Risk and Business Continuity Risk Registers A user guide Robbie Sinclair Manager Risk and Business Continuity
Post on 17-Jan-2016

Page 1: Risk and Business Continuity Risk Registers A user guide Robbie Sinclair Manager Risk and Business Continuity

Risk and Business Continuity

Risk Registers

A user guide

Robbie Sinclair

Manager Risk and Business Continuity

Page 2

Agenda

Our task is to

1. Understand what Risk is at Griffith University

2. Understand the Risk Policy, Framework and Register

3. Complete the Risk Register

Page 3

Risk at Griffith University

Risk is defined as

“…the chance of something happening that will have an impact on achievement of the University’s objectives…”

The International Standard (ISO 31000:2009) expands on this definition to include the influence of ‘uncertainty’.

Page 4

Risk at Griffith University

Three internal documents guide risk management at Griffith University:

1. Risk Management Policy: currently under review

2. Risk Management Framework: currently under review

3. Risk Register: Executive review and support obtained

Page 5

Risk at Griffith University

About these documents

1. Risk Management Policy
• Remove operational aspects
• Align closer to Strategic Objectives
• Cognisant of TEQSA guidelines

2. Risk Management Framework
• Closer reference to Risk Policy – consistent language
• Reflect “best of breed” position

3. Risk Register
• Existing template
• Review of existing risks currently
• Close alignment to TEQSA guidelines
• Robust Executive Group discussion encouraged!

Page 6

Risk at Griffith University - Hierarchy

Levels (top to bottom):

Griffith University Council

Executive Team (DVC – PVC)

Divisional Management & Staff

Responsibilities:

• Endorsement of risk appetite and policies. Approval of target risk position and action plans

• Functional oversight and provide support to Council, Executive team and business units

• Day to day risk management activities

ASSURANCE PROVIDERS: Internal Audit, Manager Risk and Business Continuity

• Independent challenge of risk information and review of control effectiveness and action implementation

Page 7

Risk at Griffith University

Register columns: No | Risk | Category | Inherent risk (C, L, Rating) | Risk decision | Key controls / mitigating actions | Residual risk (C, L, Rating) | Status | Executive responsible

(C = Consequence, L = Likelihood)

Risk Categories: Safety, Finance, Reputation, Compliance, Commercial

Risk decision

Accept: Controls are deemed appropriate. Monitored and contingency plans developed.

Mitigation: Reduce the likelihood – improving management controls and procedures. Reduce the consequence – putting in place strategies to minimise adverse consequences, e.g. contingency planning, Business Continuity Plan, liability cover in contracts.

Transfer: Shifting responsibility by contract or insurance. Can be transferred as a whole or shared.

Avoid: Not to proceed with the activity, or choosing an alternative approach to achieve the same outcome. Aim is risk management, not aversion.

Consequences: Insignificant, Minor, Moderate, Major, Catastrophic

Likelihood: Rare, Unlikely, Possible, Likely, Almost Certain

Rating: Low, Medium, High, Extreme

Risk: In this space articulate the risk in terms appropriate to the reader. It should be descriptive, to remove ambiguity and misinterpretation.

Key controls / mitigating actions: In this space articulate the key control activities planned or underway to mitigate the risk (assuming the decision regarding the risk was to mitigate in the first place). Controls need to be defined and address the risk issues.

Executive responsible: In this space advise who in your group is responsible for this risk.

Page 8

Likelihood rating

The number of times within a specified period in which a risk may occur either as a consequence of operations or through failure of physical or virtual assets, operating systems, policies or procedures.

Rating | Description | Occurrence | Probability

Almost Certain | Expected to occur in most circumstances | Multiple / 12 months | > 80%

Likely | Strong possibility of occurrence | Within 12 months | 61% – 80%

Possible | May occur occasionally | Within 5 years | 31% – 60%

Unlikely | Not expected to occur but may happen | Within 10 years | 5% – 30%

Rare | May only occur in exceptional circumstances | > 10 years | < 5%

Likelihood Rating: Evaluation Criteria

Ratings are used to provide definition so there is a common understanding of their meaning. The likelihood rating is a measure of the probability over time of exposing the University to specific risks. It considers factors such as:

• Anticipated frequency of occurrence;

• The external environment (e.g. regulatory, economic, competition, community expectations and market issues);

• The procedures, tools and skills currently in place; and

• History of previous events – taking into account Griffith University, other university-sector and wider business-sector experiences.

Page 9

Consequence Rating: Evaluation Criteria

University risks are assessed in terms of the consequence of their impact on strategic objectives. Indirect financial consequences such as reputation and management effort are key considerations. It is understood there can be more than one consequence, and those consequences can be either positive or negative, and sometimes simultaneously. Consequences can be expressed qualitatively or quantitatively and are considered in relation to the achievement of objectives. The following table is used to guide the assessment of consequence of each identified risk.

# The consequence category for “Project Budget” may differ according to the overall value of the project itself. Likewise, the criteria for “Program Delays” may also vary depending on the specific Project deadlines.

Page 10

Risk at Griffith University

Risk matrix (rows: Likelihood; columns: Consequences)

Likelihood \ Consequence | Insignificant | Minor | Moderate | Major | Catastrophic

Almost Certain | Low | Medium | High | High | Extreme

Likely | Low | Medium | Medium | High | High

Possible | Low | Low | Medium | Medium | High

Unlikely | Low | Low | Low | Medium | Medium

Rare | Low | Low | Low | Low | Medium
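The register columns from page 7, the likelihood bands from page 8 and the matrix above can be encoded so that inherent and residual ratings are derived rather than typed by hand, and so that a completed register can be checked for internal consistency (for example, a row marked "Mitigate" whose listed controls leave the rating unchanged). The following is an added example written for this guide, not code from the slides or from Griffith University; the scales and matrix are transcribed from the slides, while the sample register rows, the executive titles in them, the validation rules and the treatment of probability band boundaries are this example's own assumptions.

```python
"""Added worked example (not from the slides): the register scales and the
risk matrix from pages 7, 8 and 10 encoded as data, with consistency checks
an analyst might run over completed register rows. The register entries are
constructed sample data; the validation rules are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
RATING_ORDER = ["Low", "Medium", "High", "Extreme"]
CATEGORIES = {"Safety", "Finance", "Reputation", "Compliance", "Commercial"}
DECISIONS = {"Accept", "Mitigate", "Transfer", "Avoid"}

# Page 10 matrix: one row per likelihood, columns in CONSEQUENCES order.
MATRIX = {
    "Almost Certain": ["Low", "Medium", "High", "High", "Extreme"],
    "Likely":         ["Low", "Medium", "Medium", "High", "High"],
    "Possible":       ["Low", "Low", "Medium", "Medium", "High"],
    "Unlikely":       ["Low", "Low", "Low", "Medium", "Medium"],
    "Rare":           ["Low", "Low", "Low", "Low", "Medium"],
}


def rate(consequence: str, likelihood: str) -> str:
    """Risk rating for a (consequence, likelihood) pair, from the matrix."""
    if consequence not in CONSEQUENCES or likelihood not in LIKELIHOODS:
        raise ValueError(f"unknown scale value: {consequence!r} / {likelihood!r}")
    return MATRIX[likelihood][CONSEQUENCES.index(consequence)]


def likelihood_from_probability(p: float) -> str:
    """Map a probability (0-1) onto the page 8 bands. The slide states the
    bands as whole percentages; a value between two bands (e.g. 60.5%) is
    placed in the higher band here, which is this example's own choice."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if p > 0.80:
        return "Almost Certain"
    if p > 0.60:
        return "Likely"
    if p > 0.30:
        return "Possible"
    if p >= 0.05:
        return "Unlikely"
    return "Rare"


@dataclass
class RiskEntry:
    """One row of the register, using the column set from page 7."""
    number: int
    risk: str
    category: str
    inherent: Tuple[str, str]   # (consequence, likelihood) before controls
    decision: str
    controls: List[str]
    residual: Tuple[str, str]   # (consequence, likelihood) after controls
    status: str
    executive: str

    def inherent_rating(self) -> str:
        return rate(*self.inherent)

    def residual_rating(self) -> str:
        return rate(*self.residual)


def validate(entry: RiskEntry) -> List[str]:
    """Consistency problems with a row; an empty list means it passes."""
    problems = []
    if entry.category not in CATEGORIES:
        problems.append(f"unknown category {entry.category!r}")
    if entry.decision not in DECISIONS:
        problems.append(f"unknown risk decision {entry.decision!r}")
    if not entry.executive.strip():
        problems.append("no executive responsible named")
    inh = RATING_ORDER.index(entry.inherent_rating())
    res = RATING_ORDER.index(entry.residual_rating())
    if res > inh:
        problems.append("residual rating is worse than inherent rating")
    if entry.decision == "Mitigate":
        if not entry.controls:
            problems.append("Mitigate decision but no key controls listed")
        elif res == inh:
            problems.append("Mitigate decision but controls do not change the rating")
    return problems


def report(entries: List[RiskEntry]) -> List[Tuple[int, str, str, List[str]]]:
    """(number, inherent rating, residual rating, problems), worst residual first."""
    ranked = sorted(entries, key=lambda e: RATING_ORDER.index(e.residual_rating()), reverse=True)
    return [(e.number, e.inherent_rating(), e.residual_rating(), validate(e)) for e in ranked]


# Constructed sample rows; risks, controls and executive titles are invented.
SAMPLE = [
    RiskEntry(1, "Mishandling of student personal data breaches privacy obligations",
              "Compliance", ("Major", "Possible"), "Mitigate",
              ["Access to student records restricted by role", "Annual privacy training"],
              ("Moderate", "Unlikely"), "In progress", "Executive A (placeholder)"),
    RiskEntry(2, "Shortfall in research grant income against budget",
              "Finance", ("Major", "Likely"), "Accept",
              ["Quarterly monitoring of grant pipeline"],
              ("Major", "Likely"), "Monitored", "Executive B (placeholder)"),
    RiskEntry(3, "Extended outage of the student portal during enrolment week",
              "Reputation", ("Major", "Possible"), "Mitigate",
              ["Business Continuity Plan for enrolment systems"],
              ("Major", "Possible"), "Planned", "Executive C (placeholder)"),
]

if __name__ == "__main__":
    for number, inh, res, problems in report(SAMPLE):
        print(f"#{number}: inherent {inh}, residual {res}, problems: {problems or 'none'}")
```

Running the block lists row 2 first (residual High), then row 3, which is flagged because its "Mitigate" decision leaves the rating at Medium, then row 1, whose controls take it from Medium to Low. Deriving the ratings from the matrix in code also removes the most common register error, a Rating cell that does not agree with the C and L cells beside it.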

Page 11

Risk at Griffith University

Robbie Sinclair

Manager Risk and Business Continuity

Nathan Campus

Griffith University

Ph: +617 3735 7706