Risk Management charter and framework v0.9 dd 15-6-2017

RISK MANAGEMENT CHARTER AND RISK MANAGEMENT & INTERNAL CONTROL FRAMEWORK 0.9

Executive Board

Print run: 1

15-6-2017



Table of Contents

1 TiU Risk Management Strategy ........ 6
  Law and legislation ........ 6
  Mission of the Risk management function (GRC Officer) ........ 6
  Purpose of the Risk function ........ 7
2 Definition ........ 9
  Scope of Risk Management ........ 10
3 Risk management responsibilities ........ 11
  Responsibilities of management ........ 11
  Responsibilities of every employee ........ 11
  Responsibilities of Governance, Risk & Compliance Officer (GRC officer) ........ 12
  Responsibilities of Internal Audit ........ 12
4 Authority and capabilities of GRC Officer ........ 13
5 Reporting ........ 14

1 TiU principles – the foundation of the framework ........ 16
2 Risk Management – 3 lines of defense model ........ 17
3 The framework within TiU ........ 18
4 The key components of the framework and the key activities of the Risk Management Framework ........ 19
  The Risk Management Framework and the five activities ........ 19
  Risk Appetite ........ 20
  Risk Identification: risk mapping ........ 21
  Risk assessment ........ 23
  Risk mitigation ........ 25
    4.5.1 Assessment of the controls ........ 26
  Risk monitoring ........ 26
    4.6.1 Risk strategy ........ 26
    4.6.2 Level 1 or level 2 checks ........ 27
    4.6.3 Action plan management ........ 27
  Risk management reporting ........ 28
5 Incident management ........ 29
  Incident detection ........ 29
    5.1.1 Incident reporting ........ 29
    5.1.2 Communication with experts ........ 30
    5.1.3 Audit & control reports ........ 30
  Capturing and analyzing incidents ........ 30
  Incident reporting ........ 31
6 Risk management advisory ........ 31
7 Internal Control ........ 34
  Definition ........ 34
  Fundamentals of internal control ........ 35
8 Internal Control System ........ 36
  Control environment ........ 36
  Control background ........ 37
    8.2.1 Organizational Chart ........ 37
    8.2.2 Job descriptions ........ 37
    8.2.3 Governance, powers and delegations ........ 38
  Process and risk mapping ........ 38
    8.3.1 Process mapping ........ 38
    8.3.2 Risk mapping ........ 39
  Control activity system ........ 39
    8.4.1 Policies / standards / guidelines ........ 39
    8.4.2 Reporting & Communication ........ 40
    8.4.3 Checks & monitoring ........ 40
Addendum A: risk categories ........ 41


Tilburg University Risk Management Charter and Risk Management & Internal Control Framework

The goal of Tilburg University (TiU) is to actively contribute to society. The university wants to serve society and make it a better place for all citizens. TiU has always actively promoted ways to firmly embed education and research in society. In the strategic plan 2014 five ambitions have been defined in order to achieve these goals:

- Quality comes first
- Innovation according to a focused method
- Connections through networking
- Focused international cooperation
- One single, effective university.

Good risk management & internal control is necessary to meet the ambitions with regard to a high-quality and effective university. TiU wants to be a university that its stakeholders and society can trust. Adequate risk management is part of the license to operate. It builds trust and protects our good name in society.

Effective risk management means being in control and protecting against loss and damage. It improves our way of operating for all stakeholders and is vital for sustainable operations.

Risk management is therefore strongly linked with internal control, and for that reason we have combined the Risk Management Framework and the Internal Control Framework in this document. In it we describe the way we have embedded risk management and internal control in TiU with the goal of effectively managing the risks.

Charter: in the charter we describe the roles and responsibilities for risk management.

Framework: in the framework we outline the methodology, tools and methods that are used for risk management and internal control.


PART 1 Tilburg University Risk Management Charter

The purpose of the Charter is to define the organization, operation and governance of risk management for Tilburg University. The charter applies to all staff.

The charter requires the definition of a good Risk Control Framework and a GRC officer, and describes the roles and responsibilities with regard to risk management for Tilburg University.


1 TiU Risk Management Strategy

Tilburg University (TiU) is an ambitious university and aims to meet the highest international standards. One of its core values is that quality exceeds quantity. This can only be realized if the organization and the internal control are of a very high standard. The pressure on the internal control of universities is increasing due to internal and external developments. Examples are (scientific) fraud cases and increasing complexity and dynamics. There is also pressure on income due to changes in financing. This has resulted in more formalized codes of conduct, e.g. the Code of Governance issued by the Vereniging Samenwerkende Nederlandse Universiteiten (VSNU).

Effective management of risk is a keystone in building trust. It enables TiU to protect its reputation, reduce losses and costs, and minimize the risk of investigations, prosecution and penalties, because we do the right things in the right way.

Law and legislation

The basis for adequate risk management is not clearly defined by law and legislation, but it can be derived from the Code of Governance issued by the Vereniging Samenwerkende Nederlandse Universiteiten (VSNU).

This Code is in line with the Dutch Corporate Governance Code (code Tabaksblat) [1]. Elements in this code that relate to risk management / internal control are:

Code 2.1.4: ‘The executive board will ensure that the activities of the university are appropriately arranged administratively, legally, organizationally and financially, are transparent and can be accounted for.’

Code 2.1.5: ‘The executive board will submit the internal risk management and monitoring systems to the Board of Governors [2].’

Code 4.1.3: ‘The executive board is responsible for establishing and maintaining internal procedures (administrative organization and internal control) which ensure that all relevant financial information is known to the executive board, so that the timeliness, completeness and accuracy of the internal and external financial reports are safeguarded. The board of trustees will supervise the establishment and maintenance of these internal procedures.’

TiU has implemented a Governance, Risk & Compliance function at the request of the Board of Governors.

Mission of the Risk management function (GRC Officer)

The objectives of the Risk management function are to:

- Raise awareness of the need for risk management;
- Minimize loss, disruption, damage and injury and reduce the costs of risks;
- Identify and assess all the risks together with the business owners.

The goal is, together with the organization, to embed risk management in the daily operations in order to maximize trust and minimize the related risks.

[2] At TiU this refers to the Stichtingsbestuur.


Purpose of the Risk function

The Risk management (Risk Control Framework) is built in line with the COSO ERM model [3]. COSO identifies the relations between the risks and the internal control system. Within the context of the mission and vision and the strategic objectives it implements a process of management, control, reporting and review.

Internal control is a process that provides reasonable assurance regarding the realization of the goals with regard to:

- Realization of strategic objectives (strategic)
- Effectiveness and efficiency of processes (operations)
- Reliability of (financial) information (reporting)
- Compliance with applicable law and legislation.

An effective (risk) control system contains 8 elements that are related to the management process:

- Internal environment: this relates to the culture of the internal organization and contains the risk management philosophy, risk appetite and the integrity and ethical values of the organization.
- Objective setting: objectives must have been defined in order to define the risks of not realizing them.
- Event identification: internal and external events that influence the realization of the objectives must be identified. This includes risks and opportunities.
- Risk assessment: risks need to be assessed in terms of likelihood and impact.
- Risk response: per risk the most appropriate reaction must be selected (avoid, accept, mitigate or transfer) in order to align the risk with the risk appetite.
- Control activities: in order to mitigate the risk, controls (policies, procedures, checks) must be identified and implemented.
- Information and communication: relevant information must be identified and communicated.
- Monitoring: monitor the effectiveness of risk management and implement changes for improvement.

Within this framework the purpose of the Governance, Risk & Compliance Officer is to:

Internal environment: deepen the culture of risk management by partnering with the business to strengthen a culture of trust, accountability, transparency and integrity.

Objective setting: support the TiU strategy by clearly defining roles and responsibilities with regard to risk management and proactively advise TiU with regard to all risks, using a risk based approach to align business outcomes with the risk appetite.

Event identification: understand and advocate the processes and activities in order to identify risks and the related events by working together with the business.

Risk assessment: assess the risks in cooperation with the organization.

Control activities: define and assess the effectiveness of risk controls in cooperation with the business, in line with the defined risk strategy.

Information and communication: develop and enhance tools to detect, communicate, report and manage the risks in order to limit surprises.

Monitoring: implement a monitoring and reporting system with regard to the effectiveness of risk management.

[3] COSO ERM: the COSO ERM model is the most commonly used framework for the implementation and assessment of risk management; it was defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).


2 Definition

In this chapter you will find the definitions of terms used in this document.

Risk: an event that has a negative or positive impact on the organizational goals.

Operational risk: the risk of loss resulting from the inadequacy or failure of any internal process, or from external events, whether deliberate, accidental or natural.
- The risk of loss represents the possible occurrence of an event liable to lead to a loss or unforeseen cost. The loss is deemed to be ‘the effect’.
- The term ‘resulting from’ introduces the concept of cause.
- Inadequacy or failure of any internal process: in the TiU definition this includes persons and systems.
- The external events referred to in this definition cover those of human or natural origin. External events do not refer to the so-called financial market risks that relate to counterparty risk, interest risk etc.
The definition introduces 2 fundamental principles:
- It is centered on internal processes.
- It is based upon a cause-event-effect analysis.

Strategic risk: strategic risks are those risks that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives.

Legal risk: legal risk arises from the potential that unenforceable contracts, lawsuits, or adverse judgments can disrupt or otherwise negatively affect the operations or conditions of TiU.

Regulatory risk: regulatory risk is the risk of legal or regulatory sanctions, material financial loss or loss of reputation that TiU might suffer as a result of its failure to comply with laws, regulations, rules and branch standards (VSNU) and codes of conduct applicable to all of its activities.

Reputational risk: the risk resulting from adverse perception, whether true or not, of the image of Tilburg University.

Safety risk: the risk of injury or death to staff members or students.

Operational risk management: the mechanisms, tools, policies, procedures and processes, including management oversight, to identify, assess, monitor, report and control operational risk.

Internal control: internal control is the mechanism by which TiU is organized to:
- Ensure the overall control of risks;
- Give reasonable assurance that the strategic targets are realized.
The internal control framework aims to ensure:
- The development of a high-level risk culture;
- The effectiveness and quality of LSN internal operating mode;
- The reliability of internal and external information;
- The security of operations;
- Compliance with law, legislation and internal policies.

Incident: incidents are real events resulting from inadequate or failed internal processes, or from external event(s), which have led or could lead to a loss, gain or shortfall in income, to a loss of trust (reputation), to sanctions or penalties issued by a regulator, or to a serious injury of a staff member or student.

Scope of Risk Management

The scope of risk management covers all processes and activities of Tilburg University and applies to all staff members of Tilburg University.


3 Risk management responsibilities

Risk management is the responsibility of all staff members of Tilburg University.

Responsibilities of management

Management is accountable for all the processes they perform, and in that role they are also responsible for the control of the risks.

They must set a good example with regard to considering the expectations of the stakeholders, knowing and applying the rules, and defining and encouraging a culture in which people are trusted and accountable for their activities.

The Executive Board is ultimately responsible for risk management for all of the activities of Tilburg University. The Executive Board will report incidents and report on the risk management & control systems to the Audit Committee and the Board of Governors (supervisor).

The management of divisions and faculties (directors, deans) is responsible for risk management for all the activities in their department / faculty.

At all levels management must create an environment of individual and collective accountability in which the importance of adequate risk management is well understood. Management achieves this in part by providing sufficient resources (training, budget, staffing) to its risk management function. It is important that staff members understand the risks and why they need to execute controls in order to mitigate these risks.

Furthermore, management plays an important role in risk management as they need to inform the GRC officer of operational incidents that occur in their faculty or division. They need to:

- Collect all the information with regard to the incident and report it to the GRC officer (within 3 working days).
- Assist the GRC officer in the analysis of the incidents and take part in the follow-up process by implementing corrective and preventive measures.

The Executive Board has appointed a Governance, Risk and Compliance Officer to embed risk management in the organization.

Responsibilities of every employee

Every employee of TiU is responsible for risk management with regard to their activities. They must understand how to execute their activities and why they are performing the steps in the process (risk awareness).


Responsibilities of Governance, Risk & Compliance Officer (GRC officer)

The GRC officer is responsible for the following:

- Manage day-to-day activities with regard to risk management.
- Define and implement the Risk Control Framework. Drive the ongoing evolution of the Risk Control Framework.
- Facilitate, advise and support the faculties and departments in defining the Risk Control Framework for their activities, including training and communication support.
- Oversee risk management activities in all faculties and divisions. Advise and support the faculties and divisions in this respect.
- Advise and support the organization in changes and processes with respect to risk management, e.g. by participating in projects.
- Ensure adequate and timely reporting with regard to incidents and risk management.

Responsibilities of Internal Audit

Internal Audit is responsible for the provision of independent, objective assurance on the overall effectiveness of the risk management and internal control process.


4 Authority and capabilities of GRC Officer

The Governance, Risk & Compliance function requires some rules with respect to the authority of the GRC function with regard to:

Independence: to avoid potential conflicts of interest the GRC Officer must be independent of the business activities and report directly to the Chairman of the College van Bestuur of Tilburg University.

Investigate and challenge: when the GRC officer perceives a risk, or when a management decision may give or has given rise to a significant financial or reputational risk for TiU, he/she must investigate and challenge any actions or concerns without influence from the business. If the matter is not promptly resolved, the GRC Officer must follow the escalation process.

Escalation: when the GRC officer escalates a matter, he/she must decide whether to advise the College van Bestuur that the course of an action would result in an unacceptable risk and that the action cannot proceed. Management must postpone the execution of the action until a decision has been taken by the College van Bestuur.

Access: the GRC officer must, at all times, have unfettered and direct access (in accordance with applicable law and legislation) to all activities in their area of responsibility. This includes all documentation, systems (e.g. complaints registers, whistleblower reports and files), employees, the Chairman of the Executive Board, directors, staff members etc. that the GRC officer reasonably believes are necessary to execute their responsibilities effectively. The GRC officer must have the opportunity to attend (relevant) meetings to raise any matters that are reasonable and necessary.

Liaison and partnering: the GRC officer must work closely together with the management of faculties and divisions and with employees to ensure knowledge exchange about Risk & Control.

Capabilities, evaluation and remuneration: the GRC officer must have the necessary qualifications, experience and professional and personal skills to enable him/her to carry out the responsibilities effectively. He/she must have an overall understanding of the activities and governance of Tilburg University. He/she must understand the obligations, legislation and standards that impact the activities. The GRC officer must coach and train new management regarding risk management. The GRC officer must have the opportunity to develop his/her skills. The remuneration of the GRC Officer will be in line with the Collective Labour Agreements.

Recruitment and termination: the President of the Executive Board will decide whether to appoint or terminate the GRC Officer.


5 Reporting

The GRC officer will report at least quarterly to the President of the Executive Board on the effectiveness of the implementation and embedding of risk management in Tilburg University. This report will contain:

- Status update on risk management implementation;
- Key risks;
- Incidents reported;
- Status of action plan implementation.

All incidents that meet the defined threshold will be reported by the GRC officer to the President within 5 working days after detection. Incidents that are reported under the whistleblower regulation or with regard to scientific integrity are excluded from this reporting; the regulations on whistleblowing and scientific integrity define separate reporting, in which an advice is provided. The GRC officer will receive this advice, analyze it and, in cooperation with the accountable departments, define an action plan. The monitoring of the follow-up of this action plan will be included in the standard process. The Executive Board will ensure the reporting to the Board of Governors via the standard process.


PART 2 Tilburg University Risk Management Framework

The Tilburg University (TiU) risk management framework (framework) comprises the principles, processes and tools that the organization uses to manage risk. It is essentially a risk management program.

The framework is a key tool for the organization and all of its employees and supervisors to understand – and apply – our approach to risk management. It also creates transparency for our external stakeholders.

The important topics for risk management are:

1. The business principles of Tilburg University – the foundation for the framework
2. The three lines of defense model to manage risk
3. The framework in Tilburg University
4. The key components and the key activities of the framework.

This framework complements, and should be read together with, the Charter. Modifications to the Framework must be aligned with the scope of the charter.


1 TiU principles – the foundation of the framework

The business principles of Tilburg University express what the University holds dear, what we believe and what we aim for. Individually each principle is equally important, and taken as a whole they define our collective conscience. As such they are the foundation of everything we do.

The principles are defined in our code of conduct (rules of behavior), which can be found on the intranet. Those who work or study at Tilburg University:

- Behave appropriately and are conscientious and trustworthy;
- Show respect for each other;
- Use their expertise in their field of study/activity to contribute to an inspiring working environment;
- Are involved with both individuals and society.


2 Risk Management – the three lines of defense model

Tilburg University has implemented risk management based upon the three lines of defense model. The model helps us to mitigate risks, applies to all faculties and divisions within the University, and is essential for the effective operation of the Risk Control Framework. The three lines are the Executive Board and management, the risk management functions, and the Internal Audit department: the model distinguishes between functions that own and manage risks, functions that monitor and oversee risks, and functions that provide independent assurance.

Defense line 1: Management

The first line of defense develops and implements mitigation activities, including monitoring and reporting, for managing risks in business activities. The directors and management manage risks day-to-day and bear the consequences of those risks.

Defense line 2: Risk management function

The second line of defense assists management in identifying their risks. They help management to identify activities that mitigate the risks (controls) within the risk appetite of the University, monitor the control of the risks and advise on risk-related matters. They work together with other second line functions (e.g. Finance & Control) to provide objective challenge and support, escalating matters when necessary to help optimize the trade-off between risk and reward. The second line serves in an advisory and validation role as the organization designs, implements and embeds policies and guidelines, tracks internal mitigation activities (action plan management) and executes training on risk-related subjects.

Defense line 3: Internal Audit

The third line of defense provides management with independent, objective assurance on the overall effectiveness of the design and operation of internal controls (mitigation activities).

Figure: the three lines of defense under the Executive Board. First line of defense: management. Second line of defense: staff departments (Governance, Risk & Compliance; Finance & Control). Third line of defense: Internal Audit (independent).


3 The framework within TiU

The University operates in a complex environment governed by law and legislation, in which reputation is one of the key assets of the organization. It is therefore important that risk management is embedded in the organization: a good level of control over risks secures the reputation, the continuity and the realization of the goals defined in the Strategic Plan.

The Framework consists of the following components:

• the Risk Management Framework;
• incident management;
• advisory services.

The Risk Management Framework (RMF) reflects the key activities that need to be performed in order to understand and manage the strategic and operational risks. These are activities that the first line of defense must implement.

Advisory services are the specialized support and advice that the first line of defense receives to help manage the compliance risks more effectively.


4 The key components of the framework and the key activities of the Risk Management Framework

The Risk Management Framework and the five activities

Risk management is a vital part of the framework, as it provides an overview of the compliance obligations, the risks arising from law and legislation, and their implementation within Tilburg University. The chart is the outcome of a continuous process and consists of five key activities:

1. Risk Identification

2. Risk Assessment

3. Risk Mitigation (incl. training and education)

4. Risk Monitoring (incl. Action Tracking)

5. Risk Reporting (incl. incident management)

The risk management framework provides an overview of the risks related to activities (processes) and an assessment of their impact and the mitigation measures. In other words: how is the control of risks embedded and ensured? It helps the business to be aware of the risks, and it helps to provide assurance about risk management to stakeholders such as regulators, auditors and employees, as all information is centralized.

The Risk Management Framework must contain the following:

1. A clear description of the risks.
2. A risk assessment of these risks (impact assessment) without and with the current controls in place (gross and net risk assessment).
3. The process(es) to which each risk is linked.
4. The implemented controls that mitigate the risk.
5. The process owner, who is accountable for the process and is also responsible for the risks and the related controls.

The chart must be as practical, brief and concise as possible, and must link to existing and newly identified activities.

Management must:

1. Help the GRC officer develop and update the Risk Management Framework by clearly identifying the principal business activities and the relevant processes affected by the risks.
2. Identify the employees that have managerial accountability for, and are accountable for the execution of, an activity outlined in the Risk Management Framework.
3. Formally approve the Risk Management Framework for their activity / entity.
4. Notify GRC immediately of any changes in activities that have an effect on the Risk Management Framework.

Governance, Risk & Compliance Officer must:

1. Develop and maintain a Risk Management Framework for the University (entities) with the assistance of management.
2. Demonstrate that all the elements of the chart have been discussed and approved by the accountable management.

Figure: the risk management cycle: 1 Risk Identification, 2 Risk Assessment, 3 Risk Mitigation, 4 Risk Monitoring, 5 Risk Reporting.

Risk Appetite

The risk appetite is the amount of risk that Tilburg University is willing to accept in order to achieve its objectives. Organizations can take a prudent (defensive) or a more offensive position towards the risks they are willing to take. It is important that the risk appetite is defined and formalized, although it is difficult to quantify. Questions that help to define the risk appetite are:

• What is our growth or innovation strategy?
• What are our main risks?
• What is the worst case scenario financially?
• How much risk can we bear (risk tolerance)?
  o Which risk buffer is available?
  o How agile is the organization?
• What can absolutely never be in the news?
• How effective is our current internal control system?

In most cases only the financial component of the risk appetite is defined: what is the capital at risk?

Within Tilburg University we are using the following risk appetite scale (based upon Kaplan and Mikes [4]).

Column meanings: Philosophy = overall risk-taking philosophy; Tolerance for uncertainty = willingness to accept uncertain outcomes or period-to-period variation; Choice = when faced with multiple options, willingness to select an option that puts objectives at risk; Trade off = willingness to trade off against achievement of other objectives.

Rating | Philosophy | Tolerance for uncertainty | Choice | Trade off
1 - Averse | Avoidance of risk is a core objective | Extremely low | Will select the lowest risk option, always | Never
2 - Minimalist | Extremely conservative | Low | Will accept only if essential, and limited possibility/extent of failure | With extreme reluctance
3 - Cautious | Preference for safe delivery | Limited | Will accept if limited, and heavily outweighed by benefits | Prefer to avoid
4 - Flexible | Will take strongly justified risks | Expect some | Will choose to put at risk, but manage the impact | Willing under the right conditions
5 - Open | Will take justified risks | Fully anticipated | Will choose the option with the highest return, accept possibility of failure | Willing

[4] Kaplan, Robert S. and Mikes, Anette, Risk Management — The Revealing Hand (March 4, 2016). Harvard Business School Accounting & Management Unit Working Paper No. 16-102. Available at SSRN: https://ssrn.com/abstract=2744133

The risk appetite is defined for the following categories:

• Image
• Students
• Safety
• Technical innovation
• Employee relationship
• Revenue growth
• Profit & Loss
• Environment

Management must:

1. Identify and decide on the risk appetite that Tilburg University is willing to accept.

Governance, Risk & Compliance Officer must:

1. Facilitate the definition of the risk appetite.

Risk Identification: risk mapping

The Risk Management Framework must be kept up to date. It must at all times reflect the strategic and operational risks that apply to the activities of Tilburg University. The risk mapping is defined based upon four goals:

• ensure that all activities are processed correctly, completely and in a timely manner;
• ensure adequate (= effective) and efficient processing, with the goal of realizing the strategic goals;
• ensure that the processes are compliant with law and legislation;
• ensure that the processes / activities do not harm the reputation of Tilburg University.

The risk mapping is prepared by the GRC Officer together with the manager accountable for the process. Workshops are organized to define the risks per process and activity.

Management must:

1. Identify, together with the GRC officer, the risks that arise from the activities in their faculty, division and department.

GRC officer must:

1. Identify the risks with management and update the Risk Management Framework.


For all risks we define the cause, the risk (event) and the effect (see the example at the end of this section). The risks (events) are categorized using a standard categorization. We distinguish the following risk types:

• Strategic risk: risks that result from the strategic or tactical decision process.
• Operational risk: risks that result from failure or omission in internal processes, human error, technological error or unexpected external events.
• Financial risk: risks that result from deviations in the valuation of financial assets due to interest rates, currencies, etc.
• Regulatory risk: the risk of sanctions / penalties due to non-compliance with law and legislation.

These risk categories are broken down further using methodologies that are common practice in the market: for strategic risks the DEPEST categories, and for operational risk the Basel II event categories (used in financial institutions). Addendum A contains the overview.

Completeness of the risk mapping is an important issue. We must ensure (as far as possible) that the risk mapping is exhaustive. To realize this we have implemented the following method:

• cross-reference with historical incidents (see incident management);
• review of management reports.

Responsibility: Governance, Risk & Compliance Officer in cooperation with the accountable managers.

Requirements:
• The risk mapping is updated at least every year.
• All risks are clearly described (cause, risk and effect) and linked to a process and an accountable department.
• The risk mapping is validated and approved by:
  o the business owner for their risks;
  o the Executive Board for the overall risk mapping.

Publication: the master document for the risk mapping is managed by the GRC Officer. It is stored at SharePoint - GRC.

Example of a risk description (cause, risk event, effect):

• Inducer / cause: what causes the risk? There can be multiple causes linked to one risk. E.g. fraud / input error / power outage.
• Risk (event): the description of the risk. E.g. non-availability of a system.
• Effect: what is/are the effects of the risk? This is often a financial, reputational, regulatory or safety impact. One risk can have multiple effects. E.g. additional costs / reputation.


Risk assessment

The risks defined in the risk mapping are assessed by the accountable business owner, assisted by the GRC Officer.

Management must:

1. Participate in and contribute to the risk assessment sessions to define the risks and assess the impact.
2. Work with GRC to identify the high risks (risk assessments).
3. Work with GRC to identify the controls that mitigate the (high) risks.
4. Validate and approve the outcome of the risk assessment.
5. Inform the GRC officer of any changes that impact the risks.

Governance, Risk & Compliance Officer must:

1. Ensure that the risks are integrated in the assessment process.
2. Participate in (facilitate) all risk assessments.
3. Rate and rank, in cooperation with management, the current and anticipated critical and high residual risks and determine the mitigation measures.
4. Ensure that the risk reporting contains the information regarding the risk assessments.
5. Review and update the risk mapping at least annually, in cooperation with management.

The impact assessment is performed based upon a standard methodology that identifies the following impact types:

• Financial impact: risks with an impact in the form of additional costs or loss of income;
• Regulatory impact: risks with sanctions issued by regulators;
• Reputational impact: undermining of the reputation and image of Tilburg University;
• Health and safety impact: risks impacting the health and safety of employees and/or students.

The risk assessment is executed based upon the most likely case, i.e. not on a worst case scenario.

The impact of the risk is defined by:

• Frequency / chance: the probability of the risk occurring (most likely case);
• Severity: the impact of the risk (most likely case).

A risk may have one or more effects and therefore several related impact types. It is important that all impacts are assessed, to have a comprehensive view of the resulting effect in the event the risk occurs.

The risk assessment is done using a standardized grid that combines frequency and severity into an impact rating:


Frequency / chance | Description
0 - Rare | Once in 100 years or less often
1 - Unlikely | Once in 25 years up to once in 100 years
2 - Possible | Once in 5 years up to once in 25 years
3 - Likely | Once in 1 to 5 years
4 - Frequent | Once a year or more often

Severity / impact | Financial (costs or missing income) | Regulatory (sanctions / fines) | Reputation (impact on image) | Health and safety (impact on health of staff or students)
1 - Incidental | < €5.000 | Not to be reported to the regulator | Hardly any effect on reputation: no impact on TiU | Very small impact / injury
2 - Minor | > €5.000 and < €50.000 | To be reported to the regulator: no follow-up | Loss of trust or complaints: short-term impact on TiU | Limited impact / injury: medical treatment necessary
3 - Moderate | > €50.000 and < €100.000 | Reported to the regulator: follow-up by the regulator (corrective action plan) | Medium-term impact and investigation started | Large impact / injury: one or more hospitalized
4 - Major | > €100.000 | Sanctions and fines issued by the regulator | Long-term impact on reputation / effect on core activities | High impact: casualties or long-term handicap

Amounts use Dutch notation (€5.000 is five thousand euro). The table does not state which band an amount exactly on a boundary falls in; whoever applies it should agree on one convention and use it consistently.

Impact assessment grid (likelihood × severity):

Severity \ Frequency | 0 - rare | 1 - unlikely | 2 - possible | 3 - likely | 4 - frequent
1 - incidental | low | low | low | medium | medium
2 - minor | low | low | medium | medium | high
3 - moderate | low | medium | medium | high | high
4 - major | high | high | high | high | high

(The original grid is in Dutch: kans = likelihood, laag = low, gemiddeld = medium, hoog = high.)

For every risk we assess two situations:

• Gross risk / inherent risk: the impact of the risk without mitigating controls (what is the impact when no measures are implemented to mitigate the risk?).
• Net risk / residual risk: the impact of the risk taking into account the measures that control the risk.

Responsibility: Governance, Risk & Compliance Officer in cooperation with the accountable managers.

Requirements:
• The risk assessment is updated at least every year.
• All risks are assessed using the standardized grid.
• The risk assessment is validated and approved by:
  o the business owner for their risks;
  o the Executive Board for the overall risk mapping.

Publication: the master document for the risk assessment is managed by the GRC Officer. It is stored at SharePoint - GRC.
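The following Python is an added example, not part of the Tilburg University charter, showing how the frequency / severity grid and the gross versus net distinction above turn a risk register into ratings. The bands and the low/medium/high grid are the ones on the page; the rule that an amount exactly on a financial boundary falls in the higher band is an assumption (the severity table leaves boundaries undefined), and the register entries are constructed for illustration. It also adds the sanity check a reviewer of a register wants: a net rating can never be worse than the gross rating, so any entry where it is has been filled in wrongly.

```python
"""Score a risk register with the TiU frequency x severity grid.

Added example; not part of the Tilburg University charter. The bands, the
low/medium/high grid and the gross/net distinction are the ones on the page.
Assumption: an amount exactly on a financial boundary (e.g. EUR 5.000) falls
in the higher band, because the severity table leaves boundaries undefined.
"""
from dataclasses import dataclass

FREQUENCY = {"rare": 0, "unlikely": 1, "possible": 2, "likely": 3, "frequent": 4}
RANK = {"low": 0, "medium": 1, "high": 2}

# Rows: severity 1-4 (incidental..major); columns: frequency 0-4 (rare..frequent).
GRID = {
    1: ["low", "low", "low", "medium", "medium"],
    2: ["low", "low", "medium", "medium", "high"],
    3: ["low", "medium", "medium", "high", "high"],
    4: ["high", "high", "high", "high", "high"],
}


def financial_severity(eur: float) -> int:
    """Map an expected loss in euro to the financial severity band (1-4)."""
    if eur < 5_000:
        return 1
    if eur < 50_000:
        return 2
    if eur < 100_000:
        return 3
    return 4


@dataclass
class Assessment:
    """One assessment (gross or net) of a risk in the most likely case."""
    frequency: str            # key of FREQUENCY
    financial_eur: float = 0  # expected cost or missing income
    regulatory: int = 1       # 1-4 from the regulatory column
    reputation: int = 1       # 1-4 from the reputation column
    health_safety: int = 1    # 1-4 from the health and safety column

    def severity(self) -> int:
        # All impact types are assessed; the overall band is the worst of them.
        return max(financial_severity(self.financial_eur),
                   self.regulatory, self.reputation, self.health_safety)

    def rating(self) -> str:
        return GRID[self.severity()][FREQUENCY[self.frequency]]


@dataclass
class Risk:
    """Register entry: cause, event, effect, owning process and both assessments."""
    process: str
    cause: str
    event: str
    effect: str
    owner: str
    gross: Assessment   # without mitigating controls
    net: Assessment     # with the current controls in place

    def needs_formalised_controls(self) -> bool:
        # Section 4.5: gross risks rated high must have controls defined and formalised.
        return self.gross.rating() == "high"

    def needs_action_plan(self, strategy: str) -> bool:
        # Section 4.6.1: an action plan for every risk strategy except 'accept'.
        return strategy != "accept"


def consistency_warnings(risks):
    """Events whose net rating is worse than their gross rating: the listed
    controls would be making the risk worse, which means a data-entry error."""
    return [r.event for r in risks
            if RANK[r.net.rating()] > RANK[r.gross.rating()]]


def score_register(risks):
    """(event, gross rating, net rating, controls must be formalised) per entry."""
    return [(r.event, r.gross.rating(), r.net.rating(), r.needs_formalised_controls())
            for r in risks]


# Constructed sample entries, not taken from the document.
SAMPLE = [
    Risk("Student administration", "power outage", "non-availability of system",
         "additional costs / reputation", "Director LIS",
         gross=Assessment("likely", financial_eur=60_000, reputation=2),
         net=Assessment("possible", financial_eur=8_000, reputation=2)),
    Risk("Laboratory teaching", "improper handling of chemicals", "injury in a lab",
         "hospitalisation", "Faculty director",
         gross=Assessment("unlikely", health_safety=3),
         net=Assessment("rare", health_safety=3)),
    Risk("Research grants", "missed reporting obligation",
         "non-compliance with grant conditions", "sanction by funder",
         "Director Finance & Control",
         gross=Assessment("possible", financial_eur=30_000, regulatory=4),
         net=Assessment("rare", financial_eur=4_000, regulatory=2)),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE):
        print("%-40s gross=%-6s net=%-6s formalise controls=%s" % row)
    print("inconsistent entries:", consistency_warnings(SAMPLE))
```

The first sample entry is rated high gross (moderate financial severity at "likely" frequency) and medium net, so its controls must be formalised; the lab entry never exceeds medium and the grant entry is high gross only because of its regulatory column, which is exactly why every impact type has to be scored rather than the financial one alone.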

Risk mitigation

Risk mitigation is the process of developing and implementing controls that mitigate the risk. In general, the Internal Control Framework defines the set of measures that is implemented to control the organization in order to realize its strategy. We refer to Part 3 for the internal control framework, as it is closely linked to the Risk Management Framework and more specifically to risk mitigation. The Internal Control standard provides more insight into the building blocks of internal control, which also play a very important role in risk management.

For risk management, controls in the categories listed below are implemented to mitigate the risk. For the risks identified as gross risk with impact high (hoog) according to the grid in chapter 4.3, the mitigating controls will be defined and formalized.

Responsibility: Governance, Risk & Compliance Officer in cooperation with the accountable managers.

Requirements:
• For all gross risks with impact high (hoog) the mitigating controls are identified and described.
• Risk mitigations are validated and approved by:
  o the business owner for their risks.

Control categories:

• Documentation & procedures: formalized documentation such as processes and working instructions, policies and standards, contracts / service level agreements.
• Access and security: physical security (e.g. access control, measures against water or fire damage); business continuity (BCP: disaster recovery, backups, crisis team, evacuation, etc.); security of information (login procedures, passwords, system authorizations); risk / finance (insurances).
• Organization: meetings, monitoring processes (e.g. budget and forecast), training and awareness activities.
• Checks: dedicated checks or monitoring (level 1 or level 2).


Publication: the master document for risk mitigation is managed by the GRC Officer. It is stored at SharePoint - GRC.

4.5.1 Assessment of the controls

For all controls listed in the RCS the effectiveness must be assessed. A control can have one of the following assessments:

• Adequate: the control is described and implemented.
• Inadequate: the control is not described / formalized.
• Non-existent: the control does not exist.

For every control this assessment must be formalized. In case of inadequate or non-existent controls a follow-up action must be defined. Note that this assessment covers the design and existence of a control; whether it actually operates as intended is verified through the level 1 and level 2 checks (section 4.6.2).

Responsibility: Governance, Risk & Compliance Officer in cooperation with the accountable managers.

Requirements:
• The RCF assessment must be validated in case of significant changes, or at least every year.
• In case of an inadequate or non-existent assessment, a follow-up action plan (monitored by the GRC officer) must be formalized.

Publication: the master document for risk mitigation is managed by the GRC Officer. It is stored at SharePoint - GRC.

Risk monitoring

4.6.1 Risk strategy

Based upon the risk appetite, the strategy for the residual (net) risk must be defined. In general, controls require investment (they cost money), so the response should be balanced against the risk. Therefore, per risk we define the risk strategy:

• Avoid: avoid the risk by stopping the activity.
• Accept: accept the residual risk as it is and take no additional mitigation measures (controls).
• Mitigate: take additional measures to mitigate the risk further, i.e. implement more controls.
• Transfer: transfer the risk to another party, e.g. an insurance company.
• Increase: in certain cases the accepted risk can be higher than it currently is, i.e. eliminate controls.

An action plan must be implemented for all strategies except 'accept'.


4.6.2 Level 1 or level 2 checks

The monitoring of risks makes it possible for the business to verify whether the risk mitigation activities are working adequately and to identify new or changed risks. This is done via so-called checks. We distinguish two levels of checks:

• Level 1 checks: checks performed by the accountable department itself (first line of defense).
• Level 2 checks: independent checks performed by another department, e.g. GRC or Finance & Control.

All checks are formalized in a check plan. The check plan must be documented and updated on an annual basis (more frequently when required) and should describe:

• the risk(s);
• the goal of the check;
• the check methodology and sample size;
• the selection criteria;
• who is responsible;
• the check items (what do we check and how);
• the assessment criteria (when OK and when not);
• reporting (how and to whom).

Management must:

1. Establish first line of defense tracking and report deficiencies to the GRC officer.
2. Provide the GRC Officer with the check plan that outlines the first line tracking activities and the person accountable for their execution.
3. Work with the GRC officer to ensure appropriate evaluation of the first line checks.
4. Address issues that arise from the first line and second line checks within the time agreed with the GRC Officer (action plan follow-up).
5. Ensure adequate resources (quantity and quality) to execute the checks.

Governance, Risk & Compliance Officer must:

1. Work with the business to document the necessary check plans and validate them after preparation.
2. Establish second line of defense monitoring activities via level 2 checks: formalize these checks in a check plan, execute them, report the findings, and define recommendations where needed to mitigate risk.
3. Report on a quarterly basis on the check results to the President of the Executive Board.

4.6.3 Action plan management

Action plan management is a process to ensure visibility of risk-related findings and issues (including those from the checks performed). Risk-related findings include:

• actions related to strategy, based upon the risk assessment process;
• actions identified by management in its day-to-day operations and from the first line of defense checks;
• actions resulting from recommendations made by the second line of defense monitoring and other framework activities;
• actions resulting from incidents, as part of the risk management process (formalized in the risk management charter and framework);
• actions resulting from recommendations made by internal / external audit (third line of defense);
• actions resulting from recommendations / findings from supervision by authorities.

Management must:

1. Ensure risk-related actions are recorded in the action plan database managed by the GRC officer.
2. Resolve identified issues in a sustainable manner within the agreed deadline.
3. Provide the GRC officer with a status update on open actions until the issue is resolved.
4. Incorporate lessons learned in the activities (in cooperation with the GRC officer).

Governance, Risk & Compliance Officer must:

1. Monitor all risk-related findings and issues until they are resolved (by processing and managing the action plan database).
2. Create and execute a process for tracking and managing the actions and their adequate execution.
3. Incorporate lessons learned in the activities together with management (translated into actions that are monitored).
4. Report the unaddressed (open) and overdue actions to the President of the Executive Board via the Risk Management Dashboard (quarterly).

All actions are logged for monitoring in the action plan database of the GRC department and must include:

• the finding or risk;
• the recommendation (if applicable);
• the action to be taken (mitigation measure);
• who is accountable for the action;
• the deadline.

Risk management reporting

Risk management reporting allows management and GRC to assess whether risks exceed the risk appetite. Reporting also allows for communication and discussion of potential risks. Management and GRC are responsible for gathering information, and then analyzing and communicating the result so that informed, timely decisions can be made. Reports are issued at least on a quarterly basis.


5 Incident management

An incident is a real event resulting from inadequate or failed internal processes, or from external event(s), which has led or could lead to a loss, gain or shortfall in income, a loss of trust (reputation), sanctions / penalties issued by a regulator, or a serious injury of a staff member, student or visitor.

This definition applies to the internal processes of all activities (core and supporting processes; in other words, all processes, activities and departments).

Incident detection

Incidents can be detected in several ways:

• reported by the accountable management (as described in chapter 5.1.1);
• in communication with experts:
  o Director Finance & Control
  o Director HRM
  o Director LIS
  o Director Facilities
• through reports from internal audits / internal controls.

5.1.1 Incident reporting

The directors of the faculties / divisions should report incidents to the GRC Officer within 3 working days after detection when the impact of the incident is expected to be:

Report to | Financial impact | Reputational impact | Regulatory impact | Health and safety impact
GRC Officer | Larger than €10.000 | and/or at least a short-term impact on reputation | and/or regulatory impact (sanction / fines by the regulator) | and/or at least an incident in which one or more employees or students are injured and admitted to hospital

Any one of these criteria on its own triggers the reporting duty. The report should be sent via e-mail and should at least contain:

• a description of the incident (what happened, why could it happen, what is the effect).


If not all the information is available, as much as possible is provided; additional information can be added at a later stage.

Management must:

1. Ensure that any suspected incident that meets the thresholds above is reported to the GRC Officer within 3 working days after detection.

5.1.2 Communication with experts

Incidents are often related to staff, IT or premises, or have a financial impact. Therefore the directors responsible for the divisions HRM, LIS, Facilities, Finance & Control and Legal Affairs are often aware of incidents. The GRC officer has regular meetings with these directors to discuss risks and incidents, or is added to the mailing list in which these incidents are reported.

5.1.3 Audit & control reports

The GRC officer receives the internal control reports and the internal and external audit reports in order to review whether they contain (potential) incidents.

Internal Audit must:

1. Provide the GRC officer with the Internal Audit reports.

Finance & Control Manager must:

1. Provide the GRC officer with the external audit reports as well as the internal control reports.

Governance, Risk & Compliance Officer must:

1. Review the internal control and (internal and external) audit reports to identify (potential) incidents and risks.

Capturing and analyzing incidents

The GRC officer collects all the information regarding the incidents and starts analyzing the incident in cooperation with the responsible business owner.

For all incidents the following is captured:

• identification date;
• reported by;
• occurrence date;
• summary of the incident;
• detailed description;
• cause of the incident (e.g. fraud / input error / power outage);
• the incident itself (e.g. non-availability of a system);
• effect of the incident (e.g. additional costs / reputation);
• related risk;
• impact;
• status of the incident: under investigation, finalized, etc.;
• actions defined.

Incident reporting

Ad hoc reporting

Incidents that meet the following thresholds must be reported to the President of the Executive Board, the Executive Board or the Board of Governors within 5 working days after reporting to the GRC Officer:

Report to | Financial impact | Reputational impact | Regulatory impact | Health and safety impact
President of the Executive Board | Larger than €10.000 | and/or at least a short-term impact on reputation | and/or regulatory impact (sanction / fines by the regulator) | and/or at least an incident in which one or more employees or students are injured and admitted to hospital
Executive Board | Larger than €20.000 | and/or at least a short-term impact on reputation | and/or regulatory impact (sanction / fines by the regulator) | and/or at least an incident in which one or more employees or students are injured and admitted to hospital
Board of Governors | Larger than €50.000 | and/or at least a short-term impact on reputation | and/or regulatory impact (sanction / fines by the regulator) | and/or casualties or long-term handicap

Note that only the financial threshold, and at Board of Governors level the health and safety threshold, differ between the three levels; the reputational and regulatory criteria are identical, so any incident with reputational or regulatory impact qualifies for reporting at all three levels.

Periodical reporting

All incidents will be reported in the quarterly risk management dashboard. (see 4.7)

6 Risk management advisory

The GRC department plays a very important pro-active advisory role: they advise Executive

Board, management, departments, committees and employees. They provide advice on risk,

Page 32: RISK MANAGEMENT CHARTER EN RISK MANAGEMENT & …...Risk Management charter and framework v0.9 dd 15-6-2017 Tilburg University Risk Management Charter and Risk Management & Internal

32

Risk Management charter and framework v0.9 dd 15-6-2017

responsibilities, obligations and concerns on risk management issues while taking into account

the business practices and operational constraints.

In the event that a significant risk is identified and management's planned course of action may put Tilburg University at risk, the GRC Officer must, unless circumstances prevent it, immediately escalate the matter to the President of the Executive Board and the Audit Committee for an opinion.

Together a decision will be made whether to advise management in writing that the course of action would result in an unacceptable compliance risk. If management is advised NOT to proceed but nonetheless wishes to proceed, management must advise the Board of Governors (Stichtingsbestuur) in writing and obtain approval at that level. The advice must include the opinion of the GRC Officer.

Management must:
1. Create and maintain an environment that supports the GRC Officer in their role as advisor
2. Seek advice from the GRC Officer when developing new activities or cooperations and when changing the governance of the organization
3. Work closely with the GRC Officer to find solutions based on business practices and operational constraints

The Governance, Risk & Compliance Officer must:
1. Respond to requests from employees and management for guidance on risks and on the reporting of risks
2. Assess whether particular conduct or activities (including governance, new activities, new cooperations or changes to existing ones) have an effect on the risks of TiU
3. Advise (requested and unrequested) on risk issues
4. Maintain records of significant advice given


PART 3 Tilburg University Internal control standard

The Tilburg University (TiU) Internal Control standard comprises the principles, processes and tools that the organization uses to embed internal control in the organization. It details the roles and responsibilities with regard to internal control, which is very important for the management & control of the organization, including the way Tilburg University manages risks.

Internal control is a management system by which the business is

organized to:

Ensure overall coverage of risk (= risk management)

Give reasonable assurance that the strategic targets are realized.


7 Internal Control

Definition

Internal control is a management system by which the business is organized to:

Ensure overall coverage of risk (= risk management)

Give reasonable assurance that the strategic targets are realized.

This system is employed by all involved in Tilburg University, whatever their level, with practices that ensure:
o Reliability of internal and external information (including financial)
o Compliance with law, regulations and internal standards / policies
o Effectiveness, performance and security of the operations

In this context, implementing an internal control system should contribute to the following objectives:

Protecting and safeguarding assets
The term assets includes:
• Tangible items and property (buildings, hardware, software)
• Intangible items (intellectual property)
Consequently, protecting and safeguarding the assets (and hence their availability) requires:
• Monitoring and analysis of events that might adversely affect their integrity (e.g. accident, intrusion, illicit access, theft)
• A set of measures to prevent the occurrence of incidents or to limit their impact

Consistent application of targets defined by the Executive Board and Faculty / division management
The internal control system should ensure that:
• The targets defined by faculties / departments etc. are in line with TiU's strategy
• The department organization is suited to the achievement of the targets
• The processes employed are optimized
• Appropriate controls are introduced and employed

Efficient use of resources
As processes should meet an optimal performance target, it is necessary to:
• Monitor the prudent use of resources in processes
• Implement ongoing preventive and corrective actions on the factors that cause shortcomings

Protecting the interests of students / the social environment
As part of the public sector it is necessary to protect the interests of students and of the social environment by:
• Verifying that the practices used comply with laws and legislation with regard to public financing, students and research
• Setting up an organization with adequate resources to embed this in the organization
• Setting up permanent preventive and corrective actions on the factors that cause shortcomings

Reliability of internal and external information
The quality of information is evaluated in 3 ways:
• Reliability (accurate, justified, relevant, representative)
• Traceability (responsibility, origin: audit trail, nature, destination)
• Availability (accessibility, security, retained)
Reliability must be guaranteed by implementing a set of measures that ensure the reliability of internal and external information.

Compliance with law and legislation
Internal control must ensure that:
• TiU complies with the laws and regulations it is subject to
• All those involved comply with the standards and rules
For more detail we refer to the Compliance Risk management charter and framework.

Fundamentals of internal control
The fundamentals of internal control are:
• Segregation of function is an important instrument in internal control
• Risk management is the responsibility of all staff members
• The scope concerns all activities, organization units and risks
• Management (business owners) are entirely responsible for implementing the means and for the effectiveness of the internal control system


8 Internal Control System

An effective, consistent internal control system can only be realized when the following guarantees exist:

Close and ongoing involvement of the management of Tilburg University (tone at the top)

Consistency of the organization

Compliance with the instructions given

Optimizing resources (HRM)

Segregation of function

Security

The internal control system is organized around 2 blocks:
• Control background
• Control Activity System

There are 7 building stones of a good internal control. Business owners must ensure the implementation of these prerequisites (building stones) and ensure that they are up to date.

[Figure: building stones of internal control]
Control background: Organisation chart; Job descriptions; Governance, power and delegations
Process & risk mapping: Process descriptions; Risk mapping
Control activity system: Policies; Reports & Communication; Checks & Monitoring
Control environment

Control environment

The control environment is a very important element for internal control as it defines the awareness of the need for controls. It is the cornerstone of all the elements of internal control, including discipline and organization. It is defined by:
• Regulatory environment: if control is 'imposed' by law, the culture for control is generally strong. E.g. the control culture in financial companies is stronger than in e-commerce.
• Organization environment: if management is a strong supporter of control, the implementation of control is much easier than when that is not the case.
• Documentary environment: if the organization is well documented and there is an urge for documentation, then the control system will also be stronger (as it is formalized).
• (Management) culture: if there is a strong culture (integrity / professional ethics), then there is more focus on control.

If the control environment is not strong, this will impact the effectiveness and consistency of the internal control system.

Control background

The control background consists of 3 items:

8.2.1 Organizational Chart

The organization chart defines the hierarchical overview of the departments and functions with

regard to Tilburg University. The organization chart is presented on the intranet and describes

besides the hierarchical structure also the responsibilities and main tasks of the faculties /

divisions.

Responsible: HRM department
Publication: intranet

8.2.2 Job descriptions

For the university sector so-called UFO profiles have been defined. These are general profiles used across the university sector in the Netherlands. Every employee is linked to the job profile that best matches their function. The function profile defines:
• The goal of the function
• The context
• The results
• The tasks, responsibilities and authorizations

For each function the competences are defined (standard matrix) and the functions are weighted based upon a standard methodology.

NB: the UFO profiles are generic. For certain specialist functions they are too generic and do not describe the real tasks, responsibilities and authorizations. For these, internal profiles must be defined.


Responsible: HRM department
Publication: intranet

8.2.3 Governance, powers and delegations

GOVERNANCE

With governance in this context we refer to the meeting organization that is implemented in Tilburg University. For each standard meeting the following is formalized:
• Goal of the meeting
• Participants and their role
• Quorum
• Frequency
• Decision power: what can be decided in the meeting
• Standard agenda

Responsible: GRC Officer
Approval: Executive Board
Publication: intranet

POWERS & DELEGATIONS

The powers and delegations must be described; they are described at a high level in the job descriptions (mandate part). However, this does not contain details such as limits (e.g. up to what amount somebody can approve an invoice). These are formalized in the delegation matrix and the proxy overview.

Responsible: GRC Officer
Approval: Executive Board
Publication: intranet

Process and risk mapping

8.3.1 Process mapping

All the activities of TiU are linked to processes, for which a process model is defined. This is an overview of all the processes within the university. The process model is managed by the GRC Officer.

For every process a high-level process description must be available: what are the major steps / activities within the process, and which of them secure it. A process description is a workflow in which you see who does what, and it can be extended with the when, where (and why). All processes must be formalized in a process description, preferably in the standard tool called MAVIM. Because of the strong link between processes, risks and controls, the process flows must be validated by the GRC Officer.

For some processes it is important that employees have information on how to perform them. These are called working instructions. When a task is complex it is recommended to have a working instruction. Working instructions are not mandatory.


Responsible: Process mapping: GRC Officer; Process flow: Accountable manager; Working instruction: Accountable manager
Validation: Process flow: GRC Officer
Publication: intranet

For all processes a so-called RASCI matrix must be completed. RASCI stands for:
• Responsible: the one who is responsible for the execution of the process / activity and who reports to the accountable. There is typically one responsible, who can be supported by others (supportive).
• Accountable: the one who is ultimately accountable and approves the result. The accountable can make decisions. There must be only one accountable.
• Supportive: those who help the responsible with the realization of the result.
• Consulted: the person who needs to be consulted, provides approval and delivers the input of the process. This role has influence on the realization of the result. It is 2-way communication.
• Informed: those who are kept informed on progress, decisions and results, so that a next step can be made. It is 1-way communication only.

8.3.2 Risk mapping

All risks must be identified, assessed and formalized. For more detail we refer to chapter 4.

Control activity system

The control activity system consists of:

8.4.1 Policies / standards / guidelines

The rules, standards and guidelines of TiU are laid down in policies. The decision process with regard to policies / standards is formalized and managed by the Secretaries to the Board (bestuurssecretarissen). They manage the decision process and secure the necessary consultations, information and decision-making, taking into account the participation body (University Council).

Responsible: Accountable manager
Approval: Executive Board
Publication: intranet


8.4.2 Reporting & Communication

For all activities there must be reports and communication about performance via the key performance indicators (KPIs).

Responsible: Accountable manager
Publication: Department drive

8.4.3 Checks & monitoring

The last part of the internal control system is the checks and monitoring. We distinguish 3 levels of checks / monitoring:

Level 1
• Performed by the department responsible for the activity
• Frequent periodic checks (detective)

Level 2
• Performed by another department (risk based): Finance & Control, GRC, etc.
• Periodic checks (risk based) at a regular interval

Level 3
• Performed by an independent department: Internal Audit
• Less frequent checks (audit plan)

The checks & monitoring are detective (repressive) controls: they are performed after the activity, mainly based upon exception reports (= monitoring) and sample checks (= checks).

The checks and monitoring must be formalized in a document that describes the goal, method and workplan.

Responsible: Accountable manager
Publication: Department drive


Addendum A: risk categories

The risk categories are: Strategic, Operational, Financial, Regulatory, Integrity and Reputation.

Strategic: risk arising from the strategic or tactical decision process
• Political: risks resulting from changes in law and legislation
• Demographic: risks from developments in the size or composition of the population
• Economic: risks from economic factors, e.g. unemployment, inflation
• Social: not taking into account the social environment or not complying with social norms
• Ecology: not taking into account ecological factors and developments
• Technology: not taking into account technological developments (e.g. IT)

Operational: risk arising from inadequacy or failure due to a process, human factor or external event
• Internal fraud: unauthorised activity, theft and fraud
• External fraud: theft, fraud, system security (virus attack, intrusion, ...)
• Employment practices & workplace safety: employee relations, safe environment, discrimination, etc.
• Student, products & business practices: suitability, fiduciary and disclosure, improper market practice, quality flaws
• Damage to physical assets: disasters and other events (e.g. fire, water)
• Business disruption and system failures: system disruptions, other business disruptions
• Execution, delivery and process management: student management, supporting processes, documentation, etc.

Financial: risk of changes in the value of financial assets
• Counterparty risk: credit risk related to failure of a creditor or counterparty
• Market risk: risk resulting from the development of ratings, stock exchange rates
• Interest rate: variation of interest rates
• Foreign exchange risk: variation of currencies

Regulatory: risk of sanctions or fines from regulators

Integrity

Reputation
