RAPPORTEUR GROUP

Programme, Budget
and Administration

GR-PBA(2021)2

12 January 2021[1]

Oversight Advisory Committee – Annual Report 2020 – Follow-up to recommendations

Information document

Item to be considered by the GR-PBA at its meeting on 2 February 2021

 

This document summarises the action the Secretary General intends to take with regard to the recommendations of the Oversight Advisory Committee (OAC) contained in their annual report (CM(2021)5).

Many of the recommendations build on those made in the 2019 report and take into account discussions with management during 2019/2020.


Recommendation 1: The Secretary General should implement a succession plan for the development of the work of the Ethics Office.

A successor for the current Ethics Officer has been appointed by the Secretary General as of 1 January 2021 and will carry out the function in addition to his duties as Deputy Executive Secretary of GRECO pending the outcome of the ongoing reflections on how to further develop and enhance the ethics function for the future. As the review of the Organisation’s ethics framework will evolve, so will the role and functions of the Ethics Officer. The future Code of Conduct and Council of Europe Policy on reporting wrongdoing and protecting those who report (so-called “Speak Up Policy”) represent key milestones in this respect and will have an impact on the Ethics Officer’s work and terms of reference. As the Ethics Officer’s mandate will evolve, the introduction of a fully-fledged Ethics Officer position may be considered.

Timeframe: end 2021

Recommendation 2: The Secretary General should ensure that the new whistle-blowing rules within the Organisation (and by consequence the Terms of Reference of the Ethics Office) foresee that the Ethics Office has the ability to assess and offer protection to internal complainants who may have been subject to retaliatory measures by other staff.

The current draft “Speak up: Council of Europe policy on reporting wrongdoing and protecting those who report” is consistent with this recommendation. The draft provides for new whistle-blowing rules and internal regulations are being reviewed with a view to introducing related changes. These initiatives take largely into account the specific recommendations made by the Ethics Officer in his first annual report. The terms of reference of the Ethics Officer may evolve accordingly.

Timeframe: end 2021

Recommendation 3: The Organisation should step up efforts to monitor, report on and evaluate results. Programme managers should be responsible for monitoring and reporting results also at intermediate outcome and impact levels (when possible and realistic to do so). DIO should give priority to conduct one evaluation of each one of the Programme and Budget’s (presently 13) programmes once during a five-year period.

The Council of Europe has adopted a three-level outcome approach to formulate how the Organisation seeks to influence change. These levels are contained in the Programme and Budget document under:

• sub-programme’s expected results (immediate outcome level);

• sub-programme’s objectives (intermediate outcome level);

• programme descriptions of intended long-term change (impact level).

The monitoring and reporting are currently performed at the immediate outcome level which is the level at which the Organisation has control and full attribution of the result. For 2019, some indicators such as “evidence of change” were included in some programmes and the 2019 Progress Review Report included an assessment of these indicators at “intermediate outcome” level.

Indicators at intermediate outcome for all the programmes have now been included in the Programme and Budget for 2020-2021. Programme managers will assess this level of results in the Progress Review Report at the end of the biennium by giving indications on whether action had the intended intermediate effect.

Concerning the impact level, further considerations will be given to this recommendation to see whether it is possible and realistic to have some elements at this level during the monitoring and reporting phases.


It is considered, however, that impact assessment goes beyond the scope of the programming cycle and should be subject to evaluation as it is the outcome of a combination of factors and of the work of many diverse actors. The results of evaluations should then feed back into the programme cycle. 

DIO will review a selection of topics for evaluation and types of evaluation to be carried out in order to ensure adequate coverage of programmes over a period of time, taking into account the availability of resources and the differing nature of programmes and the number of sub-programmes they encompass.

Timeframe: mid 2022

Recommendation 4: The Organisation should ensure a closer link between Results Based Management and risk management, the risks of not meeting pillar and programme objectives should be monitored.

