Health and Safety Risk Register. (Including Approaches to Group Consideration of Risk)


Health and Safety Risk Register Guidance Note (Including Approaches to Group Consideration of Risk)

The Glasgow School of Art Health and Safety Risk Register is a best practice template for recording and managing risks, which prompts the user to complete the recommended steps of the best practice risk management process in their area of health and safety responsibility. The School promotes the use of the H&S Risk Register for managing all risks within a School or Administrative department. The template can be built into a suitable risk assessment process as defined by the School H&S Manual.

The "key" risks, or those most significant within the School or administrative department, must be recorded and managed on an electronic version of the Risk Register, which can be found within the Health and Safety Management section of the Staff Intranet system, or the VLE H&S website. A version of the School Risk Register template and an example can be viewed by following the links below.

How to Complete the Risk Register Template
Instructions on how to complete the Risk Register Template

The Risk Register is a template to work through the risk management process. Working from left to right across the template, you are prompted to consider all elements of the risk management process. How to complete each field of the risk register is outlined below.

Risk Description
Define the risk clearly and simply. Try to incorporate the cause and the consequence/effect the risk has on the objective you are considering, e.g. a power failure to the main computer for the department could cause a loss of all research data, causing a project to fail to deliver its main research objective.

Try to keep focused on the big risks to achieving your objectives or deliverables. The minor risks will probably be managed adequately through existing departmental policies and procedures. It is unusual for there to be more than about 3-5 main risks for each objective.

Inherent risk exposure / Risk Response Level
Ignoring any existing controls that might already be in place as defined above, assess the Impact and Likelihood of the risk happening. Classify the risk as Very Low, Low, Medium, High or Very High and use the terms described in the Risk Response Matrix, e.g. Tolerate, Take Further Action etc.

Impact - What is the worst case impact if the full risk should happen (ignoring any existing controls that might be in place)? Classify the risk as Very Low, Low, Medium, High or Very High. Quantitative numerical values can be entered in the appropriate column.

Likelihood - Without any existing controls that might be in place, what is the likelihood of the risk occurring? Classify the risk as Very Low, Low, Medium, High or Very High. Quantitative numerical values can be entered in the appropriate column.

Please refer to the 'How to Assess Risks' section for guidance on assessing risks in line with the School's Risk Impact Guide and Risk Likelihood Guide, but ultimately this is your assessment.

Control measures employed
What do you already do to control or minimise the risk? This may be physical controls that are in place, or could be things such as policies or procedures in place to stop the risk happening. There may be more than one. An example could be the requirement for co-authorisation on departmental purchase orders to avoid inappropriate use of departmental funds, or regular maintenance of machinery by a competent technician.

Please refer to the 'How to Assess Risks' section for guidance on assessing risks in line with the Risk Impact Guide and Risk Likelihood Guide, but ultimately this is your assessment.

Financial impact
Considering the residual risk exposure, where possible, estimate a realistic monetary impact on the School if the risk occurs. This is helpful in assessing the cost effectiveness of any control measures, but can be very difficult to estimate and in some cases cannot be done.

Is the risk tolerable?
Considering the control measures that are in place, the residual impact and likelihood, the potential financial impact to the School, and the Risk Response Matrix, make an assessment as to whether you believe the School should accept the residual risk that remains, possibly even above the tolerance level if a good reason exists.

Please refer to the 'How to Assess Risks' section for guidance on assessing tolerability of risks in line with the Risk Response Matrix.

Further actions required / Contingency plans
If you consider the risk to be tolerable, and there are realistically no further actions that need to be taken to control this risk, then this section can be left blank. If you still believe the risk to be intolerable, then you must identify further actions/responses to reduce the risk to a tolerable level. Be specific with actions, avoiding blanket comments and identifying responsibilities, timescales and costs wherever possible. Guidance on the type of response required can be found in the Risk Response Matrix and the 'How to Respond to Risks' section of this guidance note.

Where escalation to a member of the School's Management for further advice is the plan, the relevant person should be named and must be approached to agree that their acting as an advisor is an adequate contingency for the risk.

Please refer to the 'How to Respond to Risks' section for guidance on the different approaches to controlling risks.

Monitoring / Early warning mechanisms
Identify appropriate simple mechanisms for monitoring the risk, to ensure that you have some early warning of the risk changing or occurring. These mechanisms should be specific to your area of responsibility and should identify what can be monitored, how often and by whom. Some examples of Monitoring/Early Warning Mechanisms are:

- Accident Trends and Analysis
- Area Risk Assessment by Departmental H&S Champion
- Quality of Teaching - Course Survey of Students
- Availability / Suitability of Teaching Facilities / Space Audit
- Budget Overspend / Budget Variation Analysis
- IT Network Security - Attacks on Firewall

Give consideration to whether risks are more likely to happen at particular times of the year. If they are, show this in the risk register and plan a review of the risk at or just prior to this time, e.g. Degree Show and Graduation Exhibitions.

Please refer to the Risk Response Matrix for guidance on the regularity of monitoring based on the Residual Risk Exposure.

Leading Action / School or Department
Area of the School or Department with responsibility to co-ordinate the leading action and carry out the administrative duties.

Responsibility / Risk owner
Who is responsible for ensuring the management of the risk, its further actions and its monitoring actions?

Be specific and name the person responsible. (This person must have sufficient authority to be able to manage the risk and authorise action, but need not be the person who actually performs the further actions or monitoring.) This person should be clear on when to escalate the risk to a more senior level.

Date risk last reviewed
This field should show the date that this risk was last reviewed to ensure the risk assessment is still valid and controls and responses are adequate. Any changes to this date made on the Intranet register should be supported by an auditable reference in an appropriate school document, possibly in the minutes of a meeting or departmental risk assessment. The intranet system will provide an audit history of when risks were reviewed.

Current status
This field should be updated after each review of the risk. The field shows the current status of the risk when it was last reviewed: Closed, Ongoing, Reducing, Increasing, Imminent, or No Change.

