procurement System, was implemented
                                                                     in 2003. As part of the implementation of the
                                                                     system, a physical inventory was conducted. A
                                                                     different system called Galileo is used by
                                                                     peacekeeping and political missions for asset
                                                                     management.
         D(iii) Inadequate inventory management practices may        (a) DM has delegated asset management              Financial  Likely Low    Moderate Risk
         result in excessive/obsolete stocks, fraud, waste and       activities to substantive programmes. According
         abuse of all categories of assets. This may have a          to FCSD, a new asset management system,
         negative impact on the reputation of the United Nations.    which interfaces with the Procurement System,
                                                                     was implemented in 2003. As part of the
         Assets in stores may not be properly safeguarded            implementation of the system, a physical inventory
         resulting in theft, fraud, waste or abuse.                  was conducted. A different system called Galileo
                                                                     is used by peacekeeping and political missions for
                                                                     asset management. (b) FCSD maintains stocks of
                                                                     each type of item. Stocks are replenished
                                                                     periodically taking into consideration past
                                                                     consumption rates.
         C(i) The lack of proper change management                   The IPSAS project team is expected to provide      Compliance Likely Medium Higher Risk
         procedures may result in inaccurate financial reporting     leadership and guidance in IPSAS readiness.
         under IPSAS.
         E(iii) The absence of adequate, effective and efficient                                                  Operational Possible High     Higher Risk
         records retention policies may result in unnecessary
         documents being archived and the possible loss of
         valuable records including the records of peacekeeping
         missions due to inadequate resources. Many of the
         records are still hard copy and have not been transferred
         into an electronic format.




VII        Postal Administration                                                                                               Financial   Possible Medium Moderate Risk
           D(i) Inadequate systems of accounting and reporting may        UNPA anticipates that the ERP will improve its      Financial   Possible Low    Lower Risk
           impact the reliability and integrity of financial reporting by accounting and reporting.
           the United Nations Postal Administration.
                                                                          Financial reports are prepared by Postal and
                                                                          certified by the Accounts Division and audited by
                                                                          the UN Board of Auditors.
           D(ii) Inadequate controls over the procurement and                                                                  Financial   Possible Low    Lower Risk
           inventory of artwork used on stamps may result in fraud
           and financial losses to the UN.
           D(iii) Inadequate controls over the issuance of discounts                                                           Financial   Possible Low    Lower Risk
           and commissions may result in financial losses to the
           United Nations.
           D(iv) Stamps purchased as collection items may be used         UNPA explained that currently stamps sold as        Financial   Possible Low    Lower Risk
           later resulting in additional liabilities not previously       collection items are cancelled in order to prevent
           foreseen. Contingent liabilities may not be determined         their use in the postal system. However, it is not
           and reported due to limitation in the United Nations           clear if all stamps previously sold before the new
           System Accounting Standards.                                   system was implemented have been accounted
                                                                          for.

           D(v) Lack of a regular budget may impede the activities of     The UN Postal Administration is a revenue           Financial   Possible Low    Lower Risk
           the UNPA.                                                      generating, self-financing activity. However,
                                                                          certain posts are funded by the regular budget.
           D(vi) Implementation of the CMP project may result in          Stamps are also sold in Geneva, Vienna and New      Financial   Possible Low    Lower Risk
           loss of revenue from stamps as post office may not be          York.
           available.
VIII       Travel management                                                                                                               Possible Medium Moderate Risk
           E(i) Restrictive visa requirements by Member States for        There is a Convention on Privileges which           Operational Remote High     Moderate Risk
           different nationalities may create difficulties in obtaining   requires member states to facilitate the travel of
           visas for official travel of UN staff. This may in turn        UN staff.
           impact on the delivery of programmes.




         E(ii) Due to the elevated security risk associated with         Coordination between different offices to make      Operational Possible Medium Moderate Risk
         traveling, travel arrangements for UN staff and officials       travel as efficient as possible.
         may not be efficient and economical. Inability to make
         efficient travel arrangements due to constant changes in
         countries' legislation, availability of flights (e.g. no more
         than 5 UN officials may be put on the same flight and no
         more than 30 UN staff may be put on the same flight).

         D(i) The large size and continued usage of the travel           According to FCSD, the AMEX contract is           Financial     Possible High   Higher Risk
         contract with the American Express (AMEX) may                   benchmarked against the private sector and is re-
         represent a reputational risk to the UN as a monopoly           bidded regularly. It conforms to industry best
         contract. Monopoly by travel agency - AMEX could drive          standards.
         prices up.
         E(iii) Inadequate controls over the issuance, renewal and       The UN is required to comply with International     Operational Possible High   Higher Risk
         disposal of the UN laissez passers (UNLPs) throughout           Civil Aviation Organization standards.
         the UN System may result in fraud and abuse and thus
         result in serious reputational damage to the United
         Nations.
IX       Overseas construction                                                                                               Financial   Possible Medium Moderate Risk
         D(i) Delays in completing construction projects may result      The United Nations Procurement and Contract         Financial   Possible Medium Moderate Risk
         in cost overruns as overseas constructions projects may         Management Policies govern overseas
         have difficulties finding qualified contractors.                construction activities. FCSD has a unit
                                                                         specifically dedicated to the management of
                                                                         overseas construction activities. This unit works
                                                                         with UN officials at the duty stations where the
                                                                         construction work is being performed.

