1 Risk Management Manual V1.0 - Eurojuris ISO 9001:2008 Certified
2 Section Page No 1 An Introduction to Risk Management The Framework of Risk Management Identification of Risks Evaluation of Risks The Assessment of Risk Appetite 11 6 Identification of Responses to Risk Gain Assurance on the Effectiveness 15 8 Embedding and Review of Risk Management 16 Appendix 1 Risk Assessment Form i 2 Key Questions List ii 3 Categories of Risk iii 4 Completion of Risk Assessment Form iv 5 Glossary of Terms v
3 Section 1: An Introduction to Risk Management. 1.1 Background With every activity which your Law Firm undertakes in order to achieve its business and corporate objectives, there is an associated risk. Risk is the uncertainty of outcome, within a range of potential exposures, arising from a combination of the impact and likelihood of potential events. Risks can be opportunities overlooked as well as threats to the achievement of objectives. The occurrence of these risks can threaten the achievement of both the business and corporate objectives and therefore can ultimately have an impact on the level of service delivery. For this reason it is vital that the risks which are present in your Law Firm activities are managed in the most effective way possible in order to minimise their effects and therefore to maximise the achievement of objectives. Risk management is defined as the process of identifying risks, evaluating their potential consequences and determining the most effective methods of controlling them and or responding to them. Effective risk management will improve an organisations performance by contributing to: Better service delivery. More effective management of change. A more efficient use of resources. Minimising waste, fraud and poor value for money. Support of innovation risk management encourages innovation within the defined framework. In order to ensure that all risks within the organisation are managed effectively, and all possible advantages of risk management are maximised, your Law Firm can put in place a Risk Management Policy which is linked to the corporate and business planning processes.
4 Section 1: An Introduction to Risk Management. Figure 1: The Strategic Risk Management Cycle Risk management will be a key element in informing the annual assurance by the Executive committee on the effectiveness of internal control and therefore informs the Statement on Internal Control. Risk management and risk assessment are to be embedded as part of the management and internal control activities of the organisation. 1.4 The Purpose of this Document The purpose of this document is to provide comprehensive details of the risk management processes, framework and strategy in place within your Law Firm in order to ensure that a consistent approach is applied across the organisation and that it facilitates compliance with current risk requirements.
5 Section 2: The Framework of Risk Management 2.1 Roles and Responsibilities. In order to ensure that the Risk Management activities which are carried out throughout your Law Firm are consistent and effective and are reported efficiently, a structured framework has been developed and put in place. Within this framework, there are several levels of responsibility as detailed below. Role The Executive Committee The Chairperson Responsibilities Determine the risk management strategy for the firm. Agree the risk management framework. Approve the risk management policy and embedded processes. Determine the risk appetite of the organisation. Review the consolidated quarterly corporate update report, updated risk registers. Review and approve the consolidated quarterly corporate update report and updated risk registers from the Performance Review Committee before submission to the Executive Committee. Review the effectiveness of the system of internal control and sign an annual Statement on internal control. The Internal Auditors Performance Review Committee which will comprise of the Performance Manager and Development Officer To examine the efficiency and effectiveness of the risk management process and to advise the Executive Committee and Managing Partner. Assess the key priorities and responsibilities facing your law firm in the coming year period as criteria for evaluation of completeness. Risks to be presented to them for monitoring and reporting to the Executive Committee. Review and implement the risk policies approved by the Executive Committee. Review and challenge the content of the risk registers on a quarterly basis. Review, challenge and validate the Quarterly Update Reports. Report quarterly on the risk management process to the Executive Committee. Undertake and report on an annual review of the effectiveness of the Risk Management process. In addition to the levels of responsibility detailed above, internal audit also play a role in the risk management process. Internal Audit Review and report at least twice yearly on the risk
6 Section 2: The Framework of Risk Management management process. Review the risks identified by the risk management process for inclusion in the annual audit plan. Provide an annual assurance to the Chairperson on the effectiveness of risk management. See also Figure 1 on following page for illustration of the reporting framework which is in place.
7 Section 2: The Framework of Risk Management Management ID Risk Risk Assessment Form. Ensure Actions undertaken Update YOUR LAW FIRM Risk Register Executive Officer Risk is standing item on monthly reports Quarterly Update Report Updated Register Recommend Actions if required Performance Review Committee Consolidated Qtly Update Report Report Pertinent Risk Issues Record any actions or decisions Recommend Actions if required Approval for Quarterly Update Report and Updated Risk Registers Internal Auditors Examine efficiency and effectiveness of process and advise Executive Executive Committee Approval of Paper Chairperson Annual Statement of Internal Control Figure 1: The Framework of Risk Management.