How to Identify Risks

Introduction
Identification of risks is the starting point in the risk management process. At this point you should not be trying to assess risks, but just trying to identify the most important risks to achieving the objectives outlined in your annual plan, or any other activities which your school or function is expected to deliver.

A common problem at this early stage is the identification of too many risks. An enormous list of risks is unwieldy, impractical and frightening; even if it does seem to be comprehensive, it will inevitably result in risks being poorly assessed and will lead to gradual disillusionment with the process. We need to keep this in mind when pulling together the list of departmental risks, but need to ensure all appropriate risks are included within internal school risk registers.

It is unlikely there will be more than really significant strategic risks of interest to senior management, although you should show all risks that you feel are significant, not aim for a specific number. It is the key risks that you believe senior management should be made aware of that should be included in the Risk Register. Many of the smaller risks will be adequately managed through existing internal processes and procedures, and may not need to be shown on the Risk Register.

Guidelines for Risk Identification
Suggested approaches to identifying risks

A risk can be considered as either an opportunity or a threat. Threats are things that, if they happen, will adversely affect your ability to meet your objective and should be avoided. Opportunities are significant achievements that help you to meet or exceed your objective, which, if pursued, create a number of their own risks if not achieved. Any decision to pursue an opportunity must be balanced against what risk we are willing to take and manage to try to achieve this opportunity. Both threats against objectives and opportunities can be recorded and managed using the risk process.

For your School or departmental function you should be trying to identify the main risks (Opportunities or Threats) to you achieving each of your objectives as defined in your annual business or administration plan, and consider any other outputs that you are responsible for producing. Consider any milestones, timescales or resources that will be used to achieve the objective and what can affect these. In simple terms you should focus on the operational risks inherent in the work your department does, but you should also consider generic risks across the School and how they specifically affect your area.

Risk identification is itself a very subjective process, and it is usually beneficial to pursue a group orientated approach that draws on the combined knowledge and experience of the people involved. It is usually best to identify people from different areas with sufficient seniority to bring to the group a different view on the risks that exist, while understanding the level of risk you are trying to identify. Guidelines on how best to operate these group meetings can be found in the section 'When and How to Review Risks' below.

It is suggested that you should also try to involve other departments within the School with whom you have major interaction, as they will be able to give you a view as to your risks from outside the School or departmental function. Key people to consider here are definitely Estates and Finance, potentially Marketing, HR, and Health and Safety etc.

Before people meet to discuss risks, there are a number of things that can help to stimulate consideration of the list of risks being created:

Example Risk Register: Consider the Head of School / Academic Support Manager or H&S Champion producing an outline risk register outlining the school / departmental objectives, with the major risks as they see them already identified as examples to stimulate other people's ideas.

Short list of questions: Consider asking each person to answer a number of short questions which could stimulate ideas, and ask them to bring a list of risks with them to any meeting or discussion. Some examples of possible questions are shown below:

- Are you aware of the School's Strategic Objectives?

- Does your department have any specific objectives/deliverable outputs that affect your School / function's (or School's) strategic objectives?
- Are there any issues that could stop your department from achieving your objectives / deliverable outputs?
- Over the last two years, what problems have affected your department?
- Do you know of any problems in your areas that any other School or department has encountered?
- Is there anything that is likely to stop your department achieving your performance criteria or statutory obligations?
- What problems or changes can you see in the future that may affect your School/function achieving its objectives?

It is generally best to avoid the question "what are the risks involved in your job", as people can tend to misunderstand the question.

Risk prompt list for comparison: Consider distributing a risk prompt list with some initial examples (possibly from other schools/areas) as a risk prompt comparison after your initial round of risk identification. It is strongly recommended NOT to use this risk list until after your first attempt at identifying your risks, otherwise there is the risk that this will become a surrogate risk profile, not accurately reflecting your individual risks. Risks must still be identified with direct relevance to your school or function objectives/outputs.

School Risk Register areas: Consider risks in your area under the different areas of risk identified in the School Risk Register owned by the Head of each School/Department.

Existing policies and plans: Review existing policies and plans in place within the School/Department, as the impetus to create these plans is usually a risk, with policies and plans being the control measures to manage the risks.

If it is decided that different areas within the School / administration function will create their own risk registers, then there should be some way of identifying the key risks to pass upwards to the Head of School / Department for inclusion on the School / Department Risk Register.

Key Considerations when Identifying Risks
Key things to keep in mind when identifying risks

- Be careful not to identify an issue as a risk. Issues are concerns that cannot be avoided, such as an unrealistic timescale for delivering a project, whereas a risk may not actually materialise.

- Risks should be identified at a level where a specific impact can be identified on your objectives and a specific action or actions to address the risk can be identified.
- Avoid stating general risks which do not impact on your objectives / outputs, or are at a School Strategic level.
- The risks identified should be meaningful to your operation and realistic, i.e. not the risk of an asteroid hitting your building.
- Concentrate on the meaningful higher-level risks, e.g. failure of students to show up for class is an infrequent (hopefully) consequential risk, the real risk being (something like) students failing to be aware and to operate machinery safely and therefore causing a potential injury or accident as a result.
- Be aware of the difference in risk perceptions of people within your department and within other departments with whom you interact to achieve your objectives.
- Consider external influences on your department and on the School that could affect your objectives, e.g. Central Government, Trade Unions, Funding Bodies, Research Councils, etc.
- Think about existing policies that are in place: are these existing controls of risks that have already been identified? Consider other policies that are not in place that might need to be
- Don't forget to try and identify positive opportunities that could be worth taking some risk to help achieve your objectives.
- Risks tend to build up on each other at different levels within the department, so be aware of this and choose the level of risk appropriate at a school level. For example:
  Personal Level - Ripped or frayed carpets in offices can cause a personal trip hazard.
  School Level - The school has a poor image to visitors, which could impact on the ability to recruit students and quality staff, which could affect income.
  School Strategic Level - The poor maintenance of School buildings could result in high repair costs and shorter life of School assets.

