THE WORLD BANK GHANA GOVERNMENT DEBT AND RISK MANAGEMENT (GDRM) PROGRAM Aide-Memoire on Operational Risk Management component of GDRM II program February 2021   1 Contents  Glossary .......................................................................................................................................... 3  I.  Executive Summary ................................................................................................................ 4  II.  Operational Risk Management ................................................................................................ 5  Previous Mission Activities and Outputs Generated ............................................................... 5  Virtual Mission Activities and Outputs Generated ................................................................. 5  III.  Operational Risk Management Framework Template .......................................................... 13  IV.  Key Messages and Next Steps............................................................................................... 15  Annex: Mission Agenda ............................................................................................................... 17  2 Glossary  BCP Business Continuity Plan BIA Business Impact Analysis BoG Bank of Ghana CAGD Controller and Accountant General’s Department CAT Catastrophic Bond COVID-19 Coronavirus Disease CS-DRMS Commonwealth Secretariat Debt Recording and Management System DRFI Disaster Risk Financing and Insurance DRP Disaster Recovery Plan GDRM Government Debt and Risk Management ICT Information and Communications Technology MoF Ministry of Finance MTI Macro Trade and Investment ORM Operational Risk Management SECO Swiss State Secretariat for Economic Affairs TDMD Treasury and Debt Management Division TTL Team Task Leader WB World Bank 3 I. Executive Summary  1. At the request of the authorities, a World Bank virtual mission was arranged from December 14th to 18th, 2020 to continue providing Technical Assistance to the Ministry of Finance (MoF) under the second phase of Ghana Government Debt and Risk Management (GDRM) project funded by the Swiss State Secretariat for Economic Affairs (SECO). 2. The main purpose of the mission was to continue developing the Operational Risk Management (ORM) framework for the Treasury and Debt Management Division (TDMD), through taking stock of and updating the assessment already carried out on current processes and procedures performed by TDMD, along with associated risks and likelihood (i.e. Business Impact Analysis). Based on the assessment, the mission supported TDMD on updating the ORM Matrix and on initiating the design of strategies to deal with the identified risks and consolidate them in an ORM framework to be formalized for TDMD. 3. In addition to this Executive Summary, the Aide-Memoire outlines: a) Section II: the activities completed including the presentations and discussions, and output generated for the Business Impact Analysis (BIA); b) Section III: a template for the Operational Risk Management Framework; c) Section IV: the key messages and next steps for the ORM component of the GDRM II program; and d) Annex: the detailed mission agenda and TDMD participants during each session. 4. Mission team was comprised by Leandro Secunho (Senior Debt Specialist, WB/MTI, GDRM program TTL) and Ian Storkey (International Consultant), who prepared this aide- memoire. 5. The team is grateful to Mr. Samuel Arkhurst, Director of Treasury and Debt Management Division and his team for the comprehensive support and enthusiasm demonstrated during all sessions of the mission.   4 II. Operational Risk Management  Previous Mission Activities and Outputs Generated  6. A mission held in June 2018 in Accra kicked-off the development of the component related to Operational Risk Management (ORM) under the second phase of the GDRM program. During this mission, it was agreed to follow a six-step process work plan as follows: a) Document business activities and critical processes and systems; b) Undertake business impact analysis to assess probability and impact; c) Develop business continuity plan (BCP) (include 3rd parties); d) Implement or update BCP; e) Training to imbed into the day-to-day operations of the TDMD; and f) Regular (annual) testing and updating. 7. This first mission was aimed at raising awareness of the importance of ORM. A full day workshop was held with staff involved in debt management activities and their key stakeholders (BoG and CAGD). During the workshop, late payment of external loans, was one of the key risks identified by staff of TDMD. Recommendations and possible solutions were provided to the authorities. Detailed recommendations were documented in the mission report. 8. The WB continued to provide support to TDMD by developing templates for the mapping of critical business processes, systems and people. Monthly videoconference meetings were held to review the populated template formulated by TDMD. A follow-up mission was held in November 2018 and focused on providing on-site support on the identification and breakdown of most critical business processes, the likelihood and impact of their interruption, and the strategy to deal with the identified risks. Virtual Mission Activities and Outputs Generated  9. The World Bank conducted a virtual mission from December 14th to 18th, 2020 with the main purpose of continuing to develop the ORM framework for TDMD. This involved taking stock of the assessment already undertaken during the two previous missions and revisiting the findings to identify changes that may be necessary to the methodology given changes in the ORM landscape. For example, the emergence of the global pandemic and cyber-attacks will warrant inclusion and greater attention. This may also warrant consideration of additional mitigation strategies. 