Risk Policy and Risk Management Procedures

Preface

The University's Risk Policy sets out the University's approach to risk and its management, together with the means for identifying, analysing and managing risk in order to minimise its frequency and impact.

The risks considered significant to the ability of UWE to achieve its objectives are set out in the Corporate section of the Risk Register, which incorporates actions for dealing with those risks. The Corporate section of the Risk Register is monitored by the Vice-Chancellor's Executive on a monthly basis and is updated by nominated groups to take account of the changing environment and circumstances.

UWE Risk Management Policy and Corporate Risk Register

Table of Contents

Introduction and Implementation of Risk Management
Risk Policy
  Aims of the Policy
  Approach to Risk Management
  Roles and Responsibilities
  Risk Management
  Reporting Framework
  Risk and Internal Control
  Annual Review of Effectiveness
Risk Management Procedures
  Corporate (Strategic) and Faculty/Service (Operational) Risk Management
  Project Risk Management

Introduction

Risk is present throughout an organisation, in its buildings, equipment, policies, systems, processes, staff, students and visitors. The University recognises that the management of risk is vital to good management practice. It must be an integral part of all the functions and activities of an organisation.

The purpose of the University's Risk Policy is to develop a consistent approach towards risk across the institution and outline processes for recognising, analysing and dealing with risks as well as assuring the effectiveness of the identified processes.

The Risk Policy is designed to enable UWE to minimise the frequency and effect of adverse incidents arising from risks and to identify improvements in procedures and service delivery in order to ensure the efficient and effective use of public funds.

The management of risks includes the culture, processes and organisational structures which contribute to the effective management of potential opportunities, threats and adverse incidents.

Implementation of Risk Management

Overall responsibility for risk management within UWE lies with the Vice-Chancellor, with responsibility for implementation delegated to the Deputy Vice-Chancellor (Operations).

The University's Memorandum of Understanding with the Funding Council requires governing bodies to take reasonable steps to ensure that there are sound arrangements for risk management, control and governance, and for economy, efficiency and effectiveness (value for money), within the HEI.

The Audit Committee is a committee of the Board of Governors and has responsibility for assessing the effectiveness of risk management. The Audit Committee reports on the arrangements for risk management to the Board of Governors.

Risk Policy

1. Aims of the Policy

1.1 To outline the University's underlying approach to risk assurance;
1.2 To document the roles and responsibilities of the Board of Governors, the Vice-Chancellor's Executive and other key committees and individuals;
1.3 To outline key aspects of the risk management process;
1.4 To identify the main reporting procedures.

2. Approach to Risk Management

2.1 The definition of risk adopted by the University is twofold:
- Threat: An uncertain event which, if it was to occur, would have a material negative effect on the likelihood of achieving University, Faculty, Service or project objectives.
- Opportunity: An uncertain event which, if it was to occur, would have a favourable and advantageous effect on the likelihood of achieving University, Faculty, Service or project objectives.

2.2 Risks are linked to objectives which exist on different planes:
- Corporate/strategic risks that affect the institution as a whole;
- Faculty & Professional Service/Operational risks that are predominantly related to the operation of specific areas of the University;
- Project/programme risks associated with independent and, usually, time limited activities.

2.3 The University accepts that total elimination of risk is neither desirable nor achievable. It expects managers to take all reasonable steps to mitigate risk. The level of risk accepted should be commensurate with the expected reward.
In overall terms it is looking to achieve a balanced risk portfolio at the University level, with net risk averaging out at medium using the scoring system illustrated within section

The following key principles outline the University's approach to risk and internal control:
- the Board of Governors has responsibility for overseeing risk management within the University as a whole;
- the approach adopted to identifying and mitigating risk is an open one, receptive to input from all Governors and staff at all levels;
- the Vice-Chancellor's Executive supports, advises and implements policies approved by the Board of Governors;
- the University makes conservative and prudent recognition and disclosure of the financial and non-financial implications of risks;
- significant risks will be identified and monitored on a regular basis;
- risks will be identified through the academic and executive Governance structures and will be managed at a variety of different levels of the University;
- the University will adopt standard reporting processes and frameworks.

3. Roles and Responsibilities

Role of the Board of Governors

3.1 The Board of Governors has responsibility for the oversight of the management of risk, part of which it may delegate to its Audit Committee.

3.2 Through approving the Risk Policy the Board of Governors sets the tone and influences the culture of risk management within the University. This includes determining:
- whether the University is risk taking or risk averse as a whole or on any relevant issue;
- the risk appetite of the University;
- what types of risk are acceptable and which are not;
- the standards and expectations of staff with respect to conduct and probity in relation to risk management.

3.3 The Board of Governors is also responsible for:
- determining the appropriate level of risk exposure for the University;
- taking major decisions affecting the University's risk exposure;
- monitoring the management of the most significant corporate risks;
- assuring itself that risks identified across the University are being actively managed, with appropriate controls in place which are working effectively;
- biennially reviewing the University's Risk Policy to ensure it remains fit for purpose.

Role of the Vice-Chancellor's Executive

3.4 The key roles of the Vice-Chancellor's Executive are to:
- maintain the risk registers for which they are responsible;
- implement policies on risk management within the areas for which they are responsible;
- through the Vice-Chancellor's Executive Group, identify and evaluate the significant risks faced by the University for consideration by the Board of Governors;
- provide adequate information in a timely manner to the Board of Governors and its committees on the status of risks and controls;
- undertake an annual review of the effectiveness of the system of internal control and provide a report to the Audit Committee.

3.5 The Vice-Chancellor has delegated day to day responsibility for risk management to the Deputy Vice-Chancellor (Operations).

