Risk Management Policy

Paper Number: P1415-887
Document author: Risk Administrator
Policy to be reviewed: Every 2 years
Date of next review: September 2017

Amendment & Approval History
Version | Date | Approved by | Change
1.0 | 23/03/2015 | Council | New policy
Purpose of this document
This risk management policy (the policy) forms part of the University’s internal control and governance
arrangements.
The purpose of the policy is to explain the University’s underlying approach to risk management and
to document the roles and responsibilities of Council and its sub-committees, the Senior Management
Team (SMT) and other key parties. It also outlines key aspects of the risk management process and
identifies the main reporting procedures.
It describes the process the Council will use to evaluate the effectiveness of the University’s internal
control procedures.
The policy has been written in accordance with HEFCE risk management guidance.
Policy Statement
The University considers risk management to be fundamental to good management practice and a
significant aspect of corporate governance. Effective management of risk will provide an essential
contribution towards the achievement of the University’s strategic and operational objectives and
goals.
Risk management must be an integral part of the University’s decision making and routine
management, and must be incorporated within the strategic and operational planning processes at all
levels across the University.
Risk assessments must be conducted on new ventures and activities, including projects, processes,
systems and commercial activities to ensure that these are aligned with the University’s objectives
and goals. Any risks or opportunities arising from these assessments will be identified, analysed and
reported to the appropriate management level. The University will maintain a corporate risk register.
All Colleges, Professional Service departments, subsidiary companies, major projects and institutes
will maintain risk registers. The University is committed to ensuring that all staff, particularly Heads of
Colleges and Professional Service Directors are provided with adequate guidance and training on the
principles of risk management and their responsibilities to implement risk management effectively.
The University will regularly review and monitor the implementation and effectiveness of the risk
management process, including the development of an appropriate risk management culture across
the University.
Risk Definitions
Risk can be defined as the combination of the probability of an event and its consequence [1]. In all types of University undertaking, there is the potential for events and consequences that constitute opportunities for benefit or threats to success. In the safety field it is recognised that consequences are only negative and therefore the management of safety risk is focussed on prevention and mitigation of harm.
Risk management is the process whereby the University methodically addresses the risks attaching to University activities with the goal of achieving sustained benefit within each activity and across the portfolio of activities. Its objective is to add maximum sustainable value to all the activities of the organisation [2].
Related documentation:
- University policies in relation to Health & Safety Risk Assessments for staff, students, contractors and visitors arising from the University’s undertaking
- University insurance policies in relation to staff or students involved in University business
- University Incident Management Plans
- University Business Continuity Plans

[1] International Organisation for Standardization – ISO/IEC Guide 73 Risk Management
[2] Institute of Risk Management (IRM) – A Risk Management Standard: 2002
Risk Management Policy v1.0
Page 2 of 12
Approach to Risk Management
The following key principles outline the University’s approach to risk management:
- Council has ultimate responsibility for risk management at the University and is therefore responsible for the approval and review of the Risk Management Policy and for ensuring that it is appropriately managed
- The risk appetite of the University will emanate from the University’s Strategic Plan, which is considered and approved by the Council
- The Audit Committee is responsible for providing the Annual Assurance to Council on the adequacy of risk management. The Audit Committee will receive assurance statements yearly via the University Risk Administrator
- There should be an open and receptive approach to mitigating risk
- The Vice-Chancellor and SMT support, advise on and implement policies approved by Council
- SMT will lead and provide direction on the major strategic and operational risks facing the University
- A corporate risk register, built around the key strategic themes and enablers (as identified in the University’s Strategic Plan), will be created and maintained and will be subject to quarterly reviews by SMT and the Audit Committee
- The University makes conservative and prudent recognition and disclosure of the financial and non-financial implications of risks
- All Colleges, Professional Service departments, subsidiary companies, major projects and institutes will use a consistent and transparent approach to risk, ensuring an agreed and widely understood method and language
- Heads of Colleges and Professional Service Directors are responsible for management of all risks within their areas of control, including ensuring appropriate systems are created to identify, assess, manage and review risks in line with the University Risk Management process
- Each College and Professional Service department is required to review and maintain its own risk register using the University Risk Register tool
- All new significant initiatives or projects will undergo a risk assessment, which will generate an initial risk register for the project
- Early warning mechanisms will be put in place and monitored to alert the University so that remedial action can be taken to manage any potential hazards
Risk Identification
Risk identification sets out to identify the University’s exposure to uncertainty.
The University uses a nine-point (3x3) scale risk rating mechanism to assess the impact and probability of risk, with a scoring of A1 denoting the highest risk on the scale as high impact and high probability.

