Guideline - Risk Register

1. Introduction

The Risk Management Framework is a component of the Risk and Business Management suite. The suite includes:
- Risk Management – including risk registers
- Business Continuity Plans – including business impact analysis
- Emergency Response Plans
- Health and Safety Plans

This document defines commonly used risk management terms and sets out the risk register format that Victoria has adopted. It should be read in conjunction with our Risk Management Policy and provides a process to help us better manage and minimise the risks associated with our work.

All decisions involve risk management. Risk should be considered throughout the development and implementation of any business process or project. Risk management is a structured and systematic process which is part of business as usual (BAU). Managers need to consider the risk involved in delivering their business and how to manage that risk effectively, implementing strategies based on the amount of risk the University considers tolerable. This document broadly considers risk as anything that could prevent us from achieving our goals, or an outcome resulting in loss.

2. Definitions

Risk: defined as “the effect of uncertainty on objectives” [1]. Risk is measured in terms of likelihood and consequence.

Raw risk: the risk before anything is done to mitigate or manage it, i.e. before controls are put in place.

Residual risk: the risk faced after putting in place controls or mitigation actions.

[1] AS/NZS ISO 31000:2009 – Risk management – principles and guidelines

3. Organisational Scope

All Managers are responsible for identifying, assessing and managing the risk within their areas of control and for ensuring that appropriate risk management activities are functioning effectively.

4. Framework Content and Guidelines

The Risk Management Plan is made up of four stages:
- Identifying and managing risks – Risk Register;
- Identifying key or priority risks – Risk Report Summary;
- Reporting and escalating risks at the appropriate time; and
- Reviewing risk in an on-going cycle.

This document provides guidance on completing a risk register and the risk report summary. Managers are required to report key risks to their managers and escalate as appropriate to SMT. This is a key component of a manager’s responsibilities. For guidance on the formal reporting cycle refer to the Risk Management Programme: Operational Risk.

4.1 Identifying and Managing Risks – Risk Registers

Risks are identified and assessed on a risk register. Appendix 3 contains a sample risk register using the University’s standard template. Copies of blank templates are available from Safety and Risk (email safety@vuw.ac.nz).

4.1.1 Identifying risks

Risks are identified through environmental scanning (keeping ourselves updated on our operating environment), planning processes, major projects, investigating incidents (risk assessment and mitigation actions are essential elements of an investigation), internal monitoring (regular audit and inspection) and throughout the change management process.

Managers should identify sources of risk, their causes and their consequences, and should consider all sources of and contributors to risk associated with the delivery of their business. From this we can determine the effect on our objectives of the uncertainty associated with these factors. Consideration should be given to factors including:
- Health & Safety
- Service delivery
- Legal and regulatory
- Finance
- Reputation
- Adverse media coverage
- Environmental impact
- Product quality
- Human Resources
- Information

4.1.2 Assessing the effects

Risks are assessed by considering the consequences of an event and the likelihood of that outcome occurring.
The risk assessment is carried out by the manager responsible for the work area or process being assessed. The table in Appendix 1 provides guidance for calculating risk levels; the likelihood scale is based on the chance of the event occurring in the next year. This process provides the information needed to decide whether a risk needs to be treated and which control is most appropriate.

4.1.3 Managing risk – controls and assurance

Victoria University has developed an integrated assurance framework to bring together mitigating practices such as the reporting framework, statutes, policies, procedures and guidelines, and the physical controls that the University uses to govern its work. This approach provides clarity over any areas where there is an assurance gap, helps to avoid duplication, and focuses assurance on strategic drivers and initiatives. Further internal controls that support the management of risk are business continuity plans, emergency response plans, health and safety plans, internal audit and academic reviews. The University’s policies are kept current and indexed by function on an accessible, well-maintained website, and internal audit reviews the effectiveness of the internal control system within the University. Independent audit is also carried out in line with our ACC workplace H&S accreditation.

Managers should implement their own assurance programme to check the risk controls in their areas, and should develop a realistic, actionable mitigation plan for each major risk that records whether and how the risk is currently managed, for example through business as usual (BAU) processes or other internal controls already in place. Where possible, mitigations should dovetail with existing plans.

The effect of all mitigating actions and sources of assurance is considered before the residual risk is calculated. A control may reduce the likelihood of a risk, its consequences, or both; which applies depends on the nature of the risk, the underlying subject matter and the specific treatment plan or controls that have been identified. If a listed control is not performing as well as originally intended, the manager’s mitigation plan should include the improvements needed to the implementation, application or structure of that control.

Examples:

1. The risk of key university systems and processes being immobilised or disrupted in the event of an earthquake.
   Control: an effective business continuity and disaster recovery plan.
   Comment: this does not reduce the likelihood of an earthquake occurring, but it does reduce the impact on essential operations.

2. The risk of the University not complying with key legislation.
   Control: a robust legislative compliance framework which clearly identifies key legislation and ensures there are processes in place to meet it.
   Comment: this reduces the likelihood of non-compliance; it may not, however, be able to influence the impact if non-compliance were to occur.

3. The risk that VUW staff incur expenditure that is not in line with University goals.
   Control 1: systems that enforce segregation between purchase order creation and approval.
   Comment: this reduces the likelihood of such expenditure occurring.
   Control 2: systems that require sign-off from appropriate staff depending on the value of the transaction, e.g. delegated financial authorities.
   Comment: this reduces the impact, i.e. the dollar value, of the risk.
   Both controls working in combination (fairly typical in most financial systems) reduce both the likelihood and the impact of the risk.

The table in Appendix 2 provides managers with guidance on how to evaluate the effectiveness of risk controls. Controls are ranked level 1 to 3: a level 1 control is the most robust and a level 3 control the least robust. Managers should also consider how well a control already in place is implemented and complied with.
For example, if a procedure is listed as part of the control mechanism but our audit process identifies that it is not complied with, the control is considered weak and the manager should not reduce the assessed risk value significantly; a mitigation plan should be developed to address the poor compliance. If multiple controls are in place and a good level of compliance is verified by our audit process, the controls are considered robust and the manager can reduce the residual risk accordingly.

4.2 Identifying Key or Priority Risks – the Risk Report Summary

Once the register has been completed, the risks should be plotted on a risk heat map using the residual risk rating, each risk identified by its numeric record number. The manager should review the heat map and provide a report summary to their manager that covers:
- identifying high and key risks;
- assessing the level of effectiveness of controls;
- identifying issues or areas for improvement; and
- making recommendations for improving the controls or addressing the risk in some other way.

A sample heat map is attached in Appendix 4 and a sample Risk Report Summary in Appendix 5. The Risk Report Summary must be reviewed and provided to line managers at least once a year, and at any other time the risk rating changes significantly, new key risks arise, or the environment or other context changes. For further guidance refer to the Risk Management Programme – Operational Risk.

Appendix 1 – Table for assessing risk levels

Risk = Likelihood x Consequence. Likelihood and consequence are each scored 1–5; the likelihood scale refers to the chance of the event occurring in the next year.

Likelihood:
1 – Very low: extremely unlikely; less than 5% chance of occurring.
2 – Low: unlikely; 5%–25% chance of occurring.
3 – Medium: possible; 25%–60% chance of occurring.
4 – High: likely; 60%–80% chance of occurring.
5 – Very high: almost certain; 80%–100% chance of occurring.

Consequence:
1 – Insignificant: consequences are very low; minor disruption.
2 – Minor: losses may disrupt services for a short period. Financial losses may be in the region of $10,000. Disruption to a single area of the business.
3 – Moderate: service lost for a period of 1–5 days. Financial loss $10,000–$100,000. Internal event review required. Moderate injury, equivalent to staff requiring less than 5 days away from work. Adverse media coverage for 1 day.
4 – Serious: service lost for a period exceeding 1 week. Financial loss $100,000–$1M. Adverse media coverage for 1 week. Internal investigation, or investigation by an external source/regulator. Staff, contractor or visitor suffers serious injury. Impact on multiple and diverse areas of the business. Significant senior management intervention required, including external assistance.
5 – Very serious: significant resources required to recover from the impact. Legal consequences resulting in prosecution. Financial loss over $10M. Staff, contractor or visitor involved in a fatal event. Adverse media coverage for an extended period. Complete loss of service delivery affecting all VUW critical functions. Immediate SMT and Council intervention required.

Risk rating (Likelihood x Consequence) and required response:
1–5 Very low: manage within existing controls. Monitor annually.
6–10 Low: manage within existing controls. Monitor 6 monthly.
11–15 Medium: evaluate the efficiency of existing controls; develop and implement additional control mechanisms. Monitor quarterly.
16–20 High: implement mitigation plan. Escalate/report to senior management. Monitor monthly.
Over 20 Very high: implement mitigation immediately. Escalate to senior management. Monitor weekly.

The financial loss values above reflect those which may be experienced at an organisational level. Divide the value by 10 for potential losses at directorate, school or service level.

Appendix 2 – Table for assessing controls

Controls are rated level 1 (most robust) to level 3 (least robust). Examples of control mechanisms, listed in order from level 1 to level 3:
- For H&S, substitute with alternative equipment or substance
- Off-site storage (data files)
- Back-up equipment/assets, e.g. multiple servers, generators
- Fire prevention, e.g. appropriate materials, good housekeeping
- Management/supervision
- Maintenance regime, programmed inspection
- Fully enclosed process, guarding, fencing, locked doors
- Policy, procedure, guideline
- Technical/industry standards
- Contract
- Training/development programme
- Competent staff
- Specialist advice (internal and external)
- IT data storage and retrieval systems
- Business/service planning
- Alternative suppliers
- Fire detection equipment
- Communication with stakeholders
- Recruitment and selection processes
- Approval process
- Information
- Warning signs
- Personal protective equipment
- Monitoring, CCTV
- Key performance indicators
- Contract monitoring

Compliance with risk controls should be measured through audit processes.

Appendix 3 – Sample Risk Register

Risks are numbered for reference and mapping. Likelihood (L) and consequence (C) are scored 1–5 (1 = lowest, 5 = highest). Raw risk and residual risk (RR) are L x C, the residual being assessed after mitigation actions and controls.

Risk 1 (Financial)
Description: Unable to deliver classes due to building services failure.
Consequences: Up to $100,000 in repairs to services and other losses.
Raw risk: L 3, C 3, risk 9.
Mitigations/controls: Building maintenance programme; “early notification” fault reporting process; planned general inspection process; alternative venue (BCP); SAM plan.
Sources of assurance: Supplier audit.
Residual risk: L 2, C 3, RR 6.

Risk 2 (Service delivery)
Description: Failure to adhere to maintenance programme resulting in unreliable laboratory equipment.
Consequences: Cancellation of experiments or classes, impacting the tutorial programme and delaying research projects.
Raw risk: L 4, C 4, risk 16.
Mitigations/controls: Maintenance programme; contract management protocols; pre-use inspection process; fault reporting process; spare equipment; programming of classes.
Residual risk: L 2, C 4, RR 8.

Risk 3 (H&S)
Description: Failure to comply with H&S practices – correct storage and handling when using chemicals.
Consequences: Staff serious injury, lost time, prosecution by DoL and environmental damage.
Raw risk: L 5, C 4, risk 20.
Mitigations/controls: Staff training; bunding; planned general inspection; appropriate storage; information (SDS) linked to hazard register; product labelling; supervision; written procedures; personal protective equipment; fume extraction (LEV); hazard assessment.
Sources of assurance: H&S audit.
Residual risk: L 2, C 4, RR 8.

Risk 4 (Reputation)
Description: Loss of essential information due to IT failure.
Consequences: Unable to access data or provide reports/information to external regulators/stakeholders. Unable to monitor performance.
Raw risk: L 3, C 3, risk 9.
Mitigations/controls: Maintenance regime; systems backed up and information stored off site.
Sources of assurance: System tests and auditing of data protection systems.
Residual risk: L 2, C 3, RR 6.

Risk 5 (Finance)
Description: The project delivery is delayed.
Consequences: Project overrun resulting in excess of $150,000 in additional rent or hire payments.
Raw risk: L 5, C 4, risk 20.
Mitigations/controls: Project manager appointed; project planning process; contract monitoring; contract identifying timeline and penalties.
Sources of assurance: Audit of project controls.
Residual risk: L 3, C 4, RR 12.

Risk 6 (Service delivery)
Description: Unable to provide a secure campus due to unavailability of security equipment on demand.
Consequences: University premises not secured due to inoperative electronic security equipment. Theft, unauthorised access.
Raw risk: L 4, C 4, risk 16.
Mitigations/controls: Equipment servicing; early notification fault reporting system; software upgrade; manual lock-up when the electronic system fails; security patrols.
Residual risk: L 3, C 4, RR 12.

Risk 7 (Service delivery)
Description: Electronic monitoring equipment unavailable on demand.
Consequences: Unable to monitor premises, resulting in potential for loss/theft/vandalism.
Raw risk: L 3, C 3, risk 9.
Mitigations/controls: Equipment servicing; regular monitoring; early notification fault reporting; security patrols.
Residual risk: L 2, C 3, RR 6.

Risk 8 (Service delivery)
Description: Reliance on contractors to provide essential services.
Consequences: Lower level of institutional knowledge resulting in inflexible models of service delivery. Loss of institutional/corporate knowledge.
Raw risk: L 3, C 5, risk 15.
Mitigations/controls: Robust contract management; alternative suppliers.
Sources of assurance: Supplier audit.
Residual risk: L 2, C 5, RR 10.

Risk 9 (Legal & regulatory)
Description: Breach of Building Act processes.
Consequences: Delay to project and prosecution.
Raw risk: L 4, C 3, risk 12.
Mitigations/controls: Project manager in place; adherence to building standards; contract evaluation process; legal advice; contract management processes.
Sources of assurance: Supplier audit.
Residual risk: L 2, C 3, RR 6.

Risk 10 (Adverse media coverage)
Description: Poorly presented high profile event.
Consequences: Media coverage resulting in poor reports in national press publications and on national TV.
Raw risk: L 4, C 4, risk 16.
Mitigations/controls: Advice and management from the VUW Communications team; communications protocols; Operations team providing security plan and security staff.
Residual risk: L 2, C 4, RR 8.

Risk 11 (Product quality)
Description: Inaccurate information presented during a lecture, or incorrect instructions given when using equipment.
Consequences: Poor performance when a graduate leaves VUW and is employed in industry. Also poor reputation.
Raw risk: L 4, C 5, risk 20.
Mitigations/controls: NZQA/TEC standards; regulators’ and industry standards; recruitment and selection; professional indemnity insurance.
Sources of assurance: Regulators’ inspections and audit.
Residual risk: L 2, C 5, RR 10.

Risk 12 (Product quality)
Description: Poor student experience due to course material not being available because of bad planning.
Consequences: Student unable to continue with the course because of poor performance.
Raw risk: L 3, C 4, risk 12.
Mitigations/controls: Course manager appointed; electronic information/media systems available; personal/group tutors appointed.
Residual risk: L 2, C 4, RR 8.

Risk 13 (Reputation)
Description: Poor student experience due to inadequate information/administrative systems. Courses not properly marketed.
Consequences: Students unable to access courses.
Raw risk: L 4, C 5, risk 20.
Mitigations/controls: Marketing; Study at Vic day; conferring ceremony; student recruitment process.
Residual risk: L 2, C 5, RR 10.

Risk 14 (Finance)
Description: Loss of funding from external agencies for research because of inability to produce high calibre postgraduates.
Consequences: Unable to run postgraduate programmes. Also impacting upon VUW reputation. Unable to service premises in which to deliver programmes.
Raw risk: L 4, C 5, risk 20.
Mitigations/controls: NZQA/TEC standards; regulators’ and industry standards; recruitment and selection process; continuous professional and technical development.
Sources of assurance: Regulators’ inspections and audit.
Residual risk: L 2, C 5, RR 10.

Risk 15 (HR)
Description: Unable to deliver quality services due to our inability to attract and retain high calibre staff.
Consequences: Unable to deliver and support high quality teaching programmes.
Raw risk: L 4, C 5, risk 20.
Mitigations/controls: Staff support; PDCP; staff development; recruitment and selection; succession management programmes; communication and newsletters.
Residual risk: L 2, C 4, RR 8.

Appendix 4 – Sample Heat Map

Record the reference number of each risk on the heat map using its residual risk value: consequence down the side, likelihood across. The sample register above plots as follows.

Consequence 5 |      | 8, 11, 13, 14    |      |      |
Consequence 4 |      | 2, 3, 10, 12, 15 | 5, 6 |      |
Consequence 3 |      | 1, 4, 7, 9       |      |      |
Consequence 2 |      |                  |      |      |
Consequence 1 |      |                  |      |      |
              | L 1  | L 2              | L 3  | L 4  | L 5

Appendix 5 – Sample Risk Report Summary

Risk Report Summary – Campus Operations: Safety and Risk

1. Introduction

This risk report summary is part of the Campus Services process for managing our risks. The report provides a description of risks and management activities within the directorate, more specifically the Safety and Risk Unit of Campus Operations. The summary relates to the risks and controls associated with some aspects of the management of our building security/emergency arrangements, particularly those which occur outside of “office hours”.

This risk report serves the following important functions:
- records and identifies the baseline for risk management activities;
- identifies problems and successes in risk management activities;
- provides an input for informed decision making;
- analyses the effectiveness of various risk control mechanisms;
- describes and defines a plan of action for implementing improvements; and
- provides a mechanism for escalating risks where a manager does not have the delegated authority to act or to implement certain risk reduction methodologies.

2. High or Priority Risks

The highest risks assessed within this site-specific assessment are described below.

PROVIDE A DESCRIPTION OF THE SITE-SPECIFIC RISKS, CLARIFYING WHY THE RISK IS HIGH, E.G. “The Fire Safety & Evacuation of Buildings Regulations 2006 requires:”

3. Details of the High or Priority Risks

The highest assessed risks recorded on the risk register associated with this summary are as follows:

LIST THE RISKS AND THE RISK RATING

4. Recommendations

LIST THE RECOMMENDED ACTIONS
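The scoring scale in Appendix 1, the residual-risk rule in section 4.1.3 and the heat map in Appendix 4 lend themselves to a small checker that a risk owner can run over a register before it goes to the line manager. The following is an added worked example in Python; it is not part of the University's guideline or template. The function names, and the two validation rules it enforces (a residual score may not exceed the raw score in either dimension, and a reduction must be backed by at least one listed control), are my reading of section 4.1.3 rather than anything the guideline prescribes; the sample rows are a subset transcribed from the Appendix 3 register.

```python
"""Risk register scoring, checks and heat map (Appendix 1, 3 and 4 of the guideline).
Added worked example, not the University's own tooling; function names are my own.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

SCALE = range(1, 6)  # likelihood and consequence are both scored 1-5

# (upper bound of band, rating, required response): third column of Appendix 1
RATING_BANDS = (
    (5, "Very low", "Manage within existing controls. Monitor annually."),
    (10, "Low", "Manage within existing controls. Monitor 6 monthly."),
    (15, "Medium", "Evaluate existing controls, add control mechanisms. Monitor quarterly."),
    (20, "High", "Implement mitigation plan. Escalate to senior management. Monitor monthly."),
    (25, "Very high", "Implement mitigation immediately. Escalate. Monitor weekly."),
)
BAND_ORDER = [band[1] for band in RATING_BANDS]  # lowest to highest

def score(likelihood: int, consequence: int) -> int:
    """Risk value = likelihood x consequence; rejects values outside 1-5."""
    for name, value in (("likelihood", likelihood), ("consequence", consequence)):
        if value not in SCALE:
            raise ValueError(f"{name} must be 1-5, got {value}")
    return likelihood * consequence

def rating(value: int) -> tuple[str, str]:
    """Map a risk value (1-25) to its (rating, required response) band."""
    for upper, name, response in RATING_BANDS:
        if value <= upper:
            return name, response
    raise ValueError(f"risk value out of range: {value}")

@dataclass
class Risk:
    """One register row; L and C are 1-5, controls as listed in the register."""
    ref: int
    category: str
    description: str
    raw_l: int
    raw_c: int
    residual_l: int
    residual_c: int
    controls: list[str] = field(default_factory=list)

    @property
    def raw(self) -> int:
        return score(self.raw_l, self.raw_c)

    @property
    def residual(self) -> int:
        return score(self.residual_l, self.residual_c)

    def validate(self) -> None:
        """Controls may lower likelihood, consequence or both but never raise them,
        and a residual below the raw score needs at least one control (my reading of 4.1.3)."""
        if self.residual_l > self.raw_l or self.residual_c > self.raw_c:
            raise ValueError(f"risk {self.ref}: residual exceeds raw risk")
        if self.residual < self.raw and not self.controls:
            raise ValueError(f"risk {self.ref}: reduction claimed with no controls listed")

def heat_map(risks: list[Risk]) -> dict[tuple[int, int], list[int]]:
    """Group risk references by (likelihood, consequence) of the residual risk."""
    cells = defaultdict(list)
    for risk in risks:
        risk.validate()
        cells[(risk.residual_l, risk.residual_c)].append(risk.ref)
    return {cell: sorted(refs) for cell, refs in cells.items()}

def render_heat_map(risks: list[Risk]) -> str:
    """Plain-text grid as in Appendix 4: consequence 5..1 down, likelihood 1..5 across."""
    cells = heat_map(risks)
    rows = [f"C{c} | " + " | ".join(",".join(map(str, cells.get((lk, c), []))).ljust(12)
                                    for lk in SCALE) for c in reversed(SCALE)]
    rows.append("   | " + " | ".join(f"L{lk}".ljust(12) for lk in SCALE))
    return "\n".join(rows)

def escalation_list(risks: list[Risk], min_rating: str = "High") -> list[int]:
    """Refs whose residual rating is at or above min_rating, highest first (the key risks of 4.2)."""
    threshold = BAND_ORDER.index(min_rating)
    due = [r for r in risks if BAND_ORDER.index(rating(r.residual)[0]) >= threshold]
    return [r.ref for r in sorted(due, key=lambda r: r.residual, reverse=True)]

# Subset of the Appendix 3 sample register: ref, category, description, raw L, raw C,
# residual L, residual C, controls (shortened from the register's full list).
SAMPLE_REGISTER = [
    Risk(1, "Financial", "Unable to deliver classes due to building services failure",
         3, 3, 2, 3, ["Building maintenance programme", "Alternative venue (BCP)"]),
    Risk(3, "H&S", "Failure to comply with H&S practices when using chemicals",
         5, 4, 2, 4, ["Staff training", "Bunding", "Fume extraction (LEV)"]),
    Risk(5, "Finance", "The project delivery is delayed",
         5, 4, 3, 4, ["Project manager appointed", "Contract timeline and penalties"]),
    Risk(8, "Service delivery", "Reliance on contractors to provide essential services",
         3, 5, 2, 5, ["Robust contract management", "Alternative suppliers"]),
    Risk(11, "Product quality", "Inaccurate information presented during a lecture",
         4, 5, 2, 5, ["NZQA TEC standards", "Recruitment and selection"]),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.ref, "raw", r.raw, rating(r.raw)[0], "-> residual", r.residual, rating(r.residual)[0])
    print(render_heat_map(SAMPLE_REGISTER), escalation_list(SAMPLE_REGISTER, "Medium"), sep="\n")
```

Run stand-alone it prints each sample risk's raw and residual rating, the heat map grid and the risks due for reporting at the Medium threshold (only risk 5, whose residual of 12 is still Medium after controls). Substituting the full 15-row register reproduces the Appendix 4 heat map; a row that claims a residual above its raw score, or a reduction with no controls listed, is rejected before it reaches the map.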