Key Considerations when Stating/Defining Risks
Guidelines when writing risk descriptions

- Avoid stating impacts that may arise as being the risks themselves.

Try to remember the Cause and Effect analogy to help define a risk properly. For example, "Damage to an exhibition installation may stop a show opening", but this alone is just the impact of the risk. To understand and manage the risk we should include the cause in the risk description. For example, "An accident to a student working on their project artwork could result in damage to them or their work so they are unable to display it in time for assessment." Or "Poor maintenance of the workshop machinery could cause an injury or the work piece to get stuck or damaged, so students are unable to complete their work in time for assessment." Both of these are specific things we can make efforts to avoid.

- Avoid defining risks with statements which are simply the converse of the objectives.

The main point here is to ensure the nature of the risk identified is specified in enough detail; otherwise, the exercise can become meaningless. For example, if the objective is "to assess the support needs of disabled students", then a risk could clearly be "failing to assess the support needs of disabled students", but this doesn't identify the nature of the risk, so a better example would be: "Poor wheelchair access to buildings will not support the needs of wheelchair users and could result in complaints, litigation and bad publicity".

Approaches to Group Consideration of Risks
Ways to generate group discussion on risks

There are two approaches that the School would suggest could work well in identification of risks: to hold a group workshop to discuss the risks, or to undertake individual meetings to consult with key people who can contribute risks. Whichever of these approaches is chosen, the following guidelines should apply to the meeting:

- The meeting should be an informal, non-judgmental, non-attributive environment whereby alternative or controversial views can be heard.
- The identification and existence of risk is not a criticism of performance.

- Where the group workshop approach is used, someone should take on the role of the facilitator in the meeting. Where possible it is beneficial that this facilitator not be from the school / department and has no link to the subject being discussed, to avoid bias and lack of independence. A guide to useful group workshop techniques and a guide to effectively facilitating a meeting can be found below.

Within a group meeting, it can be helpful to use one of the following approaches to generating group discussion on the list of risks that exist for each objective, output or project.

Brain Storming
Brainstorming relies on the generation of ideas triggered by the ideas of others, and enables the quick reinforcement of correct answers through the immediate agreement of fellow group members. Ideas are usually recorded on a flip chart and discussed and evaluated after brainstorming has finished. The four main rules of brainstorming are:

- Criticism is ruled out.
- Any idea is encouraged, the more outrageous the better.
- Many ideas are encouraged: more ideas equal more useful ones.
- Try to build on other people's ideas.

Nominal Group Technique
A group is asked to silently generate ideas in writing for minutes or brings pre-meeting lists of risks. Round-robin feedback from the group members is used to record each idea in a short succinct phrase on a flip chart, until all ideas are recorded. Group discussion of each idea is carried out for clarification and evaluation. Individual prioritisation of ideas is made in writing, with the final decision through mathematical aggregation.

Cause and Effect Diagrams
Cause and Effect Diagrams, also called Fish Bone Diagrams, are graphical representations of the causes of various events. The diagrams usually start with one event and you work backwards or forwards, identifying previous or future events that lead to or resulted from an action.

SWOT Analysis
Consider each objective under the headings of Strengths, Weaknesses, Opportunities or Threats.

PESTLE Analysis
Consider each objective under the headings of Political, Economic, Social, Technological, Legal and Environmental.

Key Considerations when facilitating an interactive Workshop
Source: Simple Tools and Techniques for Enterprise Risk Management, R Chapman,

Timing - Arrange the meeting at a time convenient for all parties, ensuring sufficient time is made available by each attendee.

Physical Environment - Select an appropriate room to comfortably accommodate all attendees, ideally in a horseshoe formation. Appropriate facilities should be available for presentation and recording of ideas, such as flip chart, projector, white board, etc. The room would benefit from being remote from the attendees' normal place of work to avoid the possibility of interruption.

Agenda - A structured, realistic agenda should be developed which is not over ambitious. At a minimum we would suggest at least 15 minutes per risk, plus administration time and breaks.

Briefing Pack - This should be sent to the participants, including time, date, location, purpose, attendees, agenda, workshop rules, preparation required, list of risk management terms, plus other pre-meeting materials or preparation.

Managing the process of the workshop:

- State the objective.
- Gain consensus to the workshop outputs.
- Walk through the agenda.
- Confirm terminology to be used during the workshop.
- Set out the Workshop Rules:
  - All participants are equal
  - Seniority has no power
  - One person talks at a time
  - Every idea is valid
  - No criticism or judging
  - No mobile phones
  - No two person debates
- Provide direction and a common purpose.
- Bring the discussion back to core objectives, if too long on one issue.
- Keep to the agenda timetable.
- Maintain momentum.
- Ensure everyone agrees the conclusions; reaffirm everything recorded on flip chart.

- Ensure all attendees have a chance to participate in discussion.
- Suppress overpowering people.
- Ensure descriptions are agreed that will not be forgotten in 3 months' time.

How to Assess Risks
Guidance on how to assess the impact and likelihood of a risk

This section identifies guidelines on how to assess different types of risk in terms of impact and likelihood. These are guidelines only and are not intended to be prescriptive; any assessment of a risk is subjective and each risk should be assessed on an individual basis. Again, it is suggested that a group consideration of the risks when trying to assess them can help to avoid the subjective nature of the process.

Inherent Risk Exposure
Inherent risks are the worst case assessment of the impact and likelihood of the risk, ignoring any actions that are currently in place to control the risk.

Residual Risk Exposure
Residual risks are the most likely assessment of the impact and likelihood of the risk, taking into account the actions that you are already performing to control the risk. Further actions not yet being performed should not be considered when making this risk assessment. Only when further actions are implemented and are effective should the residual risk be reassessed and reclassified.

Included within this section are the following guidance documents:

Risk Impact Guide
This gives guidance on how to classify the impact of a risk.

