
Risk Management Steve Chadwick & Rhiannon Birch 2015.

Date post: 18-Jan-2016
Upload: luke-garrison
Transcript
Page 1: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Risk Management

Steve Chadwick & Rhiannon Birch 2015

Page 2: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Introductions

Page 3: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Steve Chadwick: Profile

• 35 years in Education
• 28 years in Universities (Hong Kong & UK)
• 24 in strategic planning
• University of Northumbria (‘New’ University)
• Newcastle University (Russell Group)
• Durham University (Russell Group)
• Exeter University (Russell Group)
• Director of Strategic Planning & Change

Page 4: Risk Management Steve Chadwick & Rhiannon Birch 2015.

University of Exeter

Page 5: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Exeter University: Profile

• 7th in the Times Good University Guide 2015
• 9th in the Independent’s Complete University Guide 2015
• In top 10 universities in the UK in National Student Survey
• 3,000 staff, 19,000 students (including over 4,000 international students)

Page 6: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Exeter’s Growth

Page 7: Risk Management Steve Chadwick & Rhiannon Birch 2015.

[Figure: University of Exeter League Table Positions, publication years 2004 to 2014. Series: The Times, Sunday Times, Guardian, Complete University Guide. Axes: Publication Year (x), Rank (y).]

Page 8: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Rhiannon Birch: Profile

• 11 years in university sector in the UK
• Originally from an information/data management background
• Worked at department and central level at the University of Sheffield
• Strategic and academic planning, risk management, HE policy advice, project management
• Since 2013, Deputy Director of Strategy, Planning and Governance, University of Sheffield
• Part-time PhD student looking at higher education

Page 9: Risk Management Steve Chadwick & Rhiannon Birch 2015.

University of Sheffield

Page 10: Risk Management Steve Chadwick & Rhiannon Birch 2015.

University of Sheffield: Profile

• Large, comprehensive civic university, established in 1905 by the people of the UK’s 4th largest city

• 26,300 students; 7,200 staff
• Arts and Humanities, Engineering, Medicine, Dentistry and Health, Science and Social Sciences
• Ranked 80th in the 2015 QS World University rankings
• Focus on research-led teaching
  – In the top 10 per cent of all UK universities, in the 2014 Research Excellence Framework (REF)
  – 1st for Student Experience in the Times Higher Education Student Experience Awards, 2014-15

Page 11: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Risk Management OBJECTIVES

• Understand the Principles of Risk Management
  – Be familiar with the principles & elements of risk management.
  – Describe how risk management affects institutional performance.
• Develop a Risk Management Framework
  – Develop risk management framework
• Identify and Assess Risks
  – Utilize a sample of risk assessment tools.
  – Conduct risk analysis
• Maintain, Update and Monitor Risk
  – Monitor the management of significant risks to reduce their unwelcome results.
  – Report annually on the effectiveness of the process and procedures of risk management.

Page 12: Risk Management Steve Chadwick & Rhiannon Birch 2015.

RISK MANAGEMENT

• Session 1: What is Risk? – Basic overview of concepts

• Session 2: Risk Management Framework – How an enterprise risk management system works

• Session 3: Identifying Risks – Basic tools for identifying and categorising risks

• Session 4: Assessing Risks – Impact vs Likelihood

• Session 5: Mitigation, Monitoring and Control – How do we manage our risks? Gross vs Net and reporting tools

• Session 6: Next Steps

Page 13: Risk Management Steve Chadwick & Rhiannon Birch 2015.

APPROACH

• Practitioner’s perspective

• Case-studies

• Interactive

• Participative

• Pair, group and whole class discussion

Page 14: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Risk Management

Session 1: What is Risk

Page 15: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Session 1: Overview

• What is risk?
• What is risk management?
• Why do we need it?
• Understanding the basics
  – Definitions
  – A typical Risk Management Framework
  – Who’s involved?

