modelled on Heriot Watt University Risk Management Strategy & Process [2012]


UNIVERSITY COLLEGE CORK
New Risk Management Policy and Process (incorporating User Guide)
19th February 2013
modelled on Heriot Watt University Risk Management Strategy & Process [2012]

POLICY APPROVAL AND REVIEW

Committee | Policy Version No. | Date Reviewed | Date Approved
Risk Management Committee | Draft dated 16/11/12 | 20/11/12 | 20/11/12
University Management Team [Strategy] | Draft dated 23/11/12 | 13/12/12 | 13/12/12
Audit Committee | Draft dated 16/1/13 | 11/2/13 | 11/2/13
Governing Body | Draft dated 16/1/13 | 12/2/13 | 12/2/13

TABLE OF CONTENTS

POLICY APPROVAL AND REVIEW
Foreword
NEW Risk Management Policy
Statement of Commitment
Definitions
Governance
Risk
Risk Management: The First Line of Defence!
Risk Management Objectives
The University's Approach
The Benefits of Risk Management
Roles and Responsibilities 1
Roles and Responsibilities 2
Links to Governance Issues
Internal Control
Performance Monitoring
Project Management
Data Quality
Anti-Fraud
Whistleblowing
Money Laundering
Emergency Planning and Business Continuity
Safety Management
Risk Reporting Schedule
NEW Risk Management Process (incorporating User Guide)
Risk Management Process: User Guide
Introduction
Risk Management Process
The 5 steps to managing risks
Step 1: Linking identified risks to strategic (and operational) objectives
Step 2: Identify Risks
Step 3: Assess Risks
Step 4: Control Risks
Step 5: Monitor and Review Risks
Categories of risk
Risk Register and Risk Evaluation Sheets
Risk Evaluation Sheet template
Risk Register template
Annual Assurance Statement
Summary
Important Last Word

Foreword

UNIVERSITY COLLEGE CORK considers risk management to be fundamental to good management practice and a significant aspect of corporate governance. Effective management of risk will provide an essential contribution towards the achievement of the University's strategic and operational objectives and goals.

Risk management is an integral part of the University's decision-making and routine management and must be incorporated within the strategic and operational planning processes at all levels across all aspects of the University's local and international business.

Risk Management, as a key component of Corporate Governance, has been on the UCC senior management agenda since We have made significant progress in developing a Risk Management Framework, in accordance with the HEA/IUA Governance of Irish Universities' policy document [approved by UCC Governing Body February 2007]. The Risk Management Framework includes the Risk Policy [approved by UCC Governing Body April 2009] which we are updating with this document.

The objective of Risk Management is to improve UCC's ability to deliver on its strategic and operational objectives by providing a framework to manage threats and opportunities in a systematic and transparent manner, thereby creating an environment that adds value to academic and service activities.

Ultimately, effective risk management will help to ensure that the University maximises its opportunities, and minimises the risks it faces, thereby improving our ability to deliver our strategic and operational priorities and improve outcomes.

Michael Farrell
Corporate Secretary, University College Cork
DATE: January 2013

NEW Risk Management Policy

Statement of Commitment

UNIVERSITY COLLEGE CORK is committed to adopting best practice in the identification, evaluation and control of risks to ensure that they are reduced to an acceptable level or eliminated. The University is also committed to maximising opportunities to achieve its strategic and operational objectives and deliver effective services across all aspects of University local and international business.

It is acknowledged that some risks will always exist and will never be eliminated. All employees must understand the nature of risk and accept responsibility for risks associated with their area of work. Risk Management is a tool to enable better decision-making. Managers and staff will receive the necessary support, assistance and commitment from the Governing Body, the University Management Team and the Risk Management team in the Office of Corporate and Legal Affairs.

The University's risk management objectives are a long term commitment and an inherent part of good management and governance practices. The objectives need the full support of all employees.

The University, as a corporate body, is bound by legal obligations to provide for the health and safety of its staff, students, customers and visitors. The University is also obliged to protect its material assets and to minimise its losses and liabilities.

Definitions

Governance

Governance is the system by which the University fulfils its purpose and achieves the intended outcomes for its staff, students and service users and operates in an effective, efficient, economic and ethical manner.

Good governance leads to:
- Good management
- Good performance
- Good stewardship of public money
- Good public engagement
and, ultimately good outcomes for the University community.

Ensuring that the right thing, is done in the right way, for the right people, in an open, honest

Risk

Risk is the chance or possibility of loss, damage, injury or failure to achieve objectives caused by an unwanted or uncertain action or event. Risk management is the planned and systematic approach to the identification, evaluation and control of risk. The objective of risk management is to secure the assets and reputation of the University and to ensure continued financial and University well-being.

Risk the chance of something happening that will have an impact on the University's

Risk Management: The First Line of Defence!

Effective Risk Management is about identifying what might go wrong, what the consequences might be of something going wrong and finally, deciding what can be done to reduce the possibility of something going wrong. If it does go wrong, as some things inevitably will, we must make sure that the impact is kept to a minimum.

Effective Risk Management ensures that the University makes cost effective use of a risk framework that has a series of well-defined steps. The aim is to support better decision making through a good understanding of risks and their likely impact.

Risk Management is a continuous and developing process which runs throughout the University's strategy and the implementation of that strategy, methodically addressing all risks surrounding the University's activities past, present and future.

Risk Management Objectives

UCC is committed to establishing and maintaining a systematic approach to the identification and management of risk. The University's risk management objectives are to:
- Ensure that risk management is clearly and consistently integrated and evidenced in the culture of the University.
- Manage risk in accordance with best practice.
- Agree appropriate Risk Control Approach (Table 4, 4Ts) to each opportunity being considered.
- Anticipate and respond to changing economic, social, environmental and legislative requirements.
- Consider compliance with health and safety, insurance and legal requirements as a minimum standard.
- Prevent death, injury, damage and losses, and reduce the cost of risk and opportunities.
- Inform policy and operational decisions by identifying risks and their likely impact.
- Raise awareness of the need for risk management by all those connected with the University.
- Assign accountability to all staff for the management of risks within their areas of control.
- Ensure that all significant risks to the University locally and internationally are identified, assessed and where necessary treated and reported to the University Governing Body and University Management Team in a timely manner through the University Risk Management Committee.
- To provide a commitment to staff that risk is a core management capability.

These objectives will be achieved by:
- Clearly defining the roles, responsibilities and reporting lines within the University for Risk Management.
- Including risk management issues when writing reports and considering decisions.
- Continuing to demonstrate the application of risk management principles in the activities of the University.
- Reinforcing the importance of effective risk management as part of the everyday work of our employees.
- Maintaining a register of risks linked to the University's business, strategic and operational objectives, also those risks linked to working in partnership(s).
- Maintaining documented procedures of the control of risk and provision of suitable information, training and supervision.
- Maintaining an appropriate system for recording health and safety incidents and identifying preventative measures against recurrence.
- Undertaking compliance audits.
- Preparing contingency plans to ensure business continuity where there is a potential for an event to have a major impact upon the University's ability to function.
- Monitoring arrangements continually and seeking continuous improvement.