Risk management is an integral part of the RBM approach as set out in the RBM Practical Guide. The Secretariat has taken due note of the OAC’s comments whereby there needs to be a clearer distinction of risks of the Organisation not achieving expected results or demonstrating the value of its actions. In order to ensure a closer link between the two aspects, during the preparation of the next Programme and Budget, synchronisation of workshops on programming and risk management will be sought. As regards project management, the PMM trainings will continue to strengthen the need to integrate fully risk management in project management.

Timeframe: end 2021

Recommendation 5: The OAC recommends that the Organisation’s action plan in response to the audit on IT Governance is given priority and that recommendations are implemented within the dates committed.

During an SMG meeting on 15 October 2020, the Deputy Secretary General drew the SMG’s attention to the recent internal audit report on IT Governance and the importance of ensuring the participation of the Heads of MAEs in the IT Governance board meetings, so as to ensure accountability for strategic orientations taken by the latter. During the IT Governance Board meeting held on 19 October 2020, the importance of the Organisation’s action plan in response to the audit on IT Governance was emphasised. A dedicated working group is being set up in order to make proposals for the implementation of these recommendations. Due to the Covid-19 second lockdown, this had to be postponed to the beginning of 2021.

Timeframe: Mid 2021

Recommendation 6: The Organisation should prepare and implement an action plan to address the recommendations of the audit report as a matter of priority. Risks at the IT Security level should be discussed regularly by the IT governance board and included at the organisational risk register level.

During the IT Governance Board (ITGB) meeting held on 19 October 2020, the Deputy Secretary General informed the ITGB that there will be a regular point on information security at each ITGB meeting. A first draft of the action plan on the Security Audit recommendations was attached to the agenda of the ITGB meeting of 19 October 2020. This initial draft will be further reviewed in the first quarter of 2021 in collaboration with the IT Departments of the European Court of Human Rights and EDQM via a planned COSI meeting. The final action plan will then be validated during one of the ITGB meetings as of the second quarter of 2021. The implementation timescale of the recommendations will be in accordance with the validated action plan.


Main IT risks (including an IT security risk) are included in the draft organisational risk register for 2021 and specific mitigating actions have been identified.

Timeframe: end 2021

Recommendation 7: Top management commitment towards the implementation of risk management needs to be continued. The OAC recommends, in the short term, to consolidate risk management practices across the Organisation, with the specific objectives of:

- further increasing the proportion of projects covered;

- increasing the quality of operational risk registers;

- preparing a further enhanced organisational risk register document;

- making available an IT tool for risk management.

Since the adoption of the Risk Management Policy in 2016, the Council of Europe has deployed significant efforts to train and support relevant Council of Europe staff. The Directorate General of Administration (DGA) and the Office of the Directorate General of Programmes (ODGP) will continue to co-ordinate the implementation of the Risk Management Policy within the Organisation, duly taking into account the actual situation and its absorption capacity.

· Risk management is an obligatory part of the co-operation sector’s project management method (PMM); staff training as well as further development of the risk management IT module will be pursued in 2021.

· Sub-programme teams will be supported for the review of their operational risk registers. Workshops will be synchronised with the Directorate of Programme and Budget (DPB) within the framework of the preparation of the next Programme and Budget document in order to enhance the risk management culture within the Organisation.

· Based on previous OAC recommendations, the organisational risk register for 2021 has been further enhanced in terms of relevance of identified risks and completeness of the register.

· The working group on the IT tool will resume its work in 2021.

Timeframe: end 2021

Recommendation 8: The OAC recommends that an improved consideration should be given to the risk management information in the RBM process and to RBM when developing risk registers and that the Secretary General reports annually to the Committee of Ministers on major and strategic risks.

Risk management is an integral part of the RBM approach as set out in the RBM Practical Guide. The guide has been widely distributed within the Organisation and a number of trainings/workshops have been carried out with programme staff over 2020 and will continue in 2021. In order to ensure a closer link between Results Based Management and Risk Management, synchronisation of workshops on programming and risk management will be sought in the preparation of the next Programme and Budget. Teams will be invited to develop their theory of change during the programming workshops which will constitute the basis for developing risk registers during risk register workshops. Major risks impacting the achievement of expected results will be reported in the Progress Review Report.

