
RISK MANAGEMENT FRAMEWORK (Vancouver Island University, employees.viu.ca)

Last Updated: July 12, 2013 1

RISK MANAGEMENT FRAMEWORK

The methodology proposed within this framework is built upon the components of the Australian and New Zealand Public Sector Guideline (AS/NZ Standard), the International Organization for Standardization (ISO) 31000, and the Risk Management Guideline of the BC Public Sector [i]. The University’s risk management process is consistent with the seven elements identified within ISO 31000:2009 and AS/NZS 4360:2004. Two elements, communicate and consult, and monitor and review, occur continually throughout the process. The remaining elements are normally undertaken sequentially. Figure 1 illustrates the VIU risk management framework with typical examples under each heading.

Figure 1: Vancouver Island University Risk Management Framework. The ERM Process in the Public Sector (adapted from AS/NZS 4360:2004)

1. COMMUNICATE & CONSULT (determine roles & responsibilities… include stakeholders)

2. ESTABLISH CONTEXT: Integrated Plans, Capital Projects, New Programs, Systems Projects, Financial Plans, Emergency/Disaster (as determined by management)

3. IDENTIFY RISKS: Identification of risk; Categorization of risk

4. ANALYZE RISKS: Probability; Consequence; Ranking Score

5. EVALUATE RISKS: Adequacy of Controls; Ranking Score; Tolerance; Action

6. TREAT RISKS. Typical Treatments: Accept, Control, Share, Mitigate. Sample Mitigation Treatments: Emergency Plan, Contingency Plans, Insurance, Waivers, Contracts

7. MONITOR & REVIEW (capture risk information… follow up on treatments… report)


1. Communication and Consultation

“Communication and consultation with internal and external stakeholders should take place during all stages of the risk management process.” [1] Communication and consultation means that risk assessment, response and monitoring are proactive and inclusive.

2. Establish the Context

Establishing the context for a risk management assessment confirms the subject of the risk assessment. As identified in Figure 1, examples of “subjects” would include: major integrated plans, significant capital projects, new programs, major system projects or financial plans. Note that emergency and disaster plans are specific treatments (mitigations) within a wider process.

A number of factors can influence the context both internally and externally, including organizational direction, government policy, budget regulations, economic factors or even natural events. Executive, Deans, Executive Directors, Directors, Campus Principals and Managers have the responsibility of deciding when to apply a formal risk assessment process to support their decision making.

3. Risk Identification

3.1 Risk Definition

Risk [2]: The effect of an event or trend, either positive or negative, that will have a significant impact on operations and/or the fulfillment of the University’s objectives.

3.2 Identification

This phase consists of identifying the possible risks. Various methods can be used to identify risk such as: interview or focus groups, brainstorming, decision trees, historical information, incident reports, scenario analysis etc.

[1] CAN/ISO 31000, page 14.

[2] Australian and New Zealand Public Sector Guidelines for Managing Risk (HB 143:1999) defines risk as the "chance of something happening that will have an impact on objectives. It is measured in terms of consequences and likelihood." The Canadian Institute of Chartered Accountants defines risk as "the possibility that one or more individuals or organizations will experience adverse consequences from an event or circumstance." The Canadian Standards Association Risk Management: Guidelines for Decision-Makers (CAN/CSA-Q850-97) defines risk as "the chance of injury or loss as defined as a measure of the probability and severity of an adverse effect to health, property, the environment or other things of value." The International Organization for Standardization (ISO) ISO 31000 defines risk as the "effect of uncertainty on objectives". Note 1: the emphasis is on effect rather than chance; similar to AS/NZS 4360, the definition is neutral in terms of negative and positive consequences.


The ISO recommended method for stating a risk involves considering three elements: event, cause and impact. Since we define risk as the “effect of uncertainty, either positive or negative”, it is helpful to define the risk in the context of preventing the achievement of an organizational objective, milestone or target. There are several tools located on the website to assist in the identification of risks, such as the Fire triangle, the bowtie diagram and the Five Whys.

3.3 Categorization

Generally, risks can be classified into one of the following four broad categories—strategic, operational, reporting, and compliance. For Program reviews, risks can be categorized within the criteria identified in the Summative Assessment Procedure.

Strategic risks are those risks which, by their nature, could impact the achievement of high-level objectives within the integrated planning framework or the University’s ability to achieve its purpose or support its mission. These risks could be financial, reputational or legal.

Operational risks, on the other hand, relate to (a) threats from ineffective or inefficient business processes for supporting, servicing, and marketing programs, and (b) threats of loss of assets, including reputation.

Reporting risks relate to the reliability, accuracy, and timeliness of information systems, and to the reliability or completeness of information used for either internal or external decision-making.

Finally, compliance risks address the inadequate communication of laws and regulations, internal behavior codes and contract requirements, and inadequate information about failure of management or employees to comply with applicable laws, regulations, contracts, and expected behaviours.

4. Analyze Risk

Risk analysis is the process of calculating the probability of the event and the consequence if it occurs. The product of these two becomes the Risk Ranking.

4.1 Probability

Probability is the likelihood that the risk event will occur. Probability rarely implies mathematical certainty; rather, it is a subjective estimate as demonstrated in Figure 2, or it could be measured in time as demonstrated in Figure 3.


Figure 2: Matrix for Probability (consistent with BC Government metrics [3])

PROBABILITY = Likelihood of the risk event occurring

Score  Descriptor      How Likely (%)
1      Rare            Less than 5%
2      Unlikely        5 to 25
3      Possible        25 to 55
4      Likely          55 to 90
5      Almost Certain  90 to 99

Figure 3: Probability Alternate

PROBABILITY = Likelihood of the risk event occurring

Score  Descriptor   Measure
1      Long Term    > 36 months
2      Medium Term  18 to 36 months
3      Short Term   12 to 18 months

4.2 Consequence

Consequence is the impact or severity of the effect of the risk on the goal or objective.

[3] Risk Management Guide for Public Sector, Feb 21, 2011, page 14.


Figure 4: Matrix for Consequence (adapted from BC Government metrics [4])

Consequence = impact or severity of the effect

Score 1, Insignificant: Negligible effects.
  Strategic View: Normal difficulties.
  - Stakeholder faith affected lasting less than 6 months
  - Isolated injury
  - Financial loss of less than $250K

Score 2, Minor: Normal administrative difficulties.
  Strategic View: Delay will occur in fulfilling objective.
  - Stakeholder faith affected lasting longer than 6 months
  - Isolated injury
  - Financial loss of less than $1M

Score 3, Significant: Delay in accomplishing program or project.
  - Stakeholder faith affected lasting longer than 12 months
  - Multiple injury
  - System interruption
  - Dispute that could affect term
  - Financial loss greater than $1M, less than $2M

Score 4, Major: Program or project redesign required; re-approval and/or re-do required.
  Strategic View: Integrated Plan timeline affected.
  - Stakeholder faith affected lasting longer than 18 months
  - Isolated loss of life
  - Major system loss at critical time
  - Dispute that could affect term
  - Financial loss greater than $2M, less than $5M

Score 5, Severe/Catastrophic: Project or program irrevocably finished, objective not met.
  Strategic View: Mandate or objective not met.
  - Stakeholder faith affected lasting longer than 24 months
  - Multiple loss of life
  - Complete system crash
  - Dispute that could cause loss of full term
  - Inability to recruit students or staff
  - Financial loss greater than $5M

4.3 Risk Ranking

Risk Ranking is the combined effect of the probability and the consequence. Ranking score = (Probability Score) times (Consequence Score). A risk ranking matrix is used to categorize the severity of the risk rating.

[4] Risk Management Guide for Public Sector, Feb 21, 2011, page 14.


Figure 5: Ranking Heat Map Matrix (HEAT MAP: RANKING SCORE)

                      CONSEQUENCE
PROBABILITY      1     2     3     4     5
     5           5    10    15    20    25
     4           4     8    12    16    20
     3           3     6     9    12    15
     2           2     4     6     8    10
     1           1     2     3     4     5

4.4 Risk Terms

There are many terms associated with ranking risks. It is not necessary to use all the terms, but it is important to have a common understanding of the following terms:

Inherent Risk is the rating of the risk event in the absence of existing controls or mitigation treatments. The value in assessing the inherent risk is to understand the full potential that exists.

Current Risk is the rating of the risk event at the time of reporting. This allows you to track the effect of mitigation treatments that have already been applied.

Residual Risk is the rating of the risk after taking into account the additional mitigation or treatment strategies. It is important to project the potential residual risk, as it will establish a benchmark for monitoring and reporting.

Risk Tolerance is the maximum level of risk that the University is willing to accept for a particular exposure. The tolerance should be defined by Executive or Management, based upon the nature of the risk, existing controls, and implications of planned mitigations. In assessing the risk and defining how much risk the University is willing to tolerate, relevant factors for success should be defined. Factors to consider could include: reputation, market, resources, quality, financial viability, compliance etc.

5. Evaluation

Evaluation involves looking at the ranked risks in relationship to existing controls, in the context of the tolerance for a particular risk. The outcome from evaluation is a decision as to how to respond to the risks that have been analyzed. A generic heat map is presented in Figure 6, below. The heat map is used as a tool to evaluate the identified risks; the map sorts the risk events, based upon their respective risk scores, into the various response quadrants.

RANKING = PROBABILITY x CONSEQUENCE

Score   Rating
0-4     Low
5-10    Medium
12-16   High
20-25   Extreme


Figure 6 Generic Risk Heat Map

6. Treatment or Mitigation

Risks are plotted on the risk map based upon their respective risk score, as determined using the method described previously. The treatment strategy selected will be determined by the risk ranking. An example is presented in Figure 7 below. Due to the diverse nature of the University’s teaching, research and community services, and the fact that not all risks can be transferred to third parties through insurance policies, contracts or waivers, management and monitoring effort may be required on residual risk in some cases.

Risk mitigation treatment strategies tend to fall into one of the following categories - avoidance (eliminate or not become involved); control (ensure adequate processes are in place); accept (potential opportunity) or transfer (outsource to external party).

Accept: When the impact and probability of occurrence are low.

Control: When there is a high probability of a risk but its impact would be low: ensure that appropriate controls are in place.

Share: When there is a high impact but low probability: share the risk with others (e.g. insurance).

Mitigate and Control (Reduce): When both the probability and the impact are high, design controls and processes to reduce exposure.
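The ranking arithmetic of section 4.3, the Low/Medium/High/Extreme bands of the ranking table, and the treatment quadrants above, written out as an added Python example (not code from the VIU document). The cut-off that treats a 1 to 5 score of 3 or more as "high" probability or impact when choosing a quadrant is an assumption made here; the document gives no numeric boundary between its quadrants.

```python
HIGH = 3  # assumed cut-off: a 1..5 score of 3 or more counts as "high" when choosing a quadrant
# Figure 2 probability scale: (exclusive upper bound of the "How Likely (%)" range, descriptor)
PROBABILITY_SCALE = [(5, "Rare"), (25, "Unlikely"), (55, "Possible"), (90, "Likely"), (101, "Almost Certain")]
# Ranking bands from the RANKING = PROBABILITY x CONSEQUENCE table: (inclusive upper bound, band)
RANKING_BANDS = [(4, "Low"), (10, "Medium"), (16, "High"), (25, "Extreme")]

def probability_score(likelihood_pct: float) -> int:
    """Map a percentage likelihood estimate onto the 1..5 Figure 2 scale."""
    for score, (upper, _descriptor) in enumerate(PROBABILITY_SCALE, start=1):
        if likelihood_pct < upper:
            return score
    raise ValueError("likelihood must be between 0 and 100 percent")

def ranking_score(probability: int, consequence: int) -> int:
    """Ranking score = (Probability Score) times (Consequence Score), each on a 1..5 scale."""
    if not (1 <= probability <= 5 and 1 <= consequence <= 5):
        raise ValueError("probability and consequence scores must be integers from 1 to 5")
    return probability * consequence

def ranking_band(score: int) -> str:
    """Classify a ranking score as Low, Medium, High or Extreme."""
    for upper, band in RANKING_BANDS:
        if score <= upper:
            return band
    raise ValueError("ranking score cannot exceed 25")

def treatment(probability: int, consequence: int) -> str:
    """Pick the section 6 treatment quadrant from the two component scores (HIGH is assumed)."""
    high_p, high_c = probability >= HIGH, consequence >= HIGH
    if high_p and high_c:
        return "Mitigate and Control"
    if high_p:
        return "Control"
    if high_c:
        return "Share"
    return "Accept"

def heat_map() -> list[list[int]]:
    """Figure 5 grid: rows run from probability 5 down to 1, columns from consequence 1 to 5."""
    return [[p * c for c in range(1, 6)] for p in range(5, 0, -1)]

def assess(register: list[tuple[str, int, int]]) -> list[dict]:
    """Rank a register of (name, probability, consequence) entries, highest score first."""
    rows = []
    for name, probability, consequence in register:
        score = ranking_score(probability, consequence)
        rows.append({"name": name, "score": score, "band": ranking_band(score),
                     "treatment": treatment(probability, consequence)})
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed sample register (illustrative entries, not taken from the document)
SAMPLE_REGISTER = [
    ("Student records system outage during registration week", 3, 4),
    ("Capital project cost overrun", 4, 2),
    ("Isolated lab injury", 2, 1),
]
```

Scores such as 11 or 17 to 19 can never arise from two 1 to 5 factors, which is why the document's bands skip them; `ranking_band` still places any integer up to 25 into a band rather than failing.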


Figure 7: Applied Risk Map (Sample). Rows are IMPACT, columns are LIKELIHOOD; each cell gives the Risk Management Actions.

LIKELIHOOD:   Low (> 36 months)                          | Medium (18 to 36 months)        | High (12 to 18 months)
Significant:  Considerable management required           | Must manage and monitor risks   | Extensive management essential
Moderate:     Risks may be worth accepting with monitoring | Management effort worthwhile  | Management effort required
Minor:        Accept risks                               | Accept but monitor risks        | Manage and monitor risks

IMPACT descriptors:

Significant: Financial loss > $5MM; stakeholder faith impacted and lasts > 18 months; isolated or multiple loss of life; multiple events of fine, fraud or legal action; complete system crash with loss of critical data; inability to recruit or retain staff to operate; labour disruption that impacts graduation.

Moderate: Financial loss < $5MM; stakeholder faith impacted and lasts 6-12 months; significant injury to one or more; isolated incidents of fine, fraud, or legal action; system crash during a peak period; difficulties in recruiting and retaining staff; labour disruption that impacts operations of any duration.

Minor: Financial loss < $500,000; stakeholder faith impacted and lasts < 6 months; isolated injury; civil or criminal action threatened; system off-line periodically during non-peak periods.

7. Monitoring & Reporting

Monitoring is about managing your risk information. Monitoring is a follow-up activity, ensuring that policies and procedures have been carried out as intended. Sometimes monitoring procedures can be as simple as updating the risk register and the risk map.

The risk register is a management tool which, through review and updating, provides a framework in which problems that may arise and adversely affect the delivery of the anticipated benefits are captured, and actions are instigated to reduce the probability and the impact of that particular risk. The Risk Register should be visible to faculty/departmental stakeholders so they are able to see the risks that concern them being addressed.

An essential tool is the risk register, which is a means of recording the identified risks, their severity, and the action steps to be taken. The risk register should evolve over time, with potential risks removed and new ones added.


Supporting Documents:
- Risk Register Template

Related Policies and Procedures:
- Summative Assessment Procedure 31.15.003
- Contract related Policy xxxxxx
- Signing Authority Policy 42.09

References:
- Ministry of Advanced Education and Labour Market Development: Risk Management Guide
- Province of British Columbia, Risk Management Branch: Risk Management Guide for the Public Sector, Feb 21, 2011 (http://www.fin.gov.bc.ca/PT/rmb/ref/RMB_ERM_Guideline.pdf)
- Government of Canada: Framework for the Management of Risk, August 27, 2010 (http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=19422&section=text#cha1)
- University of Regina: Enterprise Risk Management Policy 10.105
- Australia/New Zealand Standard (ERM)
- Deloitte: A New Global Standard for Risk Management: Inside ISO 31000:2009 (http://www.deloitte.com/assets/Dcom-Canada/Local%20Assets/Documents/ERS/ca_en_ers_inside_ISO31000_handout_040310.pdf)

End of document

[i] Australian and New Zealand Public Sector Guidelines for Managing Risk (HB 143:1999); The Canadian Standards Association Risk Management (CAN/CSA-Q850-97); International Organization for Standardization (ISO) 31000; Risk Management Guideline for the Public Sector (http://www.fin.gov.bc.ca/PT/rmb/ref/RMB_ERM_Guideline.pdf)