5 10. The mission revisited the findings from the previous mission (as documented in the Aide Memoire, dated December 2018) in order to update and revise, where necessary, the following three tables, including taking account of any new business operations and processes across TDMD1:  Table 1: Threats to TDMD  Table 2: Impact on TDMD  Table 3: Likelihood vs. Impact Matrix for TDMD 11. In addition, a key focus of the virtual mission was to revise Table 4: TDMD Risk Matrix of Critical Processes, People and Systems and update the mitigation strategies to deal with each of the critical operational risks. Based on the assessment, the mission supported TDMD on the design of an ORM framework to be formalized for TDMD. The template prepared is shown in Section III. 12. The activities outlined in the agenda were led by the Debt and Risk Management Sector (D&RM) with participation of staff from the Financing and Execution (F&E), Debt Accounting and Settlement (D&AS) and Treasury Sectors of TDMD. Discussions during the mission centred around fully understanding the critical processes, systems and people associated with TDMD’s operations and to identify the key risks that might impact on its operations. As agreed during the December 2018 mission, the responsibility to oversee this process would rest with the D&RM Sector to ensure a common understanding and consistency of approach and terminology. TDMD has recently appointed a dedicated person for the risk monitoring and compliance function as head of the compliance unit. 13. The head of the compliance unit has been assigned responsibility for maintaining the ORM framework including the role as the risk champion that will report to senior management on the greatest exposures, the risk management techniques to mitigate, control, or limit the risks, the actions that are recommended to address the greatest exposures, and an estimate of costs. This approach will be used to set the level that will balance the amount of detail and usefulness to senior management and the overall ORM process. To this end, a compliance function was established within the D&RM Sector and a staff appointed for the task. A job description (including desirable trainings) and the formalization of the function is advisable and can be supported by the GDRM program. 14. The business impact analysis was revisited to clearly understand the various risks that are likely to affect the TDMD’s operations and to update the risks from the previous assessment. For each category of operational risk or incident that may affect TDMD, as set out in Table 1, an assessment was undertaken to determine the risk exposures as a result of an incident or event affecting TDMD’s operations. This required separately assessing the probability and the impact, using a combination of Very High/High/Medium/Low/Very Low Likelihood (or Probability) and Catastrophic/Major/ Moderate/Minor/Insignificant Impact from a reputation, impact on TDMD’s operations, and reporting and resource perspective. The updated table of threats is shown below. 1  Given the ongoing transitional process for TDMD to absorb cash management activities, associated processes and  procedures may be needed to be assessed (and possibly) included in the ORM framework in a future revision.  6 Table 1: Threats to TDMD2 (x,y) where x=likelihood, y=impact Infrastructure and  Technology Failures Power failure (3,4) Server failure (2,2) MS  Office failure (1,2) Data corruption including  viruses (2,2) PC failure (3,3) Meridian/SQL failure (1,3) Voice network (landline & mobile) failure (3,2) LAN/Intranet failure (3,2) Failure of email system (2,2) Poor maintenance (2,2) GIFMIS  failure (2,4) Bloomberg  (3,3) Cyber attacks (4,5) Theft of  equipment (2,2) Bloomberg  with issuance (3,5)  Sabotage (1,2) Accidental damage (1,1) Internet failure (3,3) Internal flood (pipes)  (1,1) Theft of  data/information (2,4) Internet failure with issuance (3,5) Incidents  where Access  to  Premises  is  Denied Flooding  or a fire concern (2,2) Health and safety violation (1,1) Hazardous chemicals  accident (1,2) Gas or chemical leak (1,2) Industrial action or riot (1,2) Bomb or terrorist threat (2,2) Building  fire or explosion (2,5) Internal/external flood (2,2) Sabotage or terrorism  (2,4) Key Service Providers  or Resource Failures  Dependencies Failure of  key service providers (telephone,  Third party providers (BOG  and other outsourced  Impact of incident on critical teams  or groups  internet, banking  etc) (4,5) operations) (2,4) (pandemic, travel, group incident)  (2,4) Staff, Management and  Related  Human  Failures Human error (which may be due to poor training   Poor training  or inadequate supervision (which  Failure to follow  code of  conduct or conflict of  or inadequate supervision) (3,3) may lead to human error or execution of   interest guidelines (5,2) unauthorized transactions)  (3,3) Lack of policy guidance (which may lead to poor  Poor understanding  of  risk environment (which  Poorly specified delegations (which may lead to  decisions or unauthorized activities)  (3,3) may lead to unnecessary or unknown risks) (4,3) execution of unauthorized transactions) (5,3) Failure to follow  or adhere to administrative  Key person risk (which may lead to human error  Fraudulent, corrupt or dishonest practices (which  practices (which may lead to processing errors)  when key person is absent) (5,5) may lead to financial loss  and political  (2,2) embarrassment)  (2,5) Failure to  Meet Statutory, Legal, Human  Resources  and  Other Obligations Legal/statutory obligations  (e.g. compliance  Management directives (e.g. internal policies   Procedures manuals and delegated authorities   with loan agreements) (2,3) and procedures) (4,2) (4,2) Reporting obligations (e.g. to higher authorities  Contractual obligations (e.g. debt service  Health and safety regulations (e.g. national  and international institutions)  (3,4) obligations) (5,5) workplace laws or regulations)  (1,1) Major Natural and Regional Disasters Major earthquake (2,3) Severe fires (1,2) Civil disturbance (2,3) Severe flooding  (3,2) Terrorism  (2,2) Global pandemic ( 2,3) 15. Three impacts are to be considered in the analysis:  Reputational impact: that may lead to a loss of confidence by the Government, loss of market confidence, media coverage, and/or a high-level Presidential Commission of Enquiry or Parliamentary enquiry;  Impact on TDMD’s operations: that may result in failure to meet TDMD’s payment and other debt obligations and maintain the debt management activities for the effective functioning of the Government; and  Reporting and resource impact: that may be reported to the Government or senior management within government–or external to regulators–and / or significant time is spent dealing with the issue. 