Timeframe: end 2021

Recommendation 9: The OAC recommends that DIO gives priority to the audit of the risk management in its 2021 Work Programme.

As stated in the 2021-2022 DIO work programme:

“Audit and other work carried out by DIO in previous years (notably the audit on crisis management and business continuity and the review of the internal control framework) revealed shortcomings in relation to how risk management operates within the Organisation. The Oversight Advisory Committee has also made a number of comments and recommendations addressing the level of maturity of risk management.


In 2021, the audit team will carry out a benchmarking across international organisations to obtain examples of governance structures, policies, guidelines, resources, IT tools and elements of good practice and success factors that can help the Council of Europe develop further risk management within the Organisation. An audit of the risk management function will be carried out in a future work programme.”

Timeframe: January – April 2021

Recommendation 10: The OAC recommends that the Organisation further develops the crisis management system considering the conclusions and recommendations of the high-level review report and the experience gained during the Covid-19 crisis.

In accordance with the action plan agreed with DIO within the framework of the audit “Crisis management and business continuity at the Council of Europe”, the Secretary General/Deputy Secretary General will discuss the results of the consultant’s assessment with senior management and decide on the follow-up to be given. The experiences gained during crises, in particular the current sanitary crisis, and the results of the “lessons learned” exercise jointly carried out by DIO and DGA, will likewise feed into the discussions.

Timeframe: The discussion will take place in 2021, once the circumstances allow.

Recommendation 11: The OAC recommends that the existing Business Continuity arrangements and processes be extended and further tested to ensure their robustness and repeatability.

A pragmatic and comprehensive approach will be adopted in order to put in place a business continuity and crisis management system for the Council of Europe that addresses the various audit recommendations on the subject.

The business continuity system will in particular rely on the adaptation and co-ordination of the functioning of the Council of Europe Security Management Team, the Risk Management System and the IT Disaster Recovery Plan.

Timeframe: end 2021

Recommendation 12: The OAC recommends that the Organisation gives high priority to developing a comprehensive internal control framework in compliance with the COSO standards. The weaknesses in risk management should be given special attention.

Work on a policy paper on the internal control framework will be initiated as soon as the necessary resources can be mobilised. The framework will be tailored to the specificities of the Organisation and include risk management, as necessary.

Timeframe: end 2021

Recommendation 13: The OAC recommends that the Organisation’s senior management clearly demonstrates responsibility and ownership for the Organisation’s control and risk management processes and proactively initiates work to bring the Organisation in line with the COSO standards.

The discussion on the internal audit report “Crisis management and business continuity at the Council of Europe” that will be organised by the Secretary General/Deputy Secretary General in 2021, in accordance with the action plan agreed with DIO, will be an occasion to also highlight the importance of a solid internal control framework, including risk management, to senior management and to build on the current heightened awareness of the importance of related processes with a view to anticipating future crises and enhancing the resilience of the Organisation in general.

Timeframe: mid 2021


Recommendation 14: The OAC recommends that DIO regularly reviews and updates the risk-based audit methodology and, in this connection, continues to integrate relevant external factors and emerging risks. Furthermore, DIO should regularly assess if the internal audit function capacity is sufficient to perform the required assurance work.

The risk-based methodology is continuously reviewed and updated and external factors and emerging risks are considered. The DIO annual report contains an overall audit opinion. In giving this opinion, consideration is given as to whether or not sufficient audit work has been carried out in order to be able to provide it.

Timeframe: ongoing

Recommendation 15: The OAC recommends that DIO prioritise reviewing and updating the Internal Audit Charter and developing a Charter covering all three functions of the Directorate.

The review of the audit charter and consideration of development of a charter for the Directorate will take place in 2021.

Timeframe: first half 2021

Recommendation 16: The DIO evaluation function needs to focus on its core mandate of commissioning, managing and conducting evaluations, including at the programme level for the purpose of accountability, quality assurance and learning. This recommendation is a repeat of a recommendation from 2019.

