Policy Title: Risk Management Policy
Policy Number: 1-01
Functional Field: Governance and Management
Related Policies: Policy of Making University Policies
Responsibility of: Risk Management Office
Issuing Office: Quality Assurance Office
Status: In-revision / Active / Proposed (Draft # 3)
Approved By: Academic Council and University Council
Approval Date: Approved by AC on 13th January 2015, Res. no. AC/2014-15/3/2. Approved by UC on 13-5-2015, decision (qarar) no. 416/2015.
Effective Date:

Revision History (Number / Date / By / Main Changes):
Revision # 1, 9/1/2014, Dr. Salim Al-Harthi in consultation with QAO: Changes to be aligned with essential steps to develop the SQU risk management plan and changes recommended by SQU stakeholders.
Revision # 2, 1/12/2014, Dr. Salim Al-Harthi: Changes recommended by the Academic Council.
Revision # 3, 3/3/2015, Dr. Salim Al-Harthi: Changes recommended by the Academic Council.
Revision # 4, 9/3/2015, QAO: Final revision of Arabic version and matching it with the English version.
Revision # 5:

Contact Office: Risk Management Office, Sultan Qaboos University
e-mail address: salim1@squ.edu.om
Phone Number: 24141470

1. POLICY TITLE
Risk Management Policy

2. DEFINITIONS AND ABBREVIATIONS
In the context of this policy and for better consistency, the following terms have the meaning given against each one:

2.1 Risk
Risk is an event that may adversely (threat) or favorably (opportunity) affect the achievement of the SQU vision, mission and strategic objectives. It is assessed in terms of frequency and severity.

2.2 Risk Management
Risk management is a systematic process of identifying, assessing, controlling, recording, and monitoring risks. It aims at eliminating or reducing risk damages and seizing opportunities to achieve objectives. Risk management includes the necessary infrastructure and responsibilities to administer the process.

2.3 Gross Risk
Gross risk is a risk before applying controlling or mitigating measures.

2.4 Net Risk
Net risk is a risk remaining after applying controlling or mitigating measures. In this policy, risks are considered as net risks since control measures are in place.

2.5 Risk Appetite
Risk appetite is the level of tolerance applied by an institution in accepting risks; i.e. the degree of the institution's acceptance of risks, or how much risk the university is ready to accept. In this policy, risks above a defined score (frequency x severity) are considered unacceptable; the score is taken as ≥ 9.

2.6 Risk Assessment
Risk assessment is the process of systematically determining the level of the severity and frequency of an event. To have a consistent approach to risk assessment, standardized scales are to be used across the university. See the tables in section 9.3.

2.7 Risk Identification
Risk identification is a process through which threat and opportunity events are determined. Information on their magnitude, timing, and reasons is also determined in the process. The university uses a variety of methods in identifying risks. These may include surveys, internal and external workshops, individual or group interviews, staff/students meetings, audit reports, departmental meetings and review of documentation and reports.

2.8 Early Warning Indicators
Early warning indicators are mechanisms designed to provide the management with information on any development or problems relating to risks and the effectiveness of control measures, or a sudden change in the observed trends. Such information is normally included in monthly monitoring reports forwarded to the person(s) responsible for managing risks.

2.9 Risk Register
A risk register is a file containing a prioritized list of risks together with information on risk identification, risk assessment, control measures and risk ranking.

2.10 Control or Mitigating Measures
Control or mitigating measures refer to actions (e.g. operating bylaws, regulations, policies, procedures and best practices) used to reduce the negative impact of a risk and enhance the likelihood of seizing an opportunity, and also to the level of adherence by staff to such measures.

3. POLICY STATEMENT
Sultan Qaboos University (SQU) is committed to applying appropriate risk management practices in its activities to minimize the unfavorable effect of risks and to seize different opportunities.

