Risk Profiling
How to Guide for Service Division Directors and Managers
Document Description and Usage
This guide provides helpful hints for people who will lead a risk profiling process.
Definitions
The term ‘Business Unit’ in this document means any sub-unit within the University such as
a Division, Academic Department or Service Unit.
The term ‘Cost Centre’ is used to refer to individual Academic Departments and Service
Units.
Contents
1. Introduction and Purpose (p. 3)
1.1. What is risk profiling? (p. 3)
1.2. What is the risk profiling process? (p. 3)
1.3. Who facilitates the risk profiling? (p. 4)
2. Preparation (p. 5)
2.1. Preparatory Material (p. 5)
2.2. Approach to Risk Profiling Exercise (p. 5)
3. Risk Profiling Exercise (p. 8)
3.1. Risk Profiling Introduction (p. 8)
3.2. Risk Identification (p. 8)
3.3. Control Identification (p. 10)
3.4. Control Assessment (p. 10)
3.5. Residual Risk Assessment (p. 11)
3.6. Action Planning (p. 11)
3.7. Final Check (p. 12)
3.8. Next Steps (p. 12)
4. Review (p. 13)
4.1. Monitoring and Reporting (p. 13)
Appendix 1 Roles and Responsibilities (p. 14)
Risk Facilitator (p. 14)
Risk Coordinator (p. 14)
Page 2 of 15
1. Introduction and Purpose
This document provides information on how to facilitate a risk profiling workshop. It is intended to help Heads of Department and Directors of Service Divisions (or their delegates) carry out a risk profiling workshop with their teams as part of the annual budgeting round.
Risk Profiling is used to initially identify the risks the University and each Business Unit within the
University faces in the next 12 months and to assess: the severity and likelihood of those risks; key
controls associated with the risks identified; whether the risks are tolerable or will require further
action.
1.1. What is risk profiling?
Risk profiling provides a structured approach to the identification and assessment of risk. This
guide outlines the process and the expectations placed on Business Units of the University.
The output of the risk identification and assessment process is a completed risk profile (or Risk Register). A completed risk profile contains the following attributes:
 A record of all the key risks and a list of Risk Owners.
 An assessment of the risk exposure (both before and after the application of controls).
 Identification of the key controls in place to mitigate the risks.
 Any further actions that are proposed to reduce the risk and who will complete them.
 A due date for further actions and a review date for each risk.
This Guide and the associated tools have been developed so that:
 Each Business Unit can have a complete risk profile to ensure a common understanding of the
risks the University faces. By assessing risk severity at Divisional and cost centre level, Heads
of Division/Departments will know the areas of greatest risk, be able to prioritise activities and
allocate resources in the upcoming budgeting round to reduce the most serious risk exposures.
 An aggregated risk profile can be produced at Corporate Level. To be able to do this it is necessary to have risk profiles done at Cost Centre level and Divisional level, and done in a consistent manner.
The overall goal of the process is to help Academic Departments and Service Units achieve their
annual financial and operational goals and to prevent disruption from avoidable problems during
the year.
1.2. What is the risk profiling process?
The risk profiling process is comprised of three main phases:
 Preparation
 Risk Profiling Exercise
 Review
These are explored in more detail in the following sections and summarised in the diagram below.
1.3. Who facilitates the risk profiling?
This document refers to the ‘Facilitator’ as the person who facilitates the risk profiling exercise. A
detailed description of this role is included in Appendix 1.
2. Preparation
2.1. Preparatory Material
The purpose of preparing material prior to the workshop is to provide a good understanding of the
Business Unit and the issues it faces to help the completion of the risk profile. Background
knowledge is useful to prompt participants during the workshop on potential areas of risk or issues
with controls. The preparation approach taken may vary dependent on the Facilitator.
Prior to the workshop it is suggested that the Facilitator gain an understanding of the following areas:
 The objectives or goals of the area and the main activities/processes it carries out. This information can be used as a basis for brainstorming risks, i.e. what events could prevent the Division/Department/Service Unit from meeting its objectives. This also helps establish the link between risk management, the budget and day-to-day management activities.
 The degree of dependency on other University departments for specific services, either with respect to one-off initiatives or generally throughout the year. This information will highlight the potential for problems if the Business Unit has new initiatives planned which will require support services to be available during a certain period, or if there are activity peaks/staff absences at a certain time of year that support services should be made aware of, etc.
 Any risks that have been identified through other reports (e.g. internal audit reports, departmental reviews), issues raised and, if possible, an understanding of their magnitude. This helps establish some of the key risks that should be raised in the risk profiling workshop.