In line with the new Evaluation Policy, the purposes of evaluations are to contribute to decision-making, learning and accountability. After a number of years where other priorities or circumstances (development of policy, guidelines, contribution to reform process, budgetary/programmatic uncertainty) have impacted on the capacity of the Directorate to carry out core mandate evaluations, the 2021 DIO Work Programme foresees four evaluations.

Timeframe: DIO Work Programme 2021-2022

Recommendation 17: Criteria for evaluation of development co-operation programmes and action plans should be established and an annual workplan developed, by ODGP, for the evaluation of co-operation programmes and action plans. As part of the quality assurance framework in relation to decentralised evaluations DIO should be informed about all planned decentralised evaluations in a timely manner. Evaluation budgets should be allocated for strategically important, innovative or large-scale programmes and projects, including joint programmes and action plans. A repository of decentralised evaluations should be established by DIO.

Criteria for evaluation partially exist and will be further developed, resources allowing. Similarly, an annual evaluation workplan for co-operation programmes and action plans will be established, whilst bearing in mind the limits imposed by the continuous evolution of these programmes and the importance of beneficiary and donor demands.

The new Evaluation Policy foresees a repository of decentralised evaluations which DIO will establish in 2021. The Policy foresees that DIO is informed of all planned evaluations in order that quality assurance support can be provided. The Evaluation Guidelines taken note of by the Ministers’ Deputies on 8 December 2020 provide advice to those conducting decentralised evaluations in respect of both the quality assurance framework and the budget to be allocated to evaluations.

Timeframe: ongoing


Recommendation 18: DIO should do quality assurance of decentralised evaluations, including reviewing the selection of consultants, the terms of reference for evaluations and evaluation reports.

The new Evaluation Guidelines taken note of by the Ministers’ Deputies on 8 December 2020 foresee quality assurance by DIO of decentralised evaluations, in line with the Evaluation Policy, including reviewing and providing support for the selection of consultants, the terms of reference for evaluations and evaluation reports.

Timeframe: ongoing

Recommendation 19: DIO should continue to engage staff on fraud awareness issues during periods of remote working and thereafter both as a deterrent and a reminder of the reporting facilities available to address misconduct.

DIO has a communication plan for awareness raising and prevention of fraud and corruption; it publishes several times per year news (surveys, videos, questions) and carries out other activities (reports on declarations of interests, fraud risk assessments, etc.). DIO will continue to carry out its prevention and awareness-raising activities in future years.

Timeframe: ongoing

Recommendation 20: The Secretary General should initiate measures to ensure that recommendations are acted upon in a timely manner.

The Secretary General will ask the Directorate of Internal Oversight for an analysis of the possible reasons for the decrease in implementation rates as compared to the previous reference period. DIO is currently in the process of replacing the IT tool used for the follow up of recommendations, which should aid the process of more regular reporting, monitoring and analysis of recommendations. As a further consequence of the introduction of the new tool, the target and calculation methods will be reviewed by DIO during the course of 2021. Furthermore, the Secretary General will continue to act upon the DIO reports on high risk or strategic recommendations that have been outstanding for a long period of time.

Timeframe: end 2021

Recommendation 21: The Organisation should develop a baseline for the administrative reform as well as expected results and targets for the various reform areas and furthermore develop pertinent indicators to measure change. An evaluation of the administrative reform should be planned.

The formulation of expected results for reform initiatives will be enhanced; progress will be captured both through qualitative and quantitative indicators, baselines and targets will be developed whenever possible. An evaluation of the administrative reform will be considered for future evaluation work programmes.

Timeframe: mid 2021

Recommendation 22: The OAC recommends that needs of and opportunities for reforms in substantive areas of the Organisation are considered in the development of the medium-term strategic framework.

The Secretary General’s proposal for the strategic framework was presented to the Committee of Ministers in November 2020 and will be discussed in January 2021. The strategic framework provides points for reflections on the Organisation’s relevance in delivering on key mandates and effectiveness in achieving organisational objectives in an evolving world with democracy under threat in some countries and where socio-economic consequences can be expected from the Covid-19 pandemic.

Timeframe: mid 2021



[1] This document has been classified restricted until examination by the Committee of Ministers.