The University's Approach

It is essential that a single risk management approach be utilised at all levels throughout the University. By effectively managing our risks and opportunities, which is all part of good governance, we will be in a stronger position to deliver our strategic and operational objectives, provide improved services to our students and customers, work better as a partner with other Universities, businesses and achieve value for money.

This approach to risk management will inform the University's business processes, including:
- Strategic & Operational planning
- Financial planning
- Service planning
- Policy making and review
- Performance management
- Project management
- Partnership working

For those employees with responsibility for achieving objectives and decision-making, responsibility also lies for identifying and assessing risks and opportunities, developing and implementing controls and warning mechanisms and reviewing and reporting on progress. The identified risks and relevant control measures will be managed through the University's Risk Register.

Some objectives may be reliant upon external partners that the University may work with, such as other Universities (local and international), research partners, businesses, contractors etc. Such partnership working may affect the achievement of an objective and therefore the risk management process must be incorporated into the way the University works within these partnerships.

The management of risk will become an integral part of strategic policy decisions and the initiation of major projects, which will include a statement on risk to help inform the decision making process.

This will assist Heads of Colleges/Schools and Services (Functional Areas) and staff to ensure that new risks are detected and managed, by providing more detail on the process for managing risk, where each stage builds upon the other and provides practical guidance on how to identify, assess and treat risks, and monitor their progress.

To assist with this approach and to ensure consistency across the University, a risk management process document and a User Guide (including the Risk Register template(s)) have been prepared which will be reviewed on an annual basis.

The Benefits of Risk Management

- Achieve benefits and exploit opportunities locally and internationally enabling opportunities
- Achieve and demonstrate good corporate governance
- Avoid the impact of failure (perceived or actual)
- Adapt to changes to Irish, EU and international student and customer needs
- Achieve strategic and operational objectives, make better decisions and deliver effective and efficient services
- Support value for money projects, finance, and performance management
- Maintain service provision through adversity
- Comply with legal and regulatory requirements
- Horizon scanning: Manage external changes in culture, political, environment etc
- Control the development of new business or services

Roles and Responsibilities 1

Responsibility for risk management runs throughout the University. Clear identification of roles and responsibilities will ensure the successful adoption of risk management and demonstrate that it is embedded in the culture of the University.

[Diagram: Governing Body; Audit Committee; Risk Management Committee; University Management Team; Internal Audit; Heads of Colleges; Heads of Services (Functional Areas); Heads of Schools; Line Managers; Staff]

Roles and Responsibilities 2

GROUP OR INDIVIDUAL: Governing Body
ROLE: Oversee the effective management of risk throughout the University.

GROUP OR INDIVIDUAL: Audit Committee
ROLE: Provide independent assurance to the Governing Body of the risk management framework and associated control environment. Receive reports from UMT and RMC.

GROUP OR INDIVIDUAL: University Management Team (UMT)
ROLE: Gain an understanding of, and promote the risk management process and its benefits. Oversee the implementation of the risk management policy and agree inputs and resources required to support the work corporately. Ensure risk analysis is included when considering significant decisions. Ensure the risk management process is considered and adopted in the University's financial regulations.

GROUP OR INDIVIDUAL: Risk Management Committee (RMC)
ROLE: Support the University in the effective development, implementation and review of its risk management process. Identify and communicate risk management issues to Colleges/Schools and Services (Functional Areas) and report to UMTS and Audit Committee. Assist in undertaking risk management training and/or direct support. Maintain the University Risk Register and consider emerging risks as notified.

GROUP OR INDIVIDUAL: Internal Audit
ROLE: Support the achievement of the University's strategic objectives by providing independent assurance to the University's Audit Committee and University management on the nature, efficiency and effectiveness of the system of internal controls operating within the University. The Internal Audit role is discharged by conducting regular audits of University activities and appraising internal controls, risk management, governance and financial matters together with undertaking value for money audits.

GROUP OR INDIVIDUAL: Corporate Secretary
ROLE: Champion the risk management process throughout the University with members of the Governing Body and the University Management Team. Overall responsibility for University Risk Management process. Ensure the process is embedded and effective.

GROUP OR INDIVIDUAL: Risk Manager
ROLE: To facilitate the implementation of the University's Risk Management Policy, reporting to the Corporate Secretary.

GROUP OR INDIVIDUAL: Heads of Colleges / Schools and Services (Functional Areas)
ROLE: Ensure that the risk management process is promoted, managed and implemented effectively in their Colleges/Schools and Service AND a standing item on Executive meeting agendas. Liaising with staff and external agencies to identify and manage risk. Disseminating relevant information to line managers and employees. Ensure the Risk Management Committee receives annual Risk Register and report and is apprised of all significant and emerging risks.

GROUP OR INDIVIDUAL: Managers
ROLE: Raise awareness, manage and implement the risk management process effectively in their areas of responsibility, recommending any necessary training for staff on risk management.

GROUP OR INDIVIDUAL: Project and Programme Managers
ROLE: Responsible for managing project and programme specific risks and complete and keep under review a project/programme risk register to demonstrate effective management of project and programme risks.

GROUP OR INDIVIDUAL: Employees / staff
ROLE: Identify local / emerging risks and support the Risk Management process wherever they work in the University.

Links to Governance Issues

Internal Control

Controls: Activities designed to determine, direct or command University processes and procedures in order to ensure that they operate in an orderly and efficient manner, statutory and management requirements are complied with, assets are safeguarded, completeness and accuracy of records are secured and which identify and correct when something has gone wrong.

Systems of internal control: A term to describe the totality of the way the University designs, implements, tests and modifies controls in specific systems, to provide assurance to the corporate level that the University is operating efficiently and effectively. Systems of internal control focus on and encompass the policies, procedures, processes, tasks and behaviours within the University.

Control environment: The control environment comprises the systems of governance, risk management and internal control. The key elements of the control environment include:
- Establishing and monitoring the achievement of the University's strategic and operational objectives.
- The facilitation of decision - ensuring compliance with established policies and procedures. Laws and regulations including how risk management is embedded in the activity of the University, how leadership is given to the risk management process, and how staff are trained or equipped to manage risk in a way appropriate to their authority and duties.
- Ensuring the economic, effective and efficient use of resources and ensuring continuous improvement in the way in which its functions are exercised, having regard to a combination of economy, efficiency and effectiveness.
- The financial management of the University and the reporting of financial management.
- The performance management of the University and the reporting of performance management.

Heads of Colleges/Schools and Services (Functional Areas) are responsible for ensuring that proper controls are in place to ensure that resources are used appropriately, to provide value for money and delivery of the University's strategic and operational objectives. The controls are reported through an annual governance statement, to assure and ensure that the systems and services they are responsible for, deliver consistent, predictable, effective results in order to meet service or strategic objectives. An annual report / Risk Register from each College and Service will be presented to the Risk Management Committee on a rolling programme.

