TRANSCRIPT
Risk Management
Steve Chadwick & Rhiannon Birch, 2015
Introductions
Steve Chadwick: Profile
• 35 years in Education
• 28 years in Universities (Hong Kong & UK)
• 24 in strategic planning
• University of Northumbria (‘New’ University)
• Newcastle University (Russell Group)
• Durham University (Russell Group)
• Exeter University (Russell Group)
• Director of Strategic Planning & Change
University of Exeter
Exeter University: Profile
• 7th in the Times Good University Guide 2015
• 9th in the Independent’s Complete University Guide 2015
• In top 10 universities in the UK in National Student Survey
• 3,000 staff, 19,000 students (including over 4,000 international students)
Exeter’s Growth
[Chart: University of Exeter League Table Positions. Rank (0 to 50) by publication year, 2004 to 2014, in The Times, Sunday Times, Guardian and Complete University Guide.]
Rhiannon Birch: Profile
• 11 years in university sector in the UK
• Originally from an information/data management background
• Worked at department and central level at the University of Sheffield
• Strategic and academic planning, risk management, HE policy advice, project management
• Since 2013, Deputy Director of Strategy, Planning and Governance, University of Sheffield
• Part-time PhD student looking at higher education
University of Sheffield
University of Sheffield: Profile
• Large, comprehensive civic university, established in 1905 by the people of the UK’s 4th largest city
• 26,300 students; 7,200 staff
• Arts and Humanities, Engineering, Medicine, Dentistry and Health, Science and Social Sciences
• Ranked 80th in the 2015 QS World University rankings
• Focus on research-led teaching
– In the top 10 per cent of all UK universities, in the 2014 Research Excellence Framework (REF)
– 1st for Student Experience in the Times Higher Education Student Experience Awards, 2014-15
Risk Management OBJECTIVES
• Understand the Principles of Risk Management
– Be familiar with the principles & elements of risk management.
– Describe how risk management affects institutional performance.
• Develop a Risk Management Framework
– Develop a risk management framework.
• Identify and Assess Risks
– Utilize a sample of risk assessment tools.
– Conduct risk analysis.
• Maintain, Update and Monitor Risk
– Monitor the management of significant risks to reduce their unwelcome results.
– Report annually on the effectiveness of the process and procedures of risk management.
RISK MANAGEMENT
• Session 1: What is Risk? – Basic overview of concepts
• Session 2: Risk Management Framework – How an enterprise risk management system works
• Session 3: Identifying Risks – Basic tools for identifying and categorising risks
• Session 4: Assessing Risks – Impact vs Likelihood
• Session 5: Mitigation, Monitoring and Control – How do we manage our risks? Gross vs Net and reporting tools
• Session 6: Next Steps
APPROACH
• Practitioner’s perspective
• Case-studies
• Interactive
• Participative
• Pair, group and whole class discussion
Risk Management
Session 1: What is Risk?
Session 1: Overview
• What is risk?
• What is risk management?
• Why do we need it?
• Understanding the basics
– Definitions
– A typical Risk Management Framework
– Who’s involved?
Questions You Want Answered from Today’s Session?
TASK
What is Risk?
• RISK: the possibility that an action, event, or set of circumstances will adversely or beneficially affect the University’s ability to achieve our objectives. (UoB)
• RISK: uncertainty of outcome, whether positive opportunity or negative threat. (PRINCE2)
• RISK is about the future and comes from uncertainty.
What is Risk?
• Anything that may affect the achievement of objectives
• Uncertainty that surrounds future events or outcomes
• The expression of the likelihood and impact of an event with the potential to influence the achievement of an organization’s objectives
What are some risks at your institution?
TASK
What is Risk Management?
• RISK MANAGEMENT: the planned and systematic approach to identification, evaluation and control of risk. (UoB)
• RISK MANAGEMENT: to manage the probability of specific risks occurring and the potential impact if they did occur, taking action to keep exposure to an acceptable level in a cost-effective way. (PRINCE2)
What is Risk Management?
• A scientific approach to dealing with risks by anticipating possible losses and designing and implementing procedures to minimize the loss or impact of the losses that do occur
• A logical, systematic method of identifying, analyzing, managing and monitoring the risks involved in any activity or process.
• The culture, processes and structures that are directed towards realizing potential opportunities and managing adverse effects
What is Enterprise Risk Management?
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
So why do we need it?
The only alternative to risk management is crisis management - and crisis management is much more expensive, time consuming and embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003
Without good risk management practices, (an institution) cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs.
Sheila Fraser, Auditor General of Canada
You only find out who is swimming naked when the tide goes out. WARREN BUFFETT, Chairman’s Letter to shareholders of Berkshire Hathaway Inc, 2001
Why do we need Risk Management?
• Increases risk awareness – What could affect the achievement of objectives? What could change? What could go wrong? What could go right?
• Increases understanding of sensitivities. What makes my risks increase/decrease/disappear?
• Promotes an open and transparent risk culture – It’s safe to talk about risk.
• Develops a common and consistent approach to risk - not intuition-based.
Why do we need Risk Management?
• Allows intelligent “informed” risk-taking
• Focuses efforts – helps prioritize. Top 10 list. Or top 3. Or…
• Proactive not reactive – prepare before things happen.
• Helps achieve objectives (corporate, college, unit etc.)
• Enables accountability, transparency and responsibility
• Can reduce the impact and provide assurance if things do go wrong – we were responsible, not blind
• It’s good management …
Why do we need Risk Management?
Risk Management is now an integral part of business planning in private and public-sector organizations throughout the world.
“Risk assessment and management should be an integral component of planning strategies with appropriate mechanisms developed for risk assessment and minimization”
NCAAA Standard 2, Paragraph 2.29
Why do we need Risk Management?…and it’s not just necessary at the institutional level. Risk needs to be embedded throughout the University since we have many risks specific to the nature of our endeavours.
For example:
• Students undertaking projects off-campus
• Who are not yet legally adults
• Who, if they are women, could be pregnant
• And who could carry out practical work in labs or with machinery.
Understanding the basics
• A few definitions
• A typical Risk Management process
• Who’s involved?
Understanding the Basics: Definitions
Risk Source
• A risk source has the intrinsic potential to give rise to risk. It is the place from which a risk originates – where it comes from.
– There are many potential sources of risk. All of these elements could potentially generate a risk that must be managed.
Sources of Risk
• Government policy and regulation – funding regime
• Competitor activity – growth into your markets
• Economic conditions and market activity – global economic downturn
• Technological change – MOOCs, social media
• Environmental change – global warming
• Behaviour – student preferences, slowness to adapt, staff attitudes, management shortcomings
• Natural or man-made disasters or accidents – tsunami, fire
• Mistakes – data errors, IT system crash
• Illegal or non-compliant activity – fraud
Understanding the Basics: Definitions
Risk Levels
• The level of risk is its magnitude. It is estimated by considering and combining impact and likelihood.
– A level of risk can be assigned to a single risk or a combination of risks. It can be determined either qualitatively (e.g. Low-Medium-High) or numerically on an agreed scale.
– Impact can itself be on multiple levels …
Risk Levels
• Systemic Risk – affects whole sector (e.g. funding regime change)
• Strategic Risk – affects the strategic objectives of the organisation (e.g. student recruitment or research activity)
• Operational Risk – inherent in doing business (data quality)
• Programme or Project Risk – bounded and should be managed within the project
• Local Risk – bounded, local impact only (staff sickness)
Understanding the Basics: Definitions
Risk Management Framework
• A set of components that support and sustain risk management throughout the University.
• We can group them into two parts:
– Foundations: e.g. risk management policy, objectives, appetite and tolerance.
– Organizational arrangements: e.g. plans, relationships, accountabilities, resources, processes, templates, registers and activities used to manage the University’s risks.
Understanding the Basics: Definitions
Risk Management Policy
• A document which expresses the University’s commitment to risk management and clarifies its general direction or intention.
– Typically it includes a description of the risk management framework, roles and responsibilities, annual cycle, definitions etc.
Understanding the Basics: Definitions
Risk Appetite/Attitude
• A description of the University’s general approach to risk and how much risk it will accept.
– Risk appetite influences how risks are assessed and managed – whether they are taken, tolerated, retained, shared, reduced, or avoided, and whether or not risk treatments are implemented or postponed.
Understanding the Basics: Definitions
Risk Owner
• The person who has responsibility for ensuring a risk is managed.
– In some cases the risk owner and risk manager are one and the same, but not necessarily. With major corporate risks they are often different people.
Understanding the Basics: Definitions
Risk Manager
• The person who has responsibility for managing a risk on a day-to-day basis.
– The risk manager operates the controls which mitigate risk.
Understanding the Basics: Definitions
Risk Assessment
• A process made up of three other processes: risk identification, risk analysis, and risk evaluation.
– Identification: a process used to find, recognize, and describe risks.
– Analysis: a process used to understand the nature, sources, causes and level of risks. It is also used to study impacts and to examine existing controls.
– Evaluation: a process used to compare risk analysis results with risk appetite in order to determine whether or not a specified level of risk is acceptable or tolerable.
Understanding the Basics: Definitions
Impact
• The outcome of an event which has an effect on the University or its objectives.
– A single event can generate a range of impacts which can have both positive and negative effects on objectives. Initial impact can also escalate through knock-on effects.
Understanding the Basics: Definitions
Likelihood
• The chance that something might happen.
– Can be defined, determined, or measured objectively or subjectively, and can be expressed either qualitatively or quantitatively (using mathematics). In universities, subjective assessment is usually sufficient.
Understanding the Basics: Definitions
Treatment
• A risk modification process.
– It involves selecting and implementing one or more treatment options, such as:
– Avoid
– Transfer
– Control
– Accept
Understanding the Basics: Definitions
Controls
• Controls are any measure or action that modifies risk.
– Once a treatment has been implemented, it becomes a control. Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk.
Understanding the Basics: Definitions
Gross and Net Risk
• Gross risk is the risk inherent in any event or action before any mitigating actions.
• Net risk is the risk left over after you’ve applied controls.
– What’s left after you’ve avoided, transferred, controlled or accepted the risk.
Risk Management process
1. Establish the context – objectives for risk management and any assessment criteria
2. Identify risks
3. Analyse and evaluate risks – likelihood and impact = “size” of the risk, and do we need to manage it?
4. Risk treatment – acceptance, controls
5. Monitor and review
6. Record the risk management process
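The scoring and evaluation steps of this process (level of risk = likelihood x impact, gross versus net risk, comparison of the net level with the risk appetite, and a prioritised “top N” list), worked through as an added Python example that is not part of the original slides. The 1 to 5 scales, the appetite threshold of 8, the Low/Medium/High bands and every risk, owner, manager and control in the register are constructed assumptions for illustration:

```python
# Added example, not from the original slides: a minimal risk register that
# applies the process above. Scores on an assumed 1-5 likelihood and 1-5
# impact scale (level = likelihood x impact), keeps gross (inherent) and net
# (residual) levels, evaluates net risk against an assumed appetite threshold
# and ranks the register. All risks, controls and scores are constructed.
from dataclasses import dataclass, field

SCALE = range(1, 6)   # assumed 5-point scale: 1 = rare/negligible .. 5 = almost certain/severe
APPETITE = 8          # assumed: a net level of 8 or below is acceptable without further treatment


def risk_level(likelihood: int, impact: int) -> int:
    """Level of risk = likelihood x impact on the agreed numeric scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must both be on the 1-5 scale")
    return likelihood * impact


def rating(level: int) -> str:
    """Qualitative band for a 1..25 level (thresholds are assumptions)."""
    if level >= 15:
        return "High"
    if level >= 8:
        return "Medium"
    return "Low"


@dataclass
class Control:
    """A treatment; it only modifies the risk once implemented (then it is a control)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    implemented: bool = True


@dataclass
class Risk:
    ref: str
    description: str
    owner: str        # accountable for ensuring the risk is managed
    manager: str      # operates the controls day to day
    likelihood: int   # gross (inherent) likelihood
    impact: int       # gross (inherent) impact
    controls: list = field(default_factory=list)

    def gross(self) -> int:
        """Inherent level before any mitigating action."""
        return risk_level(self.likelihood, self.impact)

    def net(self) -> int:
        """Residual level after implemented controls only; planned treatments do not count."""
        active = [c for c in self.controls if c.implemented]
        lik = self.likelihood - sum(c.likelihood_reduction for c in active)
        imp = self.impact - sum(c.impact_reduction for c in active)
        return risk_level(max(lik, 1), max(imp, 1))


def evaluate(risk: Risk, appetite: int = APPETITE) -> str:
    """Risk evaluation: compare the net level with the appetite threshold."""
    return "acceptable" if risk.net() <= appetite else "treat further"


def top_risks(register: list, n: int = 3) -> list:
    """Prioritise: the 'top N' list, highest net risk first."""
    return sorted(register, key=lambda r: r.net(), reverse=True)[:n]


# Constructed sample register (descriptions echo the slides' own examples).
REGISTER = [
    Risk("R1", "Fall in international student recruitment", "Deputy VC", "Director of Recruitment", 4, 5,
         [Control("Diversify recruitment markets", likelihood_reduction=1)]),
    Risk("R2", "Student records system outage", "COO", "Head of IT", 3, 4,
         [Control("Tested disaster recovery plan", impact_reduction=2)]),
    Risk("R3", "Research grant income shortfall", "PVC Research", "Head of Research Office", 3, 3,
         [Control("New bid support unit", likelihood_reduction=1, implemented=False)]),
    Risk("R4", "Staff sickness in a small team", "Dean", "Department Head", 4, 1),
]


def report(register: list) -> list:
    """One row per risk: ref, gross level, net level, rating of net, evaluation."""
    return [(r.ref, r.gross(), r.net(), rating(r.net()), evaluate(r)) for r in register]


if __name__ == "__main__":
    for row in report(REGISTER):
        print("%s gross=%2d net=%2d %-6s %s" % row)
    print("Top 3:", [r.ref for r in top_risks(REGISTER)])
```

Two points the register makes visible that the slides only state: R3’s planned treatment leaves its net level equal to its gross level because it is not yet implemented, so it still sits above appetite; and R2, with the highest-looking operational profile, drops to an acceptable net level once its implemented control is counted, which is why prioritisation is done on net rather than gross risk.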
Risk Management Framework
• Identify
– Context Setting
– Stakeholders
– Risk Policy
– Sources of Risk
– Internal/External
– Risk Appetite
• Assess
– Likelihood
– Impact
– Gross (Inherent)
– Net (Residual)
– Target
• Mitigate
– Risk Treatment: Avoid, Transfer, Control / Contain / Reduce, Accept
• Monitor and Report
– Risk Register
– Regular Reviews
– Key Risk Indicators
– Incident Management
– Audit
– Board
Who is involved in Risk Management in Universities?
Board
Senior Management / Executive
Planning Office
Finance Office
Middle Managers
Programme and Project Managers
Everyone
But with different responsibilities depending on the risk level
Risk owners and risk managers
• Risk owners
– Usually members of executive
– Regular review of risk, receiving information from risk managers
– Place risk in context of risk policy, audit advice
– Proactively manage changes to risk likelihood, impact, appetite for their risks
• Risk managers
– Usually senior/middle management
– Closer to operational activity – see changes in risk in daily work
– Identify mitigating activities – ensure they occur
– Advise risk owners
Elements of Risk Management Framework
[Diagram: Elements of Risk Management Framework. Rows are labelled Board, Executive, Senior Managers, Middle Managers and Planning Office; the left band is the Centre, the right band is Operations, Projects & Functions.
Centre: Top-Down Strategic Risk Assessment (annual), producing a high-level SWOT/STEP & Strategic Risk Register and Board understanding of risk appetite; Integration of Strategic & Operation-wide Reviews; Current & Future Risk Profile (monthly / quarterly); Integrated Board / Executive Reporting (monthly / quarterly) on key overall risks & adequacy of mitigation; Key Risk & Mitigation Reporting (level of risk, mitigation effectiveness, assessment of impact on overall risk profile); Action Planning (coordinated mitigation plan & action tracking); Risk embedded in Strategic Planning; a ‘Watch List’ of risky business initiatives; Feedback & Actions.
Operations, Projects & Functions: Bottom-Up Operation-wide Risk Assessment made up of Operations Risk Review (operations risk reporting with mitigating actions, quarterly), Programme & Project Risk Review (programme & project risk reporting with mitigating actions, monthly) and Functional Support Risk Review (functional risk reporting with mitigating actions, quarterly), brought together in a Collation of Operational Risk Reviews (collated operational risk reporting with mitigating actions, monthly / quarterly).]
What makes for effective Risk Management?
• Commitment from Senior Staff
• Integral to management practices
• Embedded in strategic and operational planning
• Open communication
• Appropriate ERM system
• Clear responsibility & accountability
• Normal part of program & project management
Note: These are all characteristics of a mature organization.
Have you been listening?
1. What is the difference between Gross and Net Risk?
2. What is meant by Risk Appetite?
3. Name three critical success factors for effective Risk Management.
4. How do you calculate the level of risk?
5. What is the difference between a risk owner and a risk manager?