8 Section 2: The Framework of Risk Management 2.1 Relevant Documents. Risk Assessment Form (Appendix 1). This form must be completed by Executive or Technical officer for any new or changed risk which is within their area of work. Details included on the form include information about likelihood and impact of the risk and the current controls in place to address the risk. Further details regarding the completion of the Risk Assessment Forms are covered in Section 3 of this manual. Divisional Risk Register This is maintained and updated by your Law Firm from the Risk Assessment Forms. It contains details of all risks identified within your Law Firm and a quarterly updated copy is forwarded to the Performance Review Committee. Corporate Risk Register This contains details of all risks identified which may be a threat to the achievement of the your Law Firm corporate objectives. It is updated by the Chairperson of the Performance Review Committee on a quarterly basis. Quarterly Update Report A quarterly update report is produced by each Executive and Technical Officer and includes details of any new risks which have been identified in the quarter and any changes to existing risks. This report is approved by the Executive Committee and forwarded to your Law Firm Administrator. Consolidated Quarterly Update Report The Performance Review Committee compiles a consolidated Quarterly Update Report from the Executive and Technical Officer reports and this is then presented to the Executive Committee.
9 Section 3: The Identification of Risks 3.1 The process of identifying risks. The first stage of risk management is the identification of risk and a consistent and systematic approach must be applied across your Law Firm. By identifying key risks, steps can then be taken to either prevent the event occurring or to minimise the impact. A strategic approach to risk management depends on identifying risks against key organisational objectives. Within your Law Firm this is done against your current aims and objectives Each Executive officer must consider and regularly review each of these aims objectives and identify any significant risks to their achievement. When this is being undertaken, the activities which occur must also be taken into account in order to ensure that all relevant risks have been identified. To make sure that the identification of risks is as comprehensive as possible, cross each Executive and Technical Officer s area of responsibility, and partnership risks must also be considered. Risk Management is a continual process and therefore, any new or emerging risks which may become apparent throughout the year must be assessed and reported to the Performance Review Committee. All Executive and Technical Officers must also be aware of any changes to existing risks which may occur. In these circumstances, the risk must be reassessed and the Risk Register updated accordingly. It is vital that ownership for any risks which are identified is assigned at an appropriate level of authority and responsibility to enable the risk to be properly managed.
10 Section 3: The Identification of Risks 3.2 Factors to consider when identifying risks. There are several factors which it may be of assistance to consider when identifying risks: (a) Any Previous Risk Assessments which may have been undertaken in relation to the organisational Aims and Business objectives. (b) Any areas which have been subject to significant recent change. (c) Any new or innovative practice/business areas (d) Risk History Information this will indicate which incidents have occurred in the past, how often they have occurred and what the consequences were. (e) Organisational aims and business objectives. (f) Consideration of all the key activities of the business. (g) Key Questions List (see appendix 2) (h) The financial categories of risk (see appendix 3). (i) Risk Publications (j) Common Risk Documents 3.3 Completion of the Risk Assessment Form For each significant new risk or change to existing risk identified, a Risk Assessment Form (Appendix 1) must be completed. Details of how to complete the Risk Assessment Form are to be found in Appendix 4 Once completed, the risk assessment form is passed to the Chairperson of the Performance Review Committee for inclusion or update on your Law Firm risk register.
11 Section 4: The Evaluation of Risks. Once the key risks within the organisation have been identified, they must be evaluated in order to allow decisions to be made about the areas of risk in which action is required to be taken and their relative priority. Criteria which can be used for the evaluation of risk include: Financial/ Value for Money issues Service Delivery/ Quality of Service issues Reversibility or otherwise of realisation of the risk The quality or reliability of evidence surrounding the risk The impact of the risk on the organisation / clients / partners / others Defensibility of the realisation of the risk. When evaluating the risks which have been identified, the impact of the event if it occurred and the likelihood of the event occurring must be considered. The impact of some risks, such as financial risks may be quantifiable whilst others, such as reputation risks, may be more subjective and difficult to quantify. To overcome this problem and to ensure that a consistent approach to evaluating risks is applied across your Law Firm, an Impact Matrix is to be used. 4.1 The Impact Matrix. The impact matrix uses the criteria of organisational level, cost and service disruption to guide the evaluation of the significance of the risk concerned. Organisation Level: Cost: (Single Impact) Service Disruption: High Impact Medium Impact Low Impact Strategic/ Corporate/ Programme Business/ Project Operational XYZ Euros XY Euros < X Euros Significant/ Protracted Moderate/ Medium Limited/ Short term This matrix is used to determine the level of impact the risk would have if it occurred. If there has been any deviation from the criteria used in this matrix, the deviation must be justified. Once the impact has been determined to be high, medium or low, the Risk Scoring matrix can be used to determine an overall risk score. The likelihood of the risk occurring is to be medium unless a reason is given for the use of low or high.
