Risk Management Process

Risk Management Implementation Guideline

This guide is primarily aimed at those involved in planning, launching and implementing a risk management (RM) process. It should be stated at the outset that there is no one correct process.

This guide draws on the best practices of private and public entities and higher education institutions, and is not prescriptive.

The purpose of this guide is to highlight the key issues that the college needs to consider in planning and developing its RM processes.

Whatever stage the college has reached in implementing RM processes, this guide helps it take stock of what has been achieved so far and plan ahead effectively.

  1. Risk and Risk Management

    What is Risk?

    Risks and objectives are directly connected. Objectives are generally set when opportunities to achieve them are present. To seize those opportunities, a series of events must occur, and events carry uncertainty.

    The first step in looking at risk management (RM) is to define what risk is. Many definitions are available. However, this guide focuses on the uncertainty of an event occurrence and its effect on the college's ability to achieve its objectives.

    What is an event? An event is an incident or an occurrence from internal or external sources that affects the college's ability to achieve its objectives. Events can have adverse or beneficial impact or consequence.

    Events with adverse impact erode existing value. Management, on the other hand, channels events with beneficial impact back into strategy to seize the opportunity. Events with beneficial impact offset the adverse impact of other events.

    Therefore, risk is the uncertainty that emanates from the college's inability to precisely determine the severity and the time of impact of events that may adversely or beneficially affect its ability to achieve its objectives.

    It is rare for a risk to arise from a single event. Multiple events must occur to bring about one risk, and the severity of impact and the time of occurrence of these events vary.

    Risks, like objectives, can exist at a number of different levels of the college's organizational structure:

    • Strategic
    • People
    • Department
    • Personal
       

    What is Risk Appetite?

    Risk appetite is the amount of risk the college is willing to take or accept in pursuit of achieving its objectives. Risk appetite is directly related to the college's strategy, and is considered in strategy setting, as different strategies expose the college to different risks.

    High-risk strategies imply a higher risk appetite than moderate- or low-risk strategies. Management establishes the college's risk appetite, which should be cascaded down to all business and operating units.

    What is Risk Tolerance?

    Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective. Usually it is around ±5 percent of the objective's desired outcome.

    What is Risk Management?

    RM is a process that:

    • Allows additional risks to be taken, and existing risks to be grown, more securely because the risks:
      • Have been identified.
      • Are being managed.
      • Have an identifiable exposure.
      • Have an acceptable exposure.
    • Provides a balanced risk portfolio.
    • Is effected by people at all levels of the college's organizational structure.
    • Is applied in a strategy setting.

       

    RM is a process that also provides assurance that:

    • Objectives are more likely to be achieved.
    • Damaging things will not happen or are less likely to happen.
    • Mitigating actions will be or are more likely to be identified.
    • Beneficial things will be or are more likely to be achieved.
    • Improvement actions will be or are more likely to be addressed and requested.

       

    RM fosters consistent and systematic management behavior. It can be used to complement the college's strategic planning; resource allocation; business activities and projects at the unit or function level.

    RM is not a process for avoiding risk. When used well, it can actively encourage the college to take on activities that have a higher level of risk, because the risks have been identified and are being managed, so the exposure to risk is both identifiable and acceptable.

    RM is not the management of insurable risks. Insurance is an important way of transferring a risk, but most risks will be managed by other means. RM provides upward assurance from business activities and administrative functions, from departments to senior management and ultimately to the governing body. During its design stage, an RM process must be able to provide the governing body and senior management with sufficient evidence and information to support the disclosure of any assurance statements they wish to make.

    What Benefits will RM Deliver?

    The benefits of RM vary depending on how it is planned and implemented. Therefore, the college needs to decide what benefits it would like to derive from its RM approach and plan it accordingly, taking best practices into account.

    Potential benefits of a well-planned RM process include:

    • Align risk appetite and strategy by considering risk when evaluating strategic alternatives and objectives.
    • Support strategic and business planning.
    • Support effective use of resources.
    • Promote continual improvement.
    • Reduce operational surprises.
    • Allow quicker grasp of new opportunities.
    • Enhance communication and accountability.
    • Provide greater awareness of activities and initiatives.
    • Enhance management response.
    • Provide integrated response to multiple risks.
    • Build a balanced risk portfolio across the college.
    • Improve deployment of capital.

