RISK MANAGEMENT
Central Queensland University
November 2006
BDO Kendalls’ Role – 2002/3
• Guidance to the University in establishing Risk Management Policy and Process Framework
• Deliver training to key management groups
• Facilitate process implementation workshops
• Provide feedback, information and outcomes to Risk Management Committee
• Management own the process and its key elements
• Key decision making remains with the University
Why Risk Management?
• CQU is committed to a comprehensive and systematic approach to effective management of potential opportunities and adverse threats
• Risk management is a key element in improving CQU’s business and services to assist in achieving its objectives
• CQU aims to achieve best practice in controlling risks which may impact its business
Why Risk Management? Statutory Requirements
• Financial Management Standard: “The University must protect itself from unacceptable costs or losses associated with its operations.”
• Workplace Health & Safety Act 1995: imposes obligations on people at the workplace to ensure workplace health and safety
• AUQA
• Common Law Duty of Care
What is Risk?
The exposure to the possibility of something happening that will have an impact on the University’s organisational objectives
• Objectives: Financial and Non Financial
Elements of Risk
Risk arises out of uncertainty and has two elements:
• Frequency / likelihood of something happening
• Severity / impact of the consequences arising from the event
Risk Management Is …
• Culture and process
• Systematic application of management policies, procedures and practices
• Effective management of opportunities and threats
• Establishing context, identifying, analysing, assessing, treating, monitoring, communicating
Risk Management is Not …
• Just accounting controls
• Another name for insurance
• About creating risk averse management
• A label to hide inadequate analysis when something goes wrong
• A green light for careless enthusiasm
• An opening for ‘risky management’
Risk Management Objectives
• Structured basis for strategic planning
• Enhance governance and corporate management processes
• Discharge statutory responsibilities
• Practical framework for decision making
• Protect against unacceptable costs/losses
• Minimise missed opportunities
• Safeguard assets (including people)
University’s RM Objectives
• Implement RM across all areas of the University in accordance with best practice guidelines
• Integrate RM into the management culture of the University
• Foster an environment where staff assume responsibility for managing risk
The Process to Date …
1. CQU Risk Management Policy promulgated
2. Risk Management Committee and Terms of Reference established
3. Workshop to identify Key Risk Categories
4. Policy Framework and Guidelines established
5. Templates:
   - Risk Mgt Standards
   - Risk Records
   - Risk Treatment Plans
   - Risk Register
6. Pilot Launch – Health, Safety and Security Key Risk Category
The Process to Date …
• CQU Risk Management Workshops conducted, identifying risks and treatment plans
• Risk Management Committee and Terms of Reference established as sub-committee of Audit Committee
• Significant change and restructure
• AUQA Audit and Report
• Risk Management Committee rolled into Audit Committee
• Risk Management Software acquired
• Re-launch of Risk Management to Senior Management
Key Risk Categories
• Corporate Governance & Compliance
• Financial and Commercial
• Operations
• Student
• Health, Safety & Security
• Human Resources
• Data & Information Technology
• Reputation
• Asset Maintenance
• Environmental
Risk Management Process – AS/NZS 4360 (Refer Frame 1)
Establishing Context & Framework
Identify Internal and External Stakeholders:
• Internal and external decision makers
• Individuals directly and indirectly affected by decisions, actions and inactions
• Unions, staff groups
• Community groups
• Statutory regulators (health, safety, environmental etc)
• Politicians (all levels of govt) with electoral or portfolio interest
• Non government groups
• Users and suppliers of services and facilities
Establishing Context & Framework
• Purpose of stakeholder analysis is to provide decision makers with a documented profile of stakeholders to better understand needs, issues and responsibilities
• Framework and Stakeholder Mix subject to constant change
• Consultation and review process must be continuous and recurrent in the Risk Management process
Identifying Risks
• Aim to identify risks to be managed
• Comprehensive identification critical
• Potential risk not identified at this stage is excluded from further analysis
• Identification should include all risks whether or not they are under the University’s control
Identifying Risks
Possible Methods of Identifying Key Risks:
• Audits & physical inspections
• Brainstorming
• Decision trees
• Examination of local or overseas experience
• Expert judgment
• History, incident reports
• Interviews, focus group discussions
• Scenario analysis
• SWOT analysis
• Surveys, questionnaires etc…
Identifying Risks
Possible Sources of Risk:
• Commercial relationships
• Legal relationships
• Custody
• Management activities and controls
• Natural events
• Political/legal
• Occupational health and safety
• Personnel/human behaviour
• Property/facilities
• Public liability
• Security
• Socio-economic
• Etc …
Identifying Risks
Documentation of this step
• For a small process this step may be documented by a simple tabulation
• More detailed documentation may be required for larger processes
• List each risk and classify
  • Eg functional groups, exposure profiles etc
Analysing Risks
CONSEQUENCES AND LIKELIHOOD
• The magnitude of consequences of an event, should it occur, and the likelihood of the event and the associated consequences, are assessed in the context of no existing controls
• Consequences and likelihood are combined to produce a level of risk
Analysing Risks
Analyse LIKELIHOOD considering:
• How often situation occurs
• How many operations/people exposed
• Skills/experience of people exposed
• Special characteristics of people exposed
• Duration of exposure
• Proximity of hazard to people exposed
• Distractions
• Quantity of materials or multiple exposure points involved
• Environmental conditions
• Condition of facilities, equipment
• Effectiveness of existing control measures
Analysing Risks
Analyse EXISTING CONTROLS considering:
• Do controls represent good practice?
• Are controls minimising exposure to risks?
• Do stakeholders know about controls?
• Are there adequate systems and procedures in place to support controls?
• Is there adequate training/supervision in relation to controls?
• Is there adequate maintenance of controls?
• How easy is it to use, or work with, controls?
Analysing Risks
Analyse CONSEQUENCE considering:
• Potential for “chain reaction”
• Concentration of risk exposures
• Direct/indirect financial impact
• Fines, penalties, rectification costs
• Other regulatory impact
• Business interruption
• Position of stakeholders relative to exposure
• Human impact
Analysing Risks
TOOLS FOR ANALYSIS
Qualitative Methods Used:
• Where level of risk does not justify time and resources for numerical or detailed scientific analysis
• For initial screening of risks
• Where numerical data inadequate
• Valuable when analysis shared across range of people, backgrounds & interests
Analysing Risks
TOOLS FOR ANALYSIS
Semi-Qualitative Methods
• Allocates a qualitative word ranking to likelihood (eg Almost Certain – Rare, or high, medium or low) and consequence (eg Extreme – Insignificant)
• Rankings are shown against a word scale for ranking the level of risk (eg V.High – V.Low)
• Avoid overcomplicating analysis. Relatively straightforward methods can be effective
• Method, rationale and results should be documented
Evaluating and Ranking Risks
• Risk evaluation involves comparing the level of risk determined during analysis with previously established criteria
• Decides whether risks are acceptable or unacceptable
• Output of risk evaluation is a prioritised list of risks for further action (ranking)
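The semi-qualitative method on the previous slide and the evaluation step on this one can be carried through end to end in code. The example below is added here for illustration and is not CQU’s or BDO Kendalls’ tooling: it takes the word scales named on the slides (Rare – Almost Certain, Insignificant – Extreme, V.Low – V.High), combines each risk record’s likelihood and consequence rankings into a level of risk, compares that level with an acceptance criterion, and returns the prioritised list of unacceptable risks for the register. The five-step ordering of each scale, the product-based banding onto the level scale, the rule that V.Low and Low risks are accepted, and the sample risk register are all assumptions made for the example, not values taken from the University’s framework.

```python
"""Semi-qualitative risk rating, evaluation and ranking (added illustration,
not the University's own tooling). Scales and banding are assumptions."""
from dataclasses import dataclass

# Word scales as named on the slides; the five-step ordering is an assumption.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Extreme"]
LEVELS = ["V.Low", "Low", "Medium", "High", "V.High"]

# Assumed banding: likelihood rank (1-5) times consequence rank (1-5) maps onto
# the level-of-risk word scale. Lower bound of each band, highest first.
BANDS = [(20, "V.High"), (12, "High"), (8, "Medium"), (4, "Low"), (1, "V.Low")]

# Assumed acceptance criterion: V.Low and Low risks are accepted without treatment.
ACCEPTABLE_LEVELS = {"V.Low", "Low"}


@dataclass(frozen=True)
class RiskRecord:
    """One line of a risk register, rated with no existing controls in place."""
    ref: str
    category: str
    description: str
    likelihood: str
    consequence: str


def risk_level(likelihood: str, consequence: str) -> str:
    """Combine the two word rankings into a level of risk."""
    score = (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)
    for floor, level in BANDS:
        if score >= floor:
            return level
    return "V.Low"  # every valid score is >= 1, so this is never reached


def is_acceptable(level: str) -> bool:
    """Risk evaluation: compare the level of risk with the established criteria."""
    return level in ACCEPTABLE_LEVELS


def rank_register(records):
    """Return (unacceptable risks in priority order, accepted risks).

    Priority is by level of risk; ties are broken on consequence, then
    likelihood, so the most severe outcome is treated first."""
    rated = [(r, risk_level(r.likelihood, r.consequence)) for r in records]

    def priority(item):
        record, level = item
        return (LEVELS.index(level),
                CONSEQUENCE.index(record.consequence),
                LIKELIHOOD.index(record.likelihood))

    unacceptable = sorted((i for i in rated if not is_acceptable(i[1])),
                          key=priority, reverse=True)
    accepted = [i for i in rated if is_acceptable(i[1])]
    return unacceptable, accepted


# Constructed sample register for the example; not real CQU risks.
SAMPLE_REGISTER = [
    RiskRecord("R1", "Data & Information Technology",
               "Student records server missing vendor security patches",
               "Likely", "Major"),
    RiskRecord("R2", "Health, Safety & Security",
               "Slip hazard on laboratory floor", "Almost Certain", "Minor"),
    RiskRecord("R3", "Reputation",
               "Public disclosure of personal data held by the University",
               "Possible", "Extreme"),
    RiskRecord("R4", "Operations",
               "Shared printer outage in one office", "Unlikely", "Insignificant"),
    RiskRecord("R5", "Financial and Commercial",
               "Grant acquittal paperwork submitted late", "Possible", "Minor"),
]


if __name__ == "__main__":
    to_treat, accepted = rank_register(SAMPLE_REGISTER)
    print("Prioritised for treatment:")
    for rec, level in to_treat:
        print(f"  {rec.ref} [{level}] {rec.category}: {rec.description}")
    print("Accepted (no treatment within available resources):")
    for rec, level in accepted:
        print(f"  {rec.ref} [{level}] {rec.description}")
```

The main design point is that the criterion (`ACCEPTABLE_LEVELS`) is separate from the rating (`risk_level`), matching the slide’s distinction between analysing a risk and evaluating it: the University could tighten the criterion for a Key Risk Category without re-rating any record.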
Evaluating & Ranking Risks
Acceptable and Unacceptable Risk
Consider:
• Degree of control over risk
• Cost impact, benefits and opportunities presented by risk
• Significance of risk & importance of policy, program, process or activity
• Risk may be accepted if consequence & likelihood are consistent with established criteria
• Acceptance may follow risk reduction measures
• Regularly review and monitor for changing circumstances
• Process and rationale should be documented
Evaluating & Ranking Risks
Reasons a risk may be accepted:
• Level of risk so low that specific treatment not appropriate within available resources
• Cost of treatment is so excessive compared to benefit that acceptance is only option
• Opportunities presented outweigh threats to such a degree that risk is justified
• No treatment is available
Evaluating & Ranking Risks
Unacceptable risks:
• Risks not considered acceptable are those which will be treated in some way
• These are prioritised for subsequent management action as a component of management’s and the University’s Risk Action Plans and Risk Register
Risk Treatment
Risk Treatment involves:
• Identifying and considering the range of Options for Treatment
• Assessing those options
• Preparing Risk Treatment Plans
• Implementing Risk Treatment Plans
Risk Treatment
OPTIONS to Manage the Risk
• ELIMINATE the risk
• TRANSFER the risk
• PREVENT or MINIMISE the consequences and/or likelihood of the risk
  • Substitution
  • Redesign
  • Isolation
• RETAIN the risk – when exposure is not or cannot be minimised by other means:
  • Eg Administrative controls
  • Eg Personal protection
(Refer Frame 4 – Risk Treatment Process)
Risk Treatment
Preparing Risk Treatment Plans
• Plans document how chosen options will be implemented
• Plans identify:
  • Responsibilities
  • Schedules
  • Expected outcome of treatments
  • Budgeting
  • Performance measures
  • Review, assessment and monitoring processes
Risk Treatment
Implementing Risk Treatment Plans
• Developing Standards and Procedures
• Communicating
• Training and instruction
• Supervision
• Maintenance
Risk Treatment
Monitoring and Reviewing Risk Treatment
• Chosen controls have been implemented as planned:
  • Are chosen controls in place?
  • Are controls being used?
  • Are controls used correctly?
• Chosen controls are working:
  • Have changes made to control exposure resulted in planned outcome?
  • Has exposure to risk been diminished or adequately reduced?
• Are there any new problems?
  • Have implemented control measures resulted in introduction of new problems?
  • Have implemented control measures resulted in worsening of existing problems?
Documentation
• Each stage of the Risk Management Process should be documented:
  • Demonstrate the process
  • Evidence of systematic process
  • Record to develop risk database
  • Provide decision makers with RM plan for approval and implementation
  • Accountability mechanism and tool
  • Facilitate continuing monitoring and review
  • Provide audit trail
  • Share and communicate information
Documentation
• Risk Register
• Risk Management Standards for Specific Risk Category
Responsibility
• For RM to be effective it must be implemented by every person within the organisation:
  • Council, VC, DVC
  • Directors, Deans, HODs
  • Line Management
  • Staff, Students and 3rd Parties
• RM is not just the responsibility of management
• RM must become an integral part of the University’s culture
Managing Risk
• Managing risk means forward thinking
• Managing risk means responsible thinking
• Managing risk means balanced thinking
• RM provides a framework to facilitate more effective decision making
• RM is all about maximising opportunity by managing risk
Contact
Daniel Nolan
Acting Internal Audit Manager
Extension 6932