Procedure: Risk management

Purpose

To outline the procedures involved for the identification, assessment and management of risks.

Procedure

Introduction

1. This procedure outlines the University's Risk Awareness Framework, which is supported by:
- a robust governance structure, including the Audit and Risk Management Committee and the Risk Management Advisory Committee;
- a Risk Management Policy that clearly articulates and assigns key roles and responsibilities; and
- the availability of risk management support, advice, assessment tools and training to academic and support areas.

2. The Corporate Governance and Risk Office (CGRO) provides the following risk management services:
- Strategic risk profiling
- Fraud risk management
- Business continuity planning
- Project risk management
- Grant risk management
- Risk assessment workshops and training

3. A range of guidance material, tools and templates are available for staff reference on the Risk and Audit web page.

4. This procedure provides information as to accountabilities for risk management activities and an overview of the approach recommended for all areas of risk management.

Procedure: Risk management Page 1

Accountabilities

Council:
- Ensure that a risk management framework is established, implemented and maintained;
- Identify strategic risks (in consultation with the Vice-Chancellor) that impact upon the University's strategic objectives; and
- Monitor the management of strategic risks.

Vice-Chancellor:
- Identify and manage strategic risks; and
- Ensure that a risk management framework is established, implemented and maintained in accordance with this policy.

University Executive:
- Identify and manage strategic and operational risks within their portfolio that may impact upon the University's strategic and operational objectives; and
- Promote compliance with statutory and regulatory requirements.

ANU Deans, Service Division Directors and/or Heads of Budget Units:
- Develop and maintain a Strategic Risk Profile;
- Integrate risk management principles with operational planning processes and the management activities of the colleges;
- Ensure the application of risk management principles when major projects are considered or managed;
- Identify and report on risk issues as part of budget planning, annual reporting and assurance processes;
- Develop and maintain a Fraud Risk Profile plan in accordance with the Fraud Control Procedure;
- Develop and maintain a Business Continuity Plan (BCP); and
- Ensure that staff are encouraged to participate in risk management training activities.

Heads of Controlled Entities, and of entities that derive from the legal status of the University, will be responsible to their respective Boards to:
- Develop and maintain a strategic and/or operational plan that integrates risk management principles with planning processes and management activities;
- Identify and report on risk issues as part of budget planning, annual reporting and assurance processes;
- Develop and maintain a Fraud Risk Management Plan;
- Develop and maintain a Business Continuity Plan (BCP); and
- Ensure that staff are encouraged to participate in risk management training activities.

Audit and Risk Management Committee:
- Oversee the risk management framework;
- Monitor strategic and enterprise-wide risks; and
- Receive and consider risk management reports to inform both Council and internal audit activity (including the internal audit plan).

Risk Management Advisory Committee:
- Monitor and review institutional risks;
- Make recommendations to the Director, CGRO, the Audit and Risk Management Committee, and the Vice-Chancellor (as appropriate) on risk management policies and procedures;
- Assist the University to raise levels of management awareness and accountability for risk management and the development of a risk management culture;
- Review and monitor local area risk management plans; and
- Make recommendations on the University's crisis management plans and arrangements, and review incidents as they occur.

Corporate Governance and Risk Office:
Through broad consultation, the role and responsibilities of the CGRO include:
- Facilitate the development, ratification and adoption of the ANU risk management policy and associated procedures;
- Develop and implement a University-wide risk management framework;
- Provide risk management support, advice, assessment tools and training to academic and support areas; and
- Raise the profile of risk management within the University and ensure a culture of risk management is sustained.

Approach - overview

5. Risk analysis is based on identifying those events that contribute to the uncertainty surrounding the achievement of specific objectives or outcomes.

6. Essentially, each such event can then be investigated through a two-dimensional construct: the likelihood of the event occurring and its consequences (sometimes also referred to as impact).

7. The University endorses the application of the Australian and NZ Risk Management Standard AS/NZS ISO 31000:2009, which details the generic risk management process. Specifically, this includes the following elements:
- Establish the context
- Risk identification
- Risk prioritisation
- Risk response
- Risk treatment
- Communicate and consult (at all prior steps)
- Monitor and review (at all prior steps)

8. All staff are encouraged to familiarise themselves with the Australian and NZ Risk Management Standard AS/NZS ISO 31000:2009 and to undertake associated training from a recognised provider if required. Upcoming training events will be publicised through the University's risk portal, and CGRO is available to facilitate customised training as required.

Approach - guidance

9. The same risk management approach is applied to all activities/projects, whether they are strategic or operational in nature. However, additional guidelines are available on the Risk and Audit web page which help to provide context for the area of risk being considered. Specifically, guidance has been provided regarding the management of strategic, grant, project, fraud and business continuity risk assessments.

10. Step 1: Risk Identification
Think broadly about the risks associated with the activity/project. Refer to the ANU Enterprise Wide Risk Matrix, which provides guidance as to the categories and types of risks to consider. Make a list of the potential risks and utilise the ANU Risk Register template as necessary.

11. Step 2: Risk Prioritisation
Determine the high-priority risks by assessing the probability of them occurring (likelihood) and the consequence to the activity/project and to ANU (impact). Initially, this should be done by considering the current risk, that is, the risk facing the activity/project at the moment, with operations running as business as usual. The residual risk can then be determined, being the risk remaining after all mitigation strategies have been put in place. Criteria should be set to ensure that risks are prioritised consistently. This can be achieved with reference to the ANU Risk Assessment Matrix, being sure to be clear on what each criterion means for the activity/project.

