Risk Management short practical guidance



April 2014

Introduction

Risks are potential problems or situations that, if they materialise, could negatively affect the achievement of the Organisation's objectives and outputs as defined in the biennial Programme and Budget. At the same time, conscious and controlled risk taking is required to seize emerging opportunities.

Risk management is a systematic way of gathering, evaluating, recording and disseminating information that leads to action in response to identified risks. It is an internal management tool that is today also used by most international organisations. Risk management is foreseen in the CoE Financial Regulations and, based on positive pilot exercises, it was decided in January 2014 to introduce systematic risk management throughout the Organisation.

Risk management is not a one-off but a continuous exercise in four main stages:
1. Identifying risks;
2. Assessing risks (their likelihood and potential impact, so that they can be prioritised);
3. Addressing risks (mitigating the occurrence or impact of adverse events and maximising the likelihood that objectives will be achieved); and
4. Reviewing and reporting on risks (the status and effectiveness of mitigating controls or actions).

How to prepare a risk register

The key requirement is a risk register table, prepared and followed up at MAE level. The steps below summarise how to prepare the risk register using the template in table 4 at the end of this document; the template contains some examples as illustration. The level of involvement of individual staff should be adapted to the size of the MAE/directorate. The exercise is at the same time a team-building exercise and increases communication among staff. Plan several sessions; a break between them may be needed to gather new ideas and to reflect on the draft elements already established. If possible, invite an external moderator to help compile and assess the risks and to agree on follow-up action. DIO is ready to provide methodological support before, during and after such sessions.

Step 1: Recall the strategic objective

The point of departure is the relevant strategic objective as per the Programme and Budget document. Enter it into the line "Strategic objective" of the risk register in table 4 below.

Step 2: Identify risks

The question to answer is: what can put the achievement of strategic and other objectives at risk? Specific risks, each belonging to a defined risk area, are described in the risk register (table 4 below). To start the process, each staff member (or, in bigger MAEs, each manager) should list the five most important risks in their line of work. The focal point for the risk assessment, or the heads of units, enter them into the draft risk register table.

It is important to prepare the risk register with different risk areas and angles in mind, but it is not necessary to address every risk area listed below. To remain operational, the MAE's overall register should generally contain no more than 20-25 specific risks. Fraud risks, however, should always be considered. The identified risks should be largely actionable by the MAE itself and not depend only on organisation-wide actions and additional resources.

Table 1: Main types of risk areas in the CoE context

Risk area | Examples
Communication and reputation | Lack of visibility, incorrect information, information leaks, bad performance, unethical behaviour of staff
Political risks | Politically incorrect action/decision, non-implementation by states, lack of political support, member states leaving the organisation
Management | Deficient forecasting/planning/management, weaknesses in conflict resolution, inefficient processes, etc.
Safety and security | Security of staff in the workplace, work accidents, protection of property, break-ins or intrusions
Human resources | Lack of motivation, imbalanced workload distribution, loss of key staff, recruitment duration and constraints, legal disputes, falsified diplomas, baseless claims for family or other allowances, etc.
Financial | Excess costs, shortfalls in income, failure to achieve potential savings, procurement issues, financial losses, embezzlement, etc.
Legal | Contractual risk, risk of legal action, obligations towards third parties, etc.
IT or technical | Computer system deficiencies, loss of data, equipment failures, etc.

During a meeting or a retreat, compile all risks in one table for the MAE and strive for consensus on the assessment of the risks. Identifying particularly sensitive or confidential risks is an important part of the risk management process; if so wished, such risks can be brought to the exclusive attention of the Secretary General, who looks at all key risks in the CoE Risk Register.

Step 3: Likelihood and impact analysis

The following definitions are used to determine likelihood (probability of occurrence) and impact. The categories are qualitative and are best established in a group discussion. The results of the assessment are entered in the columns under "Risk assessment" in the risk register (table 4 below).

Table 2: Risk likelihood and impact categories

Likelihood | Definition
High | The risk is very likely to occur and controls are ineffective.
Medium | The risk is likely to occur and controls have some effect.
Low | The risk is not likely to occur and controls are effective.

Impact | Definition
High | Severe adverse effects on organisational operations, assets or individuals are expected.
Medium | Serious adverse effects on organisational operations, assets or individuals are expected.
Low | Limited adverse effects on organisational operations, assets or individuals are expected.

Step 4: Determine the risk exposure

Once the risks have been analysed by likelihood and impact, they can be categorised as in the heat map below. High impact combined with high likelihood gives the highest exposure, and such risks need considerable management effort (shown in red); medium impact and medium likelihood risks still require management attention (shown in amber); low impact and low likelihood risks can be accepted (shown in green). The result is entered in the column "Exposure" of the risk register in table 4 below.

Table 3: Risk heat map (rows: impact; columns: likelihood; each cell gives the exposure and the risk management action)

Impact \ Likelihood | Low | Medium | High
High | AMBER: Management required | RED: Must actively manage and monitor risks | RED: Considerable management effort essential
Medium | GREEN: Risks may be worth accepting with monitoring | AMBER: Management required | RED: Must actively manage and monitor risks
Low | GREEN: Accept risks | GREEN: Accept, but monitor risks | AMBER: Management required

Step 5: Prepare the risk mitigation action

The next step is to develop actions addressing the various risks, starting with the most urgent ones (red), and to enter them in table 4 below. The most common categories of possible action are:
Prevention: prevent the risk from materialising, or prevent it from having an impact on objectives;
Reduction: reduce the likelihood of the risk developing, or limit its impact should it materialise;
Transference: pass the impact of the risk to a third party (for example via an insurance policy);
Contingency plan: prepare actions to implement should the risk occur;
Acceptance: accept the possibility that the risk may occur and go ahead without further measures to address it.

A key part of preparing the action is to define target dates for implementing the mitigating actions and to name the Risk Manager and the Risk Owner. Each risk is assigned to a single Risk Owner in order to clarify accountability. Risk Owners are generally the Commitment Officers, who are responsible for the implementation of the action items and report on them to the Secretary General. The Risk Manager implements the mitigation action and reports to the Risk Owner.

Step 6: Complete the risk register and send it to DIO / follow-up

The last step is to complete the risk register in table 4 below and to send it to DIO by the set deadline. DIO will aggregate all risk registers received into a draft organisation-wide Risk Register for submission to the Secretary General and discussion by the Senior Management Group. Both the central register and the specific registers need to be reviewed at least once a year in order to remain up to date and to ensure accountability for the actions identified. DPFL, DIO and the Oversight Advisory Committee (previously called the Audit Committee) will also use the CoE Risk Register.

Thank you for your cooperation.

Prepared by the Directorate of Internal Oversight.

Table 4: MAE Risk Register (with example from DIO)

Strategic objective: DIO provides independent oversight to support the Secretary General and senior managers in fulfilling their responsibilities for the effective management of the resources of the Organisation through internal audit, evaluation and investigation services.
Compiled by: DIO staff
Reviewed by: A Eussner
Review date: January 2014

Register columns: Risk Nr | Risk area (as per table 1) | Specific risks in risk area | Risk assessment: Impact (1), Likelihood (1), Exposure (2) | Internal controls currently in place | Additional actions planned to mitigate the risks identified | Target date for implementing the actions planned | Risk Manager and Risk Owner

Risk Nr 1, risk area: Human resources

Internal controls currently in place: staffing table of the directorate as per budget and programme; staff policy; budget controls.

Specific risk | Impact | Likelihood | Exposure | Additional actions planned | Target date | Risk Manager / Risk Owner
Losing key staff | M | H | RED | Develop staff (training, certification); offer stable employment; motivate; recognise efforts | Continuous | Head of division X / Director of Department Y
Recruitment constraints | M | M | AMBER | Pro-active and forward-looking staff planning; clear and specific job descriptions in vacancy notices | Continuous | Head of division X / Director of Department Y
Insufficient consultancy funds | M | M | AMBER | Clarify criteria for the distribution of funds among divisions; agree on the distribution before work programmes are agreed | I/2014 | Head of division X / Director of Department Y

(1) High, Medium or Low. (2) Red, Amber or Green.
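The six steps above, carried out in code. This is an added example, not part of the CoE guidance and not a DIO tool: it encodes the Table 3 heat map, orders a register red first as Step 5 asks, and checks the rules the text states (Table 1 risk areas, the 20-25 risk cap, a named Risk Owner per risk, actions and a target date for red and amber risks, the annual review of Step 6). The Risk and Register classes, their field names, the fraud_risks_considered attestation flag and the per-line numbering of the Table 4 rows are assumptions made for the illustration; the sample register is constructed from the DIO example in Table 4.

```python
"""Risk register helper for the guidance above: added example, not part of the
CoE guidance and not a DIO tool. Heat map, risk areas and rules come from the
text; the classes, field names and fraud_risks_considered flag are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

LEVELS = ("H", "M", "L")  # High, Medium, Low, abbreviated as in Table 4
EXPOSURE = {"H": {"L": "AMBER", "M": "RED", "H": "RED"},      # Table 3 heat map,
            "M": {"L": "GREEN", "M": "AMBER", "H": "RED"},    # EXPOSURE[impact][likelihood]
            "L": {"L": "GREEN", "M": "GREEN", "H": "AMBER"}}
RISK_AREAS = {"Communication and reputation", "Political risks", "Management",
              "Safety and security", "Human resources", "Financial", "Legal",
              "IT or technical"}  # Table 1
MAX_RISKS = 25  # "generally not more than 20-25 specific risks"
RANK = {"RED": 0, "AMBER": 1, "GREEN": 2}  # urgency order for Step 5

def exposure_for(impact: str, likelihood: str) -> str:
    """Step 4: exposure colour for an H/M/L impact and likelihood."""
    return EXPOSURE[impact][likelihood]

@dataclass
class Risk:
    number: int
    area: str
    description: str
    impact: str
    likelihood: str
    actions: list[str] = field(default_factory=list)
    target_date: str = ""
    risk_manager: str = ""
    risk_owner: str = ""

    @property
    def exposure(self) -> str:
        return exposure_for(self.impact, self.likelihood)

@dataclass
class Register:
    strategic_objective: str
    reviewed_by: str
    review_date: date
    risks: list[Risk]
    fraud_risks_considered: bool = False  # assumed attestation field (Step 2)

def prioritise(register: Register) -> list[Risk]:
    """Step 5: address red risks first, then amber, then green."""
    return sorted(register.risks, key=lambda r: (RANK[r.exposure], r.number))

def review_due(register: Register, today: str) -> bool:
    """Step 6: registers are reviewed at least once per year (today as ISO date)."""
    return (date.fromisoformat(today) - register.review_date).days > 365

def validate(register: Register, today: str) -> list[str]:
    """Check a register against the rules stated in Steps 2, 5 and 6."""
    findings = []
    if len(register.risks) > MAX_RISKS:
        findings.append(f"{len(register.risks)} risks listed; keep to 20-25 to stay operational")
    if not register.fraud_risks_considered:
        findings.append("fraud risks must always be considered")
    if review_due(register, today):
        findings.append(f"annual review overdue (last reviewed {register.review_date:%B %Y})")
    for r in register.risks:
        tag = f"risk {r.number} ({r.description})"
        if r.area not in RISK_AREAS:
            findings.append(f"{tag}: area '{r.area}' is not a Table 1 risk area")
        if r.impact not in LEVELS or r.likelihood not in LEVELS:
            findings.append(f"{tag}: impact and likelihood must be H, M or L")
            continue
        if not r.risk_owner.strip():
            findings.append(f"{tag}: no single Risk Owner named")
        if r.exposure != "GREEN" and (not r.actions or not r.target_date):
            findings.append(f"{tag}: {r.exposure} exposure but no mitigation action or target date")
    return findings

# Sample register constructed from the DIO example in Table 4
# (per-line numbering and the exact review day are assumed).
OWNERS = dict(risk_manager="Head of division X", risk_owner="Director of Department Y")
DIO_REGISTER = Register(
    "Independent oversight through internal audit, evaluation and investigation",
    "A Eussner", date(2014, 1, 1), fraud_risks_considered=True,
    risks=[
        Risk(1, "Human resources", "Losing key staff", "M", "H", target_date="Continuous",
             actions=["Develop staff (training, certification)", "Offer stable employment",
                      "Motivate", "Recognise efforts"], **OWNERS),
        Risk(2, "Human resources", "Recruitment constraints", "M", "M", target_date="Continuous",
             actions=["Pro-active and forward-looking staff planning",
                      "Clear and specific job descriptions in vacancy notices"], **OWNERS),
        Risk(3, "Human resources", "Insufficient consultancy funds", "M", "M", target_date="I/2014",
             actions=["Clarify criteria for the distribution of funds among divisions",
                      "Agree on the distribution before work programmes are agreed"], **OWNERS),
    ],
)

if __name__ == "__main__":
    for r in prioritise(DIO_REGISTER):
        print(f"{r.exposure:<5} {r.description} -> {', '.join(r.actions)}")
    print(validate(DIO_REGISTER, "2014-04-01") or "register passes the checks")
```

Run as a script, it lists the three DIO risks red first and reports that the register passes the checks as of April 2014; the same register checked a year later is reported as overdue for its annual review. The checks deliberately stop at what the text states: they cannot judge whether the right risks were identified, only whether the register has the shape and accountability the guidance requires.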