Examples of how to apply the levels of Impact Categories
The following examples are provided as guidance to the impact classification scale and to demonstrate how the impact of different types of risks can be categorised as either Very Low, Low, Medium, High or Very High. These few examples are intended to give some guidance to staff to assist them in what can be a very subjective and tough assessment process.

Example 1. Bad Publicity affecting the School

Risk Description: Bad Publicity will affect the School's Reputation and Standing in Higher Education Institutions

Impact Rank | Description of Severity
Very Low | Insignificant to achieving your objectives / output or opportunity
Low | Minor - a threat that is likely to have minimal impact upon your objective/opportunity, for not more than a short period. It can be managed quite easily
Medium | Moderate - a threat might have moderate/possible significant impact but can be managed in the medium term with some effort
High | Serious - a threat that will have significant impact on your objective/opportunity in the long term and will require major effort to manage (but does not threaten the existence of the objective/opportunity)

Consequences/Effects - Examples of Negative Impacts (Threats):
- No or negligible impact
- Minor adverse internal publicity
- Local adverse publicity of subject area or School, having short term impact on public perception, specifically potential Staff and Students
- Negative Rumors within the School or project
- Minor issues that affect campus only and do not impact on Staff, e.g. localised industrial action, minor Estates issues (planning permission for new buildings)

List of other possible examples:

Example 2. Errors in Data Supplied to Higher Education, Scottish Funding Council
Example 3. Fall in Quality in QAA Review
Example 4. Fall in the Number of Incoming Students
Example 5. Health & Safety Incident
Example 6. Inaccurate Gathering of Student Data
Example 7. Incorrect Application of HR Legislation
Example 8. Loss of Computer Hardware
Example 9. Outbreak of Meningitis
Example 10. Human Tragedy and Bad Publicity affecting the School
Example 11. Overspend of Project Budget
Example 12. Poor Implementation of a new IT Support System
Example 13. QAA Audit Non-Compliance

Risk Likelihood Guide
This gives guidance on how to classify a risk's likelihood of happening, by considering its probability or frequency.

Guidance as to what the levels of Likelihood really mean

Likelihood Rank | Frequency Description | Could consider as a percentage
Very Low | Rare - Can't believe this will happen again | 0-5% likely to happen
Low | Unlikely - Do not expect it to happen again but it is possible | 6-20% likely to happen
Medium | Possible - May occur occasionally | 21-40% likely to happen
High | Likely - Will probably occur again | 41-80% likely to happen
Very High | Almost Certain - would expect to occur regularly | Over 80% likely to happen

Risk Register Response Matrix

Risk Register Response Matrix: This gives guidance, in terms of the residual risk exposure (impact and likelihood), as to the tolerability of the risk and the suggested level of response to the risk, in terms of further actions and frequency of monitoring.

Guidelines on acceptable levels of risk and required responses and review periods
The risk register response matrix can be viewed as a pdf document by following the link above. The matrix should be used to consider whether you should tolerate a risk because it is within or outside the School's Risk Appetite. This will identify the appropriate action required for a particular level of risk, and the appropriate frequency of review, in relation to its Residual Risk Exposure (Impact / Likelihood).

The review periods given for each level of risk are the minimum level of review required, but certain risks might warrant more regular reviews.

How to Respond to a Risk
How do you respond to a risk to control it within acceptable limits?

Risk Management is about responding to risks that you are exposed to, with the aim of reducing the residual risk to within your risk appetite (the level of risk the School defines as acceptable). This is achieved through identifying actions that can be taken to control and reduce the risk's Impact or Likelihood. These are referred to as Control Responses.

Control Responses
List of the 5 ways to tackle reducing the impact or likelihood of a risk

In any risk scenario there are five ways that a risk can be dealt with or responded to. These control responses, in order of preference, are to:

Terminate the risk - Do something differently, thereby removing the particular risk completely. Care should be taken that any alternative approach does not create bigger risks. This is often not possible but should always be the first consideration.

Treat the risk - This is where some action is taken to reduce the likelihood or impact of the risk. The key is that any action must be cost effective against the size and impact of the risk. This is the most popular and effective control response.

Contingency planning - Where the impact or likelihood of the risk cannot be reduced to an acceptable level (or even when it can), contingency plans should be devised to ensure business continuity and recovery after events we cannot control. It is preferable to use one of the other options to stop the risk occurring in the first place, rather than dealing with the effect after the event, but contingency plans are always useful to ensure any impacts are minimised as quickly as possible. Contingency plans should as a minimum be considered for all risks with a high residual impact or high likelihood, e.g. meningitis or fire.

Transfer the risk - This is where you make the risk's financial impact or responsibility for management fall on someone other than the School. This can usually be achieved well using contractual agreements for financial recompense in certain situations or insurance policies, etc., but it is hard to transfer the reputational aspect of any risk.

Tolerating the risk - This response to a risk is really the response of last resort.

Tolerating the risk involves accepting a risk above your perceived risk appetite without reducing it, probably because nothing can be done to reduce it at a reasonable cost. Consideration must be given as to whether this risk is really relevant to achieving the objective / opportunity. In this case the risk must be regularly monitored and contingency plans must be generated in case the risk materialises.

Almost no risk response will completely remove a risk without a large amount of money being spent on it. As such, it is usually enough, and more cost effective, to have controls in place to minimise risks to an acceptable level rather than completely removing the risk. Most important with any risk control response is that it must offer value for money, in terms of the risk you are reducing.

Taking Opportunity to Exploit Positive Impact
Keep in mind any opportunities to exploit positive impacts from a risk you are trying to control

There is another supplementary action that complements these standard control responses.

Take the opportunity - This is not an alternative to the above! But it can be a result of one of the above actions. At the same time as mitigating the risk, there may arise an opportunity to exploit a positive impact from the risk or control measure employed.

