Risk Management Policy

Policy Title: Risk Management Policy
Policy Number: 1-01
Functional Field: Governance and Management
Related Policies: Policy of Making University Policies
Responsibility of: Risk Management Office
Issuing Office: Quality Assurance Office
Status: In-revision / Active / Proposed / Draft # 3
Approved By: Academic Council and University Council
Approval Date: Approved by AC on 13th January 2015, Res. no. AC/2014-15/3/2. Approved by UC on 13-5-015, Resolution (qarar) no. 416/2015.
Effective Date:

Revision History (Number, Date, Main Changes, By)
Revision # 1, 9/1/2014: Changes to be aligned with essential steps to develop the SQU risk management plan and changes recommended by SQU stakeholders. By Dr. Salim Al-Harthi in consultation with QAO.
Revision # 2, 1/12/214: Changes recommended by the Academic Council. By Dr. Salim Al-Harthi.
Revision # 3, 3/3/2015: Changes recommended by the Academic Council. By Dr. Salim Al-Harthi.
Revision # 4, 9/3/2015: Final revision of the Arabic version and matching it with the English version. By QAO.
Revision # 5:

Contact Office: Risk Management Office, Sultan Qaboos University
e-mail address: salim1@squ.edu.om
Phone Number: 24141470
1. POLICY TITLE
Risk Management Policy
2. DEFINITIONS AND ABBREVIATIONS
In the context of this policy and for better consistency, the following terms have the meaning given
against each one:
2.1 Risk
Risk is an event that may adversely (threat) or favorably (opportunity) affect the achievement of
SQU vision, mission and strategic objectives. It is assessed in terms of frequency and severity.
2.2 Risk Management
Risk management is a systematic process of identifying, assessing, controlling, recording, and
monitoring risks. It aims at eliminating or reducing risk damages and seizing opportunities to
achieve objectives. Risk management includes the necessary infrastructure and
responsibilities to administer the process.
2.3 Gross Risk
Gross risk is a risk before applying controlling or mitigating measures.
2.4 Net Risk
Net risk is a risk remaining after applying controlling or mitigating measures. In this policy, risks
are considered as net risks since control measures are in place.
2.5 Risk Appetite
Risk appetite is the level of tolerance applied by an institution in accepting risks, i.e. the degree of
the institution's acceptance of risks, or how much risk the university is ready to accept. In this
policy, risks above a defined score (frequency x severity) are considered unacceptable; the
score is taken as ≥ 9.
2.6 Risk Assessment
Risk assessment is the process of systematically determining the level of the severity and
frequency of an event. To have a consistent approach to risk assessment, standardized
scales are to be used across the university. See the tables in Section 9.3.
2.7 Risk Identification
Risk identification is a process through which threat and opportunity events are
determined. Information on their magnitude, timing, and reasons is also determined in
the process. The university uses a variety of methods in identifying risks. These may
include surveys, internal and external workshops, individual or group interviews, staff-student
meetings, audit reports, departmental meetings and review of documentation
and reports.
2.8 Early Warning Indicators
Early warning indicators are mechanisms designed to provide the management with
information on any development or problems relating to risks and the effectiveness of control
measures, or sudden changes in the observed trends. Such information is normally included in
monthly monitoring reports forwarded to the person(s) responsible for managing risks.
2.9 Risk Register
A risk register is a file containing a prioritized list of risks together with information on risk
identification, risk assessment, control measures and risk ranking.
2.10 Control or Mitigating Measures
Control or mitigating measures refer to actions (e.g. operating bylaws, regulations, policies,
procedures and best practices) used to reduce the negative impact of a risk, to enhance the
likelihood of seizing an opportunity, and also to the level of adherence by staff to such measures.
3. POLICY STATEMENT
Sultan Qaboos University (SQU) is committed to applying appropriate risk management practices in
its activities to minimize the unfavorable effect of risks and to seize different opportunities.
4. PURPOSE/ REASONS FOR POLICY
The purpose of the policy is to:
4.1 adopt a systematic and consistent approach to risk management
4.2 ensure and embed risk management good practices
4.3 help ensure the achievement of SQU objectives
4.4 help in seizing opportunities and reducing losses
4.5 better inform decision-making
4.6 foster a risk management culture
4.7 assist in better allocation and use of resources
4.8 assure stakeholder trust and confidence
5. GENERAL PRINCIPLES
The following main principles constitute the basis of this policy:
5.1 Risk management is fundamental in achieving SQU set objectives.
5.2 SQU staff in general and senior management in particular are expected to always promote
risk management good practices while conducting activities.
5.3 Risk assessment will be conducted on all new initiatives, projects and programs prior to
commencement.
5.4 Risks will be assessed using the risk score matrix given in this policy.
5.5 All risks shall be aligned with the university risk appetite given in this policy.
5.6 This policy is a guideline and not prescriptive. Line managers and staff are expected to
apply their good judgement in applying this policy.
5.7 A "Risk Register", which records all identified risks, is kept at the relevant unit as well as at the
central SQU Risk Management Office.