       

    RM enables management to deal effectively with uncertainties and the associated risks and opportunities, and thereby enhances the college's capacity to build value. It helps people to understand risk in the context of the college's objectives.

    RM cannot prevent people from making bad judgments or decisions, nor can it prevent the events that can cause the college to fail to achieve its objectives. It does, however, enhance the likelihood of management making better decisions.

    What is Control or Mitigation Action?

    Control or mitigating action is an action taken to reduce the likelihood of a risk occurring, or to limit its adverse consequences. Control mitigates the impact and the likelihood of a risk.

    Control comes with a cost, both direct (supervisory staff, information systems, etc.) and indirect (missing an opportunity, less entrepreneurship, etc.). The speed of onset of a risk is a key factor when assessing the quality, efficiency, and effectiveness of a control or mitigation action.

    What is Risk Exposure?

    Risk exposure (a.k.a. residual risk) is the net risk after all controls to mitigate the risk have been taken into account. The college's risk exposure reflects the quality, efficiency and effectiveness of existing controls and mitigation actions.

  2. Developing a Process

    Content:

    Identifying risk – Techniques
    Identifying risk – Categories
    Prioritization
    Assessing the risk – Impact and Likelihood
    Assessing the risk – Techniques
    Assessing the risk – Exposure
    Improvement action

    Preparing an Implementation Plan

    The implementation of a risk management (RM) process may face a range of problems that challenge such a process (figure-1).



    Figure-1:  Potential Problems and Their Causes

    Potential Problem:  Misunderstandings and confusion 

    • Risk language is not common
    • Roles and responsibilities are not clear
       

    Potential Problem:  Unfocused process

    • Scope is too wide
    • Too many risks identified
    • Poor prioritization
       

    Potential Problem:  Uncertain outputs

    • End-point and usage are not clear
    • Implementation of the suggested improvements is not clear
    • No link to budget allocation or business planning
       

    Potential Problem:  Insufficient resources to implement

    • Unexpected problems during the start-up phase
    • Staff is unwilling to commit their time
    • Process is perceived to evaluate performance
       

    Potential Problem:  Creates more paper and generates extra work

    • Other processes (such as strategic planning and budgeting) do not consider RM at the planning stages
       

    Potential Problem:  Lack of senior management support

    • Risk philosophy was not developed
    • Risk philosophy was not approved by the governing body
       

    Potential Problem:  Poor commitment from staff

    • Process objectives are not clear
    • Process benefits are not identified
       

    Potential Problem:  Process not sustained

    • Ongoing roles and responsibilities are not clearly defined
    • Not linked to existing ongoing processes
       


    Good planning can help reduce the likelihood of these problems occurring. Answers to the following planning-stage questions will help the college determine the philosophy underpinning its approach to RM.

    There are no right answers. Responses will vary with the college's circumstances and requirements.

    1. How broad should the process initially be: The top 20-30 significant risks, only risks with high impact and likelihood, or all identified risks?
    2. Considering the breadth of the program, are there sufficient resources to implement and support the process?
    3. How will evidence be generated to support disclosure statements on risks and internal controls?
    4. Who will own, manage, implement, or facilitate the RM process and maintain it?
    5. Should RM operate as a separate managerial process or be integrated into the college's existing process structure?
    6. What to do with all the information captured during the process?
    7. Will the academic staff support the process?
       

    Who should be Involved?

    Staff members are in the best position to know their own risks. Who is involved, and whether the people who identify risks also assess them, will partly be determined by the type and scope of the department or the assessed area.

    It is clearly appropriate for strategic reviews to involve senior managers and senior academic staff members. More specific reviews, such as those focusing on a particular department, function or project, may require a group of participants with more direct knowledge and experience of the area.

    Identifying risk is a good opportunity to involve staff of many disciplines and levels of seniority. There is a balance to be struck between the top-down and bottom-up approaches. For some staff this may be the first time that they have been involved in the College management processes. This, and the fact that RM may be a new concept to even the more experienced managers in the college, will raise some training needs.

    In general, the same groups of staff are involved in both identifying and assessing risk. A decision is needed on how many and which staff will be involved in assessing risk. This stage of the program tends to generate heated debate (particularly over priorities and acceptance of the net risk), and can be the most difficult to handle effectively.

    Identifying Risk – Techniques

    Whatever technique is used to identify risks, they must relate to the college's strategic objectives and to those of the faculty, department, individual, function or project in question. If objectives are not already explicit, they will need to be made so.

