Guidelines for Completing Institute and Departmental Risk Registers

Overall responsibility for ensuring the completion and maintenance of the local risk registers lies with
the Institute Managers or Heads of Service Department, but this should be done in consultation with
senior managers and colleagues.
The risk registers should be completed on the standard templates (one for Institute and one for
Professional Service Departments) which are available on the website or from the Planning and
Governance Department.
Further information on risk management and the completion of risk registers can be found in the Risk
Management Policy and Procedures at http://www.aber.ac.uk/en/pag/risk-management/
A brief description is given below of the information required in each column.
1. Reference
A reference number should be provided for each risk.
2. Risk
A helpful definition of risk is:
‘The threat that an event will adversely affect the ability to achieve objectives. It arises as much from
the likelihood that something good will not happen as it does from the threat that something bad will
happen.’
It should also be noted that a risk is something which has not yet happened but could potentially
happen. If the risk actually occurs it becomes an ‘issue’ and is usually dealt with through other
processes such as Departmental / Institute Action Plans.
Generally speaking the risks that are included in the register should be significant enough that they
would have an effect at a departmental, institute or even at university level.
3. Relationship to Strategic Plan
Risk management processes must be aligned to the University’s Strategic Aims as stated in the 2012-2017 Strategic Plan, which is available at http://www.aber.ac.uk/en/strategicplan/. At an Institute or
Departmental level you may also be looking at high-level operational risks.
Institute Risk registers include separate tabs for each of the Strategic Aims and you are expected to
include some risks under each aim.
Departmental Risk Registers only have one tab and with a drop-down list of Strategic Aims to select
from. It is recognised that Professional Service Departments may not have risks relating to every aim.
Below is a broad outline of the types of risk that might fall under each Strategic Aim:

Creating Opportunities
- Student recruitment and retention
- Widening Access
- Equality and diversity
- Staff Development
- Bilingualism
- Welsh Medium

Research with Excellence that makes an impact
- Research Grants
- REF
- Postgraduate Research issues

Teaching that Inspires
- Course portfolio
- Learning experience
- Quality Assurance
- Modes of delivery
- Student satisfaction / NSS areas

Engaging in the world
- International student recruitment
- Overseas engagement
- UKBA
- Support for International Students
- International Partnerships

Working in partnership
- Partnerships other than international
- Quality Assurance (Partnerships)
- Alumni relations and engagement
- Strategic Alliance with Bangor University
- Fundraising
- Local relations

Investing in our future
- Financial contribution / surplus
- Non-achievement of student numbers
- Estates
- Environment
- IT
- Project Management
- Governance
- Capital Investment
- Business Continuity
4. Risk Appetite
Risk appetite refers to the level of risk that is considered to be acceptable. Further information can be
found in the University’s Risk Appetite Statement and Matrix, which are available on the Risk
Management Webpage. Consideration should be given as to whether the Risk Appetite is High, Medium
or Low for each risk.
5. Contributing factors
A contributing factor is anything which may have an impact on the risk or mitigating actions.
Contributing factors can be either external (e.g. Government policy, new regulations, economic
environment, media coverage) or internal (e.g. staffing issues) to the University. A good risk register will
include a certain amount of ‘horizon scanning’ (i.e. what are our competitors doing, what are the
national trends for a particular subject area etc.).
6. Risk Impact and Likelihood
Risk levels should be assessed by looking at the impact and the likelihood of risks separately. The
impact and likelihood are scored between 1 (very low) and 5 (very high). The spreadsheet will then
automatically calculate the overall risk rating and assign the appropriate colour. An assessment matrix
defining how risk can be quantified has been provided at Appendix A.
7. Gross Risk
Gross risk is the status of the risk prior to any mitigating actions or controls being put in place. In other
words this is what the risk would look like if we did nothing at all to mitigate it (although it assumes
some common sense in places).
8. Risk trend
A risk trend should be assigned to both the gross and net risks to indicate whether a risk is static,
increasing or diminishing. The risk trend should reflect the movement in risk assessment since the last
update of the risk register (for the first version, it will be level). The risk trend should be defined, using
one of the following symbols:
 = risk is static;
 = risk has increased
 = risk has diminished.
The appropriate symbols should be entered in the ‘Risk trend’ columns; one relating to gross risk and
one for net risk.
9. Mitigating Actions and Controls
The mitigating actions and controls are the things that are already being done to mitigate a particular
risk. They should be things that can be easily tested for assurance that their design is appropriate and
effective at mitigating the relevant risk. So, for example, to mitigate the risk of under-recruitment you
might be building relationships with schools in South East Wales.
10. Sources of assurance
The sources of assurance are the evidence that can prove that a) our assessment of the net risk level is
correct and b) our controls are in place and working. These will generally be some form of
documentation (e.g. minutes of meetings, reports, certificates, data sets etc.) and can be either external
or internal. One simple way to identify sources of assurance is to consider what evidence you might be
able to show someone who was auditing that particular area of activity. For the example given in
Section 9 it might be correspondence or reports for school visits.
11. Net Risk
The Net Risk is the risk after mitigating actions and controls have been taken into account. The risk
impact and likelihood should be assessed bearing in mind what is already being done to mitigate the
risk. Generally the Net Risk rating will be lower than the Gross Risk but it should be noted that it is
unlikely that a single mitigating action would reduce both the likelihood and the impact.
12. Risk Owner
The Risk Owner is the person charged with the overall responsibility for assessing, managing and
reporting the risk, although they may delegate implementation to the appropriate staff. It is a way to
provide greater monitoring of risk so, for example, in an Institute student numbers would be ‘owned’ by
the Director of Recruitment. For Professional Services it depends on the size of the department but, for
example, data integrity might be owned by a key IT person.
13. Further Actions
These are the actions which still need to be done in order to further mitigate the risk. Ideally this column
should capture relatively short-term actions (to be done within 1 to 6 months) which can add to risk
mitigation, and which can be updated at each refresh of the Risk Register.
14. Who
This is the person or persons responsible for delivering the Further Actions. They are not necessarily the
same person as the Risk Owner.
15. By When
This is the delivery date for the Further Action. Ideally this would be no more than six months from the
date that the risk register is being reviewed. For longer term actions the delivery dates should be given
for key milestones. It is preferable not to use the term ‘on-going’ for Further Actions.
Updating your risk registers
When updating a Risk Register, it is important to:
- Track all changes from one version to another, so that reasons for change in risks/risk levels can be seen - for example, recent refurbishment has reduced the risk of failure of building structures
- Identify changes in risk trend – whether risks are increasing or decreasing
- Assess whether actions have been taken; and
- Report at summary level
It is important that the content of the Risk Register and the scoring of risk exposure and risk trend are
assured and validated by a group, rather than being developed and assessed only by the “risk owners”
themselves.
Risk reporting cycle
Updating the local risk registers should form part of the regular management processes within the
Institute or Professional Services Department, and be discussed at Executive / Senior Team meetings or
equivalent. Local risk registers should be submitted to the Risk Management Committee twice a year,
usually around October and April. If there are any significant changes to the local risk register outside of
the normal reporting cycle (e.g. new risks emerging or large increases to existing risks) these should be
reported to the Planning Department as soon as possible.
Appendix A - Matrix of definitions to assist in assessment of impact and likelihood risk levels.