4. Risk Management

4.1 The objective of risk management is to actively support the achievement of the University's agreed objectives and not simply to avoid risk.

4.2 Control of risks generates direct costs and opportunity costs. Risk management involves determining the acceptable level of exposure to risk which enables the achievement of University objectives whilst achieving a balance between the level of risk exposure and the cost of mitigating actions. Risk management is a process which provides assurance that:

4.2.1 objectives at all levels are more likely to be achieved;
  damaging events are less likely to occur;
  beneficial events are more likely to occur.

5. Reporting Framework

5.1 The University uses a single SharePoint based Risk Register which delivers a consistent format whilst allowing for different views of the information.

5.2 Risks will be categorised as preventable, strategic or external. The category of risk will assist in determining the appropriate method of managing the risk.

5.3 Risks will be assessed using two elements: impact of the risk occurring and the probability of occurrence. Each element will be assessed on a 5 point scale.

5.4 The impact of a risk occurring is likely to affect the cost, quality or the timeliness of the activity. The impact of a risk will be determined by the highest score received on the matrix below.

Impact score 1
- Financial: Financial implications of the risk are very low and are comfortably within the ability of the risk owner to manage locally.
- Quality: The impact on quality is very low. Risk occurring would represent a minor revision to planned outcomes.
- Time: The impact is very low. It will have little effect on timescales.

Impact score 2
- Financial: Financial implications of the risk are low (<10% of the budget or Faculty/Service turnover). It remains within any contingencies set.
- Quality: The impact on quality is low. Risk occurring may detract slightly from the desired quality of the outcomes.
- Time: The impact is low. It may delay one or more elements of the activity but not the overall timescale.

Impact score 3
- Financial: Financial implications of the risk are medium (10% - <25% of the budget or Faculty/Service turnover). It may exhaust or be larger than contingencies made but can be managed without additional funds.
- Quality: The impact on quality is medium. Risk occurring would detract from the desired quality of the outcomes but not detract from the overall purpose of the activity.
- Time: The impact is medium. Overall timescale slightly extended but it is unlikely to materially affect desired outcomes.

Impact score 4
- Financial: Financial implications of the risk are high (25% - <50% of the budget or Faculty/Service turnover). It is not possible to meet the cost within the approved budget and further funding would be required.
- Quality: The impact on quality is high. Risk occurring would significantly detract from the original desired quality of the outcomes and may reduce the viability of the activity as outcomes require revision.
- Time: The impact is high. Timescales greatly extended. Outcomes may be later than required in order to obtain maximum benefit.

Impact score 5
- Financial: The impact on finance is critical (>50% of the budget or Faculty/Service turnover). Increased cost would negate benefits of activity and may destabilise the reporting unit.
- Quality: The impact on quality is critical. Risk occurring would reduce quality of desired outcomes to such an extent that it negates benefits of activity.
- Time: The impact is critical. Extended timescales mean that outcomes would be too late and negate benefits of activity.

5.5 Members of the Vice-Chancellor's Executive and Project Sponsors are responsible for determining the impact of the risks for which they are responsible, using the framework provided in 5.4 as a guide.

5.6 The assessment of the probability of a risk occurring is standard across the University:

Probability Score | All Risks
1 | Highly unlikely to occur (< 20% probability)
2 | Unlikely to occur (20% - <40% probability)
3 | Likely to occur (40% - <60% probability)
4 | Very likely to occur (60% - <80% probability)
5 | Extremely likely to occur (> 80% probability)

5.7 Risks will be scored before and after mitigating actions, and at each point of scoring the total risk will be the product of the two elemental scores: Impact x Probability.

Mitigating actions are controls and actions taken to reduce the likelihood of a risk occurring, or to limit the impact of the risk. Risk exposure is the net risk after all mitigating actions or factors have been taken into account.

5.9 The risk register also captures:
- the deadline by which mitigating actions are to be implemented (or embedded);
- leading edge indicators which may signal that a risk is increasing or decreasing in response to mitigating actions;
- assurance mapping so that Managers can demonstrate that mitigating actions are both being implemented as designed and delivering the desired effect. The assurance mapping can be used to further test the assumptions of risk owners.

6. Risk and Internal Control

6.1 The system of internal control is designed to manage and mitigate rather than eliminate the risk of failure to achieve policies, aims and objectives. It is based on an ongoing process to identify the principal risks to their achievement, to evaluate the nature and extent of those risks and to manage them efficiently, effectively and economically.

6.2 Related to significant risks are policies that, among other things, form part of the internal control process. The policies are approved by the Board of Governors and implemented by the Vice-Chancellor's Executive.
6.3 Risk Management is addressed on a University-wide basis but individual Faculties and Professional Services have an essential role in the identification, assessment, on-going monitoring and mitigation of risks. Faculty and Professional Service planning documents should identify mitigating actions that will be taken to reduce significant risks. In some cases, individual risks will be formally owned by a Faculty or Professional Service where the function concerned lies wholly or mainly within its remit.

6.4 Reporting arrangements through senior line management are designed to monitor key risks and their controls. Decisions to rectify problems are made by the member of the Vice-Chancellor's Executive with responsibility for the risk, with reference to other staff and University committees and the Board of Governors as and where appropriate to do so.

6.5 The strategic planning and annual budgeting process is used to set key objectives in support of the 2020 work streams and enablers, agree action plans and allocate resources. Targets contained in the Faculty and Professional Service planning documents provide mitigating actions which are explicitly linked to risks faced by the University. The annual estimates (macro budget) presented to the Board of Governors contain an analysis of risks inherent in them and how these are mitigated.

6.6 Risks associated with major University projects will be managed through the appropriate project boards adopting project management methodologies such as PRINCE2 and have a distinct section within the risk management procedures document (see page 13).