 Any controls that are documented in other reports and any indication of their effectiveness. This provides information on some of the key controls that should be noted in the risk profiling exercise and an indication of how effective they are.
2.2. Approach to Risk Profiling Exercise
Forum for conducting the risk profile
The approach to running the risk profiling workshops should be agreed with the Business Unit at
the outset. This may be dependent on a number of factors, such as availability of staff, leadership
style, conflicting priorities etc.
The risk profiling exercise can either be run as a workshop or through a series of meetings with individuals or groups to discuss the risks and controls. The advantage of holding a workshop is that it promotes:
 Discussion and challenge amongst participants, which helps refine the profile in the workshop.
 An ideal forum to focus on risks that could impact on the Business Unit’s annual objectives, and any resources that may be required to address the risks (particularly those that will need to be factored into the budget).
Attendees
 It is recommended that no more than 15 people attend the risk profiling exercise (if it is to be run as a workshop). With more attendees it can prove difficult to facilitate the meeting and time can be spent discussing details which may not be important to the outcome of the workshop.
 Participants should represent a level of seniority with a good level of knowledge of activities/processes to be able to identify related risks and controls.
 One option that could be considered is to hold an initial workshop with academics/management to identify and assess the risks and another workshop with their internal support staff/reports to discuss the controls and their effectiveness. This process may benefit from having only the appropriate individuals in each workshop. If this approach is followed it is important that management validate the controls identified and residual risk rating.
Meeting logistics
 Appoint a support person to arrange the workshop, invite participants and send out relevant materials. This person will also be capturing information during the workshop (see Appendix 1 for the role of the Risk Coordinator).
 Consider the need for, and applicability of, sending pre-reading material to attendees.
 Consider having the following available at the workshop:
   Copies of the Risk Matrix
   Copies of the impact definitions / examples
   Copies of the previous risk matrix (if available)
 When this Risk Profiling methodology is first used, workshops should last approximately two hours, to allow sufficient time to discuss the risks in the Business Unit. If this proves to be insufficient time to cover all the risks, then follow-up one-on-one meetings may need to be organised (the approach should be agreed with the participants at the end of the first meeting or workshop), ideally within a week of the initial workshop. This ensures momentum is maintained to complete the profile.
Pre-population of risk register
When the risk profile is completed for the first time it may be beneficial to pre-populate the risk register prior to the workshop, using the preparatory material, to help stimulate ideas on the risks. Outlined below are a number of sources that can be used to help pre-populate the risk register and prepare for risk profiling workshops:
Previous Risk Assessment Reports – These can include previous risk profiles or other specific risk assessments such as Project Status reports and/or risk & issue logs, H&S reports, etc. If these other specific risk assessments have been done recently, it may be possible to save time in the workshop by presenting the results of these risk assessments for confirmation.
Academic Review Findings and Recommendations – Typically illustrate how well the Department/Service Unit has been performing against objectives based on feedback from subject experts and key stakeholders. Review the issues/recommendations raised within the report and consider what the risk is.
Student Opinion and Graduate Opinion Surveys
Student issues – Review any student complaints or issues; these can highlight actual or potential risks that result in an impact on the student experience.
Regulatory breaches/fines – The underlying cause of the breach or fine may provide an indication of the risk event that caused the regulatory impact.
External Audit points / Internal Audit points – The findings of audit reports can provide an indication of the risks that are or may occur within the Business Unit. Review the issues/findings raised within the reports and consider what the risk is.
Issues arising from other Academic Departments/Service Units – Consider whether other areas within the University have experienced risk events or issues that could potentially occur within your Department/Service Unit.
Business Plans – The risks associated with achieving objectives/growth aspirations/development can be considered.
Previous failures/losses/issues
Note:
On an ongoing basis the previous risk profile should be used as a starting point for the annual risk
profiling exercise, where the business unit can amend as appropriate.
The Financial scales to be used
The financial scale used for each Business Unit is a University scale and should not be adjusted to reflect Cost Centre/Divisional revenue. Assessing risks on a University scale allows the Risk Manager to identify risks that are common to a number of departments which, when viewed collectively, could pose a significant risk to the University, or indicate that there is a service-related problem impacting a number of academic departments that needs to be addressed.
Data Capture
An important part of running the risk profiling exercise is to ensure the output of the discussion is
documented. It is suggested that information is captured ‘on the spot’ in either the Risk Data
Capture form or directly into the Risk Register Template. It can be helpful to project this to all the
participants to provide a structure to the process and also to gain agreement during the workshop
on the way in which the risks have been captured and assessed.