2  The five‐point scale from 1 (lowest) to 5 (highest) of the likelihood and impact assigned, and the colour allocated  to each threat is shown in Table 3. The explanation of the assignments is set out in paragraph 17.  7 16. Under each of the three kind of impacts, TDMD undertakes an assessment of the factors that will generate possible distress according to each of the five severity levels identifies in Table 2. The results of the threats and impact (Tables 2 and 3) is brought together in the likelihood versus impact matrix as shown in Table 3 (which was not changed from the December 2018 mission). Table 2: Impact on TDMD Assessment Reputational Impact on Reporting & of Impact Impact DMD’s  Operations Resource Impact Failure  to pay debt  service payments  by the  due date  Loss   of  Ghanaian Government confidence Reported  to President  or Parliament resulting  in penalty  interest Significant  amount  of  time  spent  dealing  with  Loss   of  market confidence Failure  to conduct auction of   government securities impact (i.e. greater  than 20 person‐ days) To execute  trading  or hedging  transactions   without  Extensive  media and/or audit coverage authority  or  in excess  of  limits or controls Catastrophic Failure  to meet legal  or  contractual  obligations   with  Presidential  Commission of  Enquiry international bond issues Failure  to meet legal  or  contractual  obligations   with  Parliamentary  enquiry  [or resignation] international financial  institutions Blacklisted by one  or more of  the International  Failure  to meet legal  or  contractual  obligations   Financial  Institutions under an  IMF  program Financial  and  legal  penalties To incur  an erroneous  payment such as  payment of   Strained Ghanaian Government relationships Reported  to Minister  of  Finance an incorrect amount Failure  to deliver reports   to all  stakeholders  by the  Large  amount of  time spent dealing  with impact  Temporary loss  of  market confidence deadline required (i.e. between 10  and  20 person‐days) To submit reports   to the government with  Moderate media and/or  audit  coverage Major significant errors and/or poor advice Significant  errors in  debt  service  forecasts  with  an  Ministerial enquiry adverse impact on the budget outcome Loss  or  damage of  original  loan, on‐ lending  and  guarantee agreements  and loan transaction  records Failure  to undertake important  debt  management  Reported  to Chief  Director  of  Ministry of  Finance  Increased Ghanaian Government  attention activities and/or to M&E Division Incorrect  recording  of   debt  and  debt  transactions in  Moderate amount  of  time  spent  dealing with impact  Market  confidence not affected Meridian (i.e. between 5 and  10 person‐ days) Failure  to prepare debt service forecasts  by the  due  Minor, if  any,  media  and/or audit  attention Moderate date Failure  to complete  evaluations  for authorization to  Priority  for DMD to resolve contract new  debt  or for on‐ lending  and guarantees  within imposed deadlines Failure  to evaluate  cost/pricing/risk of   on‐ lending  and  guarantees Some Ghanaian  Government  attention Failure  to monitor  and report on market conditions Included  in internal  DMD reports No media and/or audit coverage Failure  to undertake analysis  of  the debt portfolio Some amount of  time spent dealing  with impact Minor Internal  DMD enquiry Errors  on  the DMD website (i.e. less   than  5  person‐ days) Unable to  conduct  reconciliation of  debt  records  with creditor statements Ghanaian Government and market relationships   Errors  in setting  up users  and permissions in  No reports  needed intact Meridian Insignificant Failure  to monitor  audit  trails  in Meridian Minimal  amount of  time  spent  dealing  with impact (i.e. less   than  4  person‐ hours) Table 3: Likelihood vs. Impact Matrix Impact Level of Risk Insignificant Minor Moderate Major Catastrophic  Very High 0 0 0 0 1 Likelihood  Level  High 0 3 1 5 0 Medium 0 0 11 0 3 Low 0 8 2 14 1 Very Low 0 1 3 0 0 8 17. For each critical business process, system and people used in the BIA, TDMD assigned a likelihood to the occurrence of an incident/event, as well as an impact rating assuming that the incident/event was to occur. During the mission and a post-mission video-conference discussion held on January 6th, each activity was examined and classified, which led to a revision of the previous assessments (the revised assessment is show in Table 4 below). Only one activity has been classified with the highest risk, coloured red. This relates to the failure to make external debt payments due to insufficient liquidity. This has been noted in previous World Bank missions and can be mitigated by establishing a liquidity buffer. Given the severity of this risk, it should be a high priority for TDMD. 18. Ten activities were identified and assessed by TDMD to have the second highest risk, coloured pink. The focus of TDMD should be on mitigation strategies to eliminate or reduce the risks from these 10 activities. Five relate to key person risk mainly around the Meridian system administration function. This can be mitigated by having at least two systems administrators through training other staff to perform this function, which should also be a priority for TDMD. Three relate to the criticality of Meridian as the debt database and the risk of the debt data being lost or not readily accessible. This can be mitigated by installing Meridian on a laptop and creating daily back-ups of the debt database. The mitigation strategies for the remaining two are set out in Table 4. Depending on the risk tolerance level, TDMD may wish to also include those 28 that are coloured orange, particularly for the 14 where the impact is major. 