6.7 The Corporate section of the Risk Register is compiled by the Vice-Chancellor's Executive and reported to the Audit Committee to help facilitate the identification, assessment and monitoring of risks of significant importance to the University. The document is normally discussed monthly by the Vice-Chancellor's Executive Group and presented to each meeting of the Audit Committee. Emerging risks are added as required, and improvement actions and risk indicators are monitored on an ongoing basis through line management structures.

6.8 The Audit Committee is required to report to the Board of Governors on internal controls and alert it to any emerging issues. The Audit Committee oversees internal audit, external audit and management as required in its review of internal controls. The Committee has responsibility, delegated by the Board of Governors, for governor oversight of risk assurance, ensuring that the Risk Policy is appropriately applied. It directly monitors the management of the most significant risks to the University, as recorded in the Corporate Section of the Risk Register.

6.9 Internal audit is an important element of the internal control process. In addition to its programme of probity and value for money work, internal audit is responsible for aspects of the annual review of the effectiveness of internal control systems.
The internal audit plan is guided by, but not limited to, the assessment of risks identified through the University's risk management procedures.

External Audit provides feedback to the Audit Committee on the operation of internal financial controls reviewed as part of the annual audit.

7. Annual Review of Effectiveness

7.1 The Audit Committee is responsible for reviewing the effectiveness of internal control of the institution, based on information provided by auditors, senior management and the Director of Finance.

7.2 For each significant risk identified, the Audit Committee will:
- review the previous year and examine the institution's track record on risk management and internal control;
- consider the internal and external risk profile of the coming year and consider if current internal control arrangements are likely to be effective.

7.3 In so doing, the Audit Committee will consider:

Control environment:
- the University's objectives and its financial and non-financial targets;
- organisational structure and calibre of the Senior Management Team;
- culture, approach and resources with respect to the management of risk;
- delegation of authority;
- public reporting.

On-going identification and evaluation of significant risks:
- timely identification and assessment of significant risks;
- prioritisation of risks and the allocation of resources to address areas of high exposure.

Information and communication:

- quality and timeliness of information on significant risks;
- time it takes for control breakdowns to be recognised or new risks to be identified.

Monitoring and corrective action:
- ability of the institution to learn from its problems;
- commitment and speed with which corrective actions are implemented.

7.4 The Vice-Chancellor's Executive prepares a report of its review of the effectiveness of the internal control system annually for consideration by the Audit Committee, normally as part of the returns submitted to HEFCE in the autumn/winter.

8. Risk Management Procedures

8.1 The University's risk management procedures are approved by the Vice-Chancellor's Executive Group. Recognising the different types of risk, the procedures are split into two sections:
- Preventable, Strategic and External risk management
- Project risk management (section 9)

Preventable, Strategic and External Risk Management

Risk Management

8.2 Categorising risks as Preventable, Strategic or External helps managers consider why the risk is occurring and what can feasibly be done to mitigate the risk. The definitions of the categories, as well as mitigation tactics, are set out below:

- Preventable risks represent the majority of risks faced by the University; they originate internally from failure to ensure or prevent particular behaviours. There is rarely, if ever, a benefit to the University of tolerating a preventable risk. Preventable risks should be mitigated using a rules or process approach to promote or prohibit behaviours. Failure to manage these risks might feasibly lead to loss of reputation or even prosecution. Examples of preventable risk include fraud or failure to follow process.

- Strategic risks are more acceptable and recognise that pursuing one strategic direction over another incurs risks (including opportunity risks).
These risks should be managed through reducing the probability of the risk materialising or managing or containing the impact should it occur. In order to test the assumptions behind them, strategic risks require greater levels of discussion and challenge than preventable risks.

- External risks may be foreseeable by the University, but are outside of its control. These risks should be managed through identifying and assessing the foreseeable risks and planning how the impact could be mitigated should they occur. They can be difficult to spot and as a result often fall into the black swan category and encompass natural or economic disasters, geopolitical or environmental changes or strong moves by competitor organisations. Scenario planning based on the outcomes of a PESTLE analysis, or even assigning staff to consider the University's vulnerability to disruptive technologies or competitors, can also help to identify external risks. An example of an external risk would be a change to legislation on, or regulation of, student visas.

8.3 The University maintains a single risk register. The register records all non-project risks.

8.4 Each Faculty and Service is required on a monthly basis to detail what they consider to be key risks, their gross score (pre mitigation), mitigating actions and the net risk score (post mitigation) on the risk register.

8.5 All risks must be specific (i.e. what it is a risk in relation to) and provide mitigating actions, a date by which they will be implemented (or become embedded within core activities) and who is responsible for managing the risk. They must also indicate lead indicators, a change to which might signal a positive or negative movement in the University's exposure to a particular risk.

8.6 Where the risk, mitigating actions or the assurance of mitigating actions has not changed, Faculties and Services are required to indicate that they have reviewed the risk by entering the date of review. When reviewing risks they are responsible for, a commentary should be provided on the level of assurance that can be taken in the mitigating actions, in that they are being implemented and are also effective.

8.7 The Head of Service or Executive Dean is responsible for the Faculty/Service section of the risk register but may delegate the maintenance of the register to another member of the management team.

8.8 Where appropriate, risks identified by Faculties and Services should be mapped to the workstreams and enablers supporting the 2020 Strategy or the Faculty Business Plan.