    Staff also may not be willing to commit their time and effort if the process is perceived as a performance evaluation project rather than their own. Few staff at any level of seniority or experience will be able to identify risks without some prompting, and some may be apprehensive about doing so.

    It is therefore very important to encourage participants to supply the information required to compile a list of risks. There is no right or wrong way to do this: many methods have been tried, and each has its benefits and drawbacks (figure-2). The choice may be determined by the time and resources available, and more than one method could be used in the same RM process.



    Figure-2:  Methods of Prompting Staff to Identify Risks

    Technique:  Desk-top review of documentation

    Advantages:

    • Limited resources required
    • Quick
    • Good background information

    Disadvantages:

    • May be out of date
    • Unclear about who was involved in the preparation
    • Incomplete

    Tips:  Undertake initial review and then probe during interviews or group sessions

    Technique:  Questionnaire

    Advantages:

    • Wide coverage
    • No facilitation skills required

    Disadvantages: 

    • Patchy response
    • No opportunity to pursue detail

    Tips:  Encourage additional comments to explain answers to questions

    Technique:  One-to-one interviews

    Advantages:

    • Confidentiality
    • Facilitation skills not essential

    Disadvantages:

    • Time-consuming
    • Potential for too much detail
    • No interaction to bounce ideas off one another
    • Can get stuck in single area

    Tips:  Ensure all interviewees have attended a group training session in advance, so that time is not wasted explaining the process individually

    Technique:  Group interview

    Advantages:

    • Broader coverage
    • Stimulation of ideas

    Disadvantages:

    • Some facilitation skills required
    • Scheduling difficulties
    • Limited confidentiality

    Tips:  Maximum of three interviewees

    Technique:  Workshop, focus group or round table discussion

    Advantages:

    • Good coverage

    Disadvantages:

    • Good facilitation skills required
    • Scheduling difficulties
    • Lack of confidentiality

    Tips: 

    • Participants may need to prepare in advance
    • Time for discussion during the session is constrained
       

    The following questions are a useful risk discussion starting point:

    • Are you aware of the college's strategic objectives?
    • Do you have any personal objectives in addition to those of the college?
    • Are there any issues that could prevent you from meeting the college or personal objectives?
    • Over the last two years, what problems have affected your work?
    • What problems or changes can you foresee in the short and medium term that may prevent you from achieving the college or personal objectives?
    • If you or your faculty and staff members have performance criteria, do you meet them, and what stops you from meeting them?
       

    Identifying Risk – Categories

    Organizing the types of risk into broad categories helps ensure that key issues are not overlooked, and helps document the process. In many cases the risk categories will be determined by the objectives.

    There is no one right way to define risk categories. Each department may define a different set of risk categories determined by its objectives. Figure-3 illustrates a sample of risk categories:


    Figure-3: Sample of Risk Categories

    External

    Political 

    • Federal
    • State
    • Regulatory
    • Elections

    Economic

    • Fundraising
    • Inflation
    • Consumer behavior
    • Demographics
    • Resources
    • Employment
    • Competition
    • Terrorism
    • Entrepreneurship

    Technology

    • Interruption
    • E-commerce
    • External data
    • Emerging technology

    Environment

    • Emission and waste
    • Energy
    • Natural disaster
    • Sustainable development
    • Pandemics

    Internal

    Governance   

    • Management and leadership
    • RM
    • Internal controls environment
    • Compliance
    • Information and communication
    • Processes
    • Image perception

    Resources

    • Availability
    • Allocation
    • Monitoring
    • Reliability of disclosures

    Personnel

    • Employee capability
    • Delegation of duties
    • Employee training

    Technology

    • Integrity
    • Security
    • Privacy
       

    Prioritization

    A common problem at this early stage in the process is the identification of too many risks. A monster list of risks is impractical and frightening even if it seems to be comprehensive and thorough. It will inevitably result in the risks being poorly assessed and will lead to a gradual disillusionment with the process. There are unlikely to be more than 20-30 significant risks of interest to the governing body, so it might be best to focus on these first as a strategic risk review.

    Ways to produce a more manageable list of risks include:

    • Looking first at those risks which potentially have a financial impact above a preset financial threshold.
    • Grouping risks together by category.
    • Grouping by links – Risks are often linked, one being a contributing factor to another.
    • Selecting those that are most relevant to the achievement of objectives.
    • Identifying as many significant risks as possible, and then prioritizing them.
       