5.8 This policy considers all types of risk, including those related to Health, Safety and
Environment (HSE).
6. SCOPE OF APPLICATION
All Units of the University
7. POLICY OWNER
Risk Management Office
8. APPROVAL BODY
University Council
9. PROCEDURES
Below are the main elements of risk management procedures. It must be stated that there is no one
standard procedure for risk management.
9.1 Internal and external environment:
The risk management process starts with understanding the university internal environment. This
environment includes university values, objectives, academic and quality standards, bylaws,
policies, procedures, risk appetite, management structure and delegation of authorities.
Understanding the university internal environment is essential in assessing risks. In addition, risk
management should consider the external environment, including statutory regulations, competition,
and reputation.
9.2 Identifying, prioritizing, categorizing and exploring risks:
Before starting any new initiative or activity, the university must identify the associated risks. These
are obtained from various sources, including face-to-face interviews with individuals or groups,
workshops, documentation, reports, questionnaire feedback, and meetings. The identified list
of risks may be prioritized so as not to be overly exhaustive. It is suggested to limit, whenever
possible, the university risk list to 30 main risks. Prioritizing risks could be reached by
consultation with the university community or by managerial decision. Risks can be grouped under
different categories to ensure full coverage of activities. Risks could be grouped as strategic,
operational, financial, health and safety, reputation, compliance, teaching and learning, human
resources, reporting, research, and students. Once risks are identified, each must be explored.
This may include clearly defining each risk, its contributing factors, existing control measures and
early warning indicators. An example is given in Table 1 below:
Table 1 – Risk identification card
Risk: Declining student progression in the foundation program
Risk Category: Teaching and Learning
Risk owner: Director of Foundation Program
Definition: Student intake is defined as the number of new students enrolling in the foundation
program in September of each academic year.
Contributing factors:
1. Introduction of new academic standards
2. Introduction of new syllabus
3. Unfamiliarity with newly introduced rules
4. Lack of needed study skills
Existing control measures:
1. Peer teaching observation
2. Annual program syllabus review
3. Effective communication of new rules
4. Review of teaching materials
5. Student surveys
6. Aligning teaching and learning approaches with new standards
Early warning indicators:
1. Student semester results
2. Number of withdrawal cases
3. Related issues raised in student/staff meetings
4. Peer teaching observation
5. Student survey findings
Additional control measures:
1. Consider including an additional entry requirement
2. Review program contact hours
3. Introduce an independent student learning approach to enhance the progression rate
4. Test mathematics competencies at entry
Risk Assessment: Frequency: 4; Severity: 4; Score: 16
9.3 Risk assessment
Risk assessment is the process of systematically determining the level of the severity and
frequency of an event. To have a consistent approach to risk assessment, standardized
scales are to be used across the university. Table 2 gives different frequency levels and
description of each level.
Table 2 – Description of frequency levels
Frequency Level 1 (Rare): Occurs in extraordinary circumstances, not likely to occur in 10 years' time.
Frequency Level 2 (Seldom): Unusual, happens once in 5-10 years.
Frequency Level 3 (Occasional): Happens from time to time, once in 1-5 years.
Frequency Level 4 (Probable): Occurs several times (e.g. four times) a year.
Frequency Level 5 (Frequent): Occurs more frequently, once a month.
The levels of severity are given in Table 3 together with the description of each level.
Table 3 – Description of severity levels
Severity Level 1 (Insignificant): Activity continues, minimum cost loss < RO x1 (e.g. < 1000), reputation intact, no injury to
persons and revenue is unaffected.
Severity Level 2 (Minor): Activity continues with slight difficulty, cost loss between RO x1 and RO x2 (e.g. 1000-5000),
reputation internally affected, injury requiring first aid only, revenue is insignificantly affected.
Severity Level 3 (Marginal): Activity disrupted, considerable cost losses between RO x2 and RO x3 (e.g. 5000-20000),
injury to persons needing medical treatment, reputation damaged and revenue affected slightly.
Severity Level 4 (Serious): Activity seriously disrupted, serious cost loss between RO x3 and RO x4 (e.g. 20000-100000),
injury requiring hospital admission, reputation seriously damaged and revenue is considerably affected.
Severity Level 5 (Catastrophic): Activity stopped, large cost losses > RO x4 (> 100000), reputation very seriously
damaged, serious injury (death or permanent injury) to persons, unable to resume
activity and revenue is greatly affected.
There are no standard values for cost loss at each level; however, recommended values are
given in brackets (1).
(1) The units concerned within the university may want to define these as per existing practices of tolerance.
Once a risk frequency and severity are defined, risk scores are calculated as Frequency
times (x) Severity. A 5 by 5 risk score matrix is suggested to assess risks; this matrix is widely
accepted within the higher education sector. Table 4 below shows such a matrix including
the various scores.