                       PROBABILITY
                       3 (low)    2 (medium)    1 (high)
IMPACT   A (high)      A3         A2            A1
         B (medium)    B3         B2            B1
         C (low)       C3         C2            C1

A1=high impact, high probability
A2=high impact, medium probability
A3=high impact, low probability
B1=medium impact, high probability
B2=medium impact, medium probability
B3=medium impact, low probability
C1=low impact, high probability
C2=low impact, medium probability
C3=low impact, low probability

Classifications of high, medium and low probability and impact are:

Probability | Description
High (probable) | Chance of occurrence greater than 60%
Medium (possible) | Chance of occurrence between 20% and 60%
Low (remote) | Chance of occurrence less than 20%
Impact | Area | Description
High | Finances | Financial impact on the University is likely to be greater than £500K
High | Management time | A critical event which would require mobilisation of a special project team
High | Health & Safety | Major incident with serious casualties or which causes operations to be stopped
High | Reputation | Sustained negative national media coverage
High | Regulatory & Legal Action | Disruption to courses / research activity over an extended period of time
High | Staff Impact | Significant adverse impact with Trade Unions in conflict mode
Medium | Finances | Financial impact on the University is likely to be between £50K and £500K
Medium | Management time | An event which would require management activity but which can be handled under normal circumstances
Medium | Health & Safety | Moderate incident with some casualties or disruption to operations
Medium | Reputation | Extended negative local/sector media coverage
Medium | Regulatory & Legal Action | Penalties applied but no disruption to courses / research activity
Medium | Staff Impact | General discontent evident across multiple groups of staff
Low | Finances | Financial impact on the University is likely to be less than £50K
Low | Management time | An event which can be absorbed through normal activity
Low | Health & Safety | Minor incident with no sickness absence and no lasting impact
Low | Reputation | Minor articles in local press
Low | Regulatory & Legal Action | Minor breaches with no penalties applied
Low | Staff Impact | Minor staff complaints
A variety of risk identification techniques are to be used:
- Brainstorming
- Risk questionnaires
- Business Plan reviews
- Industry benchmarking
- Scenario analysis
- Incident investigation
- Auditing and inspection
For all externally funded proposals which are greater than £100K in value the pre-risk assessment
checklist process is to be followed.
For major projects or initiatives the University Risk Administrator will facilitate a risk assessment
review process to ensure that impacts of new proposals are assessed, reviewed and authorised by
SMT.
For major projects or initiatives which are greater than £10 million in value to the University, then a
member of the Finance Committee will be invited to attend the risk assessment review. The Finance
Committee is required to ratify all risk assessment reviews which are greater than £10 million in value
at the next scheduled Committee meeting.
For existing projects or initiatives the University Risk Administrator will facilitate a risk workshop, when
required, supported by the relevant SMT owner of the activity and all related stakeholders.
A range of techniques can be used to analyse risks, including:
- Market surveys
- Impact analysis
- SWOT (strengths, weaknesses, opportunities, threats) analysis
- Event tree analysis
- Business continuity planning
- Threat analysis
- PESTLE (political, economic, social, technical, legal, environmental) analysis
- Cause and effect diagrams (Ishikawa diagram)
Risk Description
The objective of risk description is to display the identified risks in a structured format. The following risk register format is used for the University Risk Register:

Criteria | Detail
Risk Identifier | Provides the risk with a unique identifier
RAG | Traffic light status: RED – highest priority risks; AMBER – medium priority risks; GREEN – lowest priority risks
Owner | Assigns ownership of risk to a member of SMT
Description & Impact (Strategic Reference) | A detailed description of the risk and the impact if the event occurs (related reference to the University’s Strategic Plan)
Probability | Qualification of probability – high/medium/low (before controls applied)
Impact | Qualification of impact – high/medium/low (before controls applied)
Trend | Description of risk severity status – increasing/no change/decreasing
Indicators | Description of the evidence to be analysed in order to provide early warning of the occurrence of the event triggering the risk
Controls/Actions | Identifies actions to be implemented in order to mitigate the risk (when actions are completed they are recorded in the University Risk Register Revision Update and removed from the Risk Register)
Action by | Assigns ownership of the planned actions to a member of the University Management Board
Action Due | Due date for implementation of planned actions
The University Risk Register is reviewed in a quarterly cycle and controls/actions will always show
proposed or incomplete activity to further mitigate the risk. Controls and actions which have been
completed are noted as completed in the University Risk Register Revision document accompanying
the risk register.
For local risk registers (College, Professional Service department, major project, institutes or subsidiary companies) the following format of risk register will be used:

Criteria | Detail
Risk Identifier | Provides the risk with a unique identifier
RAG | Traffic light status: RED – existing controls/actions are not working or are inadequate, escalation for higher level management attention required; AMBER – existing controls/actions are in danger of failing; GREEN – controls/actions in place are working
Owner | Assigns ownership of risk to a member of staff reporting to the owner of the risk register
Description & Impact | A detailed description of the risk and the impact if the event occurs
Probability | Qualification of probability – high/medium/low (before controls applied)
Impact | Qualification of impact – high/medium/low (before controls applied)
Trend | Description of risk severity status – increasing/no change/decreasing
Indicators | Description of the evidence to be analysed in order to provide early warning of the occurrence of the event triggering the risk
Controls/Actions | Identifies actions to be implemented in order to mitigate the risk (when actions are completed they are recorded in the Minutes of the relevant management meeting which reviewed the risk register and removed from the Risk Register)
Action by | Assigns ownership of the planned actions to a member of staff
Action Due | Due date for implementation of planned actions
Controls/actions will always show proposed or incomplete activity to further mitigate the risk. Controls
and actions which have been completed are noted as completed in the minutes of the management
meeting where the risk register has been reviewed.
Risk Appetite
In pursuit of achieving the University’s strategic aims and academic mission, the University will
therefore accept a degree of risk commensurate with the potential reward. The risk that the University
is willing to take is within defined tolerances for risk appetite agreed by Council for each of the key
strategic themes and enablers.
The following risk appetite thresholds have been defined in the evaluation of risk in projects/activities
within the designated strategic themes or enablers.
Low Risk Appetite (risk averse)
Avoidance of risk and uncertainty is a key University objective. There is a preference for business delivery options that have a low degree of inherent risk and only a potential for limited reward. The University is willing to proceed with a portfolio of activities providing that the exposure is not greater than all of the following:
- Finances: 0%-1% of turnover as an investment or liability
- Staff Resources: No more than 10 days of senior staff time (grade 9 and above) over and above everyday business
- Estate: Consider change of use for existing infrastructure but not new development
- Reputation: Potential to have some negative local or regional damage to reputation

Medium Risk Appetite (risk neutral)
Preference is for safe delivery options that have a low degree of residual risk and may only have limited potential for reward. The University is willing to proceed with a portfolio of activities in pursuit of achieving strategic aims providing that the exposure is not greater than all of the following:
- Finances: 1%-5% of turnover as an investment or liability
- Staff Resources: No more than 25 days of senior staff time (grade 9 and above) over and above everyday business
- Estate: Consider change of use for existing infrastructure and limited new development on areas of the estate where it is permitted
- Reputation: Potential to have significant negative local or regional damage and some national damage to reputation

