RISK MANAGEMENT STRATEGY

Similar documents
Bedford Group of Drainage Boards

Risk Management Policy and Process Guide

Confident in our Future, Risk Management Policy Statement and Strategy

Shepway District Council Risk Management Policy

The Risk Management strategy sets out the framework that the Council has established.

River Stour (Kent) Internal Drainage Board Risk Management Strategy and Policy

RISK MANAGEMENT POLICY

Bridgend County Borough Council. Corporate Risk Management Policy

London Legacy Development Corporation s Statement of Risk Appetite September 2015

Waveney Lower Yare & Lothingland Internal Drainage Board Risk Management Strategy and Policy

RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES

Risk Management Policy

Risk Management Policy and Framework

A Risk Management Standard

Business Continuity Management Group Policy

RISK MANAGEMENT POLICY AND STRATEGY. Document Status: Draft. Approved by. Appendix 1. Originator: A Struthers. Updated: A Struthers

RISK AND OPPORTUNITY MANAGEMENT STRATEGY

1.20 Appendix A Generic Risk Management Process and Tasks

Northern Ireland Blood Transfusion Service

Project Risk Analysis toolkit

Eclipx Group Limited Risk Management Policy

Business Continuity Business Continuity Management Policy

Risk Methodology. Contents. Introduction The Risk Management Structure The Risk Management Cycle Methodology...

PM Governance. Executive Team ADCA ADCA

POLICY : CORPORATE RISK MANAGEMENT

Business Continuity Management Policy

CORP RISK MANAGEMENT POLICY & METHODOLOGY

Version: 3.0. Effective From: 19/06/2014

Project Management Toolkit Version: 1.0 Last Updated: 23rd November- Formally agreed by the Transformation Programme Sub- Committee

Risk Management Strategy

RISK MANAGEMENT STRATEGY

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

Audit and Performance Committee Report

Internal Audit Report Disaster Recovery / Business Continuity Planning

RISK MANAGEMENT POLICY (Revised October 2015)

The Lowitja Institute Risk Management Plan

Group Risk Management Policy

Risk Management Strategy and Guidelines

Business Continuity Management Policy

Risk Management. Policy

How To Ensure That Sovini Is A Successful Business

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

How To Manage Risk In Ancient Health Trust

APPENDIX 50. Enterprise risk management - Risk management overview

MARCH Strategic Risk Policy Update March 2012 v1.10.doc

Aberdeen City Council IT Security (Network and perimeter)

Internal Audit Strategic and Annual Plans 2015/16

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC

Risk Management Policy Adopted by:

RISK MANAGEMENT STRATEGY AND FRAMEWORK

Business Continuity Planning Manual. Version 1

Risk Management Framework

Project Risk Management. Presented by Stephen Smith

LONDON BOROUGH OF SOUTHWARK

Risk Management Strategy

Guideline - Business Continuity Plan

Information Governance Policy

V1.0 - Eurojuris ISO 9001:2008 Certified

Risk Management Policy

ICSH Guidance Document: Preparing a Risk Register/ Risk Management Plan

Business Continuity Management Policy and Framework

Policy : Enterprise Risk Management Policy

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

Desktop Scenario Self Assessment Exercise Page 1

RISK MANAGEMENT STRATEGY

Business Continuity Policy

ORDINANCE 22 UNIVERSITY OF LONDON RISK MANAGEMENT POLICY

DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY

Capital Requirements Directive Pillar 3 Disclosure. December 2015

Title: Rio Tinto management system

TRANSPORT FOR LONDON AUDIT COMMITTEE STRATEGIC RISK MANAGEMENT PROGRESS REPORT

RISK MANAGEMENT POLICY

Compliance Management Framework. Managing Compliance at the University

Audit Committee, 28 November. HCPC Project Risk Management. Executive summary and recommendations. Introduction

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Business Continuity (Policy & Procedure)

Introduction UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT

Council Meeting Agenda 27/07/15

Business Continuity Management

Information Security Policy. Chapter 11. Business Continuity

1.0 Policy Statement / Intentions (FOIA - Open)

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000

SUBJECT: REPLACEMENT OF CORPORATE ELECTRONIC DATA STORAGE, BACKUP AND DISASTER RECOVERY SOLUTIONS

Capital Adequacy: Advanced Measurement Approaches to Operational Risk

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Transcription:

RISK MANAGEMENT STRATEGY

1 Introduction The purpose of this document is to outline a which facilitates the effective recognition and management of risks facing the University. The Combined Code on Corporate Governance issued by the London Stock Exchange states that the Financial Statements of an enterprise should disclose the existence of a process for identifying, evaluating and managing risks faced by an organisation; and that such a process is regularly reviewed. Risk management should be embedded within the daily operation of the University from strategy formulation through to business planning and processes. Through understanding risks, decision-makers are better able to evaluate the impact of a particular decision or action on the achievement of the University s objectives. Risk management strategy does not focus upon risk avoidance but on the identification and management of an acceptable level of risk. Whilst overall Corporate Governance responsibility rests with The University Court, risk management is co-ordinated and monitored by the Executive Board. The responsibility for implementation of the Risk Management Strategy is shared by all staff within the University. 2 Objectives To develop a risk map which will identify and rank all significant risks facing the University and assist the acheivement of the University strategy through pro-active risk management. To allocate clear roles, responsibilities and accountabilities for risk management. To facilitate compliance with best practice in corporate governance, ensuring that the appropriate disclosure statement can be issued within the annual Financial Statements To raise awareness of the principles and benefits involved in the risk management process and to obtain staff commitment to the principles of risk control. 1

3 Assessment and Review Risk Management involves four key stages: Identification Evaluation Mitigation Review 3.1 Identification Risks can be categorised as strategic, financial or operational. The identification of potentially significant risk elements might fall into the following categories: Reputation Student experience Staffing issues Estates and facilities Financial issues Commercial issues Opportunity costs Organisational issues Information and IT 3.2 Evaluation There are many tools that can be used to help identify potential risks: Workshops Scenario planning Analysing past incidents/failures Health & safety inspection Performance Review & Development interviews Staff and customer feedback 2

3.2 Evaluation (cont.) Having identified areas of potential risk, they need to be analysed by: An assessment of impact An assessment of likelihood This can be done by recording the results using the risk matrix below RISK ASSESSMENT MATRIX Low Impact High Likelihood Amber Medium Impact High Likelihood Red High Impact High Likelihood Red HIGH 4 7 9 Tolerate/Treat Treat/Transfer Treat/Transfer/ Terminate Likelihood of occurence Low Impact Medium Likelihood Green Medium Impact Medium Likelihood Amber High Impact Medium Likelihood Red MEDIUM 2 5 8 Tolerate/Treat Treat/Transfer Treat/Transfer/ Terminate Low Impact Green Medium Impact Low Likelihood Low Likelihood Green High Impact Low Likelihood Amber LOW 1 3 6 Tolerate Tolerate/Treat Treat/Transfer LOW MEDIUM HIGH Impact on the Business The High, Medium and Low categories for impact and likelihood are defined as follows: Tolerance/Treat/Terminate see the following paragraph 3.3 IMPACT High will have a major effect on the operation. May result in major financial loss, major disruption. Adverse publicity in national press. Medium will have a noticeable effect on the operation. May result in significant financial loss. Will cause a degree of disruption. Adverse publicity in regional press. Low where the consequences will not be severe and any associated losses and or financial implications will be low. Negligible effect on delivery. LIKELIHOOD High very likely to happen Medium likely to happen infrequently and difficult to predict Low most unlikely to happen 3