An audit process independently monitors the controls and procedures across the University to enhance value for money, ensure systems reliability, minimise risk and act upon suspicion of fraud or corruption. The Audit Committee relies on the audit processes in place in formulating their opinion of the University's control environment comprising risk management, control and governance by evaluating its effectiveness in achieving the University's strategic and operational objectives.

Performance Monitoring

Performance monitoring of risk management activity will ensure that the treatment of risk remains effective and the benefits of implementing risk control measures outweigh the costs of doing so. Performance monitoring is a continual review not only of the whole process, but also of individual risks or projects and of the benefits gained from implementing risk control measures. The Risk Reporting section of this policy aids the achievement of performance monitoring.

Project Management

Ensuring that we are capable of delivering major and complex projects across our Colleges, Schools and Services is key to achieving the University's strategic and operational objectives. Achievement of these projects is only possible because good managers take the time to plan, organise and manage their projects well, including continually reviewing the risk management process throughout the life of the project.

Data Quality

The University needs to ensure that the data we use for performance monitoring and to inform decision making is accurate, reliable and fit for purpose. If the information is misleading, decision making may be flawed, resources may be wasted, poor services may not be improved and policy may be ill-founded. These could represent significant risks to the University. There is also a danger that good performance may not be recognised and rewarded.

Anti-Fraud

The University is in the process of developing an anti-fraud policy, which will direct the University towards ensuring a professional and ethical approach to combating fraud.

Whistleblowing

The University is committed to the highest possible standards of propriety and accountability in the conduct of its activities for the community. Employees are often the first to realise that something wrong may be happening within the University. The UCC Whistleblowing policy (currently in draft form) is intended to help employees who have concerns over any potential wrong-doing within the University.

Money Laundering

The University's policy is to do all that it can to prevent, wherever possible, the University and its employees being exposed to money laundering, to identify the potential areas where it may occur, and to comply with all legal and regulatory requirements, especially with regard to the reporting of actual or suspected cases.

Emergency Planning and Business Continuity

The Emergency Planning and Business Continuity process is essentially risk management applied to the whole University and its ability to continue with its service provision in the event of a catastrophic event. The University must ensure risk management processes are applied throughout the business continuity lifecycle.

Safety Management

Under the University's safety management system, (occupational H&S risks) the President formally charges each Head of Colleges and Services (Functional Areas), by letter each year, to submit an assurance statement for Governing Body, together with a concise summary of their 5 major H&S risks, the actions taken and those planned (for the H&S Risk Register). The assurances submitted by each FA are included in Appendices 2 and 3 of the GB annual Safety Report (since Dec 2011).

Risk Reporting Schedule

TIMEFRAME | MTG DATES | REPORT TO | DESCRIPTION | INPUT REQUIRED
Quarterly (every 2nd mtg) | To be inserted on an annual basis | Governing Body | Provide strategic and operational risk registers and report on the management of risk in the University | Corporate Secretary; University Management Team; Risk Management Committee
Annually November - December | To be inserted | Audit Committee | Provide composite Annual Report on the management of risk in the University | Corporate Secretary; Chair, Risk Management Comm; Risk Manager
Quarterly | To be inserted on an annual basis | Audit Committee | Provide updated strategic risk register and minutes of the Risk Management Committee | Corporate Secretary; Risk Manager
Quarterly (rolling basis) | To be inserted on an annual basis | Risk Management Committee | Strategic and operational risk register review | Heads of Colleges / Schools and Services (Functional Areas); All members of the Risk Management Committee
Bi-monthly | To be inserted on an annual basis | University Management Team | Strategic and operational risk register update and minutes of Risk Management Committee | Corporate Secretary; Chair, Risk Management Comm; Risk Manager
Bi-Annually | To be inserted on an annual basis | Corporate Secretary | Review of the risk management strategy and process documents to identify and agree any major changes | Risk Management Committee; Risk Manager
Quarterly | To be inserted on an annual basis | Risk Management Committee | Updated College and Service risk registers | Heads of Colleges and Services (Functional Areas)
Ad Hoc | To be inserted | Risk Management Committee | Risk and opportunity reviews | Heads of Colleges and Services (Functional Areas)

Also, Risk Management Workshops for UMTS take place bi-annually.

NEW Risk Management Process (incorporating User Guide)

Risk Management Process: User Guide

Introduction

Risk management is an indispensable element of good management. As such, its implementation is crucial to the University and essential to its ability to discharge its academic and services responsibilities. The risk management policy has been designed to support Heads of Colleges/Schools and Services (Functional Areas) and staff in ensuring that the University is able to discharge its risk management responsibility in a consistent manner. The risk management policy outlines the objectives, benefits and approach to ensure that risks and opportunities are successfully managed.

Risk management is about improving our ability to deliver positive outcomes for the University by managing our threats, enhancing our opportunities and creating an environment that adds value to ongoing academic and service activities. Risk management is a key part of corporate governance. Corporate governance is the way an organisation manages its business, determines strategy and objectives and goes about achieving those objectives. Good risk management will help identify and deal with key corporate risks facing the University in the pursuit of its goals and is a key part of good management, not simply a compliance exercise.

Ask yourself the following questions:
- What could go wrong?
- How likely is it to happen?
- What would the impact be of it happening?
- What should be done to reduce the risk?
- Who owns the risk?
- Having evaluated and reduced specific risks can the decision now go ahead to implementation?
- What else do you need to do about it?

To help with the process this guidance document provides a simple SMART methodology:
- Specific
- Measurable
- Achievable
- Realistic
- Time bound

Risk Management Process

The starting point for risk management is a clear understanding of what the University is trying to achieve. Risk management is about managing the threats that may hinder delivery of our strategic aims, objectives and operational services, and maximising the opportunities that will help to deliver them. Therefore, effective risk management should be clearly aligned to the following objectives and processes:

The 5 steps to managing risks

Step 1: STRATEGIC AND OPERATIONAL OBJECTIVES
- What is the University / College / School or Service trying to achieve?
- Where are we going?
- What are the proposed outcomes?
- What decisions need to be made?
- Are they SMART?

Step 2: Identify
- What could go wrong?

Step 3: Assess
- How likely is it to happen?
- What would the impact be of it happening?

Step 4: Controls & Actions
- Who owns the risk? Assign risk owner.
- What current controls are in place to reduce the risk?
- What future actions must be done to reduce the risk?
- What else do you need to do about the risk?

Step 5: Monitoring & reviewing
- Are the controls effective?
- Are the actions effective?
- Has the risk changed?

Step 1: Linking identified risks to Strategic and Operational objectives

It is very important to ensure that the identified risk is a risk to the achievement of the University's mission, vision and strategic objectives under the following headings:
1/ Delivering research-inspired teaching and learning with a world class student experience
2/ Being a premier European university for research, discovery, innovation and commercialisation
3/ Being pre-eminent in internationalisation, external engagement and contribution to society
4/ Applying best international practice to attract, develop and retain staff of the highest quality and to enable all staff to reach their full potential
5/ Strengthening our infrastructure and resource base

Step 2: Identify Risks

Identify the potential risks or opportunities that may arise. Where taking risks that may benefit the University, managing these opportunities increases the chance of success and reduces the possibility of failure. By managing our opportunities well, we will be in a better position to provide improved services and better value for money.