12. Step 3: Risk Response
There are four things you can do about a risk.

13.
- Mitigate the risk. Take actions to lessen the impact or the likelihood of the risk occurring. For example, if the risk relates to ensuring that information remains confidential, ensure that adequate controls are in place to protect the information and that an appropriate non-disclosure agreement is signed by any party external to ANU.
- Avoid the risk. Do something to remove it, such as moving to an alternative supplier or conducting the activity/project at a different time.
- Transfer the risk. This would involve making someone else responsible. For example, risk may be transferred to a vendor.
- Accept the risk. The responsible officer/delegate/committee may agree that the risk is so small that the effort to take further action is not worthwhile.

Strategies chosen to address each risk should be documented, including any actions required in order to execute the strategy.

14. Step 4: Risk Monitoring
The final step is to continually monitor risks to identify any change in their status. It is best to hold regular risk reviews to identify actions outstanding, reassess risk probability and impact, remove risks that have passed, and identify new risks.

Common language

Business Continuity: A limited return to business operations following a significant and disruptive natural or man-made event.

Consequence: The outcome of a risk if it occurs, expressed qualitatively or quantitatively. Threats have unfavourable consequences, and opportunities have favourable consequences.

Hazard: A source of potential harm or a situation with a potential to cause loss.

Inherent Risk: The level of risk of an unwanted event before consideration of the controls that could be applied within the business to reduce the risk.

Likelihood: The chance that a particular risk will occur. This can be expressed as either a probability for a single event or condition, or a frequency of occurrence for repeat events.

Loss: Any negative consequence, financial or otherwise.

Opportunity: An uncertain beneficial event or condition that, if it occurs, will result in favourable outcomes such as improved safety or saved time or cost.

Practicable: With regard to risk controls, means the level of control that would be practicable to achieve having regard to the severity of the loss; the risk of it occurring; the state of knowledge about the risk; and the availability, suitability and cost of mitigating the risk.

Residual Risk: The risk remaining after the implementation of risk treatments.

Risk: The chance of something happening that will have an impact on the realisation of the University's stated objectives.

Risk Acceptance Threshold: The level of risk exposure above which action must be taken to proactively manage threats and maximise opportunities, and below which risks may be accepted.

Risk Appetite: The level of risk the University is prepared to take on.

Risk Assessment: The process of risk identification, analysis and evaluation.

Risk Classification: All identified risks within ANU should be categorised into one of four descriptors, defined as follows:
- Low: Risks that are acceptable and do not require active management.
- Moderate: Risks that are unlikely to cause much damage and/or threaten the efficiency and effectiveness of the program/activity. Manage by specific monitoring or response procedures.
- High: Risks that are generally not acceptable and likely to cause some damage, disruption or breach of controls. Senior management attention needed and management responsibility specified; treatment plans to be developed and reported to PVC/Executive Director or Vice-Chancellor.
- Extreme: Risks that are not acceptable and likely to threaten the survival or continued effective function of the program or the organisation, either financially or politically. Immediate action required; must be managed by senior management with a detailed treatment plan reported to PVC/Executive Director, Vice-Chancellor and Council.

Risk Control Effectiveness: The actual level of control that is in place and effective, relative to what could reasonably be achieved for the particular risk.

Risk Controls: Policies, delegations, procedures, devices, systems or other actions that eliminate or reduce risk.

Risk Criteria: The criteria by which an informed decision to accept the consequences and the likelihood of a particular risk is made.

Risk Drivers: The factors that introduce risk into the strategic and operational environment of the University. Some examples of the 'risk drivers' in higher education include:
- Globalisation
- Emerging economies
- Funding models
- Government policy
- Increasing regulatory scrutiny and compliance requirements
- Capital investment
- Increasing competition
- Increasing consumer expectations
- Contracting
- Quality of academic program
- Emerging educational delivery systems
- Commercialisation / intellectual property
- Emerging pandemics
- Natural events
- Emerging technology
- Fraud

Risk Evaluation: The process of estimating the likelihood and consequences of identified risks, and comparing them against a defined risk acceptance threshold.

Risk Identification: A structured process to identify threats and opportunities.

Risk Management: The application of rigorous analyses, appropriate decision making and actions to achieve the University's stated objectives.

Risk Owner: A person with the capacity, authority, experience and resources necessary to deal with and monitor an identified risk.

Risk Profile: The identified and assessed risks associated with a particular context (e.g. a project or College) and/or impact area (such as safety or fraud).

Risk Treatment: The process of selection and implementation of measures to modify risk. Risk treatment measures can include avoiding, modifying, sharing or retaining risk.

Risk Types:
- Strategic: These risks relate to the overall objectives and long-term viability of the University. Examples include the ability to acquire adequate funding, or the ability to maintain the integrity of the University's reputation and relevance.
- Business and operational: These are risks concerned with 'day to day' business practices that assist the University to meet its strategic objectives, and would include risks associated with contract management, financial and asset management, and stakeholder management (internal/external).
- Enterprise-wide: These risks have a systemic focus, such as knowledge and information management, HR management and facilities management.
- Specialist: Relates to areas of risk that are often externally regulated and require specialist expertise but relate to the whole of the University. Examples would include OH&S, security and fraud.

Threat: An uncertain adverse event or condition that, if it occurs, will result in unfavourable outcomes such as injury, damage to the environment, delay, or economic loss.