4. PURPOSE / REASONS FOR POLICY
The purpose of the policy is to:
4.1 adopt a systematic and consistent approach to risk management
4.2 ensure and embed risk management good practices
4.3 help ensure the achievement of SQU objectives
4.4 help in seizing opportunities and reducing losses
4.5 better inform decision-making
4.6 foster a risk management culture
4.7 assist in better allocation and use of resources
4.8 assure stakeholder trust and confidence

5. GENERAL PRINCIPLES
The following main principles constitute the basis of this policy:
5.1 Risk management is fundamental in achieving SQU set objectives.
5.2 SQU staff in general and senior management in particular are expected to always promote risk management good practices while conducting activities.
5.3 Risk assessment will be conducted on all new initiatives, projects and programs prior to commencement.
5.4 Risks will be assessed using the risk score matrix given in this policy.
5.5 All risks shall be aligned with the university risk appetite given in this policy.
5.6 This policy is a guideline and not prescriptive. Line managers and staff are expected to apply their good judgement in applying this policy.
5.7 A "Risk Register" is kept at the relevant unit as well as the central SQU Risk Management Office, which records all identified risks.
5.8 This policy considers all types of risk, including those related to Health, Safety and Environment (HSE).

6. SCOPE OF APPLICATION
All Units of the University

7. POLICY OWNER
Risk Management Office

8. APPROVAL BODY
University Council

9. PROCEDURES
Below are the main elements of risk management procedures. It must be stated that there is no one standard procedure for risk management.

9.1 Internal and external environment
The risk management process starts with understanding the university's internal environment. This environment includes university values, objectives, academic and quality standards, bylaws, policies, procedures, risk appetite, management structure and delegation of authorities. Understanding the university's internal environment is essential in assessing risks. In addition, risk management should consider the external environment, including statutory regulations, competition, and reputation.

9.2 Identifying, prioritizing, categorizing and exploring risks
Before starting any new initiative or activity, the university must identify the associated risks. These are obtained from various sources including face-to-face interviews with individuals or groups, workshops, documentation, reports, questionnaire feedback, and meetings. The identified list of risks may be prioritized so as not to be very exhaustive. It is suggested to limit, whenever possible, the university risk list to 30 main risks. Prioritizing risks could be reached by consultation with the university community or by managerial decision. Risks can be grouped under different categories to ensure full coverage of activities. Risks could be grouped as strategic, operational, financial, health and safety, reputation, compliance, teaching and learning, human resources, reporting, research, and students. Once risks are identified, each must be explored. This may include clearly defining each risk, its contributing factors, existing control measures and early warning indicators.
An example is given in Table 1 below:

Table 1 – Risk identification card
Risk: Declining student progression in the foundation program
Risk Category: Teaching and Learning
Frequency: 4; Severity: 4; Risk Assessment Score: 16
Risk owner: Director of Foundation Program
Definition: Student intake is defined as the number of new students enrolling in the foundation program in September of each academic year.
Contributing factors:
  1. Introduction of new academic standards
  2. Introduction of new syllabus
  3. Unfamiliarity with newly introduced rules
  4. Lack of needed study skills
Existing control measures:
  1. Peer teaching observation
  2. Annual program syllabus review
  3. Effective communication of new rules
  4. Review of teaching materials
  5. Student surveys
  6. Aligning teaching and learning approaches with new standards
Early warning indicators:
  1. Students' semester results
  2. Number of withdrawal cases
  3. Related issues raised in students/staff meetings
  4. Peer teaching observation
  5. Student survey findings
Additional control measures:
  1. Consider including an additional entry requirement
  2. Review program contact hours
  3. Introduce an independent student learning approach to enhance the progression rate
  4. Test mathematics competencies at entry

9.3 Risk assessment
Risk assessment is the process of systematically determining the level of the severity and frequency of an event. To have a consistent approach to risk assessment, standardized scales are to be used across the university. Table 2 gives the different frequency levels and a description of each level.

Table 2 – Description of frequency levels
Level 1, Rare: Occurs in extraordinary circumstances, not likely to occur in 10 years' time.
Level 2, Seldom: Unusual, happens once in 5-10 years.
Level 3, Occasional: Happens from time to time, once in 1-5 years.
Level 4, Probable: Occurs several times (e.g. four times) a year.
Level 5, Frequent: Occurs more frequently, once a month.

The levels of severity are given in Table 3 together with the description of each level.