For Institutes and Service Departments, the definitions of Insignificant, Minor, Moderate, Serious and Very Serious financial impact at local level are <£50K, £50K to £100K, £100K to £500K, and >£500K; or as per the University level measures if the risk being assessed is a university wide risk. For example, the impact of an incorrect statutory return does not just affect the Planning Department, but is a university wide hit.

Severity descriptors and possible consequences

1 - Insignificant / 2 - Minor
Severity descriptor: Negative outcomes from risks or lost opportunities unlikely to have a permanent or significant effect on the University’s reputation or performance.
Possible consequences:
- No impact
- Less than 0.5% of total turnover financial impact
- No regulatory consequence
- Minor adverse publicity
- Minor reversible injury
- No more than 10 days of senior staff time

3 – Moderate
Severity descriptor: Negative outcomes from risks or lost opportunities having a significant impact on the University. Can be managed without major impact in the medium term.
Possible consequences:
- Financial loss up to 2% of total turnover in any year
- Limited regulatory consequence
- Local adverse publicity of subject area
- Major reversible injury
- No more than 25 days of senior staff time
Examples:
- University sued successfully for wrongful dismissal
- Lecturer has work related injury, e.g. slips
- Major IT project late or overspent
- Contractual staff injured due to University negligence
- Loss of a major contract

4 - Serious
Severity descriptor: Negative outcomes from risks or lost opportunities with a significant effect that will require major effort to manage and resolve in the medium term but do not threaten the existence of the institution in the medium term.
Possible consequences:
- Financial loss over 2% of total turnover in a single year
- Major savings programme required to break even in the medium term
- Significant regulatory consequence
- Negative headlines in the national press
- Irreversible injury or death
- No more than 45 days of senior staff time

5 – Very serious
Severity descriptor: Negative outcomes from risks or lost opportunities which, if not resolved in the medium term, will threaten the existence of the institution.
Possible consequences:
- Financial loss (or loss of potential financial surplus) over 2% of turnover for consecutive years or over 5% in a single year
- Substantial regulatory consequence
- Sustained negative headlines in national press
- Major negative sanction by HEFCW
- Closure of major part of business
- Irreversible multiple injury or death
- Over 45 days of senior staff time

Examples (Serious and Very serious):
- Research team found to have falsified results with a major impact, e.g. on health issues
- Major overseas recruitment problems due to war or terrorism – potential to escalate to very serious
- University financial systems fail completely and cannot be recovered
- Major accident due to University negligence
- Major fire prevents substantial part of the University delivering courses
- Collapse in student application numbers
- Sustained failure to recruit staff

Size of Risk – Likelihood

Descriptor: Likelihood
- 1 – Very low: 2% likely to happen
- 2 – Low: 5% likely to happen
- 3 – Medium: 10% likely to happen
- 4 – High: 20% likely to happen
- 5 – Very high: 50% likely to happen

Total risk score guide

Descriptor: Guide
- 0 – 6 Low: Low level of risk; should not require much attention but should be reviewed at least annually
- 7 – 12 Medium: Medium level of risk; should be monitored and reviewed annually as a minimum, 6-monthly if necessary
- 13 – 19 High: High level of risk; should be constantly monitored and reviewed quarterly or 6-monthly. Possibly escalate to a higher committee if required
- 20 – 25 Very High: Top level of risk; should be constantly monitored and reviewed monthly