3. Risk Profiling Exercise
The main role of the risk Facilitator during the risk profiling exercise is to provide leadership and
assist the business unit to complete the exercise.
Note: the Business Unit is responsible for managing risk within their area.
3.1. Risk Profiling Introduction
At the opening of the risk profiling exercise it is useful to provide an introduction and context to
the workshop. The nature of the introduction given will vary dependent on the experience and
knowledge of the participants (for example, the background provided during the first risk profile
exercise may be different from subsequent revisions). Potential material to cover during an
introduction includes the following information:
 The objectives of the exercise, i.e. to identify and assess risks and controls that may prevent the Business Unit from achieving its objectives, and that may need to be budgeted for.
 The purpose of performing the exercise, i.e. to help Council and University management have a consistent understanding of the key risks the University faces.
 An introduction to risk, i.e. definition, categories, differentiation between cause, risk and consequence, and the difference between inherent and residual risk.
 A walkthrough of an example, i.e. how the risk profiling process fits together.
It is also useful to provide hard copy handouts of the impact definitions, risk matrix and control
effectiveness criteria to provide a reference for the business during risk assessment activity. These
are available from the Risk Manager or can be downloaded from the University’s website under
Risk Management.
3.2. Risk Identification
If the template has been pre-populated prior to the workshop then the risks can be discussed in the
order they appear on the template and any additions, changes or deletions can be covered.
If the workshop is being run from a ‘blank’ template, then the facilitator should ensure all risks are
identified first, documented and then considered in turn to: assess them inherently (impact and
likelihood), identify controls and score the risks residually.
Helpful hints for facilitating the identification of risks
The guidance below is useful to consider when facilitating the identification of risks:
 The risk profiling exercise should consider plausible key risks to the Business Unit, i.e. over the next 12 months what risks could conceivably occur to prevent the Business Unit from achieving its objectives, or what are the risks associated with important processes in the Department/Service Unit. If the Business Unit identifies risks that are not plausible these should be challenged. It is important not to waste time on risks that don’t/won’t matter.
 It is important to differentiate between causes, risk events and consequences. In some instances it may be difficult to identify whether a ‘risk’ is a cause or consequence. The following may provide helpful guidance:
   A cause could occur but an operational loss may not necessarily follow. For example, ‘power failure’, ‘staff workload’, ‘manual processes’ or ‘human error’ in their own right may not have an impact, e.g. you could be reliant on manual processes but it is only if they go wrong that a loss may be incurred. On the other hand, a risk event usually has a defined impact, e.g. financial loss.
   A risk event is something with a defined outcome or impact, e.g. systems failure, late or incorrect payments, etc. Dependent on the Division/Unit these may or may not be relevant key risks, and the impact and likelihood of these will be different.
   A consequence is the impact that occurs as a result of a risk event occurring, e.g. regulatory fines, customer service, reputational impact, cost of rectification, etc.
 The following diagram provides an illustrative example. There may be additional causes and consequences of the risk event. Causes and consequences should be specific to the business undertaking the risk profile.
Cause (the event can be allocated to primary causes):
 System changes
 Out of date systems
 Systems at capacity
 Malicious damage
 Viruses / hacking
 Software bugs
Risk (the event occurs): System Failure
Consequence (the effect of the risk hinders the achievement of business objectives):
 Poor customer service
 Data corruption / loss of data
 Regulatory breach
 Participants may also identify control failures as a risk. The Facilitator can question the participants to help identify the underlying risk which the control mitigates. For example, with ‘lack of Business Continuity Plan (BCP)’, the risk event could be ‘Business Interruption’, one of the controls being a BCP which may not be effective.
 It is important to ensure that the risk is appropriately defined to ensure there is common understanding of the risk across the University. The Facilitator should ensure that sufficient details are captured in order that the risk event is fully defined. This not only helps the Risk Manager identify common and potentially serious institutional risks but also means that subsequent risk profiling exercises will be easier. For example, with the risk of systems failure: what systems are being considered, what is the nature of the failure (5 minutes vs. 2 weeks), etc. Defining the risk makes the assessment process easier to measure, monitor and control.
 Consideration should be given to whether certain risks can be consolidated on the risk profile. In deciding whether there is the potential to consolidate risks that appear to identify the same risk, consider:
   Would the impacts be the same for the different risks identified?
   Are the controls in place for each risk the same?
 If the answer to both of the above points is yes, then there may be good grounds to consolidate the risks.
