Enterprise Risk Management Program

Enterprise Risk Management Program
David W Sundvall, Risk Manager
3/2/2016
Page 0 of 12

Table of Contents
Introduction
Approach
Risk Appetite
Roles and Responsibilities
Process
Risk Evaluation Criteria - Likelihood
Risk Evaluation Criteria - Impact
Integrating Risk Management into UCAR Culture
Glossary of Terms
Risk Contacts

Introduction

Enterprise Risk Management (ERM) is UCAR's comprehensive program to proactively and continuously identify and manage risks that could affect the organization's ability to achieve its goals and objectives. As with universities or organizations within the private sector, UCAR operates in an inherently risky environment. Risks can be categorized in many different ways, including:

By root cause:
- External risks: risks caused by outside people, entities and environments
- People risks: risks involving people who work for the organization
- Process risks: risks arising from the execution of business operations
- Relationship risks: risks caused by connections with third parties
- Systems risks: risks due to data or information assets

By function:
- Strategic risks: risks aligned with strategic goals and objectives
- Operational risks: risks from day-to-day operations
- Financial risks: risks related to funding and spending
- Compliance risks: risks associated with laws, regulations and contractual obligations
- Technology risks: risks arising from software, technical data, hardware, and networks

Managing this portfolio of risks is especially important to help ensure that UCAR can continue to work toward its mission of empowering its member institutions, NCAR, and community programs. By strategically managing risk, we can reduce the chance of loss, create greater financial stability, and protect our resources.

Approach

UCAR's approach to risk management has been developed to support the key requirements of responsible corporate governance. It is an important management discipline that helps to ensure that UCAR achieves the goals and objectives that are set by both NCAR and UCAR. This approach ensures that:
- Risk management supports strategic planning and decision making.
- Managing risk is a transparent process that provides management, auditors, and board members with access to information on current risks and how they are being managed.
- There is consistency in the process for regular risk review, documentation and reporting as circumstances change and are acted upon.
- There is clear accountability for risks. Each risk is assigned an individual owner who is responsible for assessing, evaluating, reviewing, reporting and managing controls.
- Appropriate innovation and progress are encouraged. Risks are managed in a balanced way to avoid surprises without becoming bogged down in details.
- Adequate resources are assigned to risks and controls to ensure satisfactory results.

Successful risk management helps UCAR to manage challenges, organizational changes and regulatory changes to better deliver on its mission. The Board of Trustees, President's Council and Senior Management are advocates of the risk management process and provide the framework for the risk management process to work. UCAR's approach to risk management ensures that there are controls and actions in place to mitigate risks, along with the resources needed to succeed in managing risks.

Risk Appetite

It is important that UCAR management focus on risk awareness rather than risk avoidance. Management should carefully consider the risks it is willing to retain without any additional mitigating actions, thereby setting an invisible line between acceptable risks and risks that require active controls to manage the risk exposure. A higher exposure equates to a higher priority for action. An acceptable level of risk is the point where the cost and effort of additional mitigation to reduce the level of risk is greater than the loss that would be experienced if the risk were to occur.

Roles and Responsibilities

The UCAR President retains ultimate responsibility for risk management. The President:
- Determines the appropriate level of risk that UCAR is willing to accept.
- Presents the current risk register and detailed reports to the Audit and Finance Committee or the Board of Trustees upon request.

The ERM Steering Committee (ERM-SC) roles and responsibilities are currently being handled by President's Council (PC), which has been delegated by the President with responsibility for overseeing risk management activities at UCAR. President's Council:
- Approves appropriate risk management procedures throughout the organization.
- Owns and manages enterprise-level risks for the organization.
- Reviews the risk register regularly and delegates appropriate actions as needed.
- Considers adding or dropping risks from the risk register.
- Acts as risk champion throughout UCAR/NCAR/UCP.
- Ensures that managing risks is integrated with other UCAR processes.

The Audit and Finance Committee of UCAR's Board of Trustees collaborates with UCAR management in monitoring key risks and reports to the Board of Trustees on assurances concerning the management of risks within UCAR.

The Enterprise Risk Manager is responsible for ensuring that risk management activities are carried out effectively throughout UCAR in accordance with the risk management policy and procedures. The Enterprise Risk Manager:
- Maintains the risk register and risk data in the JCAD CORE system.
- Advises President's Council on ERM best practices.
- Supports the regular review of risk management policy and procedures and makes recommendations.
- Produces regular reports for the Board of Trustees, President's Council, and risk and control owners.

