DFID’s approach to managing fiduciary risk in conflict-affected environments

ICAI score: Green-Amber

Good achievement on risk identification, mitigation and learning, but weaker performance on monitoring residual risk and decision-making on risk appetite

Our review finds that DFID staff working in conflict-affected countries are aware of fiduciary risks and are actively seeking to manage them, often in challenging circumstances. This reflects the strength of DFID’s decentralised and flexible approach to risk management.

We identified a number of areas of good practice. However, these efforts are not yet anchored in a fully comprehensive risk management system – although this is under development – that ensures consistency of approach, gives clarity on risk appetite and provides a strategic overview of fiduciary risks across its high risk country portfolio.

Overall we have awarded a Green-Amber rating, indicating that DFID’s fiduciary risk management in conflict-affected states is satisfactory in most areas, but requires urgent attention in others. This rating reflects DFID’s recognition of these areas of concern and its work to address them. Had it not been for these ongoing reforms, our rating would have been lower. We urge DFID to press ahead as a matter of urgency with addressing the remaining areas of weakness. The review sub-scores are presented below.

 

Individual question scores

Question 1

ICAI score: Green-Amber

How effectively does DFID identify and assess fiduciary risk in conflict-affected environments at country portfolio, individual project delivery and partner levels?

Question 2

ICAI score: Green-Amber

How efficiently does DFID mitigate risk in its programme designs and choice of delivery channels?

Question 3

ICAI score: Amber-Red

How effectively does DFID monitor residual risk through the programme life-cycle?

Question 4

ICAI score: Amber-Red

To what extent does DFID make clear and defensible choices as to what types and levels of fiduciary risk to tolerate in its programming?

Question 5

ICAI score: Green-Amber

How effectively is DFID capturing and applying learning in the development of its systems and processes for fiduciary risk management in conflict-affected environments?

Executive Summary

This review explores how well the Department for International Development (DFID) manages fiduciary risk in conflict-affected environments. Fiduciary risk is the likelihood that aid entrusted to others to deliver is not used for its intended purposes or cannot be properly accounted for. DFID has committed to spending at least half of its budget in fragile states and regions.[1] These include extremely challenging operating environments, such as Syria, Somalia and Yemen, where DFID’s access is constrained and the risk of fraud or misuse of funds may be heightened. Effective management of fiduciary risk is key to achieving value for money and ensuring that UK aid makes maximum impact.

In this performance review, we assess fiduciary risk management at corporate, country portfolio and programme levels. We explore the different aspects of fiduciary risk management (identification and assessment of fiduciary risk, mitigation and monitoring), how DFID sets its fiduciary risk appetite and makes risk-based decisions, and how well it learns about fiduciary risk management.

Our methodology included a review of DFID’s overall fiduciary risk management systems and guidance, desk reviews of ten country strategies, and detailed case studies of fiduciary risk management practices in five conflict-affected countries.[2] Countries were selected to ensure that we looked at a range of conflict, insecurity and accessibility challenges, while focusing on the conflict-affected states that receive significant DFID expenditure.

DFID has a decentralised approach to fiduciary risk management, reflecting its decentralised management structure. Fiduciary risk management functions are delegated to country offices and to the staff responsible for individual programmes, known as senior responsible owners. Senior responsible owners are given the autonomy to make management decisions in a flexible manner, subject to certain overarching principles, rules and guidance.[3]

In 2014, DFID’s internal audit department identified important weaknesses in DFID’s overall risk management system.[4] Since then, DFID has been developing a new comprehensive approach to risk management, including fiduciary risk management. Instead of establishing specific rules and procedures for fragile states, DFID says its aim is to make its core management systems robust enough for all environments.

Our evidence shows that DFID has made important progress in risk management since 2014. Across our country sample we observed a number of areas of good performance, notably in the following:

  • strong consideration of fiduciary risks in programme design and implementation and as a driver of value for money
  • high awareness and understanding of fiduciary risks among staff
  • good practices in identifying, assessing and mitigating fiduciary risk at country and programme level.

We also found a high degree of variation in the way country offices categorise and rate risks, which has a bearing on how risks are overseen at a more strategic level. In addition, there is limited evidence of clear and effective processes for escalating fiduciary risk concerns from country offices to corporate level.

For conflict-affected countries included in our sample, we found inconsistent performance in the following areas:

  • monitoring of residual risks (ie those risks remaining after mitigation)
  • oversight of multilateral implementing partners
  • clarity in how and when fiduciary risk is transferred to partners
  • decision-making on fiduciary risk appetite.

We have given DFID a Green-Amber rating overall, reflecting a mixed performance across different aspects of fiduciary risk management. We have awarded a Green-Amber score for practices around risk identification, risk mitigation and learning, but an Amber-Red score for the monitoring of residual risk and for decision-making on risk appetite. Our recommendations mainly focus on these areas of deficiency.

DFID’s practices for identifying and assessing fiduciary risks in conflict-affected states are largely effective at country and portfolio level

Fiduciary risk assessment is built into programme design and implementation across all the cases we reviewed. All business cases across our five case study countries include consideration of fiduciary risk as part of the ‘financial case’, in line with DFID guidance. The risk assessments demonstrate a good degree of country-relevant knowledge. Each of the ten country offices in our wider sample uses up-to-date risk registers to identify and assess risk at country portfolio level. In each case we examined, the risk register covers fiduciary risks, with a particular focus on fraud and corruption and diversion of aid. DFID’s devolved risk management systems depend heavily on the judgment of individual senior responsible owners. We found that they have a good understanding of the issues, demonstrating a hands-on familiarity with fiduciary risks and risk management processes and an awareness of the need for evidence-based decisions.

Risk mitigation is well incorporated into programme design and implementation

In the individual programmes reviewed, fiduciary risks identified in business cases are consistently addressed in programme design. Recommendations from due diligence assessments and annual reviews are taken forward in delivery plans. Our interviews with country office staff showed that heads of office, senior responsible owners and programme managers are aware of the risks within their spheres of responsibility and actively engaged in risk mitigation. Close working relationships with partners were noted by country staff as critical for effective risk mitigation.

A wide range of mitigating actions are used to address fiduciary risk across countries

Most DFID programmes across our case study countries are taking appropriate and proportionate action to mitigate risk. Senior responsible owners are able to explain specific risks and how these are mitigated. This suggests an improvement in understanding since a 2014 review by DFID’s internal audit department,[5] although our findings are focused on fiduciary risk, rather than risk management as a whole. We saw evidence of mitigating actions being proactively followed through, such as payments withheld until grant conditions are satisfied. These measures are primarily targeted at lead partners, who are then responsible for enforcing them through the delivery chain.

DFID is working to address weaknesses in its risk management framework, but its sharing of good practice is uneven

The 2014 internal audit report identified a range of fundamental weaknesses in DFID’s risk management system. DFID accepted these findings and has since been working to develop a comprehensive risk and assurance framework for making risk-based decisions and managing risks in an appropriate way to achieve objectives.

We saw evidence that DFID staff are aware of these ongoing reforms and are engaging actively with new risk management concepts, such as risk appetite and risk-return balance. The team leading the changes has engaged with a number of countries, including conflict-affected states, to ensure that their learning is incorporated into its new approaches and guidance. It is also piloting new tools in several locations. Through this interaction, some countries have begun to incorporate the new guidelines even before their publication, which suggests high demand for change.

We observed good examples of learning within and between country offices on fiduciary risk management. Country offices have been given the flexibility to develop their own approaches to managing fiduciary risks in their geographic contexts. This facilitates innovation, at the expense of consistency. We saw evidence of good practices being shared among country offices, mainly through informal networks. However, these learning processes are relatively unstructured and result in an uneven uptake of good practice.

Inconsistent approaches across country offices make it difficult to compare the treatment of risk across countries

Country offices in our sample consistently include fiduciary risks in their risk registers, but use different categorisations and rating systems. We found this makes it difficult for senior management to assess whether risk management practices are adequate and in line with corporate objectives.

At the programme level, we found that staff lack a common understanding of when risk is transferred to partners and to what degree. Due diligence assessments of implementers, which are mandatory for grant agreements, are also inconsistent in depth and quality. Information on the past performance of implementing partners is available in annual reviews, but is not systematically used for analysing fiduciary risk. DFID does not currently have systems in place to ensure that appropriately skilled programme management staff are matched to higher risk programmes and countries. In DFID’s early response to the Syria crisis, for example, there was a shortage of senior programme management staff with experience of fiduciary risk issues in high-risk environments.

DFID has introduced some innovative remote monitoring practices in conflict-affected environments, but is not systematically monitoring residual fiduciary risk

In recent years, DFID has strengthened its monitoring of programmes in conflict-affected environments through the use of remote monitoring and other innovative practices. In a number of countries (eg Afghanistan, Yemen and Somalia), DFID outsources its monitoring to third parties to track results. These third-party monitors are not directly tasked with monitoring the full range of fiduciary risks, even though they could readily do so. Ideally, third-party monitors would spot check whether controls remain in place, whether mitigating actions are being followed through and cross-reference other sources of fiduciary risk information, including any reports of fraud and corruption.

There are specific challenges involved in monitoring fiduciary risk of multilateral implementing partners at country level

Monitoring of multilateral implementing partners is a particular area of concern. By international agreement, multilateral organisations usually manage funds according to their own rules and systems, without additional oversight from bilateral donors. This means that DFID has no automatic right to oversee their management of fiduciary risks in specific programmes, even though their programme management capacity can vary significantly from country to country. In some cases, DFID is able to negotiate additional oversight arrangements. In our sample countries, there were instances where multilateral partners resisted DFID oversight. For example, in Sudan, the United Nations Environment Programme (UNEP) resisted the inclusion of provisions for early reporting of fraud to DFID in its memorandum of understanding with DFID as this was considered inconsistent with the central United Nations’ Office of International Oversight Services procedures for reporting and investigating allegations of fraud. In the Democratic Republic of the Congo, the United Nations Office for Project Services (UNOPS) was reluctant to share information on fiduciary risks and resisted DFID pressure for an independent programme audit, due to the United Nations single audit principle. Senior responsible owners informed us that, while they remain responsible for overseeing how multilateral implementers manage fiduciary risk, they do not feel empowered to do so.