3.3. Control Identification
A control is a process the University uses to minimise either the likelihood or impact of a risk
event occurring. When considering the controls for the purpose of the risk profiling exercise, the
following may prove useful:
 Only the main or key controls should be documented.
 Controls should be ‘tangible’, i.e. ‘management oversight’ is not a tangible control, whereas ‘monthly exception reporting provided to management’ is. A tangible control could be thought of as something that could be tested by an independent party, i.e. by reviewing evidence of how it is designed and performed.
 When identifying and documenting the controls, a control can be assigned to more than one risk as appropriate.
 Internal and external audits should not be captured as a control on the template. Although these mechanisms provide a degree of assurance over the process, they are not ‘close’ enough to the underlying risk event.
It may help the discussion to outline the four main types of controls the business could have in place to mitigate the identified risks:
 Preventative Controls – Controls in place to prevent or stop a risk event from occurring, e.g. system security, automatic system shutdowns, regular maintenance alarms, etc. (these controls mitigate the ‘likelihood’ of the risk occurring).
 Detective Controls – Controls in place to identify that an event has occurred, e.g. management reporting, quality reviews, etc.
 Recovery Controls – Controls in place to help the University/Department/Service Unit recover after an event has occurred, e.g. data backups, insurance coverage, etc. (these controls mitigate the ‘impact’ should these risks occur).
 Administrative Controls – Controls in place that provide passive guidance, e.g. policies, procedures, training, warning signs, etc.
Of these four types, the ‘Administrative’ controls are not considered to be key controls due to their
passive nature. It is however possible to have any of the other three types of controls based on an
administrative control where there is active monitoring and action taken by people with clear
responsibilities.
3.4. Control Assessment
Controls are assessed on the basis of design and performance. The design of a control assesses how well the control should work in theory if it is always applied in the way intended. Control performance considers the way in which the control is operated in practice, i.e. whether it is applied when it should be and in the way intended by its design. The following guidance may help to assess the controls:
 Controls should be assessed using a combination of management experience and supporting material gathered during the preparation phase. For example, audit findings may help provide a basis for assessing whether the control is effective.
 Consider whether the control is appropriate for its purpose (design). For example, is a monthly reconciliation for high value transactions appropriate, or should it be undertaken on a more frequent basis? How much of the risk does it mitigate?
 Consider whether the control is adequately performed. For example, reconciliations may actually only be carried out every two months, or not be completed correctly in line with policy.
 Controls such as policies and procedures or certain training may not rank highly in terms of performance. This is because, whilst they may be well designed, they rely on staff to understand and implement them.
 Controls that are embedded in systems are usually more robust, e.g. password-protected system access; however, consideration should be given to how they work in practice, i.e. are passwords deactivated appropriately for staff moving departments, etc.
 As mentioned earlier, only key controls should be identified and assessed. By explicitly identifying controls it becomes possible to a) ensure clear accountability for the ownership of controls; b) identify the controls that did or did not operate where risks/losses have occurred.
Note: typically the more senior academics/management will not have a great deal of hands-on
experience with the various controls, so having the identification and assessment done by more
junior staff will produce a more accurate outcome. These outcomes can then be provided to senior
management for review.
3.5. Residual Risk Assessment (the level of risk after you’ve applied the above controls)
When facilitating this discussion the following areas may be useful to consider:
 When assessing residual risk, consider whether the existing controls reduce the inherent impact and/or the likelihood of the risk, and also how effective they are.
 There is no mathematical relationship between the control effectiveness assessment and the residual risk rating; the residual risk assessment should be based on experience and the opinion of participants with relevant skill/knowledge to make a judgement call.
 The Facilitator could prompt participants to consider the current situation when assessing residual risk. That is, the current experience of the cost centre: how frequently has the risk occurred and what was the result?
3.6. Action Planning
Throughout the risk profiling exercise remediation actions may be identified; these actions should be captured as appropriate during the discussion (by the Risk Coordinator).
If any residual risk exceeds the University’s risk tolerance, it must be reported to the Risk Manager and actions taken to correct the situation. The University Risk Appetite cannot be intentionally exceeded without first obtaining the Vice Chancellor’s and Council’s approval.
If the assessment of residual risk is below the University’s Risk Tolerance, but still considered too high for the individual Department/Service Unit, the Facilitator should consider the following options:
 Risk Transfer – Risk can potentially be reduced through strategies such as insurance, to minimise the residual risk to the business. It should be noted however that sometimes risk transfer may not completely negate the risk and may also create new types of risk. For example, outsourcing a business activity to a third party does not relieve the University of the responsibility for the third party’s performance, and will also require that the risks of outsourcing be included in the risk register.