19. To prepare TDMD’s understanding of the options available for managing each of the critical risks, the WB made a presentation on the ORM matrix (a copy accompanies this Aide- Memoire). The ORM mitigation strategies available to TDMD as presented are:  Prevention or avoidance, where the probability of an event occurring is reduced or eliminated by putting in place systems and procedures to minimize or where possible eliminate the risk of disruption;  Transference, where risks are passed to third parties by taking out insurance and/or reinsurance, outsourcing or devolving critical activities to third parties, and establishing facilities to provide financial resources in the event of a major incident;  Containment, where the potential impact of an event occurring is limited in the early stages using controls or other techniques and putting in place escalation procedures including an Incident Management Team to manage major incidents; and  Acceptance and recovery, where an event or disruption might well occur, but treasury operations can be resumed and continued successfully using the disaster recovery plan. 20. The key output from the five-day virtual mission and the post-mission discussion session was the completion of the risk matrix in Table 4: Risk Matrix of Critical Processes, People, and Systems. Several new activities were added to the risk matrix, namely the inclusion of the credit risk assessment and priority list for structured finance proposal that is set out in Appendix 10c of the Budget. The likelihood and impact have been coloured in accordance with Table 3. The mitigation/ controls column documents what TDMD will use to mitigate each risk. 9 Table 4: TDMD Risk Matrix of Critical Processes, People and Systems Activity  Area Activities Sub‐Activities Objectives of Activities Encountered Risks Sources of Risk Existing  Controls Likelihood Impact Mitigation/Controls Send formal early   Internal procedures  detailing   External (related  requests and informal  2 4 processes prior to the conduct of the  institutions) communication, domestic  MTDS debt validation Install Meridian on laptop with daily   Meridian Meridian backups 3 5 backups to stored in cloud or outside  the Ministry Key  person risk  &  Update procedure manual and  Incorrect or delay  in the  Train other staff, staff  manual processes  4 4 training  staff for system  debt data  that comes  experience (particularly  systems) administration from BOG, ESRD, RMERD  Publish MTDS  approved  or from within TDMD Train staff on the use of the use of  Undertake  MTDS by  Cabinet by  start of fiscal  meridian and develop internal  MTDS Accurate external debt  year Debt data validation  3 3 procedures to ensure for debt entries.   data Enhanced complaince to facilitate  timely  and accurate debt entries Internal procedures  detailing  the  Front office financing   Informal communication  responsibilities and participation of  2 2 strategies & encouragement various units, divisions and/ or  institutions Delay  in the data   Coordination with related  Failure to obtain approval  Engage Management prior to, during,  provided by  related  units, preparation with  and publish MTDS  by  the  2 4 and at the end of designing  the  units, system failure, or  plenty  of time, monitor  deadline strategies Cabinet approval processing Send formal early   Internal procedures  detailing   External (related  requests and informal  2 4 processes prior to the conduct of the  institutions) communication, domestic  DSA debt validation Install Meridian on laptop with daily   Meridian Meridian backups 3 5 backups to stored in cloud or outside  the Ministry Key  person risk  &  Update procedure manual and  Incorrect or delay  in the  Train other staff, staff  manual processes  4 4 training  staff for system  debt data  that comes  experience (particularly  systems) administration from BOG, ESRD,RMERD  or from within TDMD Train staff on the use of the use of  Submit DSA  to Minister of  meridian and develop internal  DSA Undertake DSA Accurate external debt  Finance Debt data validation  3 3 procedures to ensure for debt entries.   data Enhanced complaince to facilitate  timely  and accurate debt entries Internal procedures  detailing  the  Front office financing   Informal communication  responsibilities and participation of  2 2 strategies & encouragement various units, divisions and/ or  institutions Failure to deliver DSA   report to Minister of  Delay  in the data   Coordination with related  Internal procedures  detailing  the  Finance for input to the  provided by  related  units, preparation with  2 4 expected submission dates and  Budget and Medium  units, system failure plenty  of time timelines for approval Term Fiscal Strategy Delay  in SOEs submitting   Liaise with SIGA and PIAD to ensure  External (related  Send formal request and  audited financial  4 2 that SOES  submit audited financial  institutions) informal communication statements statements for the assessment Liaise with SIGA and PIAD to send a   Undertake  Submit credit risk  report to  Failure to obtain audited  circular to SOEs detailing   Credit Risk  Assesment credit risk   Delay  in data provided  Coordination with related  Minister of Finance financial statement, cash  4 2 requirements for an assessments,  assessment by  SOEs unit Debt  flow projections which will include audited financial  Recording,  statements Analysis and  Train other staff, staff  Train staff and assign stafff with  Key  person risk 2 3 Reporting experience accounting  backgroungs Send formal early   Internal procedures  detailing   External (related  requests and informal  2 4 processes prior to the preparation of  institutions) communication, domestic  the report debt validation Install Meridian on laptop with daily   Meridian Meridian backups 3 5 backups to stored in cloud or outside  the Ministry Key  person risk  &  Update procedure manual and  Incorrect or delay  in the  Train other staff, staff  manual processes  4 4 training  staff for system  debt data  that comes  experience Publish annual debt report  (particularly  systems) administration from BOG, ESRD, RMERD  to be submitted to  Train staff on the use of the use of  Prepare Annual  or from within TDMD Parliament within 3‐ meridian and develop internal  Debt Report Accurate external debt  months from end of fiscal  Debt data validation  3 3 procedures to ensure for debt entries.   