X        Garage Administration                                                                                                           Possible Medium Moderate Risk
         E(i) Ineffective security arrangements for the UN garage                                                            Operational Possible High   Higher Risk
         may result in security violations and hence endanger the
         lives of staff and representatives of Member States.




          D(i) Inadequate accounting and reporting controls at the   The garage serves UN officials but also generates Financial      Possible Low    Lower Risk
          UN garage may result in loss of revenue.                   revenue. Permits are issued to staff in
                                                                     accordance with established procedures and
                                                                     payments are made through payroll deductions.
                                                                     There are temporary parking spaces for which
                                                                     fees are collected at the gates. The garage is
                                                                     patrolled daily to prevent parking violations.
                                                                     Parking violators are fined.
XI        Human resources management                                                                                                  Possible Medium Moderate Risk
          F(i) The absence of a competitive remuneration package        The United Nations Human Resources                Human       Possible Medium Moderate Risk
          for specialized skills (e.g. trades and crafts) may result in management policies and practices are followed.   Resources
          difficulties in recruitment and high staff turnover.

          F(ii) Implementation of a mandatory mobility policy may    The UN Human Resource management policies            Human       Possible Medium Moderate Risk
          increase the need for and cost of training new staff. A    and practices are followed.                          Resources
          steep learning curve may impede the efficient and effective
          delivery of programmes.
XII       Mail and pouch                                                                                                            Possible Low      Lower Risk
          D(i) The lack of adequate funding to compensate for the    The UN budgetary policies and procedures apply. Financial      Possible Low      Lower Risk
          rising cost of fuel may reduce mail/pouch operations and   The budgetary process is led by the Programme
          thus impact programme delivery.                            Planning and Budget Division of OPPBA and
                                                                     relies on the collaborative efforts of substantive
                                                                     programmes (i.e. FCSD) to adequately budget for
                                                                     programmes' needs.
          E(i) Inadequate controls over the processing of            Handling procedures for mails/pouch.               Operational Possible High     Higher Risk
          mail/pouch may result in abuse and fraud. This could
          impact the reputation of the UN particularly when banned
          items are moved through the mail/pouch system.




                                                                                        Page 68                                                           10/07/2008


-----------------------------------------------------------------------------------------

       9                                           Focus Area: Property and Facilities Management              Possible Medium Moderate Risk
                                                                                                   Prop

No        Interview/Review Summary (Description of risk)                OIOS Assessment                                     Risk Category Likelihood  Impact  Overall Risk
XIII      Special services                                                                                                  Financial     Possible    Low     Lower Risk
          D(i) Implementation of the CMP project may result in loss                                                         Financial     Possible    Low     Lower Risk
          of revenue from catering service, news stand, visitor
          programme, and gift shop and other revenue generating
          activities. From 2009 to 2011, the UN building will be
          remodeled. Due to this, the following situations may
          occur: service providers will not wish to continue working
          with the UN, the gift shop may need to be closed, the
          dining room will not be fully used, and visitors will be
          minimized.






-----------------------------------------------------------------------------------------

     Focus Areas

     Focus areas are the key standard processes that are typically found in United Nations operations.
     These are categories established by the risk assessment framework to facilitate understanding and
     communicating common processes or functions within the Organization (common language).
     They are based on a categorization of objectives, using a hierarchy that begins with high-level
     objectives and then cascades down to objectives relevant to organizational units, functions,
     or business processes. The IAD risk assessment framework has identified eleven focus areas
     as follows:

1    Strategic Management and Governance
2    Financial Management
3    Human Resources Management
4    Procurement and Contract Administration
5    Logistics Management
6    Information Technology Management
7    Programme and Project Management
8    Conference and Documents Management
9    Property and Facilities Management
10   Safety and Security
11   Other areas (for areas not included in 1 to 10)

     Each focus area may be broken down into sub-focus areas. Examples of
     sub-focus areas are listed below.





-----------------------------------------------------------------------------------------