    Risks can be prioritized democratically or autocratically. In the latter case, the duty often falls on the project owner and one or two senior staff, such as the heads of financial management or internal audit. The democratic approach may use more resources and deliver the same result. However, it can deliver much greater acceptance of the final result and ownership of subsequent action.

    In order to remain independent, the project manager or coordinator may ask all or selected participants in the risk identification process to rank the risks by order of priority or importance. This is not the same as asking them to assess the risks, and the difference should be made clear.

    Exploring the Risk

    The risks that have been identified need to be fully explored before they are assessed. This involves:

    • Providing a clear risk description and a common risk language.
    • Listing contributing factors.
    • Identifying early warning mechanisms.
    • Considering existing controls and mitigating actions.
       

    A team of people can waste a great deal of time assessing a risk that they are all interpreting differently. The better the description, the more chance there is of an accurate assessment.

    Early Warning Indicators and Mechanisms

    The impact or likelihood of a specific risk can change for many reasons, for example:

    • Nature of the risk is changing.
    • Existing controls are inadequate or not functioning.
    • Current controls were enhanced and improved.
    • New controls are introduced.
       

    Early warning indicators and mechanisms are designed to let management know before a risk occurs. In many cases, when considering the risk and its existing controls it is helpful to compile a list of early warning indicators and mechanisms. These may be described or highlighted in monthly reports to management and/or periodic reports to the governing body (figure-4). Key characteristics of such indicators and mechanisms are:

    • Information must reach the person who can make decisions accurately and in time.
    • The frequency of monitoring should be related to how quickly the risk can materialize and its likely impact.
    • Mechanisms must pick up the problem before it happens, or at least before it gets too serious.
       

    Figure-4: Samples of Early Warning Indicators and Mechanisms

    Risk                          Early warning indicators and mechanisms
    Quality of services           Internal customer survey
    Availability of facilities    Space audit
    Budget overspend              Budget variation analysis
    IT network security breach    Attacks on firewall


    Assessing the Risk – Impact and Likelihood

    There are two main attributes for assessing risk:

    • Severity of impact – How significant might the consequences be?
    • Likelihood (time of impact) – How likely is it to happen?
       

    There is no single right approach to assessing these two attributes. To avoid confusion, whatever assessment method is used should be standardized, not necessarily across the whole college, but certainly across the whole of an individual department's RM process. Different risks have different types of impact. Risk assessors will need to consider all types of impact when making their assessment (figure-5).


    Figure-5: Sample Types of Impact

    Type of impact    Minor                                Moderate                            Severe
    Financial loss    Less than $X                         Between $X and $Y                   Greater than $Y
    Bad publicity     Damaging article in student press    Damaging article in local press     Damaging article in national press
    Injuries          Minor reversible                     Major reversible                    Major irreversible


    Most major losses occur from high impact – low probability risks that can be scenario tested. Assessing the likelihood of a risk occurring tends to be more straightforward. For example:

    • All the time
    • Frequently
    • Occasionally
    • Almost certain
    • Possible
    • Unlikely
    • Rarely
    • Never
       

    Assessing the Risk – Techniques

    As with risk identification, risk assessment can be conducted in a number of ways, from a paper-based exercise to a workshop. Factors to consider in deciding on a risk assessment technique are summarized in figure-6.


    Figure-6: Factors Affecting the Techniques for Risk Assessment

    Participation

    How widespread will the participation be? Workshops for more than 20 people are difficult to facilitate, and often it is hard to find a suitable date and time.

    Co-operation

    How co-operative will the participants be? There may already be an indication of how well they have bought into the process from the response to the risk identification stage.

    Confidentiality

    A questionnaire which participants can complete in privacy may reveal more truth about the College. However, not discussing issues in the open may conflict with the objectives of the process.

    Domination

    Workshops can be easily dominated by one or two people, especially senior staff, who not only dominate the discussion but can also influence the scoring or voting of the others.

    Intimidation

    Similar to domination, except it may be more subtle.

    Anonymity

    Can be particularly important for scoring or voting on the impact, likelihood and rating of risks. It is worth considering using anonymous scoring or voting.
     


