Procedure: Risk management

Transcription

1 Procedure: Risk management Purpose To outline the procedures involved for identification, assessment and management of risks. Procedure Introduction 1. This procedure outlines the University s Risk Awareness Framework, which is supported by: a robust governance structure, including the Audit and Risk Management Committee and the Risk Management Advisory Committee; a Risk Management Policy that clearly articulates and assigns key roles and responsibilities; and the availability of risk management support, advice, assessment tools and training to academic and support areas. 2. The Corporate Governance and Risk Office (CGRO) provides the following risk management services: Strategic risk profiling Fraud risk management Business continuity planning Project risk management Grant risk management Risk assessment workshops and training A range of guidance material, tools and templates are available for staff reference on the Risk and Audit web page. This procedure provides information as to accountabilities for risk management activities and an overview of the approach recommended for all areas of risk management. Procedure: Risk management Page 1

2 Accountabilities Council: Ensure that a risk management framework is established, implemented and maintained; Identify strategic risks (in consultation with the Vice Chancellor) that impact upon the University's strategic objectives; and Monitor the management of strategic risks. Vice-Chancellor: Identify and manage strategic risks; and Ensure that a risk management framework is established, implemented and maintained in accordance with this policy. University Executive: Identify and manage strategic and operational risks within their portfolio that may impact upon the University's strategic and operational objectives; and Promote compliance with statutory and regulatory requirements. ANU Deans, Service Division Directors and/or Heads of Budget Units: Develop and maintain a Strategic Risk Profile; Integrate risk management principles with operational planning processes and the management activities of the colleges; Ensure the application of risk management principles when major projects are considered or managed; Identify and report on risk issues as part of budget planning, annual reporting and assurance processes; Develop and maintain a Fraud Risk Profile plan in accordance with the Fraud Control Procedure; Develop and maintain a Business Continuity Plan (BCP); and Ensure that staff are encouraged to participate in risk management training activities. Procedure: Risk management Page 2

3 Heads of Controlled entities, and entities that are derived from the legal status of the University will be responsible to their respective Boards to: Develop and maintain a strategic and/or operational plan that integrates risk management principles with planning processes and management activities; Identify and report on risk issues as part of budget planning and annual reporting and assurance processes; Develop and maintain a Fraud Risk Management Plan; Develop and maintain a Business Continuity Plan (BCP); and Ensure that staff are encouraged to participate in risk management training activities. Audit and Risk Management Committee: Oversee the risk management framework; Monitor strategic and enterprise-wide risks; and Receive and consider risk management reports to inform both Council and internal audit activity (including the internal audit plan). Risk Management Advisory Committee: Monitor and review institutional risks; Make recommendations to the Director, CGRO, the Audit and Risk Management Committee, and the Vice-Chancellor (as appropriate) on risk management policies and procedures; Assist the University to raise levels of management awareness and accountability for risk management and the development of a risk management culture; Review and monitor local area risk management plans; and Make recommendations on the University's crisis management plans and arrangements and review incidents as they occur. Corporate Governance and Risk Office: Through broad consultation the role and responsibilities of the CGRO include: Facilitate the development, ratification and adoption of the ANU risk management policy and associated procedures; Procedure: Risk management Page 3

4 Develop and implement a University-wide risk management framework; Provide risk management support, advice, assessment tools and training to academic and support areas; and Raise the profile of risk management within the University and ensure a culture of risk management is sustained. Approach - overview Risk analysis is based on identifying those events that contribute to the uncertainty surrounding the achievement of specific objectives or outcomes. Essentially this event can then be investigated through a two dimensional construct of the likelihood of the event occurring and its consequences (sometimes also referred to as impact). The University endorses the application of Australian and NZ Risk Management Standard AS/NZS ISO 31000:2009, which details the generic risk management process. Specifically this includes the following elements: Establish the context Risk identification Risk prioritisation Risk response Risk treatment Communicate and consult (at all prior steps) Monitor and Review (at all prior steps) 8. All staff are encouraged to familiarise themselves with the Australian and NZ Risk Management Standard AS/NZS ISO 31000:2009 and undertake associated training from a recognised provider if required. Upcoming training events will be publicised through the University s risk portal and CGRO is available to facilitate customised training as required. Approach - guidance 9. The same risk management approach is applied to all activities/projects, whether they are strategic or operational in nature. However, additional guidelines are available on the Risk and Audit web page which help to provide context for the area of risk being considered. Specifically, guidance has been provided regarding the management of strategic, grant, project, Procedure: Risk management Page 4

