Risk Management at ECU: An Introductory Presentation for ECU Staff
Phillip Draber, Manager, Risk and Assurance
Outcomes By the end of this session you should: Be able to complete and document risk management (RM) applicable to your School, Centre or Project. Be able to: Effectively understand how RM is integrated with ECU's Strategic Planning and Operational Planning and Project processes; Develop a focussed RM capability within your School, Centre or Project.
Risk Management - Context Risk management is integral to the successful conduct of operations or the completion of any project. What is the risk management process? How can the risk management process be applied to a project? This introductory session will outline what the RM process is at ECU and how it is broadly used in ECU operations and projects.
What is Risk? The effect of uncertainty on ECU's objectives at the strategic, operational and tactical (project) level. A deviation from the expected, positive and/or negative. All decisions create a risk. Did we make the right decision? Can we manage the outcomes of that decision?
Consequences of Poor Risk Management
- Global Financial Crisis?
- $16 Million Software Fix for the RMIT Peoplesoft IT Software (2002-2004).
- Perth Arena [1] (2007-Current):
  - $438 Million cost vs. $160 Million budget
  - Opening 3 years later than scheduled
  - Alterations in the allocation between contractors and State Government
  - Increased risk to the State
  - Lack of transparency in decision-making
[1] The Office of the Auditor General for WA Report 1/2010, The Planning and Management of Perth Arena, Perth Western Australia, 10 March 2010.
Risk Management is A logical, systematic method to: Identify Analyse Evaluate, and Treat Risks Associated with activities, functions and processes that enable ECU to maximise and exploit opportunities by minimising threats and hazards and the impact of adverse events encountered in the pursuit of our strategies.
Risk Management is About creating and protecting value An integral part of all University processes Part of ECU decision-making About addressing uncertainty Systematic, structured and timely Based on the best available information Tailored for ECU About taking into account our culture and our community Transparent and inclusive Dynamic, iterative and responsive About continuous improvement at ECU
Applications of Risk Management Process Contingency or uncertainty based IT Disaster Recovery Plans Business Continuity Plans Hazard based Workplace Safety Hazard Assessments Duty of Care for Work Place Integrated Learning Practicum Project based Major IT Systems Projects Offshore Programs Capital Works Operations Strategic Risk Management & Reporting Faculty and Centre Risk Registers
When Risk Management can be Used Alignment with Quality @ ECU Cycle: Plan Do Review Improve Material risks associated with key initiatives Material risks associated with various options or alternative courses of action Regular monitoring of and reporting on how we are managing identified risks Lessons learned from our experiences to improve (particularly when mistakes made)
Integrated Risk Management Policy Policy Statement The aim of this policy is to provide a framework to manage the risks involved in all University activities to maximise opportunities and minimise adversity. Considered and structured risk-taking is an essential ingredient in the successful achievement of the University's mission and strategic objectives. To this end, the University will maintain procedures to provide the Council and the Senior Leadership Team with a systematic view of the risks faced in the course of ECU activities. Where appropriate these procedures will be consistent with the Standards Australia Risk Management Standard, AS/NZS 4360:2004 - Risk Management [1].
[1] Now superseded by AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines
Introduction Integrated Risk Management Guidelines Risk Management can be characterised as the culture, processes and structures that are directed towards the effective management of potential opportunities to reduce or mitigate adverse impacts to an organisation. Risk is inherent in all academic, administrative and business activities. Every member of the University community continuously manages risk. Formal and systematic approaches to managing risk have evolved that are now regarded as good practice. Consequently, ECU acknowledges that the adoption of a strategic and formal approach to risk management will improve decision-making, enhance outcomes and lead to greater accountability. The aim of risk management is not to eliminate risk, rather to manage the risks involved in all University activities, with the overall goal of maximising opportunities and minimising adversity.
Integrated Risk Management Framework As part of integrated risk management, it is important for ECU to define the Risk Framework facing it and thus set the context for the manner by which risk is managed at the University. To this end, an IRM Framework has been developed that maps risks to ECU's strategic priorities. It forms the basis for all risk registers as well as the structure of the ECU Strategic Risk Register. The information in the map should not be seen as exhaustive, but rather as a tool to assist in the identification and control of operational risks.
Risk Management Process (adopted from ISO Standard 31000)
- Establish Context
- Risk Assessment: Identify Risks, Analyse Risks, Evaluate Risks
- Treat Risks
- Communication and Consultation
- Monitor and Review
Establish a Context
- Context of the ECU risk management process: Risk Management Policy, Guidelines and Risk Map
- Strategic Risk: directly related to ECU's Strategic Priorities
- Operational: related to Schools and Centres and would incorporate strategic risks managed by Faculties and Centres
- Opportunity Risk Management: major projects such as IT, Commercialisation, Capital Works Projects and Offshore Programs
- Establish criteria against which risk will be evaluated
- Defines structure of risk analysis
Functional Risk Categories and their Consequences Identifying risks and their consequences is the first step in the risk management process and is the precursor for the risk assessment. To provide structure for this step, the Senior Leadership Team and Council have approved an integrated risk management framework. Each risk and consequence can be categorised for higher order analysis. Categorising risks and their consequences will focus risk identification activities and contribute to more effective risk management.
Risk Categories In the Integrated Risk Management Framework and in the Risk Register the functional risk categories are: Engagement Student Recruitment and Retention Teaching and Learning Staffing Research and Creativity IT & Knowledge Systems Physical Infrastructure Financial Management Governance and Accountability
Identification of Risks The identification of what, why and how events arise as the basis for future analysis Use a well structured systematic process Identify studies needed Scope, objectives, resources Use generic sources of risk as a guide Risk Glossary Risk Statements Threat, Risk Event, Impact Hazard, Risk Event, Consequence
Risk Statements Should follow the syntax: "A threat/hazard, whilst doing something (context), may result in an event that has the following impacts/consequences." Consider the following example: "Wet weather whilst driving may result in an accident that causes injury, damage or death."
Analysis of Risks Consider Sources of risk (threats/hazards) The likelihood that those risks may occur Consider The range of potential consequences or impacts The context of existing procedures and controls Consequence and likelihood are combined to produce an estimated (inherent) level of risk
Risk Analysis Best available information sources used Purpose Separate minor risks from major risks Provide data to assist in evaluation and treatment plans Use professional judgement and experience
Qualitative Measures of Likelihood