It may be helpful to use the following if..then.. structure to describe risks and opportunities and related consequences. Examples would be:
- If we do not review and manage our budgets, then there is a risk that we will overspend
- If the implementation of the new system is achieved according to the action plan, then the overall process will be more effective

Risks will be considered under the following headings:
- Strategic risks [1]
- Operational risks [2]
- Regulatory
- Financial
- Reputational
- Service Continuity

Each risk needs to be allocated to an owner who will be responsible and lead on the management of that risk, taking forward any action to minimise the risk.

[1] Strategic risks: External and internal forces that may have a significant impact on achieving key strategic objectives. The causes of these risks include such things as national and global economies and significant government policy. Often, they cannot be predicted or monitored through a systematic operational procedure. The lack of advance warning and frequent immediate response required to manage strategic risk mean they are often best identified and monitored by the University Management Team as part of their strategic planning, horizon-scanning and review mechanisms.

[2] Operational risks: Inherent in the ongoing activities that are performed across the University. These are the risks associated with such things as day-to-day operational performance of staff, the risk inherent in the Colleges/Schools and Services (Functional Areas) and the manner in which core operations and services are delivered.

Step 3: Assess Risks

Having identified the risks it is then necessary to assess which are going to pose the greatest threat or opportunity by looking at both the likelihood of the risk occurring and the impact that might result, producing the overall risk rating. See Table 1 and Table 2 for the objective criteria to be used when assessing risks.

These scores are not intended to provide precise measurements of risk but to provide a useful basis for identifying vulnerabilities or opportunities, ensuring that any necessary actions are undertaken. The University has developed a standard methodology (including PPVOTE software and/or Microsoft Excel) to compute the risk ratings and to prioritise the risks. This methodology helps ensure consistent, meaningful scores that can be used to assess risks.

The risk rating needs to be regularly reviewed at strategic and operational level to check that existing controls are effective and to assess any changes should new controls be established, and the risk rating should be amended to reflect changes.

You will find the criteria for assessing the likelihood and impact on the following pages. It should be noted that the information provided is a guideline; there may be many other factors which may impact on your assessment.

Table 1 Likelihood [5-step scale]

Risk owners assess the likelihood of each risk using the five point scale which is shown in outline below. The risks should be assessed by considering the controls which are currently in place to mitigate each risk.

RATING | SCORE | THREAT | OPPORTUNITY
Almost Certain | 5 | Expected to occur or a common occurrence | Favourable outcome is likely within 6 months
Likely | 4 | Will probably occur in most circumstances | Favourable outcome is likely within one year
Possible | 3 | Might occur at some point | Some chance of favourable outcome
Unlikely | 2 | Small chance of occurring at some point | Some chance of favourable outcome in the long term 10% - 30%
Rare | 1 | Only in exceptional circumstance | Less than 10% of occurrence

Table 2 Impact [5-step scale]

Risk owners assess the severity of each risk using the following five-point scale and criteria, where examples of the severity of each risk are shown under five dimensions: Strategic and Operational, Regulatory, Financial, Reputation and Continuity of Service.

RATING: Severe (5), Major (4), Moderate (3), Minor (2), Insignificant (1)

STRATEGIC & OPERATIONAL
Severe (5): Achievement of strategic and operational goals in the medium term jeopardised. Existence of the University, Colleges/Schools, Service, Project under threat.
Major (4): Significant effect on operational performance will require operational resource reallocation (financial, assets and or people) to manage and resolve in the medium term to avoid non achievement of strategic goals.
Moderate (3): Some impact on the University's Colleges / Schools, Service, Project or operational performance. Less impact on strategic goals in the medium term.
Minor (2): Disruption to operations with no permanent or significant effect on the University, College / School, Service, Project.
Insignificant (1): Some localised inconvenience, but no impact to the University, College/School, Service or Project. Absorbed with Colleges/Schools/Service running costs.

REGULATORY: COMPLIANCE/LEGAL
Severe (5): Breach of legislation, contract or policy leading to significant and costly legal action and/or fines with widespread potential impact for the University or breakdown of relationships involving funding. Litigation or criminal prosecution and or substantial major negative sanction by a regulatory body.
Major (4): Breach of legislation, contract or policy leading to significant and costly legal action and/or fines with widespread potential impact for the University. Litigation or criminal prosecution and or substantial major negative sanction by a regulatory body.
Moderate (3): Breach of legislation, contract or policy leading to escalated legal enquiries and/or fines. Regulatory or legal consequence limited to additional questioning or review by enforcing authority.
Minor (2): Breach of legislation, contract or policy that may have an impact on the relationship with the third party or enforcing authority, but no long lasting effect. No litigation or prosecution and/or fine. Regulatory consequences limited to standard inquiries.
Insignificant (1): Breach of legislation, contract or policy that does not have any penalty or litigation impact.

FINANCIAL
Severe (5): Greater than 5% of annual income OR 10m
Major (4): Between 2% and 5% of annual income OR between 5m-10m
Moderate (3): Between 1% and 2% of annual income OR between 2m-5m
Minor (2): Between 0.5% and 1% of annual income OR between 1m-2m
Insignificant (1): Less than 0.5% of annual income OR 1m

REPUTATION
Severe (5): Loss of student confidence in the University. Reputation and standing of the University adversely affected nationally/internationally. Serious public outcry and or international coverage.
Major (4): Reputation adversely impacted with majority of key stakeholders. Significant breakdown in strategic and or business partnerships. Loss of student confidence in a College/School or service. Sustained adverse national media and public coverage.
Moderate (3): Reputation adversely impacted with a significant number of stakeholders. Breakdown in strategic and or business partnership. Student and or community concern. Adverse national media coverage and external criticism.
Minor (2): Reputation adversely impacted with some stakeholder. Issue raised by students and or local press. Adverse local public or media attention and complaints.
Insignificant (1): Reputation is adversely affected by a small number of affected people. Internal matter. Issue resolved promptly by operational management processes. Minimal or no stakeholder interest. Individual grievances.

CONTINUITY OF SERVICE LEVELS
Severe (5): Total loss of research or service functions. University, Colleges / Schools, Service or Project failure.
Major (4): Complete disruption to University, Colleges / Schools, Service operations. Loss of two weeks to two months of teaching, research and/or service functions.
Moderate (3): Loss of 1-7 days of teaching, research and/or business functions.
Minor (2): Loss of one full day of teaching, research and/or service function.
Insignificant (1): Loss of less than one day's teaching, research and or service functions.

