EUREKA / Risk Management Policy - Version 2.0

EUREKA Risk Management Policy

Version 2.0 June 2018




Contents

• Contents (page 2)

• Acronyms (page 2)

• Scope (page 3)

• What is risk? (page 3)

• Purpose (page 3)

• Roles and Responsibilities (page 4)

• Risk Assessment and Management (page 6)

• Threat Identification (page 7)

• Risk Assessment – Evaluating the risk (page 8)

• Risk Management Actions (page 9)

• Defining Risk Tolerance & Risk response (page 9)

• Risk Documentation (page 10)

• Risk Reporting (page 10)

• Owner (page 11)

• Document History (page 11)

• Approval and Distribution (page 11)

• Annex 1: Risk assessment scales for probability and severity (page 12)

Acronyms

• EB: Executive Board

• ESE: EUREKA Secretariat

• GA: General Assembly

• HoS: Head of EUREKA Secretariat

• HR: Human Resources

• IT: Information Technology

• RAC: Risk & Audit Committee

• RM: Risk Management


Scope

The Risk Management Framework encompasses all of the ESE’s activities, whether external-stakeholder facing or entirely internal. The scope of the framework covers all supporting assets (people, infrastructure and facilities) and practices required to develop, maintain and operate the ESE’s activities. It provides a common approach and language to the whole organisation for assessing risks and prioritising mitigating actions, and frames the management of risks within the ESE.

What is risk?

Actions (or lack of actions) typically result in opportunities and negative impacts on the organisation. Impacts are classified into different areas:

• Financial,

• Operational,

• Legal, contractual & regulatory,

• Reputation.

Actions (or inactions) can negatively impact one or more areas. The threat posed by (in)actions can be assessed according to the size or severity of the negative impact, and the likelihood or probability of it happening. This is the associated ‘risk’. Risk is, in general, defined as the effect of uncertainty on objectives.

Purpose

This Risk Management Policy forms part of the ESE’s internal control and governance arrangements. The policy explains the underlying approach to risk management. It gives the key aspects of the risk management process, and identifies the main reporting procedures.


Roles and Responsibilities

The General Assembly

• Approves the Risk Management Policy document.

The Executive Board

• Endorses the overall Risk Management Framework and Risk Management Policy.

• Provides direction and is accountable for risk-based decisions.

• Endorses, reviews and approves a regularly updated entity-wide Risk Register.

• Reviews priority risks and associated mitigation plans

Risk & Audit Committee

• Receive routine reports from the Risk & Compliance Unit.

• Set annual audit programme and priorities

• Monitor progress with audit recommendations

• Provide risk assurance to the Board

• Oversee Risk Management structure and processes

o Reports to: The Executive Board

The Head of Secretariat

• Defines the acceptance levels of particular threats and risks (risk appetite).

• Responsible for allocation of resources and accountabilities across the business activities in order to meet the objectives of the policy.

• Creates an organizational culture where management and staff take ownership of risk as part of day to day operations.

• Establishes sound risk management and internal control based on an assessment of risk in accordance with the guidelines established by the Board.

o Reports to: The Executive Board & Risk & Audit Committee

Unit Managers

• Alongside their day-to-day management duties, conduct their own risk assessments, making use of risk management expertise as appropriate.

• Provide information necessary to the Control & Compliance Unit to identify and review losses or exposures

• Ensure staff understand their responsibilities with respect to the Risk Management Policy

• They are responsible for assessment, documentation and controls of risks within their domain along with the associated monitoring.

o Reports to: Head of Secretariat & Risk & Audit Committee

o Informs: Control & Compliance Unit

Control & Compliance Unit

• Develop the risk management policy and keep it up to date

• Co-ordinate, facilitate and support the risk management process. The risk management process covers the threat landscape and the monitoring of risk mitigation strategies.


• Compile risk information in the Risk register and prepare reports to oversee the risk management process and to ensure all risks are captured and subject to assessment and control.

o Reports to: Head of Secretariat & Risk & Audit Committee

o Informs: Executive Board, General Assembly & Head of Secretariat

o Consulted by: Department Managers

Directly Employed Staff, Staff Seconded to the ESE, Contractors

• By distributing the policy to all staff, the appreciation of risk, and an understanding of how the ESE reacts to it, will become a consideration of all employees and contractors in the performance of their duties.