| Score | Description | Likelihood |
|---|---|---|
| 1 | Theoretically possible but not expected to occur during your career, the activity or the lifetime of the equipment | Rare (<5% probability) |
| 2 | Possible that it may occur once during your career, the activity or the life of the equipment | Possible (5-10% probability) |
| 3 | This event may occur slightly more than twice in your career, during the activity or during the life of the equipment | Occasional (10-25% probability) |
| 4 | This event may occur frequently in your career, the activity or during the life of the equipment | Likely (25-50% probability) |
| 5 | Expected to occur routinely in your career, or at least once during the activity or during the lifetime of the equipment | Almost Certain (>50% probability) |

Qualitative Measures of Consequence or Impact

| Level | Rank | Injuries | Financial Loss | Asset Loss | Interruption to Services | Reputation & Image | Performance |
|---|---|---|---|---|---|---|---|
| Minor | 1 | No injuries | < $50K or 5% of Operational Budget | Little or no impact on assets | < 1/2 day | Unsubstantiated, low impact, low profile or no news items | Up to 5% variation to KPI |
| Disruptive | 2 | First aid treatment | $50K - $250K or 10% of Operational Budget | Minor loss or damage to assets | 1/2-1 day | Substantiated, low impact, low news profile | 5-10% variation to KPI |
| Serious | 3 | Medical treatment | $250K - $3M or 25% of Operational Budget | Major damage to assets | > 1 day to < 1 week | Substantiated, public embarrassment, moderate impact, moderate news profile | 10-25% variation to KPI |
| Critical | 4 | Death or extensive injuries | $3M - $10M or 50% of Operational Budget | Significant loss of assets | 1 week - 1 month | Substantiated, public embarrassment, high impact, high news profile, third party actions | 25-50% variation to KPI |
| Catastrophic | 5 | Multiple deaths or severe permanent disabilities | > $10M or > 50% of Operational Budget | Complete loss of assets | > 1 month | Substantiated, public embarrassment, very high multiple impacts, high widespread news profile, third party actions | > 50% variation to KPI |

