Version: th November 2010 RISK MANAGEMENT POLICY

Transcription

1 Version: th November 2010 RISK MANAGEMENT POLICY

2 Document History Document Location To be completed. Revision History Date of this revision: 17/09/2010 Date of next revision: N/A Revision Number Revision Date Summary of Changes /09/10 Risk Management Policy issued to Institutes of Technology for tailoring to own requirements /10/10 Risk Management Policy reviewed by Risk Management Committee and tailored to GMIT requirements /12/10 Audit Committee approval /12/10 Governing Body approval Changes marked Approvals This document requires following approvals Name Title Date Risk Management Committee 20/10/10 Audit Committee 02/12/10 Governing Body 08/12/10 Version th November

3 Contents Document History BACKGROUND PURPOSE OF RISK MANAGEMENT POLICY DEFINITIONS ROLES & RESPONSIBILITIES Governing Body Audit Committee Risk Management Committee Institute Executive Board Heads of Function/ Heads of School / Heads of Department /Heads of Administrative Units Risk Owner Internal Audit RISK MANAGEMENT FRAMEWORK Risk Identification Risk Assessment Control and Risk Mitigation Risk Monitoring and Reporting Risk Appetite Management of Risk REVIEW OF POLICY Appendix 1 GUIDE TO RISK MANAGEMENT Risk Identification Risk Assessment Risk Impact Likelihood Risk Rating Control Assessment When are Risks Assessed Risk Register Residual Risk and Level of Reporting Required Appendix 2 Templates Risk Register Template Local Risk Identification and Analysis Template Version th November

4 1. BACKGROUND 1.1 There has been increasing focus on governance in corporate and public bodies and the reasons for this focus over the past decade are welldocumented. In Ireland, the government published the Code of Practice for the Governance of State bodies in 2009, issued by the Department of Finance and the Institute of Technology sector has its own tailored Code called Governance of Irish Institutes of Technology issued in January As part of this updated Code (originally issued in 2003) the Chairperson and President of each Institute of Technology is required to report to the relevant Minister that there is an appropriate system of internal control in place, that the responsibility for the Institute s system of internal control rests with the Governing Body and that there has been a review of the effectiveness of the system of internal control. A common theme running through these reports is the management of risk. 1.2 The Governance of Irish Institutes of Technology, is designed to ensure appropriate procedures and controls are implemented to manage risks facing such complex institutions, while at the same time respecting their autonomy. 2. PURPOSE OF RISK MANAGEMENT POLICY 2.1 The purpose of this Policy is to provide a framework for management to identify, assess and rate risks, and to develop strategies to deal with risks so as to provide reasonable assurance that the Institute s strategic objectives will be achieved. In effect, this Policy will establish a framework to identify potential events that may expose the Institute to risk, to manage this risk to keep it within the Institute s risk appetite and to provide reasonable assurance regarding the achievement of the Institute s objectives. 2.2 The Policy sets out the following: Definitions; Roles and responsibilities; Risk Management Framework - Risk Identification; - Risk Assessment; - Control & Risk Mitigation; - Risk Monitoring and Reporting; - Risk Appetite; - Management of Risk. 2.3 Risk Management is not solely about managing risks, it is also about identifying and taking opportunities. Some of the benefits associated with Risk Management include: Transparent processes and good practice; Support for management decisions; Version th November

5 Provision of competitive advantage by adapting to new circumstances; Improved public accountability; Increased quality and efficiency in processes; Immediate risk prioritisation; Positive attitude to implementing risk controls. 3. DEFINITIONS 3.1 Risk: Risk may be defined as the Institute not benefiting from opportunities available or not achieving its objectives due to an internal or external event. Risks, by their very nature, may or may not occur and fall into a variety of categories, some of the most common being: Strategic Risks: the inability to achieve the Institute s strategic and operational objectives as set out in the Strategic Plan and also, not availing of opportunities when they arise; Operational Risks: the inability to prevent any loss resulting from inadequate internal policies, procedures and systems; Financial Risks: exposure to losses arising as a result of the need to improve the management of the Institute s financial assets; Reputational Risks: exposure to losses arising as a result of negative publicity and the need to improve stakeholder relationship management. In addition, risks can exist at different levels: Corporate or Strategic Level (Fundamental) Function/School/Department/Administrative level; Project level. 3.2 Risk Identification: The process of determining what can happen, why and how. 3.3 Risk Analysis: The systematic use of available information to determine the likelihood of specific events occurring and the magnitude of their consequences/impact on the Institute. 3.4 Risk Assessment: Risks are assessed and prioritised on the combined basis of their likelihood of occurrence and the resulting impact should they materialise. 3.5 Risk Register: A risk register is a risk recording and monitoring tool for the management of the Institute. It is a hierarchical entity and a review of the Risk Register (corporate or strategic level risks) may be informed by more detailed local risk analysis (School/Department/Administration and project level risks) at Functions, Schools, and Administrative Units. 3.6 Risk Appetite: Risk appetite is the amount of risk the Institute is prepared to accept based on the expected output of the development/activity in question. The Institute can be risk-taking or risk-adverse and different levels of risk appetite can apply to different activities. In deciding its risk appetite the Version th November