DFID has variable oversight of fiduciary risk issues down its delivery chain

In recent years, the size of DFID’s largest programmes in fragile states has increased steadily, with a corresponding increase in the department’s reliance on multilateral partners, large contractors and international nongovernmental organisations (NGOs). These lead partners often work through local organisations to deliver activities. DFID works closely with the lead partner on fiduciary risk management, but usually has no direct relationship with sub-grantees or subcontractors. Fiduciary risk management down the delivery chain is the responsibility of the lead partner. While there may be sound practical or programmatic reasons for this approach, it not only reduces DFID’s direct interaction with local civil society organisations and businesses and the possibility of increasing the capacity of these organisations to manage risk, it also distances DFID staff from some of the practical risks and challenges that emerge during programme implementation.

DFID staff and partners lack clarity about when risk is transferred to implementers

DFID staff and partners lack a consistent understanding of when and to what extent the responsibility for fiduciary risk is transferred from DFID to others, where delivery chains are complex. In our sample, we found clear awareness of possible risks but a lack of collective understanding among DFID staff of the implications of transferring risk to fiduciaries. We also found some uncertainty about when and how risks were being transferred down the delivery chain.

Assessments of fiduciary risk appetite at country level are still at an early stage

Country offices set their own risk appetite. We found that country offices are beginning to articulate evidence-based rationales for their decisions on the appropriate level of risk appetite, though these decisions are not always documented. Formal statements of risk appetite are beginning to appear in operational plans and risk registers (as in Pakistan), but remain at an early stage across the sample as a whole.

The combination of a high risk appetite and zero tolerance approach to fraud and corruption is not consistently understood across DFID

DFID asserts that it has a high risk appetite. We found that staff were aware of this – an improvement from the 2014 internal audit report – and of DFID’s zero tolerance approach to fraud and corruption. However, we found that staff interpreted these two principles in a variety of ways. Some felt that DFID chose to work in high-risk areas, but had a low appetite for fiduciary risk within those areas. Others thought that fiduciary risks could be taken if justified by the potential benefits. Among more senior staff, a common view was that, while DFID had a relatively high appetite for fiduciary risk where justified by the returns, it had a low appetite for reputational risk, and these reputational considerations often drove decision-making rather than fiduciary risk itself. Staff need a clear understanding of the department’s risk appetite and risk tolerance in order to judge which risks are justified in pursuit of development objectives and to assess what level of effort or expenditure is appropriate to mitigate particular risks.

We have given DFID a Green-Amber rating overall. This rating recognises the conscientious efforts of DFID country level staff to manage fiduciary risks in challenging environments, giving us a sufficient level of confidence that UK funds are being protected. The rating also reflects the fact that DFID is in the process of putting in place a more comprehensive risk management system. Had it not been for these ongoing reforms, our overall rating would have been lower. We also note that it has taken considerable time for elements of the system to be put in place. We therefore urge DFID to press ahead as a matter of urgency with addressing reforms on fiduciary risk appetite and risk transfer in fragile and conflict-affected environments.

Recommendations

DFID’s new risk assurance framework and its ongoing reforms are intended to address some of these challenges. We have made a number of recommendations to shape those reforms. While our work focused on fiduciary risk in conflict-affected environments, there is learning that may be more widely relevant. We encourage DFID to consider their applicability for managing fiduciary risk in other contexts.

Recommendation 1

DFID should accelerate the timetable for implementing its central guidance on risk appetite and work quickly to articulate its risk-return approach to decision-making.

Recommendation 2

DFID should clarify rules and expectations around risk transfer to fiduciaries, and the residual fiduciary risk responsibilities of senior responsible owners and senior management.

Recommendation 3

DFID should urgently explore ways to improve the transparency and monitoring of fiduciary risk in bilateral programmes implemented by multilateral partners.

Recommendation 4

DFID should implement measures to match appropriate fiduciary risk management skills and expertise with its highest risk countries, partners and programmes.

Introduction

This review examines how well the Department for International Development (DFID) manages fiduciary risk in its most challenging operating environments. The UK government has committed to spending half of DFID’s budget in fragile states and regions.[6] Many of these are affected by conflict and insecurity. Such environments pose significant challenges to the effective delivery and oversight of humanitarian and development aid, yet are often where needs are greatest.

Where access is limited by insecurity and state institutions are ineffective or unreliable, DFID has fewer options for delivering and monitoring its programmes, leading to increased reliance on third parties. This can heighten the risk of fraud, corruption and misuse of funds, while making accountability harder to ensure. DFID’s effectiveness and value for money in these environments is linked to its ability to understand and manage these risks.

In this review, we assess how DFID manages fiduciary risk in conflict-affected states.[7] Fiduciary risk is just one of a number of risks that DFID faces. The other categories of risk used by DFID are: context (changes in the operating environment), delivery (factors affecting the delivery chain), safeguarding (the risk of doing inadvertent harm), operational (relating to DFID’s own management capacity), and reputational.[8]


In light of DFID’s level of expenditure in such challenging environments (more than £5.5 billion in 2015-16), this performance review explores how DFID manages fiduciary risk at the corporate, country and programme levels. This includes how it balances fiduciary risks against the potential benefits of its assistance. It explores what it means for DFID to have ‘a high risk appetite’ in pursuit of its objectives, and how this fits with DFID’s approach to ‘zero tolerance to fraud and corruption’.[9] These issues are examined within the context of the evolution of DFID’s overall approach to risk management in recent years, to assess the extent to which lessons have been learned and applied.

Our review questions cover the main processes involved in fiduciary risk management – namely, how risk is identified, assessed, mitigated and monitored through the programme management cycle, including through complex delivery chains. We look at how DFID decides which risks are acceptable in different contexts. Finally, we explore how well DFID is learning to manage fiduciary risk in conflict-affected environments.

Review criteria and review questions:

1. Effectiveness: How effectively does DFID identify and assess fiduciary risk in conflict-affected environments at country portfolio, individual project delivery and partner levels?

2. Efficiency: How efficiently does DFID mitigate risk in its programme designs and choice of delivery channels?

3. Effectiveness: How effectively does DFID monitor residual risk through the programme life-cycle?

4. Effectiveness: To what extent does DFID make clear and defensible choices as to what types and levels of fiduciary risk to tolerate in its programming?

5. Learning: How effectively is DFID capturing and applying learning in the development of its systems and processes for fiduciary risk management in conflict-affected environments?

Methodology

Our methodology for this review had three main components:

i. Systems review: a review of DFID’s risk management systems, processes and tools at the corporate level, together with a literature review on risk in conflict-affected environments and good practices in fiduciary risk management.

ii. Country strategy reviews: a high-level review of how fiduciary risk management is incorporated into DFID country strategies across a sample of ten conflict-affected countries and regions.

iii. Country case studies: five detailed case studies of fiduciary risk management at the country level, looking at the effectiveness of DFID’s management of fiduciary risk in practice.

We focused on conflict-affected countries where DFID’s physical access to implementation sites is severely constrained, as this is where DFID is most reliant on others to deliver and monitor its programmes. This is a subset of fragile states.

The five countries selected as country case studies were the Democratic Republic of Congo (DRC), Somalia, South Sudan, Syria and Yemen. These were chosen to ensure the review covered different types of conflict, insecurity and accessibility challenges (see Figure 1). We undertook field visits to DRC and Somalia, where we interviewed DFID staff and implementing partners and examined a sample of individual programmes. The remaining case studies were conducted from the UK. Our country strategy reviews covered these five countries, together with Afghanistan, Libya, Nigeria, Pakistan and Sudan. For the countries that we did not visit, we conducted interviews in the UK and by telephone with DFID personnel and implementing partners.

Our methodology was designed to explore the effectiveness of DFID’s fiduciary risk management approach, rather than to detect actual instances of fraud and corruption. We did not set out to audit DFID’s programmes or look specifically for misappropriation or diversion of funds. We did not have access to information on individual fraud and corruption cases.

More details of our methodology are included in Annex 2. The full methodology is available in our Approach Paper.[10]

 

Figure 1: DFID’s fragile state list and our country case study selection


South Sudan – 2015/16 expenditure: £172 million

South Sudan

Situated in a region suffering long-term insecurity, South Sudan became an independent country in 2011 but with new internal conflict breaking out in 2013. DFID has relatively free access to many implementation areas – although this varies significantly by geographic area and over time.

Priorities:

  • Humanitarian response and strengthening resilience
  • Basic services in health and education
  • Focused work on governance where we can support reconciliation and peacebuilding
  • Underpin all programmes with a strong focus on conflict sensitivity.

DRC – 2015/16 expenditure: £134 million

DRC

Another longer-term conflict environment with severe access restrictions but where we could access programmes in conflict-affected and other remote areas.

Priorities:

  • Support the establishment of peace and stability and ensure humanitarian needs are met
  • Invest in infrastructure and basic service provision, while promoting better governance
  • Support sound economic management.

Somalia – 2015/16 expenditure: £130 million

Somalia

A protracted conflict environment. DFID’s operations are managed primarily from Nairobi with severely limited access to the field although DFID maintains a permanent presence at the British Embassy in Mogadishu.

Priorities:

  • Investing in strengthening political settlements, accountable
    governance, security and local reconciliation
  • Addressing immediate social development needs among the most vulnerable populations
  • Expanding work on growth and growth transmission.

 

 


Syria – 2015/16 expenditure: £208 million

Syria

A more recent conflict and highly challenging environment where access in country by DFID staff is not feasible and where DFID’s operations are primarily managed from London.

Priorities:

  • Meet the needs of the most vulnerable groups
  • Build resilience at all levels
  • Strengthen the moderate opposition’s capacity to provide governance and services
  • Improve the effectiveness of the overall international community’s response to the crisis.

 

Yemen – 2015/16 expenditure: £90 million

Yemen

Suffering a recent deterioration resulting in a withdrawal of DFID staff so that DFID’s operations are primarily managed from London.

Priorities:

  • Respond to and manage conflict by addressing immediate and underlying humanitarian needs, building resilience, and delivering basic services
  • Tackle the drivers of instability by supporting the political transition and
    political reform
  • Support economic reform.

 

 

Background

What is risk management?

HM Treasury provides guidance on risk management, including fiduciary risk, in government. It defines risk management as “all the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress”.[11]


Based on this guidance, effective fiduciary risk management must include the following components:

i. Identification of risk: finding and describing the risks related to using third parties that could affect the achievement of objectives.

ii. Assessment of risk: evaluating the significance of the fiduciary risks identified by considering what their likelihood and/or impact might be.

iii. Mitigation of risk: taking steps to reduce the likelihood and/or impact of the risk.

iv. Monitoring of risk: keeping track of risks to identify changes in their impact and/or likelihood, and to identify any new risks.

v. Risk-aware decision-making: considering fiduciary risks in relation to the potential development benefits/returns and pre-determined risk appetite and using this to inform decision-making.

