A76/17
The Internal Control Framework and risk management
WHO’s Corporate Risk Management Policy embeds risk management in WHO’s strategic and operational planning
and budgeting cycles, as well as in the accountability and internal control frameworks. The key objective is to ensure
that all the risks inherent to the Organization’s activities are fully understood, and that appropriate strategies are
chosen to manage them. Well-grounded risk management and internal control policies, systems and processes help
to understand better the risks to which the Organization is exposed, to ensure that appropriate accountabilities and
controls are in place to address those risks, and effectively to carry out the Organization’s activities.
WHO country offices and departments have continued to identify and evaluate risks with the aid of WHO’s risk
management tool and to develop response plans to deal with them. At the global level, the risks that WHO faces in
achieving its strategy and mission are reflected in a corporate-level risk register (the “WHO Principal Risks”). An
annual report on the state of risk management, compliance and ethics is subsequently submitted to the Health
Assembly for consideration through the Executive Board.
As the Director-General of the Organization, I have the ultimate responsibility for assessing the risks associated with
the implementation of the General Programme of Work and WHO’s overall activities. I am assisted in this task by the
Regional Directors, senior management and the WHO Global Risk Management Committee. The Committee plays a
key role in ensuring that the most critical risks are identified and addressed in an efficient manner. Furthermore, I am
supported by the Office of Compliance, Risk Management and Ethics, which facilitates and guides the
Organization-wide risk management process. Finally, as highlighted in WHO’s Corporate Risk Management Policy,
every WHO staff member has the responsibility to identify risks at his or her own level of work.
Review of the effectiveness of internal controls
My review of the effectiveness of WHO’s system of internal control is based on the following.
(a) An annual “letter of representation”. This is reviewed and signed by all Regional Directors, Deputy
Directors-General and Assistant Directors-General, and confirms the importance of ensuring that
adequate internal controls are in place, along with other assurances. All issues raised in the letter of
representation feed into the annual audit and financial statements.
(b) The internal control self-assessment checklist, which is completed and submitted by all WHO
country offices and departments. The checklist is used by each office manager (country office and
departments) to review all key controls and to rate compliance. The consolidated results for 2022 show
that, overall, internal controls throughout the Secretariat have been self-assessed as robust. A total of
254 WHO country offices and departments across the Organization completed the exercise for 2022 as at
February 2023. Although the areas of risk management and monitoring remain the weakest, it is to be
noted that slight improvements are visible in the scores reported for these areas, reflecting the efforts
undertaken in the course of 2022. Further progress is expected with the implementation of the Enterprise
Risk Management strategy, which should provide the Organization with sustainable improvements by
institutionalizing and strengthening risk management and assurance processes across its three levels. In
relation to inventory management and more broadly supply-chain management, the Organization is
investing in a new enterprise resource planning system and associated business process reviews in order
to streamline processes and related controls across the three levels.
(c) Reports issued by the Office of Internal Oversight. The reports of internal audits, conducted under
the 2022 audit workplan, provide objective information on compliance and control effectiveness, together
with recommendations for improvement. The major findings from these reports are summarized in the
Annual Report of the Internal Auditor to the Health Assembly. Individual audit reports are available for
review by Member States on request.
(d) Reports issued by the External Auditor. The external audit provides independent oversight and
reporting on WHO’s compliance with the Financial Regulations and Financial Rules. The external auditors