ERM Points of Contact (ERM-POC) will be appointed by lab/program/department Directors to serve as local go-to contacts for all ERM matters in their lab/program/department, and to guide the development of localized risk registers and risk control plans. Localized risk registers are updated at least twice a year and provided to the Enterprise Risk Manager for review, consolidation, and reporting to the ERM Steering Committee.

A Risk Owner is assigned to each risk. A Risk Owner is responsible for the management of the particular risk and for ensuring that appropriate and effective controls are in place and operating as intended. It is the Risk Owner's responsibility to provide the President and the Risk Manager with information to report to the Audit and Finance Committee on progress toward mitigation control plans and the results of any new risk assessments.

A Control Owner is assigned to each mitigation control plan or activity. It is the Control Owner's responsibility to provide the Risk Owner with regular updates on the progress and effectiveness of mitigation activities. The Control Owner also reports on control failures and incidents that affect risks to goal achievement.

All Staff are expected to maintain an awareness of the need to manage risks when making decisions and in day-to-day operations. Staff share responsibility for identifying risks and reporting them to their supervisor, especially during periods of change to processes or operations.

Process

A risk to the organization is any event or action that could have a negative impact. This includes events that could lead to:
- Death or injury.
- Financial loss.
- Damage to the UCAR/NCAR/UCP's reputation or adverse media coverage.
- Damage to facilities, including land, water or air quality.
- Failure to meet regulatory or contractual requirements.

The failure to identify and capitalize on opportunities can also be considered a risk. It is good management practice to be aware of risks and take precautions to avoid significant damage as a result of those risks. Therefore, UCAR has developed a risk management program to ensure that management of risks is undertaken in a systematic and standard approach across all of its operations.

Risk assessment process (cycle): Risk Identification, Risk Analysis, Risk Evaluation, Risk Controls, Risk Monitoring and Reporting.

1: Risk identification

Risk identification requires documenting reasonably foreseeable risks that have or may have a significant impact on the organization. Risks may arise from the possibility that opportunities will not be realized, or from the possibility that threats will materialize, mistakes will be made, or damage/injury will occur. Structured risk identification and review sessions should take place at least once a year in labs/programs/departments. As new risks are identified during the normal course of work they should be managed immediately and reported by staff to senior management for assessment and possible inclusion in the risk register. The result of the risk identification process is a comprehensive list of risks known as a risk register.

2: Risk analysis

A thorough analysis needs to be documented for each identified risk, and should include the following information: summary of the risk, detailed description of the risk, impact, likelihood, risk exposure, risk category, goals that are affected, risk source, triggers, consequences, current controls, effectiveness of controls, new controls, risk owner, date the risk was added, date the risk was reviewed, and a time interval for reviews. Risks are identified using the following root-cause categories: external, people, process, relationships, or systems.

3: Risk evaluation

Risk evaluation prioritizes risks, resulting in identification of the risks that require the most attention or additional attention. The level of risk determined in the analysis process is compared to risk criteria using the following options:
- Impact: insignificant, minor, moderate, major, and critical
- Likelihood: rare, unlikely, possible, likely, and almost certain

When assessing likelihood, note that the likelihood score for a risk needs to reflect the likelihood that the impact may occur, rather than the likelihood of the risk occurring.

Risk Evaluation Criteria - Likelihood

Each row gives: score and rating; description; % rate of occurrence; frequency.
- 5 Almost Certain: HIGH, almost certain, expected in most circumstances; > 75%; Daily - Weekly
- 4 Likely: MEDIUM-HIGH, likely, will probably occur; Up to 75%; Monthly
- 3 Possible: MEDIUM, possible, could occur at some time; Up to 50%; Once or twice a year
- 2 Unlikely: MEDIUM-LOW, unlikely, not expected to occur; Up to 30%; Every 2-5 years
- 1 Rare: LOW, rare, exceptional circumstances only; < 10%; 10+ years

Risk Evaluation Criteria - Impact

Each impact level is described across four areas: Service Disruption / Affect Upon Funds or Process; Reputation; Failure to Comply or Meet Obligations; People.