For example, consider a large capital project that has stringent controls put in place to reduce the financial risk; it might now be justifiable to increase the capital investment to gain greater advantages.

Or the cost of the main raw material for the project could fall, thereby reducing the impact of project failure. As all materials can be bought for less capital outlay, these savings could be re-deployed elsewhere to gain other advantages or treat other risks, thereby reducing the risk of the project failing.

The Four Ways to Treat a Risk
Treating a risk can take four basic forms

The Treat Control response can be broken down into 4 different types of control.

Preventative controls limit the likelihood of a risk and are the most common response, e.g. separation of responsibility (countersigning) risk assessments, or restriction of duties to authorised competent persons.

Corrective controls correct outcomes after the event, to gain recovery against loss or damage, e.g. corrective actions to allow remedial works after an accident.

Directive controls ensure a particular outcome is achieved. These are important when it is critical that an event is avoided, e.g. the wearing of protective clothing during dangerous activities, or training requirements.

Detective controls highlight when a risk has happened but in no way correct or mitigate the impact of the risk. These are only useful where the impact of the risk can be accepted, e.g. Stock Checking, Financial Reconciliation, and Post Project Reviews.

When and How to Review Risks
Outline of requirements of the School's risk management process to review and monitor risks

The risk environment is constantly changing and as such our assumptions and assessments of risks should be regularly reviewed. The Risk Register is a live document and at any time should provide the reader an up to date view of the status of the key risks facing the School or Department. Any new risks which are identified should be added on to the register and any risks which are no longer current should be closed and removed.

To ensure that the risk register is kept up to date, Schools, Academic Support Managers or Head of Department/H&S Champions are required to review the risks at intervals appropriate to that level of residual risk exposure. Guidance on the frequency of review for different levels of residual risk can be found within the Risk Register Response Matrix.

Heads of School should define a specific method for reviewing the risks which ideally gets a number of people to consider the continued relevance of the residual impact and likelihood ratings. Consideration should be given to the continued effectiveness of any measures to control action or monitor the risk.

It is suggested that this review of the risks can most easily be achieved by building this review into existing management or project review meetings (e.g. monthly management team meetings), where a small amount of time can be set aside to review the appropriate risks due for review. Consideration should also be given to changes in the operating environment which could need to be reflected on the risk register.

The specific review of the risk and any decisions made to change or not change the risk register should be documented for audit purposes, as a cross reference to the actual change being made in the intranet risk register. An example of this audit record would be the writing of the decision of the risk review in the minutes of a meeting, with an action for a person to amend the risk register. Any changes to the Residual Impact or Likelihood or the control measures / further actions should be changed on the intranet version of the risk register.

What to Update on the GSA H&S Risk Register

Explanation of the Risk Status that must be updated on the GSA H&S Risk Register.

At the time of the review the review team should identify the current status of the risk, to identify whether the risk is:

- Closed: No longer a threat to the objective, output or opportunity, maybe because the cause of the risk no longer exists.
- Reducing: The risk is reducing in its ability to threaten the objective, output or opportunity.
- Increasing: The risk is increasing in its ability to threaten the objective, output or opportunity.
- Imminent: This status indicates that the risk is likely to happen in the very near future. Any risks which have this status should be reviewed continuously, control measures reviewed, and contingency plans prepared for immediate introduction if required.
- No Change: This status shows that the risk is deemed to not have changed in impact, likelihood or proximity since the last time the risk was reviewed.

The new status of the risk should be changed in the GSA H&S Risk Register, and the date of last review should be changed to the date the review was carried out (be careful as this date will change automatically where a status has been changed, so if updating the Intranet Risk Register retrospectively then the date should be overtyped after the changes have been made).

If the review of the risk results in a status of No Change then the date of last review should be the only thing changed, to highlight that the review has taken place.

The Risk Management Process Defined

The Glasgow School of Art approaches the risk management process as a cycle composed of the following elements, with the main output being a list of the key risks in each area of the organisation and defined actions being taken to control these risks. This document is called the Risk Register.

Define a Framework

There are three important principles when defining a framework to manage risk:

1. Adopting a continuous approach throughout the organisation
2. Ensuring there is a clear structure to the process linked into existing processes and policies
3. Gaining approval and support of the process at a senior level

The approach is clear to suggest that ultimate ownership of risk management should be allocated at a senior management level.

Identify the Risks

The School advocates an approach based around considering risks that are most likely to affect the ability of the organisation or department to achieve its objectives/outputs. It provides guidance on identifying risks and these are identified in the guidance notes.

Assess the Risks

Once the key risks have been identified then you should assess the likelihood of the risk occurring and the size of the impact it would have. Consideration should also be given to any existing controls that you have in place to manage the risk before coming up with a final evaluation. The approach to assessing risk will be different for different types of risk; some will lend themselves to numerical assessment while others can only be measured subjectively. Guidance can be given but this process is inherently subjective and as such is best performed by consensus.

Evaluate the Risk Appetite

Once risks have been identified and assessed, the process must evaluate the risk assessment against an appetite or acceptance for each risk. Risk appetite is the amount of risk to which the organisation is prepared to be exposed before it judges that some sort of response action is necessary.

Some guidance can be given by developing a Corporate Risk Appetite, in key risk areas, but ultimately each risk must be evaluated on an individual basis. Where risks are currently being managed within tolerance of the risk appetite, then no further action is necessarily required with this risk, but where the risk evaluation is outside of our tolerance we must decide on an appropriate response.

Identify Suitable Responses to Risk

Four common responses to risk are described in this approach as being: Transfer, Tolerate, Treat & Terminate. These are discussed in more detail in the guidance notes.

The response to the risk is intended to make the risk tolerable, by transferring the impact of the risk to someone else or treating the risk in some way to reduce the risk exposure. If nothing can be done to treat or transfer the risk then the risk will either have to be terminated, or the risk tolerated outside the risk appetite. Contingency plans are another response to risks.