Risk Evaluation Factors (REF)

Rows are likelihood (score in brackets); columns are consequences (score in brackets). The likelihood descriptions are those given under Qualitative Measures of Likelihood.

| Likelihood | Minor (1) | Disruptive (2) | Serious (3) | Critical (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Rare (<5% probability) (1) | 1 (Low) | 2 (Low) | 3 (Low) | 4 (Low) | 5 (Moderate) |
| Possible (5-10% probability) (2) | 2 (Low) | 4 (Low) | 6 (Moderate) | 8 (Moderate) | 10 (Substantial) |
| Occasional (10-25% probability) (3) | 3 (Low) | 6 (Moderate) | 9 (Moderate) | 12 (Substantial) | 15 (High) |
| Likely (25-50% probability) (4) | 4 (Low) | 8 (Moderate) | 12 (Substantial) | 16 (High) | 20 (Extreme) |
| Almost Certain (>50% probability) (5) | 5 (Moderate) | 10 (Substantial) | 15 (High) | 20 (Extreme) | 25 (Extreme) |

Risk Evaluation A comparison of estimated risk levels against pre-established criteria: Consider objectives of project or strategies. Consider opportunities of project or strategic outcomes. Decide: can the risk be accepted? Treat, Tolerate, Transfer or Terminate (the 4Ts). Produce prioritised list for action.
Accept Risk Establish acceptable level of risk
Risk Management Delegations
Risk Treatments
- Identify actions required to reduce risk to acceptable level
- Should be cost-effective (ALARP: As Low As is Reasonably Possible)
- Should include timelines/deadlines
- Specific responsibilities must be assigned
Risk Treatments Low and moderate risks Require minimal or no treatment But regularly monitor and review to ensure that they remain low or moderate Substantial/High or Extreme risks Devise, and actively monitor Treatment Action Plans (TAP)
Risk Treatment Options

| Techniques | Tactics | Examples |
|---|---|---|
| Accept | Tolerate | Approvals |
| Avoid | Terminate | Cease Activity |
| Prevent | Treat | Training |
| Engineer | Treat | Equipment Modification |
| Substitute | Treat | Development and Test Environments |
| Detect | Treat | Alarms |
| Risk Transfer | Transfer | Insurances |
Documenting the Process Demonstrates RM is properly conducted Provides management and decision-makers with a plan Addresses key exposures in a logical and prioritised way Provides an accountability mechanism Facilitates continuous monitoring & review Consistent with the Quality@ECU process (PDRI) Allows us to share & communicate RM activities amongst all stakeholders (particularly staff)
Risk Management Plan Template Introduction Context Roles and Responsibilities Risk Identification and Analysis Documentation Approval
Monitor & Review Oversight and review of the risk management system (including internal audit, follow-up and annual reviews) Changes that might affect the activity Occurs concurrently throughout the process, particularly during planning Schools and Centres must regularly: Revisit risk assessments Monitor implementation of action plans
Communication & Consultation Should: Be appropriate Address internal & external stakeholder requirements Cover each stage of the process and the process as a whole Include decisions using a consultative process Be effectively communicated Be documented
Risk Registers and Plan Once the planning context for each risk management process is established (either by a project plan or other source documents) the identification of risks, their analysis and evaluation along with their treatment is to be documented in a risk register. A risk management plan simply identifies how the risk management will be carried out during the activity rather than what risks are to be managed.
Risk Management Outcomes More informed decision-making Improved Business Continuity and Contingency Planning Minimising disruptions to operations and projects Better use of resources Strengthening the culture of continuous improvement
Risk Management Contacts Phillip Draber (x2495) Darryl Welsby (x2426)
Conclusion Risk management is integral to the successful completion of any project. What is the risk management process? How can the risk management process be applied to a project? This introductory session outlined what the RM process is at ECU and how it is broadly used in ECU projects.
Risk Management Questions?