Guideline - Risk Register

1. Introduction

The Risk Management Framework is a component of the Risk and Business Management suite. The suite includes:

• Risk Management – including risk registers
• Business Continuity Plans – including business impact analysis
• Emergency Response Plans
• Health and Safety Plans

This document defines commonly used risk management terms and sets out the risk register format that Victoria has adopted. This document should be read in conjunction with our Risk Management Policy and provides a process to help us better manage and minimise the risks associated with our work.

All decisions involve risk management. Risk should be considered throughout the development and implementation of any business process or project. Risk management is a structured and systematic process which is part of business as usual (BAU). Managers need to consider the risk involved in delivering their business and how to manage that risk effectively, by implementing strategies based on the amount of risk the University considers tolerable. This document broadly considers risk as anything that could prevent us from achieving our goals, or an outcome resulting in loss.

2. Definitions

Risk: defined as “the effect of uncertainty on objectives” [1]. Risk is measured in terms of likelihood and consequence.

Raw Risk: the risk before anything is done to mitigate or manage it, i.e. before controls are put in place.

Residual Risk: the risk faced after putting in place controls or mitigation actions.

3. Organisational Scope

All Managers are responsible for identifying, assessing and managing the risk within their areas of control and for ensuring that appropriate risk management activities are functioning effectively.

4. Framework Content and Guidelines

The Risk Management Plan is made up of four stages:

• Identifying and managing risks – Risk Register;
• Identifying key or priority risks – Risk Report Summary;
• Reporting and escalating risks at the appropriate time; and
• Reviewing risk in an on-going cycle.

This document provides guidance on completing a risk register and the risk report summary. Managers are required to report key risks to their managers and escalate as appropriate to SMT. This is a key component of a manager’s responsibilities. For guidance on the formal reporting cycle refer to the Risk Management Programme: Operational Risk.

[1] AS/NZS ISO 31000:2009 – Risk management – principles and guidelines

4.1 Identifying and Managing Risks – Risk Registers

Risks are identified and assessed on a risk register. Appendix 3 contains a sample risk register using the University’s standard template. Copies of blank templates are available from Safety and Risk (email [email protected]).

4.1.1 Identifying risks

Risks are identified through environmental scanning (keeping ourselves updated on our operating environment), planning processes, major projects, investigating incidents (risk assessment and mitigation actions are essential elements), internal monitoring (regular audit and inspection) and throughout the change management process. Managers should identify sources of risk, their causes and their consequences.

Managers should consider all sources of and contributors to risk associated with delivery of their business. From this we can determine the effect on our objectives of the uncertainty associated with these factors. Consideration should be given to factors including:

• Health & Safety
• Service delivery
• Legal and regulatory
• Finance
• Reputation
• Adverse media coverage
• Environmental impact
• Product quality
• Human Resources
• Information

4.1.2 Assessing the effects

Risks are assessed by considering the consequences of an event and the likelihood of the outcome occurring. The risk assessment is carried out by the manager responsible for the work area or process being assessed.

The table in Appendix 1 provides guidance for calculating risk levels. The likelihood scale is based on the event occurring in the next year. This process provides information to help us decide whether the risks need to be treated and the most appropriate control.

4.1.3 Managing risk – controls and assurance

Victoria University has developed an integrated assurance framework to bring together mitigating practices such as the reporting framework, statutes, policies, procedures, and guidelines or physical controls that the University uses to govern its work. This approach provides clarity over any areas where there is an assurance gap, helps to avoid duplication, and focuses assurance on strategic drivers and initiatives.

Further internal controls that support the management of risk are business continuity plans, emergency response plans, health and safety plans, and internal audit and academic reviews. The University’s policies are kept current and indexed by function on an accessible, well-maintained website, and internal audit reviews the effectiveness of the internal control system within the University. Independent audit is also carried out in line with our ACC workplace H&S accreditation.

Managers should implement their own assurance programme to check the risk controls in their areas and develop a realistic, actionable mitigation plan for each major risk, including whether and how the risk is currently managed, such as through business as usual (BAU) processes or other internal controls already in place. It is important that, where possible, mitigations dovetail with existing plans.

The impact of all mitigating actions and sources of assurance is considered before calculating the ‘residual’ risk. A control may therefore reduce the likelihood, the consequences, or both; which of these it reduces depends on the nature of the risk, the underlying subject matter and the specific treatment plan or controls that have been identified. If a control has been listed but is not performing as well as originally intended, the manager’s mitigation plan must include the improvements to the implementation, application or structure of that control.

Examples:

1. The risk of key university systems and processes being immobilised or disrupted in the event of an earthquake.
Control: An effective business continuity and disaster recovery plan.
Comment: This does not reduce the likelihood of an earthquake occurring, but it does reduce the impact on essential operations.

2. The risk of the University not complying with key legislation.
Control: A robust legislative compliance framework which clearly identifies key legislation and ensures there are processes.
Comment: This reduces the likelihood of non-compliance. It may not, however, be able to influence the impact if non-compliance were to occur.

3. The risk that VUW staff incur expenditure that is not in line with University goals.
Control 1: Systems that enforce segregation between purchase order creation and approval.
Comment: This reduces the likelihood of such expenditure occurring.
Control 2: Systems that require “sign-off” from appropriate staff depending on the value of the transaction, e.g. delegated financial authorities.
Comment: This reduces the impact, i.e. the dollar value, of the risk.

Both controls working in combination (fairly typical in most financial systems) will reduce both the likelihood and the impact of the risk.

The table in Appendix 2 provides managers with guidance on how to evaluate the effectiveness of risk controls. Controls are ranked level 1 – 3: a level 1 control is the most robust and a level 3 control the least robust. Managers should also consider how well a control already in place is implemented or complied with. For example, if a procedure is listed as part of the control mechanism but our audit process identifies that it is not complied with, the control is considered weak, and the manager should not reduce the assessed risk value significantly. A mitigation plan should be developed to address the poor compliance.

If multiple controls are in place and a good level of compliance is verified by our audit process, then the control effectiveness is considered to be robust and the manager can reduce the residual risk.

4.2 Identifying Key or Priority Risks – the Risk Report Summary

Once the register has been completed, the risks should be plotted on a risk heat map using the residual risk rating, identifying each risk by its numeric record number. The manager should review the heat map and provide a report summary to their manager on the following basis:

• Identifying high and key risks;
• Assessing the level of effectiveness of controls;
• Identifying issues or areas for improvement; and
• Making recommendations for improving the controls or addressing the risk in some other way.

A sample heat map is attached in Appendix 4. A sample Risk Report Summary is attached in Appendix 5.

The Risk Report Summary must be reviewed and provided to line managers at least once a year, and at any other time the risk rating changes significantly, new key risks arise, or the environment or other contextual factors change. For further guidance refer to the Risk Management Programme – Operational Risk.

Appendix 1 – Table for assessing risk levels

Risk = Likelihood x Consequence.

Likelihood (chance of the event occurring in the next year)
1 – Very low: Extremely unlikely. Less than 5% chance of occurring.
2 – Low: Unlikely. 5% – 25% chance of occurring.
3 – Medium: Possible. 25% – 60% chance of occurring.
4 – High: Likely. 60% – 80% chance of occurring.
5 – Very high: Almost certain. 80% – 100% chance of occurring.

Consequence
1 – Insignificant: Consequences are very low; minor disruption.
2 – Minor: Losses may disrupt services for a short period. Financial losses may be in the region of $10,000. Disruption to a single area of the business.
3 – Moderate: Service lost for a period of 1 – 5 days. Financial loss $10,000 – $100,000. Moderate injury equivalent to staff requiring time of less than 5 days away from work. Adverse media coverage for 1 day.
4 – Serious: Service lost for a period exceeding 1 week. Financial loss $100,000 – $1M. Adverse media coverage for 1 week. Internal investigation, or investigation by an external source/regulator. Staff, contractor or visitor suffers serious injury. Impact to multiple and diverse areas of the business. Significant senior management intervention required, including external assistance.
5 – Very serious: Significant resources required to recover from impact. Legal consequences resulting in prosecution. Financial loss >$10M. Staff, contractor or visitor involved in a fatal event. Adverse media coverage for an extended period. Complete loss of service delivery affecting all VUW critical functions. Immediate SMT and Council intervention required.

Risk (Likelihood x Consequence) and required action
1 – 5 Very low: Manage within existing controls. Monitor annually.
6 – 10 Low: Manage within existing controls. Monitor 6 monthly.
11 – 15 Medium: Evaluate efficiency of existing controls. Internal event review required. Develop and implement additional control mechanisms. Monitor quarterly.
16 – 20 High: Implement mitigation plan. Escalate/report to senior management. Monitor monthly.
Over 20 Very high: Implement mitigation immediately. Escalate to senior management. Monitor weekly.

The values identified above for financial loss reflect those which may be experienced at an organisational level. Divide the value by 10 for potential losses at directorate, school or service level.

Appendix 2 – Table for assessing controls

Control level 1 (most robust) – examples of control mechanism:
• For H&S, substitute with alternative equipment or substance
• Off site storage (data files)
• Back up equipment/assets, e.g. multiple servers, generators
• Fire prevention, e.g. appropriate materials, good housekeeping
• Management/supervision

Control level 2 – examples of control mechanism:
• Maintenance regime, programmed inspection
• Fully enclosed process, guarding, fencing, locked doors
• Policy, procedure, guideline
• Technical/industry standards
• Contract
• Training/development programme
• Competent staff
• Specialist advice (internal & external)
• IT data storage & retrieval systems
• Business/service planning
• Alternative suppliers
• Fire detection equipment
• Communication with stakeholders
• Recruitment and selection processes
• Approval process

Control level 3 (least robust) – examples of control mechanism:
• Information
• Warning signs
• Personal protective equipment
• Monitoring
• CCTV
• Key performance indicators
• Contract monitoring

Compliance with risk controls should be measured with audit processes.

Appendix 3 – Sample Risk Register

Register columns: risk number (numbered for reference); risk description; consequences; Raw Risk – Likelihood (L) 1–5, Consequence (C) 1–5, Raw Risk = L x C; Mitigations/controls; Sources of assurance; Residual Risk (RR) after mitigation actions and controls – L 1–5, C 1–5, RR = L x C; Risk mapping. On each scale 1 = lowest and 5 = highest.

Risk 1 – Unable to deliver classes due to building services failure (Risk mapping: Financial)
Consequences: Up to $100,000 in repairs to services and other losses
Raw risk: L 3, C 3, Raw 9
Mitigations/controls: Building maintenance programme; “Early notification” fault reporting process; Alternative venue (BCP); SAM plan
Sources of assurance: Supplier audit; Planned general inspection process
Residual risk: L 2, C 3, RR 6

Risk 2 – Failure to adhere to maintenance programme resulting in unreliable laboratory equipment (Risk mapping: Service delivery)
Consequences: Cancellation of experiments or classes impacting the tutorial programme, and delayed research projects
Raw risk: L 4, C 4, Raw 16
Mitigations/controls: Maintenance programme; Pre-use inspection process; Fault reporting process; Spare equipment; Programming of classes
Sources of assurance: Contract management protocols
Residual risk: L 2, C 4, RR 8

Risk 3 – Failure to comply with H&S practices – correct storage and handling when using chemicals (Risk mapping: H&S)
Consequences: Staff serious injury, lost time, prosecution by DoL and environmental damage
Raw risk: L 5, C 4, Raw 20
Mitigations/controls: Staff training; Bunding; Appropriate storage; Information (SDS); Product labelling; Supervision; Written procedures; Personal Protective Equipment; Fume extraction (LEV); Hazard assessment
Sources of assurance: Planned general inspection; H&S audit; Linked to hazard register
Residual risk: L 2, C 4, RR 8

Risk 4 – Loss of essential information due to IT failure (Risk mapping: Reputation)
Consequences: Unable to access data or provide reports/information to external regulators/stakeholders. Unable to monitor performance
Raw risk: L 3, C 3, Raw 9
Mitigations/controls: Maintenance regime; Systems “backed up” and information stored off site
Sources of assurance: System tests and auditing; Data protection systems
Residual risk: L 2, C 3, RR 6

Risk 5 – The project delivery is delayed (Risk mapping: Finance)
Consequences: Project overrun resulting in excess of $150,000 in additional rent or hire payments
Raw risk: L 5, C 4, Raw 20
Mitigations/controls: Project manager appointed; Project planning process; Contract monitoring; Contract identifying timeline and penalties
Sources of assurance: Audit of project controls
Residual risk: L 3, C 4, RR 12

Risk 6 – Unable to provide secure campus due to unavailability of security equipment on demand (Risk mapping: Service delivery)
Consequences: University premises not secured due to inoperative electronic security system equipment. Theft, unauthorised access
Raw risk: L 4, C 4, Raw 16
Mitigations/controls: Equipment servicing; Early notification fault reporting; Software upgrade; Manual lock up when electronic system fails; Security patrols
Sources of assurance: (none recorded)
Residual risk: L 3, C 4, RR 12

Risk 7 – Electronic monitoring equipment unavailable on demand (Risk mapping: Service delivery)
Consequences: Unable to monitor premises resulting in potential for loss/theft/vandalism
Raw risk: L 3, C 3, Raw 9
Mitigations/controls: Equipment servicing; Regular monitoring; Early notification fault reporting; Security patrols
Sources of assurance: (none recorded)
Residual risk: L 2, C 3, RR 6

Risk 8 – Reliance on contractors to provide essential services (Risk mapping: Service delivery)
Consequences: Lower level of institutional knowledge resulting in inflexible models of service delivery. Loss of institutional/corporate knowledge
Raw risk: L 3, C 5, Raw 15
Mitigations/controls: Robust contract management processes; Alternative suppliers
Sources of assurance: Supplier audit
Residual risk: L 2, C 5, RR 10

Risk 9 – Breach of building act (Risk mapping: Legal & regulatory)
Consequences: Delay to project and prosecution
Raw risk: L 4, C 3, Raw 12
Mitigations/controls: Project manager in place; Adherence to building standards; Legal advice; Contract management processes
Sources of assurance: Supplier audit; Contract evaluation process
Residual risk: L 2, C 3, RR 6

Risk 10 – Poorly presented high profile event (Risk mapping: Adverse media coverage)
Consequences: Media coverage resulting in poor reports in national press publications and national TV
Raw risk: L 4, C 4, Raw 16
Mitigations/controls: Advice and management from VUW Communications team; Communications protocols; Operations team providing security plan and security staff
Sources of assurance: (none recorded)
Residual risk: L 2, C 4, RR 8

Risk 11 – Inaccurate information presented during a lecture, or incorrect instructions given when using equipment (Risk mapping: Product quality)
Consequences: Poor performance when graduate leaves VUW and is employed in industry. Also poor reputation
Raw risk: L 4, C 5, Raw 20
Mitigations/controls: NZQA; TEC standards; Regulators and industry standards; Recruitment and selection; Professional indemnity insurance
Sources of assurance: Regulators’ inspections and audit
Residual risk: L 2, C 5, RR 10

Risk 12 – Poor student experience due to course material not available because of bad planning (Risk mapping: Product quality)
Consequences: Student unable to continue with course because of poor performance
Raw risk: L 3, C 4, Raw 12
Mitigations/controls: Course manager appointed; Electronic information/media systems available; Personal/group tutors appointed
Sources of assurance: (none recorded)
Residual risk: L 2, C 4, RR 8

Risk 13 – Poor student experience due to inadequate information/administrative systems. Courses not properly marketed (Risk mapping: Reputation)
Consequences: Students unable to access courses
Raw risk: L 4, C 5, Raw 20
Mitigations/controls: Marketing; Study at Vic day; Conferring ceremony; Student recruitment process
Sources of assurance: (none recorded)
Residual risk: L 2, C 5, RR 10

Risk 14 – Loss of funding from external agencies for research because of inability to produce high calibre Post Graduates (Risk mapping: Finance)
Consequences: Unable to run Post Graduate programmes. Also impacting upon VUW reputation. Unable to service premises in which to deliver programmes
Raw risk: L 4, C 5, Raw 20
Mitigations/controls: NZQA; TEC standards; Regulators and industry standards; Recruitment and selection process; Continuous professional and technical development
Sources of assurance: Regulators’ inspections and audit
Residual risk: L 2, C 5, RR 10

Risk 15 – Unable to deliver quality services due to our inability to attract and retain high calibre staff (Risk mapping: HR)
Consequences: Unable to deliver and support high quality teaching programmes
Raw risk: L 4, C 5, Raw 20
Mitigations/controls: Staff support; Staff development; Recruitment and selection; Succession management programmes; Communication and newsletters
Sources of assurance: PDCP
Residual risk: L 2, C 4, RR 8

Appendix 4 – Sample Heat Map

Record the reference number of the risk on the risk heat map, using the residual risk value.

Consequence 5 |        | 8, 11, 13, 14    |        |        |        |
            4 |        | 2, 3, 10, 12, 15 | 5, 6   |        |        |
            3 |        | 1, 4, 7, 9       |        |        |        |
            2 |        |                  |        |        |        |
            1 |        |                  |        |        |        |
              +--------+------------------+--------+--------+--------+
                   1            2              3        4        5
                                     Likelihood
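The scoring in 4.1.2 and Appendix 1, and the heat-map placement in Appendix 4, are mechanical enough to script, which is how a manager keeping a register of any size avoids mis-banding a risk or plotting it in the wrong cell. The block below is an added worked example, not part of the guideline or the University’s template. It encodes the Appendix 1 bands and actions, transcribes the raw and residual L/C values from the Appendix 3 sample register, places each risk on the Appendix 4 grid by its residual rating, and lists the risks whose rating requires escalation. The `check_row` rule that a control may lower likelihood or consequence but never raise it is my assumption, not a rule stated on the page.

```python
"""Added worked example (not part of the guideline): scoring register rows on
the Appendix 1 scales and placing them on the Appendix 4 heat map."""
from __future__ import annotations

from dataclasses import dataclass

# Rating bands from Appendix 1: (upper bound of L x C, rating, required action).
BANDS = (
    (5, "Very low", "Manage within existing controls. Monitor annually."),
    (10, "Low", "Manage within existing controls. Monitor 6 monthly."),
    (15, "Medium", "Evaluate efficiency of existing controls. Internal event "
                   "review required. Develop and implement additional control "
                   "mechanisms. Monitor quarterly."),
    (20, "High", "Implement mitigation plan. Escalate/report to senior "
                 "management. Monitor monthly."),
    (25, "Very high", "Implement mitigation immediately. Escalate to senior "
                      "management. Monitor weekly."),
)


def score(likelihood: int, consequence: int) -> int:
    """Risk = Likelihood x Consequence, each on the 1-5 scale of Appendix 1."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must both be 1-5")
    return likelihood * consequence


def band(risk_score: int) -> tuple[str, str]:
    """Map an L x C product to its Appendix 1 rating and required action."""
    for upper, rating, action in BANDS:
        if risk_score <= upper:
            return rating, action
    raise ValueError(f"score {risk_score} is outside 1-25")


@dataclass(frozen=True)
class Risk:
    """One register row: raw and residual L/C plus the risk-mapping category."""
    number: int
    category: str
    raw_l: int
    raw_c: int
    residual_l: int
    residual_c: int

    @property
    def raw(self) -> int:
        return score(self.raw_l, self.raw_c)

    @property
    def residual(self) -> int:
        return score(self.residual_l, self.residual_c)


def check_row(risk: Risk) -> list[str]:
    """Reviewer's sanity check (my assumption, not a rule in the guideline):
    controls may lower L or C but must never raise them."""
    problems = []
    if risk.residual_l > risk.raw_l or risk.residual_c > risk.raw_c:
        problems.append(f"risk {risk.number}: residual L/C exceeds raw L/C")
    return problems


def heat_map(risks: list[Risk], use_residual: bool = True) -> dict[tuple[int, int], list[int]]:
    """Place risk numbers on the grid keyed (consequence, likelihood).
    Appendix 4 plots the residual rating; use_residual=False plots raw."""
    cells: dict[tuple[int, int], list[int]] = {}
    for r in risks:
        key = (r.residual_c, r.residual_l) if use_residual else (r.raw_c, r.raw_l)
        cells.setdefault(key, []).append(r.number)
    return cells


def render_heat_map(risks: list[Risk], use_residual: bool = True) -> str:
    """Plain-text grid in the Appendix 4 layout: consequence 5 at the top,
    likelihood 1-5 across."""
    cells = heat_map(risks, use_residual)
    lines = []
    for c in range(5, 0, -1):
        row = [",".join(map(str, cells.get((c, l), []))).ljust(14) for l in range(1, 6)]
        lines.append(f"C{c} | " + " | ".join(row))
    lines.append("     " + " | ".join(f"L{l}".ljust(14) for l in range(1, 6)))
    return "\n".join(lines)


def escalations(risks: list[Risk], use_residual: bool = True) -> list[int]:
    """Risks rated High or Very high, which Appendix 1 requires to be
    escalated/reported to senior management."""
    return [r.number for r in risks
            if band(r.residual if use_residual else r.raw)[0] in ("High", "Very high")]


# Raw and residual L/C values transcribed from the Appendix 3 sample register.
SAMPLE_REGISTER = [
    Risk(1, "Financial", 3, 3, 2, 3), Risk(2, "Service delivery", 4, 4, 2, 4),
    Risk(3, "H&S", 5, 4, 2, 4), Risk(4, "Reputation", 3, 3, 2, 3),
    Risk(5, "Finance", 5, 4, 3, 4), Risk(6, "Service delivery", 4, 4, 3, 4),
    Risk(7, "Service delivery", 3, 3, 2, 3), Risk(8, "Service delivery", 3, 5, 2, 5),
    Risk(9, "Legal & regulatory", 4, 3, 2, 3), Risk(10, "Adverse media coverage", 4, 4, 2, 4),
    Risk(11, "Product quality", 4, 5, 2, 5), Risk(12, "Product quality", 3, 4, 2, 4),
    Risk(13, "Reputation", 4, 5, 2, 5), Risk(14, "Finance", 4, 5, 2, 5),
    Risk(15, "HR", 4, 5, 2, 4),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"risk {r.number:2d}: raw {r.raw:2d} {band(r.raw)[0]:9s} "
              f"-> residual {r.residual:2d} {band(r.residual)[0]}")
    print(render_heat_map(SAMPLE_REGISTER))
    print("escalate on raw rating:", escalations(SAMPLE_REGISTER, use_residual=False))
    print("escalate on residual rating:", escalations(SAMPLE_REGISTER))
```

Run stand-alone, the script reproduces the Appendix 4 grid (8, 11, 13, 14 at C5/L2; 2, 3, 10, 12, 15 at C4/L2; 5, 6 at C4/L3; 1, 4, 7, 9 at C3/L2) and shows that nine of the fifteen sample risks are High or Very high on their raw rating but none remains so after controls, which is the point of separating raw from residual in the register.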

Appendix 5 – Sample Risk Report Summary

Risk Report Summary - Campus Operations: Safety and Risk

1. Introduction

This risk report summary is part of the Campus Services process for managing our risks. The report provides a description of risks and management activities within the directorate, more specifically the Safety and Risk Unit of Campus Operations. The summary relates to the risks and controls associated with some aspects of the management of our building security/emergency arrangements, particularly those which occur outside of “office hours”.

This risk report serves the following important functions:

• Records and identifies the baseline for risk management activities
• Identifies problems and successes in risk management activities
• Provides an input for informed decision making
• Analyses the effectiveness of various risk control mechanisms
• Describes and defines a plan of action for implementing improvements
• Provides a mechanism for escalating risks where a manager does not have the delegated authority to act or implement certain risk reduction methodologies

2. High or Priority risks

The highest risks assessed within this site specific assessment are described below.

PROVIDE A DESCRIPTION OF THE SITE SPECIFIC RISKS CLARIFYING WHY THE RISK IS HIGH EG.

The Fire Safety & Evacuation of Buildings Regulations 2006 requires:

3. Details of the High or Priority Risks

The highest assessed risks recorded on the risk register associated with this summary are as follows:

LIST THE RISKS AND THE RISK RATING

4. Recommendations

LIST THE RECOMMENDED ACTIONS