6 Institute will decide the threshold beyond which risks move from being monitored locally to being monitored by the Executive Board, or finally to the abandonment of the particular activity. Clarity in relation to the Institute s risk appetite is critical to enable the Executive Board to decide on how best to manage any particular risk. 4. ROLES & RESPONSIBILITIES 4.1 Governing Body Overall responsibility for the management of risk within the Institute lies with the Governing Body. The Governing Body will approve the Institute s Risk Management Policy, will satisfy itself through its Audit Committee that an adequate Risk Management Framework is in place in the Institute and that Risks are being managed appropriately by the Institute s Executive Board. 4.2 Audit Committee The role of the Audit Committee is to assure Governing Body that an adequate Risk Management Framework is in place in the Institute. In providing the required level of assurance, the Audit Committee will: Keep under review, and advise on, the operation and effectiveness of the Institute s Risk Management Framework; Ensure that assurance provided by management and external/internal auditors is appropriate; Monitor the effectiveness of Risk Management in relation to risks identified as fundamental to the success or failure of the Institute s strategic objectives; Receive reports from the Risk Management Committee on its findings in relation to risk management and the adequacy of the Risk Management Framework on a bi-annual basis. The Audit Committee will request the Risk Management Committee to present these findings to Governing Body. 4.3 Risk Management Committee The President of the Institute has overall responsibility for ensuring that procedures and processes are in place to enable adherence to this Risk Management Policy Additionally, the Risk Management Committee will: Ensure the development of the Risk Management Policy of the Institute for approval by Governing Body and Audit Committee. Ensure compliance with the Code of Governance for Third Level Institutions and Code of Practice for the Governance of State Bodies with respect to risk management. Version th November

7 Ensure the co-ordination and promotion of risk management by ensuring that risk processes, including the identification, assessment and management of risks are operated efficiently and effectively. Ensure that fundamental risks, which threaten the achievement of the Institute s objectives, are identified, assessed and included in the Institute s Risk Register, which shall be reviewed regularly and included in the Committee s reports to Governing Body and Audit Committee. Ensure that each fundamental risk has a risk owner who is responsible for its management and who will report on that management to the Risk Management Committee. Ensure that local risks, including health and safety risks, inter alia, are appropriately managed and receive reports from heads of administrative/academic units in that regard. Ensure adequate systems are in place to identify new or emerging risks and ensure that they are being considered by the appropriate Institute bodies. Ensure that there is appropriate communication with staff on risk, risk policy and controls. Ensure that a risk management culture is encouraged throughout the Institute and ensure that risk is embedded as part of the Institute s decision making and operation. Ensure in conjunction with the Finance Committee and Executive Board that risk is considered as part of the annual planning and budgetary process. Ensure that risk registers are received from heads of administrative and academic units and refer any risk that may require escalation to the Governing Body for consideration. Ensure that reports are received on Institute insurances. Ensure that adequate training is in place to support staff in fulfilling the requirements of the Institute s Risk Management Policy. Ensure that Institute risk management is in line with best practice and seek external/expert advice as necessary. Ensure that there is adequate flow of information to the Audit Committee to allow that Committee to fulfil its remit with respect to Risk Management. 4.4 Institute Executive Board The Institute s Executive Board is responsible for: Implementing the Institute s Risk Management Policy; Identifying and monitoring Risks; Ensuring that each risk has a Risk Owner responsible for its management; Ensuring that controls identified are working, provide periodic positive assurance that they are working and/or report if they are not working. Ensuring that individuals understand what level of risk they are assigned to take on behalf of the Institute; Ensuring local risks are appropriately managed (through consideration of reports on local risk on a bi-annual basis from Heads of Function / Heads of School / Heads of Department /Heads of Administrative Units / Leaders of Strategic Pillars); Version th November