Table 3 – Description of severity levels
Level 1, Insignificant: Activity continues, minimum cost loss < RO x1 (e.g. < 1000), reputation intact, no injury to persons and revenue is unaffected.
Level 2, Minor: Activity continues with slight difficulty, cost loss between RO x1 and RO x2 (e.g. 1000-5000), reputation internally affected, injury requiring first aid only, revenue is insignificantly affected.
Level 3, Marginal: Activity disrupted, considerable cost losses between RO x2 and RO x3 (e.g. 5000-20000), injury to persons needing medical treatment, reputation damaged and revenue affected slightly.
Level 4, Serious: Activity seriously disrupted, serious cost loss between RO x3 and RO x4 (e.g. 20000-100000), injury requiring hospital admission, reputation seriously damaged and revenue is considerably affected.
Level 5, Catastrophic: Activity stopped, large cost losses > RO x4 (> 100000), reputation very seriously damaged, serious injury (death or permanent injury) to persons, unable to resume activity and revenue is greatly affected.

There are no standard values for cost loss at each level; however, recommended values are given in brackets (1).
(1) The units concerned within the university may want to define these as per existing practices of tolerance.

Once a risk's frequency and severity are defined, risk scores are calculated as Frequency x Severity. A 5 by 5 risk score matrix is suggested to assess risks; this matrix is widely accepted within the higher education sector. Table 4 below shows such a matrix including the various scores.

Table 4 – Risk assessment score matrix (Frequency x Severity)
Frequency scale \ Severity scale   1 Insignificant   2 Minor   3 Marginal   4 Serious   5 Catastrophic
1 Rare                                    1              2          3            4              5
2 Seldom                                  2              4          6            8             10
3 Occasional                              3              6          9*          12             15
4 Probable                                4              8         12           16             20
5 Frequent                                5             10         15           20             25
* SQU Acceptable Risk Level

9.4 Risk appetite and control measures
The university is to decide on acceptable risk exposure levels, i.e. its risk appetite. Existing control measures and the effectiveness of risk management are considered when deciding on risk appetite. In addition, higher risks require stringent control measures coupled with effective management. In this policy, any risk score equal to or above 9 is considered unacceptable, which warrants additional control measures, sharing the risk or stopping the activity. Table 5 below indicates risk rating and tolerability levels:

Table 5 – Risk rating details (Risk Score* = Frequency x Severity)

Risk Score 1 & 2; Rating: Very low (VL); Color code: Green (G)
  Description: No or little harm, activity undisrupted. Minimum cost loss < RO x1. Negligible effect on achieving objectives. Impact can be recovered within a day.
  Tolerability: Acceptable
  Comments: Keep conditions, continue with control measures. Review and report annually.

Risk Score 3 & 4; Rating: Low (L); Color code: Light Green (LG)
  Description: Minor harm, activity is slightly disrupted, slight financial loss < RO x2. May have a slight effect on achieving objectives. No permanent impact. Could be recovered within days.
  Tolerability: Acceptable
  Comments: Keep control conditions, continue with measures. Review and report annually.

Risk Score 5, 6 & 8; Rating: Medium (M); Color code: Yellow (Y)
  Description: Moderate damages, activity is marginally disrupted, moderate financial losses between RO x3 and RO x4, reputation may be damaged. Expected difficulties in achieving operational objectives. Could be recovered within months.
  Tolerability: Tolerable
  Comments: Make changes in conditions, continue with or improve on control measures and/or modify objectives to reduce risk. Monitor and report biannually.

Risk Score 9, 10 & 12; Rating: High (H); Color code: Orange (O)
  Description: Significant damages, activity is disrupted, large financial losses > RO x5 and reputation is badly affected. Considerable operational difficulties in achieving objectives. Strategic objectives are affected in part.
  Tolerability: Unacceptable
  Comments: Reduce the severity. Impose strict control measures to reduce to a tolerable level and/or set new objectives. Monitor and report regularly.

