Guidelines on Risks and Opportunities Assessment

December 6, 2017

DFA DEPARTMENT ORDER NO. 12-17

GUIDELINES ON RISKS AND OPPORTUNITIES ASSESSMENT

SECTION 1. Legal Basis and Objectives. —

To ensure compliance with Department Order No. 06-2016, "Establishment and Implementation of an ISO-Certifiable Quality Management System in the Department of Foreign Affairs," this Order is being issued with the main objective of effectively implementing risks and opportunities assessment by the Department's offices, resulting into the identification, analysis and evaluation of risks and opportunities related to the QMS processes and the formulation of action plans that would address risks and take advantage of opportunities. EATCcI

SECTION 2. Scope and Application. —

All offices will conduct risks and opportunities assessment taking into consideration the context of the organization, i.e., internal and external issues, the requirements of relevant interested parties or stakeholders, and the services extended by the Department.

SECTION 3. Definition of Terms. —

• Risk — the negative effect of an uncertainty:

Risk = IMPACT on objectives X PROBABILITY of occurrence

• Opportunity — desirable and viable possibility to address the needs of the organization and/or its customers. Ex. adoption of new procedures, using new technology, building partnerships.

• Context — the environment in which the Department operates and seeks to achieve its objectives. Ex. External — political, regulatory, legislative, social, cultural, and financial environment; Internal — objectives, governance, structure, roles and accountabilities, capability of people, systems and processes.

• Risk Assessment — the process at the core of risk management, which, in turn, is made up of the following 3 processes:

1. Risk Identification — determining sources of risk, their causes, potential consequences, and areas of impact. This process also aims to generate a list of risks;

2. Risk Analysis — process to understand the nature, sources, and causes of the risks that have been identified and to estimate the level of risk; and

3. Risk Evaluation — process used to compare risk analysis with risk criteria in order to determine whether or not a specified level of risk is acceptable or not.

• Risks and Opportunities Registry — records identified risks and opportunities, their impact and the actions to be taken.

• Root Cause — factor that contributes to the occurrence of a problem.

• Root Cause Analysis — method used to address a problem or non-conformance in order to eliminate or prevent the problem/non-conformance from recurring. Examples of Root Cause Analysis techniques are the Ishikawa (or fish-bone) cause and effect diagram, 5 Whys, and the Fault tree analysis.

• Common risk responses:

1. Mitigation — action to reduce impact of risk.

2. Elimination — avoiding the risk by deciding not to continue with the activity.

3. Accept — no corrective action is taken.

4. Transfer — sharing or shifting the impact to or with another entity.

• Preventive Action — action to eliminate the cause of a potential nonconformity or a needed improvement. Ex. a new procedure added to the management system or a change implemented to address a weakness.

• Action Plan — plan of activities that will prevent the occurrence of the risk or that will maximize the benefits of the opportunity.

SECTION 4. Risk Assessment Tools. —

The following tools shall be used to support the risk assessment process:

Tools	Description
• SWOT Analysis	Method of identification and classification of internal and external factors that may affect the Department's/office's fulfillment of its objectives. Factors are classified into: strengths, weaknesses, opportunities, and threats.
	SWOT analysis is undertaken at the Department level every three years as part of the Strategic Planning process and its Mid-term Review. It is undertaken at the office level annually as part of the preparation of the respective Annual Business Plans of each office.
• PESTLE Analysis	Method of identification and classification of factors that may affect the unit's fulfillment of its objectives. These factors are classified into: Political, Economic, Social, Technological, Legal, and Environmental.
	PESTLE analysis is undertaken at the Department level every three years as part of the Strategic Planning process and its Mid-term Review. It is undertaken at the office level annually as part of the preparation of the respective Annual Business Plans of each office.
	Please refer to the attached format for PESTLE Analysis.
• Risks and Opportunities Registry	Please refer to the attached Risks and Opportunities Registry Form.
• Risk Assessment Table	Please refer to the Risk Assessment Table under Risk Analysis and Evaluation.