Page 16: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Questions You Want Answered from Today’s Session?

TASK

Page 17: Risk Management Steve Chadwick & Rhiannon Birch 2015.

What is Risk?

• RISK: the possibility that an action, event, or set of circumstances will adversely or beneficially affect the University’s ability to achieve our objectives. (UoB)
• RISK: uncertainty of outcome, whether positive opportunity or negative threat (PRINCE2)
• RISK is about the future and comes from uncertainty

Page 18: Risk Management Steve Chadwick & Rhiannon Birch 2015.

What is Risk?

• Anything that may affect the achievement of objectives
• Uncertainty that surrounds future events or outcomes
• The expression of the likelihood and impact of an event with the potential to influence the achievement of an organization’s objectives

Page 19: Risk Management Steve Chadwick & Rhiannon Birch 2015.

What are some risks at your institution?

TASK

Page 20: Risk Management Steve Chadwick & Rhiannon Birch 2015.

What is Risk Management?

• RISK MANAGEMENT: the planned and systematic approach to identification, evaluation and control of risk. (UoB)
• RISK MANAGEMENT: to manage the probability of specific risks occurring and the potential impact if they did occur, taking action to keep exposure to an acceptable level in a cost-effective way (PRINCE2)

Page 21: Risk Management Steve Chadwick & Rhiannon Birch 2015.

What is Risk Management?

• A scientific approach to dealing with risks by anticipating possible losses and designing and implementing procedures to minimize the loss or impact of the losses that do occur

• A logical, systematic method of identifying, analyzing, managing and monitoring the risks involved in any activity or process.

• The culture, processes and structures that are directed towards realizing potential opportunities and managing adverse effects

Page 22: Risk Management Steve Chadwick & Rhiannon Birch 2015.


What is Enterprise Risk Management?

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework. 2004. The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Page 23: Risk Management Steve Chadwick & Rhiannon Birch 2015.

So why do we need it?

The only alternative to risk management is crisis management - and crisis management is much more expensive, time consuming and embarrassing.

JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003

Without good risk management practices, (an institution) cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs.

Sheila Fraser, Auditor General of Canada

You only find out who is swimming naked when the tide goes out.

WARREN BUFFETT, Chairman’s Letter to shareholders of Berkshire Hathaway Inc, 2001

Page 24: Risk Management Steve Chadwick & Rhiannon Birch 2015.


Why do we need Risk Management?

• Increases risk awareness – What could affect the achievement of objectives? What could change? What could go wrong? What could go right?

• Increases understanding of sensitivities. What makes my risks increase/decrease/disappear?

• Promotes an open and transparent risk culture – It’s safe to talk about risk.

• Develops a common and consistent approach to risk - not intuition-based.

Page 25: Risk Management Steve Chadwick & Rhiannon Birch 2015.


Why do we need Risk Management?

• Allows intelligent “informed” risk-taking
• Focuses efforts – helps prioritize. Top 10 list. Or top 3. Or…
• Proactive not reactive – Prepare before things happen.
• Helps achieve objectives (corporate, college, unit etc)
• Enables accountability, transparency and responsibility
• Can reduce the impact and provide assurance if things do go wrong – we were responsible not blind
• It’s good management …

Page 26: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Why do we need Risk Management?

Risk Management is now an integral part of business planning in private and public-sector organizations throughout the world

“Risk assessment and management should be an integral component of planning strategies with appropriate mechanisms developed for risk assessment and minimization”

NCAAA Standard 2 Paragraph 2.29

Page 27: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Why do we need Risk Management?

…and it’s not just necessary at the institutional level. Risk needs to be embedded throughout the University since we have many risks specific to the nature of our endeavours.

For example:

• Students undertaking projects off-campus
• Who are not yet legally adults
• Who, if they are women, could be pregnant
• And who could carry out practical work in labs or with machinery.

Page 28: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the basics

• A few definitions

• A typical Risk Management process

• Who’s involved?