For DFID’s fiduciary risk management to be effective, processes to identify, assess, mitigate and monitor risks must take into account the varied contexts in which DFID operates, and the variety of implementing partners through which it operates. Furthermore, it requires an organisational culture that supports risk-aware decision-making at every level, in line with a clear risk strategy and risk policies.

Table 2: Risk management terminology


Effective risk management is essential to achieving UK aid objectives

Under its Aid Strategy, the UK government has set tackling instability, insecurity and conflict as one of the main strategic objectives of UK aid.[13] In November 2015, the UK government announced that 50% of DFID’s budget would be spent in fragile states and regions in every year of the current parliament.[14] This means that more than £5.5 billion was budgeted for fragile states and regions in 2015-16.[15]

Working in such environments inevitably entails heightened fiduciary risk. This includes fraud and theft, looting and aid diversion, protection rackets and informal taxation. These are not just risks to DFID funds, but can also deny aid to intended beneficiaries. The literature also highlights the potential for diversion of aid to prolong or exacerbate conflict by supplying or enriching the combatants.[16] To achieve its objectives, DFID needs to manage these risks effectively.

Risk management entails trade-offs among competing risks, including missed opportunities to help people with urgent needs or to achieve longer-term stabilisation and development outcomes.[17] An excessively risk-averse stance would not be consistent with the UK’s strategic objectives. Our review therefore looks not just at how DFID prevents diversion of funds, but how it balances fiduciary risk against the need to maximise results and value for money.

DFID has a flexible, decentralised risk management system

There are three notable features to DFID’s system for managing risk, which includes fiduciary risk. First, for DFID, working in fragile and conflict-affected environments is the ‘new normal’. With 50% of its expenditure in fragile states, DFID aims to ensure that its entire risk management system is robust enough to manage risk in any context, however challenging.

Second, compared to most major donors, DFID has a highly decentralised system for managing risk.[18] For most DFID bilateral aid, fiduciary risk management (as an aspect of programme management) is delegated to country offices, supported by corporate structures, oversight and assurance functions (see Figure 2). Heads of country offices are responsible for managing fiduciary risk across their portfolios, while the responsibility for individual programmes rests with senior responsible owners, supported by programme management staff.

Third, DFID has recently moved from a rules-based to a principles-based programme management system. Individuals with delegated authority are given the autonomy to make management decisions in a flexible manner, but subject to a set of overarching principles. These are set out in DFID’s Smart Rules, which were introduced in July 2014 and are updated regularly.[19] The introduction of the senior responsible owner role was a key part of this change. These officials are empowered to make programme-level decisions and held accountable for those decisions. DFID’s Smart Rules include 37 mandatory rules and a range of non-mandatory guidance on how they should be implemented. See Box 3 for examples relating to fiduciary risk management.

In principle, such a devolved approach to fiduciary risk management means that DFID is able to make context-specific decisions. In conflict-affected environments, where the risks and challenges are diverse and can change rapidly, this can be an advantage.[20]

[Figure 2]

DFID is in the process of redesigning its overall risk management framework

DFID has acknowledged weaknesses in its approach to risk management and is currently introducing wide-ranging reforms.

During 2013 and 2014, a number of fiduciary risk issues came to light. These included accountability concerns raised by ICAI and DFID’s internal audit department about the Trademark Southern Africa programme and suspected fraud within a Tanzanian voucher scheme. Both programmes were terminated.[21] Later in 2014, internal audit assessed DFID’s overall risk management framework (for all types of risk) using a risk management assessment tool for government departments published by the Treasury in 2009.[22] It found that much of DFID’s risk management was informal and undocumented and that, although country offices were handling difficult and challenging risk management contexts with significant success, DFID’s overall risk management framework was inadequate to ensure risks were properly managed.[23]

Following internal audit’s review, DFID has gone through an extensive period of developing a new risk management framework. The framework was introduced into DFID’s Smart Rules in April 2016[24] and the new risk management system is gradually being introduced through additional guidance, structures, staff training and measures designed to change the organisational culture. In this review, we address these reforms in so far as they have begun to impact on current practice, and we look at the reform process as a whole under our review question on learning.

Risk identification and assessment

We rated the effectiveness of DFID’s identification and assessment of fiduciary risks in conflict-affected states as Green-Amber: satisfactory in most areas but with improvements required in others.

Fiduciary risk assessment is built into programme design and implementation

For individual programmes, senior responsible owners are responsible for ensuring that fiduciary risks are identified and assessed during the design phase and summarised in the business case. The risk assessment is updated over the life of the programme, primarily through annual reviews. Both documents have well-established formats. We saw evidence of sign-off by heads of office and ministerial approval for higher-value and higher-risk programmes, as required by DFID’s Smart Rules.

All of the business cases that we reviewed across our five case study countries included consideration of fiduciary risk as part of the ‘financial case’, in line with DFID guidance. We compared the fiduciary risks that were identified with DFID’s analysis of the country context and issues identified in our literature reviews for each country. The risk assessments were consistent with these sources and demonstrated a good degree of country-specific knowledge. For example, DFID’s humanitarian programmes in each of our case study countries considered the merits of providing beneficiaries with cash or vouchers that can be exchanged for food and other humanitarian supplies. The business cases were explicit about the risk that the cash or vouchers might be diverted or stolen and included a range of measures to mitigate this risk, such as those in Box 4.

In addition, when implementing partners submit proposals, they are asked to identify fiduciary risks and propose mitigating strategies. In our sample, examples included risks relating to restricted access and to the capacity of downstream partners. In this way, DFID also draws on the expertise and experience of its suppliers.

Fraud and corruption risks receive a high level of attention in business cases in line with DFID’s Smart Rules and fraud and corruption guidance. Business cases include an assessment of the lead partner’s capacity to manage risks. Our country visits confirmed close attention by DFID staff to a range of risks under DFID’s direct responsibility. We did find, however, that more indirect risks, such as those affecting partners down the delivery chain, received less attention in business cases. While DFID usually has good quality contextual analysis to inform its programme design, it was less clear that such analysis was being used systematically to deepen its identification and assessment of fiduciary risks down the delivery chain.

Throughout business case development, the usual practice in DFID country offices is to hold ‘challenge meetings’. Team members have the opportunity to challenge the value for money case and risk assessment. This process was taking place in all our case study countries, and teams told us that it is useful for identifying risks. However, we were told that it was rare for challenge meetings to involve finance staff who could help to identify fiduciary risks and weaknesses at an early stage. An exception was DFID Afghanistan, which had recently begun to involve finance staff in programme design, to ensure that fiduciary risks are identified, assessed and addressed earlier and more efficiently (see Box 5).

Due diligence assessments are important tools for identifying fiduciary risks

Before any funding can be provided, due diligence checks must be undertaken on the lead partner (although there are exceptions for humanitarian emergencies, outlined in Box 7). Due diligence assessments are used for grant recipients, and fiduciary risk assessments for direct funding of government bodies. A separate process is used for contractors. The head of office or delegate is responsible for ensuring that due diligence and fiduciary risk assessments are undertaken. Contractor due diligence is undertaken by DFID’s Procurement Group, using information provided by the contractor during the bidding and contracting processes. In practice, this means that programme staff are less engaged in the due diligence of contractors. Several commented that this gives them less understanding of contractors’ strengths and weaknesses.

Fiduciary risk assessments of government systems are mandatory before direct funding can be provided. In our sample, only DFID Pakistan funds directly through the host government,[25] while several other countries contributed to World Bank-administered trust funds that supported government functions and salaries. As compared to general budget support, which DFID is phasing out,[26] funding governments in fragile contexts for specific interventions or via multilateral trust funds enables donors to impose additional fiduciary controls. In all cases, fiduciary risk assessments had been carried out in accordance with DFID rules and guidance.

DFID provides funding through multilateral partners, such as the World Bank or UN agencies, in two ways: centrally, known as ‘multilateral aid’; and for specific bilateral programmes, known as ‘multi-bi programmes’. DFID conducts Central Assurance Assessments at head office level, to assess whether each multilateral partner has appropriate policies, systems and controls to manage funds. This assessment informs country level due diligence assessments and is also used when staff provide core funding. Country offices, however, must consider whether additional, country-level due diligence is required. We discuss this in more detail later in this report.

DFID staff have a good understanding of fiduciary risk issues

DFID’s devolved risk management systems depend heavily on the judgment of individuals. We interviewed over 20 senior responsible owners and more than 20 programme management staff across our five case study countries, as well as heads of office, support staff and junior team members. This allowed us to assess how well they could articulate the fiduciary risks in each country context. Staff displayed a hands-on knowledge of fiduciary risks and risk management processes, alongside an awareness of their obligation under DFID’s Smart Rules to make evidence-based decisions.

During our visits to DRC and Somalia, senior responsible owners reported that they felt empowered to make programming decisions and were appropriately supported by their country office heads. An area of common concern, however, related to the due diligence of multilateral partners, which is discussed later.

The level of experience with fiduciary risk issues, though, varies significantly across DFID staff. There is no formal process for allocating senior responsible owners with relevant experience to the highest risk contexts or programmes. Several country offices told us they do this informally, but we were unable to confirm this with documentary evidence. DFID is considering whether to introduce additional management requirements for its largest and riskiest programmes.

Induction training for senior responsible owners includes a half-day session on risk management. Since our field work, DFID has piloted a more in-depth, two-day risk management training course as part of the process of embedding its new risk management framework across the department.

While key fiduciary risks are identified at country portfolio level, the categorisation of risk is not consistent

Heads of office are responsible for identifying and assessing risk at country portfolio level. Each of the ten country offices in our sample uses risk registers as their main tool for documenting this. These registers address a range of risks to country-level objectives (including delivery and operational risks), although the way that risks are categorised (eg as fiduciary, reputational) was not standardised. In the examples we examined, the risk registers covered fiduciary risks, with a particular focus on fraud and corruption and diversion of aid. All had been recently updated.

Country offices use a range of information sources to identify risks. This includes their team members’ knowledge and experience of the local context, evidence from current and past programmes and discussion with implementing partners, other donors and UK Foreign and Commonwealth Office (FCO) staff. Each country office had its own method for identifying and collating these risks.

