GUIDE TO THE UNIVERSITY’S OPERATIONAL RISK REGISTER
Risk Management Strategy 1–4
Risk Management Cycle & Monthly Management Process Chart 5
Categories of Risk 6–7
Guide to the University Risk Management Process 8
Quantification Criteria for Likelihood and Impact 9–10
Action Plan 11
Risk Register Template 12
Risk Register Summary 13
Appendix 1 – Annual Assurance Statement By The Head Of School/Service 14
Authors: Phil McNaull / Lorraine Loy
Date: August 2010
RISK MANAGEMENT STRATEGY
The Risk Management Strategy is a key tool in the management of the risk and opportunities associated with achieving
the University’s Strategic Plan. Strategic risk includes operational, financial and reputational risks. The strategy is based
upon assessment and prevention rather than reaction and remedy.
Whilst overall corporate governance responsibility rests with The University Court, risk management will be co-ordinated
and monitored by the Planning and Management Executive. The responsibility for implementation of the Risk
Management Strategy is shared by all staff across the University.
The objective of the Risk Management Strategy Group is to establish formal mechanisms that will facilitate the timely
identification and management of risk and hence ensure the delivery of the strategic plan objectives.
Implementation of the Risk Management Strategy has four strands.
• Embedding risk assessment in the strategic decision making process
• Internal review of risk and how it is managed
• External assessment of the effectiveness of the strategy
• Provision of resources to implement the strategy including staff training
3.1 Embedding risk management in the strategic and operational decision making processes
The assessment of risk is an integral part of the planning and review process. All strategic proposals should include a
risk assessment both of doing and of not doing the proposed activity.
3.2 University Risk Management Strategy Governance Process
The process can be summarised as follows:
[Chart: governance process. Recoverable boxes: Court & Governance Committees; Risk identification, assessment and
strategic decision & control action plan or activity; Action by PME, Board, School, Postgraduate Institute or Support Unit;
Risk control actions; Major risks recorded in Risk Register, monitored by PME, Audit Committee and Court, as appropriate;
Feedback and update of control action or activity.]
It is essential that all participants in risk management are aware of their roles in the overall process and their own
The Court has responsibility for the total risk exposure of the University by:
• Setting the tone and influence of the culture of risk management across the University
• Determining the extent to which the University is “risk taking” or “risk averse” as a whole and setting the University’s
risk tolerance line
• Approving major decisions affecting the University’s risk profile or exposure
• Determining what types of risk are acceptable/not acceptable and monitoring significant risks and control
improvements to mitigate risks
• Annually reviewing the University’s approach to risk management and approving changes or improvements to key
elements of the process and procedures
To aid this, Court will receive:
• An annual report from Internal Audit on the effectiveness of the risk management process in the University,
making recommendations when necessary.
Planning and Management Executive:
The Planning and Management Executive, advised by the Director of Finance, is responsible for corporate risks by:
• Identifying and evaluating the significant risks faced by the University
• Providing adequate information in a timely manner to Court on the status of risks and controls
• Participating biannually in a risk review and reporting the outcomes to Court
• Implementing policies on risk management and internal control
• Reviewing School, Institute, Service and Project risks
• Participating in the annual review of effectiveness of the system of internal control and risk management by
Schools, Institutes and Services
Heads of Schools, Institutes and Services, supported by their management groups, are responsible for the identification,
management and monitoring of risk within their areas of responsibility.
Risk Management Strategy Group (RMSG)
The RMSG meets every 8 weeks and reviews and updates the Strategic Risk Register. A risk owner is identified and has
responsibility for monitoring and managing their individual risks. The strategic risk register clearly documents the risk
owner along with other relevant data on the risk, and therefore each owner is required to be familiar with the
risk register. The risk owner is also responsible for the implementation of the measures taken in respect of each risk.
Director of Finance and the Group Risk Manager
The Director of Finance and the Group Risk Manager, as the risk process owners, ensure that risk is managed effectively
at all levels and that risk registers are reported to an appropriate level. The Group Risk Manager reports to the Director of
Finance and manages this on his behalf.
Risk Review at School, Institute and Service Level
Risk can be assessed using brainstorming sessions, SWOT analysis or risk assessment user groups. Management
groups should carry out a monthly management review of the linkages between strategic objectives and risks to ensure
that focus is maintained on priority activities.