Page 29: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the Basics: Definitions

Risk Source

• A risk source has the intrinsic potential to give rise to risk. It is the place from which a risk originates - where it comes from.
  – There are many potential sources of risk. All of these elements could potentially generate a risk that must be managed.

Page 30: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Sources of Risk

• Government policy and regulation – funding regime
• Competitor activity – growth into your markets
• Economic conditions and market activity – global economic downturn
• Technological change – MOOCs, social media
• Environmental change – global warming
• Behaviour – student preferences, slowness to adapt, staff attitudes, management shortcomings
• Natural or man-made disasters or accidents – Tsunami, fire
• Mistakes – data errors, IT system crash
• Illegal or non-compliant activity – fraud

Page 31: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the Basics: Definitions

Risk Levels

• The level of risk is its magnitude. It is estimated by considering and combining impact and likelihood.
  – A level of risk can be assigned to a single risk or a combination of risks. It can be determined either qualitatively (e.g. Low-Medium-High) or numerically on an agreed scale.
  – Impact can itself be on multiple levels …

Page 32: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Risk Levels

• Systemic Risk – affects whole sector (e.g. funding regime change)
• Strategic Risk – affects the strategic objectives of the organisation (e.g. student recruitment or research activity)
• Operational Risk – inherent in doing business (data quality)
• Programme or Project Risk – bounded and should be managed within project
• Local Risk – bounded, local impact only (staff sickness)

Page 33: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the Basics: Definitions

Risk Management Framework

• A set of components that support and sustain risk management throughout the University.

• We can group them into two parts:
  – Foundations: e.g. risk management policy, objectives, appetite and tolerance.
  – Organizational arrangements: e.g. plans, relationships, accountabilities, resources, processes, templates, registers and activities used to manage the University’s risks.

Page 34: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the Basics: Definitions

Risk Management Policy

• A document which expresses the University’s commitment to risk management and clarifies its general direction or intention.

– Typically it includes a description of the risk management framework, roles and responsibilities, annual cycle, definitions etc.

Page 35: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the Basics: Definitions

Risk Appetite/Attitude

• A description of the University’s general approach to risk and how much risk it will accept.
  – Risk appetite influences how risks are assessed and managed - whether they are taken, tolerated, retained, shared, reduced, or avoided, and whether or not risk treatments are implemented or postponed

Page 36: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the Basics: Definitions

Risk Owner

• The person who has responsibility for ensuring a risk is managed.

– In some cases the risk owner and risk manager are one and the same, but not necessarily. With major corporate risks they are often different people.

Page 37: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the Basics: Definitions

Risk Manager

• The person who has responsibility for managing a risk on a day-to-day basis.

– The risk manager operates the controls which mitigate risk.

Page 38: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the Basics: Definitions

Risk Assessment

• A process made up of three other processes: risk identification, risk analysis, and risk evaluation.

– Identification: a process used to find, recognize, and describe risks

– Analysis: a process used to understand the nature, sources, causes and level of risks. It is also used to study impacts and to examine existing controls.

– Evaluation: a process used to compare risk analysis results with risk appetite in order to determine whether or not a specified level of risk is acceptable or tolerable.

Page 39: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the Basics: Definitions

Impact

• The outcome of an event which has an effect on the University or its objectives.
  – A single event can generate a range of impacts which can have both positive and negative effects on objectives. Initial impact can also escalate through knock-on effects.

Page 40: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the Basics: Definitions

Likelihood

• The chance that something might happen.

– Can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics). In universities, subjective assessment is usually sufficient.

Page 41: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the Basics: Definitions

Treatment

• A risk modification process.
  – It involves selecting and implementing one or more treatment options, such as:
    – Avoid
    – Transfer
    – Control
    – Accept

Page 42: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the Basics: Definitions

Controls

• Controls are any measure or action that modifies risk.
  – Once a treatment has been implemented, it becomes a control. Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk. Risk treatments become controls once they have been implemented

Page 43: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Understanding the Basics: Definitions

Gross and Net Risk

• Gross risk is the risk inherent in any event or action before any mitigating actions.

