ERM Program. Enterprise Risk Management Guideline
Table of Contents

- PREAMBLE
  - When should I refer to this Guideline?
  - Why do we need a Guideline?
  - How do I use this Guideline?
  - Who is responsible for the ERM program?
- ERM PROCESS
  - Step 1: Risk Management Communication & Consultation Methods
  - Step 2: Establishing the Context
  - Step 3 to Step 7: Performing a Risk Assessment
  - Step 3: Risk Identification
  - Step 4: Risk Analysis
    - Step 4 (a) Impact
    - Step 4 (b) Likelihood
    - Step 4 (c) Combined Impact/Likelihood Score
    - Step 4 (d) Control Response
  - Step 5: Risk Evaluation
  - Step 6: Risk Treatment
  - Step 7: Monitoring and Review
- FINAL NOTE
- APPENDIX 1: RISK REGISTER EXAMPLE
- DEFINITIONS
- REFERENCES
PREAMBLE

The College's Enterprise Risk Management (ERM) Policy sets the tone for risk management throughout the organization and supports the development of an embedded risk culture. The Enterprise Risk Management (ERM) Guideline provides a best practices approach to guide staff through a logical seven step risk management process. For greater assistance and efficiency, the seven step process has been integrated into a Microsoft Excel working tool to assist with risk identification and assessment. As the College Enterprise Risk Management (ERM) program matures, additional tools will become available.

The following 11 principles establish the foundation for the College's ERM program to manage risk at all levels:

1. Creating and protecting value: risk management contributes to the achievement of College objectives and improves performance in areas such as corporate governance, program and project management, health and safety of staff and students and reputation.
2. An integral part of all organizational processes: risk management is not a stand-alone activity performed in isolation. Rather, it is an integral part of our daily organizational processes, change management process, performance management, planning and reporting processes.
3. Part of decision-making: risk management aids decision-makers to make informed choices, prioritize activities and identify the most effective and efficient course of action.
4. Explicitly addressing uncertainty: risk management identifies the nature of uncertainty and how it can be addressed through a range of mechanisms, for example, implementing risk controls.
5. Systematic, structured and timely: risk management contributes to efficiency and to consistent, comparable and reliable results.
6. Based on the best available information: the risk management process should draw on diverse sources of historical data, expert judgment and stakeholder feedback to result in evidence-based decisions. As decision-makers, we should take into account any limitations of the data, modelling and divergence among experts.
7. Tailored: risk management and individual assessments are aligned with the College's internal and external context and risk profile.
8. Human and cultural factors: risk management recognizes the capabilities, perceptions and intentions of internal and external factors that can aid or hinder the achievement of the College's objectives.
9. Transparent and inclusive: risk management requires appropriate and timely involvement of stakeholders, in particular, decision makers at all levels of the College to ensure relevance. Involving stakeholders in decision making processes enables diverse views to be taken into account when determining risk criteria.
10. Dynamic, iterative and responsive to change: as internal and external events occur, context and knowledge change, monitoring and review take place, new risks emerge, some change, and others disappear. Therefore, the College should ensure that risk management continually senses and responds to change.
11. Continual improvement of the organization: risk management facilitates continuous improvement of the College's operations.

Ultimately, an effective ERM program will raise our awareness with respect to uncertainty and decision making.

When should I refer to this Guideline?

Increasingly, organizations, their executive leadership and Boards are seeking to have a better understanding of the risks their organizations are facing and the action plans to manage this risk. Although risk is often viewed negatively, the outcome of assuming risk following a risk assessment can have significant positive results. Various levels and types of risk impact departments, projects, strategic and business planning and initiatives on a daily basis. This Guideline will provide a College approved process based on an industry standard framework for staff in positions that require them to identify, assess and manage risk.

[Figure: Enterprise Risk Management Framework. Enterprise Risk Management Process: Risk Identification, Risk Analysis, Risk Evaluation, Risk Treatment, and Monitoring & Reporting, around the College's Strategy & Objectives.]
Why do we need a Guideline?

As opposed to a standard, this Guideline provides a flexible best practice approach and allows for the College's various industry types to employ risk management tools that are best suited for their industry group. A guideline creates a consistent approach, establishes common vocabulary and promotes risk management tools for identifying, assessing, evaluating, mitigating, monitoring, reviewing and reporting risks. Furthermore, a guideline helps to promote an environment for informed innovation and risk taking, identify both the favourable and unfavourable impacts of risk, improve accountability and transparency through assigned risk owners and integrate ERM into corporate decision making.

How do I use this Guideline?

The Guideline is based on a seven step process. Each step includes a brief description and examples of methods to assist in completing the step. Use of any of the illustrations, definitions, appendices and content is promoted. Users are also encouraged to use methods and tools that may be more relevant to the risk or set of risks being assessed. Electronic tools have been created and continue to be improved in order to assist users in applying the steps in a more efficient manner. The intention is to have users spend more time in the risk assessment rather than the administration. To remain sustainable, the risk management process must provide value.

Who is responsible for the ERM program?

The College Risk Management Committee (CRMC) is responsible for the College's ERM program. The Coordinator, Risk Management is responsible for managing the ERM program on a daily basis. Upon request, the Coordinator will assist you in implementing the risk management process, facilitating a risk assessment, or responding to any questions you may have with respect to the ERM Policy and Guideline. For further information, visit the College's Risk Management webpage.
ERM PROCESS

The process for managing the College's risks is described in the seven steps below. Many users of this Guideline may skip to Steps 3 to 7, which focus on risk assessment. However, both risk and the internal and external environments are continually changing, hence the need to return to Steps 1 & 2.
Step 1: Risk Management Communication & Consultation Methods

Undertaking communication and consultation with potential external and internal stakeholders prior to and throughout the risk management process establishes a positive foundation in order to engage and obtain an understanding of the stakeholder interest, to build stakeholder consensus, and to ensure informed risk taking. Based on the ERM Framework illustration on page 3, this step is involved in all of the steps. Depending on the situation, communication and consultation methods vary and could include:

- / Newsletters
- Training and Education Sessions
- Briefing Notes
- Reports
- Dashboards
- Steering Committee and Working Group Meetings
- Departmental/Cross Departmental Meetings
- Regular Employee Meetings
- Awareness Campaigns
- Risk Management on-line electronic tools

When working through a risk assessment, it's important to receive consensus on the communication format during the risk assessment process, including the risk identification, consequences, both positive and negative, and treatment options.

Step 2: Establishing the Context

Prior to initiating a risk assessment, an analysis of the internal and external environment is required to identify the main stakeholders. This would include a determination of the interdepartmental interfaces or relationships within the College. In addition to stakeholder identification, defining both the internal and external environment at the time of risk assessment in relation to the achievement of the College's strategic priorities and objectives is critical. External context includes the current political, cultural, economic, regulatory and competitive environment. Internal context includes policies, organizational structure, culture, human resource capabilities, contractual relationships and information systems.
Since resources are often limited, it's important to justify the amount of resources required to carry out a risk assessment, to define the goals and objectives, and identify and define responsibilities for managing the risk. Undertaking the above will ensure that the approach taken is appropriate for the situation or risk assessment, to the College and to the risks impacting on the College's ability to achieve its strategic priorities and objectives. Methods include defining:

- Risk monitoring cycles
- Vendor relationships
- Risk acceptability
- Government relationships
- Partnerships
- Job descriptions using College Risk Owners
- Project methodology
- Organizational chart
Step 3 to Step 7: Performing a Risk Assessment

The diagram below provides a simplified description of the involvement for Steps 3 to 7 as well as highlights the continuous nature of these steps and their connection to the College's strategy and objectives. As mentioned, on-line electronic tools have been created to simplify the step by step approach.

Step 3: Risk Identification

This step involves the identification of risk sources, events, their causes and their potential impacts that may harm, assist or prevent the achievement of the College's objectives. Risk encompasses the potential for positive as well as adverse results. For example, there could be a positive strategic risk in pursuing a new business initiative and a negative operational risk in not having appropriate policies and procedures in place to regulate the business initiative. This step should result in a comprehensive list of risks, known as a Risk Universe, which would be documented in the Risk Register template example in Appendix 1.
Example List of Risks for a College Risk Universe

Internal Conditions | Value Chain | External Conditions

- Strategic / Structural: Governance; Performance Measurement; Organizational Structure; Strategic Alliances, Partnerships & Reciprocal Relationships; Policies; Innovation; Reputation / Brand; Stakeholder Relations; Public Policy
- Cultural: Goal Alignment; Communication; Ethics, Values & Diversity; Social Responsibility; Change Management; Accountabilities & Empowerment
- Students: Recruitment, Enrolment & Retention; International Students; Program Delivery; Student Satisfaction & Relationship Management; Grants / Scholarships; Student Services; Student Conduct
- Technology & Information Systems: Capacity and Availability; IT Disaster Recovery; Security Strategy & Architecture; Reliability & Efficiency; Information Systems Innovation / Emergency Technology
- Academic: Curriculum; Academic Fraud; Research; Faculty (resources / skills / interdisciplinary collaboration)
- Administrative / Operations: General Operations; Policies and Procedures; Process Efficiency & Effectiveness; Administrative
- Human Resources: Staffing Levels & Skills; Development, Performance & Succession; Recruitment & Retention; Compensation
- Financial Management: Financial Reporting; Financial Planning; Financial Policies & Procedures; Internal Controls; Fraud; Cashflow and Liquidity; Funding Access (public and private sources); Capital Management; Endowment Management; Interest Rates
- Facilities: Asset Management; Physical Infrastructure Capacity; Capital Project Management; Property & Equipment Maintenance
- Business Environment: Social/Economic (global and local marketability; demographics); Political (education policy); Competition (Colleges, programs offered by other institutions); Technological Advancement
- Compliance & Standards: Regulatory; AODA; Federal, Provincial & Municipal Government (funding compliance)
- Legal: Employment; Privacy; Procurement Practices

Methods used to identify and collect risks include the following:

- Risk Universe / Risk Register (Appendix 1)
- Facilitations
- Risk Identification/Mitigation Worksheet (see Step 6)
- Stakeholder feedback
- Interviews & Questionnaires/Surveys
- Data analysis
- On-line electronic tools (Risk Management Website)
- Scenario planning
- Strength, Weakness, Opportunities and Threat (SWOT) analysis
- Gap Analysis
- Audits or physical inspections
- Workshops

Step 4: Risk Analysis

Risk analysis will determine the importance of a risk, current risk control responses, whether a risk control response is required and whether it will proceed to Step 5, Risk Evaluation and Step 6, Risk Treatment. The risk analysis process allows the College to consider the extent to which potential risks might have a negative impact on the achievement of the College's strategic priorities and operational objectives.
Once a decision is made to record a risk on the Risk Register, one of the six College Risk Categories should be recorded in the Category column in the Risk Register (Appendix 1):

1. Financial: The risk of financial loss due to a potential change in market condition.
2. Strategic: Risks that affect or are created by the College's business strategy and strategic objectives.
3. Reputational: The loss of value to the College brand and negative impact in our ability to attract students and investment.
4. International: Risks outside of Canada which impact the College's international and Canadian operations.
5. Operational and Hazard: Risks that affect the College's ability to execute its strategic plan.
6. Compliance and Legal: Risk of loss arising from non-compliance with internal and external regulatory requirements, legal action and liability claims.

The College uses a 5 x 5, 25-point scale Rating Matrix to assess Impact and Likelihood of risk, with a total risk score of 25 being the highest risk.

Rating Matrix

| Likelihood (L) \ Impact (I) | Insignificant (1) | Minor (2) | (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Almost Certain (5) | (5) | (10) | High (15) | Critical (20) | Critical (25) |
| Likely (4) | Low (4) | (8) | High (12) | High (16) | Critical (20) |
| Possible (3) | Low (3) | (6) | (9) | High (12) | High (15) |
| Unlikely (2) | Low (2) | Low (4) | (6) | (8) | (10) |
| Rare (1) | Low (1) | Low (2) | Low (3) | Low (4) | (5) |
For each of the risks identified, determine the inherent risk by rating the impact and likelihood using the respective descriptor and score as further described in Step 4 (a) and (b). Multiply both scores to produce a total risk score and enter the total risk into the Risk Register (Appendix 1).

Step 4 (a) Impact

Apply the Descriptors in the Impact Rating Matrix to determine the Impact of the risk and the accompanying Score. The Possible Impact Examples column contains both Key Performance Indicators (KPIs), which are results focused (for example, measuring performance), and Key Risk Indicators (KRIs), which measure or describe the level of risk associated with an activity and are an early warning sign. The examples provided will not apply to the analysis of all risks. In many cases, the risk (possible) impacts will need to be identified for each impact rating.

Impact Rating Matrix

Score / Impact Level: 1 Insignificant

Descriptors: Negative outcomes from risk or lost opportunities that do not have an effect on the College's reputation or performance

Possible Impacts Examples:

1. Financial: College revenue loss or gain of <$50K.
2. Financial: College department unit <$5K cash impact.
3. Health & Safety (Compliance): no legal consequences or adverse health effects for any individual.
4. Environment (Compliance): minor harm, clean-up <$25K.
5. Compliance & Legal: not guilty, fines <$25K.
6. Reputational: brief negative or positive attention in local news/social media; prompt resolve.
7. Strategic: achievement of a strategic goal delayed within first year.
8. Human (Hazard): injury, no first aid required.
9. Business Interruption (Operational): <1 week; Small number of classes or research projects disrupted for <1 month.
10. Systems and Processes (Operational): minor errors or delay in system (e.g. IT), short term impact.

Score / Impact Level: 2 Minor

Descriptors: Negative outcomes from risks or lost opportunities that will not have a permanent or significant effect on the College's reputation or performance

Possible Impacts Examples:

1. Financial: College revenue loss or gain of over >$50K and < $500K.
2. Financial: College department unit $5K to $50K cash impact.
3. Health & Safety (Compliance): warning or order to comply from regulatory authority; minor injuries to one or two individuals.
4. Environment (Compliance): clean-up $25K to $250K.
5. Compliance & Legal: minor breach, fine <250K.
6. Reputational: negative or positive attention in local news/social media for up to one week.
7. Strategic: one or more strategic goals not attainable and must be revised.
8. Human (Hazard): first aid required, injury.
9. Business Interruption (Operational): 1 to 2 weeks; Small number of classes or research projects disrupted for 1 to 4 months.
10. Systems and Processes (Operational): policy / procedure not met, key programs impacted for short term.

Score / Impact Level: 3

Descriptors: Negative outcomes from risks or lost opportunities that will not have a permanent or significant effect on the College's reputation or performance

Possible Impacts Examples:

1. Financial: College revenue loss or gain of >$500K to <$3M.
2. Financial: College department unit cash impact of $50K to $250K.
3. Health & Safety (Compliance): statutory charges against one or two employees.
4. Environment (Compliance): short term harm, $250K to $1M clean-up.
5. Compliance & Legal: breach of legislation, fine $250K to $1M
6. Reputational: negative/positive attention in national news/social media for less than a week, or in local media for 1 to 2 weeks or in surrounding communities for < 2 weeks; heavy local media
7. Strategic: a key strategic goal underlying an institutional commitment cannot be attained without significant revision and delay of > 1 year.
8. Human (Hazard): injury/hospital; major reversible injury.
9. Business Interruption (Operational): 2 to 4 week interruption; Inability of a substantial portion of an entire department to provide education or perform research for < 1 month or the disruption of a small number of classes or research projects > 4 months.
10. Systems and Processes (Operational): less than 1 KPI not met, service delivery inconvenient to clients, survival/success of key projects impacted.

Score / Impact Level: 4 Major

Descriptors: Negative outcomes from risks or lost opportunities with a significant effect that will require major effort to manage and resolve in the medium term but do not threaten the existence of the institution in the medium term

Possible Impacts Examples:

1. Financial: College revenue loss or gain of >$3M to <$25M.
2. Financial: College department unit cash impact of $250K to $500K.
3. Health & Safety (Compliance): statutory charges or civil suits against the College and one or more of its senior administrators; permanently disabling injuries to one or more persons.
4. Environment (Compliance): short term, $1 to $5M clean-up.
5. Compliance & Legal: critical risk reported to ARM, legislation breach, fine $1 to $5M
6. Reputational: negative/positive headlines in international news/social media for < 1 week, or attention in national media for 1 to 2 weeks, or in the local media > 2 weeks or sustained negative/positive reaction among surrounding communities; adverse media.
7. Strategic: one or more institutional commitments unable to be achieved in planning timeframe.
8. Human: intensive care; irreversible injury or death (one person).
9. Business Interruption: business interruption 4 to 6 weeks; inability for the substantial portion of an entire department to provide education or perform research for a period between 1 and 4 months.
10. Systems and Processes (Operational): A number of KPIs not met, bad policy advice, degrading service level trends, survival of key programs and projects impacted, IT strategy not aligned with digital college.

Score / Impact Level: 5 Catastrophic

Descriptors: Negative outcomes from risks or lost opportunities which if not resolved in the medium term will threaten the existence of the institution

Possible Impacts Examples:

1. Financial: College revenue loss or gain of > $25M.
2. Financial: College department unit impact of >$500K.
3. Health & Safety (Compliance): criminal charges and other legal action against the College and one or more senior administrators or directors; one or more fatalities.
4. Environment (Compliance): long term harm, clean-up >$5M.
5. Compliance & Legal: serious breach of legislation, fine >$5M.
6. Reputational: intense negative/positive headlines in the international media for > 1 week or in the national media > 2 weeks; national and international reputation impacted; major negative sanction by MTCU; closure of major part of the College.
7. Strategic: one or more institutional commitments unachievable.
8. Human (Hazard): multiple irreversible injuries or deaths.
9. Business Interruption (Operational): interruption > 6 weeks; Inability for the substantial portion of an entire department to provide education or perform research >1 academic term
10. Systems and Processes (Operational): critical system failure, significant impact on key programs & projects, significant impact on key stakeholders.

Step 4 (b) Likelihood

Apply the Descriptors below to determine the Likelihood of the risk and the accompanying Score:

Likelihood Rating Matrix

| Score | Likelihood Level | Descriptors |
|---|---|---|
| 1 | Rare | Event may occur only in exceptional circumstances; Unlikely to occur in 5 years |
| 2 | Unlikely | Event could occur at some time; Likely to occur once in 5 years |
| 3 | Possible | Event might occur at some time; Likely to occur once in a year |
| 4 | Likely | Event will probably occur in most circumstances; Likely to occur in a month |
| 5 | Almost Certain | Event is expected to occur in most circumstances; Likely to occur in a week |

Step 4 (c) Combined Impact/Likelihood Score

Refer to the Combined Score Legend in the table on the following page and assign the appropriate combined individual risk score, that is, Low (1-4), (5-10), High (11-18) or Critical (19-25).
Rating Matrix and Combined Score Legend

| Likelihood (L) \ Impact (I) | Insignificant (1) | Minor (2) | (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Almost Certain (5) | (5) | (10) | High (15) | Critical (20) | Critical (25) |
| Likely (4) | Low (4) | (8) | High (12) | High (16) | Critical (20) |
| Possible (3) | Low (3) | (6) | (9) | High (12) | High (15) |
| Unlikely (2) | Low (2) | Low (4) | (6) | (8) | (10) |
| Rare (1) | Low (1) | Low (2) | Low (3) | Low (4) | (5) |

Combined Score Legend

- Low (1-4): Low level of risk. Manage by routine procedures and operations; should not require much attention but should be reviewed at least every 18 months.
- (5-10): level of risk. Manage by specific monitoring or response procedures; should be monitored and reviewed every 12 months.
- High (11-18): High level of risk. Requires escalation to VP and ARM; should be constantly monitored and reviewed every 6 months (May and November).
- Critical (19-25): Top level of risk. Requires escalation to VP, ARM and Board of Governors responsible for risk management oversight; should be constantly monitored and reviewed monthly.

Step 4 (d) Control Response

Review the effectiveness of the current Controls in place and apply the Descriptors below to determine the Response Level and the accompanying Score:

Control Response Rating Matrix

| Score | Response Level | Descriptors |
|---|---|---|
| 1 | Weak | Activities or controls in place are insufficient or not operating effectively to prevent or mitigate this risk or no activities or controls in place to prevent or mitigate this risk. |
| 2 | | Activities or controls moderately reduce the risk, although activities or controls do not manage all potential risk events or are not operating effectively. Significant attention to the risk and its drivers. |
| 3 | Strong | Activities or controls in place provide considerable certainty of control and are operating effectively. The College has undertaken all economically feasible controls and is maintaining an ongoing monitoring system. |
Enter the Existing / Planned Responses and the rating Level from the Response Rating Matrix into the Effectiveness of Current Responses in column H in the Risk Register.

| A | B | C | D | E | F | F | F | G | H | I | I |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Strategic Objective | Category | Name | Description | Observations, Root Causes, Impacts | Inherent: Impact | Inherent: Likelihood | Inherent: Score | Existing / Planned Control Responses | Effectiveness of Current Control Responses | Residual: Impact | Residual: Likelihood |

Taking into consideration the Effectiveness of the Current Response column H, refer again to Steps 4 (a) and (b), and enter the impact and likelihood ratings into Residual column I.

Step 5: Risk Evaluation

Once risks have been identified and analyzed, that is, columns A through to I in the Risk Register, an evaluation of the risks is performed to determine which risks require risk treatment. The Evaluation is based on a current period of time and, as a result, a risk that may appear to be treated in one period may not need to be treated in another. It is also necessary to prioritize the treatment implementation in the Action Plan (column J).

| A | B | C | D | E | F | F | F | G | H | I | I | I | J |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Strategic Objective | Category | Name | Description | Observations, Root Causes, Impacts | Inherent: Impact | Inherent: Likelihood | Inherent: Score | Existing / Planned Control Responses | Effectiveness of Current Control Responses | Residual: Impact | Residual: Likelihood | Residual: Score | Action Plan |

Reasons for the change in risk may include:

- The risk criteria in place when the context was being considered in Step 2 may have changed.
- The College's changing risk appetite and tolerance levels, for example, the likelihood and/or impact of risk is low enough that specific mitigation plans are not required or alternatively, there is no mitigation plan available.
- Cost of mitigation plan is excessive as compared to the benefit such that acceptance of the risk is the only option.
- The risk is being driven by an external event/organization and therefore outside of the control of the College.

At this stage, the Risk Owner will have gained a complete understanding of the risk which will allow them to identify risk treatment plans to reduce the level of risk as well as apply indicators, such as key performance and key risk indicators, to respond to changes in risk prior to a negative outcome.

Step 6: Risk Treatment

Risk treatment options fall into the following:

- Avoidance: Taking action to exit the activities that give rise to the risks.
- Reduction: Reducing the risk likelihood, impact or both.
- Acceptance: Taking no action to affect likelihood or impact.
- Transfer: Reducing risk likelihood or impact by transferring or sharing a portion of the risk.

The College may benefit from the adoption of a combination of treatment options, for example, both accepting and transferring percentages of risk. Action Plans (column J) are required for Critical, High and rated risks. Action plans for Low rated risks are not required although they should be monitored in the event their risk level increases. Action Plans should have a Risk Owner, which is recorded in column K.

| A | B | C | D | E | F | F | F | G | H | I | I | I | J | K |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Strategic Objective | Category | Name | Description | Observations, Root Causes, Impacts | Inherent: Impact | Inherent: Likelihood | Inherent: Score | Existing / Planned Control Responses | Effectiveness of Current Control Responses | Residual: Impact | Residual: Likelihood | Residual: Score | Action Plan | Owner |

Examples of action plans could include:

- the creation or amendment of a policy and procedure;
- identifying and addressing a management or employee gap;
- developing KPIs or introducing current KPIs, for example, the provincial government requires all colleges to gather and report on five (5) KPIs: student satisfaction, graduate satisfaction, employer satisfaction, graduate employment rate, and graduation rate; and
- developing KRIs or introducing current KRIs which will provide an early warning and opportunity to mitigate the risk at an earlier stage.

Section 2 in the Risk Identification/Mitigation Worksheet is an efficient tool for determining the appropriate action plan. Section 1 (Risk Identification) would have been completed in Step 1 to Step 4.

Risk Identification/Mitigation Worksheet

Section 1: Risk Identification

- Risk #:
- Category:
- Description of Risk:
- Unit Team:
- Factors:
- Impacts:
- Existing Control Procedures:
- Rating, Inherent: Likelihood, Impact, Level
- Rating, Residual: Likelihood, Impact, Level

Section 2: Control Response

- Possible Treatment Options
- Analysis Result (Accept/Reject)
- Control Response Plan: Action Item, Action By, Timeline
- Resource Requirement:
- Reporting and Monitoring Required:
- Completed By:
- Date:
Action plans should be integrated with the management processes of the College operations. The ultimate intent is to move the risk rating to within the College's Risk Appetite. Once that is accomplished the residual risk rating will equal the Target rating, refer to diagram below.

[Figure: Aim for Target]

Step 7: Monitoring and Review

Monitoring: Risk monitoring and review provides Risk Owners with a consistent and timely opportunity to identify new emerging risks and revise existing risk ratings as well as to review the effectiveness of risk treatment plans in place. Although ad hoc reviews could be beneficial, particularly in a period of rapid change, planned review periods should be determined. Risk Owners are responsible for monitoring, reviewing and reporting on High and Critical rated risks, their Treatment and Residual status semiannually in March and September.

Review: The High and Critical Report will be provided annually to the ARM and Presidents Council in May and November for review and comment. The College wide Risk Register (see Register Template on next page) will be presented annually to the ARM and Presidents Council in July. The Register template will be used as the main reporting tool. At the request of ARM or Presidents Council, the register is subject to change. The tool may also be expanded at a business unit, department or project level. For example, a department may want to add an additional column to record a Business Plan Reference.
Register Template

| A | B | C | D | E | F | F | F | G | H | I | I | I | J | K | L |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Strategic Objective | Category | Name | Description | Observations, Root Causes, Impacts | Inherent: Impact | Inherent: Likelihood | Inherent: Score | Existing / Planned Control Responses | Effectiveness of Current Control Responses | Residual: Impact | Residual: Likelihood | Residual: Score | Action Plan | Owner | Implementation Timeline |

FINAL NOTE

Throughout the College, and until such time an efficient enterprise data management system is implemented to share and store ERM program related information, all ERM program files should be maintained in accordance with the College Directive, IT05: Information Sensitivity and Security.
APPENDIX 1: RISK REGISTER EXAMPLE

- Strategic Objective: Student and Client Success
- Category: Strategic
- Name: Student Retention
- Description: The risk of an inability to retain students.
- Observations, Root Causes, Impacts:
  - Observations: Some students do not complete their full program. Upward trend showing a difficulty in retaining international students.
  - Root Causes: Personal circumstances. International students receive limited training on Canadian culture.
  - Impact: Difficulty maintaining revenue as students are not completing their studies. Negative impact on the College's reputation.
- Inherent: Impact (3); Likelihood (4) Likely; Score (12) High
- Existing / Planned Responses: The College has recently introduced three new programs which train students to work in growing industries. The College offers a selection of evening and online courses, as well as a fulsome internship program in select programs, in order to accommodate students that balance courses with employment, and to provide valuable employment experience to students.
- Effectiveness of Current Responses: (2)
- Residual: Impact (2) Minor; Likelihood (2) Unlikely; Score (4) Low
- Action Plan:
  - Measure retention rates to determine any emerging trends
  - Survey students that did not complete their program to determine any key issues or trends
  - Develop and implement a peer mentorship program that pairs international students with domestic counterparts to assist with integration
- Owner: Director, International Education
- Implementation Timeline: months
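The Step 4 scoring and the Appendix 1 row, worked as an added example; it is not part of the Guideline or the College's Excel tool. It regenerates the 5 x 5 matrix from the Combined Score Legend and checks Risk Register rows for consistency. Assumptions: "Medium" is a placeholder for the 5-10 band name missing from this copy, the second row is constructed, and tying the Action Plan requirement to the residual rating is an interpretation.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Band:
    low: int
    high: int
    label: str
    review_months: int      # review cadence from the Combined Score Legend
    escalate_to: tuple      # who the legend says the risk is escalated to


# Step 4 (c) legend. "Medium" is a placeholder label: the name of the
# 5-10 band is missing from this copy of the Guideline.
BANDS = (
    Band(1, 4, "Low", 18, ()),
    Band(5, 10, "Medium", 12, ()),
    Band(11, 18, "High", 6, ("VP", "ARM")),
    Band(19, 25, "Critical", 1, ("VP", "ARM", "Board of Governors")),
)


def risk_score(impact, likelihood):
    """Step 4: multiply the 1-5 impact and likelihood scores."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return impact * likelihood


def band_for(score):
    """Map a combined score onto the legend band that contains it."""
    for band in BANDS:
        if band.low <= score <= band.high:
            return band
    raise ValueError(f"score {score} is outside the 1-25 scale")


def build_matrix():
    """Regenerate the matrix: likelihood 5..1 -> [(score, label)] for impact 1..5."""
    return {
        lik: [(risk_score(imp, lik), band_for(risk_score(imp, lik)).label)
              for imp in range(1, 6)]
        for lik in range(5, 0, -1)
    }


@dataclass
class RegisterRow:
    name: str
    inherent: tuple     # (impact, likelihood, recorded score, recorded rating)
    residual: tuple     # same layout, after current controls (column I)
    action_plan: list = field(default_factory=list)    # column J
    owner: str = ""                                     # column K


def check_row(row):
    """Return a list of findings; an empty list means the row is consistent."""
    findings, computed = [], {}
    for kind in ("inherent", "residual"):
        impact, likelihood, rec_score, rec_label = getattr(row, kind)
        score = computed[kind] = risk_score(impact, likelihood)
        expected = band_for(score).label
        if rec_score != score:
            findings.append(f"{kind} score recorded as {rec_score}, expected {score}")
        if rec_label != expected:
            findings.append(f"{kind} rating recorded as {rec_label}, expected {expected}")
    # Assumption: an Action Plan is required when the residual rating is above Low.
    plan_required = band_for(computed["residual"]).label != "Low"
    if plan_required and not row.action_plan:
        findings.append("action plan (column J) required but missing")
    if (plan_required or row.action_plan) and not row.owner:
        findings.append("no Risk Owner recorded (column K)")
    return findings


# The Appendix 1 row from the Guideline (action plan items abbreviated).
APPENDIX_ROW = RegisterRow(
    name="Student Retention",
    inherent=(3, 4, 12, "High"),
    residual=(2, 2, 4, "Low"),
    action_plan=["Measure retention rates", "Survey non-completing students",
                 "Peer mentorship program"],
    owner="Director, International Education",
)

# Constructed row with deliberate errors (not from the Guideline).
FLAWED_ROW = RegisterRow(
    name="IT Disaster Recovery",
    inherent=(4, 5, 16, "High"),    # 4 x 5 is 20, which the legend rates Critical
    residual=(4, 3, 12, "High"),
)

if __name__ == "__main__":
    for lik, cells in build_matrix().items():
        print(lik, cells)
    for row in (APPENDIX_ROW, FLAWED_ROW):
        band = band_for(risk_score(*row.residual[:2]))
        print(row.name, check_row(row),
              f"review every {band.review_months} months", band.escalate_to)
```
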
DEFINITIONS

Word/Term: Definition

Enterprise Risk: Risk describes the probability of loss (financial / property, human, liability) or other negative event. At an enterprise level it describes the effect that uncertainty can have on the College's ability to execute its strategies and/or achieve its business objectives. Risk encompasses the potential for positive as well as adverse results.

Enterprise Risk Management: Refers to integrating risk management into the entire College operation. A coordinated set of activities and methods that is used to direct the College and to control the many risks that can affect its ability to achieve objectives. Used interchangeably with the term risk management.

Enterprise Risk Management Framework: A set of components that provides the foundations and organizational arrangement for designing, implementing, monitoring, reviewing, communicating and continually improving risk management throughout the College. There are two types of components: the Enterprise Risk Management Policy and the process, also known as the Enterprise Risk Management Guideline.

Enterprise Risk Management Policy: Expresses the College's commitment to risk management and clarifies its general direction or intention.

Enterprise Risk Management Guideline: Identifies the activities we apply to manage our risk.

Risk Analysis: A process used to understand the nature, sources, and causes of the risks identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.

Risk Evaluation: The process of comparing the results of risk analysis with Risk Criteria to determine whether the risk and/or its magnitude are acceptable or tolerable. Risk evaluation assists in risk treatment decision making.

Risk Criteria: Terms of reference used to evaluate the significance or importance of the College's risks. They are used to determine whether a specified level of risk is acceptable or tolerable.
Risk Treatment: The policies, procedures, processes and controls implemented by management to modify risk, taking into consideration the College's risk tolerances, and the cost to modify and the benefit of the modification, including the effect on risk likelihood and impact.

Risk Appetite Statement: A continually reviewed statement that expresses the amount and type of risk that the College is willing to pursue or retain to achieve its mission and strategic objectives. The College statement is updated at a minimum once every three (3) years.

Risk Tolerance: Represents the application of Risk Appetite to specific objectives and implemented by Risk Owners and/or their personnel. It describes the level of risk the College is willing to accept in relation to a threat that may cause loss or an opportunity in the day-to-day business activities. The Risk Tolerance of the College may be different for different departments and business units.

Risk Profile: A written description of a set of risks that are managed and addressed on a College wide basis or only by those that are responsible for a particular function or department of the organization. The College Risk Profile is updated at a minimum once every three (3) years.

Risk Owner: A College employee who has been given the authority to manage a particular risk and is accountable for doing so.

Risk Culture: The system of values and behaviors present throughout the College that shape risk decisions. Risk culture influences the decisions of management and employees, even if they are not consciously weighing risks and benefits. Culture also describes the degree to which individuals understand that risk and compliance rules apply to everyone as they pursue their business goals and that this requires a common understanding of the organization and its business purpose.

Control: An activity or management action to mitigate risk. It includes the policies, procedures, reporting and initiatives performed by the College to ensure that the desired risk response is carried out. These activities take place at all levels and functions of the College.

Likelihood: The probability of an event occurring. Likelihood of an event occurring is rated as rare, unlikely, possible, likely, or almost certain.

Impact: The severity of an event. Impact or severity of an event is rated as insignificant, minor, moderate, major or catastrophic.

Risk Communication: The process of identifying risk and communicating broadly to enable all personnel to deliver on their responsibilities.
Risk Register: The official recording and assessment (with Impact and Likelihood) of the identified risks facing the College at a given period.

Risk Report: A report delivered to the Audit & Risk Management Committee (ARM) at least every six (6) months in May and November that provides ongoing monitoring and reporting on the progress of risk mitigation activities and results.

Risk Gap: The risk of outcomes not meeting expectations. Other terms used more specifically to the type of risk include performance gap and legitimacy gap that emerges when the interests or values, for example, of funders, Board of Directors and college representatives are not meeting expectations.

Inherent Risk: The Likelihood and Impact scores following a risk assessment and before the application of Risk Response. Also known as risk without controls.

Residual Risk: The Likelihood and Impact scores after the application of the Risk Response. Risk that remains after controls or treatment is implemented (partially or fully).

Target Risk: Risk that management desires after existing and future actions and treatments.

Risk Response: One or more risk modification methods to control risk.

Risk Universe: All risks that could impact the College.

REFERENCES

1. Enterprise Risk Management Policy
2. Colleges Ontario-Integrated Risk Management Framework (February 2014) Webinars - Produced by MNP LLP
3. International Standard CSA/ISO 31000; 2009 Risk Management Principles and Guidelines