Risk Assessment Procedure

​Risk Management Procedure

(Minutes of HELCOM 33/2012, Annex 8.3)


The Helsinki Commission (HELCOM), being a public, international body financed mostly from the Contracting Parties' budgets, must have efficient and effective functions ensuring cost-effective use of public resources.

A risk can be defined as anything that can occur and have a negative impact on the possibility of HELCOM to achieve its objectives. The purpose of risk management is to identify risks and manage them so that the risk level stays acceptable.

Risk management is derived from the objectives and key activities of HELCOM and is linked to the overall planning process of the organization. There is a dependency between objectives, activities, tasks and risks. There are risks, potential problems, associated with all objectives, so the idea is not to avoid risks but to keep them under control and sustain suitable response, according to the risk type and magnitude. Identifying and assessing risks also involves defining the acceptable level of each risk.

As risk management concerns every staff member of HELCOM, all employees are able and free to identify risks and make proposals on how to improve the work processes in order to reduce risks.

General risk assessment of the Helsinki Commission

The existence of the Helsinki Commission as an international, inter-governmental organization is not considered at risk: the Helsinki Convention and other related agreements constitute a solid foundation.

Financial sustainability ensured by the Helsinki Convention and budgetary procedure

  • The financial provisions of HELCOM are part of the Convention, stipulating that the total amount of the budget, including any supplementary budget adopted by the Commission shall be contributed by the Contracting Parties based on equal shares
  • HELCOM has a 5-year budget planning system and annual budgets are adopted by the Commission
  • The HELCOM projects undergo a review process, including contribution needs from stakeholders before adoption by HELCOM Heads of Delegation
  • Institutional sustainability ensured by the solid organizational structure and extensive network
  • The HELCOM network among the Contracting Parties is well identified and functioning
  • The HELCOM activities are closely linked with the national regimes and work of national institutions
  • The envisaged users of the products, the HELCOM organizational structure, is largely permanent
  • The HELCOM Secretariat is highly experienced and competent in coordinating and managing activities and projects.

Physical sustainability ensured by good facilities and tools

  • The threat of incidents, like fires, earthquakes etc. is assessed to be small to the continuity of HELCOM as most of the HELCOM-related activities are carried out by the Contacting Parties' national institutions scattered around the Baltic Sea.
  • The building where the HELCOM Secretariat is located, the Marina Congress Center, has a building evacuation plan for emergency situations and the HELCOM computer system (including all network drives) is covered by a back-up system
  • HELCOM staff are at all times able to work from other locations than the Secretariat building (network access, portable computers, mobile phones available)

Policy sustainability maintained by legal framework and established procedures

  • The work of HELCOM is based upon a legal foundation, the Convention for the Protection of the Marine Environment of the Baltic Sea Area, and is furthermore recognized by the Contracting Parties as linked and contributing to the national implementation of several global and EU legal frameworks and policies. This guarantees the ownership of the results by HELCOM and the sustainability of the project results/outcomes of other activities
  • The establishment of HELCOM Projects undergo a review process before adoption, ensuring conformity between HELCOM priorities and country policies
  • The work programmes of the HELCOM subsidiary bodies, and thus the initiation of new activities, require the approval by the HELCOM Heads of Delegation.

Risk Management Process

New projects and activities go through an established procedure before start-up (Project Guidelines).

Risk assessment is integrated into this framework. Before a HELCOM activity or project is started, the decision-making body (HELCOM/Heads of Delegation consisting of the Contracting Parties) or the Subsidiary Body concerned, assisted by the HELCOM Secretariat is responsible for taking risks into consideration when approving or launching the activity/project.

For each project the designated project manager has responsibility for risk management. The manager reports and can refer matters to the relevant Subsidiary Bodies/Heads of Delegation. The Secretariat stays in close contacts with managers.

The following steps are to be applied to assess (steps 1 and 2) and manage (step 3 and 4) the risk:

1. Identify

  • What can happen/what can go wrong?
  • How can it happen?
  • Who is affected?

2. Assess and analyse

  • How likely will it happen?
  • What are the consequences?
  • What is the magnitude of impact?

For these first two steps a risk matrix can be used (the risks identified in step 1 are inserted in the correct cell on the basis of their probability and impact). The risk level can be low, moderate, high or extreme, and is the combination of the impact level and likelihood criteria. By classifying the risks it is possible to identify which ones are critical and rank them for the next step in the process.

Negligible      MarginalCritical   Catasrophic   
   Certain   High   High  Extreme  Extreme
   Likely   Moderate   High High  Extreme
   Possible   Low   Moderate High  Extreme
   Unlikely   Low   Low Moderate  Extreme
    Rare   Low   Low Moderate  Extreme


3. Plan and decide action

  • Triggers: where is the limit after which action is needed
  • Type of response: reactive or proactive; depends on risk type & level
    • Avoid risk/stop action, risk is not acceptable and cannot be reduced?
    • Transfer risk/take insurance, outsource
    • Reduce risk/modify action to limit risk, improve control
    • Accept risk/this can be afforded
  • Contingency plan to be designed ("plan B")
  • Responsibilities to be defined for each step and each type of response

4. Implement and monitor, measure and control

  • Decide on monitoring frequency and responsibility
  • Document incidents, findings, decisions, actions and results for future reference
  • Feed information and experience to the process to improve it.