 Risk Reduction – It may be possible to reduce the risk further through improving controls or other mechanisms.
If neither of these first two options is possible then consider:
 Risk Avoidance – Completely cease the activity that creates the risk. This would be the recommended course where the costs of risk transfer / reduction outweigh the benefits of the activity, so the activity is ceased.
 Risk Acceptance – It may not be possible to economically reduce the residual risk, for example due to the cost of improving the controls. Therefore, although the residual risk is high, it may be accepted by the Department/Service Unit, but this should be communicated to the Head of Division.
3.7. Final Check
The guidance below is useful to consider before finishing the risk profiling workshop:
 Have all the risks identified during the preparatory phase been covered in the workshop?
 Have all risks and action plans been assigned owners? The reason for assigning ownership is to ensure responsibility for managing the risk, control or action.
 Has sufficient detail been captured to allow the Risk Manager to understand common risks across Departments/Service Units? Business Units are likely to express risks in different ways, so if adequate information is provided the Risk Manager will be able to consolidate risks to a more appropriate level.
3.8. Next Steps
Before closing the workshop the facilitator should agree the next steps in order to finalise any
items that are outstanding from the workshop. For example:
 If not all risks and controls have been identified or assessed; or
 If action plans have not been finalised, or require more detailed planning and costing.
As outlined previously, one-on-one meetings can be held to complete the profile.
4. Review
Following the workshop, the facilitator should review the risk register to ensure that:
 risks have been clearly documented
 the register accurately reflects the risks facing the business unit.
 details of the resources (people, money and time) required to implement the action plans
are clearly documented. If any money is needed to mitigate risks, then this will need to be
provided for in the upcoming budget.
At this stage it is also beneficial to reorder the risks to reflect the highest risk first. Risks should be
ordered according to the residual risk rating.
Following this step the risk register can be signed off by the owner of the Risk Register and a copy
submitted to the Risk Manager.
4.1. Monitoring and Reporting
The following guidance is provided for the ongoing maintenance of the risk profile:
 When the risk register has been reviewed and signed off by senior management it should be maintained by the Business Unit and reviewed if circumstances in the department change, e.g. a large loss is incurred, new papers or business processes are introduced or changed, etc.
 The Risk Coordinator should retain a ‘live’ copy of the risk register and coordinate any changes from the Business Unit. Changes should be communicated to the HOD / Head of Division.
 As a minimum the register should be updated every six months.
 Action plans agreed as a result of the risk profiling exercise should be monitored to ensure they are actioned.
APPENDIX 1 - Roles and Responsibilities
Risk Facilitator
Overview
The main responsibility of Facilitators (typically the Director of the Service Division or
Manager of a unit) is to work with the division/unit to identify, assess and monitor risk. It
should be noted that the role is not an administrative function, the Facilitator should provide
leadership and support to facilitate this process. The main roles and responsibilities are
detailed below:
Governance
 Act as a conduit between the Risk Manager and the Department/Service Unit.
Risk Profiling Process
 Review preparation material prior to the workshop to gain an understanding of the risks and controls in the area and any issues associated with them.
 Facilitate the risk profile workshop to help the cost centre identify and assess the key risks.
 Review the output of the workshop for quality, consistency etc. and rank risks based on residual assessment.
 Obtain sign-off of the risk profile/register.
 Be custodian of the risk profile and consult the business on whether it needs to be updated in between the formal review process in light of incidents, changes in processes etc. in the business.
Monitoring Actions
 Monitor progress on remediation plans formulated by Business Units (as a result of the risk profile) to ensure they are implemented according to the plans established.
Risk Coordinator
 The Risk Coordinator is there primarily to record all the risk events, associated controls and action plans as they arise.
 The risk events discussed by the group should be recorded accurately; where there is any doubt the Risk Coordinator should confirm with the participants that the correct risk event has been captured. Where discussed, example causes and effects should be added into the comments field to supplement the information captured.
 Where participants mention controls or identified control weaknesses at any point in the workshop these should be recorded in the appropriate columns, to aid the control identification and scoring process.
 The Risk Coordinator should also aid the Facilitator in ensuring that conversation in the workshop remains focused and that risk events are clarified.
 The Risk Coordinator will also help with facilitation by ensuring coverage of all risk areas is achieved by moving conversation on to topics that have not been covered, should participants spend too long on one area.
 Any issues that cannot be resolved during the workshop will be noted by the Risk Coordinator in the risk register template and discussed after the workshop. It should be ensured that these issues are resolved as appropriate and reported back to the Business Unit.