    Using workshops to assess risk has many advantages, but they can be difficult to run and require good planning. Tips for successful workshops include:

    • Circulate papers to all participants in advance.
    • Encourage participants to make any amendments and corrections to the wording and definitions of risks before the workshop.
    • Choose a venue that accommodates everyone comfortably around a single large table, to encourage discussion and debate.
    • Schedule breaks as necessary.
    • Organize an introductory talk to be given by the most senior or respected participant.
    • Assume that it will take at least 15 minutes to assess each risk – this may require a full day to be set aside.
    • Consider using a facilitator.
    • Consider using anonymous voting if consensus voting may be difficult to handle or cause too many disagreements.
    • Capture the outputs of the discussions on a flip chart or, preferably, by using a PC connected to a projector.
       

    Assessing the Risk – Exposure

    Having assessed the risk, the next step is to establish the level of exposure. The relationship between objectives, risks, controls and exposure is broadly that high returns require demanding objectives, which mean greater risks. The exposure that the college faces then depends on the effectiveness of the controls in place, and this can normally be illustrated by a risk exposure matrix, as shown in figure-6.


    Figure-6: Risk Exposure

    Exposure                   Controls rating
    Risk attributes rating     Tight      Satisfactory    Light
    High                       Medium     High            High
    Medium                     Low        Medium          High
    Low                        Low        Low             Medium


    Risk can be assessed without considering existing controls (inherent or gross risk), or taking existing controls into account (net risk). This guide focuses on assessing the net risk, taking into consideration the effectiveness and efficiency of the existing controls and mitigation actions. For example, inspections by the fire department, installation of fire doors, servicing of fire alarms and extinguishers, and regular fire drills are all mitigating actions that help to reduce the chance of a fire posing a serious threat to life or property. The risk of a fire having a significant impact with these controls in place is the net risk.

    Assessing the risk exposure is not an end in itself. Having established the exposure, the college has to decide whether it needs to act to manage the risk better. Improvement actions are decided based on the level of exposure determined by the residual or net risk. Having assessed the risk, a rough guide to appropriate action would be:

    • High exposure – Immediate action.
    • Medium exposure – Consider action and have a contingency plan.
    • Low exposure – Monitor and keep under periodic review.
       

    It is also important to consider whether the overall level of exposure is acceptable to the College.

    What Is Acceptable Exposure?

    Exposure is unacceptable if the people involved in RM believe that not enough is being done to manage the risk satisfactorily. Assessing whether exposure is acceptable helps determine how much additional work is required to satisfy the college that the risk is being adequately managed. In effect, this is the point where the RM process starts to translate into an action plan for improvement.

    What level of exposure is acceptable will vary between departments. For example, a large department is likely to accept higher risks than a small department.

    Improvement Action

    Where exposure to risk is considered unacceptable, action for improvement needs to be planned, developed and implemented. This action, also known as the management response to an individual risk, could include the following:

    • Transferring all or part of the risk through insurance or a partnership arrangement.
    • Avoiding the risk by withdrawing from an activity.
    • Managing the risk by improving existing controls or obtaining more information.
    • A combination of the above actions.
       

    Often, action for improvement will become obvious during the risk assessment and can be captured at this stage. This makes it easy to monitor progress, as all the participants have agreed what needs to be done to reduce the impact or likelihood of any given risk materializing.

    Where actions are not identified during risk assessment, generally due to lack of time, both deciding upon and then carrying out the necessary actions must be delegated to the most appropriate individual or group. The proposed action should, however, always be reported back to all participants for completeness. Either way, it is essential that the RM process does not stop before the actions for improvement have been developed and executed.

    It might be helpful to think about how to handle the actions for improvement when designing the process. Participants will want to know the details, and particularly if additional resources will be made available. Actions for improvement can be split into:

    • Those to be implemented locally within existing resources.
    • Those requiring additional resources or central co-ordination.

    It is unlikely that all actions falling into the second category can be done at once, so they will need to be prioritized.

    There is no one scale to prioritize actions for improvements. However, the following scale could be used to assess such actions:

    • Important; needing action; cost effective – Provide resources or budget immediately or within the next year.
    • Important; needing action; not cost effective – Consider whether resource provision makes sense at this time.
    • Non-critical; review at later date – Ensure review takes place.
       

    The need for resources to implement actions supports the case for a link between the RM, business planning, and budget allocation processes.

  3. Sustaining the Process

    If the process of risk management (RM) is to be sustained there are a number of key attributes that need to be in place:

    • Appointing a process owner.
    • Ownership of risks.
    • Documentation and reporting.
    • Independent assurance.
    • Training.
    • Communication and guidance.
    • Annual review.
    • Embedding the process.
    • Assessing the process.
       