5 fraud and business continuity risk assessments. 10. Step 1: Risk Identification Think broadly about the risks associated with the activity/project. Refer to the ANU Enterprise Wide Risk Matrix, which provides guidance as to the categories and types of risks to consider. Make a list of the potential risks and utilise the ANU Risk Register template as necessary. 11. Step 2: Risk Prioritisation Determine the high-priority risks by assessing the probability of them occurring (likelihood) and the consequence to the activity/project, and ANU (impact). Initially, this should be done by considering the current risk. That is, the risk facing the activity/project at the moment, with operations running as business as usual. The residual risk can then be determined, being the risk remaining after all mitigation strategies have been put in place. Criteria should be set to ensure that risks are prioritised consistently. This can be achieved with reference to the ANU Risk Assessment Matrix, being sure to be clear on what each criteria means for the activity/project. 12. Step 3: Risk Response. There are four things you can do about a risk. 13. Mitigate the risk. Take actions to lessen the impact or the likelihood of the risk occurring. For example, if the risk relates to ensuring that information remains confidential, ensure that adequate controls are in place to protect the information and that an appropriate non-disclosure agreement is signed by any party external to ANU. Avoid the risk. Do something to remove it such as move to an alternative supplier, or conduct the activity/project at a different time. Transfer the risk. This would involve making someone else responsible. For example, risk may be transferred to a vendor. Accept the risk. The responsible officer/delegate/committee may agree that the risk is so small that the effort to take further action is not worthwhile. Strategies chosen to address each risk should be documented, including any actions required in order to execute the strategy. 14. Step 4: Risk Monitoring The final step is to continually monitor risks to identify any change in the Procedure: Risk management Page 5

6 status. It is best to hold regular risk reviews to identify actions outstanding, risk probability and impact, remove risks that have passed, and identify new risks. Common language Business Continuity A limited return to business operations following a significant and disruptive natural or man-made event. Consequence The outcome of a risk if it occurs expressed qualitatively or quantitatively. Threats have unfavourable consequences, and opportunities have favourable consequences. Hazard A source of potential harm or a situation with a potential to cause loss. Inherent Risk The level of risk of an unwanted event before consideration of the controls that could be applied within the business to reduce the risk. Likelihood The chance that a particular risk will occur. This can be expressed as either a probability for a single event or condition, or a frequency of occurrence for repeat events. Loss Any negative consequence, financial, or otherwise. Opportunity An uncertain beneficial event or condition that if it occurs will result in favourable outcomes such as improved safety, saved time or cost. Practicable With regard to risk controls, means the level of control that would be practicable to achieve having regard to the severity of the loss; the risk of it occurring; the state of knowledge about the risk; and the availability, suitability, and cost of mitigating the risk. Residual Risk The risk remaining after the implementation of risk treatments Procedure: Risk management Page 6

7 Risk The chance of something happening that will have an impact on the realisation of the University's stated objectives. Risk Acceptance Threshold The level of risk exposure above which action must be taken to proactively manage threats and maximise opportunities, and below which risks may be accepted. Risk Appetite The level of risk the University is prepared to take on. Risk Assessment The process of risk identification, analysis and evaluation Risk Classification All identified risks within ANU should be categorised into one of four descriptors, defined as follows: Low: Risks that are acceptable and do not require active management. Moderate: Risks that are unlikely to cause much damage and/or threaten the efficiency and effectiveness of the program/activity. Manage by specific monitoring or response procedures. High: Risks that are generally not acceptable and likely to cause some damage, disruption or breach of controls. Senior management attention needed and management responsibility specified; treatment plans to be developed and reported to PVC/Executive Director or Vice-Chancellor. Extreme: Risks that are not acceptable and likely to threaten the survival or continued effective function of the program or the organisation, either financially or politically. Immediate action required; must be managed by senior management with a detailed treatment plan reported to PVC/Executive Director, Vice-Chancellor and Council. Risk Control Effectiveness The actual level of control that is in place and effective relative to what could reasonably be achieved for the particular risk. Procedure: Risk management Page 7

8 Risk Controls Policies, delegations, procedures, devices, systems or other actions that eliminate or reduce risk. Risk Criteria The criteria by which an informed decision to accept the consequences and the likelihood of a particular risk is made. Risk Drivers The factors that introduce risk into the strategic and operational environment of the University. Some examples of the 'risk drivers' in higher education include: Globalisation Emerging economies Funding models Government policy Increasing regulatory scrutiny and compliance requirements Capital investment Increasing competition Increasing consumer expectations Contracting Quality of academic program Emerging educational delivery systems Commercialisation\intellectual property Emerging pandemics Natural events Emerging technology Fraud Risk Evaluation The process of estimating the likelihood and consequences of identified risks, and comparing against a defined risk acceptance threshold. Risk Identification A structured process to identify threats and opportunities. Procedure: Risk management Page 8

9 Risk management The application of rigorous analyses, appropriate decision making and actions to achieve the University's stated objectives. Risk Owner A person with the capacity, authority, experience and resources necessary to deal with and monitor an identified risk. Risk Profile Identified and assessed risks associated with a particular context (e.g. Project or College and or impact such as safety or fraud) Risk Treatment The process of selection and an implementation of measures to modify risk. Risk treatment measures can include avoiding, modifying, sharing or retaining risk. Risk Types Strategic: These risks relate to the overall objectives and longterm viability of the University. An example may include the ability to acquire adequate funding or the ability to maintain the integrity of the University's reputation and relevance; Business and operational: These are risks concerned with 'day to day' business practices that assist the University to meet its strategic objectives and would include risks associated with contract management, financial and asset management, stakeholder management (internal/external); Enterprise-wide: These risks have a systemic focus such as knowledge and information management, HR management and facilities management; Specialist: Relates to areas of risk that are often externally regulated and require specialist expertise but relate to the whole of the university. Examples would include OH&S, security and fraud. Threat An uncertain adverse event or condition that if it occurs will result in unfavourable outcomes such as injury, damage to the environment, delay, or economic loss. Procedure: Risk management Page 9