Strategic Workstreams | Executive Lead
Outstanding Learning | Prof Paul Gough supported by Prof Julie Mcleod
Research with Impact | Prof Paul Gough supported by Prof Martin Boddy
Ready and Able Graduates | Prof Paul Gough supported by Prof Julie Mcleod
Strategic partnerships, connections and networks | John Rushforth supported by Prof Martin Boddy and Prof Julie Mcleod
People: Performance and Development | Vice-Chancellor supported by John Rushforth and Debbie England
Place: Resources, Estate and Infrastructure | John Rushforth and William Marshall supported by William Liew and Chris Abbott
Health and Safety | Vice-Chancellor supported by John Rushforth and Alison Weeks
Reputational and Market | Vice-Chancellor supported by John Rushforth

8.9 From the review of risks identified by Faculties and Services and their own horizon scanning, members of the Vice-Chancellor's Executive, or their nominee, are responsible for updating relevant risks in the corporate section of the Risk Register at each meeting.

The Deputy Vice-Chancellor (Operations) is responsible for presenting the Corporate section of the Risk Register to the Vice-Chancellor's Executive for review and, based on an analysis of the risk profile illustrated by the whole Risk Register, will identify where additional thematic discussion of risks and their management is necessary.

The Corporate section of the Risk Register will be provided to each meeting of the Board of Governors Audit Committee for monitoring purposes and may allow for discussion of the risk management practices employed by an individual Faculty or Service.

Process Overview

Stage 1
Faculties/Services identify risks to their objectives and successful operation as well as the appropriate mitigating actions and the assurance that can be taken in those actions. Identified risks aligned to headings of the University's Strategic Plan.

Stage 2
Executive Groups or Academic Board Committees review risks identified under the corporate headings delegated to them by the Vice-Chancellor's Executive. Using the information from Faculties/Services, combined with knowledge of the external context, each member of the Vice-Chancellor's Executive (or nominee) updates risks under the headings of the corporate section of the risk register for which they are responsible.

Stage 3
Vice-Chancellor's Executive review the Corporate section of the Risk Register on a monthly basis to monitor management of risks and determine any ancillary actions required to manage identified risks. From the accompanying analysis of the whole register, Vice-Chancellor's Executive determine where further thematic discussion or additional resources may be required.

Stage 4
Corporate section of the Risk Register provided to each Board of Governors Audit Committee for monitoring. Audit Committee report to the Board of Governors on Risk Management at the University.

9. Project Risk Management Strategy

Document Title: UWE PMO Projects Risk Management Strategy
Author: Chris Little
Version: 0.4
Status: For Review and Approval

The source of this printed document can be found in the Transformation Services Documents in SharePoint.

Version History

Revision Date | Version Number | Summary of Changes | Changes Marked
22/12/ Initial Draft N
4/01/ & 3.2 N
1/02/ Figure 1 & Appendix A N
6/06/ Updated refs to PMO

Reviewed by

This document (or its component parts) has been reviewed by the following:

Name | Title | Issue Date | Version
Lee Norris | PMO, ITS | 22/12/11 | 0.1/0.3
Alastair Osborn | Deputy to Clerk of Governors | 22/12/11 | 0.1/0.3
Chris Little | Senior Project Manager, Transformation Services | 6/6/13 | 0.3/0.4

Approvals

This document requires the following approvals:

Name | Title | Date
Lee Norris | Head of PMO ITS | 01/02/12
VCEG

Distribution

This document has been distributed to: Vice Chancellors Exec group

Name | Title | Date
VCEG | Vice Chancellors Exec group | 06/02/12

Contents

Section Heading
1 Purpose of Document
  1.1 Introduction
  1.2 Scope Inclusions
  1.3 Scope Exclusions
  1.4 Ownership
2 Risk Management Framework
  2.1 Introduction
  2.2 Aims of the Risk Management Framework
  2.3 Objectives
  2.4 Risk Assessment
  2.5 Mitigation Strategy
3 Risk Management Process
  3.1 Overview
  3.2 Risk Analysis
  3.3 Risk Management
  3.4 Risk reporting
  Figure 1 Process Flow Risk Management Process
  3.5 Roles and Responsibilities
Appendix 1 Matrix of Roles and Responsibilities

1. Purpose of Document

1.1 Introduction

The purpose of this document is to provide a consistent process for the management of risks for all Projects and Programmes [1] within UWE.

This document defines Risk Management in respect of the standards, processes and procedures to be employed in the identification, analysis, quantification, mitigation, escalation and documentation of risks.

The audience of this document is all members of Transformation Services, Project Managers, Project and Programme Boards, and Project Team members.

[1] Programme in this context is a group of projects and/or related activities which are designed to deliver a strategic benefit to the organisation.

1.2 Scope Inclusions

This document describes the process for resolving:
- Project Risks. Risks that can be resolved within a project team.
- Programme Risks. Risks that cannot be managed at the project level or affect multiple projects within a programme.
- Project Board Risks. Risks that are either of a strategic nature, have a major impact on service operations or project milestones, or require senior stakeholder direction or action.

1.3 Scope Exclusions

The scope of this document excludes the management of corporate strategic and operational risks, which is detailed in the corporate Risk Policy and Risk Management Procedures at

Ownership

The Project Risk Management Strategy is owned and controlled by Transformation Services.

2 The Risk Management Framework

2.1 Aims of the Risk Management Framework

The aim of risk management is to improve the likelihood of the organisation, programme or project achieving its stated objectives and safeguarding assets and investments. The Risk Management Strategy is designed to:
- Focus the Project Board and senior management on the major risks that threaten Project delivery and objectives.
- Provide a clear picture of the major risks facing the Project, their nature, potential impact and their likelihood.
- Establish a shared and unambiguous understanding of what risks will be tolerated.
- Actively involve all those responsible for the planning and delivery of Project key deliverables, objectives and benefits.
- Embed risk awareness and management in planning and decision-making processes.
- Clarify and establish roles, responsibilities and processes.
- Enable and empower managers to manage those risks in their area of responsibility.
- Include regular risk monitoring and review of the effectiveness of internal control.

