Policies and processes

Risk, internal control, and audit

Improving the effectiveness of organizational risk management, control, and governance processes remained one of the top priorities for the IIASA Council and Executive in 2019. IIASA maintains a comprehensive risk register, which is continuously reviewed and updated. Appropriate actions aimed at mitigating or removing organizational risks are undertaken to prevent potential negative impacts for IIASA.

Committed to bringing in a systematic approach to evaluating and mitigating risks, the IIASA Council and Executive decided to establish an internal audit function. The purpose of this function will be to introduce a professional auditing of the governance, risk management, and internal controls at IIASA, to ensure compliance with the regulatory framework and to enhance performance, organizational learning, and efficiency and effectiveness of IIASA operations.

Delegation of authority and conflict of interest

The IIASA Council adopted a Delegation of Authority Framework in 2019, with the aim of improving transparency and the effectiveness of its decision-making processes. The new framework assigns appropriate levels of involvement in the decision-making process to the IIASA Council, the council committees, and IIASA management. This ensures efficient decision-making while retaining an apt segregation of duties, thus minimizing potential conflict of interest. Further actions taken included a decision that Council members and National Member Organization secretaries need to step down from their roles when applying for IIASA executive positions.

Social and ethical responsibility

Committed to strengthening the engagement and wellbeing of IIASA staff, and in response to recommendations from the 2017 Institutional Review, IIASA embarked on an institute-wide campaign to collectively define IIASA’s core values. The established values will serve as the backbone of the IIASA Strategy 2021-2030 and the new IIASA People Strategy. In addition they will be embedded into the daily working environment to help create an inclusive and respectful working culture for staff members at all levels. In 2019 a Works Council constituted according to Austrian labor law was established at IIASA to represent the interests of staff.

Financial policies

The Finance Committee of the Council supervises the institute’s accounting and auditing activities, the annual payments of National Member Organization contributions, the realization of royalties and other revenues, and the annual financial reports. IIASA is also legally obliged under the Austrian Association Act and Austrian Commercial Law to have its accounts externally audited on an annual basis. IIASA’s statutory financial statements are presently audited by BDO Austria.

In addition, some external funders require that the projects they contribute to are individually audited, with around 25 project audits being carried out in 2019. The European Commission (EC), a major contributor to the institute’s external funding, also sometimes performs second-level audits on already externally audited EC projects. To date, four major second-level audits on twelve projects were carried out in 2009, 2011, 2015, and 2017 respectively. All of these were successfully concluded.

At IIASA, financial policies and procedures are in place for:

Sponsored research and budgeting for proposals (sections 4.4.7 and 4.4.8 of the IIASA Operating Procedures and Policies)
Procurement, business travel, organizing conferences, and visits from external collaborators and stakeholders (section 4.4 of the IIASA Operating Procedures and Policies)
A budget planning and oversight process (section 4.4.2 in IIASA Operating Procedures and Policies)

The procedures and approval processes are facilitated and documented through the IIASA Management Information System.

Data protection and privacy

In 2019 IIASA continued to develop a register of data processing activities. The register, which is required under the EU General Data Protection Regulation (GDPR), lists all the institute’s activities which process personal data. In addition to the legal requirement, it gives IIASA a comprehensive, centrally located overview of all personal data it processes, the legality of the processing, and the location of said data, making it easier to respond to data subject requests in a timely and correct manner. Also in 2019, IIASA investigated the security of its data processing activities. In close co-operation with the relevant departments, several measures have been taken to improve these processes and the related infrastructure to make the data holdings of the institute more resilient to cyber threats.

Intellectual property and copyright

IIASA follows the rules and procedures laid out in the institute’s patent and software policies. The Patent Policy ensures that any invention made in the course of research activities at IIASA is used to bring about the widest possible benefits. This includes that the institute gains financially from any commercial exploitation of patents resulting from the use of its resources, and that favorable terms are applied in granting licenses to organizations and citizens of National Member Organization countries. The Software Policy defines and protects the intellectual property rights for software developed by IIASA staff, and outlines the processes for commercialization, licensing, and distribution.

The IIASA Copyright Policy takes the practices of international journals and publishers into consideration and aims to facilitate the widest possible dissemination of IIASA results. In 2019, a new Scientific Publications and Copyright Policy was updated in order to take into account the latest developments in academic publishing, open access publishing, and the use of creative commons licenses to expand the sharing and uptake of IIASA research. The new policy is expected to be introduced in 2020.

Data management and archive policies

The IIASA rules laid out in its policies on Good Scientific Practice and Conflict of Interest, constitute the institute’s current data archiving standard. To comply with the requirements of research funders and other collaborators, IIASA policy stipulates that all primary research data must be retained for a minimum of 10 years, thus ensuring the reproducibility of findings and results. In addition, model-based work, model specifications, and methods of analysis have to be sufficiently documented, ideally in a peer-reviewed publication or its official supplement.