• They shall comply with the risk management controls for all activities undertaken. They should only undertake tasks for which they are competent, and authorised.

o Reports to: Department Managers


Risk Assessment and Management

The process of risk assessment contains the following elements:

• Identification of the threat.

• Evaluation of the risk level, giving consideration to work activities and control measures that may be in place.

• Plan to manage these risks through control measures (existing, modified or new)

• Setting up the organisation and means to implement the control measures.

• Documentation of the assessment and actions taken for managing the risk.

• Regular assessment of the effectiveness of the controls.


Threat Identification

A threat is a circumstance or an event which, if it materialises, could prevent the organisation from meeting its business objectives or jeopardise the sustainability of its activities. The objective of threat identification is to ensure that threats are identified in a timely manner and drive appropriate management attention. Threat landscape monitoring is used to manage foreseeable threats and to define the areas of attention that would need to be tackled as the ESE enters new activities or partnerships. The threat landscape includes the following areas:

• External threats: these are outside the ESE’s control, e.g. the political environment, changes in the regulatory framework, economic factors, war, disasters, technical failures.

• Governance and strategy.

• Compliance and quality.

• Internal operations: for instance Finance, HR, IT, Marketing & Communications.

• Programme-related threats.

A clear description of the causes and consequences of each threat will help to take the necessary control measures. This description will be used to identify links and correlations between risks.

Threat identification is an ongoing process for all staff.


Risk Assessment – Evaluating the risk

Scores are allocated for severity and for likelihood of occurrence. These are multiplied to gauge the level of risk, and thus the priority for necessary actions. The risk measurement scales used at the ESE involve five levels of Likelihood (Almost certain, Likely, Possible, Unlikely and Rare) and five levels of Impact (Severe, High, Medium, Low, Negligible).

Four risk dimensions are considered in measuring the severity of risks:

• Financial impact: The potential of financial loss measured in Euros.

• Operational impact: The inability to deliver against ESE’s key operational objectives.

• Legal, contractual & regulatory impact: The inability to comply with applicable statutes measured against criteria considering situations of non-compliance.

• Reputational impact: The damage to ESE’s reputation measured against criteria considering negative media exposure and/or potential loss of members.

Likelihood/Probability is measured based on the following categories:

• Technical failures: measured through probability of occurrence despite controls

• External events: measured through probability of occurrence.

• Malicious acts: measured considering the extent of knowledge and infrastructure required to perform malicious acts, known occurrences, threat sources and control effectiveness.

• Human errors: measured considering the degree of automation, known occurrences and the effectiveness of controls for the threat considered.

More details can be found in Annex 1 of this Policy. Relevant individuals within the ESE are asked to quantify the severity and probability. The scores for severity and probability for each threat are displayed as a scatterplot on the risk matrix. An Incident Register is incorporated into the Risk Register to record a brief summary of all incidents that have occurred within the company over a period of time. This information is used as an element of justification for the evaluation of the likelihood of a specific risk and to plan strategies for managing the prevailing risks faced by EUREKA.


Risk Management Actions

A matrix can be used to quantify the perceived risk for a given threat. The higher the score, the more serious and urgent the threat, and the greater the need for risk reduction actions.

• Green - Insignificant risk: No action or documentary evidence required. Cost-effective solutions could be considered.

• Yellow - Moderate risk: Cost-effective solutions could be considered. Monitoring would guarantee that controls are maintained.

• Orange (Priority B) - High risk: Efforts should be made to reduce the risk. Cost-effective solutions could be considered and implemented within a specific timeframe.

• Red (Priority A) - Substantial risk: Considerable resources may need to be allocated to reduce the risk. Documentation and follow-up are required.

Defining Risk Tolerance & Risk response

Risks that have been evaluated and fall into zones A or B require a defined response. There are 4 ways in which to respond to a given risk:

• Avoid the risk – Interrupt the activity or business objective that generates the risk.