5 Critical
  Service, funds or process: Total failure of service, extremely expensive, >$1M, $$$$
  Reputation: National publicity >3 days, resignations
  Compliance or obligations: Claim, fine, or impact above $5M
  People: Fatality of 1+ employees or citizens

4 Major
  Service, funds or process: Serious disruption to service, $1M, $$$
  Reputation: National public or press interest
  Compliance or obligations: Claim, fine, or impact above $500K
  People: Serious injury or disability of 1+ people

3 Moderate
  Service, funds or process: Disruption to service, $500K, $$
  Reputation: Local public and press interest
  Compliance or obligations: Claim, fine, or impact above $100K
  People: Major injury to people

2 Minor
  Service, funds or process: Some minor impact on service, $100K, $
  Reputation: Contained within the dept but known by entity
  Compliance or obligations: Claim, fine, or impact above $10K
  People: Minor injuries to people

1 Insignificant
  Service, funds or process: Annoyance, small or no $ impact, $5K
  Reputation: Contained within the dept
  Compliance or obligations: Claim, fine, or impact <$10K
  People: Minor injury to individual

Risk prioritization is determined within the JCAD CORE tool by combining the impact ranking and likelihood ranking, resulting in a risk exposure of either very low, low, medium, significant, or high, which can be plotted on a heat map matrix. The exposure ranking of a risk determines:
- The nature of further action that is required, and the urgency with which mitigation action should be undertaken.
- The reporting requirements for the risk, including who the risk is reported to.
- How often the risk is monitored.

4: Risk controls

Controlling risks involves identifying the options for treating each risk, evaluating those options, assigning accountability for oversight, preparing risk treatment plans and implementing them. Many practical options are possible for mitigating risks, and all should be considered before deciding on an action plan.

5: Risk monitoring and reporting

Regular monitoring of risks and risk control action plans is an essential part of the risk assessment process. On a regular basis, risk owners need to ensure that new risks are identified and considered as they arise, and that existing risks are being monitored for changes that may need additional mitigation. Risk control owners need to monitor existing controls to ensure that they are in place and performing as planned. There needs to be ongoing conversation between risk owners and control owners to ensure that the complete risk environment is being managed to expectations.

Risk information needs to be communicated through the President or his/her designee to the Audit and Finance Committee, who will then bring significant risk issues to the attention of the Board of Trustees. By adhering to this risk management assessment process, UCAR will be better able to anticipate and respond to events that might otherwise cause damage. In many cases, the implementation of a robust ERM program contributes to better communication throughout the organization, improved overall compliance, and a more agile organization better able to react to change and opportunity.

The role of the ERM-SC in its review of risk owners' reports is to advise the President on the acceptability and relevance of the controls detailed in the reports. The role of the Risk Manager is to draft a regular ERM report for presentation at the Board of Trustees meetings. The risk monitoring and review process should proceed continuously throughout the year according to an established schedule, with risk owners supplying risk and control reviews and updates to the Risk Manager.

To ensure proper management of risks at a strategic level, President's Council will regularly review the risk register to ensure that:
- New risks to UCAR are identified and considered.
- Existing risks are monitored to identify any changes which may have an impact.
- Risks have been properly assessed and recorded in the risk register together with relevant information such as existing risk controls.
- An appropriate person has been identified for all new risk controls, and new risk controls are being implemented according to the planned schedule.
- Existing risk controls are operating effectively.

As a guide, the following table shows the reporting and action that is required for each level of risk as emerging risks are identified:

High
  Reporting requirements: Must be reported to the Risk Manager, who will report to President's Council for possible reporting to the Audit and Finance Committee.
  Action required: Immediate action must be taken to reduce the risk. If it is not possible to reduce the risk immediately, it must be referred to the President via the Risk Manager.
  Accountability: Assign ownership to the appropriate individual.

Significant
  Reporting requirements: Should be reported at least quarterly to the Risk Manager.
  Action required: Action should be considered to manage the risk.
  Accountability: Assign ownership to the appropriate individual.

Medium
  Reporting requirements: Should be reported within 6 months to the Risk Manager.
  Action required: It may be appropriate that medium risks require no extraordinary action to reduce the risk further.
  Accountability: Assign ownership to the appropriate individual.

Low, Very Low
  Reporting requirements: Should be reported annually to the Risk Manager.
  Action required: It may be appropriate that low and very low risks require no specific action to reduce the risk further.
  Accountability: Assign ownership to the appropriate individual.

Integrating Risk Management into UCAR Culture

To successfully integrate risk management into UCAR culture, staff must be aware of the importance of risk management and be engaged in the process. UCAR's Board of Trustees and President's Council are aware of the value of ERM and are strong proponents of the practice. Staff can find out more about ERM on the Office of the President website: http://president.ucar.edu/. Periodically, ERM updates will be a part of UMF (UCAR Management Forum) and other all-staff trainings and meetings.

Glossary of Terms

A glossary of commonly used terms can be found on the Enterprise Risk Management website.

Risk Contacts

For more information contact: David Sundvall, ERM program manager, risk@ucar.edu, 303-497-8898; Members of President's Council