data year for approval Enhanced complaince to facilitate  timely  and accurate debt entries Internal procedures  detailing  the  Front office domestic  Informal communication  responsibilities and participation of  2 2 financing & encouragement various units, divisions and/ or  institutions Delay  in the data   Failure to obtain submit  Coordination with related  Internal procedures  detailing  the  provided by  related  report to Minister for  institutions, preparation  2 4 expected submission dates and  institutions, system  approval by  the deadline with plenty  of time timelines for approval failure Send formal early   Internal procedures  detailing   External (related  requests and informal  2 4 processes prior to the preparation of  institutions) communication, domestic  the bulletin Reporting debt validation Install Meridian on laptop with daily   Meridian Meridian backups 1 3 backups to stored in cloud or outside  the Ministry Key  person risk  &  Update procedure manual and  Incorrect or delay  in the  Train other staff, staff  manual processes  4 4 training  staff for system  debt data  that comes  experience (particularly  systems) administration from BOG, ESRD, RMERD  Preparing  Debt  Submit debt statistical  Train staff on the use of the use of  or from within TDMD Statistical  bulletin to Minister of  meridian and develop internal  Accurate external debt  Bulletin Finance Debt data validation  3 3 procedures to ensure for debt entries.   data Enhanced complaince to facilitate  timely  and accurate debt entries Internal procedures  detailing  the  Front office domestic  Informal communication  responsibilities and participation of  2 2 debt & encouragement various units, divisions and/ or  institutions Failure to submit bulletin  Delay  in the data   Coordination with related  Internal procedures  detailing  the  to Minister by  the  provided by  related  units, preparation with  2 4 expected submission dates and  deadline of 1‐month from  institutions, system  plenty  of time timelines for approval end of quarter failure Train staff on the use of the use of  Incorrect entries into   Accurate external debt  meridian and enhance complaince to  Debt data validation  3 3 Submit Quarterly  and  Meridian  data facilitate timely  and accurate debt  Reporting  to  Annual Report to the  entries the World Bank World Bank  DRS Failure to submit to the  Install Meridian on laptop with daily   World Bank  by  the  System failure Meridian backups 1 2 backups to stored in cloud or outside  deadline the Ministry 10 Activity  Area Activities Sub‐Activities Objectives of Activities Encountered Risks Sources of Risk Existing Controls Likelihood Impact Mitigation/Controls Internal directive to other divisions to  Record loan  Coordination with related  Loan details are recorded  Failure to obtain loan  ensure that original copies of signed  details and  Internal (related Units) Units to obtain loan  4 3 on the Meridian agreements loan agreements are submitted to  amendments agreement TDMD Frequent checks on client connection  Check  online (WB), follow  websites for information, internal  Delay  in receiving  RMERD Unit failure to  up with RMERD and  directives to RMERD to furnish TDMD  2 4 disbursement data share the data creditors, check  creditor  with information, and frequent checks  Record  Record external debt  invoices with commercial creditors to obtain  Recording disbursements disbursement in Meridian information on disbursements Train staff on the use of the use of  Data validation and  Incorrect entry  into  meridian and enhance complaince to  Meridian reconciliation with  3 3 Meridian facilitate timely  and accurate debt  creditor invoices entries Train staff on the use of the use of  Recording  Accurate and timely   Delay  in data from  Data validation and  Omission, delay  or errors  meridian and enhance complaince to  actual external  recording  of actual debt  BOG, delay  in input in  reconciliation with  3 3 in recording  payments facilitate timely  and accurate debt  debt payments payments TDMD creditor invoices entries Process  Prepare service letter and  Delay  in obtaining   Approval from Budget  external debt  Commence processing  4‐ Develop internal procedures detailing   warrants for each debt  necessary  approvals and  Division and internal  2 4 service  6 weeks early timelines for processing  debt service Debt Service payment submit to CAGD approvals External Debt Payments payments Make external  Ensure sufficient liquidity  is  Insufficient liquidity  with  Processing  by  CAG &  Cash and debt  5 5 Establish a liquidity  buffer debt payments available late payment BOG management Delay  in updating  and  Reconciliations at time of  Enhance complaince to facilitate  Omission or delay  in  3 3 Monitor debt  cross‐checking  in Excel MTDS  and debt report timely  and accurate debt entries Record domestic debt  recording  debt payments  Domestic Debt Payments service  Rekeying errors with  Arrange soft copy  from BoG and  service payments in Excel received in paper format  Reconciliations at time of  payments input of debt  3 3 ensure quarterly  reconciliation with  from BOG MTDS  and debt report payments to Excel CSD and BOG Send formal early   Internal procedures detailing   External (related  requests and informal  2 4 processes prior to the preparation of  institutions) communication, domestic  the forecast debt validation Incorrect or delay  in the  Install Meridian on laptop with daily   Prepare debt service  Debt service  debt data that comes  Meridian Meridian backups 1 3 backups to stored in cloud or outside  Forecasting forecasts for budget and  forecasts from BOG, ESRD, RMERD  the Ministry supplementary  budget or from within TDMD Key  person risk  &  Update procedure manual and  Train other staff, staff  manual processes  4 4 training  staff for system  experience (particularly  systems) administration Accurate external debt  Debt data validation  3 3 Quarterly  data reconciliation exercise data Failure to complete  Install Meridian on laptop with daily   processing  of external  Meridian Meridian backups 1 3 backups to stored in cloud or outside  Complete monthly  period  debt and domestic loans  the Ministry Back  Office  Period End  Processing  and Reporting end processing  by  15th of  by  the 15th of the  Key  person risk  ‐ 2 PEP  Processing Processing Train other staff 2 3 Train ICT staff to run PEP the following month following  month needed  systems specialists before any  reports can be  Staff experience to rectify   Enhance complaince to facilitate  produced Errors in the data 3 3 errors  timely  and accurate debt entries Successful auction and  Dependency  on BOG as  Treasury  bill  BOG as agent for  Close coordination with  Ensure agency  agreement with BOG  settlement of Treasury   agent to complete  2 4 auctions TDMD BOG including  