2.2 Objectives of the Risk Management Strategy

The objectives of an effective RMS are to ensure:
- Early identification and management of risks
- Proper analysis, evaluation and quantification of risks
- Clear and consistent assignment of ownership and management of risks
- Comprehensive identification, definition and evaluation of appropriate mitigation routes
- Clearly defined policy, standards, processes and procedures
- Proper documentation and storage of information for audit and quality purposes.

2.3 Risk Assessment

Risk Assessment Matrix

The Assessment matrix provides a framework for assessing and measuring identified Risks, which will be reviewed at various points within the Governance structure to ensure appropriate priority and visibility is assigned to them.

Whilst Risks will arise from various diverse routes, it is essential that the standards for assessing the probability and impact of occurrence of each Risk should be subject to the same criteria across the whole Project. This will allow the Risks to be managed consistently, at the appropriate level, and given the appropriate attention and visibility.

Risk evaluation and quantification comprises scores of four types:
- Impact: The level of impact on objectives and business service that would arise should the risk materialise.
- Probability: The likelihood of the risk arising.
- Proximity: This is when the risk is likely to occur and assists with prioritisation and urgency associated with managing risks.
- Trend: This records the direction of travel of the level of a risk.

The scores and associated descriptions are shown in the tables below.

Scoring Impact

The Risk Owner allocates a score based on the severity of the impact assessment; see Table 1.

Table 1 Levels of Risk Impact

Impact Rating 1, Negligible
- Impact Description: It will have little effect on Programme / Project milestones, timescales, or achievement of overall goals or benefits.
- Impact on cost / loss of benefit (**Example): No additional cost

Impact Rating 2, Minor
- Impact Description: It may delay delivery or quality of one or more deliverables but not delay the overall Project, or affect achievement of overall goals or benefits.
- Impact on cost / loss of benefit (**Example): No additional cost

Impact Rating 3, Moderate
- Impact Description: A Project milestone is delayed which could extend timescales, but it is unlikely to materially affect successful delivery of the programme / project objectives and benefits.
- Impact on cost / loss of benefit (**Example): Additional costs by up to 5%

Impact Rating 4, Significant
- Impact Description: It is likely to delay the achievement of a number of Programme / project milestones or a major milestone which could significantly extend timescales or costs. Successful delivery of the Programme / Project benefits could also be materially impacted.
- Impact on cost / loss of benefit (**Example): Additional costs by 6% to 10%

Impact Rating 5, Critical
- Impact Description: Programme / Project objectives no longer achievable or major reduction of benefits due to significant time, cost or quality issues.
- Impact on cost / loss of benefit (**Example): Additional costs over 10%

** The amount of risk which is judged to be tolerable is the risk tolerance and is the maximum overall exposure to risk that should be accepted based upon the benefits and costs involved. This level will be determined on a Project by Project basis by the respective Boards and will be influenced by the scale (time, cost, benefits) and complexity of each Project.

Scoring Probability

This allows an assessment of the probability that the risk will materialise. The Risk Owner allocates a score based on the probability assessment; see Table 2.

Table 2 Levels of Risk Probability

Value | Description
1 | Unlikely / Rarely happens. It is highly unlikely that the risk will materialise. Less than 20% chance
2 | Likely. Could happen with a 20% to < 40% chance
3 | Very Likely. 40% to < 60% chance of occurring
4 | Highly Likely. 60% to < 80% chance of happening, difficult to prevent because outside of direct control or influence. There will be strong evidence to back up the assessment
5 | Extremely Likely. 80+% chance

Overall Risk Score

The Impact multiplied by the Probability gives an overall risk score.

Table 3 Risk Score

Impact (columns): Negligible, Minor, Moderate, Significant, Critical
Probability (rows): Extremely Likely, Highly Likely, Very Likely, Likely, Unlikely

Project risks can be summarised in a heat map. A template is available at: %20-%20heat%20map%20template.xlsx

These risk scores will determine the amount and urgency of mitigation action and monitoring to manage the associated risks. Table 4 below provides some guidance as to what the scores can represent in management terms.

Table 4 Definition underpinning Risk Scores

Risk Score
- Close monitoring by Project Board
- High or very high exposure
- Beyond risk appetite
- Urgent need to consider additional risk mitigation action
- Contingency plan required

Risk Score
- Close Monitoring/management by Project manager and Workstream leads
- Borderline risk appetite
- Urgent need to consider additional risk mitigation action
- Contingency plan required
- Exception reporting on increasing severity to red

Risk Score 5-10
- Medium exposure
- Within risk appetite
- Need to consider additional risk mitigation measures
- Close monitoring/management by risk owner
- Review by Workstream lead/project manager

Risk Score 1-4
- Low exposure
- Well within risk appetite
- Monthly monitoring by Risk Owner
- Risk owner should give consideration to relaxation of control

2.3.5 Risk Proximity

All risks must also include an entry for the Proximity, i.e. the time period in which the risk is expected to occur. This provides another dimension for prioritising mitigation and actions for effective risk management.

There are 3 levels of proximity added to the risk log for all risks and in risk reporting.

- 0-3 Months
- 3-6 Months
- 6-9 Months
- 9 Months

Risk Trend

The risk trend provides another dimension to the assessment and management of risk by indicating the direction of travel of a risk, which, with proximity, helps prioritise management attention where more than one risk shares the same risk score. There are 3 trends:

- Static
- Increasing
- Decreasing

2.4 Mitigation Strategy

A risk mitigation strategy is a plan which seeks to mitigate the risks and safeguard investment and service delivery activities. This is achieved through proactive actions that reduce either:

a) the probability of a risk occurring or
b) the impact of the risk.