8 Taking particular note of any risks identified locally that should be escalated to the Risk Register; Reviewing the Risk Register on a bi-annual basis in light of reports on local risk analysis and other relevant matters; Monitoring the assessment and management of risks that could impact on the achievement of the Institute s objectives; Encouraging a risk management culture throughout the Institute so that risk is embedded as part of the Institute s decision making and operation; Critically reviewing the effectiveness of risk management processes; Report to the Institute Risk Management Committee on a bi-annual basis on the Institute s Risk Register and the implementation of the Risk Management Framework. 4.5 Heads of Function / Heads of School / Heads of Department /Heads of Administrative Units Heads of Function / Heads of School / Heads of Department /Heads of Administrative Units are responsible for the following in relation to risk management: Implementation of Institute Policy in relation to Risk Management within their area of control; The identification, assessment, management and ownership of risk within their area of control; The establishment and regular review of local risks in their area and its transmission to their line manager who is a member of the Executive Board bi-annually or as required; Heads of Function / Heads of School / Heads of Department /Heads of Administrative Units will report bi-annually to the Executive Board on local risks within their areas of control; The identification of new and emerging risks that cannot be managed locally and the reporting of such risks to the Executive Board as required but at least bi-annually for escalation to the Risk Register; Ensuring that all substantial projects or new programmes undergo risk assessment and that such assessment is included in the project/ programme proposal, and reporting on same to the Executive Board; Supporting the embedding of risk management in their area and the development of a risk-aware culture. 4.6 Risk Owner The risk owner oversees the process around the management of a particular risk. The risk owner s role in relation to risk management includes: Coordination of the relevant risk controls; Ensuring staff are dealing with local risks; Overall management of the risk. 4.7 Internal Audit Version th November

9 4.7.1 Internal Audit is responsible for the review of internal controls within the Institute. In developing its Annual Internal Audit Plan, in consultation with the Audit Committee and the President, cognisance will be taken of the Institute s Risk Register. The internal audit reviews of Institute activities / faculties / functions / units will include a periodic assessment of the effectiveness of their respective risk management processes and will report to the Governing Body, through its Audit Committee, on how those risks are being managed. 5. RISK MANAGEMENT FRAMEWORK 5.1 The Risk Management Framework is an iterative process consisting of steps when taken in sequence, enable continual improvement in decision making. It constitutes a logical and systematic method of identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable the Institute to minimise losses and maximise opportunities. The Institute s Risk Management Framework provides assurance from academic and administrative functions to the senior management team and, through the team, to the Risk Management Committee, Audit Committee and Governing Body. Effective risk management focuses on understanding and measuring risk and control rather than necessarily avoiding or totally eliminating it and comprises the following components: 5.2 Risk Identification The purpose of risk identification is to produce a list of the potential risks that could impact on the Institute achieving its objectives. Risks will be identified (commonly under four pre-defined categories as set out in Section 3.1) and prioritised using a variety of techniques such as interviews, workshops, School /Departmental meetings etc. A formal risk identification and review exercise will be undertaken on a biannual basis in order to update the Risk Register with any local risks as required. The risk identification process will commence with the establishment of a Risk Register by the Institute s Executive Board. 5.3 Risk Assessment The size of any risk can be measured using two dimensions, the affect on the Institute should the risk materialise (impact) and the probability of the event occurring (likelihood). To ensure consistency of application across the Institute, risks identified must be assessed and measured in accordance with inherent and residual risk criteria as shown in the table below: Assessment Inherent Residual Impact The extent of impact on The extent of impact on the Institute s operations if the Institute s operations if the risk arises in the the risk arises in the absence of mitigating presence of mitigating controls. actions and controls. Version th November