In most cases, we found that country risk registers were not clearly linked to risk management at programme level, making it difficult to trace how risks identified at the programme level influence risk identification at the country level. Only DFID Nigeria and, more recently, the Syria Crisis Unit, had a documented process for identifying which risks in programme risk registers should be escalated to the country level. In other cases, we were told that the decision to escalate was left to individual judgment.

There is no common system for rating fiduciary risk

At the time of our fieldwork, there was no detailed central guidance or standardised methodology about how to rate fiduciary or other risk categories. Each country had therefore developed its own approach. Table 3 shows examples of the variation in risk categorisation approaches from our analysis. Although diverse, each method considered both the likelihood of the risk occurring and its impact.

While the methods used by each country were reasonable for the context, without a standardised rating system the results are not easily comparable between countries. This means that, for managers at the regional and corporate levels, it is difficult to compare risk levels or assess whether risk-based decision-making aligns with departmental objectives. This was most evident in the case of Syria, discussed later in the report.

Table 3: Methods of rating risks across our case studies

In April 2016, DFID updated its Smart Rules with clearer guidance on assessing risks which, although not mandatory, aims to improve the consistency of risk assessments. This promotes the approach used by internal audit and the Treasury (which was already used in several country offices). In addition, the guidance changed the risk categories used by DFID and updated the description of fiduciary risk (see Box 6).

Inconsistencies in fiduciary risk identification and assessment were most notable for Syria

The UK’s response to the Syrian war has been DFID’s largest ever humanitarian response. Since 2012, the UK has committed £2.3 billion to the crisis, of which around £1.1 billion was spent by April 2016 on humanitarian aid. Around half is allocated for programmes inside Syria.[30] DFID staff cannot travel to Syria due to the security conditions and the absence of diplomatic ties. In the absence of a Syrian country office, the response was managed from a Syria Crisis Unit, created in the Middle East and North Africa Department in London with some presence in the region. Many of DFID’s programmes are run from the neighbouring countries of Turkey, Lebanon and Jordan.

Despite the high risk of fraud and aid diversion in a situation of live conflict, we found that, out of our nine sample countries, Syria was the only one to rate this risk as ‘possible’ in its risk register. Other countries in our sample rated it as ‘likely’ or ‘certain’. Furthermore, in the three due diligence assessments we examined for Syria programmes, fiduciary risk issues were rated as ‘medium’, while the evidence presented in the body of the reports was more consistent with ‘high’ priority ratings.

A 2015 internal audit report noted that the Syria Crisis Unit lacked sufficient information about its key implementing partners and analysis of the principal fraud risks. We are informed that DFID has updated its risk register to increase the likelihood rating for fraud and diversion, although we have not seen the updated version.

While DFID has longstanding mechanisms for deploying humanitarian specialists to respond to emergencies, the same does not apply for programme management staff. According to DFID staff involved and internal assessments, the Syria response was under-resourced and lacked experienced programme managers, especially during the scale-up phase. Following successive decisions to scale-up the response, increases in the administrative resources assigned to the Unit followed with a time lag, leading to persistent deficits in staffing. This also led to excessive reliance on junior staff, including new staff from the graduate entry scheme, to manage challenging programmes in a high-risk and volatile context. DFID has subsequently increased the number of programme managers with risk management experience in the Syria Crisis Unit and is developing new risk management procedures for its next round of grants. It is too early to assess whether this is a sufficient response.

DFID identified a similar lack of early programme management experience in its response to the West African Ebola epidemic.[31] A recent National Audit Office report on DFID’s response to crises also raised concerns about how DFID assesses the skills required when scaling up its response.[32] These cases raise questions about DFID’s capacity to ensure adequate levels of fiduciary risk management expertise when scaling up rapidly and, as was the case in Syria, during the transition from emergency response into protracted crisis.

It is notable that our other four case study countries each had an established country presence with experienced programme-management staff and strong local knowledge and relationships. Even DFID Yemen, which is managed from the UK for security reasons, had the benefit of a historic presence in Yemen. DFID Yemen staff reported to us that the Syria experience influenced their decision to retain Yemeni staff outside of the country to advise on the portfolio, so as not to lose continuity and contextual understanding. DFID’s Conflict, Humanitarian and Security Department (CHASE) told us that they were looking at ways to ensure enough staff with experience in fiduciary risk management were available to support emergency responses.

The quality of DFID’s due diligence assessments is variable

DFID has conducted due diligence assessments in certain circumstances for many years, but they only became compulsory for all grant funding in 2013. DFID published guidance on due diligence in 2013 and published it externally in October 2014 following the Smart Rules rollout.[33] The assessments should cover four main areas, all of which are critical to fiduciary risk management: (i) governance and internal control, (ii) ability to deliver, (iii) financial stability, and (iv) downstream activity.

Due diligence guidance is broad, giving senior responsible owners discretion to decide on the scope and depth of the assessment. While we found some shortcomings with DFID’s due diligence practice, the assessments are useful for identifying partner-level risks. Across our sample, where high-priority risks were identified during the due diligence process, this resulted in conditions being imposed on grants and monitored over the life of the programme.

In practice, we found that the quality of assessments across our sample varied significantly. Of 11 assessments that we reviewed in detail across our five case study countries, only one clearly cross-referenced the questions in the guidance, making it difficult to see whether the other assessments had covered the right areas. The assessments are often undertaken by relatively junior programme staff. Given this, we would expect the guidance and templates to be more prescriptive. DFID has recognised the need to update its due diligence framework and guidance, to ensure greater consistency. This was due to be published in April 2016, but was delayed until July 2016. It was not available for review during our work.

The quality of the due diligence assessments in our sample corresponded with the seniority or level of experience of the staff who had conducted them. In some cases, country offices had introduced additional quality-control measures. For example, in DRC, each due diligence assessment was prepared by two people – a deputy programme manager and either a risk manager or governance advisor. It was then signed off by the head of office following discussion of the findings. In Somalia, the assessments were prepared by programme managers and signed off by the head of office, leading to more consistent and robust practice. In Syria, where we had concerns about quality, assessments were conducted by more junior staff (deputy programme managers), and signed off by a senior responsible owner. In our other case study countries, the practice was inconsistent, with quality depending on the seniority of the staff involved.

DFID’s due diligence guidance advises staff to review prior due diligence assessments for each partner before conducting a new assessment, so as to minimise duplication of effort and the burden on partners. If the prior due diligence was for a similar intervention and is less than three years old, the senior responsible owner is entitled to rely on this and not conduct a new assessment. However, given the volatile context and rapid turnover of personnel among partners in conflict-affected environments, relying on due diligence assessments for as long as three years could result in risks being missed or reliance on outdated material.

DFID has variable oversight of fiduciary risk issues down its delivery chain

For large programmes in conflict-affected environments, DFID’s lead partners often work through local organisations to deliver activities. In insecure environments, local NGOs or companies may be able to work in areas that expatriate staff cannot access. The delivery chain can at times become complex, geographically dispersed and involve several layers of subcontracting.

While DFID only conducts due diligence of the lead partner, its grant conditions require the lead partner or a third party to conduct due diligence of sub-grantees. Although DFID has a right to access these due diligence assessments, DFID staff informed us that this is usually only exercised if an issue is identified. We only identified one instance across our case studies where this was done. DFID also lacks processes for ensuring the quality or consistency of due diligence at the sub-grantee level. As a result, DFID may have limited knowledge of fiduciary risks further down the delivery chain. This concern was also highlighted by an internal audit of DFID/CHASE in 2015, which found that fraud risks in portfolio risk matrices focused on the lead partner and that downstream risks were not well understood.[34]

In Somalia, DFID did require lead partners on some of its programmes to provide copies of their due diligence assessments. This is a useful practice that, if replicated at each level, has the potential to drive improvements in due diligence and associated controls down the delivery chain. While it would be onerous for DFID to review the due diligence assessments of all sub-grantees, periodic reviews would provide both additional accountability and a useful source of information for DFID about its delivery partners.

Information on past performance is not used effectively in DFID’s risk identification processes

Due diligence assessments do not systematically take account of the past performance of the partner. There is a significant amount of performance information available across DFID, particularly in annual reviews, which is not systematically used to identify risks. DFID staff informed us that, in practice, it is difficult to find such information on DFID’s document management system. In conflict-affected environments, this means that DFID is not making use of available information about how well implementers have managed fiduciary risks in similar environments, to help identify risks.

There is also limited sharing of fiduciary risk information between donors except where funds are formally pooled. In conflict-affected environments, it is common to find many donors separately funding programmes through the same group of implementers. Each conducts its own form of due diligence assessment, which is inefficient and burdensome to partners. Where risks are identified, they are not regularly shared with other donors (although informal networks may be used to communicate major issues). At the World Humanitarian Summit in May 2016, UN agencies and donors, including DFID, committed to simplifying and harmonising donor reporting requirements. This also increased multilateral transparency, as part of a suite of initiatives to improve the effectiveness and efficiency of humanitarian aid.[35] A more harmonised approach across donors could result in stronger due diligence and monitoring while reducing the burden on partners.

Risk mitigation

We rated DFID’s mitigation of fiduciary risks in conflict-affected states as Green-Amber: satisfactory in most areas but with improvements required in others.

Risk mitigation is incorporated into programme design and implementation

Having identified and assessed risks at the country portfolio level and in individual programmes, each country office develops its own strategies for mitigating those risks. Following an earlier ICAI recommendation, each country also has an anti-corruption and counter-fraud strategy.[36] These documents guide the design of individual programmes, which should include measures to mitigate identified risks. These measures should in turn follow through into programme delivery plans, which set out in detail how fiduciary risks will be managed. These are updated over the life of the programme.

We reviewed 27 individual programmes across our five case-study countries, comparing documentation to DFID’s rules and guidance and our understanding of the country context based on DFID documentation and country-specific literature reviews. We found that fiduciary risks identified in business cases we reviewed were consistently addressed in programme design, and that recommendations from due diligence assessments and annual reviews, alongside any internal audit recommendations, were taken forward in delivery plans. Our interviews with country office staff in our five case study countries suggest good levels of interaction between heads of office, senior responsible owners and programme managers: each level was aware of risks relevant to them and there was active discussion of risks and mitigation strategies.