The Mitigation Strategy comprises 3 approaches to deal with the risk:

Acceptance: Accept the risk but take no pre-emptive action to resolve it (unable to address the risk or not cost effective to do so), but consider contingency plans should the risk materialise.
Treat: Develop a mitigation plan to reduce probability and/or impact.
Transfer: The Risk is moved to another Individual, Department or Function to deal with.

The risk mitigation plan will detail the specific risks that will have to be dealt with and the action that has to be taken to carry out the risk mitigation strategy. This provides team members and managers with clarity of the action that is expected from them, while the senior management and the Partnership Board have the knowledge of the steps being taken on their behalf to reduce the risk.

Risk Status

The Team manager updates the issue status depending on progress with management and resolution.

New: A newly reported risk in the month
WIP: The risk has been assessed, and is being actively managed
Escalated: The risk has been escalated to the Project Board or other governance body for review and advice
Transfer: The risk has become an issue and transferred to the project issues log, or has been transferred out of the project to another management body.

Closed: The risk has been resolved or its consequences accepted

3 Risk Management Process

3.1 Overview

Risk analysis and management are ongoing processes incorporated throughout the life of a Programme or Project and are the responsibility of all staff involved with a project. The responsible managers will keep stakeholders informed of risks identified, action taken where appropriate and the success of those actions. There are three parts to the risk management process:

Analysis: Identification, definition, and assessment of probability and impact.
Management: Risk mitigation strategy and plan, monitoring and control of actions employed to deal with the threat, and problems identified in analysis.
Reporting: All risks raised will be recorded on the Project Risk Log and will be owned by the Project Manager. Reporting of risks will be carried out on a regular basis in accordance with the agreed governance structure and terms of reference.

3.2 The Risk Analysis Process

Identification of risks is an ongoing process but gets the best results when done on a group basis at key intervals such as the initial business case development stage, and again during project initiation.

- Identify risks that could adversely affect the impact and efficient delivery of project and programme objectives and benefits. A risk should be defined in a brief and clear sentence. A recommended structure is: IF <the anticipated event happens> THEN <impact on the project objective occurs>. It is helpful if risks and objectives are considered together; this can help clarify project objectives.
- Assess the importance, probability and the impact of each risk
- Decide whether the level of risk is acceptable (see 2.3.4)
- Identify possible actions to be taken to reduce the probability or impact of the risk materialising.

3.3 Risk management process

Mitigation strategy and monitoring

Based upon the level of concern and controllability for each risk, the Risk Owner will decide on the risk mitigation strategy and associated actions, i.e. whether to accept, treat, or transfer the risk, and ensure those actions are carried out as required. The Risk Owner will, at least monthly (more frequently for red and amber/red risks), review and monitor progress, consider the effect on the overall risk rating, and ensure that those changes and updates are reflected in the Risk log.

Contingency planning

Where the risk has a high risk rating (red), contingency plans will need to be developed to address the consequences of the risk materialising.

Escalation

Risks will need to be escalated to the next level of seniority (i.e. individual or group) and the escalation recorded in the risk log where:

- The risk is of significant concern (i.e. red) - escalate to the Board

- Where the risk is outside of the boundaries of authority, responsibility, or control of the Risk Owner, or
- The risk relates to more than one manager's area of responsibility, or
- Actions to manage the risk require additional resources or require approval elsewhere

Transfer

When the risk actually happens it becomes an issue and should be transferred to the issues log. If a risk affects the project but is outside of the remit of the Project Team or Project Board it should be transferred to the most appropriate corporate governance body and managed therein. A watching brief within the project will be required.

3.4 Reporting

Up to date risk reports are provided for team meetings and governance meetings on a timely basis for review, with a focus on amber and red/amber risks within the Project Team, and red or strategic risks at the Project Board. See Figure 1 for Process Flow.

3.5 Roles and Responsibilities

The Project Manager

The Project Manager is responsible for ensuring that all Risks have been assigned a RO and are actively being managed. The Project Manager is specifically responsible for:

- Ensuring all Programme/Project risks are identified and captured on the risk log
- Checking the assessment (RAG) and mitigation strategy and category for all risks
- Ensuring all risks are assigned to the most appropriate Risk Owner with the authority and responsibility to manage them
- Reviewing any risks with increasing severity (Amber to Red based on pre-mitigation score)
- Escalating risks to the Project Board for consideration when mitigation is outside the Programme/Project manager's jurisdiction, or additional support outside of the Programme/Project is needed
- Considering if there are new unidentified risks
- Ensuring the top 3 risks are reported on the weekly Project highlight reports

Note: in a project, it is normally the Project Manager who is the risk owner, as the PM will be managing the risk, but others will be Action Owners, including the sponsor and Board members where their authority is needed.

Project Board

The Project Board is accountable for the overall management of the Project Risks and is required to review the Board level risks as a standing agenda item.

- Review and monitor all Red risks on the register and as a minimum examine in detail all risks with a score of 16 to 25
- Identify strategic risks and mitigation
- Allocate as necessary resource to support the risk management process
- Agree the overall risk tolerance level (risk appetite)

- Provide direction to the Project Manager as required for management of risks

All staff

To be alert to possible risks and raise risks with the Project Manager.

Appendix 1 shows a summary matrix of roles and responsibilities.