12 Section 4: The Evaluation of Risks. 4.2 Risk Scoring Matrix H I G H HL (6) HM (8) HH (9) I M P A C T M E D I U M L O W ML (3) LL (1) MM (5) LM (2) MH (7) LH (4) LOW MEDIUM HIGH LIKELIHOOD The level of impact as determined above combined with the likelihood of the event occurring are combined to give an overall risk score. For each risk, a risk score should initially be determined before any controls are applied. This is the inherent or gross risk score. The net risk score can then be determined by assessing the likelihood and impact after the controls which are currently in place to address the risk have been applied. The gross and net risk scores can then be used to prioritise all risks across the organisation. The Executive Committee will be informed of any risks which are determined to present significant threats to the achievement of the corporate and business objectives.
13 Section 5: The Assessment of Risk Appetite 5.1 Risk Appetite Risk Appetite is the amount of risk to which your Law Firm is prepared to be exposed before it accepts that intervention is necessary. Risk appetite must be understood in order to ensure that risks present are managed to an acceptable level. Before any decisions can be made about how to respond to risks which have been identified, the amount of risk which the organisation can tolerate must be determined. Risk appetite may be very specific in relation to a particular risk or it may be more generic in the sense that the total risks which an organisation is prepared to accept at any one time will have a limit. 5.2 Assessment of Risk Appetite. A measure of risk appetite must be determined both at an overall organisational level and an individual risk level. This measure is dependant upon both the perceived importance of the risks and their timing as the organisation may be more or less susceptible to different risks at different times. Within your Law Firm, the Executive Committee will determine the maximum overall exposure to risk that should be accepted, based on the benefits and the costs involved. Once this organisational tolerance level or risk appetite has been set, management can then determine tolerance levels for individual programmes, projects and activities. This level will then dictate when risk issues must be referred upwards as any risk which can not be reduced to the level agreed must be referred upwards and in extreme cases the activity may need to be terminated. 5.3 Application of Risk Appetite When the concept of risk appetite is being applied to the risk management processes within your Law Firm the net risk score must be compared with the risk appetite: If the net risk score (i.e., the risk score after the existing controls have been applied) is lower than the determined level of risk appetite, the risk can be tolerated and therefore no further response is required. If the net risk score is at a higher level than the determined level of risk appetite for that risk then a response is required in order to bring the level of the risk to an acceptable level.
14 Section 6: Identification of Suitable Responses to Risk The identification and evaluation of risk along with the assessment of the corresponding level of risk appetite will result in a risk profile being developed for Your Law Firm Once these steps have been carried out, consideration can be given to the appropriate response for the risks. 6.1 Types of Responses to Risk. There are a number of valid responses to risk and it must be remembered that effective risk management does not equate with risk avoidance. There are four main responses to risk: Response Transfer Tolerate Treat Terminate Details The risk is transferred to a third party eg, insurance, IT supplier,... The level of the risk is within the risk appetite of your Law Firm or, The cost of taking any action may be disproportionate to the potential benefit gained. Actions are taken to contain the risk to an acceptable level. (Internal Controls) Either the likelihood or the impact of the risk may be reduced. The risk can not be reduced to a tolerable level and is a threat to the achievement of objectives and must be terminated. Risks with a high probability and impact must be addressed whilst lesser risks may be less critical and may therefore be within the risk appetite of the organisation. Within your Law Firm, the majority of risks will be within the risk appetite of the organisation and therefore can be tolerated. Some risks identified may require treatment in order to bring the level of the risk down to a tolerable level. Few risks will have the option to be transferred and very few, if any will have the option of the activity causing the risk being terminated. When deciding the response to a risk, the response must offer value for money in relation to the risk which it is controlling. The responses to risk must also be in proportion with the risk which they address. Over control of any minor risks must be avoided as well as the under control of serious risks.