The University uses a risk model to define likelihood and impact. Likelihood is the frequency or probability of a risk
occurring. Impact is the potential severity or effect of the risk. The ratings given to likelihood and impact produce an
evaluation of net risk. Both the adequacy of existing controls and net risk are denoted by a traffic light system. Any risks
in the red will require explicit review and approval by the Risk Management Strategy Group.
Each level of management should use a risk register to manage identified significant risks and report these to the next
It is important that the number of risks under active management does not exceed a manageable number (10-20) and
where the net risk is considered very low the risk can be removed from the risk register. The following questions should
be addressed at all risk management reviews.
a) Escalation of Significant Risks at School, Institute or Service Level
• In the event a risk crystallises and has the potential to impact the University’s people, assets and reputation, the
Head of School, Institute or Service must notify their line manager.
b) Brief review of individual risk ownership
• Is the ownership still appropriate?
• Should the risks be delegated?
c) Each risk owner should discuss their individual risks as presented on the risk register
• Introduction to each risk.
• Challenge by other members.
• Consider the controls in place.
• Does anything need to be done to improve the controls further?
• Are there resources available to implement controls?
d) Review of overall risk register and comparison to the previous risk exercise
Reporting significant risk
The normal reporting regime will include publication of a revised risk register for any red risks that require reporting to that
level of authority or any existing controls that have been scored as red. The risk map shows for all the risks on the risk
register the level of likelihood and impact of the net risk and the adequacy of controls.
Any red risks and any risk where existing controls are assessed as inadequate should be reported to the Head of School,
Institute or Service for reporting to the Group Risk Manager or the Director of Finance in the first instance. The Director of
Finance will determine whether or not the risk should appear on the Corporate Register.
The Director of Finance will make arrangements to audit the risk process for each School, Institute and Service as part of
a regular cycle of audits and will report explicitly on the risk management processes in Schools, Institutes and Services.
e) Significant risk can be defined as:
Corporate Level – Any controlled red risk and any risks with existing controls assessed as inadequate must be reported
to the Planning and Management Executive.
School, Institute, Service and Project Level – Major and catastrophic red risks and any risks with inadequate existing
controls must be reported to the Director of Finance/Group Risk Manager.
As control improvement plans are developed the Risk Management Strategy Group will need to take a view as to whether
the actions being taken to mitigate the risk are adequate (including risk transfer for example insurance) or whether more
could be done. As a result of this exercise it will decide whether the level of residual risk is acceptable or whether the risk
should be terminated (for example ending the activity where the risk originates). In many instances the termination of the
risk may not be possible.
f) Project Risk Management
Project risk management will follow a similar process to that defined for corporate risks. Normally the Project Manager
will take responsibility for risk management. The risk register in the format set up in this policy will be populated at the
point at which permission is sought for a project to proceed. Significant project risks are to be reported to the Risk
Management Strategy Group via the Director of Finance.
The risk register will be updated and presented at each project meeting.
g) New Projects
Where a project requires approval then a full business case including a risk register must be submitted for consideration.
Resources required for the management and possible amelioration of risk associated with specific projects should be
included in the business plan for each project or proposal. The costs associated with the general management of risk
should be included in each budget holder’s annual budget and reviewed as part of the annual planning round.
All Heads of Schools, Institutes or Services are responsible for ensuring that staff development needs are identified
including risk training of appropriate staff. This training includes the identification and management of strategic risk and of
3.4 Internal review of the strategic risk register and the strategy
The Strategic Risk Register will be formally reviewed by the Planning & Management Executive at 3 monthly intervals.
The register will be updated at 6 weekly intervals by the risk owners and the Risk Management Strategy Group as the
identified risk increases or decreases. Where risks have reduced to a level below an agreed threshold, they will be
removed from the risk register.
The Risk Management Strategy Group will report to the Audit Committee who in turn report to the University Court.
3.5 External assessment of the effectiveness of the strategy
An integral part of this Risk Management Strategy is that there should be a formal evaluation of its effectiveness. This
evaluation will be undertaken annually by the Audit Committee, which will report to the University Court.
The effectiveness review will determine whether risks are being properly identified, managed and reported at appropriate
levels. The review will include a report on the risks identified within the risk registers.
THE RISK MANAGEMENT CYCLE – PART OF NORMAL BUSINESS
[Chart: the five stages of the risk management cycle, with the captions that survive.]
Identifying the risks: A risk that has not been identified cannot be managed.
Analysing the risks: The aim of risk analysis is to … in the context of any existing control measures.
Evaluating the risks: The output of risk evaluation is a prioritised list of risks for further action.