Figure 1 Risk Management Process

Risk Raiser (responsible for notifying the RO of a new risk)
1. Risk Identified - Records Risk description & category in Risk Log, or notifies RO by

Risk Owner (responsible for managing assigned risks and updating risk log)
2. Assesses & validates risk, ownership & mitigation strategy
3. Creates mitigation plan, assigns actions & updates risk log
6. R.O updates Risk Log with progress and new mitigation if req'd
7. Decides if risk is mitigated sufficiently or resolved (Y / N)
8. Closes, Transfers or Escalates risk

Action Owner (responsible for executing assigned actions & updating risk log)
4. Action Owner executes actions
5. Action Owner Updates Risk Owner with Progress

Project Manager
Reviews Log, chases updates and produces updates for Governance meetings.

Appendix 1 Roles and Responsibilities for Risk Management Process

Role columns: Proj Mngr, Work stream lead, Risk Owner, Action Owner, Project Team, Senior Project Team, Project Board

Task | Roles marked | Frequency | Tool
Notify the PM or Workstream lead of any new risks as they arise | Y | As they arise, or at least on a weekly basis prior to the project update process | Via /meetings/ or phone
Ensure all known risks are entered on the Risk Log. Assess Risk, decides mitigation strategy and category & inform relevant Risk Owner | Y Y | As they arise, or at least on a weekly basis prior to the project update process | Risk Log
Assign and notifies Risk Owner | Y Y | When risk arises | Risk Log
Develop Risk Mitigation plan and assigns Action Owners | Y | When assigned Risk | Risk Log
Executes mitigation actions and updates RO with progress | Y | When assigned actions. Updates fortnightly |
Updates Risk log with progress and reassesses risk & status etc | Y | At least monthly, more frequently for red or amber/red risks | Risk Log
Enter Top 3 risks in Highlight Report | Y | Weekly | Highlight Report
Review Risk log, chase RO for updates | Y | At least Monthly | Risk Log
Review Highlight reports for Risks | Y | Weekly | Highlight report
Prepare Risk Report for Board | Y | For Governance meetings | Risk Log, Report
Review Risk Report | Y Y | At all Governance meetings | Risk Report


More information

London Legacy Development Corporation s Statement of Risk Appetite September 2015

London Legacy Development Corporation s Statement of Risk Appetite September 2015 London Legacy Development Corporation s Statement of Risk Appetite September 2015 Appendix 1 1. INTRODUCTION 1.1 Her Majesty s Treasury uses the Orange Book definition of risk management The amount of

More information

Shepway District Council Risk Management Policy

Shepway District Council Risk Management Policy Shepway District Council Risk Management Policy Contents Section 1 Risk Management Policy... 3 1. Updates and amendments... 3 2. Definition... 3 3. Policy statement... 3 4. Objectives... 3 Section 2 Risk

More information

Council Meeting Agenda 27/07/15

Council Meeting Agenda 27/07/15 3 Risk Management Framework Abstract Council s Risk Management Framework ( the Framework ) was adopted by Council in 2012. The Framework provides structure and guidance to Council s risk management activities

More information

Project, Programme and Portfolio Management Delivery Plan 6

Project, Programme and Portfolio Management Delivery Plan 6 Report title Agenda item Project, Programme and Portfolio Management Delivery Plan 6 Meeting Performance Management and Community Safety Panel 27 April 2009 Date Report by Document number Head of Strategy

More information

RISK MANAGEMENT POLICY

RISK MANAGEMENT POLICY RISK MANAGEMENT POLICY Nuffield College s Risk Management Policy defines the College's approach to risk and how risk management should be embedded into management processes to ensure that the major risks

More information

Integrated Risk Management:

Integrated Risk Management: Integrated Risk Management: A Framework for Fraser Health For further information contact: Integrated Risk Management Fraser Health Corporate Office 300, 10334 152A Street Surrey, BC V3R 8T4 Phone: (604)

More information

Risk Management. Policy

Risk Management. Policy Policy Risk Management Endorsed: 26 February 2014 Brief description The GPC Risk Management Policy and its supporting standards and procedures provide a framework to ensure that risks arising from our

More information

RISK MANAGEMENT POLICY

RISK MANAGEMENT POLICY RISK MANAGEMENT POLICY Approved by Governing Authority February 2016 1. BACKGROUND 1.1 The focus on governance in corporate and public bodies continues to increase. It resulted in an expansion from the

More information

HOME GROUP LIMITED JOB DESCRIPTION

HOME GROUP LIMITED JOB DESCRIPTION Ref No: HGL 1 JOB DETAILS HOME GROUP LIMITED JOB DESCRIPTION Job Holder: Job Title: IS Service Desk Manager Reports to: Head of IS Service Management Date: August 2012 2 JOB PURPOSE To lead the IS service

More information

COMPLIANCE CHARTER 1

COMPLIANCE CHARTER 1 COMPLIANCE CHARTER 1 Contents 1. Compliance Policy Statement... 2 2. Purpose... 2 3. Mission and objective of the Directorate: Compliance... 2 3.1 Mission... 2 3.2 Objective... 3 4. Compliance risk management...

More information

Risk Management Plan template <TEMPLATE> RISK MANAGEMENT PLAN FOR THE <PROJECT-NAME> PROJECT

Risk Management Plan template <TEMPLATE> RISK MANAGEMENT PLAN FOR THE <PROJECT-NAME> PROJECT RISK MANAGEMENT PLAN FOR THE PROJECT Prepared by: Approved by: Reference: Version: Date: INTRODUCTION This document is the Risk Management

More information

RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES

RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES GOVERNMENT ACCOUNTING SECTION DEPARTMENT OF FINANCE MARCH 2004 Risk Management Guidance CONTENTS Pages List of guidelines on risk management

More information

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority Internal Audit Progress Report (19 th August 2015) Contents 1. Introduction 2. Key Messages for Committee Attention 3. Work in progress Appendix A: Risk Classification and Assurance Levels Appendix B:

More information

Integration of Risk Management and Internal Audit. Chartered Institute of Management Accountants, New Zealand

Integration of Risk Management and Internal Audit. Chartered Institute of Management Accountants, New Zealand Integration of Risk Management and Internal Audit Chartered Institute of Management Accountants, New Zealand Contents Understanding the three lines of defense governance model What is Risk? Risk Management

More information

Strategic Risk Management for School Board Trustees

Strategic Risk Management for School Board Trustees Strategic Management for School Board Trustees A Management Process Framework May, 2012 Table of Contents Introduction Page I. Purpose....................................... 3 II. Applicability and Scope............................