In all decisions regarding responses to a risk the cost of the action must be cost effective, in light of the possible financial impact of the risk. It is usually enough to have controls in place to minimise a risk, rather than completely removing it. Overall any risk response must offer value for money.

Gain Assurance about Effectiveness of Risk Management

Assurance about effectiveness of risk identification, evaluation and appropriate responses in place is done in three ways:

1. Testing and Approval of the Risk Register produced within each department by senior management to reinforce the evaluation of risks, decisions on tolerance and appetite and the adequacy of responses
2. Internal reporting on effectiveness of Risk Management within each department and changes to the Risk Register
3. Internal audit is required for an independent and objective assurance about effectiveness.

Embed and Review

Risk Management should be embedded as a culture within the School. Everyone should consider how their actions impact on the School's ability to achieve its objectives. The strategic objectives of the School will cascade to the individual objectives for each department, hence to embed risk management it should be linked into the planning and budgeting process linked to identifying these objectives. Although linked to business planning, the process must not only look at financial risks, but must look also at operational risks.

To enable departments to manage risk effectively they must be given the control to do so, and this is achieved by ensuring risk ownership is cascaded down the same hierarchical structure as management responsibility. Within a department risk should be built into existing management processes and meetings to keep the focus on reviewing risk regularly.

Once complete the process should then start again with a review of the overall framework and its effectiveness, with changes being made as required to improve the system and keep it in line with changes in the internal and external operating environment. Any internal audit corrective actions or recommendations shall be considered in reviewing departmental risk and where necessary updated in the Risk Register.

The Glasgow School of Art Risk Register Response Matrix

The qualitative risk response matrix below should be used to consider the appropriate action required for a risk, in relation to its Residual Risk Exposure (Impact/Likelihood). The review periods given for each level of risk are the minimum level of review required, but certain risks might warrant more regular reviews.

Residual Risk Exposure (Impact X Likelihood)

IMPACT (5)
- LIKELIHOOD (1): Tolerate; Continue Existing Control Measures; Review at least every 4 months
- LIKELIHOOD (2): Possibly Tolerate, Consider Further Actions to Reduce Risk; Continue Controls; Review at least every 3 Months
- LIKELIHOOD (3): Quickly Implement Further Actions to Reduce Risk; Continue Existing Controls; Generate Contingency Plan; Review at least every 2 Months
- LIKELIHOOD (4): Take Immediate Further Remedial Action to Reduce Risk; Contingency plan on standby; Review at least Monthly
- LIKELIHOOD (5): Take Immediate Further Remedial Action to Reduce Risk; Contingency plan on standby; Review Continuously

IMPACT (4)
- LIKELIHOOD (1): Tolerate; Continue existing Control Measures; Review at least every 4 months
- LIKELIHOOD (2): Tolerate; Continue Existing Control Measures; Review at least every 4 months
- LIKELIHOOD (3): Implement Further Actions to Reduce Risk; Continue Existing Controls; Generate Contingency Plan; Review at least every 3 Months
- LIKELIHOOD (4): Urgently Take Further Remedial Action to Reduce Risk; Contingency plan on standby; Review at least every 2 Months
- LIKELIHOOD (5): Take Immediate Further Remedial Action to Reduce Risk; Contingency plan on standby; Review at least Monthly

IMPACT (3)
- LIKELIHOOD (1): Tolerate; Continue existing Simple Control Measures; Review at least every 6 Months
- LIKELIHOOD (2): Tolerate; Continue Existing Control Measures; Review at least every 6 Months
- LIKELIHOOD (3): Tolerate; Continue Existing Control Measures; Review at least every 4 months
- LIKELIHOOD (4): Implement Further Actions to Reduce Risk; Continue Existing Controls; Generate Contingency Plan; Review at least every 3 Months
- LIKELIHOOD (5): Quickly Implement Further Actions to Reduce Risk; Continue Existing Controls; Generate Contingency Plan; Review at least every 2 Months

IMPACT (2)
- LIKELIHOOD (1): Tolerate; No action: Continue Control if Required; Review at least Annually
- LIKELIHOOD (2): Tolerate; No action: Continue Control if Required; Review at least Annually
- LIKELIHOOD (3): Tolerate; Continue existing Simple Control Measures; Review at least every 6 Months
- LIKELIHOOD (4): Tolerate; Continue Existing Control Measures; Review at least every 4 months
- LIKELIHOOD (5): Possibly Tolerate, Consider Further Actions to Reduce Risk; Continue Controls; Review at least every 3 Months

IMPACT (1)
- LIKELIHOOD (1): Tolerate; No action: Continue Control if Required; Review at least Annually
- LIKELIHOOD (2): Tolerate; No action: Continue Control if Required; Review at least Annually
- LIKELIHOOD (3): Tolerate; Continue existing Simple Control Measures; Review at least every 6 Months
- LIKELIHOOD (4): Tolerate; Continue existing Control Measures; Review at least every 4 months
- LIKELIHOOD (5): Tolerate; Continue existing Control Measures; Review at least every 4 months

Risk Acceptance Key

- Green = Very Low / Tolerate
- Light Green = Low
- Orange = Medium or High / Don't Tolerate / Take Action to Reduce Risks
- Red = Very High, Outside Acceptance, definitely don't tolerate, consider stopping action/project to remove such high level of risk.

Quantitative Risk Analysis (QRA) is a formalised specialist method for calculating numerical individual, school, departmental, and public risk level values for comparison with the risk criteria identified above.

Identify and number each risk on the risk register template which could have an impact on achieving the School's objectives in your School/Department. Give a score of 1-5 for impact, with 1 being no impact and 5 being significant impact. Give a score of 1-5 for likelihood, with 1 being very unlikely and 5 being very likely. The risk register template will multiply impact and likelihood to give the score in the correct column as a guide. Then describe the action(s) you will take to mitigate the risk, and identify who in your School/Department has responsibility for ensuring the risk is mitigated.