Table 4 – Risk assessment score matrix (Frequency x Severity)
Rows give the Frequency scale, columns give the Severity scale; each cell is the risk score.

Frequency \ Severity   1 Insignificant   2 Minor   3 Marginal   4 Serious   5 Catastrophic
1 Rare                 1                 2         3            4           5
2 Seldom               2                 4         6            8           10
3 Occasional           3                 6         9*           12          15
4 Probable             4                 8         12           16          20
5 Frequent             5                 10        15           20          25

* SQU Acceptable Risk Level
9.4 Risk appetite and control measures
The university is to decide on acceptable risk exposure levels, i.e. its risk appetite. Existing
control measures and the effectiveness of risk management are considered when deciding
on risk appetite. In addition, higher risks require stringent control measures coupled with
effective management. In this policy, any risk score equal to or above 9 is considered
unacceptable, which warrants additional control measures, sharing the risk or stopping the
activity.
Table 5 below indicates risk rating and tolerability levels:
Table 5 – Risk rating details (columns: Risk Score*, Rating, Color code, Description, Tolerability, Comments)

Risk Score 1 & 2: Rating Very low (VL); Color code Green (G).
Description: No or little harm, activity undisrupted. Minimum cost loss < RO x1. Negligible effect on achieving objectives. Impact can be recovered within a day.
Tolerability: Acceptable.
Comments: Keep conditions, continue with control measures. Review and report annually.

Risk Score 3 & 4: Rating Low (L); Color code Light Green (LG).
Description: Minor harm, activity is slightly disrupted, slight financial loss < RO x2. May have a slight effect on achieving objectives. No permanent impact. Could be recovered within days.
Tolerability: Acceptable.
Comments: Keep conditions, continue with control measures. Review and report annually.

Risk Score 5, 6 & 8: Rating Medium (M); Color code Yellow (Y).
Description: Moderate damages, activity is marginally disrupted, moderate financial losses between RO x3 and RO x4, reputation may be damaged. Expected difficulties in achieving operational objectives. Could be recovered within months.
Tolerability: Tolerable.
Comments: Make changes in conditions, continue with or improve on control measures and/or modify objectives to reduce risk. Monitor and report biannually.

Risk Score 9, 10 & 12: Rating High (H); Color code Orange (O).
Description: Significant damages, activity is disrupted, large financial losses > RO x5 and reputation is badly affected. Considerable operational difficulties in achieving objectives. Strategic objectives are affected in part.
Tolerability: Unacceptable.
Comments: Reduce the severity. Impose strict control measures to reduce to a tolerable level and/or set new objectives. Monitor and report regularly.

