Guideline - Risk Register - Victoria University of Wellington

Guideline - Risk Register
1. Introduction
The Risk Management Framework is a component of the Risk and Business Management suite. The suite
includes:
• Risk Management – including risk registers
• Business Continuity Plans – including business impact analysis
• Emergency Response Plans
• Health and Safety Plans
This document defines commonly used risk management terms and sets out the risk register format that
Victoria has adopted. This document should be read in conjunction with our Risk Management Policy and
provides a process to help us better manage and minimise the risks associated with our work.
All decisions involve risk management. Risk should be considered throughout the development and
implementation of any business process or project. Risk management is a structured and systematic
process which is part of business as usual (BAU). Managers need to consider the risk involved in delivering
business and how to manage that risk effectively by implementing strategies based on the amount of risk
the University considers tolerable. This document broadly considers risk as anything that could prevent us
from achieving our goals or an outcome resulting in loss.
2. Definitions
Risk
Risk is defined as “the effect of uncertainty on objectives” [1]. Risk is measured in terms of likelihood and
consequence.
Raw Risk
The risk before anything is done to mitigate or manage it, i.e. before controls are put in place.
Residual Risk
The risk faced after putting in place controls or mitigation actions.
3. Organisational Scope
All Managers are responsible for identifying, assessing and managing the risk within their areas of control
and for ensuring that appropriate risk management activities are functioning effectively.
4. Framework Content and Guidelines
The Risk Management Plan is made of four stages:
• Identifying and managing risks – Risk Register;
• Identifying key or priority risks – Risk Report Summary;
• Reporting and escalating risks at the appropriate time; and
• Reviewing risk in an on-going cycle.
[1] AS/NZS ISO 31000:2009 – Risk management – principles and guidelines
This document provides guidance on completing a risk register and the risk report summary. Managers are
required to report key risks to their managers and escalate as appropriate to SMT. This is a key component
of a manager’s responsibilities. For guidance on the formal reporting cycle refer to the Risk Management
Programme: Operational Risk.
4.1 Identifying and Managing Risks – Risk Registers
Risks are identified and assessed on a risk register. Appendix 3 contains a sample risk register using the
University’s standard template. Copies of blank templates are available from Safety and Risk (email
safety@vuw.ac.nz).
4.1.1 Identifying risks
Risks are identified through environmental scanning (keeping ourselves updated on our operating
environment), planning processes, major projects, investigating incidents (risk assessment and mitigation
actions are essential elements), internal monitoring (regular audit and inspection) and throughout the change
management process. Managers should identify sources of risk, their causes and their consequences.
Managers should consider all sources of and contributors to risk associated with delivery of their business.
From this we can determine the effect on our objectives from uncertainty associated with these factors.
Consideration should be made of factors including:
• Health & Safety
• Service delivery
• Legal and regulatory
• Finance
• Reputation
• Adverse media coverage
• Environmental impact
• Product quality
• Human Resources
• Information
4.1.2 Assessing the effects
Risks are assessed by considering the consequences of an event and the likelihood of the outcome
occurring. The risk assessment is carried out by the manager responsible for the work area or process being
assessed.
The table in Appendix 1 provides guidance for calculating risk levels.
The likelihood scale is based on the event occurring in the next year. This process provides information to
help us decide whether the risks need to be treated and the most appropriate control.
4.1.3 Managing risk – controls and assurance
Victoria University has developed an integrated assurance framework to bring together mitigating practices
such as the reporting framework, statutes, policies, procedures, and guidelines or physical controls that the
University uses to govern its work. This approach provides clarity over any areas where there is an
assurance gap, helps to avoid duplication, and focuses assurance on strategic drivers and initiatives.
Further internal controls that support the management of risk are business continuity plans, emergency
response plans, health and safety plans and internal audit and academic reviews. The University’s policies
are kept current and indexed by function in an accessible, well-maintained website and an internal audit
reviews the effectiveness of the internal control system within the University. Independent audit is also
carried out in line with our ACC workplace H&S accreditation.
Managers should implement their own assurance programme to check the risk controls in their areas and
develop a realistic, actionable mitigation plan for each major risk, including whether and how a risk is currently
managed, such as through business as usual (BAU) processes or other internal controls already in place. It is
important that, where possible, mitigations dovetail with existing plans.
The impact of all mitigating actions and sources of assurance is considered before calculating the ‘residual’
risk. In principle, a control can reduce the likelihood of a risk, its consequences, or both. Which applies
depends on the nature of the risk, the underlying subject matter and the specific treatment plan or controls
that have been identified. If a control has been listed but is not performing as well as originally intended,
the manager’s mitigation plan should include the improvements needed to the implementation, application
or structure of that control.
Examples:
1. The risk of key university systems and processes being immobilised or disrupted in the event of an
earthquake.
Control: An effective business continuity and disaster recovery plan.
Comment: This does not reduce the likelihood of an earthquake occurring, but it does reduce
the impact on essential operations.
2. The risk of the University not complying with key legislation.
Control: A robust legislative compliance framework which clearly identifies key legislation and
ensures there are processes in place.
Comment: It may not, however, be able to influence the impact if non-compliance were to occur.
3. The risk that VUW staff incur expenditure that is not in line with University goals.
Control 1: Systems that enforce segregation between purchase order creation and approval.
Comment: This reduces the likelihood of such expenditure occurring.
Control 2: Systems that require “sign-off” from appropriate staff depending on the value of the
transaction, e.g. delegated financial authorities.
Comment: This reduces the impact, i.e. dollar value, of the risk.
Both controls working in combination (fairly typical in most financial systems) will reduce both
the likelihood and impact of the risk.
The table in Appendix 2 provides managers with guidance on how to evaluate the effectiveness of risk
controls. The controls are ranked level 1 – 3. A level 1 control is the most robust. A level 3 control is
the least robust. Managers should also consider how well the control (already in place) is implemented
or complied with. For example, if a procedure is listed as part of the control mechanism but our audit
process identifies that it is not complied with, the control is considered weak and the manager will not
reduce the assessed risk value significantly. A mitigation plan should be developed to address poor
compliance.
If multiple controls are in place and a good level of compliance is verified by our audit process, then the
control effectiveness is considered to be robust and the manager can reduce the residual risk.
4.2 Identifying Key or Priority Risks - the Risk Report Summary
Once the register has been completed, the risks should be plotted on a risk heat map using the
residual risk rating and identifying each risk by its numeric record number. The manager should review the
heat map and provide a report summary to their manager on the following basis:
• Identifying high and key risks;
• Assessing the level of effectiveness of controls;
• Identifying issues or areas for improvement; and
• Making recommendations for improving the controls or addressing the risk in some other way.
A sample heat map is attached in Appendix 4.
A sample Risk Report Summary is attached in Appendix 5.
The Risk Report Summary must be reviewed and provided to line managers at least once a year, and at
any other time should the risk rating change significantly, when new key risks arise, or when the
environment and other contextual changes occur. For further guidance refer to the Risk Management
Programme – Operational Risk.
Appendix 1 – Table for assessing risk levels
Columns: Likelihood | Consequence | Risk (Likelihood x Consequence)

Level 1
Likelihood: 1 – Very low. Extremely unlikely; less than 5% chance of occurring.
Consequence: 1 – Insignificant. Consequences are very low, minor disruption.
Risk 1–5: Very low. Manage within existing controls. Monitor annually.

Level 2
Likelihood: 2 – Low. Unlikely; 5% – 25% chance of occurring.
Consequence: 2 – Minor. Losses may disrupt services for a short period. Financial losses may be in the
region of $10,000. Disruption to a single area of the business.
Risk 6–10: Low. Manage within existing controls. Monitor 6 monthly.

Level 3
Likelihood: 3 – Medium. Possible; 25% – 60% chance of occurring.
Consequence: 3 – Moderate. Service lost for period 1 – 5 days. Financial loss $10,000 – $100,000.
Internal event review required. Moderate injury equivalent to staff requiring time < 5 days away from
work. Adverse media coverage for 1 day.
Risk 11–15: Medium. Evaluate efficiency of existing controls. Develop and implement additional control
mechanisms. Monitor quarterly.

Level 4
Likelihood: 4 – High. Likely; 60% – 80% chance of occurring.
Consequence: 4 – Serious. Service lost for period exceeding 1 week. Financial loss $100,000 – $1M.
Adverse media coverage for 1 week. Internal investigation or investigation by an external source/regulator.
Staff, contractor or visitor suffers serious injury. Impact to multiple and diverse areas of the business.
Significant senior management intervention required, including external assistance.
Risk 16–20: High. Implement mitigation plan. Escalate/report to senior management. Monitor monthly.

Level 5
Likelihood: 5 – Very high. Almost certain; 80% – 100% chance of occurring.
Consequence: 5 – Very serious. Significant resources required to recover from impact. Legal consequences
resulting in prosecution. Financial loss >$10M. Staff, contractor or visitor involved in a fatal event. Adverse
media coverage for an extended period. Complete loss of service delivery affecting all VUW critical functions.
Immediate SMT and Council intervention required.
Risk over 20: Very high. Implement mitigation immediately. Escalate to senior management. Monitor weekly.
The values identified above for financial loss reflect those which may be experienced at an organisational level.
Divide the value by 10 for potential losses at directorate, school or service level.
Appendix 2 – Table for assessing controls
Control level: 1 (most robust), 2, 3 (least robust).
Examples of control mechanisms:
• For H&S, substitute with alternative equipment, substance.
• Off site storage (data files)
• Back up equipment/assets, e.g. multiple servers, generators
• Fire prevention, e.g. appropriate materials, good housekeeping
• Management/supervision
• Maintenance regime, programmed inspection.
• Fully enclose process, guarding, fencing, locked doors
• Policy, procedure, guideline
• Technical/industry standards
• Contract
• Training/development programme
• Competent staff
• Specialist advice (internal & external)
• IT data storage & retrieval systems
• Business/service planning
• Alternative suppliers
• Fire detection equipment
• Communication with stakeholders
• Recruitment and selection processes
• Approval process
• Information
• Warning signs
• Personal protective equipment
• Monitoring
• CCTV
• Key performance indicators
• Contract monitoring
Compliance with risk controls should be measured with audit processes.
Appendix 3 – Sample Risk Register
Template columns: risk number (risks are numbered for reference and mapping); category; risk description;
risk consequences; raw risk (1 = lowest, 5 = highest) as likelihood (L) 1–5, consequence (C) 1–5 and raw
risk (L x C); mitigations/controls; sources of assurance; residual risk (RR) after mitigation actions and
controls, as L 1–5, C 1–5 and RR (L x C).

1. Financial
Risk description: Unable to deliver classes due to building services failure
Risk consequences: Up to $100,000 in repairs to services and other losses
Raw risk: L 3, C 3, raw risk 9
Mitigations/controls: Building maintenance programme; “Early notification” fault reporting process;
Alternative venue (BCP); SAM plan
Sources of assurance: Supplier audit; Planned general inspection process
Residual risk: L 2, C 3, RR 6

2. Service delivery
Risk description: Failure to adhere to maintenance programme resulting in unreliable laboratory equipment
Risk consequences: Cancellation of experiments or classes impacting tutorial programme and delayed
research projects
Raw risk: L 4, C 4, raw risk 16
Mitigations/controls: Maintenance programme; Contract management protocols; Pre use inspection
process; Fault reporting process; Spare equipment; Programming of classes
Residual risk: L 2, C 4, RR 8

3. H&S
Risk description: Failure to comply with H&S practices – correct storage and handling when using chemicals
Risk consequences: Staff serious injury, lost time, prosecution by DoL and environmental damage
Raw risk: L 5, C 4, raw risk 20
Mitigations/controls: Staff training; Bunding; Appropriate storage; Information SDS; Linked to hazard
register; Product labelling; Supervision; Written procedures; Personal Protective Equipment; Fume
extraction (LEV); Hazard assessment
Sources of assurance: Planned general inspection; H&S Audit
Residual risk: L 2, C 4, RR 8

4. Reputation
Risk description: Loss of essential information due to IT failure
Risk consequences: Unable to access data or provide reports/information to external
regulators/stakeholders. Unable to monitor performance
Raw risk: L 3, C 3, raw risk 9
Mitigations/controls: Maintenance regime; Systems “backed up” and information stored off site
Sources of assurance: System tests and auditing data protection systems
Residual risk: L 2, C 3, RR 6

5. Finance
Risk description: The project delivery is delayed
Risk consequences: Project overrun resulting in excess of $150,000 in additional rent or hire payments
Raw risk: L 5, C 4, raw risk 20
Mitigations/controls: Project manager appointed; Project planning process; Contract monitoring; Contract
identifying timeline and penalties
Sources of assurance: Audit of project controls
Residual risk: L 3, C 4, RR 12

6. Service delivery
Risk description: Unable to provide secure campus due to unavailability of security equipment on demand
Risk consequences: University premises not secured due to inoperative electronic security equipment.
Theft, unauthorised access.
Raw risk: L 4, C 4, raw risk 16
Mitigations/controls: Equipment servicing; Early notification fault reporting system; Software upgrade;
Manual lock up when electronic system fails; Security patrols
Residual risk: L 3, C 4, RR 12

7. Service delivery
Risk description: Electronic monitoring equipment unavailable on demand
Risk consequences: Unable to monitor premises resulting in potential for loss/theft/vandalism
Raw risk: L 3, C 3, raw risk 9
Mitigations/controls: Equipment servicing; Regular monitoring; Early notification fault reporting; Security
patrols
Residual risk: L 2, C 3, RR 6

8. Service delivery
Risk description: Reliance on contractors to provide essential services
Risk consequences: Lower level of institutional knowledge resulting in inflexible models of service delivery.
Loss of institutional/corporate knowledge
Raw risk: L 3, C 5, raw risk 15
Mitigations/controls: Robust contract management processes; Alternative suppliers
Sources of assurance: Supplier audit
Residual risk: L 2, C 5, RR 10

9. Legal & regulatory
Risk description: Breach of building act
Risk consequences: Delay to project and prosecution
Raw risk: L 4, C 3, raw risk 12
Mitigations/controls: Project manager in place; Adherence to building standards; Contract evaluation
process; Legal advice; Contract management processes
Sources of assurance: Supplier audit
Residual risk: L 2, C 3, RR 6

10. Adverse media coverage
Risk description: Poorly presented high profile event
Risk consequences: Media coverage resulting in poor reports in national press publications and national TV
Raw risk: L 4, C 4, raw risk 16
Mitigations/controls: Advice and management from VUW Communications team; Communications protocols;
Operations team providing security plan and security staff.
Residual risk: L 2, C 4, RR 8

11. Product quality
Risk description: Inaccurate information presented during a lecture or incorrect instructions given when
using equipment
Risk consequences: Poor performance when graduate leaves VUW and is employed in industry. Also poor
reputation
Raw risk: L 4, C 5, raw risk 20
Mitigations/controls: NZQA TEC standards; Regulators and industry standards; Recruitment and selection;
Professional indemnity insurance
Sources of assurance: Regulators inspections and audit
Residual risk: L 2, C 5, RR 10

12. Product quality
Risk description: Poor student experience due to course material not available due to bad planning
Risk consequences: Student unable to continue with course because of poor performance
Raw risk: L 3, C 4, raw risk 12
Mitigations/controls: Course manager appointed; Electronic information/media systems available;
Personal/group tutors appointed
Residual risk: L 2, C 4, RR 8

13. Reputation
Risk description: Poor student experience due to inadequate information/administrative systems. Courses
not properly marketed.
Risk consequences: Students unable to access courses
Raw risk: L 4, C 5, raw risk 20
Mitigations/controls: Marketing; Study at Vic day; Conferring ceremony; Student recruitment process
Residual risk: L 2, C 5, RR 10

14. Finance
Risk description: Loss of funding from external agencies for research because of inability to produce high
calibre Post Graduates.
Risk consequences: Unable to run Post Graduate programmes. Also impacting upon VUW reputation.
Unable to service premises in which to deliver programmes.
Raw risk: L 4, C 5, raw risk 20
Mitigations/controls: NZQA TEC standards; Regulators and industry standards; Recruitment and selection
process; Continuous professional and technical development
Sources of assurance: Regulators inspections and audit
Residual risk: L 2, C 5, RR 10

15. HR
Risk description: Unable to deliver quality services due to our inability to attract and retain high calibre
staff
Risk consequences: Unable to deliver and support high quality teaching programmes
Raw risk: L 4, C 5, raw risk 20
Mitigations/controls: Staff support PDCP; Staff development; Recruitment and selection; Succession
management programmes; Communication and newsletters
Residual risk: L 2, C 4, RR 8
Appendix 4 – Sample Heat Map
Record the reference number of the risk on the risk heat map, using the residual risk value.

Consequence
  5 |          | 8,11,13,14   |      |   |
  4 |          | 2,3,10,12,15 | 5,6  |   |
  3 |          | 1,4,7,9      |      |   |
  2 |          |              |      |   |
  1 |          |              |      |   |
    |    1     |      2       |  3   | 4 | 5
                   Likelihood
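Added example, not part of the VUW guideline: a small Python script that applies the Appendix 1 scoring (likelihood x consequence, banded with the required action and monitoring cadence), checks that a residual rating does not exceed its raw rating, and builds the Appendix 4 heat map from the residual ratings of the sample register in Appendix 3. Band labels and cadences are copied from Appendix 1; the function and variable names are my own.

```python
# Added example (not the guideline's own tooling): Appendix 1 scoring and
# the Appendix 4 heat map, driven by residual ratings from the Appendix 3 sample.
from collections import defaultdict

# Appendix 1 bands: (upper bound of score, rating, required action, monitoring cadence).
BANDS = [
    (5, "Very low", "Manage within existing controls", "annually"),
    (10, "Low", "Manage within existing controls", "6 monthly"),
    (15, "Medium", "Evaluate existing controls; develop additional control mechanisms", "quarterly"),
    (20, "High", "Implement mitigation plan; escalate/report to senior management", "monthly"),
    (25, "Very high", "Implement mitigation immediately; escalate to senior management", "weekly"),
]

def score(likelihood, consequence):
    """Return (score, rating, action, monitoring) for integer L and C in 1-5."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be integers 1-5")
    s = likelihood * consequence
    for upper, rating, action, monitor in BANDS:
        if s <= upper:
            return s, rating, action, monitor

def residual_reduction(raw, residual):
    """Score a risk before and after controls. Controls may lower likelihood,
    consequence or both, so a residual score above the raw score is a data error."""
    raw_score = score(*raw)[0]
    res = score(*residual)
    if res[0] > raw_score:
        raise ValueError("residual risk exceeds raw risk; check the control rating")
    return raw_score, res

def heat_map(register):
    """Map {risk_no: (residual L, residual C)} to {(L, C): [risk numbers]}."""
    cells = defaultdict(list)
    for no, (l, c) in sorted(register.items()):
        cells[(l, c)].append(no)
    return dict(cells)

# Residual (L, C) ratings of the 15 risks in the Appendix 3 sample register.
SAMPLE_RESIDUAL = {1: (2, 3), 2: (2, 4), 3: (2, 4), 4: (2, 3), 5: (3, 4),
                   6: (3, 4), 7: (2, 3), 8: (2, 5), 9: (2, 3), 10: (2, 4),
                   11: (2, 5), 12: (2, 4), 13: (2, 5), 14: (2, 5), 15: (2, 4)}

if __name__ == "__main__":
    # Sample register risk 3 (chemical handling): raw 5 x 4 = 20, residual 2 x 4 = 8.
    print(residual_reduction((5, 4), (2, 4)))
    # Render the grid as in Appendix 4: rows are consequence 5..1, columns likelihood 1..5.
    grid = heat_map(SAMPLE_RESIDUAL)
    for c in range(5, 0, -1):
        cells = [",".join(map(str, grid.get((l, c), []))).ljust(12) for l in range(1, 6)]
        print(f"C{c} | " + " | ".join(cells))
    print("     " + "   ".join(f"L{l}".ljust(12) for l in range(1, 6)))
```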
Appendix 5 – Sample Risk Report Summary
Risk Report Summary - Campus Operations: Safety and Risk
1. Introduction
This risk report summary is part of the Campus Services process for managing our risks. The report provides a
description of risks and management activities within the directorate, more specifically the Safety and Risk Unit of
Campus Operations. The summary relates to the risks and controls associated with some aspects of the
management of our building security/emergency arrangements, particularly those which occur outside of “office
hours”.
This risk report serves the following important functions:
• Records and identifies the baseline for risk management activities
• Identifies problems and successes in risk management activities
• Provides an input for informed decision making
• Analyses the effectiveness of various risk control mechanisms
• Describes and defines a plan of action for implementing improvements
• Provides a mechanism for escalating risks where a manager does not have the delegated authority to
act or implement certain risk reduction methodologies
2. High or Priority risks
The highest risks assessed within this site specific assessment are described below.
PROVIDE A DESCRIPTION OF THE SITE SPECIFIC RISKS CLARIFYING WHY THE RISK IS HIGH EG.
The Fire Safety & Evacuation of Buildings Regulations 2006 requires:
3. Details of the High or Priority Risks
The highest assessed risks recorded on the risk register associated with this summary are as follows:
LIST THE RISKS AND THE RISK RATING
4. Recommendations
LIST THE RECOMMENDED ACTIONS