10 Likelihood The probability of the risk arising in the absence of mitigating controls. The probability of the risk arising in the presence of mitigating actions and controls Appropriate quantification of risk is critical to an effective Risk Management Framework. Not all risks are equal and effective risk management is only possible if risks are prioritised appropriately. Generally, risks should be prioritised according to their ability to affect the Institute achieving its objectives and therefore may change as objectives change. Certain risks will be deemed to be Fundamental Risks and will be recognised as being of greater strategic or operational importance to the Institute than Non- Fundamental Risk. This approach enables risk management resources to be targeted to the most important areas whilst still recognising less important risks. The method of assessment of risk is set out in the Guide to Risk Management attached as Appendix 1 to this Policy. 5.4 Control and Risk Mitigation Based on the risk assessment, controls and mitigating actions are put in place to reduce exposure to the risk materialising. Heads of Function / Heads of School / Heads of Department / Heads of Administrative Units, are responsible for implementing and enforcing controls that effectively manage and mitigate risks identified, to a level that is within the tolerance limits approved by the Executive Board. Heads of Function / Heads of School / Heads of Department / Heads of Administrative Units are expected to document the controls that are in place to mitigate against the risks materialising. Once documented, the risks are reassessed by the Risk Owner for their residual risk on a bi-annual basis. The aim of the residual risk assessment is to ensure that the control is still meeting its design objective of managing/mitigating the inherent risk to acceptable residual levels. Controls implemented must be relative and reflect the likelihood and impact of the risk, if it occurred. An efficient and effective control will have the appropriate balance between the cost of implementing, the likelihood and potential impact of the risk event if it occurred and residual risk. Mitigating actions and controls include all the policies, procedures, practices and processes in place to provide reasonable assurance of the management of risk. Where mitigating actions / controls exist but are not being followed and monitored, then it is policy that it is deemed that adequate controls do not exist, as in order for mitigating practices / controls to be effective they also must be communicated, actioned and monitored. As a result of the risk and control assessment process, actions with clear accountabilities will be set for all risks where gaps in the control environment Version th November

11 are identified. These action plans as determined by Heads of Function / Heads of School / Heads of Department /Heads of Administrative Units are developed to introduce new controls or improve existing controls as required. To ensure accountability these actions will be linked to the risk and therefore to the underlying strategic objective. If this part of the process does not occur then the benefits of the risk identification process will not be realised. The Heads of Function / Heads of School / Heads of Department / Heads of Administrative Units tasked with delivering under the strategic objective will also be responsible for delivering under these actions. A formal audit trail must exist that relates the risk identification and assessment process to the actions arising. The action plans will set out the following: Planned control actions to address risk Responsibility for undertaking the planned activities Timeline for action The Risk Management Committee monitors the implementation of the mitigating control action plans and reports on a bi-annual basis in relation to the progress of same to the Executive Board and Audit Committee. 5.5 Risk Monitoring and Reporting The following monitoring and reporting requirements will apply: Each Head of Function / Head of School / Head of Department / Head of Administrative Unit will consider their own local risks. A review of risks will take place as follows: within one month of any internal audit report where recommendations are made; following major changes to the structure, funding or strategic direction of the Function/ School/ Department/ Unit; following a specific request by the Executive Board: at least twice per annum, notwithstanding the above conditions. Following the completion of a review of their local risks, Heads of Function / Heads of School / Heads of Department /Head of Administrative Units will prepare a report using the standard risk register template attached as Appendix 2 to this Policy. The report will be submitted to the Executive Board for consideration and discussion on a bi-annual basis or immediately depending on the level of the risk as set out in the Guide to Risk Management (Appendix 1) The Executive Board will meet bi-annually to consider local risks, to consider on-going developments within the Institute and any emerging risks. Based on such consideration, the Executive Board will review the Institute s Risk Register and amend the Register as required. Where deemed necessary by the Chairman of the Executive Board, the emergence of new risks may be considered immediately by the Executive Board. The Executive Board will submit a report to the Risk Management Committee on the Risk Register and the effectiveness of the Risk Management Framework twice per annum. Version th November