    Appointing a Process Owner

    Any process needs someone who ensures that it is running smoothly and delivering what it was set up to deliver. Who is appointed as the owner of RM will depend on how the process has been set up.

    The danger of calling someone a risk manager is that other people may perceive him or her to be a manager of risk, which is very different from a manager of the process. The real managers of risk are the governors, senior management and staff of the college. Risk is the responsibility of everyone in the college.

    If the RM process is clearly distinguishable, as opposed to fully embedded, then appointing a process owner can be helpful. The role of the process owner would be to support the process, provide advice and support to management in undertaking RM, manage the compiled information, and produce an annual report for the governing body.

    Ownership of Risks

    A key element of RM is to allocate ownership of risks. This makes it much more likely that the problem will be addressed and rectified. The natural owner may be one individual, a group of individuals or a specific committee. The allocation should always be to a staff member of the college, even when the risk is generated outside the college.

    It is not usually difficult to determine who owns a risk. Acknowledging ownership is not the same as shouldering the entire burden of the risk. The owner should see himself or herself as the person in the best position to oversee the management of the risk. This may or may not involve delegation to others, liaison with other bodies (internal or external), and coordination of the college efforts.

    Documentation and Reporting

    It is worth considering what information to keep and what reports need to be generated. Different people may wish to review the information including:

    • Governing body.
    • Senior management.
    • Staff.
    • Internal and external auditors.

       

    One simple way to present the information, particularly for workshops, is in a table format. The risk scores can later be summarized, for example by plotting them in a chart.

    Once the college's risks have been identified, the early warning indicators and mechanisms will need to be reported to the right group or person. The governing body or a particular committee may request information on certain risks and specify the frequency of reporting (figure-7).


    Figure-7: Example of Risk Reporting

    Health and Safety Committee
    Risk contributing factors    Early warning indicators and mechanisms
    Laboratory accidents         Incidents per month, labeled as minor or major
    Open fire doors              Monthly inspection figures
    Explosive gas storage        Annual fire department inspection


    These indicators and mechanisms are important to alert management that additional action needs to be taken with respect to a certain risk. Early warning indicators and mechanisms often have triggers and are used with exception reporting. For example, if the number of laboratory incidents is above a certain level, the health and safety committee is alerted and can then decide on the appropriate action.

    Independent Assurance

    How can continuity be assured, and how will the governing body know that the RM process is working effectively? This is a function that could usefully be undertaken by the college's Internal Audit (IA), given its specialized knowledge and independence. In doing so, IA could be guided by the college RM philosophy and its knowledge of the college to validate the risk assessments. A report to the governing body would help give the assurance the latter needs for its disclosures. However, this would have resource implications for IA.

    Training

    Training can help embed the culture of RM and support the launch and continuation of the RM process. Risk awareness training is a helpful way of ensuring that management and other staff members understand the concept and benefits of RM. It will bring the level of knowledge up to a certain standard and can be used to embed a common language of risk so terminology does not become confusing. Training is also useful to support the RM process itself. If senior managers are confident and comfortable with the process, and understand how it benefits them, they are more likely to sustain it.

    One approach is to run an initial series of RM training sessions to get the majority of key staff on board. This will help to ensure continuity and improve the quality of output.

    Communication and Guidance

    Supporting information at launch, and ongoing communication about RM, can help bring the initiative to life and encourage continuity. A quarterly RM bulletin highlighting emerging risks and changes in the management of certain types of risk can help to keep the profile of RM high and maintain interest.

    Annual Review

    The need and focus for RM will change from year to year. An annual review is a good opportunity to reflect on the success of RM in the previous year, and to recommend improvements for the forthcoming year. It will help to ensure the process continually improves and delivers the expected benefits.

    The annual review might include:

    • Reflection on the management of significant risks during the previous year.
    • Any controls that failed during the year, and why.
    • Unforeseen risks; why they occurred and why they were not previously identified.
    • Changes to the external and internal environments that will change the risk profile.
    • Risks expected to emerge during the forthcoming year.
    • New controls that should be put in place.
    • Changes or improvements to the process recommended for next year.

    The annual review could be undertaken by the process owner or by internal audit, and its results presented to the governing body and senior management.