• Net risk is the risk left over after you’ve applied controls.
  – What’s left after you’ve avoided, transferred, controlled or accepted the risk.

Page 44: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Risk Management process

1. Establish the context – objectives for risk management and any assessment criteria
2. Identify risks
3. Analyse and evaluate risks – likelihood and impact = “size” of the risk and do we need to manage
4. Risk treatment – acceptance, controls
5. Monitor and review
6. Record the risk management process

Page 45: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Risk Management Framework

Identify
• Context Setting
• Stakeholders
• Risk Policy
• Sources of Risk
• Internal/External
• Risk Appetite

Assess
• Likelihood
• Impact
• Gross (Inherent)
• Net (Residual)
• Target

Mitigate
• Risk Treatment
• Avoid
• Transfer
• Control / Contain / Reduce
• Accept

Monitor and Report
• Risk Register
• Regular Reviews
• Key Risk Indicators
• Incident Management
• Audit
• Board

Page 46: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Who is involved in Risk Management in Universities?

• Board
• Senior Management / Executive
• Planning Office
• Finance Office
• Middle Managers
• Programme and Project Managers
• Everyone

But with different responsibilities depending on the risk level

Page 47: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Risk owners and risk managers

• Risk owners
  – Usually members of executive
  – Regular review of risk, receiving information from risk managers
  – Place risk in context of risk policy, audit advice
  – Proactively manages changes to risk likelihood, impact, appetite for their risks

• Risk managers
  – Usually senior/middle management
  – Closer to operational activity – see changes in risk in daily work
  – Identify mitigating activities – ensure they occur
  – Advise risk owners

Page 48: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Elements of Risk Management Framework

[Diagram; text labels recovered from the slide:]

• Top-Down Strategic Risk Assessment (annual)
• Bottom-Up Operation-wide Risk Assessment
• Side labels: Centre; Operations, Projects & Functions
• Current & Future Risk Profile (monthly / quarterly)
• Integrated Board / Executive Reporting (monthly / quarterly)
• Feedback & Actions
• Functional Support Risk Review
• Programme & Project Risk Review
• Operations Risk Review
• Collation of Operational Risk Reviews
• Risk embedded in Strategic Planning
• Action Planning
• Key Risk & Mitigation Reporting
• Integration of Strategic & Operation-wide Reviews
• Key overall risks & adequacy of mitigation
• Operations risk reporting with mitigating actions (quarterly)
• Collated operational risk reporting with mitigating actions (monthly / quarterly)
• Functional risk reporting with mitigating actions (quarterly)
• ‘Watch List’ of risky business initiatives
• High-level SWOT/STEP & Strategic Risk Register
• Board understanding of risk appetite
• Programme & project risk reporting with mitigating actions (monthly)
• Level of risk, mitigation effectiveness, assessment of impact on overall risk profile
• Coordinated mitigation plan & action tracking
• Roles: Board, Executive, Senior Managers, Middle Managers, Planning Office

Page 49: Risk Management Steve Chadwick & Rhiannon Birch 2015.

What makes for effective Risk Management?

• Commitment from Senior Staff
• Integral to management practices
• Embedded in strategic and operational planning
• Open communication
• Appropriate ERM system
• Clear responsibility & accountability
• Normal part of program & project management

Note: These are all characteristics of a mature organization.

Page 50: Risk Management Steve Chadwick & Rhiannon Birch 2015.

Have you been listening?

1. What is the difference between Gross and Net Risk?
2. What is meant by Risk Appetite?
3. Name three critical success factors for effective Risk Management.
4. How do you calculate the level of risk?
5. What is the difference between a risk owner and a risk manager?