12 5.5.3 The Risk Management Committee will report at least bi-annually to the Audit Committee and the Governing Body on the management of the Risk Register and the implementation of the Institute s Risk Management Framework. 5.6 Risk Appetite The Institute s risk appetite defines how it accepts and manages risk. Risk elements arising from proposed or actual developments/activities within the Institute may fall into three categories: (i) Risks that are trivial and therefore acceptable and do not need to be managed; (ii) (iii) Risks that are acceptable and will need to be managed; Risks that are unacceptable and therefore the development/activity should not proceed. The concept of risk appetite applies to major developments/activities and is concerned with the placing of a boundary between (ii) and (iii) above. It therefore reflects the Institute s tolerance of risk A major development/activity may be defined as having a value in excess of 1 million or which may pose a significant reputational risk to the Institute. Any such proposed development/activity and associated risks must be reported to the Executive Board for consideration immediately as they arise. This process must be followed also where there is any doubt whether or not a risk associated with any development/activity might be deemed acceptable to the Institute. 5.7 Management of Risk Upon completion of a risk assessment and taking account of the Institute s risk appetite, the Institute may decide to: treat the risk (e.g. use of internal controls); terminate the risk;( do not proceed with the activity); tolerate the risk (accept the risk with or without monitoring), or transfer the risk (e.g. by using insurance, sub-contracting). 6. REVIEW OF POLICY 6.1 This policy will be reviewed every two years to ensure that it continues to enhance the decision-making and operation of the Institute. Version th November

13 Appendix 1 GUIDE TO RISK MANAGEMENT 1. Risk Identification 1.1 The purpose of risk identification is to produce a list of the potential risks that could impact on the Institute achieving its objectives. Risks will be identified under four commonly used headings i.e. Strategic Risks: the inability to achieve the Institute s strategic and operational objectives as set out in the Strategic Plan and not availing of opportunities when they arise; Operational Risks: the inability to prevent a loss resulting from inadequate internal processes and systems; Financial Risks: exposure to losses arising as a result of the need to improve the management of the Institute s financial assets; Reputational Risks: exposure to losses arising as a result of bad press, negative public image and the need to improve stakeholder relationship management. Risks will be identified and prioritised using a variety of techniques such as interviews, workshops, School/Departmental meetings etc. 2. Risk Assessment 2.1 Risk Impact Having identified a risk, the potential impact and likelihood of the risk being realised will be rated. To ensure consistency across the Institute, the following method will be used in assessing risk (examples supplied):

14 IMPACT RATING Financial Impact Examples of Intangible Impacts Financial Strategic Operational Reputational Extreme 4 Over 1 million Non completion of new School resulting in non recruitment of students to new programme Closure/disruption of the Institute for greater than 2 days Serious debilitating injury/loss of life Prominent coverage of the Institute in national news media. Cancellation of exams Serious 3 500,000 1 million Reduced research income of greater than 10% per annum Widespread irregularity in academic processes resulting in overhaul/review of processes Unavailability of School/service of the Institute for more than 2 days Injury requiring hospitalisation. Postponement of exams Embarrassment within a department/function leading to adverse media coverage. Moderate 2 Minor 1 100, ,000 Up to 100,000 Reduced research income of up to 2% per annum. Significant delay in the delivery of planned new academic programmes Minor delay in e.g. achievement of goals relating to integration of teaching & research. Disruption to a few departments delaying the academic process for up to 1 day. Injury requiring attendance at medical facility Delays in exams Non delivery of classes for up to half a day. Injury resulting in cuts/bruises. Disruption to individual exams Reputational impact in local/ specialist area covered in the media. Potential damage evident to those close to the event/area of interest. For the purposes of the risk assessment process, the highest ranked rating across the categories will be deemed to be the overall impact assessment, for example, if a reduction in research earnings scored a 4 under Financial Impact and 3 under Strategic Impact, then that impact assessment rating would be 4. Version th November

15 2.2 Likelihood Analysing risks requires an assessment of their frequency of occurrence also. The following table provides broad descriptions used to support risk likelihood ratings: Rating Likelihood 4 Very Probable Very Likely, will occur in most circumstances (within the next year) 3 Quite Probable 2 Possible 1 Improbable Likely, may occur (once every 1-2 years) Very Unlikely, may occur at some point (once in 3-5 years) Rare, never happen, may occur in exceptional circumstances (once in 5-10 years) Version th November

16 2.3 Risk Rating When rating the risks identified, use the Heat Map table below to calculate the risk score and then the Classification of Risks below to identify the Risk Rating. IMPACT Improbable (1) Possible (2) Quite Probable (3) Very Probable (4) Extreme (4) Likelihood Serious (3) Moderate (2) Minor (1) Table: Heat Map Classification of Risks Score Extreme Red Serious Amber Moderate Yellow Minor Green Version th November

