Risk Management Process

Enterprise Risk Management Program

[Flowchart: Risk Management Process
 Columns: Committee/Group | Risk Management Office | PEG | Board
 PART I – Risk Form
   1   Identifies & Defines Risks (New and/or Inventoried Risks)
   2   Quantitative Risk Assessment – crunch #s, loss histories, forecast potential losses and provide compliance info &
   3   Confirms ID & Qualitatively Assesses - Set Priority, Select Risk Treatment, Determine Owner, log in DB and forward to Assigned Group
 PART II – Risk Form
   4   Implement Risk (Identify Lead and Task Team to implement risk Controls, impact reduction, and/or planning)
   5a. Monitoring Process (evaluate controls/mitigations, review analysis & write reports)
   5b  Monitoring Process - Evaluate and Approve Reports and Outcomes
 Risk Management Office: Assist all functions with Risk Management Tools, Techniques and Best Practices. Use reports and analysis to educate and bring awareness of the importance of Risk Management on campus.]

PART I

1. Identify and Define Risk - In order to manage risk we have to be able to identify potential threats. First identifiers are often front line workers. Identifying risks early allows us to act proactively in advance of something happening, rather than "fire-fighting" after an event. As well, Dept. Heads should continue to identify risks to their VP’s who will bring risks forward to PEG on an on-going basis.

2. Quantitative Risk Assessment - The RMO will conduct a quantitative assessment, provide loss histories, forecast potential losses and provide compliance information & Risk Industry Best Practice information.

3. Qualitative Risk Assessment - This above information along with control/mitigation recommendations will be provided to PEG for evaluation and decision on status of “closed” or “active”. If “active” this will start the risk management (RM) process.

   RM Form – Complete Part I and determine “tolerance” for this risk. Select “Priority” using Risk Size Grid Tool. Decide “Ownership” and who the risk will be “Assigned to”. E.A. to the President will log in Database (DB) and forward to Chair of “Assigned” Committee/group for

PART II

4. Implement Risk Control/Mitigation

   Risk Prevention - with many risks we are able to identify preventative measures that will significantly reduce the probability of the risk

   Risk Reduction - sometimes we can't reduce the probability that something bad will happen, but it may be possible to reduce the cost if it does.

   Business & Finance Continuity Plan - often the best we can do is make plans for how we would survive a problem. Contingency plans are what we can do after the worst has happened, such as a disaster recovery plan.

   The “Assigned To” group will identify a “Lead” and Task “Team” to implement Directive from PEG (see Part I of RM Form) above to PEG.

   RM Form – “Assigned” Group will complete Part II of form and return to PEG. Recommendations will include costing analysis.

5. Monitoring Process

   a. Completed Forms return to PEG EA (Quarterly report is reviewed). PEG will monitor results of RM Activities:
      • Areas (“Categories”) with the most risk exposure (e.g. quantity and monetary
      • Risk Mitigation Cost Analysis
      • Risk Resolution durations (by category, by Assigned Group, by time of year etc.)
      • Amount of unresolved risk at any given
      • RMO will monitor the adherence to the

   b. Annual Report submitted to the Board. Analysis and Reports will also be used to educate and heighten awareness.

Enterprise Risk Management Roles and Responsibilities
Risk is uncertainty about events that can be either positive or negative. Enterprise Risk
Management is a process of making and implementing sound managerial decisions, and
therefore should be integrated with all university planning, budgetary and management
activities to support the strategic goals of Trent University.

       a. Everyone in the university is responsible for ensuring that effective risk
          management is carried out for their own personal safety and to maintain a safe
          and secure environment.
       b. Members of Assigned Committees and Groups (COMMITTEE/GROUP)
          identify risks to PEG and implement PEG directives and strategies to reduce
          and mitigate those risks that affect their operations. The Joint Health and
          Safety Committee and Emergency Planning Committees have specific risk
          identification responsibilities.
       c. The Risk Management Office (RMO) is responsible for the Enterprise Risk
          Management Program, monitoring industry best practices and standards, with
          specific responsibility for risk quantitative assessment, recommendation of
          risk controls, ERM education and training, risk financing and program
       d. The President’s Executive Group (PEG) is responsible to prioritize and
          make status decisions on identified risks, assign risk and risk management
          resources, evaluate, review and monitor the ERM program quarterly, and
          ensure that it is integrated with the university’s strategic goals.
       e. The President is responsible to report on the university’s risk profile to the
          Board of Governors annually.
       f. The Board of Governors is responsible to ensure that an effective Enterprise
          Risk Management program is in place and that Trent University meets or
          exceeds all legislated requirements relating to risk management.