Risk Score 15, 16, 20 & 25: Rating Very high (VH); Color code Red (R).
Description: Very serious damages, activity is severely disrupted, heavy financial losses > RO x6 and reputation is severely damaged. If not treated, will impact on operational and strategic objectives.
Tolerability: Unacceptable.
Comments: Stop the activity, transfer responsibility, outsource, and/or set new objectives. A detailed control plan must be developed. Monitor and report regularly.

*: Frequency x Severity
9.5 Early warning indicators
Early warning indicators are tools used to inform the management on the effectiveness of the risk
management process. Such indicators help decision-makers to take preventive or pre-emptive
measures before the situation deteriorates. The effectiveness of the risk management process is a
function of the appropriateness of the control measures, changes in risk frequency and severity, and
changes in the activities. Risk managers and officers would want to identify indicators that will give
information on any identified risk. Some examples are listed below:
1. Risk: Weak students; Indicators: class tests, assignments and attendance.
2. Risk: Quality of teaching; Indicators: Student surveys, quality of handouts and other
teaching materials, teaching assessment and quality of exams.
3. Risk: Plagiarism; Indicators: Consistency in applying policies, number of reported cases
and imposed penalties.
Early warning indicators alert management that additional actions may be needed. Key
performance indicators may be used as warning indicators.
Appendix I shows the Risk Management Organizational Chart.
9.6 Risk register
The risk register is a file containing a prioritized list of risks together with information on risk identification,
assessment and control measures. The information recorded in the risk register is periodically
reviewed by the Central Risk Management Office as well as by Line Managers, each in their
respective area of discretion. Reviewing the risk register is important in finding out whether certain risks are
fading away and whether new risks are emerging. The standard format for the type of information
recorded in the register is given in Appendix II.
10. RELATED POLICIES
Policy of Making University Policies and SQU bylaws
11. RESPONSIBILITY FOR IMPLEMENTATION
The Vice Chancellor shall have overall responsibility for risk management. The Vice Chancellor is
assisted by a Risk Management Office, Risk Management Officers (at the moment, the chair of HSE) in
the various units, and staff responsible for managing and reviewing risks. The organizational chart of
risk management is given in Appendix I.
11.1 The Risk Management Office (RMO) role is to:
11.1.1 Facilitate risk management activities and advise the Vice Chancellor on strategic and
operational risks.
11.1.2 Identify and prioritize strategic and operational risks in consultation with the Vice
Chancellor.
11.1.3 Ensure availability of risk management resources.
11.1.4 Ensure effective communication of risk management strategies, risk reporting and risk
escalation processes with the risk management officers across the university.
11.1.5 Review major risks identified and monitor progress in risk management plan.
11.1.6 Decide on accepting, managing, sharing, or avoiding risks.
11.1.7 Report on compliance of university units with this risk management policy.
11.1.8 Receive and issue monitoring reports on the management of risks.
11.1.9 Annually report to the Vice Chancellor on the effectiveness of risk management
processes and make recommendations for improving risk management policy and
procedures.
11.1.10 Review risks and risk assessment procedures and scales.
11.1.11 Disseminate risk management good practices and provide support to various
university levels.
11.1.12 Set the ground for and encourage the university community to foster a culture of risk
management within the university.
11.1.13 Establish and maintain a university risk register.
11.2 Each academic and non-academic unit will designate a Risk Management Officer who
will be the owner of the risk policy in his/her unit. His/her responsibilities include:
11.2.1 Liaise with the Central Risk Management Committee
11.2.2 Update the unit risk register.
11.2.3 Monitor adherence to risk management at the unit’s level.
11.2.4 Identify emerging new risks and disappearing old ones.
11.2.5 Report to line manager on management of risks within the unit.
11.2.6 Inform the unit’s community on university risk management issues.
11.2.7 Encourage risk management culture within the unit.
11.3 Line managers are responsible for:
11.3.1 Ensuring that staff under their supervision apply risk management where applicable.
11.3.2 Giving staff enough and clear information on this policy, in particular during induction