A wide range of mitigating actions are used to address fiduciary risk across countries

We found varied examples of appropriate and proportionate action to mitigate risk in the large majority of programmes across our case study countries (see Box 8). Staff were able to explain the rationale for their choice of mitigating action, even if these were not always clearly documented. Conversely, we found that poor fiduciary risk mitigation was rare (see Box 9 for an example from DRC).

In our interviews with senior responsible owners and programme managers, they were able to explain the residual risks in each programme and how these were mitigated. This suggests an improvement in understanding since internal audit’s December 2014 review,[37] although our findings are limited to fiduciary risk, rather than risk management as a whole. We saw evidence of mitigating actions being followed through, such as funds being withheld if grant conditions were not met or if evidence of expenditure was not provided within agreed timelines. From our interviews, we found that these measures were primarily targeted at the lead partner, who was then held responsible for enforcing them down the delivery chain.

We also saw examples of DFID using its programmes to address some of the broader risks involved in operating in conflict-affected states. In Yemen for example, the country is heavily reliant on commercial imports for food, medicine and fuel. However, imports are restricted by measures designed to control the flow of arms. DFID is currently funding a programme that facilitates the passage of essential supplies through the country’s ports, while preserving arms control measures.

DFID also shared examples with us of working across government (primarily with the FCO) to mitigate fiduciary risks. We observed cases where the UK government engaged with national governments on challenges such as improper taxes and allegations of harassment of implementing partners by local authorities. Cross-government collaboration was most evident where the UK had stronger working relationships with the host government (such as in DRC and Somalia). DFID’s country-level fraud and anti-corruption strategies also include plans for working with other departments on fraud and corruption. In Nigeria, for example, the strategy includes working with the FCO and UK Trade and Investment to engage with UK firms to identify and address the fraud and corruption challenges they face.

DFID has a largely reactive approach to the wider fiduciary risks faced by its implementers

Corruption is endemic in conflict-affected environments and has to be carefully managed by DFID programmes.[38] Evidence from our case study countries confirms that DFID has strong measures in place to mitigate the risk of fraud and corruption that directly affects UK funds. Beyond its sphere of direct responsibility, however, DFID’s engagement with fiduciary risks faced by its implementers is more limited, and tends to be reactive rather than strategic.

The challenges faced by DFID’s partners in conflict-affected environments are varied and can change rapidly. These can include requests for improper fees and taxes, facilitation payments and extortion at illegal checkpoints, which might be absorbed by implementing partners as operating costs rather than reported to DFID as losses. They may also be invisible to the lead implementer if they are borne by local contractors (eg extortion of drivers bringing goods across borders) or sub-grantees. The financial scale of these types of indirect costs/losses remains unknown, yet such losses could ultimately impact on the value for money of UK aid in high-risk environments.

We encountered a few instances where DFID was working with its implementers to address indirect losses. In DRC, for example, DFID partners are frequently targeted by national and provincial authorities and their agents and pressured to pay illegitimate taxes and charges. An international NGO forum in DRC worked together to collect information on this problem and then requested donors, including the UK, to take the issue up with government at a senior level (DFID supported this initiative, although the issue remains unresolved). We also learned of examples in several countries where DFID supported NGO networks and forums to provide a safe space to discuss these sensitive issues and how to manage them. However, in our case study countries, DFID was not systematically collecting and analysing information on the risks faced by its implementers and making informed decisions as to where to target its mitigation efforts. We saw only limited evidence of cooperation between donors in this area.

While these are positive examples of risk mitigation, our interviews with partners and DFID staff suggested that some implementing partners are still reluctant to report such losses or to discuss these kinds of risk with DFID. They fear that doing so might lead to suspension of funding or additional administrative burdens, or affect their reputations. During our visits to Somalia and DRC, partners told us that DFID had made a significant effort to reassure them that early reporting of such issues was encouraged. DFID staff also informed us that most implementing partners were becoming more willing to share their experiences, although some remained reluctant, particularly further down the delivery chain. Both DFID and its partners noted the importance of funding agreements and implementation practices creating positive incentives for sharing of information.

Larger programmes in conflict-affected states lead to greater reliance on large implementers

In recent years, the size of DFID’s largest programmes in fragile states has increased steadily. This has resulted in increasing reliance on multilateral partners or large NGOs and contractors, who in turn manage multiple local partners. This has the effect of transferring a large share of the responsibility for fiduciary risk management to the implementer. However, it also reduces the level of direct interaction between DFID and local civil society organisations and businesses.

A 2013 study on localising aid recommended that donors provide more aid through local suppliers. It concluded that localising aid was no more risky than using international implementing partners, and can often deliver equal or greater development returns.[39] However, DFID informed us that it does not always have the capacity to work directly with multiple small partners in all the countries it operates in. This can result in less visibility of the implementation risks and challenges facing partners down the delivery chain. The trend towards larger projects may also create strong incumbency advantages for large implementers able to absorb the risks transferred by DFID. This could have the effect of narrowing the pool of potential suppliers, reducing value for money and hiding fiduciary risks within extended delivery chains.

DFID funding agreements set out the legal requirements of implementers

DFID’s funding agreements with implementing partners are tailored to different delivery channels and include compliance with the UK Bribery Act 2010 and the Terrorism Act 2006.[40] They contain additional obligations around financial accountability and the reporting of fraud and corruption. They specify the payment modalities, which are adjusted to the level of fiduciary risk and the financial status of the organisation. Across our sample, payment in arrears against proof of delivery was the preferred modality.

Staff in our case study countries told us that they rarely have to revert to legal measures and that active and ongoing dialogue and engagement with partners was the most practical way of mitigating risks. In the two countries we visited, Somalia and DRC, DFID’s relationships with partners seemed to be based on open discussion of fiduciary issues, combined with clear expectations around early reporting of problems. Partners told us that they considered DFID to be among the most engaged of donors in this regard, noting that some other bilateral donors prefer their partners to deal with smaller fraud and corruption cases in-house before reporting them.

But there is still a lack of clarity around when risk is transferred to implementers

We found that DFID staff and partners lacked a consistent understanding of when and to what extent the responsibility for risk is transferred from DFID to others. This uncertainty manifested itself in several ways.

In interviews with DFID programme staff, we identified uncertainty about when and how risks were transferred down the delivery chain in four of the five case study countries. In one country office, senior staff expressed the view that the way in which DFID’s new risk management framework and terminology was being introduced had contributed to this confusion. Although the partners we interviewed in our case study countries were aware that DFID was not obliged to reimburse them for funds used improperly, three major DFID partners said that it was less clear in practice. They highlighted inconsistencies in how DFID treats certain losses.

For example, where goods were accidentally lost or damaged, or misappropriated by combatants in conflict zones, it usually led to a negotiation between DFID and the partner to determine how the loss would be allocated. In some instances, partners told us that they were expected to absorb losses for which they believed they were not contractually liable, such as losses incurred by downstream partners where appropriate due diligence and management procedures had been in place.[41]

We noted a lack of understanding among DFID staff of the full implications of transferring risk to fiduciaries. For example, transferring risk may have the effect of increasing costs. Contractors may charge higher fees to take on additional risk (as we confirmed in interviews with several contractors). Alternatively, partners may insure against the risks (such as theft of assets) and pass on the insurance costs in the form of increased administrative overheads (observed in one of our sample programmes, although use of insurance remains relatively limited).

We cannot judge how widespread these problems are, due to the lack of data on downstream losses. Uncertainties about risk transfer, its costs and visibility down the supply chain were identified by internal audit in 2014. These challenges have been discussed in recent meetings of DFID’s audit and risk committee. The issue was also raised in a National Audit Office report and a subsequent Public Accounts Committee report on DFID’s response to crises.[42] In 2015, DFID began piloting a new method of mapping risks in its delivery chains, with a view to developing new guidance on what risks can and cannot be transferred, together with the associated costs. This work is ongoing. In the meantime, the current lack of clarity remains a concern.

Processes for escalating fiduciary risk issues are unclear and rely on individual judgement

DFID is still in the process of developing a system for escalating risks from programmes and country offices to division and corporate level, in order to link bottom-up risk management practices with the top-down management of strategic risks. This has been identified as a priority in ongoing reforms.

At the corporate level, the executive management committee reviews a strategic risk register on a regular basis. Strategic risks are those that threaten the achievement of DFID’s strategic objectives. The register does not use the same risk classifications as DFID’s Smart Rules, but it does include relevant fiduciary-related risks, including major fraud and the capture of resources by terrorists. The register is updated monthly by the better delivery department, in consultation with director generals.

The escalation process is currently based on monthly discussions between country and division and division and corporate levels. DFID is considering a more systematised process to enable it to trace risks both upwards and downwards across the four management levels – corporate, business unit, country office/spending team and programme. However, this is not currently possible, due to the different terminology and classifications used at different levels and the absence of formal processes for collating risks. This raises concerns about DFID’s ability to ensure corporate-level oversight of fiduciary risk.

Monitoring of fiduciary risk

We rated the efficiency of DFID’s monitoring of fiduciary risks in conflict-affected states as Amber-Red as, despite some good practices, substantial improvements are required.

DFID has introduced some innovative remote monitoring practices, but fiduciary risk is not systematically monitored

It is good risk management practice to monitor identified risks during the delivery of programmes, to assess whether mitigating actions are effective and to identify any changes in the likelihood of the risk or the severity of its consequences.

In recent years, DFID has strengthened its programme monitoring systems in conflict-affected environments through the use of remote monitoring and other innovative practices. However, its monitoring has been focused on holding implementers to account for their progress and tracking emerging results. These practices are not sufficiently monitoring the full range of fiduciary risks, although they could readily do so. This is a key gap in contexts where DFID’s own access is constrained.

In programmes where DFID is able to conduct field visits, it meets with downstream implementing partners, community leaders, intended beneficiaries and other stakeholders, to gain a holistic view of programme implementation. These field visits can provide valuable information on fiduciary risk – for example, feedback from beneficiaries on the quantity, quality or price of goods.

