3. Retrospective analysis of earlier projects, past performance, evaluations, reviews, lessons learned. This includes a review of past Global Fund or health implementation projects, both in country and globally. Data can be extracted from risk register/dashboard, evaluations, reviews, lessons learned, audits, interviews, progress reports, etc.
4. Risk assessments. These are usually conducted when high/significant or moderate risks are estimated from a preliminary screening and are used to extract more qualitative and quantitative information on the risk exposure and to design the required treatment actions. Both Global Fund and UNDP have a number of required assessments that must be conducted before designing a strategy or signing agreements. A mapping of key UNDP risk management tools is available here.  
5. Interviews, consultations. UNDP ensures meaningful, effective, and informed participation of stakeholders in the formulation and implementation of development interventions. Stakeholder engagement is an ongoing gender-responsive, culturally sensitive, non-discriminatory, and inclusive process, ensuring that potentially affected vulnerable and marginalised groups are identified and provided opportunities to participate and to share their views and concerns. This is both embedded in the UNDP project quality standards and a risk management process. 
6. Scenario analysis, assumption analysis. It allows exploring potential futures and alternative scenarios to account for the uncertainty of the future conditions and their impact on project objectives. At the project level, scenario planning can be done through the design of the project theory of change, stress tests, wargaming, etc.  
7. Questionnaire and surveys. These can be used to collect information on opinions or feelings about a project or a risk. They can also be a set of standardised questions to assess strengths and potential vulnerabilities.

Risk analysis is the process to understand the nature of the risk, the source, the causes, and to estimate the level.  This step allows writing a risk statement that captures the causes and consequences of the risk for the project objectives. 

There are a number of techniques that allow analysing and visualising risks and their causes – fault tree analysis, event tree analysis, Swiss cheese, bow tie analysis, etc.  

The Bow Tie Diagram is a simple and effective analytical tool that allows to visually identify the potential causes leading to a risk event/critical incident and to map out the proactive measures to control the occurrence of the risk event. Should the controls fail, and a risk event occur (which represents an issue), the diagram also maps out potential consequences and the reactive actions that can limit the negative consequences of the event. Figure 9 shows a standard Bow Tie Diagram, while Figure 10 shows an example of a Bow Tie Diagram for a risk frequently identified in Global Fund projects for a deeper understanding of the causal chain and when actions should be put in place. 

International development projects focus on bringing change in complex environments, where a risk event can be linked to a layer of causes – primary and secondary causes – and can lead to a layer of consequences – primary and secondary. It is useful to map the causal relationship to gain a better understanding of the causal relations, without trying to minimise the complexity.

The example above is not context specific, so it can include generalities. For an effective risk analysis, if possible, ensure context-specific information is available when building the scenarios for a risk analysis.

Risk evaluation: the use of risk criteria such as the UNDP ERM Risk Matrix to determine risk prioritisation, and the level of acceptance and tolerability of the risk event.

Risk evaluation includes 3 key steps:

1. Risk rating: The risk is given an overall rating using the risk criteria model, the 5-point scale listed in the ERM policy and in Figure 11, that looks at the likelihood and the impact of a risk. By giving a rating to the impact and the likelihood, the risk can be rated as low, moderate, substantial, or high. Substantial or high risks may require further technical expertise to assess the likelihood/impact.
2. Risk category:Once the risk is evaluated, the risk consequences are assessed against the 8 ERM risk categories and sub-categories.



3. Risk significance and escalation: The risk is now compared against the risk significance in the corporate risk appetite for that category. See the UNDP Risk Appetite Statement (RAS), UNDP RAS Guidance on how to apply the RAS. If needed, and if the risk is above the ERM escalation conditions, the risk is escalated following the process in the Risk escalation process  section of this Manual.