High Risk Appetite (risk seeking)
Eager to be innovative and to choose options offering potentially higher business rewards despite the greater inherent risk. Willing to consider all potential delivery options and choose the one that is most likely to result in successful delivery. The University is willing to proceed with a portfolio of activities in pursuit of achieving strategic aims providing that the exposure is not greater than all of the following:
- Finances: 5%-10% of turnover as an investment or liability
- Staff Resources: No more than 45 days of senior staff time (grade 9 and above) over and above everyday business
- Estate: Consider change of use for existing infrastructure and significant new development
- Reputation: Potential to have significant negative regional or national damage to reputation
The table below provides an overview of the risk appetite threshold assigned to each of the key
strategic themes and enablers as defined in the Swansea University Strategic Plan 2012-17. In cases
where an activity straddles more than one key theme or enabler, and the appetite in these areas is
different, judgement will be required to balance the relative proportion of risk for each key area with
the differing appetites.
Key Strategic Theme or Enabler (Risk Appetite Threshold): Rationale for Risk Appetite

Research Excellence (Medium/High)
- University is unlikely to take risks that have a direct and adverse impact on research income.
- However, the University is aggressive in growth targets for research and is prepared to take risks to achieve these rewards. The spread of activity across the University means the risk is spread and the potential impact of any higher risk projects can be balanced.

Student Experience (Medium/High)
- University is unlikely to take risks that have a direct and adverse impact on income from student fees.
- Operating in a competitive marketplace means that the University is prepared to take risks in developing strategies that result in higher volumes of students and higher levels of student satisfaction.

Knowledge-led Economy and Society (Medium)
- University is unlikely to take risks that have a direct and adverse impact on income from Knowledge Economy projects.
- The University is prepared to be innovative with industry to achieve breakthroughs for the wider economic benefit.

Internationalisation (Medium)
- Balanced view of risk is taken to ensure that project commitments are delivered.
- University is unlikely to take risks that have a direct and adverse impact on income from student fees.
- Operating in a competitive marketplace means that the University is prepared to take risks in developing strategies to achieve higher volumes of overseas students and higher levels of student satisfaction.
- Uncertainty of operations in some countries means that the University will be cautious in establishing new relationships.

Working with Others (Low/Medium)
- University’s mission in terms of the local region means some risk should be taken for the greater public good.
- Volatility of local partnership organisations and structures means that some caution should be taken to limit risk exposure.
- A competitive marketplace means that the University is prepared to take risks to enter new strategic partnerships to achieve University growth targets.

Building Common Purpose (Low/Medium)
- University’s performance relies on staff and some risks will be taken to improve staff performance and strengthen the University community.
- University will not take risks which damage the operational performance or league table positions by making radical changes to internal processes without detailed and thorough assessment of the risks.

Effective & Efficient Use of Resources (Low)
- University will take prudent action to safeguard the financial targets and enable re-investment into the estate.
- University will be cautious in any diversification of income initiatives.