More information

GLASGOW SCHOOL OF ART OCCUPATIONAL HEALTH AND SAFETY POLICY. 1. Occupational Health and Safety Policy Statement 1

GLASGOW SCHOOL OF ART OCCUPATIONAL HEALTH AND SAFETY POLICY. 1. Occupational Health and Safety Policy Statement 1 GLASGOW SCHOOL OF ART OCCUPATIONAL HEALTH AND SAFETY POLICY CONTENTS PAGE 1. Occupational Health and Safety Policy Statement 1 2. Occupational Health and Safety Management System 2 3. Organisational Management

More information

SFJ EFSM14 Manage the performance of teams and individuals to achieve objectives

SFJ EFSM14 Manage the performance of teams and individuals to achieve objectives Manage the performance of teams and individuals to achieve objectives Overview This standard is about making the best use of your team and its members so that they can achieve your organisation's objectives.

More information

Solvency II Data audit report guidance. March 2012

Solvency II Data audit report guidance. March 2012 Solvency II Data audit report guidance March 2012 Contents Page Introduction Purpose of the Data Audit Report 3 Report Format and Submission 3 Ownership and Independence 4 Scope and Content Scope of the

More information

Health and Safety Policy Part 1 Policy and organisation

Health and Safety Policy Part 1 Policy and organisation Health and Safety Policy Part 1 Policy and organisation ICO H&S Policy Policy and organisation, June 2014 Page 1 of 6 1. Scope 1.1 The Health and Safety policy applies to all employees of the Information

More information

KENYA NATIONAL BUREAU OF STATISTICS RISK MANAGEMENT POLICY

KENYA NATIONAL BUREAU OF STATISTICS RISK MANAGEMENT POLICY KENYA NATIONAL BUREAU OF STATISTICS RISK MANAGEMENT POLICY SEPTEMBER 2009 Table of Contents Pg No. FOREWARD... ii PREFACE...iii CHAPTER ONE... 1 INTRODUCTION... 1 1.0 Background... 1 1.1 KNBS policy statement...

More information

DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY

DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY VERSION 1.0 ISSUED JULY 2015 CONTENTS Page CONTENTS VERSION CONTROL FOREWORD i ii iii POLICY 1 Scope 1 Aim and Objectives 1 Methods and Standards 1

More information

RISK MANAGEMENT. Authors: Phil McNaull / Lorraine Loy Approved By: PME and Court Date: December 2008 Version: 4.0 1

RISK MANAGEMENT. Authors: Phil McNaull / Lorraine Loy Approved By: PME and Court Date: December 2008 Version: 4.0 1 RISK MANAGEMENT 1 Contents Introduction 2 Corporate Governance 2 Purpose of this policy 2 Policy Objectives 2 Policy Statement 3 Scope of the policy 3 What is Risk? 4 The University s Approach 4 Description

More information

Road Asset Management Plan Risk Management : Appendix H CONTENTS. 1.0 Risk Management 2. 2.0 Risk Identification... 2. 3.0 Risk Evaluation.

Road Asset Management Plan Risk Management : Appendix H CONTENTS. 1.0 Risk Management 2. 2.0 Risk Identification... 2. 3.0 Risk Evaluation. Road Management Plan Management : Appendix H CONTENTS 1.0 Management 2 2.0 Identification... 2 3.0 Evaluation. 3 4.0 Prioritisation. 3 5.0 Control... 4 6.0 Reviewing & Reporting... 4 7.0 Register. 4 28/09/2012

More information

7 Directorate Performance Managers. 7 Performance Reporting and Data Quality Officer. 8 Responsible Officers

7 Directorate Performance Managers. 7 Performance Reporting and Data Quality Officer. 8 Responsible Officers Contents Page 1 Introduction 2 2 Objectives of the Strategy 2 3 Data Quality Standards 3 4 The National Indicator Set 3 5 Structure of this Strategy 3 5.1 Awareness 4 5.2 Definitions 4 5.3 Recording 4

More information

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes

More information

Audit Committee, 28 November. HCPC Project Risk Management. Executive summary and recommendations. Introduction

Audit Committee, 28 November. HCPC Project Risk Management. Executive summary and recommendations. Introduction Audit Committee, 28 November HCPC Project Risk Management Executive summary and recommendations Introduction At its meeting on 29 September 2013 the Committee agreed that it would receive the Education

More information

Risk Management Within an Organisation

Risk Management Within an Organisation COUNTY DURHAM AND DARLINGTON FIRE AND RESCUE SERVICE Administration and General Order No. AD/1/TBC CORPORATE RISK MANGEMENT POLICY 1. INTRODUCTION 1.1 County Durham and Darlington Combined Fire Authority

More information

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy Reference No: CG 01 Version: Version 1 Approval date 18 December 2013 Date ratified: 18 December 2013 Name of Author

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not

More information

RISK MANAGEMENT POLICY

RISK MANAGEMENT POLICY RISK MANAGEMENT POLICY Nuffield College s Risk Management Policy defines the College's approach to risk and how risk management should be embedded into management processes to ensure that the major risks

More information

IT Project Management Methodology. Project Risk Management Guide. Version 0.3

IT Project Management Methodology. Project Risk Management Guide. Version 0.3 NATIONAL INFORMATION TECHNOLOGY AUTHORITY - UGANDA IT Project Management Methodology Project Risk Management Guide Version 0.3 Project Risk Management Support Guide version 0.3 Page 1 Version Date Author

More information

Business Continuity Management Policy and Framework

Business Continuity Management Policy and Framework Management Policy and Framework Version: Produced by: Date Produced: Approved by: Updated: 7 University Manager with the assistance of the Operational Group 11 th March 2010 Steering Group (14 December