15 Section 6: Identification of Suitable Responses to Risk 6.2 Internal Controls as a Response to Risk Control is any action, procedure or operation which is undertaken by management to increase the likelihood that activities and procedures achieve their objectives. Internal control is therefore a response to risk. The purpose of internal control is not to eliminate risk altogether but to provide reasonable assurance of confining the likely loss from the realisation of key risks to within the risk appetite of your Law Firm Internal controls can be classified into four main types: Detective Controls: These controls are designed to identify occasions of undesirable outcomes having been realised. They are after the event and so are only appropriate when it is possible to accept the loss or damage incurred as a result of the event. Directive Controls: These are designed to ensure that a particular outcome is achieved and are particularly important when it is critical that an undesirable event is avoided. Preventative Controls: Controls which are designed to limit the likelihood of an undesirable outcome being realised are preventative controls. Most controls implemented by your Law Firm belong to this category. One example of this type of internal control is the segregation of duties. Corrective Controls: This type of control is designed to correct undesirable outcomes which have been realised. These controls limit the impact of the event occurring and provide some recovery against loss and damage. Any controls which are put in place must be properly documented and also be regularly reviewed to ensure that they remain effective and that they continue to offer the best value for money response to the risk. 6.3 Consideration of Current Controls. Before determining whether any additional controls are required to be applied to the risk, the current controls which are in place must be considered. The effectiveness of the current controls must be assessed. If the current controls do not reduce the net risk score and therefore the exposure to the risk to within the risk appetite of the organisation, a further response will be required. 6.4 Implementation of Response
16 Section 6: Identification of Suitable Responses to Risk All options for the response to each key risk should be evaluated and the option decided upon detailed on the risk assessment form. A plan for the implementation of the controls should then be devised with specific actions, details of who has been delegated authority to complete them and by when. All details must be clearly communicated to the relevant level of management. Any responses to risk must then be monitored and reported upon in order to ensure that they have been implemented effectively and that there has been no deviations from the agreed implementation plans.
17 Section 7: Gain Assurance on the Effectiveness. Assurance must be gained regarding the effectiveness of the risk management policy. Assurance must also be gained about the effectiveness of any risk responses to determine that they have been implemented and are having the desired effect of reducing the exposure to risk to within the risk appetite. There are two main ways of this being done: 7.1 Reporting. An effective reporting system will allow the management structure to report upwards about how effective the risk management and the controls applied in response to risk are. Within your Law Firm, the reporting framework is as illustrated in Section 2 of this document. Each level of management must regularly review the risks and controls for which it is responsible and report upwards on the outcome of this review. If there is any need to change priorities or controls, this must be clearly recorded and the necessary action taken. Executive and Technical officers are designated responsible for all activity risks in their area of responsibility and as such must provide assurance on all to the Performance Review Committee. When controls are being reviewed, it must be insured that any additional actions required have not been subject to slippage. If there are any significant digressions from the agreed action plans for the implementation of risk responses they must be noted. The Executive and Technical Officers must then complete an annual assurance statement which will provide assurance that the risk is being managed in accordance with the risk management policy. These statements will in turn provide assurance to the Chairperson when making the annual Statement on internal control. 7.2 Internal Audit The other main source of gaining assurance on the effectiveness the risk management process is through the Internal Audit function of your Law Firm. Internal Auditors will undertake periodic reviews of the risk management activities as part of their audit plan. Internal Auditor will provide independent assurance on the process of risk identification, evaluation and control. They will review the risk management processes and procedures which are in place and report on their effectiveness to the Executive Committee and Chairperson.
18 Section 8 :References. 8.1 Embedding Risk Management within your Law Firm. In order to ensure that the risk management process works as efficiently as possible, it is vital that it becomes embedded within your Law Firm activities. Some of the advantages of embedding risk management throughout your Law Firm activities are as follows: More likelihood of achieving aims and objectives. More confidence in moving into new areas or introducing new or innovative activities. Learning from past issues and incorporating what was learnt into future activities. The risk management process should not be considered as an annual event or a one off exercise but should be an intrinsic part of the way your Law Firm works. As risk management is aligned with the aims and objectives of the organisation, Officers must consider all changes to their objectives and developments of working practices in terms of risk and act accordingly at all times. To ensure that risk management does become successfully embedded within your Law Firm, information about risks and controls will be incorporated within each level of management reporting. The risk management process builds on the control systems which are already in place within your Law Firm. 8.2 Review of Risk Management Policy and Procedures. The risk environment of your Law Firm is constantly changing and the priorities of objectives and the consequent importance of risks will change. Due to this changing environment, it is vital that the risk strategy, policies and processes are regularly reviewed in order to ensure that they are still valid. If the any part of the risk management strategy is found not to be up to date, any necessary changes to the strategy or processes must be made through the framework of responsibility.