Risk Score 15, 16, 20 & 25; Rating: Very high (VH); Color code: Red (R)
  Description: Very serious damages, activity is severely disrupted, heavy financial losses > RO x6 and reputation is severely damaged. If not treated, will impact on operational and strategic objectives.
  Tolerability: Unacceptable
  Comments: Stop the activity, transfer responsibility, outsource, and/or set new objectives. A detailed control plan must be developed. Monitor and report regularly.

*: Frequency x Severity

9.5 Early warning indicators
Early warning indicators are tools used to inform the management on the effectiveness of the risk management process. Such indicators help decision-makers to take preventive or preemptive measures before the situation deteriorates. The effectiveness of the risk management process is a function of the appropriateness of the control measures, changes in risk frequency and severity, and changes in the activities. Risk managers and officers would want to identify indicators that will give information on any identified risk. Some examples are listed below:
1. Risk: Weak students; Indicators: class tests, assignments and attendance.
2. Risk: Quality of teaching; Indicators: student surveys, quality of handouts and other teaching materials, teaching assessment and quality of exams.
3. Risk: Plagiarism; Indicators: consistency in applying policies, number of reported cases and imposed penalties.

Early warning indicators alert management that additional actions may be needed. Key performance indicators may be used as warning indicators. Appendix I shows the Risk Management Organizational Chart.

9.6 Risk register
A risk register is a file containing a prioritized list of risks together with information on risk identification, assessment and control measures.
The information recorded in the risk register is periodically reviewed by the Central Risk Management Office as well as by Line Managers, each in their respective area of discretion. Reviewing the risk register is important in finding out if certain risks are dying out and if there are new emerging risks. The standard format for the type of information recorded in the register is given in Appendix II.

10. RELATED POLICIES
Policy of Making University Policies and SQU bylaws

11. RESPONSIBILITY FOR IMPLEMENTATION
The Vice Chancellor shall have overall responsibility for risk management. The Vice Chancellor is assisted by a Risk Management Office, Risk Management Officers (at the moment the chair of HSE) in the various units, and staff responsible for managing and reviewing risks. The organizational chart of risk management is given in Appendix I.

11.1 The Risk Management Office (RMO) role is to:
11.1.1 Facilitate risk management activities and advise the Vice Chancellor on strategic and operational risks.
11.1.2 Identify and prioritize strategic and operational risks in consultation with the Vice Chancellor.
11.1.3 Ensure availability of risk management resources.
11.1.4 Ensure effective communication of risk management strategies, risk reporting and risk escalation processes with the risk management officers across the university.
11.1.5 Review major risks identified and monitor progress in the risk management plan.
11.1.6 Decide on accepting, managing, sharing, or avoiding risks.
11.1.7 Report on compliance of university units with this risk management policy.
11.1.8 Receive and issue monitoring reports on the management of risks.
11.1.9 Annually report to the Vice Chancellor on the effectiveness of risk management processes and make recommendations for improving risk management policy and procedures.
11.1.10 Review risks and risk assessment procedures and scales.
11.1.11 Disseminate risk management good practices and provide support to the various university levels.
11.1.12 Set the ground for and encourage the university community to foster a culture of risk management within the university.
11.1.13 Establish and maintain a university risk register.

11.2 Each academic and non-academic unit will designate a Risk Management Officer who will be the owner of the risk policy in his/her unit. His/her responsibilities include:
11.2.1 Liaise with the Central Risk Management Committee.
11.2.2 Update the unit risk register.
11.2.3 Monitor adherence to risk management at the unit's level.
11.2.4 Identify emerging new risks and disappearing old ones.
11.2.5 Report to the line manager on the management of risks within the unit.
11.2.6 Inform the unit's community on university risk management issues.
11.2.7 Encourage a risk management culture within the unit.

11.3 Line managers are responsible for:
11.3.1 Ensuring that staff under their supervision apply risk management where applicable.
11.3.2 Giving staff enough and clear information on this policy, in particular during induction programs.
11.3.3 Nominating a risk management owner.
11.3.4 Developing and maintaining a risk register at the unit level.
11.3.5 Ensuring the review of the risk register.
11.3.6 Ensuring the effectiveness of risk control measures within the unit.
11.3.7 Assigning staff who would effectively manage and review risks.
11.3.8 Documenting good practices and risk incidents.