More information

RISK MANAGEMENT AND THE THE RISK ASSESSMENT METHOD STFC TRAINING MANUAL

RISK MANAGEMENT AND THE THE RISK ASSESSMENT METHOD STFC TRAINING MANUAL RISK MANAGEMENT AND THE THE RISK ASSESSMENT METHOD STFC TRAINING MANUAL Rev 1.4, Issued May 22, 2012 Author: G J Baker Issue No: 1.4 Issue Date: 22/05/2012 Page 2 of 16 CONTENTS INTRODUCTION... 3 FLOW

More information

IMPLEMENTATION DETAILS

IMPLEMENTATION DETAILS Policy: Title: Status: 1. Introduction ISP-I4 Managing Information Asset Security Approved Information Security Policy Documentation IMPLEMENTATION DETAILS 1.1. This document supports implementation of

More information

Insurance management policy and guidelines. for general government sector, September 2007

Insurance management policy and guidelines. for general government sector, September 2007 Insurance management policy and guidelines for general government sector September 2007 i Contents 1. Introduction... 2 2. Identifying risk is the first step... 2 3. What is risk?... 2 4. Insurance is

More information

Confident in our Future, Risk Management Policy Statement and Strategy

Confident in our Future, Risk Management Policy Statement and Strategy Confident in our Future, Risk Management Policy Statement and Strategy Risk Management Policy Statement Introduction Risk management aims to maximise opportunities and minimise exposure to ensure the residents

More information

MARCH 2012. Strategic Risk Policy Update March 2012 v1.10.doc

MARCH 2012. Strategic Risk Policy Update March 2012 v1.10.doc MARCH 2012 Version 1.10 Strategic Risk Policy Update March 2012 v1.10.doc Document History Current Version Document Name Risk Management Policy Statement and Strategic Framework Last Updated By Alan Till

More information

FINDING THE RISK IN RISK ASSESSMENTS NYSICA JULY 26, 2012. Presented by: Ken Shulman Internal Audit Director, New York State Insurance Fund

FINDING THE RISK IN RISK ASSESSMENTS NYSICA JULY 26, 2012. Presented by: Ken Shulman Internal Audit Director, New York State Insurance Fund FINDING THE RISK IN RISK ASSESSMENTS NYSICA JULY 26, 2012 Presented by: Ken Shulman Internal Audit Director, New York State Insurance Fund There are different risk assessments prepared: Annual risk assessment

More information

Corporate Health and Safety Policy

Corporate Health and Safety Policy Corporate Health and Safety Policy Publication code: ED-1111-003 Contents Foreword 2 Health and Safety at Work Statement 3 1. Organisation and Responsibilities 5 1.1 The Board 5 1.2 Chief Executive 5 1.3

More information

Hazard Identification, Risk Assessment And Control Procedure

Hazard Identification, Risk Assessment And Control Procedure Hazard Identification, Risk Assessment And Control Procedure 1. Purpose 1.1 To ensure that there is a formal process for hazard identification, risk assessment and control to effectively manage hazards

More information

PROCEDURES BUSINESS CONTINUITY MANAGEMENT FRAMEWORK PURPOSE INTRODUCTION. 1 What is Business Continuity Management? 2 Link to Risk Management

PROCEDURES BUSINESS CONTINUITY MANAGEMENT FRAMEWORK PURPOSE INTRODUCTION. 1 What is Business Continuity Management? 2 Link to Risk Management PROCEDURES BUSINESS CONTINUITY MANAGEMENT FRAMEWORK PURPOSE This Framework has been developed in support of both the Business Continuity and Crisis Management Policy and the Emergency and Fire Evacuation

More information

Mid Suffolk District Council. Risk Management Strategy

Mid Suffolk District Council. Risk Management Strategy Mid Suffolk District Council Risk Management Strategy uthor Claire Reynolds and udit Officer (Lead for Risk Management) Version Control V1 30 October 2006 pproved by Executive Committee V2 October/ November

More information

Business continuity management and planning

Business continuity management and planning B Business continuity management and planning This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information

More information

PDNPA Project Management Peak District National Park Authority Internal Audit Report 2014/15

PDNPA Project Management Peak District National Park Authority Internal Audit Report 2014/15 Audit, Resources and Performance Committee 20 March 2015 Item 10 Appendix 2 PDNPA Project Management Peak District National Park Authority Internal Audit Report 2014/15 Business Unit: Project Management

More information

Risk Management Primer

Risk Management Primer Risk Management Primer Purpose: To obtain strong project outcomes by implementing an appropriate risk management process Audience: Project managers, project sponsors, team members and other key stakeholders

More information

Risk Management Policy. Corporate Governance Risk Management Policy

Risk Management Policy. Corporate Governance Risk Management Policy Corporate Governance Risk Management Policy Approved by the Council of Ministers, May 2006 1. Background The Isle of Man Government is working to promote better risk management, with emphasis on the importance

More information

Explaining the difference your project makes A BIG guide to using an outcomes approach. Sara Burns and Joy MacKeith Triangle Consulting October 2006

Explaining the difference your project makes A BIG guide to using an outcomes approach. Sara Burns and Joy MacKeith Triangle Consulting October 2006 Explaining the difference your project makes A BIG guide to using an outcomes approach Sara Burns and Joy MacKeith Triangle Consulting October 2006 Explaining the difference your project makes Stock code

More information

Business Continuity (Policy & Procedure)

Business Continuity (Policy & Procedure) Business Continuity (Policy & Procedure) Publication Scheme Y/N Can be published on Force Website Department of Origin Force Operations Policy Holder Ch Supt Head of Force Ops Author Business Continuity

More information

Hazard Identification, Risk Assessment and Management Procedure. Documentation Control

Hazard Identification, Risk Assessment and Management Procedure. Documentation Control Hazard Identification, Risk Assessment and Management Procedure Reference: Date approved: Approving Body: Implementation Date: Version: 3 Documentation Control GG/CM/007 Trust Board Supersedes: Version

More information

Achieve. Performance objectives

Achieve. Performance objectives Achieve Performance objectives Performance objectives are benchmarks of effective performance that describe the types of work activities students and affiliates will be involved in as trainee accountants.

More information