Table 3 Risk Matrix [5x5 model]

IMPACT \ LIKELIHOOD | Rare (1) | Unlikely (2) | Possible (3) | Likely (4) | Almost Certain (5)
(5) Severe | Low | Medium | High | Extreme | Extreme
(4) Major | Low | Medium | Medium | High | Extreme
(3) Moderate | Low | Low | Medium | Medium | High
(2) Minor | Insignificant | Low | Low | Medium | Medium
(1) Insignificant | Insignificant | Insignificant | Low | Low | Low

LIKELIHOOD
Rare (1): Less than 10% chance of occurrence
Unlikely (2): 10-39% chance of occurrence at some time
Possible (3): 40-69% chance of occurrence at some time
Likely (4): 70-79% chance of occurrence
Almost Certain (5): 80% or above chance of occurrence

Risk Matrix Legend: Extreme, High, Medium, Low, Insignificant

Step 4: Control Risks

This stage of the process is to confirm the risk owner who must then decide on a course of action to address the risks identified, to ensure that they do not develop into an issue, where the potential threat is realised. There are four approaches that can be taken to address the risks that have been identified and assessed, these being terminate, transfer, treat and tolerate.

Table 4 - Risk control approaches [The 4 Ts]

Risk Control approaches are concerned with the actions/measures taken to reduce the impact or likelihood of risks, not wholly to terminate or transfer.

APPROACH | DESCRIPTION
Terminate | A decision is made not to undertake the activity that is likely to trigger the risk. Where the risks outweigh the possible benefits, terminate the risk by doing things differently and thereby removing the risk.
Transfer | Share the exposure, either totally or in part, with a partner or contractor, or through insurance. Any partnership will need to be carefully monitored as it may not be possible to transfer all risks and certain aspects may remain, such as loss of reputation.
Treat | The most common approach is to introduce preventative actions to reduce the probability or impact if the risk occurs and maximise the potential for success.
Tolerate | The ability of an effective action against some risks may be limited or the cost of taking such action may be disproportionate to the potential benefits gained.

Terminate (Eliminate): Avoid by withdrawing. The University is no longer prepared to take the risk.
Transfer (Pass on): Transfer or share risk via insurance, partnerships, outsourcing, sub contracting etc.
Treat (Reduce): Use of internal controls and actions, training, supervision, risk awareness, diversification, marketing and strategic planning.
Tolerate (Accept): Accept the risk.

Table 5 - Risk Appetite University Level

Columns: LEVEL OF RISK; LEVEL OF CONCERN; TARGET RESOLUTION & REVIEW PERIOD; RISK CONTROL APPROACH OPTIONS; OTHER ACTIONS REQUIRED

LEVEL OF RISK: Extreme (all extreme risks must be reported to Governing Body)
LEVEL OF CONCERN: An extreme risk is unacceptable. Immediate notification to the Corporate Secretary. Senior University Management consideration is required and a detailed mitigation plan must be put in place. Monitoring and reporting to the UMT is necessary.
TARGET RESOLUTION & REVIEW PERIOD: Target resolution: 3-6 months. Review period every two weeks by UMTO or as and when a significant change occurs.
RISK CONTROL APPROACH OPTIONS: Terminate, Transfer, Treat
OTHER ACTIONS REQUIRED: Report directly to the President or Corporate Secretary

LEVEL OF RISK: High
LEVEL OF CONCERN: A high risk is usually unacceptable. Senior University Management consideration is required and a detailed mitigation plan must be developed. Regular monitoring and reporting to the UMT.
TARGET RESOLUTION & REVIEW PERIOD: Target resolution: 6-12 months. Review period every month by UMTS or as and when a significant change occurs.
RISK CONTROL APPROACH OPTIONS: Terminate, Transfer, Treat
OTHER ACTIONS REQUIRED: Report to the Corporate Secretary

LEVEL OF RISK: Medium
LEVEL OF CONCERN: A mitigation / action plan must be developed; existing controls, consequences and likelihood do not substantially change. Report to Risk Management Committee.
TARGET RESOLUTION & REVIEW PERIOD: Target resolution: months. Review period every 2 months or as and when a significant change occurs.
RISK CONTROL APPROACH OPTIONS: Terminate, Transfer, Treat
OTHER ACTIONS REQUIRED: Head of College / School / Service to ensure mitigation / action plans are developed and put in place

LEVEL OF RISK: Low
LEVEL OF CONCERN: Risk is tolerable. Manage by well established, routine processes and procedures and be mindful of changes to the nature of the risks.
TARGET RESOLUTION & REVIEW PERIOD: Review every 6 months or as and when a change occurs.
RISK CONTROL APPROACH OPTIONS: Tolerate
OTHER ACTIONS REQUIRED: Monitor and treat if cost effective

Step 5: Monitor and Review Risks

Few risks remain static. New issues and risks are likely to emerge and existing risks may change. Having identified the risks, assessed them and put control measures in place, it is essential that they are routinely monitored. (See Risk Reporting Schedule, page 11).

Risk management needs to be seen as a continuous process. It is essential that the incidence of risk be reviewed to see whether it has changed over time. Risk Management is a dynamic process, which means new risks will be identified. Some will be terminated and control measures will need to be updated in response to changing internal and external events. The assessment of the impact and likelihood will also need to be reviewed in light of management actions.

Monitoring progress and regular reviews provide:
- Assurance that progress is being made towards controlling risks
- Assurance that controls are effective
- Knowledge of any changes to the risk brought about by shifting circumstances or business priorities.

When undertaking the monitor and review process, guidance is given below on the sorts of questions that should be taken into account:
- Are the risks still relevant?
- Has anything occurred that could impact on them?
- Are performance indicators appropriate?
- Are the controls in place effective?
- Have risk scores changed, and if so are they decreasing or increasing?
- If risk profiles are increasing, what further controls might be needed?
- If risk profiles are decreasing, can controls be relaxed?

The monitoring and review process should be integrated into existing business processes so that it adds value and supports the successful achievement of objectives and is not just seen as a bolt-on. Where objectives have not been achieved or are not on course to be achieved, the cause(s) should be investigated to inform and improve the risk assessment process.

Categories of risk

Categories are widely used to identify sources of risk. Some will be of greater concern at the corporate level and some at the operational level; however, there is no clear distinction, and all levels of management should be concerned, to varying degrees, with the majority of categories. These risks can be categorised as follows. This list provides a prompt which can be used to aid risk discussions. These can be used as a guide, a starting point or as a checklist for existing registers.

