Dublin City University Risk Management Explanatory Document

Transcription

1 Dublin City University Risk Management Explanatory Document December 2011

2 Dublin City University Risk Management Contents 1.0 Objective Elements risk Strategic Risk Operational Risk Financial Risk Reputational Risk Assessment of Risk Impact Likelihood Risk Assessment Matrix Control of Risk The Risk Register

3 Dublin City University Risk Management 1.0 Objective A risk is an event that would prevent the University from achieving its objectives. The aim of this risk management exercise is to provide a method by which the risks facing DCU are identified, assessed and controlled and to provide a process by which these risks are managed on an on-going basis. The first part of the process will be the establishment of a risk register for DCU. In this way the risks facing DCU can be identified and assessed in terms of their potential impact and likelihood of them happening. The controls in place to prevent such risks happening will also be determined. This will provide the opportunity of assessing whether those controls are sufficient or if there is a need to develop additional control measures to further strengthen the control environment in the University. The management of risk should form part of the overall process used to manage the University on an ongoing basis. The risk register forms a key element in that process. 2

4 2.0 Elements risk A risk is an event that would prevent the University from achieving its objectives. It can be categorised into four elements: Strategic Risk Operational Risk Financial Risk Reputational Risk 2.1 Strategic Risk Strategic risk is the risk that the organisation would engage in an activity at variance with its mission statement or fundamental objectives, or not engage with an opportunity that may arise. 2.2 Operational Risk Operational risk is the risk that policies, procedures, systems or activities would fail thus restricting progress towards achieving organisational objectives. 2.3 Financial Risk Financial risk is the risk of failing to safeguard company assets, of incurring a financial loss, of financial misreporting or of a failure to achieve value for money. 2.4 Reputational Risk Reputational risk is the risk that the organisation would engage in activities or be perceived to engage in activities that would threaten its good name brand and public image. The Total risk will be the sum of all of the elements of risk. A risk can be categorised into more than one element. So for example a risk might be categorised as an operational risk, but it might also create a financial exposure and therefore be categorised as a financial risk as well. 3

5 3.0 Assessment of Risk Risk can be assessed in terms of its potential impact and likelihood of happening. Both the impact of an event on DCU and the likelihood of that event happening can be determined using a five point scale. In estimating the impact and likelihood scales of any particular risk consideration should also be given to existing controls in place which reduce the risk exposure and also the score for that particular risk. 3.1 Impact The scale for assessing the potential impact of an event is as follows: IMPACT : scale of Minor (e.g. none or almost no impact.) 2. Limited (e.g. controlled failure etc.) 3. Serious (e.g. control breakdown resulting in costs etc.) 4. Very Serious (e.g. substantial loss of revenue or substantial cost incurred etc. 5. Catastrophic (e.g. major event bringing into question the continued operation of DCU) 4

6 The following risk assessment criteria table is provided as an aid to help score the impact of chosen risks between 1 and 5. Risk Assessment Criteria Impact 1 Minor 2 Limited 3 Serious 4 Very Serious 5 Catastrophic Strategic Negligible delays in achieving strategic objectives of the University. Some delays with policy or strategic initiatives implementation. Significant delays to strategic Only able to achieve partial Failure to achieve initiatives or policy implementation of a policy/initiative. implementation. policy/initiative. Operational Students/staff not impacted or aware of the problem. Students/staff aware of problem but impact on them is negligible. Serious operational disruption effecting all staff/students. Ongoing significant disruption to University activities. Major event requiring complete shutdown of all services for extended period. Financial Up to 50,000 50, , , , ,000-5,000,000 Over 5,000,000 Reputational Strong reputation, seen as a quality HE university. Some negative comments in press/media about DCU Critical article in media. Public criticism from authorities. Continuing negative publicity in press or TV. Ministerial concern with political repercussions. Loss of public confidence. 5

7 Likelihood The likelihood of an event occurring can be assessed using a five point scale as follows: LIKELIHOOD: scale of Rare (20 years and over) 2. Unlikely (10 20 years) 3. Possible (5 10 years) 4. Likely (1 5 years)) 5. Already happening or within 1 year 3.2 Risk Assessment Matrix The combination of the impact and the likelihood of an event together with an assessment of the existing controls in place (see note 4 below) will determine the overall risk profile of that event. Risk Assessment Matrix 5 4 Impact Liklihood The more risks arising in the red zone the more the overall risk profile of the University will increase. 6

8 4.0 Control of Risk Part of establishing the risks facing DCU, how likely they are to happen and what their impact is, consideration also needs to be given as to what controls are in place to prevent or reduce the risk of the event happening. The identification of the existing controls in place allows us to answer the following questions: Are we happy with the existing level of controls? What changes might we wish/need to make? How much uncontrolled risk do we wish to bear? What is the estimated cost versus potential benefit of additional controls? For any further controls which need to be put in place (required for all risks in the red zone) the required control, the individual responsible for implementing it and the proposed timeline can all be identified and built into the on-going planning process. 5.0 The Risk Register The risk register will encompass all of the risks identified, the assessment of the likelihood of events happening and the likely impact, the additional controls which have been identified as being necessary, the individual responsible and the timeline for implementation of the new controls. In this way the risk register will provide an important element of the overall control process for the University and will help to ensure that any risks to the achievement of DCU objectives are properly identified and controlled. As such the risk register will be kept under on-going review and will be formally reviewed on a periodic basis by both SMG and Governing Authority. Detailed Risk Register - Illustrative 1 2 Risk Re duce d Funding. The Government will significantly reduce the annual core grant funding from the University. This would lead a significant gap in the University finances and bring into question the viability of DCU and its ability to deliver the range of services currently provided to students and the local communities. Incre asing financial burde n of aging physical Infracture. Increased maintenance costs, increased refurbishment costs and additional health and safety risks. Controls/Actions already in place Significant level of engagement with Ministers, Department officials and the Higher Education Authority by management and IUA. Governing Authority engagement with relevant individuals. Meetings with local political representatives. Engagement with local community groups in support of DCU. Prioritisation of long term maintenance funds. Linking maintenance work capital projects to maximise impact of investment. Implementation of new Estates Strategy. Impact Likelihood Priority 5 4 H 3 4 M Risk Owner Finance Estates Further Actions Required Will be required for red zone risks Date 3 4 Failure to maximise Stude nt Re te ntion. Student retention/progression is one important measure for successful learning within DCU. This issue is one of growing importance both nationally and internationally. Poor student retention damages our reputation and significantly reduces available funding. Our non presence performance based on a study on progression published by the HEA last October positions DCU at 11% with other Universities at approx 9%. Our estimated funding cost in respect of non presence is 1.8M per year. Each 1% improvement in retention will generate approx 163K of revenue. 1 Further Analysis. Continue to analyse causes (also analyse what we do well) involve more people who are accountable and coordinate an overall "student retention initiative". 2 Measurement. Further develop a system of measurement, KPI's etc to understand better how we are progressing with all initiatives. 3 PR. Improve marketing of DCU programs and the DCU brand. 4 Operations. Improve student support system where possible. De ve lopme nt of strate gic alliance s with the wrong partne rs. Proposals routinely considered by SMG/Exec. Guidelines Damage to reputation. Wasted resources at planning and implementation in place for development of strategic partnerships phases. Missed opportunities with more appropriate partners. 4 3 M 2 1 L Student Affairs OVPR 7