20 APPENDIX 1 RISK ASSESSMENT FORM Inserted By Date: Approval Ref: LAW FIRM Aim: LAW FIRM Objective: System/Activity: Risk Type: Risk No: Risk Owner: Risk: Potential Root Causes (What can cause the risk to occur): Existing Controls (Controls in place to address risk): Assurance Officer: Action(s) Planned: Officer Target Date Progress (S,O,C) Contingency Plan Necessary: Y / N (If yes please state plan) ASSESSMENT OF RISK EXPOSURE: Gross Impact / Likelihood HH HM MH HL MM LH ML LM LL Net Impact / Likelihood HH HM MH HL MM LH ML LM LL Frequency of Reporting Required: Removed By Date: Approval Ref: i
21 APPENDIX 2 KEY QUESTIONS LIST (ORANGE BOOK) KEY QUESTIONS LIST RISK ASSESSMENT 1 What are the major opportunities facing your law firm? 2 How is change affecting the risks faced and the risks that your law firm has chosen to take (NB: Areas of change are often the biggest areas of risk)? 3 What are the killer risks from which your law firm would be unable to recover? 4 What damaging press headlines need to be avoided? 5 What problems have happened in the past in your law firm or elsewhere? 6 What are the types of fraud and business probity issues to which your law firm could be particularly susceptible? 7 What are the major regulatory and legal risks to which your law firm is exposed? 8 What risks arise from the business processes? ii
22 APPENDIX 3 CATEGORIES OF RISKS External 1. Infrastructure Relating to infrastructures such as transport systems for archers, power supply systems, suppliers, business relationships with partners, dependency on internet and e- mail 2. Economic Relating to economic factors such as interest rates, exchange rates, inflation 3. Legal and Regulatory Relating to the laws and regulations which if complied with should reduce hazards (Eg Health and Safety at Work Act) 4. Environmental Relating to issues such as fuel consumption, pollution 5. Political Relating to possible political constraints such as change of government 6. Market Relating to issues such as competition and supply of goods 7. Act of God Relating to issues such as fire, flood, earthquake. Financial 8. Budgetary Relating to the availability of resources or the allocation of resources 9. Fraud or theft Relating to the unproductive loss of resources 10, Insurable Relating to potential areas of loss which can be insured against 11. Capital Relating to the making of appropriate investment decisions investment 12. Liability Relating to the right to sue or to be sued in certain circumstances Activity 13. Policy Relating to the appropriateness and quality of policy decisions 14. Operational Relating to the procedures employed to achieve particular objectives 15. Information Relating to the adequacy of information which is used for decision making 16. Reputational Relating to the public reputation of the organization and consequent effects 17. Transferable Relating to risks which may be transferred or to transfer of risks at inappropriate cost 18.Technological Relating to the use of technology to achieve objectives 19. Project Relating to project planning and management procedures 20. Innovation Relating to the exploitation of opportunities to make gains Human Resources 21. Personnel Relating to the availability and retention of suitable Officers 22. Health and Relating to the well-being of people. Safety iii
23 APPENDIX 4 Section on Risk Assessment Form Aim/Objective, System/Activity Risk Risk Owner Potential Root Causes Existing Controls Assurance Officer Actions Planned Contingency Plan Necessary Assessment of Risk Exposure Tolerance COMPLETION OF RISK ASSESSMENT FORM Details Required Record reference to your law firm aims and/or objective and/or system/activity as appropriate. A brief specific description of what the risk is should be given. The name of the Officer designated with responsibility for managing the risk. The risk owner should be an Officer of sufficient grade and authority to take action to manage the risk. What can allow the risk to occur? The events which would prevent or hinder the achievement of the specified objective. Examples of potential root causes: New sport/business area where practical experience is limited. May be an area which is particularly susceptible to fraud or failure. A fundamental change in activity or transaction. An established control not being applied. Absence of clear and understood policy/ procedure. The actions which are taken by the Officer to address the risk present, to ensure that objectives are met. The name of the Officer who is responsible for implementing the controls which are in place. Details of any actions which are planned to implement the responses required to reduce the risk to a level which would be tolerable. Details of who is going to be responsible for ensuring that the appropriate action is taken and the target dates for the action are to be recorded also. Description of the actions required to ensure the continuation of service in the event of the risk occurring. The gross and net risk scores as determined by the Risk Scoring Matrix are to be recorded. The use of this matrix is covered in more detail in section 4.1. A tolerance level will be established for early warning of the potential materialisation of the risk. This may be a target, an operational incident or a combination of these iv