CATEGORIES OF RISK: Strategic Management; Strategic / Commercial

INDICATIVE GUIDELINES GIVEN AS EXAMPLES:
- Budgeting (relates to availability or allocation of resources)
- Fraud or Theft
- Unethical dealings
- Product and or services failure (resulting in lack of support to business process)
- Public perception and reputation
- Exploitation of employees and or suppliers (availability and retention of suitable staff)
- Environmental (mismanagement issues relating to fuel consumption, pollution etc)
- Occupational Health & Safety mismanagement and or liability
- Failure to comply with legal and regulatory obligations and or contractual aspect (can you sue or be sued?)
- Civil action
- Failure of the infrastructure (including utility supplies, computer networks etc)
- Failure to control intellectual property (as a result of abuse or industrial espionage)
- Failure to take account of widespread disease or illness among the workforce
- Failure to complete to published deadlines or timescales
- Failure to take on new technology where appropriate to achieve objectives
- Failure to invest appropriately
- Failure to control IT effectively
- Failure to establish a positive culture following business change
- Vulnerability of resources (material and people)
- Failure to establish effective continuity arrangements in the event of disaster
- Loss of buildings or extensive damage inadequate fire spread controls between buildings or within preserved / iconic buildings.
- Inadequate insurance/contingency provision and disasters such as fire, floods and bomb incidents
- Failure to address economic factors (such as interest rates, inflation)
- Political and market factors (for management of risk, security etc)
- Operational procedures adequate and appropriate
- Capability to innovate (to exploit opportunities)
- Under performance of services relative to specification
- Management will under perform against expectations
- Collapse of contractors
- Failure of suppliers to meet contractual commitments (this could be in terms of quality, quantity, and timescales on their own exposures to risk)
- Insufficient capital investment, shortfall in revenue expected / planned
- Fraud/Theft

CATEGORIES OF RISK: Economical / Financial / Market; Legal and Regulatory; Reputation; Organisation / Management / Human Factors

INDICATIVE GUIDELINES GIVEN AS EXAMPLES:
- Partnerships failing to deliver desired outcome
- An event being non insurable or cost of insurance outweighs the benefit
- Exchange rate fluctuation
- Interest rate instability
- Inflation
- Shortage of working capital
- Failure to meet project revenue targets
- Market developments will adversely affect plans
- New or changed legislation may invalidate assumptions upon which activity is based
- Failure to obtain appropriate approval (e.g. planning consent)
- Unforeseen inclusion or contingent liabilities
- Loss of intellectual property rights
- Failure to achieve satisfactory contractual arrangements
- Unexpected regulatory controls of licensing requirements
- Changes in tax structure
- Non compliance with regulatory provisions (fire codes, Building Control Act, Occ H&S law, licensing acts, environmental, etc)
- Adverse media attention
- Policies misunderstood or misinterpreted
- Negative implications identified by others which have not been previously considered
- Failure to keep partners on side
- Loss of stakeholder confidence
- Breach of confidentiality
- Lack of Business Continuity plan
- Failure to maintain property
- Management incompetence
- Inadequate corporate policies
- Inadequate adoption of management practices
- Poor leadership
- Key personnel have inadequate authority to fulfil roles
- Poor staff selection procedures
- Lack of clarity over roles and responsibilities
- Vested interest creating conflict and compromising the overall aims
- Individual or group interests given unwarranted priority
- Personality clashes
- Indecisions or inaccurate information

- Not incorporating H&S requirements / advice or non observance / adherence to H&S regulatory requirements or guidance

CATEGORIES OF RISK: People; Environmental; Political; Technical / Operational / Infrastructure

INDICATIVE GUIDELINES GIVEN AS EXAMPLES:
- Human Resource Management practices
- Recruitment
- Induction
- Training and development
- Non-adherence to the University's safety management system and occupational health controls at recruitment and in operation.
- Industrial action
- Occupational Health
- Fraud, corruption and crime
- Natural hazards
- Security
- Public Health (legionella/food safety)
- Emergency management
- Waste and refuse
- Pollution incidents
- Transport problems
- Radiation
- Hazardous and toxic materials (chemicals, asbestos, gas etc)
- Failure to adequately control risk of exposure to Laboratory animal allergens in research facilities
- Change of government policy
- Change of government
- War and disorder, civil unrest
- Adverse public opinion/media intervention
- Inadequate design
- Professional negligence
- Human error/incompetence
- Infrastructure failure
- Increased dismantling/decommissioning costs
- Safety being compromised
- Performance failure
- Residual maintenance problems
- Unclear expectations
- Breaches in statutory/information security
- Lack or inadequacy of business continuity plans

CATEGORIES OF RISK: Operational Risks

INDICATIVE GUIDELINES GIVEN AS EXAMPLES:
- Lack of clarity of service requirements
- Inadequate infrastructure to provide required operational services
- Inadequate or inappropriate people available to support the required service provision
- Inappropriate contract in place and or inadequate contract management to support the required level of service provision
- Changing requirements, enabled in an uncontrolled way
- Products passed to operational teams without due consideration to implementation, handover, subsequent maintenance and decommissioning
- Unexpected or inappropriate expectations of service users
- Inadequate incident handling
- Lack or inadequacy of business continuity or contingency measures with regard to maintaining critical business services
- Failing to meet legal or contractual obligations

Risk Register and Risk Evaluation Sheets

It is good governance for the University, Colleges/Schools and Services (Functional Areas) to maintain and review their risks, assigning a named individual as risk owner responsible and accountable for the management of the identified risk(s). Each risk owner must complete and keep updated an individual Risk Evaluation sheet for each risk, which then feeds into the Risk Register.

Risk Registers are required at University, College, School, Services (Functional Areas) and Project level. Any risks scoring 15+ on the Risk Matrix (see Table 3), i.e. in the High or Extreme category, must be escalated to the next level of management.

The Risk Register is the tool which captures important information about the risk or opportunity and is a continual process. New risks may be identified, some may be terminated, and control measures will need to be adapted in response to changing internal and external events or factors. Horizon scanning, i.e. being alert to and conscious of external changes in culture, political, environment etc, is of increasing importance in the identification of new risks and in the level of preparedness to manage such risks.

The University has adopted a standard format for the recording of risks University-wide. The Risk Evaluation sheet template and sample Risk Register format may be found overleaf and also on the following web page

Risk Evaluation Sheet template

Risk Register template

The information contained in the Strategic and Operational Risk Registers will be used to inform our performance reporting to:
- The University Management Team
- Risk Management Committee
- Audit Committee
- Governing Body
- Comptroller and Auditor General
- Higher Education Authority

To meet this requirement the Risk Management Service, within the Office of Corporate & Legal Affairs, maintains a register of all risks for reporting purposes. Heads of Colleges / Schools and Services (Functional Areas) are required to provide an updated risk register annually in line with the University's Risk Reporting Schedule or in the event that significant risks arise or where there is significant escalation to an existing risk.

Annual Assurance Statement

As part of the Annual Assurance Statement required by Heads of Colleges and Services (Functional Areas) will now be required to provide an annual assurance statement for reporting to the Audit Committee annually. The assurance statement will include the following documents:
- Current College/School and Service risk registers
- Supporting comments for any of the risks in the risk register (if any)
- Highlight any significant changes to risks over the last 12 months
- Review of effectiveness of internal process and structure (what worked well and what did not, including proposed improvements in the next year if any)
- Review of escalated risks in the last 12 months (if any)
- Review of embedding of risk management across the College/School or Service.

Heads of Colleges and Services (Functional Areas) will also be invited annually to present their risk register and discuss their approach to Risk Management to the Risk Management Committee and to the external auditors.

Summary

This document is intended to provide a simple methodology to help with the risk management process. It may be helpful to understand how managing risk through this process fits in with the overall approach to managing risk throughout the University. Details of this can be found in the Risk Management Policy section.