Legal compliance

IIASA is legally registered as a “Verein” (Association) in Austria with registration number ZVR-Nr 524808900 and is subject to the laws and jurisdiction of its host country, Austria. IIASA monitors relevant laws and regulations and updates the IIASA rules and regulations to stay compliant with an evolving legal environment. In 2019, the work on bringing IIASA buildings up to date with Austrian fire safety regulations was completed with the implementation of a comprehensive Fire Safety Action Plan. Further compliance activities included the ongoing revision of the IIASA travel policy and a review of the Retirement Benefits Plan offered to international staff.

Health and safety

Since 2017 IIASA cooperates with Health Consult-Sicherheitstechnik GmbH to ensure effective monitoring of legal obligations in respect to health and safety in the workplace. The duties stipulated under Austrian law are carried out by the IIASA Works Council, the institute doctor, and our appointed representative for work safety.

Health Consult conducts inspections twice a month and compiles an annual report based on their findings. The following health and safety measures are monitored or performed in accordance with §77 ASchG.

Workplace inspection
Investigation and evaluation of occupational accidents, including implementation of preventative measures
Testing and selecting personal safety equipment
Occupational psychology, work hygiene, and ergonomics
Fire safety and measures in case of evacuation
Training and education in health and safety matters

The documentation provided by the health and safety officer exceeds the legal requirements (ASchG) and is regulated by Health Consult’s quality management policy ISO 9001.

Infrastructure developments

The technical infrastructure team undertook a number of general refurbishments in 2019, including the renovation of kitchen facilities, windows, and floors.

To ensure the safety of people and property in case of emergency, an automatic alarm system was implemented in 2019 as part of a new Fire Safety Action Plan. This includes a direct connection to the fire brigade to minimize response time. In addition, the doors in the General Purpose Building were equipped with emergency exit locks and the installation of fire detectors will be completed in early 2020.

In order to refurbish and modernize the heating infrastructure, IIASA installed automated controls for the boiler, which can be operated remotely. This has led to reduced costs and impact on the environment in the region of 15% (costs and CO₂ reduction). Furthermore, the electric power supply system of the boiler room was replaced to be in line with Austrian regulations.

Plans are in place for further infrastructure developments to be implemented in 2020, such as a new access control system, renovations of meeting rooms and restrooms, and replacement of water pumps and pipes. In addition, IIASA has acquired an additional 165m2 of office space from the Schloss Laxenburg Betriebsgesellschaft which will be adapted for use in 2020.

Information technology

The Information and Communication Technologies department manages all IT services to include computers and servers, data networks, and related equipment. The team runs 70 physical servers supporting 169 virtual machines servers and a 20-node (80-core) compute cluster. In addition they manage a total of 520 TB of usable data storage and data backup systems, and support software for office automation and scientific models.

In 2019, IIASA reconfigured and redistributed over 350 PCs and laptops, in addition to the below activities:

The central server network was upgraded from 1 to 10 GB transmission speeds in order to facilitate improvements in network speed to users over the coming years.
Linux-based, load-balanced clusters were established in order to expand scientific computing capabilities and enable efficient scientific processing.
The central data storage was expanded from 240 to 386 TB, bringing IIASA’s total usable data storage capacity to 520 TB, with a corresponding expansion of our data backup systems.
A two-node clustered approach was introduced to the Web-Application Firewall to improve the reliability and security of our online scientific applications, models and data.
An external assessment of the IIASA IT security environment was conducted which resulted in recommendations to be implemented in 2020.

Environmental performance

Work continued in 2019 between the Staff Association’s Environment Committee & Sustainability Champions and IIASA management to improve the institute’s environmental performance on a number of areas.

IIASA completed the first stages to obtain the eco label “Klimabündnis Betrieb” (“Climate Alliance Enterprise”), which included a full sustainability audit conducted by the State of Lower Austria and the Climate Alliance Austria. The audit recommends internal sustainability targets to be monitored over the next five years. The certificate was awarded at the Laxenburg Climate and Energy Day hosted at IIASA with the Laxenburg Mayor.

Printing across the institute was reduced by 22% compared to 2018, and 36% compared to 2017. Payslips and various administrative procedures are now paperless, and publications produced by the institute such as policy briefs and Options magazine are now only distributed digitally.

IIASA continues to purchase electricity from renewables, and installed a smart control system for the heating system in 2019 which is expected to deliver 20% CO₂ savings. A review of the travel policy by IIASA management is further expected to reduce travel and therefore the institute’s carbon footprint in 2020.