11.4 Quality Assurance Office: reviewing feedback information, aligning with related policies, assisting in and disseminating good practices, and reporting on effectiveness.

12. ISSUING OFFICE
Risk Management Office

13. REVIEW
13.1 The Risk Management Office shall annually evaluate the effectiveness of this policy.
13.2 The Quality Assurance Office shall report on adherence to and effectiveness of this policy across the university.

14. KEY RISKS
Identifying potential risks associated with the introduction of policies, in particular new ones, is considered good practice. Line managers have the responsibility to embed risk management practices in their day-to-day operations. This may include taking the necessary measures to eliminate or control such risks. The main risks associated with this policy are listed below:
14.1 Inability to identify risks appropriately.
14.2 Not having early warning indicators.
14.3 Inconsistency in adherence to the policy across the university.
14.4 Communication and reporting on risks fail to reach decision makers in a timely manner.
14.5 Lack of enthusiasm for the risk management concept.

15. APPENDICES
APPENDIX I – RISK MANAGEMENT ORGANIZATIONAL CHART
APPENDIX II – RISK REGISTER
APPENDIX III – RISK MANAGEMENT PROCESS FLOW CHART

APPENDIX I. RISK MANAGEMENT ORGANIZATIONAL CHART
Vice Chancellor
  Director of Risk Management Office
    Strategic and Operational RM Dept./Unit
    Coordination, follow-up and records keeping Dept./Unit
    Academic RM Dept./Unit

APPENDIX II. RISK REGISTER
The following table shows one sample template for the risk register.
Columns: No | Risk | Category | Risk Assessment (Frequency x Severity; Score & Rating) | Contributing factors | Additional control measures / suggested actions | Responsibility (Risk owner) | Observed frequency and dates | Risk Ranking
Rows: 1 to 10 (the template shows sample categories such as Strategic, Financial and Teaching).

APPENDIX III. RISK MANAGEMENT PROCESS FLOW CHART
The process flows through the following stages: Understand internal and external environment; Identify, prioritize, categorize and explore risks; Assess risks; Consult risk appetite and identify control measures; Identify early warning indicators; Risk Register.

Understand internal and external environment
1. Understand related university values, objectives, academic and quality standards, bylaws, policies, procedures, risk appetite, management structure and delegation of authorities. Understanding the university's internal environment is essential in assessing risks.
2. Understand the related external environment, including statutory regulations, competition and reputation.

Identify, prioritize, categorize and explore risks
1. List risks associated with an activity. Use interviews, questionnaires, review of documentation and workshops.
2. List problems or difficulties encountered in the past.
3. Link risks with objectives, financial impact and scale of impact (e.g. whole university). Establish a list of 20 to 40 risks.
4. Risks may be grouped as: Strategic, Financial, Reputation, Student Experience, Teaching and Learning, Research and Reputation; or risks may be grouped as per the OAAA Quality Audit manual chapters.
5. Identify risks and list contributing factors, control measures and early warning indicators.

Assess risks
1. Establish severity and frequency levels.
2. Establish the risk score; risk score = severity x frequency.
3. Consider accepted risks; consult the risk appetite.

Consult risk appetite and identify control measures
1. Consider university readiness for risk exposure.
2. List existing control measures.
3. High expectations require high control measures and resources.
4. Identify additional control measures to effectively manage risks.
5. Share or outsource risks if it is believed that the risks cannot be effectively managed.

Identify early warning indicators
Risk managers and officers would want to identify indicators that will give information on any identified risk. Some examples are listed below:
1. Risk: Weak students; Indicators: class tests, assignments and attendance.
2. Risk: Quality of teaching; Indicators: student surveys, quality of handouts and other teaching materials, and teaching observations.
3. Risk: Budget overspending; Indicators: monthly budget variation analysis.
4. Risk: Plagiarism; Indicators: consistency in applying policies, number of reported cases and imposed penalties.

Risk Register
1. Record relevant risk information in a Risk Register.
2. Recorded information includes: risk title, assessment, contributing factors, control measures, additional actions, responsibility, and observed frequency and dates.