Important Last Word

Risk Management is not the responsibility of a few, it is the responsibility of every employee.


More information

RISK AND OPPORTUNITY MANAGEMENT STRATEGY 2013-2014

RISK AND OPPORTUNITY MANAGEMENT STRATEGY 2013-2014 RISK AND OPPORTUNITY MANAGEMENT STRATEGY 2013-2014 Version 1.0 October 2013 Not protectively marked INDEX PAGE NO TITLE 3 Executive Summary 4 Our Shared Vision and Priorities 5 Outline of the Risk and

More information

Risk Management Framework

Risk Management Framework Risk Management Framework Category or Type Originally approved by, and date Administration and Management Vice Chancellor at VCAG on December 2008 Last approved revision October 2011 Sponsor Chief Operating

More information

MARCH 2012. Strategic Risk Policy Update March 2012 v1.10.doc

MARCH 2012. Strategic Risk Policy Update March 2012 v1.10.doc MARCH 2012 Version 1.10 Strategic Risk Policy Update March 2012 v1.10.doc Document History Current Version Document Name Risk Management Policy Statement and Strategic Framework Last Updated By Alan Till

More information

ERM Program. Enterprise Risk Management Guideline

ERM Program. Enterprise Risk Management Guideline ERM Program Enterprise Management Guideline Table of Contents PREAMBLE... 2 When should I refer to this Guideline?... 3 Why do we need a Guideline?... 4 How do I use this Guideline?... 4 Who is responsible

More information

Business Continuity Policy. Version 1.0

Business Continuity Policy. Version 1.0 Business Continuity Policy Version.0 January 206 Contents Contents Version control Foreword Policy. Scope.2 Aim and objectives.3 Methods and standards.4 Responsibilities.5 Governance.6 Training and exercises

More information

Risk Management Procedure

Risk Management Procedure Purpose of this document Develop and document procedures and work instructions for Risk Management to cover the project Stages set out in the Project Process Map. The purpose of this procedure is to identify

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

These guidelines can help you in taking the first step and adopt a sustainability policy as well as plan your further sustainability communication.

These guidelines can help you in taking the first step and adopt a sustainability policy as well as plan your further sustainability communication. SUSTAINABILITY POLICY AND COMMUNICATION GUIDELINES Why communicate about sustainability? IFU encourages all our investments to be transparent and informative about business and sustainability performance

More information

ING Group Compliance Risk Management Charter and Framework

ING Group Compliance Risk Management Charter and Framework ING Group Compliance Risk Management Charter and Framework Corporate Compliance Risk Management ING GROUP COMPLIANCE RISK MANAGEMENT CHARTER AND FRAMEWORK Information sheet Target audience: All employees

More information

How To Ensure That Sovini Is A Successful Business

How To Ensure That Sovini Is A Successful Business Group Risk Management Policy Originator: Approval date: Policy and Strategy Team Sovini Board PCHA Board OVH Board/EMT 6 th December 2013 31 st October 2013 14 th October 2013 Review date: December 2014

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

the role of the head of internal audit in public service organisations 2010

the role of the head of internal audit in public service organisations 2010 the role of the head of internal audit in public service organisations 2010 CIPFA Statement on the role of the Head of Internal Audit in public service organisations The Head of Internal Audit in a public

More information

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES SD 0880/10 INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES Laid before Tynwald 16 November 2010 Coming into operation 1 October 2010 The Supervisor, after consulting

More information

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency

More information

Health, Security, Safety and Environment (HSE)

Health, Security, Safety and Environment (HSE) Health, Security, Safety and Environment (HSE) Content: 1 Objective 2 Application and Scope 21 Application of HSE Directive with underlying documents 22 Scope of HSE Management system 3 Framework for our

More information

Housing Related Support Contract Management Framework 2009/10

Housing Related Support Contract Management Framework 2009/10 Housing Related Support Contract Management Framework 2009/10 0 If you would like this information in large print, audio tape or in any other format or language please contact the public information officer

More information

Care Providers Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management

Care Providers Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management Care Providers Protecting your organisation, supporting its success Risk Management Insurance Employee Benefits Investment Management Care providers are there to help those in need. But who helps the care

More information

REPORT 4 FOR DECISION. This report will be considered in public

REPORT 4 FOR DECISION. This report will be considered in public REPORT 4 Subject: Safety Readiness for the Summer 2013 Events Programme Agenda item: Public Item 7 Report No: 4 Meeting date: 28 May 2013 Report to: Board Report of: Mark Camley, Interim Executive Director

More information

Risk Management Policy and Strategy 2014 2016. October 2014

Risk Management Policy and Strategy 2014 2016. October 2014 Risk Management Policy and Strategy 2014 2016 October 2014 Contents Risk Management Policy 2014 2016... 3 Risk Management Strategy 2014 2016... 3 1. Introduction... 3 2. Terminology... 4 3 Objectives...

More information

Risk Management. Policy

Risk Management. Policy Policy Risk Management Endorsed: 26 February 2014 Brief description The GPC Risk Management Policy and its supporting standards and procedures provide a framework to ensure that risks arising from our

More information

13 ENVIRONMENTAL AND SOCIAL MANAGEMENT SYSTEM

13 ENVIRONMENTAL AND SOCIAL MANAGEMENT SYSTEM 13 ENVIRONMENTAL AND SOCIAL MANAGEMENT SYSTEM This ESIA has identified impacts (both positive and negative) to the physical, natural and socio-economic environments, as well as to community and worker

More information

Hazard Identification, Risk Assessment and Control Procedure

Hazard Identification, Risk Assessment and Control Procedure Hazard Identification, Risk Assessment and Control Procedure 1. Purpose To ensure that there is a formal process for hazard identification, risk assessment and control to effectively manage workplace and

More information

RISK MANAGEMENT STRATEGY 2014-17

RISK MANAGEMENT STRATEGY 2014-17 RISK MANAGEMENT STRATEGY 2014-17 DOCUMENT NO: Lead author/initiator(s): Contact email address: Developed by: Approved by: DN128 Head of Quality Performance Julia.sirett@ccs.nhs.uk Quality Performance Team

More information

Audit, Risk Management and Compliance Committee Charter

Audit, Risk Management and Compliance Committee Charter Audit, Risk Management and Compliance Committee Charter Woolworths Limited Adopted by the Board on 27 August 2013 page 1 1 Introduction This Charter sets out the responsibilities, structure and composition

More information

Fraud and the Government Internal Auditor

Fraud and the Government Internal Auditor Fraud and the Government Internal Auditor January 2012 Fraud and the Government Internal Auditor January 2012 Official versions of this document are printed on 100% recycled paper. When you have finished

More information

Revised Risk Management Policy and Framework. Report by Head of Finance

Revised Risk Management Policy and Framework. Report by Head of Finance Audit Committee 29 April 2010 Item No 7 Revised Risk Management Policy and Framework Report by Head of Finance Summary A substantial review of our current Risk Management Strategy has been carried out.