However, in conflict-affected environments, field visits to implementation areas are often highly restricted, increasing DFID’s exposure to fiduciary risk. Among our case study countries, DFID staff were unable to access implementation sites in Syria, Yemen and much of Somalia. With sufficient planning and support from security forces, staff were able to visit field locations in DRC, South Sudan and parts of Somalia. However, security and logistical requirements make such visits costly and time consuming. In contrast, DFID Nigeria told us that it does not fund implementation in areas too insecure to conduct monitoring visits or where other monitoring processes are not in place. A 2015 review of DFID’s remote management in Somalia and north-east Kenya identified specific risks due to limited access, which are summarised in Table 4.[43]

Table 4

In the face of access constraints, DFID often uses third-party monitoring agents who are specialised in operating in insecure environments (eg in Afghanistan, Yemen and Somalia). They work with local staff who have access where expatriates do not. The 2015 review found that third-party monitoring “has the potential to be a useful remote management tool”, but was not yet being used to its full potential.[44]

In most cases, third-party monitors are not tasked to assess the full range of fiduciary risks, even though they could readily do so. Third-party monitors could assess whether controls remained in place and whether mitigating actions were being followed through, cross-check other sources of fiduciary risk information and collect accounts of fraud and corruption.

To address acute fiduciary risks in specific programmes, DFID uses a range of additional monitoring techniques, such as vehicle trackers, bar codes on humanitarian supplies and satellite imaging. In Somalia, DFID also used call centres to follow up directly with beneficiaries to ensure they had received their full entitlement. In one health programme in DRC, DFID’s implementing partner installed internet access in remote health centres, to track medicine usage and identify possible fraud or theft. Some of these techniques are capable of generating real-time information on fiduciary risks. At present, they are only being used in a few contexts, but there is considerable potential to expand their use.

Choices over which fiduciary risks to monitor are not clearly documented or supported by evidence

DFID’s implementing partners are required to submit regular financial reports (eg quarterly) and to undergo periodic audits. These provide a level of assurance that funds have been spent and accounted for, and can be used to monitor compliance with grant conditions or other areas of concern to DFID. However, they are usually produced with a significant time lag and are largely dependent on information provided by the implementer. They need to be accompanied by timely monitoring of key fiduciary risks to enable DFID to respond to changes and new risks in a timely way.

Country offices and centrally managed programmes determine the scope and focus of programme audits and select their own auditors. While this allows flexibility in addressing challenges in different operating contexts, it results in a wide variety of audit firms and approaches being used across DFID, giving limited ability to build up a cumulative picture of fiduciary risk performance. Other donors follow a more centralised approach. The EU Humanitarian Aid and Civil Protection (ECHO), for example, manages all its grant audits from the centre, using dedicated teams from two audit firms, accompanied on occasion by a core group of ECHO staff. The findings feed into ongoing monitoring of the strengths and weaknesses of different partners and programmes and help to inform future audits and mitigation measures. DFID’s more decentralised approach allows for greater flexibility at the expense of consistency and opportunities for learning.

According to DFID guidance, programme delivery plans should specify how different risks are monitored. The main tool for monitoring risk across all programmes is the annual review, which should follow up on risks and update risk registers and delivery plans as required. In our sample, we found that annual reviews focused primarily on programme and delivery risks and did not systematically address fiduciary risk and partner capacity in the same way. Programme documentation does not specify what types of risk should be monitored, or require a justification for the choice of monitoring arrangements.

There are specific challenges involved in monitoring fiduciary risk in country-level programmes implemented by multilateral partners

Monitoring of multilateral implementing partners was cited as a key concern by a substantial majority of programme staff in four out of five of our case study countries. Staff consistently reported being unable to do as much due diligence or monitoring of multilateral partners or exercise as much oversight of their programmes as they considered necessary to actively manage fiduciary risks.

We were told by DFID and other donor staff that multilateral partners often try to resolve fraud and corruption cases internally, before reporting them. In DRC, for example, the United Nations Office for the Coordination of Humanitarian Affairs (OCHA) identified corruption in the Common Humanitarian Fund in 2008, but this was only reported to donors during an advisory board meeting in 2013 when the OCHA humanitarian coordinator had decided to write off the losses.

This is a key concern in conflict-affected states, where multilateral partners are often the preferred delivery channels because of their access and because they enable donors to pool funds and share risk (see the proportion of funds to multilaterals in Figure 1). For example, when funding public-sector salaries in Afghanistan and Somalia, DFID prefers to work through the World Bank.

By international agreement, DFID is often restricted in its ability to monitor multilateral implementing partners at country level. Some multilaterals insist on a single central audit process, to avoid the burden of multiple audits by separate donors. It is acceptable under DFID’s Smart Rules to rely on an overall organisational audit, rather than a specific programme audit, providing the senior responsible owner determines that it gives sufficient assurance.[45] However, country-office staff expressed the view that some multilateral partners often use the one-audit principle to resist external monitoring. This is of particular concern in conflict-affected environments, where DFID is restricted in its ability to visit programme sites. Senior responsible owners in our case study countries reported that, while they are accountable for managing programme risks, they did not feel empowered to do so in respect of multilateral implementing partners.

In Sudan, for example, we were informed that the United Nations Environment Programme (UNEP) had resisted the use of provisions for early reporting of fraud in its memorandum of understanding with DFID as this was considered inconsistent with the central United Nations’ Office of International Oversight Services obligations for reporting and investigating allegations of fraud. In DRC, UNOPS delayed reporting issues in the Roads in the East programme and strongly resisted pressure for an independent programme audit, despite significant concerns raised by DFID (see Box 9). After much negotiation, DFID DRC informed us that UNOPS eventually agreed to an enhanced audit using an international team from its contracted auditor and to make the report available to DFID. Similar concerns about access to information on multilateral supply chains have been raised in previous reports by the Public Accounts Committee and ICAI.[46]

Across our sample, we encountered instances where DFID country offices had been able to negotiate risk mitigation and monitoring arrangements with specific multilateral partners. For example, in DRC, UNICEF provided DFID with excellent access and information on DFID-funded programmes, while in Somalia, UNOPS agreed to allow DFID to audit its programme. OCHA in DRC has also taken steps to improve transparency since the problems with the Common Humanitarian Fund. These examples suggest that greater flexibility is possible, but that this depends upon the willingness of particular managers in multilateral partners to cooperate and on DFID’s bargaining power. It means that multilateral partners are treated differently depending on what DFID country offices can negotiate, rather than on the basis of an objective risk assessment.

Decision-making and fiduciary risk appetite

We rated the effectiveness of DFID’s decision-making in relation to fiduciary risks in conflict-affected states as Amber-Red. This acknowledges efforts made at the country level to make risk-based decisions, while highlighting the need for urgent improvements at the corporate level to clarify risk appetite and risk and return assessments.

The combination of a high risk appetite and zero tolerance of fraud and corruption is not consistently understood across DFID

DFID staff need a clear understanding of the department’s risk appetite and risk tolerance, to judge which risks are justified in pursuit of development objectives. It also helps to assess what level of effort or expenditure is appropriate to mitigate particular risks.

DFID asserts that it has a high risk appetite. Until April 2016, DFID’s Smart Rules stated that “DFID has a high risk appetite when it comes to taking risks to achieve our key targets.” This explanation was qualified in the April 2016 update, to state: “Given the nature of our work we have a high appetite for risk but this does not mean we take risky decisions which could adversely affect our staff or our funds.” DFID’s Smart Rules also stated that DFID (in line with Treasury policy) has ‘zero tolerance’ of fraud and corruption. The April 2016 update referred to zero tolerance of instances of corruption when DFID becomes aware of it.[47] DFID’s Smart Rules also refer to guidance on the UK Bribery Act, Counter Fraud and Reporting Fraud and Corruption.

In our interviews, we found that staff were aware of DFID’s high risk appetite – an improvement since the December 2014 internal audit report – and its zero tolerance stance on fraud and corruption. However, they interpreted these two principles in a variety of ways. Some staff felt that DFID chose to work in high-risk areas, but had a low appetite for fiduciary risk within those areas. Others thought that fiduciary risks could be taken if justified by the potential benefits. Among more senior staff, a common view was that, while DFID had a relatively high appetite for fiduciary risk where justified by the returns, it had a low appetite for reputational risk, and that related reputational considerations often drove decision-making rather than fiduciary risk itself. These reflections suggest inconsistency of understanding across the department.

Zero tolerance of fraud and corruption may result in disproportionate effort going towards following up relatively minor cases. We were told of examples of DFID staff spending significant time and effort following up on small frauds reported by implementing partners, where the cost of doing so was clearly greater than the suspected loss.[48] This suggested that DFID wants to send a clear signal to its partners and beneficiaries about its zero tolerance policy and that it takes reporting seriously, no matter the amount. However, in terms of the volume of potential losses, this was disproportionate to the effort put into understanding and addressing fiduciary risks in the wider operating environment affecting DFID’s implementing partners.

Strategies for balancing fiduciary risk and return are not clearly articulated

In conflict-affected environments, DFID is likely to face trade-offs between risk and return. Some interventions lend themselves to tight fiduciary controls but may not lead to the greatest development impact, while high-risk activities may at times offer greater potential for transformative change. Ensuring good value for money in a conflict-affected environment may best be achieved by maintaining a balance of risk and return across a portfolio of programmes.

Some country operational plans contain a brief discussion of how to achieve this balance. For example, the Yemen operational plan states that DFID’s strategy, in the face of a very high-risk environment, is to maintain a mixed portfolio, with risks spread across a range of delivery partners. Prior to the recent escalation of the conflict, 90% of the portfolio was spent through partners with demonstrated capacity to deliver in challenging environments. Meanwhile, 10% was spent through ‘riskier but potentially more transformative’ channels. We are informed that this balance has shifted in 2016-17 following a change in risk appetite in light of the current conflict and urgency of humanitarian needs.

However, DFID remains at an early stage in developing tools and processes for portfolio risk management, particularly in volatile environments where the risk/return equation can change rapidly. This point has been acknowledged by DFID’s audit and risk committee, and the better delivery department has recently begun to pilot some new tools for this purpose. We found that country portfolios are in fact reasonably diverse, with a balance of risk levels. However, in the absence of clearly documented decisions, it was impossible to assess whether this was by accident or design.

At the programme-level, staff were able to explain how risks were balanced against the anticipated return. However, based on our programme sample, business cases do not yet routinely document a clear relationship between fiduciary risks and benefits. This may be partly due to fiduciary risks being treated in the financial case section, separate to other types of risk.

One area of weakness is that, following annual reviews, programme targets are often downgraded to reflect a changing context or delays in implementation. There is no routine assessment of whether the original risk/return assessment remains valid, given the lowering expectations for the programme. While we did not observe direct evidence, we are concerned that this could lead to DFID continuing programmes with unjustified risk/return levels.