    Embedding the Process

    Embedding the RM process within existing processes has many advantages:

    • RM is not seen as a separate process but as part of existing management practice.
    • It reduces administration by using existing reporting procedures.
    • It encourages continuity as existing processes are less likely to fail.
    • Practical aspects of RM are easier to see, thereby encouraging participation.


    Examples of how to embed the process include:

    • Sponsorship by the governing body.
    • Annual risk identification and assessment are undertaken as part of the business planning exercise.
    • Personal objectives and appraisals include a link to the management of certain risks.
    • Emerging risks are discussed and recorded at management meetings.
    • Key risk indicators are reported on in monthly reports with other performance information.
    • Follow-up on improvement actions by heads of department or by internal audit throughout the year.

    The annual review should also enable the governing body to reflect on the status of the process, which should help focus the minds of senior management.

  4. Good Practice Assessment Checklist

    TASK                                                                       REQUIRED ACTION
    Is risk clearly defined?

    ☐ Yes   ☐ No 

    • Define what risk is
    • Define the connection between risk and objectives

    Is risk appetite clearly defined? 

    ☐ Yes   ☐ No 

    • Define what risk appetite is
    • Define how risk appetite is connected to strategy setting

    Is risk tolerance clearly defined?

    ☐ Yes   ☐ No 

    • Define what risk tolerance is
    • Define how risk tolerance is connected to operational settings and to risk appetite

    Is RM clearly defined?

    ☐ Yes   ☐ No 

    • Define what RM is
    • Define what assurance RM provides at the strategic level

    Are the potential benefits a RM process provides identified and known by management and staff?

    ☐ Yes  ☐ No 

    • Identify the potential benefits a RM process provides
    • List these benefits and promote them to help acceptance of the process
    • Identify what benefits your department desires to derive from RM

    Is control and mitigation action clearly defined?

    ☐ Yes   ☐ No 

    • Define what control and mitigation actions are
    • Identify how control and mitigation actions affect the impact and likelihood of a risk
    • Identify the potential cost associated with control

    Is risk exposure clearly defined?

    ☐ Yes   ☐ No 

    • Define what risk exposure is
    • Define what acceptable risk exposure is
    • Identify and promote what acceptable exposure is across the institution

    Did your institution develop a risk philosophy?

    ☐ Yes   ☐ No 

    • Disclose the underlying approach to RM
    • Define the roles and responsibilities of the governing body and senior management
    • Give the process the authority it needs to be sustained within the department's process structure

    Has an implementation plan been prepared?

    ☐ Yes   ☐ No

    • Prepare an implementation plan that includes answers to the following questions:
      • Are you aware of the potential problems RM presents?
      • Will the academic staff support the process?
      • Should RM operate as a separate process or be embedded into your existing process structure?
      • Who will own the RM process?
      • How will evidence be generated to support disclosure statements?
      • Are there sufficient resources to implement and support the process?
      • How broad should the process be?

    Have the risk identification techniques been determined?

    ☐ Yes   ☐ No

    • Answer the following questions to determine the techniques and methods that best help you:
      • Who should be involved?
      • What techniques to use: group or one-to-one interviews, questionnaires or desktop review?
      • What are the advantages and disadvantages of each technique?
      • What risk categories best fit the department's risk culture?
      • How will the identified risks be prioritized and explored?
      • How will the risk contributing factors be identified and explored?
      • How will the existing controls and mitigation actions be identified and assessed?
      • How will the risk early warning indicators and mechanisms be identified and explored?

    Have the risk assessment methods been determined?

    ☐ Yes    ☐ No

    • Answer the following questions to determine the techniques and methods that best help you:
      • What factors affect a risk assessment technique?
      • Will the risk impact be assessed in a qualitative or a quantitative way?
      • Will the risk likelihood be assessed in a qualitative or a quantitative way?
      • What different types of impact will be considered during the assessment of a risk?
      • What will be the key components of a qualitative or quantitative assessment method?
      • What type of scoring sheets and tables will be used?
      • How will the risk assessment be displayed and reported?
      • What is the acceptable exposure for your institution?
      • When is an improvement action to be taken?
      • How will the reporting structure be designed?
      • How will the final report be drafted and presented?

    Has the way to sustain the RM process within the department's process structure been determined?

    ☐ Yes   ☐ No

    • Answer the following questions to determine the techniques and methods that best help you:
      • Who is the owner of the process?
      • How will risk be presented and reported?
      • Is there a need for training?
      • How will information be communicated and shared?
      • How the process annual review will be