BCP/DRP bills in domestic market auction Domestic Market Successful auction and  Dependency  on BOG as  Bookrunner  BOG as agent for  Close coordination with  Ensure agency  agreement with BOG  settlement of bonds in  agent to complete  2 4 bond auctions TDMD BOG including  testing  of BCP/DRP domestic market auction Debt Issuance Locate to market for  Communication with  Failure to communicate  issuance, and use of  lead managers and  2 4 Set up TDMD gmail accounts Issuance of  Successful issuance and  with external players personal emails and  legal agents International Markets sovereign  settlement of bond in  mobiles bonds international market Failure to complete all  Communication with  Coordination with related  documentation by  the  2 5 Establish multi‐media communication legal agents institutions date of signing Solicited proposal not in  Clear communication by  MOF  to SOEs  the priority  list of projects  that all solicited proposals should be  4 2 in the Appendix 10c of the  included in Appendix 10C of the  Budget Budget Ensure cabinet and  Delay  in obtaining   Failure to obtain cabinet  parliamentary  memos  Procedures manual detailing timelines  cabinet and  and parliamentray   are accompanied by  the  2 2 for obtaining  Cabinet and  parliamentray   approvals necessary   Parliamentary  approvals Preparing  the  Publish the list of priority   approvals documentation list of priority   projects to be  Structured  Submission of Priority  List  Failure to obtain legal  Conditions preceeding   projects to be  implemented inAppendix  Attorney  General  Procedure manual detailing  timelines  Finance for Approval opinion and specimen  loan effectiveness are  2 2 submitted for  10C of the  budget  unable to provide for obtaining  legal opinion signatures met  approval statement Delay  in sector ministries  Send formal early   Communication to sector ministries  External (related  submitting  their priority   requests and informal  2 2 specifying deadlines for submitting   institutions) projects communication  their priority  projects Failure to deliver the list  of priority  projects  to  Delay  in the list of  Coordination with related  Procedures manual detailing timelines  Minister of Finance for  projects provided by   institutions , preparation  2 2 for submitting  list of priority  projects to  input to the Budget and  related institutions with plenty  of time the Minister Appendix 10C 11 21. The changing landscape since the December 2018 mission has been influenced heavily by the Coronavirus Disease (COVID-19) pandemic where stay at home orders and work from home was necessary during the peak of the pandemic in mid-2020. There were times when it was necessary to convene virtual Treasury and Cash Management committees, same format needed to be adopted by the Auction Committee. Not all staff had the technology and internet connectivity to work from home or the internet connections were slow or unreliable. In addition, it was not possible to access Commonwealth Secretariat Debt Recording and Management System (CS- DRMS) from home.3 Moreover, internet connection from home raises the risk of cyber-attacks. Therefore, TDMD introduced home-based working often on a rotating basis given the inability to have all activities performed from home. 22. The key benefit from the experience of working from home has been the introduction to what is referred to as teleworking, where TDMD makes use of technologies to work from home or a remote location, communicate using tele-conferencing platforms, and using cloud storage to protect sensitive data. There is still a need and advisable to have a separate operations site for contingencies, but the requirements for such facilities could be less if combined with teleworking. This can be examined in the context of developing a business continuity and disaster recovery plan (BCP/DRP). 23. Given that the pandemic will be around for some time, it is recommended that TDMD continue to maintain the capability to work from home or, more seriously, be prepared if forced into isolation should one or more of the staff contract COVID-19. The health and well-being of all staff in TDMD should be included in the ORM Framework. 24. Other new technologies and resources that TDMD can consider in developing mitigation strategies for the critical or significant risks identified under the ORM Framework are:  Straight-through-processing, where TDMD can make greater use of treasury and integrated financial management information systems that provide electronic processing from issuance to settlement (referred to as STP) with interfaces and connectivity to SWIFT and other payment systems;  Software-as-a-Service (SaaS), where TDMD can contract a third-party software provider to host treasury systems and associated data to outsource hardware and software maintenance and support to the SaaS provider under a subscription arrangement with a monthly or annual fee (a number of debt management offices have adopted this service);  Devolution, where TDMD can set up under a statutory delegation, executive order or power of attorney to grant to a third party such as the BoG, commercial bank or other government agency the authority to undertake activities on behalf of the TDMD;  Financial resources, where TDMD can consider issuing catastrophe (CAT) bonds, establishing a national catastrophe or contingency fund, or establishing a disaster risk financing and insurance (DRFI) program to provide a ready source of funds to respond immediately in the event of a major local or national disaster; and 3  TDMD is the process of migrating from CS‐DRMS to Meridian, a web‐based debt management system that can be  accessible from home. Currently, TDMD is still using CS‐DRMS which sits on the Ministry’s server and is not  accessible outside of work.  12  Data centres, where TDMD can enter into an arrangement with a third party (BoG or a private company) to host an alternate data centre with replication of the debt database. 