17 2.4 Control Assessment Assess the strength of control. Where the strength of the control is assessed as highly effective reduce the inherent risk score by 90%. Where the control is assessed as moderate i.e. in place with limited exceptions, reduce the inherent risk score by 60% and where there is no control in place or the control has serious weaknesses, reduce the control by 0%. 2.5 When are Risks Assessed The above risk assessment exercise should be carried out at two levels: At an inherent risk level where the potential risks affecting the Institute are assessed in the absence of mitigating actions and controls (at least bi-annually); At a residual risk level where the risks affecting the Institute are considered with selected mitigating actions and controls fully implemented (at least bi-annually). Having identified the inherent risk and the impact and likelihood of that risk, it is necessary to consider the controls which would mitigate the impact and likelihood of that risk being realised. It is essential to distinguish between those controls that are in place and those that are planned. It is then a matter to assess the impact and likelihood of the residual risk being realised. It is important to note that the assessment of residual risk can only be based on controls already in place. Version th November

18 2.6 Risk Register The following template can be used at a local level to capture and analyse risks identified. The example below shows an example of a risk in the financial area and Residual Risk Heat Map should be used in the assessment of Risk (the main Risk Register Template is set out in Appendix 2): Risk No Risk Description 1 Failure to achieve budget strategy Risk Register Template Risk Category Highlight those that apply Strategic Reputational Operational Financial Inherent Risk Rating Impact Likelihood Score Current Controls 1. Financial Controller has a budgetary process in place that is reviewed on a quarterly basis to ensure actual spend is within budget Mitigation Strategy 1. Ensure adherence to budgetary constraints 2. H 90% reduction Control Assessment Risk Owner M - 60% reduction L - 0% reduction Secretary / Financial Controller Action Plan 1. Communication with Schools/Admin Units 2. Implementation of increased controls over spending Control Rating Score 4.8 Version th November

19 2.7 Residual Risk and Level of Reporting Required Residual risk score is the inherent score multiplied by the control percentage. Residual Risk & Level of Further Information Report Extreme The Executive Board Residual Risk Score If the residual risk is deemed to be extreme, then immediate action is required. In this case the activity/project should not proceed or if it relates to an existing activity/project then the Manager of the area who is a member of the Executive Board must inform the Executive Board of the matter so that action can be taken immediately to either moderate the risk or close the activity/project. Serious Head of School or Head of Function who is a member of the Executive Board Serious risks require careful on-going management with frequent evaluation of the risk factors by the manager of the area who is a member of the Executive Board in order to restore them to more acceptable levels of risk. Risks at this level should be reported to the Executive Board at its bi-annual risk management meetings. In the interim, any escalation of risk should be reported to the Executive Board immediately by the relevant Executive Board member. Moderate Head of Department / Unit Minor Head of Department / Customer Service Manager Moderate levels of risk may be acceptable for certain projects and these risks require approval of the Head of Department/Unit prior to commencing the activity/project or to allow the project/activity to continue. Re-assessment of the risk factors should be conducted at regular intervals to assure stakeholders that the risk has not escalated. This is the lowest and most tolerable level of risk. Student projects and individual staff research should carry no higher than tolerable risk without the express approval of the Head of Department/Unit. Re-assessment of the risk factors should be conducted at regular intervals to assure stakeholders that the risk has not escalated. Version th November

20 Appendix 2 Templates 1 Risk Register Template No Risk Category Risk 1 Financial Failure to achieve budget strategy Impact Likelihood Score Controls 3 4 E 1. Financial Controller has a budgetary process in place that is reviewed on a quarterly basis to ensure actual spend is within budget Risk Reduction M 60% Score M Risk Owner Secretary / Financial Controller Actions Required 1. Ensure adherence to budgetary constraints 2. Communication with Schools/Admin Units 3. Implementation of increased controls over spending Dates TBC Version th November

21 2 Local Risk Identification and Analysis Template Risk No 1 Risk Description Risk Register Template Risk Category Highlight those that apply Strategic Reputational Operational Financial Inherent Risk Rating Impact Likelihood Score Current Controls H 90% reduction Control Assessment Risk Owner M - 60% reduction L - 0% reduction Control Rating Score Mitigation Strategy Action Plan Version th November

22 Version th November