Estate & Facilities (Low/Medium)
- University will be cautious in providing safe and attractive working environments for staff, students and the wider community.
- University will take managed risks to achieve breakthroughs in the design of environments to increase attractiveness to students and other users of the estate.
Risk Management Responsibilities
Council
Council has a significant role to play in the management of risk. Council’s role is to:
- set the tone and influence the culture of risk management within the University. This includes:
  o determining whether the University is ‘risk taking’ or ‘risk averse’ as a whole or on any relevant individual issue
  o determining what types of risk are acceptable and which are not
  o setting the standards and expectations of staff with respect to conduct and probity
- determine the appropriate risk appetite or level of exposure for the University
- approve major decisions affecting the University’s risk profile or exposure
- monitor the management of significant risks
- satisfy itself that the less significant risks are being actively managed with appropriate and effective controls in place
- review annually the University’s approach to risk management and approve changes or improvements to key elements of its processes and procedures.
Audit Committee
The Audit Committee is required to keep under review the effectiveness of the risk management, control and governance arrangements on behalf of Council. The Audit Committee will monitor the management of corporate and local risks and authorise remedial action where necessary. It is also required to report to Council on internal controls and alert members to any emerging issues.
Senior Management Team (SMT)
Led by the Vice-Chancellor, the Senior Management Team’s (SMT) role in relation to risk is to:
- Implement policies on risk management and internal control
- Identify and evaluate the significant risks faced by the University in the University Risk Register for consideration by Council and its Audit Committee
- Provide adequate information in a timely manner to Council and its Committees on the status of risks and controls
- Provide direction and guidance to all members of the University Management Board to ensure appropriate action is taken to mitigate the key risks of the University. Where risks cannot be managed within a specific College or Professional Service department, SMT will provide direction as to the University’s approach to responding to the risk.
- Undertake an annual review of effectiveness of the system of internal control and provide a report to Council
Risk Administrator
The Risk Administrator is responsible for development and communication of University risk
management processes and tools, involving training of staff in risk management. The Risk
Administrator is also responsible for administration of the University Risk Register on behalf of the
Vice-Chancellor. An annual report on risk management is produced for review and approval of SMT,
Audit Committee and Council.
Heads of Colleges and Professional Service Directors
The Heads of College and Professional Service Directors are responsible for actions to manage all
risks within their areas and are responsible for implementing appropriate procedures to manage and
monitor these risks, and for ensuring that all changes in key risks are reflected in the College/PS
Department risk register. Where a risk is identified in RED status, then it should be raised in
discussion with the Registrar/Chief Operating Officer (COO). There will be a standing agenda item for
risk on all College management committee meetings. There will be a standing agenda item for risk on
all Management Board meetings.
Escalations
On a quarterly basis the Risk Administrator will conduct a review with the Registrar/COO. At this review, all College and PS department risk registers are reviewed. Risks identified in RED status are reviewed and consideration is made by the Registrar/COO regarding possible amendments to the University Risk Register to reflect these RED risks. The level of management activity against each College and PS department risk register is also reviewed and the Registrar/COO will take follow-up action with the relevant Head of College or PS Director as required.
Individual members of staff
Effective risk management depends on the commitment and co-operation of all staff. Individual
members of staff within a College or Professional Service department are responsible for ensuring
that individual risks are controlled and monitored appropriately with changes escalated where
appropriate.
Joint Internal Audit Unit (JIAU)
Internal audit is an important part of the internal control process for risk. The JIAU use a risk-based
methodology which is informed by the risks in the University Risk Register. Reviews of the
University’s approach to risk management are undertaken on a regular basis on behalf of the Audit
Committee.
External Audit
External audit provides feedback to the Audit Committee on the operation of the internal financial controls reviewed as part of the annual audit.
Contacts
The key post holders for risk management are:
College | Code | Register Owner | Risk Coordinator
Arts & Humanities | AAH | Prof John Spurr | Heidi Waddington
Business & Economics (School of Management) | MGT | Prof Nigel Piercy | Garry Astley
Engineering | ENG | Prof Javier Bonet | Steve Davies
Health & Human Sciences | HHS | Prof Ceri Phillips | Stephen Herrieven
Law | LAW | Prof Andrew Beale | Sarah Holtom
Medicine | MED | Prof Keith Lloyd | Paul Roberts
Science | SEC | Prof Matt Jones | Steve Walmsley

PS Department | Code | Register Owner | Risk Coordinator
Academic Registry | ACR | Adrian Novis | Adrian Novis
DRI | DRI | Ceri Jones | Ceri Jones
Estates & Facilities | EST | Craig Nowell | Craig Nowell
Finance | FIN | Rob Brelsford-Smith | Rob Brelsford-Smith
HR | HRA | David Williams | John Cox
ISS | ISS | Kevin Daniel | Tony Ollier
Marketing | MKT | Catherine Mullin | Liz Shouaib
PSPU | PSP | Pat Price | Louisa Parry
Student Services | STS | Kevin Childs | Kevin Childs
VC’s Office | VCO | Martin Lewis | Martin Lewis
University | UNI | Vice-Chancellor | Ciaran Whyte