Last Updated: July 12, 2013
RISK MANAGEMENT FRAMEWORK

The methodology proposed within this framework is built upon the components of the Australian and New Zealand Public Sector Guideline (AS/NZ Standard), the International Organization for Standardization (ISO) 31000, and the Risk Management Guideline of the BC Public Sector [i]. The University’s risk management process is consistent with the seven elements identified within ISO 31000:2009 and AS/NZS 4360:2004. Two elements, communicate and consult and monitor and review, occur continually throughout the process. The remaining elements are normally undertaken sequentially. Figure 1 illustrates the VIU risk management framework with typical examples under each heading.

Figure 1: Vancouver Island University Risk Management Framework - The ERM Process in the Public Sector (adapted from AS/NZS 4360:2004)

1. COMMUNICATE & CONSULT (determine roles & responsibilities… include stakeholders)
2. ESTABLISH CONTEXT: Integrated Plans, Capital Projects, New Programs, Systems Projects, Financial Plans, Emergency/Disaster (as determined by management)
3. IDENTIFY RISKS: Identification of risk; Categorization of risk
4. ANALYZE RISKS: Probability; Consequence; Ranking Score
5. EVALUATE RISKS: Adequacy of Controls; Ranking Score; Tolerance; Action
6. TREAT RISKS: Typical Treatments: Accept, Control, Share, Mitigate. Sample Mitigation Treatments: Emergency Plan, Contingency Plans, Insurance, Waivers, Contracts
7. MONITOR & REVIEW (capture risk information… follow up on treatments… report)
1. Communication and Consultation

“Communication and consultation with internal and external stakeholders should take place during all stages of the risk management process.” [1] Communication and consultation mean that risk assessment, response and monitoring are proactive and inclusive.
2. Establish the Context

Establishing the context for a risk management assessment confirms the subject of the risk assessment. As identified in Figure 1, examples of “subjects” would include: major integrated plans, significant capital projects, new programs, major system projects or financial plans. Note that emergency and disaster plans are specific treatments (mitigations) within a wider process.
A number of factors can influence the context both internally and externally, including organizational direction, government policy, budget regulations, economic factors or even natural events. Executive, Deans, Executive Directors, Directors, Campus Principals and Managers have the responsibility of deciding when to apply a formal risk assessment process to support their decision making.
3. Risk Identification
3.1 Risk Definition
Risk [2]: The effect of an event or trend, either positive or negative, that will have a significant impact on operations and/or the fulfillment of the University’s objectives.
3.2 Identification
This phase consists of identifying the possible risks. Various methods can be used to identify risk, such as: interviews or focus groups, brainstorming, decision trees, historical information, incident reports, scenario analysis, etc.
[1] CAN/ISO 31000, page 14.

[2] Australian and New Zealand Public Sector Guidelines for Managing Risk (HB 143:1999) defines risk as the "chance of something happening that will have an impact on objectives. It is measured in terms of consequences and likelihood." The Canadian Institute of Chartered Accountants defines risk as "the possibility that one or more individuals or organizations will experience adverse consequences from an event or circumstance." The Canadian Standards Association Risk Management: Guidelines for Decision-Makers (CAN/CSA-Q850-97) defines risk as "the chance of injury or loss as defined as a measure of the probability and severity of an adverse effect to health, property, the environment or other things of value." The International Organization for Standardization (ISO) ISO 31000 defines risk as the "effect of uncertainty on objectives". Note 1: the emphasis is on effect rather than chance; similar to AS/NZS 4360, the definition is neutral in terms of negative and positive consequences.
The ISO recommended method for stating a risk involves considering three elements: event, cause and impact. Since we define risk as the “effect of uncertainty, either positive or negative”, it is helpful to define the risk in the context of preventing the achievement of an organizational objective, milestone or target. Several tools are available on the website to assist in the identification of risks, such as the fire triangle, the bow-tie diagram and the Five Whys.
3.3 Categorization
Generally, risks can be classified into one of the following four broad categories: strategic, operational, reporting, and compliance. For program reviews, risks can be categorized within the criteria identified in the Summative Assessment Procedure.
Strategic risks are those risks which, by their nature, could impact the achievement of high-level objectives within the integrated planning framework or the University’s ability to achieve its purpose or support its mission. These risks could be financial, reputational or legal.

Operational risks, on the other hand, relate to (a) threats from ineffective or inefficient business processes for supporting, servicing, and marketing programs, and (b) threats of loss of assets, including reputation.

Reporting risks relate to the reliability, accuracy, and timeliness of information systems, and to the reliability or completeness of information used for either internal or external decision-making.

Finally, compliance risks address the inadequate communication of laws and regulations, internal behaviour codes and contract requirements, and inadequate information about failure of management or employees to comply with applicable laws, regulations, contracts, and expected behaviours.
4. Analyze Risk
Risk analysis is the process of calculating the probability of the event and the consequence if it occurs. The product of these two becomes the Risk Ranking.
4.1 Probability
Probability is the likelihood that the risk event will occur. Probability rarely implies mathematical certainty; rather, it is a subjective estimate, as demonstrated in Figure 2, or it can be measured in time, as demonstrated in Figure 3.
Figure 2: Matrix for Probability (consistent with BC Government metrics [3])

PROBABILITY = Likelihood of the risk event occurring

Score  Descriptor      How Likely (%)
1      Rare            Less than 5%
2      Unlikely        5 to 25
3      Possible        25 to 55
4      Likely          55 to 90
5      Almost Certain  90 to 99

Figure 3: Probability Alternate

PROBABILITY = Likelihood of the risk event occurring

Score  Descriptor   Measure
1      Long Term    > 36 months
2      Medium Term  18 to 36 months
3      Short Term   12 to 18 months

[3] Risk Management Guide for Public Sector, Feb 21, 2011, page 14.

4.2 Consequence

Consequence is the impact or severity of the effect of the risk on the goal or objective.
Figure 4: Matrix for Consequence (adapted from BC Government metrics [4])

CONSEQUENCE = impact or severity of the effect

Score 1 - Insignificant: Negligible effects. Strategic View: Normal difficulties.
  - Stakeholder faith affected lasting less than 6 months
  - Isolated injury
  - Financial loss of less than $250K

Score 2 - Minor: Normal administrative difficulties. Strategic View: Delay will occur in fulfilling objective.
  - Stakeholder faith affected lasting longer than 6 months
  - Isolated injury
  - Financial loss of less than $1M

Score 3 - Significant: Delay in accomplishing program or project.
  - Stakeholder faith affected lasting longer than 12 months
  - Multiple injury
  - System interruption
  - Dispute that could affect term
  - Financial loss greater than $1M, less than $2M

Score 4 - Major: Program or project redesign required, re-approval and/or re-do required. Strategic View: Integrated Plan timeline affected.
  - Stakeholder faith affected lasting longer than 18 months
  - Isolated loss of life
  - Major system loss at critical time
  - Dispute that could affect term
  - Financial loss greater than $2M, less than $5M

Score 5 - Severe/Catastrophic: Project or program irrevocably finished, objective not met. Strategic View: Mandate or objective not met.
  - Stakeholder faith affected lasting longer than 24 months
  - Multiple loss of life
  - Complete system crash
  - Dispute that could cause loss of full term
  - Inability to recruit students or staff
  - Financial loss greater than $5M

[4] Risk Management Guide for Public Sector, Feb 21, 2011, page 14.

4.3 Risk Ranking

Risk Ranking is the combined effect of the probability and the consequence. Ranking score = (Probability Score) times (Consequence Score). A risk ranking matrix is used to categorize the severity of the risk rating.
Figure 5: Ranking Heat Map Matrix (HEAT MAP: RANKING SCORE)

PROBABILITY
    5 |  5  10  15  20  25
    4 |  4   8  12  16  20
    3 |  3   6   9  12  15
    2 |  2   4   6   8  10
    1 |  1   2   3   4   5
      +--------------------
         1   2   3   4   5   CONSEQUENCE
4.4 Risk Terms
There are many terms associated with ranking risks. It is not necessary to use all the terms, but it is important to have a common understanding of the following terms:

Inherent Risk is the rating of the risk event in the absence of existing controls or mitigation treatments. The value in assessing the inherent risk is to understand the full potential that exists.

Current Risk is the rating of the risk event at the time of reporting. This allows you to track the effect of mitigation treatments that have already been applied.

Residual Risk is the rating of the risk after taking into account the additional mitigation or treatment strategies. It is important to project the potential residual risk, as it will establish a benchmark for monitoring and reporting.

Risk Tolerance is the maximum level of risk that the University is willing to accept for a particular exposure. The tolerance should be defined by Executive or Management, based upon the nature of the risk, existing controls, and the implications of planned mitigations. In assessing the risk and defining how much risk the University is willing to tolerate, the relevant factors for success should be defined. Factors to consider could include: reputation, market, resources, quality, financial viability, compliance, etc.
5. Evaluation

Evaluation involves looking at the ranked risks in relation to existing controls, in the context of the tolerance for a particular risk. The outcome of evaluation is a decision as to how to respond to the risks that have been analyzed. A generic heat map is presented in Figure 6, below. The heat map is used as a tool to evaluate the identified risks; the map sorts the risk events, based upon their respective risk score, into the various response quadrants.

Figure 6: Generic Risk Heat Map

RANKING = PROBABILITY x CONSEQUENCE
Score 0-4: Low
Score 5-10: Medium
Score 12-16: High
Score 20-25: Extreme
6. Treatment or Mitigation
Risks are plotted on the risk map based upon their respective risk score, as determined using the method described previously. The treatment strategy selected will be determined by the risk ranking. An example is presented in Figure 7 below. Due to the diverse nature of the University’s teaching, research and community services, and the fact that not all risks can be transferred to third parties through insurance policies, contracts or waivers, management and monitoring effort may be required on residual risk in some cases.
Risk mitigation treatment strategies tend to fall into one of the following categories: avoidance (eliminate or do not become involved); control (ensure adequate processes are in place); accept (potential opportunity); or transfer (outsource to an external party).
Accept: When the impact and probability of occurrence are low.
Control: When there is a high probability of a risk but its impact would be low: ensure that appropriate controls are in place.
Share: When there is a high impact but low probability: share the risk with others (e.g. insurance).
Mitigate and Control (Reduce): When both the probability and the impact are high, design controls and processes to reduce exposure.
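As an added example (not part of the VIU framework or its templates), the following Python scores a constructed risk register entry with the Probability x Consequence ranking, maps it onto the Figure 6 bands, tracks the inherent, current and residual ratings from 4.4 against a tolerance, and picks the response quadrant listed above. The "high" threshold of 3 used for the quadrant is an assumption; the framework states no numeric cut-off.

```python
# Added example, not part of the VIU framework: Probability x Consequence
# ranking, Figure 6 bands, Section 4.4 inherent/current/residual ratings and
# the Section 6 response quadrant, run over a constructed register entry.
# ASSUMPTION: a score of 3 or more counts as "high" when choosing the response.
HIGH = 3

def rank(probability, consequence):
    """Ranking score = (Probability Score) times (Consequence Score), both 1-5."""
    for label, value in (("probability", probability), ("consequence", consequence)):
        if not 1 <= value <= 5:
            raise ValueError(f"{label} score must be 1-5, got {value}")
    return probability * consequence

def band(score):
    """Figure 6 bands: 0-4 Low, 5-10 Medium, 12-16 High, 20-25 Extreme.
    Products of two 1-5 scores never fall in the gaps (11, 14, 17-19, 21-24)."""
    if score <= 4:
        return "Low"
    if score <= 10:
        return "Medium"
    if score <= 16:
        return "High"
    return "Extreme"

def treatment(probability, consequence):
    """Section 6 quadrants: Accept / Control / Share / Mitigate and Control."""
    high_p, high_c = probability >= HIGH, consequence >= HIGH
    if high_p and high_c:
        return "Mitigate and Control"
    if high_p:
        return "Control"
    if high_c:
        return "Share"
    return "Accept"

def evaluate(inherent, current, residual, tolerance):
    """Rate one register entry at each stage (4.4) and check the projected
    residual ranking against the tolerance set by Executive or Management."""
    result = {name: (rank(*pc), band(rank(*pc)))
              for name, pc in (("inherent", inherent), ("current", current),
                               ("residual", residual))}
    result["treatment"] = treatment(*residual)
    result["within_tolerance"] = result["residual"][0] <= tolerance
    return result

# Constructed register entry: critical system outage during term.
# Inherent (4, 4) = 16 High; current (3, 4) = 12 High with existing controls;
# residual (2, 4) = 8 Medium once a contingency plan is added; tolerance 10.
SAMPLE = evaluate(inherent=(4, 4), current=(3, 4), residual=(2, 4), tolerance=10)
```

The residual rating lands in the Share quadrant (low probability, high impact), which is where the framework points to insurance, waivers or contracts rather than further process controls.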
Figure 7: Applied Risk Map (Sample)

IMPACT: Significant
  Descriptors: Financial loss > $5MM; stakeholder faith impacted and lasts > 18 months; isolated or multiple loss of life; multiple events of fine, fraud or legal action; complete system crash with loss of critical data; inability to recruit or retain staff to operate; labour disruption that impacts graduation.
  Risk Management Actions: Low likelihood: Considerable management required. Medium likelihood: Must manage and monitor risks. High likelihood: Extensive management essential.

IMPACT: Moderate
  Descriptors: Financial loss < $5 MM; stakeholder faith impacted and lasts 6-12 months; significant injury to one or more; isolated incidents of fine, fraud or legal action; system crash during a peak period; difficulties in recruiting and retaining staff; labour disruption that impacts operations of any duration.
  Risk Management Actions: Low likelihood: Risks may be worth accepting with monitoring. Medium likelihood: Management effort worthwhile. High likelihood: Management effort required.

IMPACT: Minor
  Descriptors: Financial loss < $500,000; stakeholder faith impacted and lasts < 6 months; isolated injury; civil or criminal action threatened; system off-line periodically during non-peak periods.
  Risk Management Actions: Low likelihood: Accept risks. Medium likelihood: Accept but monitor risks. High likelihood: Manage and monitor risks.

LIKELIHOOD: Low = > 36 months; Medium = 18 to 36 months; High = 12 to 18 months.
7. Monitoring & Reporting
Monitoring is about managing your risk information. Monitoring is a follow-up activity, ensuring that policies and procedures have been carried out as intended. Sometimes monitoring procedures can be as simple as updating the risk register and the risk map.

The risk register is a management tool which, through review and updating, provides a framework in which problems that may arise and adversely affect the delivery of the anticipated benefits are captured and actions instigated to reduce the probability and the impact of that particular risk. The Risk Register should be visible to faculty/departmental stakeholders so they are able to see the risks that concern them being addressed.

An essential tool is the risk register, which is a means of recording the identified risks, their severity, and the action steps to be taken. The risk register should evolve over time, with potential risks removed and new ones added.
Supporting Documents:
- Risk Register Template

Related Policies and Procedures:
- Summative Assessment Procedure 31.15.003
- Contract related Policy xxxxxx
- Signing Authority Policy 42.09

References:
- Ministry of Advanced Education and Labour Market Development: Risk Management Guide
- Province of British Columbia, Risk Management Branch: Risk Management Guide for the Public Sector, Feb 21, 2011 (http://www.fin.gov.bc.ca/PT/rmb/ref/RMB_ERM_Guideline.pdf)
- Government of Canada: Framework for the Management of Risk, August 27, 2010 (http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=19422&section=text#cha1)
- University of Regina: Enterprise Risk Management Policy 10.105
- Australia/New Zealand Standard (ERM)
- Deloitte: A New Global Standard for Risk Management - Inside ISO 31000:2009 (http://www.deloitte.com/assets/Dcom-Canada/Local%20Assets/Documents/ERS/ca_en_ers_inside_ISO31000_handout_040310.pdf)
[i] Australian and New Zealand Public Sector Guidelines for Managing Risk (HB 143:1999).
    The Canadian Standards Association Risk Management (CAN/CSA-Q850-97).
    International Organization for Standardization (ISO) 31000.
    Risk Management Guideline for the Public Sector (http://www.fin.gov.bc.ca/PT/rmb/ref/RMB_ERM_Guideline.pdf)