3.3 Mitigation The risk matrix produces a risk rating score which will enable risks to be prioritised using one or more of the four T s Tolerate Treat Transfer Terminate accept the risk take cost effective actions to reduce the risk let someone else take the risk (eg. by insurance or passing responsibility for the risk to a contractor) agree that the risk is too high and do not proceed with the project or activity 3.4 Review Effective risk management requires a reporting and review structure to ensure that risks are effectively identified and assessed and that appropriate controls and responses are in place. Regular audits should be carried out. Changes in the business and the environment in which it operates must be identified and appropriate modifications made to systems. The review process should provide assurance that there are appropriate controls in place and that the procedures are understood and followed. Management must: Ensure that the agreed control measures continue to be applied Check whether there have been any change in circumstances that necessitate a fresh risk assessment being carried out Formally review all risk assessments affecting their areas of activity at least annually as part of the planning process 4 Action Plan 4.1 Steps in Risk Assessment Identify the business activity/function/or project the assessment is to be focused on Specify the business objective Identify the threats to the objective Identify the likelihood and severity of the impact of the risk on the business objective Plot the risk score on the risk matrix Identify the risk control measures Reassess the level of residual risk after control measures are listed and re-plot residual risk on the risk matrix. This will give a measure of the effectiveness of the various control measures and help raise awareness of their importance. The residual score should be at a level that is acceptable to management. The risk assessment process involves all managers and should be repeated at least annually (more frequently if there are changed circumstances) to monitor the effectiveness of the risk control measures implemented. Finally, plot further actions planned and early warning mechanisms to assess the retained risk score. 4

4.2 Risk Register The University Executive will maintain a register of all significant risks that may affect our ability to achieve our objectives and the control measures in place for dealing with them. Schools and Support Departments will maintain their own Risk Registers. Projects undertaken by the University will have Risk Registers. New risks identified through the decision making process should be identified for inclusion in the register. Executive members and Managers must review the adequacy and appropriateness of the entries in the risk register whenever circumstances change and in any event not less than annually as part of the planning process. A copy of the risk register will be made available via the intranet for all those who need to use it. An extract from of the Risk Register is attached in Appendix 1. 4.3 Accountabilities, Roles & Responsibilities The Executive Board has overall responsibility for developing the University s approach to risk management. Responsibility for the day to day management of specific risks lies with the managers and staff, as they are the people directly responsible for different business activities. The different roles are responsibilities for risk management are shown below: Group Court Executive Board Executive Board Sub Committee eg. Risk Management Committee (RMC) Managers Role Legally responsible for ensuring a rigorous risk management procedure is in place. Delegates authority to the Principal, as Accounting Officer, who, in turn, delegates day-to-day responsibility to the Executive. To formally approve the University s. Consider risk as part of all decisions Review the University s arrangements for risk management annually. Ensure the University manages risk effectively through the Risk Management Strategy and report to Board annually. Identify strategic risks affecting the organisation and make recommendations to the Board as to the ways in which these will be managed. Ensure risk is managed effectively in each function within the agreed strategy and report to Executive quarterly. Identify individual risks affecting their activities, ensure that these are recorded in the Departmental Risk Register and that appropriate control measures are in place for managing those risks. Continually monitor the adequacy and effectiveness of all control measures and report to their Executive member. Formally review all arrangements for risk management affecting their activity at least annually as part of business planning. 5

4.3 Accountabilities, Roles & Responsibilities (contd.) Group All Employees Internal Audit Role Undertake their job within risk management guidelines including compliance with all control measures that have been identified. Report hazards/risks to their Managers. Comment on the adequacy of the process in place to identify risk and and effectiveness of the control measures in place. Make recommendations to Management, the Executive Board and Audit Committee as necessary. 5 Project Planning Risk management is also an integral part of project management, both in terms of the initial project/solution design as part of ensuring that projects are delivered successfully. Where the University provides services in partnership with others or through a contractor, potential risks that could prevent success still need to be considered just as though we were providing those services ourselves. Whilst these risks may be managed through formal contracts and partnership agreements that clearly allocate risks to the appropriate parties, failure by either or any one of those parties to manage their risks effectively can have serious consequences for the other(s). Before entering into partnership, joint working or business contract arrangements, the prospective partners and contractors should be asked to provide evidence of their approach to Risk Management. Where the Executive Board is being asked to make decisions they should be advised of the risks associated with the recommendations being made. 6 Business Continuity and Disaster Recovery Planning Business Continuity Planning. Certain risks impact upon keeping the University business running during times of change or disruption. These risks will feed the business continuity planning cycle. Disaster Recovery Planning. Certain risks emerge which could mean major disruption to our business, senior management teams, employees or accommodation. These risks will be dealt with as part of the University s disaster recovery planning cycle. 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information