24 APPENDIX 5 GLOSSARY OF KEY TERMS Assurance: gaining (independent) confirmation that risk assessment and control response is appropriate, adequate and achieving the effects for which it has been designed. Control: Corrective control: Detective control: Directive control: Embedding risk management: Exposure: Corporate Governance: Impact: Opportunity: Preventive control: Probability: Risk: Risk appetite: Risk management: Risk review: Threat: any action, procedure or operation undertaken to either contain a risk to an acceptable level of potential exposure or to increase the probability of a desirable outcome. a control designed to correct undesirable outcomes. a control designed to detect undesirable outcomes which have arisen. a control designed to ensure a particular outcome. ensuring that the risk management strategy is reflected in the objectives and function of every level of the organisation. the range of outcome arising from the combination of the impact of an event and the probability of the event actually happening. the overall management of an organisation where it is possible to explain/see how activities are undertaken with appropriate, associated, accountability. the evaluated effect or result of a particular outcome actually happening. an uncertainty of outcome that may result in a positive or beneficial impact that the organisation wishes to take advantage of or exploit. a control designed to prevent an undesirable happening. the evaluated probability of a particular outcome actually happening (including a consideration of the frequency with which the outcome may arise). the uncertainty of outcome, within a range of exposure, arising from a combination of the impact and probability of potential events. the range of exposure that is judged tolerable for the organisation. the limitation of the exposure to an acceptable level, by taking action on probability, impact (or both); it therefore requires identification of the elements to be considered and which may be controllable. a strategic review sponsored by the Executive Committee to identify the risks associated with all the activities and operations of the organisation. an uncertainty of outcome likely to result in a negative or damaging impact that the organisation may wish to control to an acceptable level. v
Annex 1 TITLE VERSION Version 2 Risk Management Strategy and Policy SUMMARY The policy provides the framework for the management and control of risk within the GOC DATE CREATED January 2013 REVIEW DATE
Confident in our Future, Risk Management Policy Statement and Strategy Risk Management Policy Statement Introduction Risk management aims to maximise opportunities and minimise exposure to ensure the residents
Bridgend County Borough Council Corporate Risk Management Policy December 2014 Index Section Page No Introduction 3 Definition of risk 3 Aims and objectives 4 Strategy 4 Accountabilities and roles 5 Risk
ANNEX C Risk Management & Business Continuity Manual 2011-2014 Produced by the Risk Produced and by the Business Risk and Business Continuity Continuity Team Team February 2011 April 2011 Draft V.10 Page
RISK MANAGEMENT POLICY Approved by Governing Authority February 2016 1. BACKGROUND 1.1 The focus on governance in corporate and public bodies continues to increase. It resulted in an expansion from the
Risk Management Policy and Process Guide Status: pending Next review date: December 2015 Page 1 Information Reader Box Directorate Medical Nursing Patients & Information Commissioning Operations (including
Business Continuity Policy Version.0 January 206 Contents Contents Version control Foreword Policy. Scope.2 Aim and objectives.3 Methods and standards.4 Responsibilities.5 Governance.6 Training and exercises
UNIVERSITY OF LONDON GUIDE TO RISK MANAGEMENT Purpose of the guide... 2 Risk Management The Basics... 2 What is Risk Management?... 2 Applying Risk Management... 2 The Use of Risk Registers in Risk Management...
A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management
Corporate Risk Management Policy Managing the Risk and Realising the Opportunity www.reading.gov.uk Risk Management is Good Management Page 1 of 19 Contents 1. Our Risk Management Vision 3 2. Introduction
GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental
RISK MANAGEMENT POLICY AND PRINCIPLES 1 (17) Board of Directors 20 January 2011 RISK MANAGEMENT POLICY Orava s goals and tasks of the Risk management The central short-term goal of Orava is to distinctly
Avondale College Limited Enterprise Risk Management Framework 2014 2017 President s message Risk management is part of our daily life, something we do regularly; often without realising we are doing it.
Derbyshire County Council Management Policy Statement The Authority adopts a proactive approach to Management to achieve Best Value and continuous improvement and is committed to the effective management
Policy No: RM66 Version: 3.0 Name of Policy: Business Continuity Planning Policy Effective From: 19/06/2014 Date Ratified 05/06/2014 Ratified Business Service Development Committee Review Date 01/06/2016
KENYA NATIONAL BUREAU OF STATISTICS RISK MANAGEMENT POLICY SEPTEMBER 2009 Table of Contents Pg No. FOREWARD... ii PREFACE...iii CHAPTER ONE... 1 INTRODUCTION... 1 1.0 Background... 1 1.1 KNBS policy statement...