More information

WFP ENTERPRISE RISK MANAGEMENT POLICY

WFP ENTERPRISE RISK MANAGEMENT POLICY WFP ENTERPRISE RISK MANAGEMENT POLICY Informal Consultation 3 March 2015 World Food Programme Rome, Italy EXECUTIVE SUMMARY For many organizations, risk management is about minimizing the risk to achievement

More information

WHS Risk Assessment and Control Form

WHS Risk Assessment and Control Form WHS Risk Assessment and Control Form Step 1: Who has conducted the Risk Assessment Risk Assessment completed by (name): Staff / Student Number: Signature: Date: Step 4: Documentation and initial approval

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Responsible Officer Author Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date effective from December 2008 Date last amended December 2012

More information

Risk Management in the HSE; An Information Handbook

Risk Management in the HSE; An Information Handbook Risk Management in the HSE; An Information Handbook Document reference number Revision number OQR011 Revision date October 2011 Review date Document developed by 5 Document approved by October 2013 Responsibility

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

GLASGOW SCHOOL OF ART OCCUPATIONAL HEALTH AND SAFETY POLICY. 1. Occupational Health and Safety Policy Statement 1

GLASGOW SCHOOL OF ART OCCUPATIONAL HEALTH AND SAFETY POLICY. 1. Occupational Health and Safety Policy Statement 1 GLASGOW SCHOOL OF ART OCCUPATIONAL HEALTH AND SAFETY POLICY CONTENTS PAGE 1. Occupational Health and Safety Policy Statement 1 2. Occupational Health and Safety Management System 2 3. Organisational Management

More information

WORK HEALTH AND SAFETY

WORK HEALTH AND SAFETY WORK HEALTH AND SAFETY SCOPE POLICY Work Health and Safety System Work Health and Safety Objectives Roles and Responsibilities Executive Responsibilities Manager Responsibilities Worker Responsibilities

More information

Operational Risk Management Policy

Operational Risk Management Policy Operational Risk Management Policy Operational Risk Definition A bank, including a development bank, is influenced by the developments of the external environment in which it is called to operate, as well

More information

IFAD Policy on Enterprise Risk Management

IFAD Policy on Enterprise Risk Management Document: EB 2008/94/R.4 Agenda: 5 Date: 6 August 2008 Distribution: Public Original: English E IFAD Policy on Enterprise Risk Management Executive Board Ninety-fourth Session Rome, 10-11 September 2008

More information

NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE

NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE STAATSKOERANT, 19 DESEMBER 2014 No. 38357 3 BOARD NOTICE NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE LONG-TERM INSURANCE ACT, 1998 (ACT NO. 52

More information

System of Governance

System of Governance CEIOPS-DOC-29/09 CEIOPS Advice for Level 2 Implementing Measures on Solvency II: System of Governance (former Consultation Paper 33) October 2009 CEIOPS e.v. Westhafenplatz 1-60327 Frankfurt Germany Tel.

More information

Board of Directors 24 October 2014

Board of Directors 24 October 2014 Board of Directors 24 October 2014 AGENDA ITEM: Item 16 PRESENTED BY: Richard Jones, Trust Secretary & Head of Governance PREPARED BY: DATE PREPARED: 19 September 2014 Richard Jones, Trust Secretary &

More information

D 1. Working with people Develop productive working relationships with colleagues. Unit Summary. effective performance.

D 1. Working with people Develop productive working relationships with colleagues. Unit Summary. effective performance. 1 Develop productive working relationships with colleagues Unit Summary What is the unit about? This unit is about developing working relationships with colleagues, within your own organisation and within

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Aegon Global Compliance

Aegon Global Compliance Aegon Global Compliance GLOBAL Charter COMPLIANCE CHARTER aegon.com The Hague, June 1, 2013 Information sheet Target audience: All employees and management of Aegon companies Issued by: Aegon N.V. Group

More information

Corporate Code of Ethics

Corporate Code of Ethics FERROVIAL CORPORATE CODE OF ETHICS Corporate Code of Ethics Our complete commitment to the ethics and integrity of our workforce highlights us as a serious company committed to its stakeholders interests.

More information

National Occupational Standards. Compliance

National Occupational Standards. Compliance National Occupational Standards Compliance NOTES ABOUT NATIONAL OCCUPATIONAL STANDARDS What are National Occupational Standards, and why should you use them? National Occupational Standards (NOS) are statements

More information

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy Part Two Part One Not Protectively Marked DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy. The Dorset & Wiltshire Fire and Rescue Authority (DWFRA)

More information

A guide for members APES 325 Risk Management for Firms

A guide for members APES 325 Risk Management for Firms A guide for members APES 325 Risk Management for Firms An explanation and introduction to APES 325 Risk Management for Firms Overview of the scope and application of a risk management framework. APES 325

More information

SOUTHERN RURAL WATER POLICY RISK MANAGEMENT POLICY

SOUTHERN RURAL WATER POLICY RISK MANAGEMENT POLICY SOUTHERN RURAL WATER POLICY RISK MANAGEMENT POLICY 1. POLICY STATEMENT Having regard to AS/NZS ISO 31000 Risk Management, it shall be the Policy of SRW to manage risk to protect public safety, quality

More information

A Risk Management Standard

A Risk Management Standard A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management

More information

National Quality Standard Assessment and Rating Instrument

National Quality Standard Assessment and Rating Instrument National Quality Assessment and Rating Instrument April 2012 Copyright The details of the relevant licence conditions are available on the Creative Commons website (accessible using the links provided)

More information

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES THIS POLICY SETS OUT THE REQUIREMENTS FOR SAFEGUARDING COMPANY ASSETS AND RESOURCES TO PROTECT PATIENTS, STAFF, PRODUCTS, PROPERTY AND

More information

Business Continuity Management Framework 2014 2017

Business Continuity Management Framework 2014 2017 Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity

More information

1.1 Terms of Reference Y P N Comments/Areas for Improvement

1.1 Terms of Reference Y P N Comments/Areas for Improvement 1 Scope of Internal Audit 1.1 Terms of Reference Y P N Comments/Areas for Improvement 1.1.1 Do Terms of Reference: a) Establish the responsibilities and objectives of IA? b) Establish the organisational

More information

1.0 Policy Statement / Intentions (FOIA - Open)

1.0 Policy Statement / Intentions (FOIA - Open) Force Policy & Procedure Reference Number Business Continuity Management D269 Policy Version Date 23 July 2015 Review Date 23 July 2016 Policy Ownership Portfolio Holder Links or overlaps with other policies

More information

Securing safe, clean drinking water for all

Securing safe, clean drinking water for all Securing safe, clean drinking water for all Enforcement policy Introduction The Drinking Water Inspectorate (DWI) is the independent regulator of drinking water in England and Wales set up in 1990 by Parliament

More information

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy Not Protectively Marked Item 6 Appendix B DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Management Policy The Dorset & Wiltshire Fire and Rescue Authority () is the combined fire and rescue authority for

More information