• Mitigate the risk – Institute controls to reduce the likelihood and/or impact of the risk. (e.g. Change a process, introduce training, introduce safeguards/additional checks)

• Share the risk – Partner with a third party e.g. an insurer or through a joint venture to reduce the likelihood and/or impact of the risk.

• Accept the risk – Accept the impact and likelihood of the risk without additional controls.

A simple way to remember the options is using the 4 ‘T’s:

1. Terminate – avoid or eliminate the loss or exposure.

2. Treat – instigate control activities.

3. Transfer – share the risks: insurance, experts, externalised activities.

4. Tolerate – define what level of risk you are willing to accept, in relation to the perceived impacts for that risk.

The response and controls are defined within the relevant policy documentation and are managed by the owner department. References to these policies are made in the centralised risk register. Responses should follow the SMART principle: Specific, Measurable, Achievable, Realistic and Timely. Risks that cannot be eliminated should be reduced to an acceptable level. Any significant residual risk should be controlled, periodically reviewed and reported on.


Risk Documentation

The Risk Register & Risk Matrix

The Risk Register is a living document updated on a regular basis. Each risk identified within the ESE is recorded in the Risk Register. The evaluation given to a risk is reviewed on a periodic basis, taking into consideration the risk mitigation measures adopted and the controls in place. The Risk Matrix is used to illustrate the degree of risk within the organisation. The assessed risks are documented in the Risk Register by means of a risk assessment structure. In this structure, risks are sorted by categories and areas. Each category of risk is assigned to a specific risk owner who is responsible for assessing the risk and deciding on any mitigating actions.

The Risk Management Policy

The Risk Management Policy sets out the ESE’s approach to risk. The Policy sets the minimum standard for risk management as it applies to the ESE’s business and operations. It defines the level of risk that the ESE is prepared to accept in the pursuit of its strategic objectives, by describing the assessment methodology, the assessment scales, the risk matrix and the various levels of response for the different areas defined within the matrix.

Ad-hoc EUREKA documents

One or more documents that describe the threats, risks, level of acceptability, controls and responses for threats within a single department or cross-departmental domains (e.g. the ICT department or the Eurostars domain). This might be a specific guideline for a specific risk or activity (e.g. the internal control framework for payments), or it might be covered within the normal operating process descriptions (e.g. social media engagement is an ongoing action to try to increase the number of applications).

Risk Reporting

Risk reporting aims to provide management with a regular update on new threats and on the evolution of the organisation’s risk profile, as well as to improve awareness of risk management processes.

Report: Risk register & matrix
Purpose: Risk profile based on risk assessment
Frequency: Annual
Stakeholders: Risk & Audit Committee, Executive Board, HoS

Report: Risk Management Status update
Purpose: Developments in the RM framework; report changes in the risk profile on an exceptional basis.
Frequency: Quarterly
Stakeholders: Risk & Audit Committee, Executive Board, HoS

Report: Yearly Risk Assessments and Ad-hoc Assessments
Purpose: Objectives and conclusions of the assessment; corrective actions if needed.
Frequency: On completion of assessments
Stakeholders: Risk & Audit Committee, Executive Board, HoS

Report: Board Papers
Purpose: Explicit risk assessment of proposed decisions
Frequency: On request
Stakeholders: Executive Board

Owner

Document Owner: Control & Compliance Unit
Last Modified by: Control & Compliance Unit
Modification date: 07/06/2018

Document History

Change Reference / Date / Description of change / Version number

• 0. 10/03/2016: Approval of the RMP. Version 1.0

• 1. 07/06/2018: Risk Management transferred to the Control & Compliance Unit, update of the Risk Register, adaptation of the methodology, light revision of the policy accordingly. Version 2.0

Approval and Distribution

Version / Approval of HoS / Approval of RAC / Approval of EB / Approval of GA / Distribution to Staff

• 1.0: 16/02/2016, 10/03/2016

• 2.0: 06/06/2018, 12/06/2018, 05/07/2018, 07/11/2018


Annex 1: Risk assessment scales for probability and severity

Likelihood/Probability Scales

The risk likelihood is defined as the possibility or probability that a given event occurs, considering the category of factors, assessed on a five-point scale. The highest and lowest points for each factor are exemplified in the following tables.