 

Capturing and sharing learning on fiduciary risk management

We rated DFID’s learning in relation to fiduciary risk management in conflict-affected states as Green-Amber. This reflects ongoing efforts to strengthen DFID’s overall risk management structures, based on country experience, and some evidence of sharing good practice across country offices, although this is not as effective as it could be.

Since a 2014 internal audit report, DFID has identified weaknesses in its risk management framework and is working to address them

In 2014, internal audit identified a range of fundamental weaknesses in DFID’s risk management system. DFID accepted these findings and has been working to develop a comprehensive risk and assurance framework. Its objectives are to enable the department to make risk-based decisions and manage its risks in an appropriate way to achieve its objectives.

The reforms are aligned with Treasury guidelines. Internal audit used Treasury’s 2009 risk management assessment tool for its review,[49] and this has strongly influenced subsequent reforms. The initiative also draws on learning about risk management from across DFID and, albeit to a lesser extent, from external partners. A former deputy head of office from Afghanistan was brought in to manage the process, bringing relevant field experience.

So far, the reforms have led to the publication of a formal risk management framework and changes to a range of guidance (including clarifying what is meant by fiduciary risk and how it is assessed). We saw evidence in our case study countries that DFID staff were aware of the ongoing reforms and were engaging actively with new risk management concepts, such as risk appetite and risk-return balance. The better delivery department recognises that the new risk management approach will need to become embedded in the organisational culture. To that end, it is piloting a new risk and development return tool. It believes this is an important innovation in the sector, warranting an extended pilot phase to consider its effectiveness in a variety of contexts, especially humanitarian responses and in fragile and conflict-affected situations. DFID has also piloted a risk and control masterclass and is developing a new tool on delivery chain mapping.

These processes are expected to take another two years to fully embed. The better delivery department is also developing a more coordinated approach to managing risk in DFID’s 50 largest spending lines, which together account for more than 50% of its budget.[50] These changes are being driven and supported at the top level by the executive management, audit and risk and programme cycle committees.

The better delivery department has engaged with a number of DFID country offices to ensure that their learning is incorporated into its new approaches and guidance, including a range of conflict-affected countries. It is also piloting new tools in several locations. Through this interaction, some countries have begun to incorporate new guidelines, even before their publication, suggesting a high level of appetite for change. At the regional level, DFID’s Africa division carried out an assessment of risk registers across 11 countries, which fed into the reforms. The better delivery department has prioritised lessons from DFID and Treasury guidance, rather than from other donors or UK government departments.

There is evidence of learning at country level, but mainly through informal processes

DFID has numerous formal and informal processes for learning on programme management issues. These include: training, senior responsible owner conferences, on-boarding processes, programme reviews, online forums (enabling DFID staff around the world to consult colleagues on specific issues) and staff secondments. Some of the senior responsible owners we interviewed stressed the importance of both formal, centrally organised training and informal learning. However, they stressed that it was more important to incentivise staff to learn than to impose formal training requirements.

Staff rotation plays a key role in disseminating learning; we saw a number of instances of staff taking good practice from one posting to the next. Senior responsible owners are also able to spend 10% of their time working in other parts of DFID, which facilitates exchange of experience. This is not at present used to strengthen fiduciary risk management, but could readily do so.

Due to their responsibility to interpret principles and rules locally, country offices have developed their own approaches to managing fiduciary risks in their country context. This facilitates innovation, but at the cost of consistency. We saw evidence of good practices being shared among country offices, particularly through informal networks. For example, DFID Yemen learned lessons from Syria Crisis Unit, Libya team, DFID Somalia and DFID South Sudan on managing delivery challenges in rapidly escalating conflicts. DFID Somalia and DFID South Sudan had discussed the challenges of monitoring and risk management in their respective contexts. DFID Somalia had also been visited by the Syria team following the internal audit of the Syria Crisis Unit to review their systems and share learning. Heads of office in both DRC and Somalia regularly talked to other heads of office, both informally and through scheduled calls. However, these learning processes are mostly unstructured and offer an uneven method of disseminating good practice.

There are some country-specific challenges to learning and capacity building, which show that training solutions, such as e-learning, are not necessarily ‘one size fits all’. In South Sudan, decades of conflict have limited the education levels and capacity of local staff. DFID South Sudan is undertaking a training needs assessment to identify how to build staff capacity, recognising the importance of context-appropriate training solutions. A small number of programme staff in both DRC and South Sudan felt they would benefit from more regular training, with both a programme manager and the Senior Leadership Team citing financial management and accounting as areas where more training would be useful.

There are also weaknesses in how information and evidence is gathered and shared to inform due diligence and risk management. Another major donor commented that while DFID engages with it on specific issues identified in relation to implementing partners, efforts to coordinate on undertaking due diligence itself have faltered due to lack of available resources on both sides. While due diligence assessments refer to previous DFID assessments where available, there is no mechanism to incorporate information from other donors or to access relevant information from annual reviews of related programmes.

Notwithstanding evidence of learning, the pace of DFID’s risk reforms requires more urgency

It is surprising that DFID took five years to assess its risk management systems against the 2009 Treasury guidance, and another eighteen months to put in place a new risk management framework. The original timetable for implementing the new framework and associated guidance has slipped several times.

The better delivery department’s plans target key weaknesses in current fiduciary risk management practices, but there are still elements of the new framework that need to be developed, including around risk appetite, risk-reward balance and risk transfer. Some important areas are not yet sufficiently covered by ongoing work. These include oversight of multilaterals, strengthening due diligence practices, coordination with other donors and managing risk in the context of rapid scale-up. Better delivery is also still working on linking risk management at different levels of the organisation into a coherent whole, with collation, delegation and escalation of risks.

Figure 3: DFID’s risk management reforms timeline and progress

Issues and recommendations

The evidence gathered during this review provides a reasonable level of assurance that DFID staff working in conflict-affected countries are aware of fiduciary risks. They are also actively seeking to manage them, often in challenging circumstances. Across the programmes and countries that we examined, we found that they appear to be making sound judgments in challenging contexts. Moreover, we see them balancing the need for robust fiduciary risk management with DFID’s high-risk appetite in pursuit of its strategic objectives.

DFID’s principles-based management approach emphasises flexibility and individual responsibility. We found that this had led to considerable diversity of approaches to risk management across country offices, which in itself creates risks and challenges. It makes it difficult for senior management to assess whether risk management practices are adequate and consistent with corporate objectives. This was particularly apparent in the case of the early Syria response and scale-up, where there were fewer experienced programme management staff in place. The system for delegating and escalating risks between programmes, country offices, business units and central management is still emerging. While there are signs of learning within country offices, the sharing of lessons and good practices across the department does not ensure that they will be available where needed most.

As a result, we conclude that there are still significant challenges ahead to ensure that DFID’s risk management processes provide sufficient assurance that fiduciary risks are being managed effectively at every level of the organisation.

We acknowledge the efforts being made through the better delivery department, with senior management support, to strengthen risk management processes and guidance and develop a risk-aware culture within DFID. This has already led to some improvements in practice. However, we are concerned that the timetable for implementing DFID’s new risk management framework has already slipped, and that it is expected to take another two years before the new system is fully embedded. Given DFID’s commitment to spending half its budget in fragile states and regions, this work needs to proceed with greater urgency.

The following recommendations are offered as a contribution to the ongoing reforms. While our work focused on fiduciary risk in conflict-affected environments, there is learning that may be more widely relevant. We encourage DFID to consider its applicability for managing fiduciary risk in other contexts.

Recommendation 1

DFID should accelerate the timetable for implementing its central guidance on risk appetite and work quickly to articulate its risk-return approach to decision-making.

Problem statements

  • DFID has rolled out key aspects of its new risk management framework but is yet to develop a consistent approach to risk appetite. It lacks tools for balancing risk and return at the portfolio level. Clearer guidance is needed to ensure that risk can be managed proportionately and to enable effective oversight at the corporate level.
  • Where programme objectives are adjusted, there is insufficient guidance for reassessing whether risks are still acceptable in relation to new objectives.
  • Fiduciary risks tend to be considered from DFID’s perspective, with less consideration given to contextual risks faced by partners and beneficiaries, even though these carry costs and consequences for DFID programmes. High corruption and security risks make this particularly relevant in conflict-affected states.

Recommendation 2

DFID should clarify rules and expectations around risk transfer to fiduciaries, and the residual fiduciary risk responsibilities of senior responsible owners and senior management.

Problem statements

  • Staff do not always have a clear understanding of when and to what extent risks have been transferred to partners, legally or practically.
  • DFID does not always have a clear understanding of the risks associated down the delivery chain, especially complex chains in conflict-affected situations where losses may be hidden.
  • DFID’s corporate concern with reputational risks can make staff reluctant to accept fiduciary risk transfer to implementers, which could result in an overly risk-averse approach.
  • DFID does not have a clear understanding of the costs and consequences of transferring risks to partners.

Recommendation 3

DFID should urgently explore ways to improve the transparency and monitoring of fiduciary risk in bilateral programmes implemented by multilateral partners.

Problem statements

  • In conflict-affected states, where multilateral partners are often preferred to implementing partners, senior responsible owners report having insufficient access to information from multilateral partners to manage fiduciary risks adequately.
  • DFID’s oversight of programmes implemented by multilateral partners is determined by the arrangements it can negotiate with multilateral managers at the local level, rather than by an objective risk assessment.
  • We found a number of instances in which multilateral partners had been slow to disclose instances of fraud and corruption, pending their own investigations.

Recommendation 4

DFID should implement measures to match appropriate fiduciary risk management skills and expertise with its highest risk countries, partners and programmes.

Problem statements

  • DFID has committed to spending half of its budget in fragile states, yet does not have systems to ensure appropriately skilled programme management staff and expertise are matched to higher risk programmes and countries.
  • Surge mechanisms, where programmes are scaled up rapidly in conflict/humanitarian situations, do not sufficiently include experienced programme management staff. This is particularly important in situations where there is no prior DFID presence, such as in Syria.

Annex 1 Detail of scoring

ICAI score Green Amber

Question 1
How effectively does DFID identify and assess fiduciary risk in conflict-affected environments at country portfolio, individual project delivery and partner levels?