More information

Risk Management: Coordinated activities to direct and control an organisation with regard to risk.

Risk Management: Coordinated activities to direct and control an organisation with regard to risk. POLICY CG01 RISK MANAGEMENT Document Control Statement This Policy is maintained by the Governance and Organisational Strategy. Any printed copy may not be up to date and you are advised to check the electronic

More information

R U N D O. The ECU Technology Governance Framework A brief guide

R U N D O. The ECU Technology Governance Framework A brief guide PLAN R U N D O DO The ECU Technology Governance Framework A brief guide The ECU Technology Governance Framework A brief guide The ECU Technology Governance Framework is made up of a set of processes, effected

More information

Year 2000 Business Continuity Planning: Guidelines for Financial Institutions Introduction

Year 2000 Business Continuity Planning: Guidelines for Financial Institutions Introduction Year 2000 Business Continuity Planning: Guidelines for Financial Institutions Introduction The purpose of this paper is to help financial institutions, in particular their senior management, address business

More information

Business Continuity Management Policy and Framework

Business Continuity Management Policy and Framework Management Policy and Framework Version: Produced by: Date Produced: Approved by: Updated: 7 University Manager with the assistance of the Operational Group 11 th March 2010 Steering Group (14 December

More information

Business Continuity (Policy & Procedure)

Business Continuity (Policy & Procedure) Business Continuity (Policy & Procedure) Publication Scheme Y/N Can be published on Force Website Department of Origin Force Operations Policy Holder Ch Supt Head of Force Ops Author Business Continuity

More information

Project Risk Management. Presented by Stephen Smith

Project Risk Management. Presented by Stephen Smith Project Risk Management Presented by Stephen Smith Introduction Risk Management Insurance Business Financial Project Risk Management Project A temporary endeavour undertaken to create a unique product

More information

Request for feedback on the revised Code of Governance for NHS Foundation Trusts

Request for feedback on the revised Code of Governance for NHS Foundation Trusts Request for feedback on the revised Code of Governance for NHS Foundation Trusts Introduction 8 November 2013 One of Monitor s key objectives is to make sure that public providers are well led. To this

More information

Risk Management Policy. Corporate Governance Risk Management Policy

Risk Management Policy. Corporate Governance Risk Management Policy Corporate Governance Risk Management Policy Approved by the Council of Ministers, May 2006 1. Background The Isle of Man Government is working to promote better risk management, with emphasis on the importance

More information

Risk management framework

Risk management framework Risk management framework Security classification: PUBLIC Reference number: DSITI:FW:001P Policy owner: Executive Director, Strategic Transformation & Performance Contact officer: Principal Consultant,

More information

The University s responsibilities and its arrangements for internal audit Internal audit protocol 2014/15 to 2016/17

The University s responsibilities and its arrangements for internal audit Internal audit protocol 2014/15 to 2016/17 The University s responsibilities and its arrangements for internal audit Internal audit protocol 2014/15 to 2016/17 Summary This paper sets out the University s current obligations and arrangements for

More information

NZ Transport Agency Page 1 of 23

NZ Transport Agency Page 1 of 23 NZ Transport Agency Page 1 of 23 Risk Management 1 Introduction The Highways and Network Operations (HNO) group supports the NZ Transport Agencies strategic objectives through the delivery of Capital Projects

More information

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT: POL ENTERPRISE RISK MANAGEMENT SC51 POLICY CODE: SC51 DIRECTORATE: Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT: Executive Support Services RESPONSIBLE OFFICER:

More information

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy Birmingham CrossCity Clinical Commissioning Group Business Continuity Management Policy Version V1.0 Ratified by Operational Development Group Date ratified 6 th November 2014 Name of originator / author

More information

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter Board of Directors Meeting 12/04/2010 Document approved Operational Risk Management Charter Table of contents A. INTRODUCTION...3 I. Background...3 II. Purpose and Scope...3 III. Definitions...3 B. GOVERNANCE...4

More information

Risk Management Strategy 2014-2017

Risk Management Strategy 2014-2017 Management Strategy 2014-2017 1. Policy Statement 2. Statement of Commitment 3. Our Approach 4. Management Principles 5. Appetite Statement 6. Maturity 7. Management Levels 8. Escalation 9. Management

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

ORGANISING COMMITTEE POLICY AND GOVERNANCE FOR RISKS TO REPUTATION

ORGANISING COMMITTEE POLICY AND GOVERNANCE FOR RISKS TO REPUTATION ORGANISING COMMITTEE POLICY AND GOVERNANCE FOR RISKS TO REPUTATION Report from a High Level Workshop INTRODUCTION It is increasingly recognised that reputation is an important valuable asset, though it

More information

Purpose of Report To present a revised corporate risk register as at May 2013

Purpose of Report To present a revised corporate risk register as at May 2013 Report to Standards and Audit Committee Agenda Item 8 Report SAC 06/13 Date 25 June 2013 By Title of Report Director of Corporate Services Corporate Risk Register Purpose of Report To present a revised

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information