25. These can be considered in formulating the BCP/DRP that will follow the development of the ORM framework. III. Operational Risk Management Framework Template  26. During the mission, the WB team prepared a suggested template for the ORM framework including inputs for Section Two and part of Section Five, as follows: Table of Contents Acronyms and Abbreviations Forward Section One: Introduction Section Two: Scope of the ORM Framework  Definition Operational risk is defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”  Classification The classification of operational risks faced by TDMD are: o Infrastructure and technology failures covering computer systems, power, telecommunications including internet, data and physical records, and cyber attacks o Incidents where access to premises is denied, either through inaccessibility or building damage o Dependencies on third party key service providers such as the central and/or commercial banks, telecom and internet providers, and other outsourced operations, or resource failures o Human errors or failures through lack of resources, skills, training, policies, procedures, delegations, code of conduct, and poor management o Failure to meet statutory, legal or contractual, human resources and other obligations including management objectives and reporting obligations o Natural and regional disasters covering incidents such as major earthquake, severe flooding, severe fires, civil disturbance or terrorism, and global pandemics  Risk Appetite TDMD’s risk appetite will be set through undertaking a business impact analysis to assess the operational risk exposures in terms of the impact resulting from an incident or event affecting its operations. This will involve assessing the probability and the impact using a combination of Very-High / High / Medium / Low / Very-Low probability or likelihood and Catastrophic / Major / Moderate / Minor / Insignificant impact according to the following three impacts: 13 o Reputational impact: that may lead to a loss of confidence by the Government, loss of market confidence, media coverage, and/or a high-level Presidential Commission of Enquiry or Parliamentary enquiry. o Impact on TDMD’s operations: that may result in failure to meet TDMD’s payment and other debt obligations and maintain the debt management activities for the effective functioning of the Government. o Reporting and resource impact: that may be reported to the Government or senior management within government–or external to regulators–and / or significant time is spent dealing with the issue. TDMD will focus on mitigation strategies to eliminate or reduce the risk of an incident or event that has a Very-High/High probability and/or Catastrophic/Major impact. The mitigation strategies and controls will be documented in the TDMD Risk Matrix of Critical Processes, People and Systems.  Strategy and Objectives TDMD will develop ORM strategies that concentrate on improving resilience and ensuring mitigation techniques are put in place for those incidents or events identified as having a combination of Very-High/High probability and Catastrophic/Major impact. For these incidents or events, TDMD will select the most cost effective and suitable risk treatment approach for each incident or event using one or more of the following: o Prevention or avoidance, where the probability of an incident or event occurring is reduced or eliminated by putting in place systems and procedures to minimize or where possible eliminate the risk of disruption. o Transference, where risks are passed to third parties by taking out insurance and/or reinsurance, outsourcing or devolving critical activities to third parties, and establishing facilities to provide financial resources in the event of a major incident. o Containment, where the potential impact of an incident or event occurring is limited in the early stages using controls or other techniques and putting in place escalation procedures including an Incident Management Team to manage major incidents or events. o Acceptance and recovery, where an event or disruption might well occur, but TDMD’s operations can be resumed and continued successfully using the business continuity and disaster recovery plan. Section Three: Methodology  Critical Processes, Systems and People  Threats  Business Impact Analysis  Risk Matrix  Mitigation Strategy and Controls  Monitoring and Reporting (Compliance & Reporting Function) Section Four: Conclusion Section Five: Responsibilities  Roles, responsibilities, accountabilities and authorities that support the ORM framework 14 The head of the compliance unit will be responsible for maintaining the ORM framework including the role as the risk champion that will report to senior management on the greatest exposures, the risk management techniques to mitigate, control, or limit the risks, the actions that are recommended to address the greatest exposures, and an estimate of costs. Senior management in TDMD can then assess the cost-risk trade-off before making policy decisions and/or seeking approval from higher level.  Accountabilities and expectations for all relevant parties, including the roles and responsibilities of the Minister, management, and employees. The head of the compliance unit will be responsible for reporting the status of ORM including business continuity planning and disaster recovery annually to the head of TDMD and senior management in the Ministry of Finance. TDMD will set out the ORM framework and policies in the medium-term debt management strategy and the annual debt report that is approved by the Minister of Finance and submitted to Parliament. The heads of the financing and execution, treasury and cash management, debt accounting and settlement, and debt and risk management sectors will be responsible for implementing the ORM policies and ensuring compliance with the ORM framework within their respective sectors. Appendices:  Job Description for Risk Monitoring and Compliance function  TDMD Code of Conduct 27. The WB team also prepared an example of code of conduct for TDMD to consider. A copy accompanies this Aide-Memoire. IV. Key Messages and Next Steps  28. Key messages on ORM from the mission as presented to TDMD at the wrap-up are:  Good progress has been made by TDMD in updating the risk matrix and completing the BIA. The completion of the Risk Matrix of Critical Processes, People and Systems with a mitigation and controls that will be applied by TDMD is the key output from the BIA.  Given that the pandemic will be around for some time, it is recommended that TDMD continue to maintain and further develop the capability to work from home or, more seriously, be prepared if forced into isolation should one or more of the staff contract COVID-19.  