In DFID’s decentralised and flexible approach to risk management, responsibility for identifying, assessing and managing risk is delegated to the country level. We found that country offices in our sample had effective procedures for identifying fiduciary risks at the country level, including country risk registers that gave due attention to fraud and corruption risks. However, their methods for classifying and rating risks were not consistent. At the programme level, we found that DFID staff in our sample countries had a good understanding of the fiduciary risks facing their programmes. Due diligence of implementing partners is mandatory but varies in quality, due partly to weaknesses in the guidance. Procedures for escalating risks, from programme to country level and from country to business unit and department level, remain informal and need strengthening. Overall, we found that identification and assessment of fiduciary risk was satisfactory in most areas, but could be improved in others.

ICAI score Green Amber

Question 2
How efficiently does DFID mitigate risk in its programme designs and choice of delivery channels?

DFID’s Smart Rules set out the key responsibilities for mitigating risk at different levels. DFID’s programme designs, including its business cases and delivery plans, incorporate risk-mitigation measures. DFID includes fiduciary risk consideration in its choice of partners and delivery channels. Its funding agreements with implementing partners set out the key responsibilities around fiduciary risk. However, we found that DFID staff were sometimes unclear as to how and to what extent the responsibility for fiduciary risks was transferred to partners. Although there were areas of weakness, evidence from our field work showed that where risks had been identified, appropriate mitigating measures were usually in place, with priority given to reducing the risk of misuse of taxpayer funds.

Amber Red score

Question 3
How effectively does DFID monitor residual risk through the programme life-cycle?

DFID has systems and processes in place to monitor the delivery of its programmes in insecure or access-constrained environments. However, these monitoring arrangements are not regularly used to monitor fiduciary risks. While basic accountability mechanisms are in place, such as financial reporting and audits, these rely heavily on self-reporting by implementing partners and are not sufficient to identify problems in real time. DFID encourages its partners to report suspected fraud early, irrespective of size. However, DFID is less aware of potential losses which might occur further down the delivery chain and are outside its direct responsibility. Staff reported challenges in monitoring multilateral agencies implementing bilateral programmes, due to the nature of DFID’s multilateral partnerships. Overall, while we saw some examples of good monitoring practices, these were not widespread across our sample.

Amber Red score

Question 4
To what extent does DFID make clear and defensible choices as to what types and levels of fiduciary risk to tolerate in its programming?

To work effectively in high-risk environments, DFID needs to set its risk appetite and make explicit choices as to how to balance risk and return. DFID states that it has both a high risk appetite and zero tolerance of fraud and corruption. However, these principles – and the relationship between them – are left to country offices and individual staff to interpret, without clear guidance. DFID is working to address this through the introduction of a new risk management and assessment framework. DFID country offices are beginning to make more explicit decisions about risk appetite and incorporating them into their decision-making. However, the lack of central guidance on its application means that these assessments are not done on a consistent basis and are difficult to compare. Therefore, despite some good practices at the country level and recent improvements, there is still room for improvement to ensure risk-based decision-making is embedded across the department.

ICAI score Green Amber

Question 5
How effectively is DFID capturing and applying learning in the development of its systems and processes for fiduciary risk management in conflict-affected environments?

DFID’s internal audit department identified significant weaknesses in its risk management in 2014. Since then, DFID has established a team to develop and implement a risk management framework based on Treasury’s guidelines, tailored for DFID’s challenging operating environment. The reform process has collected learning from country offices and, to a lesser extent, good practices by partner organisations. Although the process has taken longer than envisaged, there is early evidence of improvements as a result of it. Over the coming period, DFID plans to target remaining areas of weakness, including risk appetite, risk-reward, risk transfer and escalation processes. At the country level, we saw evidence of learning between countries, although this was largely through informal channels and so somewhat uneven. We saw some good practices that had been introduced to ensure continuity during staff turnover, although these are not yet routinely applied and do not always involve finance staff. Internal audit plays an important role in identifying weaknesses at the country level, and we saw evidence of its recommendations being addressed. Therefore, while DFID has taken time to respond to weaknesses identified in its risk management approach, we saw evidence that it had effectively used learning to drive improvement.

Annex 2 Methodology

Our methodology had three core components: a systems review, country strategy reviews and country case studies. The combination of these three components forms an analytical approach that has breadth (covering DFID’s overall fiduciary risk management systems and approach) and depth (assessing how fiduciary risk management affects programming and portfolio management in five countries).

1. The systems review explored the design of DFID’s controls, processes, tools and resources for managing fiduciary risk. We explored DFID’s objectives for fiduciary risk management and how well its systems and processes deliver on those objectives. Examining how DFID’s risk management framework and tools have evolved in response to past conflicts enabled us to assess how DFID captures and applies learning.

2. The country strategy reviews involved a light, desk-based assessment of the treatment of risk in country strategies in the ten selected fragile states. They looked at strategy documents, country-level risk assessments and risk registers, supported by discussions with key managers in each country team on their overall approach to risk management. This enabled us to assess the way different DFID country teams understand fiduciary risk in the specific country context, how clearly they can articulate an overall approach to risk management, and their awareness of the tools and resources available to them.

3. The five country case studies were more detailed assessments of risk management practices in a variety of conflict-affected contexts (DRC, Somalia, South Sudan, Syria and Yemen). They explored the interaction between contextual analysis, portfolio planning, choice of delivery partners (eg multilaterals, civil society organisations (CSOs)), programme design and monitoring arrangements. It was possible to assess whether there was a coherent and sufficient approach to fiduciary risk management in each country context. The country case studies also enabled us to examine a sample of programmes and implementing partners in more detail and triangulate DFID’s internal evidence with feedback from country counterparts and implementers.

These three levels of analysis enabled robust triangulation of findings: strengths and weaknesses of DFID’s systems can be examined at the country strategy level and in practice in five country contexts. Although high-level, the country strategy reviews enabled us to consider the applicability of our findings across a wider range of countries and contexts. We were also able to gain a broader view of the consistency of DFID’s incorporation of fiduciary risk into its strategy and where lessons may be learnt.

[Figure 4]

Country selection

The population of countries from which we sampled are those where DFID provides aid and there are significant access constraints to assistance being delivered, for reasons of safety and security. DFID has made an assessment of which countries are considered fragile states. Of these, DFID rated the following 18 countries as highly fragile: Afghanistan, Burundi, Central African Republic, Chad, DRC, Eritrea, Iraq, Iran, Libya, Myanmar, Nigeria, North Korea, Pakistan, Somalia, South Sudan, Sudan, Syria, Yemen.

Their assessment is based on four dimensions of fragility:

i. Capacity failures: where the state lacks the capacity to ensure that citizens have access to public services and can benefit from economic growth.
ii. Authority failures: where the state fails to project its power over all its territory and/or fails to protect its citizens from violence.
iii. Legitimacy failures: where the state fails to gain adequate acceptance of government authority among elites and citizens.
iv. The presence of stresses: destabilizing stress factors that exert pressure on the state.

To assess these factors DFID uses data from the World Bank’s Worldwide Governance Indicators, Institute for Economics and Peace, Political Terror Scale, UN High Commission for Refugees and the Inform Index. Using the latest data (from 2013), DFID identified 54 fragile states, each of which is categorised as displaying high, medium or low levels of fragility.

Our primary focus for the review was on countries with substantial levels of DFID expenditure, where there is a high fiduciary risk and where DFID has limited access due to insecurity. We therefore also considered the following parameters:

• DFID’s budget for 2015/16 which indicates the level of need and the country’s significance to DFID.
• Fund for Peace’s 2015 fragility score, security apparatus score (used as an indication of insecurity) and the change in score since 2010.
• Transparency International’s 2014 Corruption Perception Index score and the change in score since 2010 (used as an indication of fiduciary risk).

On that basis, we identified a range of countries that met our criteria. Even though it had relatively low levels of funding, Libya was included because it was considered relevant from a country strategy review perspective in comparison to countries with larger budgets. This left us with ten countries: Afghanistan, DRC, Libya, Nigeria, Pakistan, Somalia, South Sudan, Sudan, Syria, and Yemen. Each of these was included in our high-level strategy review.

From this list, we made a purposive selection of five countries for the case studies. We considered those areas with a larger DFID budget and aimed to have a balance in covering different operating environments and different DFID structures. This included consideration of longer-term and more recent conflicts, the extent to which DFID is able to access intervention areas, the extent to which DFID has a local presence and our ability to access areas that DFID would not usually be able to access. This resulted in the selection of the following site visits:

Somalia – a protracted conflict environment, managed primarily from Nairobi with severely limited access to the field but the potential to travel to Mogadishu to meet local implementing and monitoring agencies and officials.[51]
DRC – another longer-term conflict environment with severe access restrictions but the potential for us to access programmes in conflict-affected areas with UN support.

The following were selected for similarly detailed country case studies but conducted from London:

Syria – a more recent conflict and an environment where in-country access by us is not feasible and where DFID’s operations are primarily managed from London.
Yemen – also subject to deterioration, with country access being complex and where DFID’s operations are primarily managed from London.
South Sudan – situated in a region with long-term insecurity issues, South Sudan became an independent country in 2011 but has seen conflict and instability breaking out since 2013. DFID has relatively free access to many implementation areas (although this varies by geographic area and over time) enabling us to compare South Sudan with approaches and experiences in more restricted countries.

Programme selection

For each of the five country case studies we selected a sample of four to six programmes depending on scale and complexity. Our review focused on the countries, regions and programmes that best illustrate the fiduciary risk management challenges of interest in this review, namely those with: limited delivery options, restricted access to monitor risks and controls, and heightened potential for fraud, corruption or misuse of funds to exacerbate instability and undermine higher-level objectives.

We undertook a targeted, or purposive, approach to programme selection, to focus on areas of high fiduciary risk and inaccessibility for monitoring purposes. For our two country site visits, we also considered the practicalities of visiting certain locations. It is difficult to identify a representative sample due to the variable nature of the risks and the rapidly-changing country contexts. To help us to select a sample that was focused on these areas while maintaining a broad view of different interventions, programmes were therefore purposively selected from the following categories (which may overlap):

i. programmes of high strategic importance
ii. programmes rated high risk by DFID
iii. humanitarian programmes
iv. problem cases (selected from programmes where fraud or corruption have been identified, or the programme was terminated early on grounds of fiduciary risk)
v. lower risk and/or smaller scale programmes.

We also aimed to achieve coverage of different types of delivery partner (multilateral, CSO, private or public sector) and monitoring agency. In our programme selection we ensured coverage of a range of sectors and targeted larger programmes in geographical regions or with interventions in areas that are known to be difficult to access and which may have high fiduciary risk.