Scales and descriptions:

• Almost certain: The event is expected to occur

• Likely: The event will probably occur

• Possible: The event might occur at some time

• Unlikely: The event could occur at some time but is improbable

• Rare: The event may occur only in exceptional circumstances

Factors and descriptions:

External event, disaster, technical failure

• Probability

o Very High: At least once a year

o Very Low: Less than every 50 years

Malicious acts

• Knowledge: relates to how widely known the vulnerability is, as well as the knowledge required to exploit it

o Very High: Almost no specific knowledge is required

o Very Low: A high level of expertise and detailed insider knowledge of the ESE is required

• Occurrence: relates to how often similar kinds of threats occur

o Very High: At least once a year

o Very Low: Less than every 50 years

• Threat source: relates to the level of access required to perform the act

o Very High: Anyone

o Very Low: Deliberately not elaborated, in order to assess risks at a higher level

• Control effectiveness: includes monitoring and tracking of the execution of controls, coverage of all possible cases and scenarios, segregation of duties (including the four-eyes principle), possible exceptions to controls, and detection or prevention

o Very High: There is no control in place at all

o Very Low: There are successive controls in place, preventive and detective. The quality of controls is assured with different supervisory controls. Execution of controls is evidenced or enforced by automation.

Human errors

• Level of automation: the reliance on human activity considers the degree of automation, the probability of human errors and the effectiveness of controls on human interventions and automation


o Very High: No automation, full reliance on human activity

o Very Low: Extensive automation without human involvement

• Known occurrence, control effectiveness

o Very High: Same as detailed under Malicious acts

o Very Low: Same as detailed under Malicious acts

Impact Scales

The effect of a given event occurring is ranked on a five-point scale and assessed with consideration of four potential kinds of consequences.

Scales and descriptions:

• Severe: Objectives failure: inability to achieve minimum acceptable requirements

• High: Secondary requirements may not be achieved, major cost and schedule increases

• Medium: Important requirements would still be met, moderate cost and schedule increases

• Low: Requirements would still be achieved, only a small cost and schedule increase

• Negligible: No effect on the objectives

Factors and descriptions:

Financial: direct or indirect financial losses

o Very High: 250 K euro or more

o Very Low: Less than 2.5 K euro

Operational impacts

o Very High:

- Significant organisation-wide issues which reflect poor control or management practices

- Direct major exposures of strategic objectives and/or lack of various key controls

- Strong adverse impact on the level of management control and control assurance

o Very Low:

- Equivalent of cosmetic impact

- No impact on internal control

- Not considered good practice

Legal, contractual & regulatory: considers the nature of the non-compliance (fiscal, employment/social, privacy legislation…) and the scope of the exposure (geographical, impacted projects, member states, financial…). Regulatory impact considers the potential reaction/action of regulators.

o Very High:

- Non-compliance and high probability of a lawsuit with major impact on the ESE (financial, reputation)

- Breach of contract/Service Level Agreement leading to loss of multiple major stakeholders or partners

- Main bodies seriously dissatisfied, major reaction expected

o Very Low:

- Non-compliance with no risk of lawsuit

- Claim from a small stakeholder or partner

- Main bodies will want to be informed at regular meetings, but the matter is not considered significant

Reputation: often caused by other risks (e.g. a risk concerning integrity) and hence of a secondary nature. In those cases, the rating of the primary risk prevails (e.g. if the integrity impact is considered low, then the related potential reputation risk should not be rated higher than that).

Press visibility


o Very High:

- General press coverage in multiple member countries

- Extensive in-depth coverage in virtually all well-respected specialised press

- Viral spread via social media

o Very Low:

- Local (non-national) newspaper article

- Article in not-so-well-respected specialised press

- Not picked up on social media

Loss of project applications and/or support of member countries

o Very High:

- Decrease in volumes of more than 10%

- Other significant loss of “business”: (major) public authorities or multinationals threaten to seek alternative providers for all provided services

o Very Low:

- No noticeable decrease in volumes or no lost opportunity

- Prospective members will require additional convincing