No. Focus Areas                  Examples of Sub Focus areas relating to principal focus
 1    Strategic Management       Strategic planning and monitoring, Mandate and mission, Organizational structure and functions,
      and Governance             Start up planning, Liquidation planning, Risk management, Policies and procedures,
                                 Governing/Legislative bodies, High level committees, Top level offices.
 2    Financial Management       Accounting and financial reporting, Results-based Budgeting, Cash management, Treasury,
                                 Contributions, Fund raising, Payroll
 3    Human Resources            Recruitment, Training, Conduct and discipline, Entitlements and allowances, Performance appraisal
      Management                 system and Medical Services, Use of short term staff (consultants, gratis personnel etc.)
 4    Procurement and            Procurement planning, Procurement process, Local contracts committee, Administration of major
      Contract Administration    contracts such as for fuel, rations, airfield services, medical supplies etc.
 5    Logistics Management       Travel services, Transport operations, Air operations, Movement control, Fleet Management and
                                 Maintenance
 6    Information Technology     Management of ICT infrastructure, software development, Communications services, ICT operations,
      Management                 Business continuity and disaster recovery, IT Security
 7    Programme and Project      Management of programmes such as Rule of Law, Human Rights, Child Protection, Public
      Management                 Information, Disarmament, Demobilization and Reintegration, Mine action, Protection of Civilians,
                                 Military and Civilian Police operations, and Logistics; Management of projects such as technical
                                 cooperation and quick impact projects
 8    Conference and             Records management, Publications, Editorial services, Conference management, Translation and
      Documents Management       interpretation services, Web sites
 9    Property and Facilities    Management of office premises and facilities, Contingent-owned equipment, Expendable and
      Management                 non-expendable property, Building Services, Inventory management, Local Property Service Board
 10   Safety and Security        Security of UN staff and installations, Contingency planning, Evacuation procedures and drills,
                                 Occupational safety
 11   Other areas                This is for illustration purposes only and is not a comprehensive audit and is included for any other
                                 focus areas not specified in 1-10. This may include general office administration, executive offices
                                 and common services etc.






-----------------------------------------------------------------------------------------

     Risk Categories

     Risk categories are common concerns or events, grouped together by the type of risk that will result.
     The seven (7) risks used in the OIOS Risk Assessment methodology are as follows:

A.   Strategy
B.   Governance
C.   Compliance
D.   Financial
E.   Operational
F.   Human Resources
G.   Information Resources

No. Risk Category            Description
 A   Strategy                Impact on mandate, operations or reputation arising from inadequate strategic planning, adverse business decisions,
                             improper implementation of decisions, a lack of responsiveness to changes to the external environment, or exposure
                             to economic or other considerations that affect the Organization's mandates and objectives.

 B   Governance              Impact on mandate, operations or reputation as a result of failure to establish appropriate processes and structures to
                             inform, direct, manage and monitor the activities of the Organization toward the achievement of its objectives.
                             Includes attributes such as leadership, tone at the top, and promotion of an ethical culture in the Organization.

 C   Compliance              Impact on mandate, operations or reputation from violations or non-conformance with, or inability to comply with laws,
                             rules, regulations, prescribed practices, policies and procedures, or ethical standards.

 D   Financial               Impact on mandate, operations or reputation resulting from: failure to obtain sufficient funding, funds being
                             inappropriately used, financial performance being not managed according to expectations, or financial results being
                             inappropriately reported or disclosed.

 E   Operational             Impact on mandate, operations or reputation resulting from inadequate, inefficient or failed internal processes that do
                             not allow operations to be carried out economically, efficiently or effectively.

 F   Human Resources         Impact on mandate, operations or reputation resulting from a failure to develop and implement appropriate human
                             resources policies, procedures and practices to meet the Organization's needs.

 G   Information Resources   Impact on mandate, operations or reputation resulting from failure to establish appropriate information and
                             communication systems and infrastructure so as to efficiently and effectively.






-----------------------------------------------------------------------------------------

                                    Risk Assessment Ratings
The OIOS Risk Assessment Framework evaluates the likelihood of the risk occurring and the impact it will have if it occurs.
Based on the assessment of the two factors, an overall risk rating is derived indicating whether the risk of a focus area is High, Moderate
or Low. The ratings used are shown below:

                                    Risk Likelihood
                  Likely            Conditions within our environment indicate that an event is expected to occur in most circumstances
                  Possible          Conditions within our environment indicate that an event will probably occur in many circumstances
                  Remote            Conditions within our environment indicate that an event may occur at some time

                                    Risk Impact
                  High              Serious impact on operation, reputation, or funding status
                  Medium            Significant impact on operations, reputation, or funding status
                  Low               Less significant impact on operations, reputation, or funding status

                                    Overall Risk Combinations Impact and Likelihood
                  Higher Risk       The identified issue represents the following likelihood and impact combinations:
                                        • Likely and high
                                        • Likely and medium
                                        • Possible and high
                  Moderate Risk     The identified issue represents the following likelihood and impact combinations:
                                        • Likely and low
                                        • Possible and medium
                                        • Remote and high
                  Lower Risk        The identified issue represents the following likelihood and impact combinations:
                                        • Possible and low
                                        • Remote and low
                                        • Remote and medium






-----------------------------------------------------------------------------------------

                                  RISK SUMMARY PROFILE (Focus Area)

     [Chart: Likelihood (Remote, Possible, Likely) plotted against Impact (Low, Medium, High). Focus areas shown:
     Human Resource Management; Strategic Management and Governance; Financial Management; Property and Facilities
     Management; Procurement and Contract Administration; Information Technology Management.]





-----------------------------------------------------------------------------------------

                                            RISK SUMMARY PROFILE (Sub Focus Area)

     [Chart: Likelihood (Remote, Possible, Likely) plotted against Impact (Low, Medium, High). Sub-focus areas are
     labelled with their focus-area prefix (Strategic, Fin, HR, Proc, IT, Prop).]





-----------------------------------------------------------------------------------------

