
Page 1: Understanding & Managing “Risk”: A Guide for Managers and ...crs.educoglobal.com/cic/studentpolicies/Policy...1 Understanding and Managing “Risk” at the Cambridge International

Understanding & Managing “Risk”:

A Guide for Managers and Staff

July 2015


Understanding and Managing “Risk” at the Cambridge International College:

A Guide for Managers and Staff

Introduction

All decisions and actions involve risk, “the effect of uncertainty on objectives” (AS/NZS ISO 31000:2009). Put another way, risk can be understood as anything that could prevent a business from achieving its goals or that could produce an outcome resulting in loss. This conceptualisation of risk, of course, allows for positive possibilities as well as negative ones. Managing risk, then, refers to the methods and processes used by organisations both to manage risks and seize opportunities related to the achievement of their objectives. In its family of standards relating to risk management (ISO 31000), the International Organization for Standardization (ISO) identifies risk management as a systematic approach to maximising the chances of success of the business, through the identification, assessment and management of the attendant risk of its business processes and projects. All Managers are responsible for identifying, assessing and managing the risk within their areas of control, and for ensuring that appropriate risk management activities are functioning effectively. The Cambridge International College (CIC) Board and senior staff regularly and methodically consider the range of risks associated with the management and delivery of its educational services, and how to manage those risks effectively, through implementing strategies based on the amount of risk the College considers appropriate and manageable. This document has been developed to explain the risk management approach that Cambridge International College has adopted, and the processes and internal controls it has implemented to help the College better manage and minimise the risks associated with its work. The document should be read in conjunction with the College’s Risk Register and its Risk Management Plan.

Elaborating, Identifying, Assessing and Managing “Risk”: First Principles

As noted above, risk is understood in terms of an action or event affecting the organisation’s ability to achieve its objectives. The first stage in managing any risk to the business is to identify and measure the range and levels of risk the business faces. Risk is measured in terms of the likelihood that an event or action will happen, and the anticipated consequence of that event/action occurring. The more likely it is that an event will happen and the more significant the impact of that event, the greater the assessed level of risk. The table in Appendix 1 illustrates one way that the likelihood and consequence of an event can be characterised, and how the resultant level of risk is then derived. There are two broad levels of risk that need to be understood in the context of a risk management approach – raw risk and residual risk. Raw risk is the level of risk faced by the business before its internal controls are put in place. These internal controls are in the form of the processes, policies and procedures used by the business to govern its work, or any additional controls or mitigating actions taken to deal with a particular situation (see Appendix 2). Residual risk is the level of risk faced by the business after its internal controls have been applied. Assessment and prioritisation of a risk is summarised and entered into the risk management system via a Risk Assessment & Prioritisation Report (see Appendix 3). The detailed listing of raw and residual risks, together with their respective control/mitigation mechanisms, is then represented in a risk register (see Appendix 4) and summarised in a risk matrix (see Appendix 5) as a reporting and decision-making aid.


Understanding & Managing “Risk”: A Guide for CIC Managers & Staff


Risk Management: The Process

A variety of approaches to risk management have been developed and operate in different organisations, according to the industry and operating contexts in which they are embedded. AS/NZS ISO 31000:2009 provides principles and generic guidelines on risk management that can be used by any public, private or community enterprise, association, group or individual. The process of risk management involves:

1. Establishing Context: an understanding of the current conditions in which the organization operates on an internal, external and risk management context. This includes the organisation’s regulatory environment, and its own appetite for risk.

2. Identifying, Analysing and Quantifying Risks: documentation of both the material threats to the organization’s achievement of its objectives and the areas that the organization may exploit for competitive advantage. Risk is then formulated in terms of impact on the organization’s key performance metrics.

3. Assessing and Prioritising Risks: determination of the contribution of each risk to the aggregate risk profile, and appropriate prioritisation.

4. Controlling and Exploiting Risks: development of strategies for controlling and exploiting the various risks.

5. Monitoring and Reviewing: continual measurement and monitoring of the risk environment and the performance of the risk management strategies.

Figure 1 shows how these various elements of risk management are related to each other, with risk assessment central to what is a comprehensive, integrated, whole of organisation approach. Communication and consultation with everyone in the organisation is critical at every stage of what is an on-going, iterative business activity.

Figure 1: The risk management process


Establishing Context

As a private higher education provider in Australia, CIC operates in a complex local public policy and regulatory environment, and an increasingly competitive global marketplace, characterised by rapid technological change in what has become known as the Asian century. In regard to the regulatory framework, CIC’s activities are governed principally by the Tertiary Education Quality and Standards Agency Act 2011 (the TEQSA Act) and the Education Services for Overseas Students Act 2000 (the ESOS Act). TEQSA registers and evaluates the performance of higher education providers against the Higher Education Standards Framework.

A key component of the TEQSA approach is its risk assessments of registered higher education providers. This approach is explained in TEQSA’s Risk Assessment Framework Version 2, released in March 2014. In brief, taking into consideration the provider’s context, history and standing, and an analysis of a series of risk indicators related to students, academic staff and financial sustainability, TEQSA makes an evaluation of potential risks to a provider’s academic standards. Depending on the outcome of the risk assessment, TEQSA’s response to a provider may range from no action through to formal regulatory action or review. Clearly, given CIC’s status as a higher education provider and the nature of TEQSA’s regulatory responsibilities, there is a great deal of overlap in the range of risks that are of interest to each, and the TEQSA approach is incorporated in our risk management approach.

TEQSA’s concerns, however, are restricted to a provider’s academic standards. In addition to its academic standards, which are primary in its considerations, CIC has wider concerns relating to the health, safety and wellbeing of our students, our staff and the community with which we interact. CIC has a low risk appetite for risks relating to:

Legislative and policy compliance;

The administration of our finances and the assets available to us; and

The health, safety and wellbeing of our students, our staff and the community with which we interact.

At the same time, we have a higher risk appetite for innovation and improving best practices, including improvement of our service delivery and increased efficiencies, where these benefits outweigh the risks.

Identifying, Analysing and Quantifying Risks

Risks are identified through environmental scanning (keeping ourselves updated on our operating environment), planning processes, major projects, investigating incidents (risk assessment and mitigation actions are essential elements), internal monitoring (regular audit and inspection) and throughout the change management process. The manager of the work area or process being assessed (the risk owner) is responsible for carrying out the risk assessment process. The risk owner undertakes this assessment because that person is best placed to identify and monitor the risk, to initiate action if the risk becomes more serious, or to escalate the matter to senior management if necessary. Managers should identify sources of risk, their causes and their consequences. Appendix 6 shows the relationship between business planning, the cascade of risks (according to the range of business activities impacted) and the appropriate risk ownership. TEQSA focuses on four areas in its risk assessments:

Regulatory history and standing;

Students (load, experience and outcomes);

Academic staff profile; and

Financial viability and sustainability


TEQSA does so on the basis that these areas provide coverage across key aspects of providers’ operations and all contribute to a view of potential risks to academic standards. At the same time, the Higher Education Standards Framework (Threshold Standards) 2011 sets Provider Registration Standards that must be met, consistent with the Tertiary Education Quality and Standards Agency Act 2011:

Provider standing – the higher education provider is reputable and accountable for the higher education it offers.

Financial viability and sustainability – the higher education provider has the financial resources and financial management capacity to sustain higher education provision consistent with the Provider Registration Standards.

Corporate and academic governance – the higher education provider shows sound corporate and academic governance of its higher education operations.

Primacy of academic quality and integrity – the higher education provider maintains academic quality and integrity in its higher education operations.

Management and human resources – the higher education provider’s higher education operations are well managed and human resources are appropriate.

Responsibilities to students – the higher education provider defines and meets its responsibilities to students, including the provision of information, support and equitable treatment.

Physical and electronic resources and infrastructure – the higher education provider ensures there are well-maintained physical and electronic resources and infrastructure sufficient to enable the achievement of its higher education objectives, across all its locations in Australia and overseas.

By incorporating TEQSA’s specific concerns in this wider framework, we can determine the effect on our objectives from uncertainty associated with all these factors. Risk indicators, accurately identified, provide the risk owner with early warning that action may be required to mitigate that risk through stronger internal controls or, if the indicated risk is outside the business’ control, to be aware of it and closely monitor it. These indicators should be measurable and underpinned with data. TEQSA provides extensive detail of the risk indicators it uses for calculation of overall risk in its Risk Analysis Framework. For example, TEQSA uses “Academic staff on casual work contracts” as a risk indicator, on the basis that

A significantly high proportion of casual academic staff increases the risk of these staff not being appropriately supported and resourced to provide a continuity of support for students, anchor academic activities, engage in scholarly activities, and be active contributing members in a community of scholarship

It then quantifies the number of casual academics employed by a provider as a percentage of the total academic workforce, as a reflection of the inherent risks around mechanisms for effective integration and engagement. On the other hand, too low a proportion of casual academic staff can mean the provider is not sufficiently flexible to respond positively to changes in demand for particular areas of study, or to take advantage of new developments in specific research areas. This is a matter for judgement, based on assessment and prioritisation of the risk.

Assessing and Prioritising Risks

The risk owner carries out the next stage of the risk assessment process by considering the consequences of an event and the likelihood of the outcome occurring. The table in Appendix 1 provides guidance for calculating risk levels. The likelihood scale is based on the event occurring in the next year, while the consequences range from very low disruption to complete loss of service delivery. Again, the more likely it is that an event will happen and the more significant the impact of that event, the greater the assessed level of risk. This process provides information to help us decide whether the risks need to be treated and what the most appropriate form of control should be.

Using another of TEQSA’s risk indicators, “Revenue earned by the provider from the delivery of its own higher education courses to international students”, as an example, the following provides a case of how risks can be assessed and prioritised. Let’s say there are 100 students in our programs, paying $A10,000 each per year, for annual revenue of $A1m. Let’s say further that 37 of them are international students, all of whom are at the limit of their paying capacity, which is in $US. Consider the likelihood and impact of a 15% rise in the Australian dollar ($A) against the US dollar ($US) on enrolments, revenue and financial viability.

Consider first the impact of such a change – at the limit of their paying capacity, all the international students would drop out of the program, resulting in, at least, a 37% reduction in revenue, and a move, on balance, from profit to loss, from financial viability to unsustainability. This is at least a Serious, or more likely, a Very Serious consequence, scoring 4 or 5 according to our methodology (see Appendix 1). But what is the likelihood that such an event would occur? Currently (July 2015) the $A is valued around $US0.75, so a 15% increase in its value would see the $A at $US0.86. Over the last 30 years, the $A has fluctuated from $US0.49 to $US1.10, with average valuation of about $US0.75. However, the $A is on a downward trend, from $US1.10 in the middle of 2011. It would be reasonable to think, then, that an event like a 15% increase could occur at some time, but it’s unlikely in the next year. This would translate to a Likelihood score of 2 and, using our methodology in Appendix 1, a Risk Score of 8 to 10, which is considered “Medium”.

CIC uses a traffic light system in its risk management approach, defining the raw/residual risks and colours as follows:

Green: Risk Score: 1 – 7 (Low). The risk is under control and represents no immediate threat or impact.

Orange: Risk Score: 8 – 14 (Medium). The risk has the potential to move to red. It needs managing and close monitoring but there is no immediate threat that would have a significant impact.

Red: Risk Score: 15+ (High). The risk requires active management. It poses an immediate threat and its impact would be significant. This is a qualitative expert judgement taking into consideration the provider’s context, history and standing, and analysis of risk indicators.

The use of the traffic light system in the contexts of the risk register and the risk matrix can be seen in the exemplar Appendices 3 and 4, respectively.

Controlling and Exploiting Risks

Noting that our definition of risk incorporates positive as well as negative outcomes, our response to identifying, assessing and prioritising the range of risks that CIC will encounter involves both managing risks and seizing opportunities related to the achievement of our objectives. ISO 31000:2009 gives a list of ways to deal with risk:

Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk

Accepting or increasing the risk in order to pursue an opportunity

Removing the risk source

Changing the likelihood

Changing the consequences

Sharing the risk with another party or parties (including contracts and risk financing)

Retaining the risk by informed decision


Cambridge International College has developed an integrated assurance framework to bring together mitigating practices such as the reporting framework, policies, procedures, and guidelines or physical controls that the College uses to govern its work. This is also reflected in the example in Appendix 5. This approach provides clarity over any areas where there is an assurance gap, helps to avoid duplication, and focuses assurance on strategic drivers and initiatives. Further internal controls that support the management of risk are our business continuity plans, emergency response plans, health and safety plans and internal audit and, of course, our academic reviews. The College’s policies are kept current and indexed by function in an accessible, well maintained website, and an internal audit reviews the effectiveness of the internal control system within the College. Independent audit is also carried out in line with our workplace health and safety requirements. The following examples of risks and control/mitigation mechanisms indicate possible responses to identified risk:

The risk of the College not complying with key legislation.

Control: A robust legislative compliance framework that clearly identifies key legislation and ensures there are appropriate processes to respond accordingly.

Comment: This control reduces the likelihood that the College is not compliant, but it may not be able to influence the impact if non-compliance occurred.

The risk that CIC staff incur expenditure that is not in line with College goals.

Control 1: Systems that ensure separation between purchase order creation and approval.

Comment: This reduces the likelihood of such expenditure occurring.

Control 2: Systems such as delegated financial authorities that require “sign-off” from appropriate staff according to the value of the transaction

Comment: This reduces the impact, i.e. dollar value, of the risk. Together, these two controls will reduce both the likelihood and impact of the risk.

Managers (risk owners) implement their own assurance programme to check the risk controls in their areas and develop a realistic, actionable mitigation plan for each major risk, including whether/how a risk is currently managed, and other internal controls already in place. It is important that, where possible, mitigations dovetail with existing plans. Appendix 6 illustrates the relationship between risk at the various layers of the business (the cascade of risk), risk ownership and business planning. The impact of all mitigating actions and sources of assurance is considered before calculating the ‘residual’ risk. Therefore, theoretically at least, likelihood or consequences or both likelihood and consequences of risk can be reduced. It really depends on the nature of the risk, the underlying subject matter, and what specific treatment plan or controls have been identified. If a control system has been listed but is not performing as well as originally intended, then the manager’s mitigation plan will include the improvements to implementation, application or structure of the risk control in this case.

The table in Appendix 2 provides managers with guidance on how to evaluate the effectiveness of risk controls. The controls are ranked level 1 – 3, with a level 1 control being the most robust, and a level 3 control the least robust. Managers should consider also how well a control already in place has been implemented or the extent to which staff are complying, as appropriate. For example, if a procedure is listed as part of the control mechanism but our audit process identifies that it is not complied with, the control is considered to be weak; therefore the manager will not reduce the assessed risk value significantly. A mitigation plan should be developed to address poor compliance. If multiple controls are in place and our audit process verifies a good level of compliance, then the control effectiveness is considered to be robust and the manager can reduce the residual risk.

Completion and submission of a Risk Assessment & Prioritisation Report (see Appendix 3) is the key to accurate and comprehensive identification and prioritisation of the risks that CIC faces. This form enables the preparation of a summary report of the risk identified, an assessment of the risk and any planned/implemented mitigation/control strategy, and the current status of the mitigation process. Once brought to the attention of the relevant manager, the RAP Report can be incorporated in the business papers of the relevant management/Board committee and further considered for inclusion on the CIC Risk Register. Again, the information can be transferred to the Risk Register already in the correct format, reducing any likelihood of inaccuracy in transposition and subsequent consideration.

Appendix 4 provides an integrated representation of the risk management process, brought together in the Risk Register. Take for example Risk 11, which is a Service Quality risk. The risk is that inaccurate information is presented during a lecture or incorrect instructions are given when using equipment. The consequence is poor performance when the graduate leaves CIC and is employed in industry, and CIC develops a poor reputation. The event is considered likely (4) in the absence of controls, with very serious consequences (5), with a resultant “high” risk rating (20). There are, however, multiple methods to reduce the risk, through proper implementation of TEQSA and other industry standards, as well as sound recruitment and selection processes that assure highly qualified and knowledgeable lecturing staff. Holding sufficient professional indemnity insurance reduces the impact of such an event, if it occurs. Regulator inspection and audit gives assurance that the controls have been properly developed and implemented. Effectively controlled, the likelihood of this event is now unlikely (2), but the consequence is still very serious (5) if such an event were to occur, so the residual risk is still considered medium (10), and so needs management and close monitoring.

Monitoring and Reviewing

Once the risk register is prepared, the risks can be summarised in a risk matrix (see Appendix 5), using the residual risk rating and identifying the risk by its Risk Register number. This provides a clear snapshot of the high, medium and low risks the business faces and can be a focus for Board and management discussion. The matrix in Appendix 5 shows that, while there are no high risks identified, there are still a number requiring monitoring and management via the processes that have been implemented. Business planning is also an ongoing process (see Appendix 6). Risk management is incorporated into the business planning cycle at the appropriate level according to whether risks are seen as strategic, corporate or operational. Accordingly, the planning process should include identifying high and key risks; assessing the level of effectiveness of controls; identifying issues or areas for improvement; and making recommendations for improving the controls or addressing the risk in some other way.

The Risk Register should be reviewed and updated regularly, and at any other time should the risk rating change significantly, when new key risks arise, or when the environment and other contextual changes occur. This includes seeking to take advantage of opportunities. This is also a formal process, requiring the completion of a Risk Assessment & Prioritisation Report to “close the loop” in providing assurance that risk is being identified and properly managed on an on-going basis.

Guidelines for Positive Risk-Taking

To this point, the focus of these guidelines has been on managing risk where the consequences are presumed to be negative, and implementing controls to protect the business from those consequences. As noted earlier though, the other half of risk management is in taking positive risks, in order to maximise the chances of success of the business. This section, then, is designed to provide our managers with guidelines on positive risk-taking. Positive risk-taking is weighing up the potential benefits and harms of exercising one choice of action over another, and developing plans and actions that reflect the organisation’s positive potentials and its stated priorities. An early piece on positive risk-taking by Steven Morgan (2004) identifies the following principles for working with risk:

Risk is a normal everyday experience.

Risk is dynamic, constantly changing in response to changing circumstances.

Accessing multiple sources of information enhances assessment of risk, but frequently we will be working with incomplete and possibly inaccurate information.

Identification of risk carries a duty to do something, that is, manage the risk.

Risk-taking is an integral component of good risk management.

Decision-making can be enhanced through positive collaborations.

Risk can be minimised, but not eliminated.

Organisations carry a responsibility to meet reasonable expectations for encouraging a no-blame culture, while not condoning poor practice.

This is the basis on which CIC describes itself as having an appetite for risk – where the risk involves innovation and improving best practices, including improvement of our service delivery and increased efficiencies, and these benefits outweigh the risks. TEQSA also recognises that innovation often involves a degree of risk taking and does not consider risk as necessarily negative or that all risk must be controlled or eliminated. As a learning organisation, CIC actively encourages its people at all levels in the organisation to critically reflect on all the aspects of our business and to proffer their ideas for improvement. When we ask the question “Why do we do it this way?”, the answer “Because this is the way we have always done it” is simply not good enough. We look for opportunities to benchmark our services, not just in education but also in, for example, customer service, with a view to introducing new, better ways of doing things, whether that involves adopting new information and communications technologies in and out of the classroom, developing partnerships with business and community organisations, or improving our assurance of learning processes.

References

International Organisation for Standardisation (2009) ISO Guide 73:2009, Risk Management – Vocabulary, First Edition.

Morgan, S. (2004) Positive risk-taking: an idea whose time has come. http://practicebasedevidence.squarespace.com/storage/pdfs/OpenMind-PositiveRiskTaking.pdf Accessed 12 December 2012.

TEQSA (2014) TEQSA’s Risk Assessment Framework, Version 2.0, March 2014. http://www.teqsa.gov.au/sites/default/files/publication-documents/TEQSARiskAssessFramework2014_0.pdf Accessed 10 April 2014.

Standards Australia/Standards New Zealand Standard Committee (2009) AS/NZS ISO 31000:2009, Risk Management – Principles and Guidelines, November.


Appendix 1 – Assessing risk levels

Risk = Likelihood x Consequence, each scored on a scale of 1 to 5.

Likelihood (of the event occurring in the next year):

1 Rare – May occur only in exceptional circumstances. Less than 1% probability of occurring.

2 Unlikely – Could occur at some time.

3 Possible – Should occur at some time.

4 Likely – Will probably occur in most circumstances.

5 Almost certain – Is expected to occur in most circumstances.

Consequence (if the event occurs):

1 Insignificant – Consequences are very low, minor disruption.

2 Minor – Losses may disrupt services for a short period. Financial losses around $10,000. Disruption to a single area of the business.

3 Moderate – Service lost for a period of 1 – 5 days. Financial loss $10,000 – $100,000. Internal event review required. Moderate injury equivalent to staff requiring time < 5 days away from work. Adverse media coverage for 1 day.

4 Serious – Service lost for a period exceeding 1 week. Financial loss $100,000 – $1M. Adverse media coverage for 1 week. Internal investigation or investigation by an external source/regulator. Staff, contractor or visitor suffers serious injury. Impact to multiple and diverse areas of the business. Significant senior management intervention required, including external assistance.

5 Very serious – Significant resources required to recover from impact. Legal consequences resulting in prosecution. Financial loss >$10M. Staff, contractor or visitor involved in a fatal event. Adverse media coverage for an extended period. Complete loss of service delivery affecting all CIC critical functions.

Risk (Likelihood x Consequence):

Low, 1 – 7 – Manage within existing controls. Monitor 6 monthly/annually. NB: Rare but Very Serious (score 5) and Almost Certain but Insignificant (score 5) are rated Medium.

Medium, 8 – 14 – Evaluate efficiency of existing controls. Develop and implement additional control mechanisms. Monitor quarterly.

High, 15+ – Implement mitigation plan. Escalate/report to senior management for intervention. Monitor weekly (management) or monthly (Board).

The values identified above for financial loss reflect those that may be experienced at an organisational level. Divide the value by 10 for potential losses at business unit level.
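The following Python is an added example, not part of this guide and not the College's own tooling. It encodes the Appendix 1 method (score = likelihood x consequence, banded Low 1 – 7, Medium 8 – 14, High 15+, with the NB that the two extreme corners rate Medium), keeps raw and residual ratings for a Risk Register row as in the Risk 11 example above, and lays residual ratings out as a matrix keyed by register number in the manner of Appendix 5. Risk 11's figures are the guide's own; the other two register rows, their numbers, the `controls_act_on` helper and the monitoring strings are constructed here for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    """Likelihood of the event in the next year (Appendix 1 scale)."""
    RARE = 1            # may occur only in exceptional circumstances
    UNLIKELY = 2        # could occur at some time
    POSSIBLE = 3        # should occur at some time
    LIKELY = 4          # will probably occur in most circumstances
    ALMOST_CERTAIN = 5  # is expected to occur in most circumstances


class Consequence(IntEnum):
    """Consequence if the event occurs (Appendix 1 scale)."""
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    SERIOUS = 4
    VERY_SERIOUS = 5


# Traffic-light bands (band, lowest score in band), highest first.
BANDS = (("High", 15), ("Medium", 8), ("Low", 1))
# Appendix 1 NB: these corners score 5 (arithmetically Low) but are rated Medium.
MEDIUM_OVERRIDES = {(1, 5), (5, 1)}
# Review cadence per band, paraphrased from Appendix 1 (constructed strings).
MONITORING = {
    "Low": "manage within existing controls; monitor 6 monthly/annually",
    "Medium": "evaluate and add controls; monitor quarterly",
    "High": "implement mitigation plan and escalate; monitor weekly/monthly",
}


def risk_score(likelihood: int, consequence: int) -> int:
    """Risk = Likelihood x Consequence, both on the 1..5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be in 1..5")
    return int(likelihood) * int(consequence)


def risk_band(likelihood: int, consequence: int) -> str:
    """Traffic-light band; the NB override is applied before the thresholds."""
    if (int(likelihood), int(consequence)) in MEDIUM_OVERRIDES:
        return "Medium"
    score = risk_score(likelihood, consequence)
    for band, floor in BANDS:
        if score >= floor:
            return band
    return "Low"  # not reached for valid inputs; kept for completeness


@dataclass(frozen=True)
class RegisterEntry:
    """One Risk Register row: raw (before controls) and residual (after) ratings."""
    number: int
    description: str
    raw: tuple       # (likelihood, consequence) before internal controls
    residual: tuple  # (likelihood, consequence) after internal controls

    def raw_rating(self) -> tuple:
        return risk_score(*self.raw), risk_band(*self.raw)

    def residual_rating(self) -> tuple:
        return risk_score(*self.residual), risk_band(*self.residual)

    def controls_act_on(self) -> str:
        """Which factor the controls reduced: 'likelihood', 'consequence', 'both' or 'none'."""
        lk = self.residual[0] < self.raw[0]
        cq = self.residual[1] < self.raw[1]
        return {(True, True): "both", (True, False): "likelihood",
                (False, True): "consequence", (False, False): "none"}[(lk, cq)]


def residual_matrix(entries) -> dict:
    """Risk matrix in the style of Appendix 5: (likelihood, consequence) -> register numbers."""
    grid = {(lk, cq): [] for lk in range(1, 6) for cq in range(1, 6)}
    for entry in entries:
        grid[(int(entry.residual[0]), int(entry.residual[1]))].append(entry.number)
    return grid


# Risk 11 is the guide's worked example; rows 91 and 92 are constructed to show the
# Medium band reached by arithmetic and the Medium band reached by the NB override.
SAMPLE_REGISTER = [
    RegisterEntry(11, "Inaccurate lecture content or equipment instructions",
                  raw=(Likelihood.LIKELY, Consequence.VERY_SERIOUS),
                  residual=(Likelihood.UNLIKELY, Consequence.VERY_SERIOUS)),
    RegisterEntry(91, "15% rise in $A against $US cuts international revenue (constructed)",
                  raw=(Likelihood.UNLIKELY, Consequence.SERIOUS),
                  residual=(Likelihood.UNLIKELY, Consequence.MODERATE)),
    RegisterEntry(92, "Rare but very serious event, no control available (constructed)",
                  raw=(Likelihood.RARE, Consequence.VERY_SERIOUS),
                  residual=(Likelihood.RARE, Consequence.VERY_SERIOUS)),
]

if __name__ == "__main__":
    for e in SAMPLE_REGISTER:
        print(e.number, e.raw_rating(), "->", e.residual_rating(), "controls act on", e.controls_act_on())
    for cell, numbers in sorted(residual_matrix(SAMPLE_REGISTER).items()):
        if numbers:
            print("matrix cell", cell, "->", numbers, MONITORING[risk_band(*cell)])
```

Running the block reproduces the guide's figures for Risk 11 (raw 20 High, residual 10 Medium, with only the likelihood reduced) and shows why the NB override matters: row 92 scores 5 either way, which the thresholds alone would place in Low, but Appendix 1 rates it Medium and so it still needs quarterly monitoring.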


Appendix 2 - Assessing control levels

Control level 1 – examples of control mechanism:
For WH&S, provide a substitute with alternative equipment or substance.
Off site storage (data files)
Back up equipment/assets, e.g. multiple servers, generators
Fire prevention, e.g. appropriate materials, good housekeeping
Management/supervision

Control level 2 – examples of control mechanism:
Maintenance regime, programmed inspection
Fully enclose process, guarding, fencing, locked doors
Policy, procedure, guideline
Technical/industry standards
Contract
Training/development programme
Competent staff
Specialist advice (internal & external)
IT data storage & retrieval systems
Business/service planning
Alternative suppliers
Fire detection equipment
Communication with stakeholders
Recruitment and selection processes
Approval process

Control level 3 – examples of control mechanism:
Information
Warning signs
Personal protective equipment
Monitoring
CCTV
Key performance indicators
Contract monitoring

Implementation and management of risk control measures should be monitored through the audit process.


Appendix 3 - Risk Assessment & Prioritisation Report

Risk Identification

Date Identified:

Risk Description: A possible future situation (threat or opportunity) that, if it occurs, could affect organisational performance, expressed as IF [event] happens/does not happen by [date] THEN [consequence].

Risk Category (one of the following):
SR Standing & Reputation
CG Corporate Governance
AG Academic Governance, Quality & Integrity
SP Student Profile, Experience & Outcomes
SR Staff Profile, Resources & Development
FS Financial Viability & Sustainability
RI Physical & Electronic Resources and Infrastructure

Risk Assessment (circle Raw (initial) or Residual (mitigated))

Probability of Occurrence: Rare (1) to Almost Certain (5)

Impact: Insignificant (1) to Very Serious (5)

Risk Rating: Low / Medium / High

Risk Planning

Mitigation/Control Plan: Specific course of action being taken/recommended to deal with the risk

Risk Owner: Person responsible for the risk and for carrying out the action plan

Risk Status: Current progress/status of the mitigation process


Appendix 4 - Risk Register Example

Register columns: Risk ID; Risk description; Risk consequences; Raw risk (Likelihood, Consequence, Raw Risk); Controls/exploitation strategies; Sources of assurance; Residual risk (L, C, RR).

Risk 1 – Financial
Description: Unable to deliver classes due to building services failure
Consequences: Up to $100,000 in repairs to services and other losses
Raw risk: Likelihood 3, Consequence 3, Raw Risk 9
Controls/exploitation strategies and sources of assurance: Building maintenance programme; “Early notification” fault reporting process; Alternative venue; Supplier audit; Planned general inspection process
Residual risk: L 2, C 3, RR 6

Risk 2 – Service delivery
Description: Failure to adhere to maintenance programme resulting in unreliable classroom ICT equipment
Consequences: Cancellation of classes impacting tutorial programme
Raw risk: Likelihood 4, Consequence 4, Raw Risk 16
Controls/exploitation strategies and sources of assurance: Maintenance programme; Pre-use inspection process; Fault reporting process; Spare equipment; Programming of classes; Contract management protocols
Residual risk: L 2, C 4, RR 8

Risk 3 – WH&S
Description: Failure to comply with WH&S practices – correct storage and handling when using chemicals
Consequences: Staff serious injury, lost time, prosecution, and environmental damage
Raw risk: Likelihood 5, Consequence 4, Raw Risk 20
Controls/exploitation strategies and sources of assurance: Staff training; Appropriate storage; Information (MSDS); Product labelling; Supervision; Written procedures; Personal Protective Equipment; Fume extraction (LEV); Hazard assessment; Planned general inspection; WH&S audit linked to hazard register
Residual risk: L 2, C 4, RR 8


Risk 4 – Reputation
Description: Loss of essential information due to IT failure
Consequences: Unable to access data or provide reports/information to external regulators/stakeholders. Unable to monitor performance
Raw risk: Likelihood 3, Consequence 3, Raw Risk 9
Controls/exploitation strategies and sources of assurance: Maintenance regime; Systems “backed up” and information stored off site; System tests and auditing of data protection systems
Residual risk: L 2, C 3, RR 6

Risk 5 – Finance
Description: The project delivery is delayed
Consequences: Project overrun resulting in excess of $150,000 in additional rent or hire payments
Raw risk: Likelihood 5, Consequence 4, Raw Risk 20
Controls/exploitation strategies and sources of assurance: Project manager appointed; Project planning process; Contract monitoring; Contract identifying timeline and penalties; Audit of project controls
Residual risk: L 3, C 4, RR 12

Risk 6 – Service delivery
Description: Unable to provide secure campus due to unavailability of security equipment on demand
Consequences: College premises not secured due to inoperative electronic security equipment. Theft, unauthorised access
Raw risk: Likelihood 4, Consequence 4, Raw Risk 16
Controls/exploitation strategies and sources of assurance: Equipment servicing; Early notification fault reporting system; Software upgrade; Manual lock up when electronic system fails; Security patrols
Residual risk: L 3, C 4, RR 12

Risk 7 – Service delivery
Description: Electronic monitoring equipment unavailable on demand
Consequences: Unable to monitor premises resulting in potential for loss/theft/vandalism
Raw risk: Likelihood 3, Consequence 3, Raw Risk 9
Controls/exploitation strategies and sources of assurance: Equipment servicing; Regular monitoring; Early notification fault reporting; Security patrols
Residual risk: L 2, C 3, RR 6


Risk 8 – Service delivery
Description: Reliance on contractors to provide essential services
Consequences: Lower level of institutional knowledge resulting in inflexible models of service delivery. Loss of institutional/corporate knowledge
Raw risk: Likelihood 3, Consequence 5, Raw Risk 15
Controls/exploitation strategies and sources of assurance: Robust contract management processes; Alternative suppliers; Supplier audit
Residual risk: L 2, C 5, RR 10

Risk 9 – Legal & regulatory
Description: Breach of building act
Consequences: Delay to project and prosecution
Raw risk: Likelihood 4, Consequence 3, Raw Risk 12
Controls/exploitation strategies and sources of assurance: Project manager in place; Adherence to building standards; Legal advice; Contract management processes; Supplier audit; Contract evaluation process
Residual risk: L 2, C 3, RR 6

Risk 10 – Adverse media coverage
Description: Poorly presented high profile event
Consequences: Media coverage resulting in poor reports in national press publications and national TV
Raw risk: Likelihood 4, Consequence 4, Raw Risk 16
Controls/exploitation strategies and sources of assurance: Advice and management from CIC Communications team; Communications protocols; Operations team providing security plan and security staff
Residual risk: L 2, C 4, RR 8


Risk 11 – Service quality
Description: Inaccurate information presented during a lecture or incorrect instructions given when using equipment
Consequences: Poor performance when graduate leaves CIC and is employed in industry. Also poor reputation
Raw risk: Likelihood 4, Consequence 5, Raw Risk 20
Controls/exploitation strategies and sources of assurance: TEQSA standards; Regulators and industry standards; Recruitment and selection; Professional indemnity insurance; Regulator inspection and audit
Residual risk: L 2, C 5, RR 10

Risk 12 – Service quality
Description: Poor student experience due to course material not being available because of bad planning
Consequences: Student unable to continue with course because of poor performance
Raw risk: Likelihood 3, Consequence 4, Raw Risk 12
Controls/exploitation strategies and sources of assurance: Course manager appointed; Electronic information/media systems available; Personal/group tutors appointed
Residual risk: L 2, C 4, RR 8

Risk 13 – Reputation
Description: Poor student experience due to inadequate information/administrative systems. Courses not properly marketed
Consequences: Students unable to access courses
Raw risk: Likelihood 4, Consequence 5, Raw Risk 20
Controls/exploitation strategies and sources of assurance: Marketing; Study at CIC day; Graduation ceremony; Student recruitment process
Residual risk: L 2, C 5, RR 10

Risk 14 – Finance
Description: Loss of funding from external agencies for research because of inability to produce high calibre Post Graduates
Consequences: Unable to run Post Graduate programmes. Also impacting upon CIC reputation. Unable to service premises in which to deliver programmes
Raw risk: Likelihood 4, Consequence 5, Raw Risk 20
Controls/exploitation strategies and sources of assurance: TEQSA standards; Regulators and industry standards; Recruitment and selection process; Continuous professional and technical development; Regulator inspection and audit
Residual risk: L 2, C 5, RR 10


Risk 15 – HR
Description: Unable to deliver quality services due to our inability to attract and retain high calibre staff
Consequences: Unable to deliver and support high quality teaching programmes
Raw risk: Likelihood 4, Consequence 5, Raw Risk 20
Controls/exploitation strategies and sources of assurance: Staff support; Staff development; Recruitment and selection; Succession management programmes; Communication and newsletters; PDCP
Residual risk: L 2, C 4, RR 8


Appendix 5 – Risk Assessment Matrix (drawn from Risk Register exemplar in Appendix 4)

RISK ASSESSMENT - Record the risk reference number on the risk assessment matrix, using the residual risk value.

| LIKELIHOOD \ CONSEQUENCE | INSIGNIFICANT 1 | MINOR 2 | MODERATE 3 | SERIOUS 4 | VERY SERIOUS 5 |
|---|---|---|---|---|---|
| ALMOST CERTAIN 5 (is expected to occur in most circumstances) | | | | | |
| LIKELY 4 (will probably occur in most circumstances) | | | | | |
| POSSIBLE 3 (should occur at some time) | | | | 5, 6 | |
| UNLIKELY 2 (could occur at some time) | | | 1, 4, 7, 9 | 2, 3, 10, 12, 15 | 8, 11, 13, 14 |
| RARE 1 (may occur only in exceptional circumstances; less than 1% probability of occurring) | | | | | |

Green: Low Risk - the risk is under control and represents no immediate threat or impact.

Orange: Medium Risk - the risk has the potential to move to red. It needs managing and close monitoring, but there is no immediate threat that would have a significant impact.

Red: High Risk - the risk requires active management. It poses an immediate threat and its impact would be significant.

Risk is new or has changed level since previous report
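As an added worked example (not the College's own tooling), the following Python implements the rating table's scoring (Likelihood 1-5 times Consequence 1-5, bands Low 1-7 / Medium 8-14 / High 15+, with the NB that the two corner cells scoring 5 are rated Medium) and places the residual risks of the Appendix 4 register on the Appendix 5 matrix; the residual L/C values are transcribed from the register exemplar.

```python
"""Risk scoring on the CIC guide's Likelihood (1-5) x Consequence (1-5) scales.
Added example, not the College's own tooling: applies the Low (1-7), Medium (8-14)
and High (15+) bands, the guide's note that Rare x Very Serious and Almost Certain x
Insignificant (both score 5) are rated Medium, and places the Appendix 4 register's
residual risks on the Appendix 5 matrix."""
from collections import defaultdict

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Serious", 5: "Very serious"}

def risk_score(likelihood, consequence):
    """Raw or residual risk value = Likelihood x Consequence."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must each be 1..5")
    return likelihood * consequence

def risk_rating(likelihood, consequence):
    """Band the score; the two extreme corners score 5 but are Medium (guide's NB)."""
    if (likelihood, consequence) in {(1, 5), (5, 1)}:
        return "Medium"
    score = risk_score(likelihood, consequence)
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

# Residual (L, C) per risk ID, transcribed from the Appendix 4 exemplar register.
RESIDUAL = {1: (2, 3), 2: (2, 4), 3: (2, 4), 4: (2, 3), 5: (3, 4), 6: (3, 4),
            7: (2, 3), 8: (2, 5), 9: (2, 3), 10: (2, 4), 11: (2, 5), 12: (2, 4),
            13: (2, 5), 14: (2, 5), 15: (2, 4)}

def build_matrix(register):
    """Map each (likelihood, consequence) cell to the sorted risk IDs landing in it."""
    cells = defaultdict(list)
    for risk_id, (lik, con) in register.items():
        cells[(lik, con)].append(risk_id)
    return {cell: sorted(ids) for cell, ids in cells.items()}

def render_matrix(register):
    """Text rendering with Almost certain on top, as Appendix 5 lays it out."""
    cells = build_matrix(register)
    header = "Likelihood \\ Consequence | " + " | ".join(f"{CONSEQUENCE[c]} {c}" for c in range(1, 6))
    lines = [header]
    for lik in range(5, 0, -1):
        row = [f"{LIKELIHOOD[lik]} {lik}"]
        for con in range(1, 6):
            ids = ", ".join(str(i) for i in cells.get((lik, con), []))
            row.append(f"{ids or '-'} [{risk_rating(lik, con)[0]}]")  # [L]/[M]/[H] band
        lines.append(" | ".join(row))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_matrix(RESIDUAL))
```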


Appendix 6 – Business Planning, the Cascade of Risk and Risk Ownership

Table columns: Business Plans; Cascade of Risk; Risk Ownership.

Strategic Plan
Business plan: The strategic plan describes the common purpose and direction of the college, identifies key priorities and strategies to achieve objectives and sets the policy for the next three year planning cycle.
Cascade of risk (Strategic Risks): Risks that may have a positive or negative impact on achieving the College’s strategic purpose and objectives. This also includes wider organisational sector risks. Risks at this level affect the decisions made around organizational priorities, resource allocation and tolerance and acceptance of risk.
Risk ownership: Board of Directors

Operational Plans
Business plan: Annual plans that identify the key accountabilities in implementing the strategic plan, key strategies and targets. Plans are developed through a process of scanning and reviewing past performance and risks to determine upcoming challenges and new priorities.
Cascade of risk (Corporate Risks): Risks or opportunities that may affect achieving the objectives of the planned outcomes of performance identified through the operational plans.
Risk ownership: Managing Director

Other Business Unit Plans
Business plan: These include planning done by business units as well as planning for projects.
Cascade of risk (Operational Risks): Risks or opportunities that affect plans cascading from the enterprise operational plan and achieving the deliverables of projects. Risks at this level relate to the business unit’s systems, resources and processes.
Risk ownership: Academic and Business Managers

Employee Performance and Development Plans
Business plan: Individual employee Performance Review and Professional Development enables staff to identify how their work contributes to achieving their departmental objectives.
Cascade of risk (Operational Risks): When identifying their responsibilities or professional development requirements, employees also need to consider their responsibility in regard to risk management.
Risk ownership: Individual employees