RISK MANAGEMENT 1 Contents Introduction 2 Corporate Governance 2 Purpose of this policy 2 Policy Objectives 2 Policy Statement 3 Scope of the policy 3 What is Risk? 4 The University s Approach 4 Description
Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies
Integration of Risk Management and Internal Audit Chartered Institute of Management Accountants, New Zealand Contents Understanding the three lines of defense governance model What is Risk? Risk Management
NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY AUTHOR/ APPROVAL DETAILS Document Author Written By: Human Resources Authorised Signature Authorised By: Helen Shields Date: 20
BUSINESS CONTINUITY MANAGEMENT POLICY AUTHORISED BY: DATE: Andy Buck Chief Executive March 2011 Ratifying Committee: NHS Rotherham Board Date Agreed: Issue No: NEXT REVIEW DATE: 2013 1 Lead Director John
The Lowitja Institute Risk Management Plan 1. PURPOSE This Plan provides instructions to management and staff for the implementation of consistent risk management practices throughout the Lowitja Institute
Audit Committee 29 April 2010 Item No 7 Revised Risk Management Policy and Framework Report by Head of Finance Summary A substantial review of our current Risk Management Strategy has been carried out.
WFP ENTERPRISE RISK MANAGEMENT POLICY Informal Consultation 3 March 2015 World Food Programme Rome, Italy EXECUTIVE SUMMARY For many organizations, risk management is about minimizing the risk to achievement
Purpose of this document Develop and document procedures and work instructions for Risk Management to cover the project Stages set out in the Project Process Map. The purpose of this procedure is to identify
ROCKHAMPTON REGIONAL COUNCIL ENTERPRISE RISK MANAGEMENT FRAMEWORK 2013 Adopted 25 June 2013 Reviewed: October 2015 TABLE OF CONTENTS 1. Introduction... 3 1.1 Council s Mission... 3 1.2 Council s Values...
Audit Committee 21 June 2012 Internal audit report Risk Management review Executive summary and recommendations Introduction Mazars have undertaken a review of Risk Management, in accordance with the internal
Business Continuity Policy St Mary Magdalene Academy V1.0 / September 2014 Document Control Document Details Document Title Document Type Business Continuity Policy Policy Version 2.0 Effective From 1st
RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES GOVERNMENT ACCOUNTING SECTION DEPARTMENT OF FINANCE MARCH 2004 Risk Management Guidance CONTENTS Pages List of guidelines on risk management
Not Protectively Marked Item 6 Appendix B DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Management Policy The Dorset & Wiltshire Fire and Rescue Authority () is the combined fire and rescue authority for
Business Continuity Business Continuity Management Policy : Date of Issue: 28 January 2009 Version no: 1.1 Review Date: January 2010 Document Owner: Patricia Hughes Document Authoriser: Tony Curtis 1 Version
MARCH 2012 Version 1.10 Strategic Risk Policy Update March 2012 v1.10.doc Document History Current Version Document Name Risk Management Policy Statement and Strategic Framework Last Updated By Alan Till
Risk Analysis toolkit MMU has a corporate Risk Management framework that describes the standard for risk management within the university. However projects are different from business as usual activities,
Risk Management Framework Category or Type Originally approved by, and date Administration and Management Vice Chancellor at VCAG on December 2008 Last approved revision October 2011 Sponsor Chief Operating
RISK MANAGEMENT STRATEGY 1 Introduction The purpose of this document is to outline a which facilitates the effective recognition and management of risks facing the University. The Combined Code on Corporate
THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date
ASTRAZENECA GLOBAL POLICY SAFETY, HEALTH AND ENVIRONMENT (SHE) THIS POLICY SETS OUT HOW WE WILL MEET OUR COMMITMENT TO OPERATING OUR BUSINESS IN A WAY THAT PROTECTS PERSONAL HEALTH, WELLBEING AND SAFETY
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
Uniting Church in Australia Synod of Victoria and Tasmania RISK MANAGEMENT STRATEGY AND FRAMEWORK Prepared by: Synod Risk Management Committee Date Prepared and Issued: February 2010 S:\AdminFinance\EDAF\Risk
Tablelands Regional Council ENTERPRISE RISK M A NAGEMENT POLICY Draft Final Policy No: PD 3.3.1 File ref: PD 3.3.1 Policy Section: INSURANCE AND RISK MANAGEMENT Version: 1 Date Adopted: 7 July 2010 Review
POLICY CG01 RISK MANAGEMENT Document Control Statement This Policy is maintained by the Governance and Organisational Strategy. Any printed copy may not be up to date and you are advised to check the electronic