All offices are required to submit their respective PESTLE Analysis and Risks and Opportunities Registry to OSEC-Risk Management Team. Any question on the use of the above Risk Assessment Tools may be forwarded to the Office of the Secretary (OSEC-Coordination).

SECTION 5. Risk Identification. —

• Each office identifies risks and opportunities using the above risk assessment tools during planning. DHITCc

• Risks and opportunities are identified in consideration of their potential impact on, but not limited to, the following: achievement of intended and/or desirable results, prevention or reduction of undesired effects, achievement of improvement.

• The identified risks form a baseline to initiate risk management activities.

• The Heads of Offices must ensure a retained and updated risks and opportunities registry.

SECTION 6. Risk Analysis and Evaluation. —

• Involves prioritizing risks and determining which risks require preventive action/mitigation strategies and/or contingency plans.

• Risks are prioritized based on their probability of occurring and corresponding impact on objectives. The probability of occurrence and impact of each identified risk can be assessed using the following table:

IMPACT/BENEFIT

Impact	Rating	Risk	Opportunity
Insignificant/Minor (Low)	1	• Minimal impact on objectives • Day-to-day activities of the Department will not be disrupted	• No perceived value for improvement and sustainability
Moderate (Medium)	2	• Moderate impact on objectives • Will affect the business-as-usual or day-to-day activities of the Department • Minor regulatory consequences	• Pursuing opportunity will add value to the Department and objectives
Major (High)	3	• Will cause major delays in the provision of services to stakeholders • Failure to achieve desired outputs • Failure in the delivery of services • Major regulatory consequences	• This opportunity must be pursued

PROBABILITY

Probability	Rating	Frequency
Unlikely (Low)	1	Event that is very unlikely to occur during the lifetime of an operation/project
Likely (Medium)	2	Event that may occur frequently during the lifetime of an operation/project
Certain (High)	3	Recurring event during the lifetime of an operation/project

Risk Assessment Table:

IMPACT/BENEFIT
		Low	Medium	High
PROBABILITY	Low	1	2	3
	Medium	2	4	6
	High	3	6	9

Determine the risk rating of an identified risk by multiplying the IMPACT score by the PROBABILITY score. A score of 3 and above is deemed actionable and requires root cause analysis to arrive at a decision about risk treatment.

SECTION 7. Actions to Address Risks and Opportunities. —

Actions to address risks and opportunities should be included in the Annual Business Plan of each office. Discussions on these actions during office meetings should be recorded.

SECTION 8. Review and Monitoring of Risks. —

• The risks and opportunities should be reviewed quarterly to re-examine possible sources of risk and changing conditions and to uncover risks that may have been previously overlooked. Submit updated risks and opportunities registries, as applicable, to OSEC. cEaSHC

• The risks and opportunities registries submitted by each office will be consolidated by OSEC.

• Relevant information generated from risk registries will be reported by OSEC during the Management Review (MR).

SECTION 9. Occurrence of Identified Risks and Opportunities. —

Occurrence of identified risks and opportunities should be reported to OSEC through a memorandum, with the updated RAOR as an attachment, which will then be discussed during the MR.

SECTION 10. Repealing Clause. —

All other Department Orders, Memoranda, rules and regulations inconsistent with the provisions of this Department Order are hereby modified accordingly.

SECTION 11. Separability Clause. —

If any provision of this Department Order is declared invalid or unconstitutional, the other provisions not affected thereby shall remain valid and subsisting.

SECTION 12.

This Department Order shall take effect after fifteen (15) days from the date of its deposit with the Office of the National Administrative Register (ONAR) of the UP Law Center.

Pasay City, December 6, 2017.

By authority of the Secretary of Foreign Affairs:

(SGD.) JOSE LUIS G. MONTALES

Undersecretary

ATTACHMENT

ISO31000 Risk Management Framework

Office Pestle

 

Risks and Opportunities Registry