programs.
11.3.3 Nominating a risk management owner.
11.3.4 Developing and maintaining risk register at the unit level.
11.3.5 Ensuring the review of the risk register.
11.3.6 Ensuring the effectiveness of risks control measures within the unit.
11.3.7 Assigning staff who would effectively manage and review risks.
11.3.8 Documenting good practices and risk incidents.
11.4 Quality Assurance Office – reviewing feedback information, aligning with related
policies, assisting in and disseminating good practices and reporting on effectiveness.
12. ISSUING OFFICE
Risk Management Office
13. REVIEW
13.1 The Risk Management Office shall annually evaluate the effectiveness of this policy.
13.2 The Quality Assurance Office shall report on adherence and effectiveness of this policy
across the university.
14. KEY RISKS
Identifying potential risks associated with the introduction of policies, in particular new ones, is
considered a good practice. Line managers have the responsibility to embed risk management
practices in their day-to-day operations. This may include taking the necessary measures to
eliminate or control such risks. Main risks associated with this policy are listed below:
14.1 Inability to identify risks appropriately.
14.2 Not having early warning indicators.
14.3 Inconsistency in adherence to the policy across the university.
14.4 Communication and reporting on risks fail to reach decision makers in a timely manner.
14.5 Lack of enthusiasm for the risk management concept.
15. APPENDICES
APPENDIX I–RISK MANAGEMENT ORGANIZATIONAL CHART
APPENDIX II–RISK REGISTER
APPENDIX III–RISK MANAGEMENT PROCESS FLOW CHART
APPENDIX I. RISK MANAGEMENT ORGANIZATIONAL CHART
Vice Chancellor
    Director of Risk Management Office
        Strategic and Operational RM Dept./Unit
        Coordination, follow-up and records keeping Dept./Unit
        Academic RM Dept./Unit
APPENDIX II. RISK REGISTER
The following table shows one sample template for the risk register.
Columns: No.; Category (e.g. Strategic, Financial, Teaching); Risk; Risk Assessment (Frequency x Severity, Score & Rating); Contributing factors; Additional control measures / suggested actions; Responsibility / Risk owner; Observed frequency and dates; Risk Ranking.
Rows: numbered 1 to 10.
APPENDIX III. RISK MANAGEMENT PROCESS FLOW CHART
Step 1: Understand internal and external environment
1. Understand related university values, objectives, academic and quality standards, bylaws, policies, procedures, risk
appetite, management structure and delegation of authorities. Understanding the university internal environment is
essential in assessing risks.
2. Understand the related external environment, including statutory regulations, competition and reputation.
Step 2: Identify, prioritize, categorize and explore risks
1. List risks associated with an activity. Use interviews, questionnaires, review of documentation and workshops.
2. List problems or difficulties encountered in the past.
3. Link risks with objectives, financial impact, scale of impact (e.g. whole university). Establish a list of 20 to 40 risks.
4. Risks may be grouped as: Strategic, Financial, Reputation, Students Experience, Teaching and Learning, Research
and Reputation, or risks may be grouped as per the OAAA Quality Audit manual chapters.
5. Identify risks and list contributing factors, control measures and early warning indicators.
Step 3: Assess risks
1. Establish severity and frequency levels.
2. Establish risk score; risk score = severity x frequency.
3. Consider accepted risks; consult risk appetite.
Step 4: Consult risk appetite and identify control measures
1. Consider university readiness to risk exposure.
2. List existing control measures.
3. High expectations require high control measures and resources.
4. Identify additional control measures to effectively manage risks.
5. Share or outsource risks if it is believed that risks cannot be effectively managed.
Step 5: Identify early warning indicators
Risk managers and officers would want to identify indicators that will give information on any identified risk. Some examples are
listed below:
1. Risk: Weak students; Indicators: class tests, assignments and attendance.
2. Risk: Quality of teaching; Indicators: Student surveys, quality of handouts and other teaching materials and teaching
observations.
3. Risk: Budget overspending; Indicators: Monthly budget variation analysis.
4. Risk: Plagiarism; Indicators: Consistency in applying policies, number of reported cases and imposed penalties.
Step 6: Risk Register
1. Record relevant risk information in a Risk Register.
2. Recorded information includes: Risk title, assessment, contributing factors, control measures, additional actions,
responsibility and observed frequency and dates.