Risk assessment made simple July 2015 1 Sayer Vincent LLP Chartered accountants and statutory auditors Invicta House 108 114 Golden Lane London EC1Y 0TL Offices in London, Bristol and Birmingham 020 7841
Part Two Part One Not Protectively Marked DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy. The Dorset & Wiltshire Fire and Rescue Authority (DWFRA)
The Orange Book Management of Risk - Principles and Concepts October 2004 The Orange Book Management of Risk - Principles and Concepts October 2004 Crown copyright 2004 Published with the permission of
Informing the audit risk assessment Enquiries to those charged with governance Calderdale Council This version of the report is a draft. Its contents and subject matter remain under review and its contents
Corporate Governance Risk Management Policy Approved by the Council of Ministers, May 2006 1. Background The Isle of Man Government is working to promote better risk management, with emphasis on the importance
APPENDIX 5 POLICY : CORPORATE RISK MANAGEMENT 1 Scope This is a Service wide policy. 2 Aims and Objectives Lancashire Combined Fire Authority provides services to a diverse range of people and organisations,
Risk Management Framework Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 TRIM CON: 12/1132 Administered by: Governance Coordinator Last Review Date: 2013 Next Review
Risk Management Policy Adopted by: Infigen Energy Limited Infigen Energy (Bermuda) Limited Infigen Energy RE Limited in its capacity as Responsible Entity of Infigen Energy Trust Adopted: 17 December 2009
Business Continuity (Policy & Procedure) Publication Scheme Y/N Can be published on Force Website Department of Origin Force Operations Policy Holder Ch Supt Head of Force Ops Author Business Continuity
Inclusive of, framework, procedures and methodology Contents 1 Introduction 1 1.1 Legislative Framework and best practice 1 1.2 Purpose of Enterprise Risk Management 2 1.3 Scope and Applicability 3 1.4
Group Risk Management Policy Originator: Approval date: Policy and Strategy Team Sovini Board PCHA Board OVH Board/EMT 6 th December 2013 31 st October 2013 14 th October 2013 Review date: December 2014
Force Policy & Procedure Reference Number Business Continuity Management D269 Policy Version Date 23 July 2015 Review Date 23 July 2016 Policy Ownership Portfolio Holder Links or overlaps with other policies
TRUST POLICY FOR EMERGENCY PLANNING Reference Number: CL-OP/ 2013/027 Version: 1.4 Status: New Draft Author: Ashley Reed Job Title: Head of Security and EPO Version / Amendment History Version Date Author
RISK MANAGEMENT POLICY Version 3 Version: Version 3 Version 3 Authors: Liz Hollman, Mary Klaus, Sarah Langan-Hart Approved by: Healthcare Governance Committee Trust Board Approved date: May 2009 Review
PROCEDURES RISK MANAGEMENT FRAMEWORK AND GUIDELINES PURPOSE This Framework and Guidelines have been developed in support of the CQUniversity Risk Management Policy and are intended for use by the CQUniversity
Business Continuity Management Policy Business Continuity Policy Version 1.0 1 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3
SAI GLOBAL LIMITED Risk Management Policy SAI Global Ltd ABN 67050611642 Last Updated: February 2012 Contents 1. Risk Management... 3 2. Policy... 3 3. Risk Management Philosophy... 3 4. Risk Appetite...
Standard Rio Tinto management system December 2014 Group Title: Rio Tinto management system Document No: HSEC-B-01 Standard Function: Health, Safety, Environment and Communities (HSEC) No. of pages: 23
Manage the performance of teams and individuals to achieve objectives Overview This standard is about making the best use of your team and its members so that they can achieve your organisation's objectives.
4 November 2013 Performance and Resources Board 15 To consider Risk Management Framework Issue 1 To consider a draft revised Risk Management Framework as requested by Council at its meeting on 7 February
COUNTY DURHAM AND DARLINGTON FIRE AND RESCUE SERVICE Administration and General Order No. AD/1/TBC CORPORATE RISK MANGEMENT POLICY 1. INTRODUCTION 1.1 County Durham and Darlington Combined Fire Authority
PROCEDURES BUSINESS CONTINUITY MANAGEMENT FRAMEWORK PURPOSE This Framework has been developed in support of both the Business Continuity and Crisis Management Policy and the Emergency and Fire Evacuation
PROCESSES SUPPLY CHAIN SKILLED TALENT CUSTOMER RELATIONSHIPS FURTHER EXCELLENCE GENERIC STANDARDS INDUSTRY STANDARDS CUSTOMISED SOLUTIONS TRAINING SERVICES THE ROUTE TO ISO 9001:2015 FOREWORD The purpose
INTERNATIONAL STANDARD ISO/IEC 38500 First edition 2008-06-01 Corporate governance of information technology Gouvernance des technologies de l'information par l'entreprise Reference number ISO/IEC 38500:2008(E)