The update of the Risk Matrix of Likelihood vs. Impact identified only one activity that has been classified with the highest risk (coloured red). This relates to the failure to make external debt payments due to insufficient liquidity. This has been noted in previous World Bank missions and can be mitigated by establishing a liquidity buffer. Given the severity of this risk, it should be a high priority for TDMD.  Ten activities were identified and assessed by TDMD to have the second highest risk, coloured pink. The focus of TDMD should be on mitigation strategies to eliminate or reduce the risks from these 10 activities. Five relate to key person risk mainly around the 15 Meridian system administration function. This can be mitigated by having at least two systems administrators through training other staff to perform this function, which should also be a priority for TDMD. Three relate to the criticality of Meridian as the debt database and the risk of the debt data being lost or not readily accessible. This can be mitigated by installing Meridian on a laptop and creating daily back-ups of the debt database.  TDMD has recently appointed a dedicated person for the risk monitoring and compliance function as head of the compliance unit. This person has been assigned responsibility for maintaining the ORM framework including the role as the risk champion that will report to senior management on the greatest exposures, the risk management techniques to mitigate, control, or limit the risks, the actions that are recommended to address the greatest exposures, and an estimate of costs.  TDMD needs to constantly review all the business processes and further develop the mitigation strategies and controls identified in order to establish the policies and procedures to implement the measures necessary. In undertaking these reviews, TDMD should consider new technologies and other resources outlined in this Aide-Memoire to assist in developing the mitigation strategies. 29. The next steps under the operational risk management component include: TDMD  Formally complete and sign-off the: o documentation of critical business processes, systems and personnel o risk matrix of likelihood vs. impact o mitigation strategies for critical business processes, systems and personnel  Draft the ORM Framework document  Submit the ORM Framework document to the World Bank for review and comment  Review the World Bank mission report and provide comments  Draft the code of conduct for TDMD drawing on the example provided by the World Bank  Draft the risk monitoring and compliance job description drawing on the example provided by the World Bank  Draw on the ORM Framework as preparation for developing the business continuity and disaster recovery plan (which can be the next step under the GDRM project) World Bank  Review ORM Framework document and send comments to TDMD  Respond to further requests from TDMD 30. The following spreadsheets, presentations and other documents that were submitted during the mission accompany this Aide-Memoire:  Ghana ORM Matrix_rev06012020.xlsx  CLOSING WB VIRTUAL MISSION GHANA 18DEC2020.pptx  ORM Matrix Ghana December 2020.pptx  OPENING WB VIRTUAL MISSION GHANA 14DEC2020.pptx  Example of Code of Conduct for Ghana TDMD.docx  Example of Risk Monitoring and Compliance Job Description.docx 16 Annex: Mission Agenda  Date/Accra time Topic Counterpart Participants Monday, December 14, 2020 15:00 – 16:00 Mission Opening Session Leandro Secunho – WB Ian Storkey – WB consultant  Recap on previous work Samuel Arkhurst  Changes to DMO structure and Doris Dzidzornu operations Esinam Dagadu  Agree approach and resources to progress Ralph Jacob Amartey Ayiku ORM Framework Difie Boakye-Mensah  Agree mission workplan Sampson Kofi Hado 16:00 – 18:00 Review of ORM completed previously: Abdul-Fatawu Hakeem Mmabila Deborah Azika  Review critical business processes, Samuel Aholu systems and personnel for each of front, Jerry Asiamah middle and back offices Agnes Tetteh  Review threats to DMO along with Ivy Sarkodie probability or likelihood Ekow Turkson  Review impact on DMO covering Jessie Akuffo reputation, reporting and resources, and DMO’s operations Tuesday, December 15, 2020 15:00 – 18:00 Business Impact Analysis (BIA): Leandro Secunho – WB Ian Storkey – WB consultant  Agree business BIA methodology and Doris Dzidzornu approach Esinam Dagadu  Undertake BIA and set up probability / Ralph Jacob Amartey Ayiku impact matrix Abdul-Fatawu Hakeem Mmabila Deborah Azika Agnes Tetteh Ekow Turkson Samuel Aholu Difie Boakye-Mensah Ivy Sarkodie Jerry Asiamah Jessie Akuffo Wednesday, December 16, 2020 15:00 – 18:00 Review BIA and Mitigation Policies: Leandro Secunho – WB Ian Storkey – WB consultant  Review BIA results Doris Dzidzornu  Develop ORM strategy to mitigate Esinam Dagadu critical business processes and systems Samuel Aholu Mmabila Deborah Azika Agnes Tetteh Jessie Akuffo 17 Difie Boakye-Mensah Hamza Ralph Jacob Amartey Ayiku Ivy Sarkodie Thursday, December 17, 2020 15:00 – 18:00 Formulate ORM Framework: Leandro Secunho – WB Ian Storkey – WB consultant  Document ORM framework Doris Dzidzornu Esinam Dagadu Difie Boakye-Mensah Ivy Sarkodie Mmabila Deborah Azika Samuel Aholu Agnes Tetteh Sampson Kofi Hado Abdul-Fatawu Hakeem Friday, December 18, 2020 15:00 – 18:00 Formulate ORM Framework: Leandro Secunho – WB Ian Storkey – WB consultant  Complete documentation of ORM Doris Dzidzornu framework Mmabila Deborah Azika  Establish workplan and resources to Sampson Kofi Hado progress ORM Framework Esinam Dagadu Mission Wrap up Abdul-Fatawu Hakeem S/N Division Name Email 1. Office of the Directorate Samuel Arkhurst SArkhurst@mofep.gov.gh 2. Financing & Execution Agnes Tetteh ATetteh@mofep.gov.gh Sampson Hado sampsonhado@gmail.com 3. Treasury Abdul-Fatawu FHakeem@mofep.gov.gh Hakeem Jessie Akuffo JAkuffo@mofep.gov.gh 4. Debt Accounting & Ralph Ayiku RAyiku@mofep.gov.gh TDMD Settlement Difie Boakye-Mensah DBoakye-Mensah@mofep.gov.gh Ivy Sarkodie ISarkodie@mofep.gov.gh 5. Debt & Risk Doris Dzidzornu DDzidzornu@mofep.gov.gh Management Samuel Aholu SAholu@mofep.gov.gh Esinam Dagadu EDagadu@mofep.gov.gh Mmabila Deborah deborahazika2020@gmail.com Azika 6. ICT Jerry Asiamah JAsiamah@mofep.gov.gh Ekow Turkson ETurkson@mofep.gov.gh 18