RISK MANAGEMENT FORM

     5 |   5   10   15   20   25
     4 |   4    8   12   16   20     High
     3 |   3    6    9   12   15     Medium
     2 |   2    4    6    8   10     Low
     1 |   1    2    3    4    5
       +--------------------------
           1    2    3    4    5

Part I:       Risk Identification Report

Risk ID Number: Assigned by PEG

Risk Title: Name

Risk Area: Operational (Students)

Date Opened: MM/DD/YY

Date Due: MM/DD/YY

Risk Tolerance: 1 (Low)

Risk Score prior to Mitigation: 1 (Low)

Assigned to: Committee or Group

Description of Risk and Liability:

Mitigation/Control to date: 1.

Future Mitigation/Control: 2.

Comments (Including Risk Indicators and costs):

Part II:      Risk Mitigation Report

Date of Receipt:       MM/DD/YY                                    Lead:          EMG Member
                                                                   Team:          EMG Member(s)

Risk Score after Mitigation/Control:       1 (Low)

Description of Risk Mitigation/Control Measures:

Description of Mitigation/Control Success:

Residual Risk: 3.

Comments (Including Risk Indicators):

Future Risk Assessment needed:           Never (Unless arises again)

Mitigation/Control is Complete.

_________________________________________                               _______________________
            Lead (Manager)                                                         DATE

Size of Risk – Impact Guide

The Impact guides are only for guidance and are not intended to be prescriptive.
It should be the worst-case scenario that is usually used to rate the risk.

1 - Insignificant
    Possible consequences:
      • No impact

2 - Minor
    Negative outcomes from risks or lost opportunities that are unlikely to have a permanent or significant effect on the University’s reputation or performance
    Possible consequences:
      • Less than <0.5% of total financial impact
      • No regulatory consequence
      • Minor adverse publicity
      • Minor reversible injury
    Examples*:
      • University sued successfully for wrongful dismissal
      • Lecturer has a work related injury e.g. slips

3 – Moderate
    Negative outcomes from risks or lost opportunities that will have a significant impact on the University but can be managed without major impact in the medium term
    Possible consequences:
      • Financial loss up to 2% of total turnover in any year
      • Limited regulatory consequence
      • Local adverse publicity of Subject area adverse publicity
      • Major reversible injury
    Examples*:
      • Major IT project is late or overspent
      • Contractual staff injured due to University negligence
      • Loss of a major contract

4 - Serious
    Negative outcomes from risks or lost opportunities with a significant effect that will require major effort to manage and resolve in the medium term but do not threaten the existence of the institution in the medium term
    Possible consequences:
      • Financial loss over 2% of total turnover in a single year
      • Major savings programme required to break-even in the medium term
      • Significant regulatory consequence
      • Negative headlines in the national press
      • Irreversible injury or death
    Examples*:
      • Research team found to have falsified results with a major impact e.g. on health issues
      • Major overseas recruitment problems due to war or terrorism – may have the potential to escalate to very serious
      • University financial systems fail completely and cannot be recovered

5 – Very serious
    Negative outcomes from risks or lost opportunities which if not resolved in the medium term will threaten the existence of the institution
    Possible consequences:
      • Financial loss (or loss of potential financial surplus) over 2% of turnover for consecutive years
      • Substantial regulatory consequence
      • Sustained negative headlines in the national press
      • Major negative sanction by HEFCE
      • Closure of major part of business
      • Irreversible multiple injury or death
    Examples*:
      • Major accident due to University negligence
      • Major fire that prevents a substantial part of the University delivering courses
      • Collapse in student application numbers
      • Sustained failure to recruit staff

* the examples can move up or down the matrix accordingly to suit whether a department, a school or the University as a whole.

Size of Risk – Likelihood

Descriptor       Likelihood
1 – Very low     2% likely to happen
2 – Low          5% likely to happen
3 – Medium       10% likely to happen
4 – High         20% likely to happen
5 – Very high    50% likely to happen

Total risk score guide

Descriptor             Guide
0 – 6 Low              Low level of risk, should not require much attention but should be reviewed at least annually
8 – 12 Medium          Medium level of risk, should be monitored and reviewed annually as a minimum, 6 monthly if necessary
14 – 20 High           High level of risk, should be constantly monitored and reviewed quarterly or 6 monthly. Possibly escalate to higher committee if required
Over 20 – Very high    Top level of risk, should be constantly monitored and reviewed monthly. Possibly escalate to RSC