Treating the risks: The purpose of risk treatment is to change the risk to a level where the benefit exceeds the cost of …
Monitoring the risks: The final step is to monitor the risk management strategy, plans and practices. Are there new
risks? Will the risk treatments still be effective?
MONTHLY MANAGEMENT MEETING PROCESS CHART
[Chart: monthly management meeting process; recoverable boxes:]
• Considering and re-assessing existing Risk Register. Rescore if necessary.
• Identifying and evaluating new risks. If necessary produce new charts. Agree action plans. Score. Add to Risk Register
Summary.
• Update action plans on Risk Register Chart.
• Considering and Updating Risk Heat …
• Updating Risk Register Summary.
• Send updated Risk Register to Group Risk Manager.
• Group Risk Manager to escalate to RMSG / PME.
• Communicating Monthly Top RED Risks.
Categories of Risk
This appendix provides a prompt which can be used to aid risk discussions. These can be used as a guide, a starting
point or as a checklist for existing registers.
Strategic Risk – Major Threats
Sources of threat that may give rise to significant strategic risk include:
• Budgeting (relates to availability or allocation of resources)
• Fraud or Theft
• Unethical dealings
• Product and or services failure (resulting in lack of support to business process)
• Public perception and reputation
• Exploitation of workers and or suppliers (availability and retention of suitable staff)
• Environmental (mismanagement issues relating to fuel consumption, pollution etc)
• Occupational health and safety mismanagement and or liability
• Failure to comply with legal and regulatory obligations and or contractual aspect (can you sue or be sued)
• Civil Action
• Failure of the infrastructure (including utility supplies, computer networks etc)
• Failure to address economic factors (such as interest rates, inflation)
• Political and market factors (for management of risk, security etc)
• Operational procedures – adequate and appropriate
• Capability to innovate (to exploit opportunities)
• Failure to control intellectual property (as a result of abuse or industrial espionage)
• Failure to take account of widespread disease or illness among the workforce
• Failure to complete to published deadlines or timescales
• Failure to take on new technology where appropriate to achieve objectives
• Failure to invest appropriately
• Failure to control IT effectively
• Failure to establish a positive culture following business change
• Vulnerability of resources (material and people)
• Failure to establish effective continuity arrangements in the event of disaster
• Inadequate insurance/contingency provision and disasters such as fire, floods and bomb incidents.
Examples of commercial risks include:
• Under performance of service relative to specification
• Management will under perform against expectations
• Collapse of contractors
• Insolvency of promoter
• Failure of suppliers to meet contractual commitments (this could be in terms of quality, quantity, and timescales on
their own exposures to risk)
• Insufficient capital investment, shortfall in revenue expected / planned
• Partnerships failing to deliver desired outcome
• An event being non insurable or cost of insurance outweighs the benefit
• Exchange rate fluctuation
• Interest rate instability
• Shortage of working capital
• Failure to meet project revenue targets
• Market developments will adversely affect plans
Legal and Regulatory
• New or changed legislation may invalidate assumptions upon which the activity is based
• Failure to obtain appropriate approval (e.g. planning consent)
• Unforeseen inclusion or contingent liabilities
• Loss of intellectual property rights
• Failure to achieve satisfactory contractual arrangements
• Unexpected regulatory controls of licensing requirements
• Changes in tax structure
• Management incompetence
• Inadequate corporate policies
• Inadequate adoption of management practices
• Poor leadership
• Key personnel have inadequate authority to fulfil roles
• Poor staff selection procedures
• Lack of clarity over roles and responsibilities
• Vested interest creating conflict and compromising the overall aims
• Individual or group interests given unwarranted priority
• Personality clashes
• Indecisions or inaccurate information
• Health and safety constraints
• Change of government policy
• Change of government
• War and disorder
• Adverse public opinion/media intervention
• Natural disasters
• Storms, flooding
• Pollution incidents
• Transport problems
• Inadequate design
• Professional negligence
• Human error/incompetence
• Infrastructure failure
• Operation lifetime lower than expected
• Increased dismantling/decommissioning costs
• Safety being compromised
• Performance failure
• Residual maintenance problems
• Unclear expectations
• Breaches in statutory/information security
• Lack or inadequacy of business continuity
• Lack of clarity of service requirements
• Inadequate infrastructure to provide required operational services
• Inadequate or inappropriate people available to support the required service provision
• Inappropriate contract in place and or inadequate contract management to support the required level of service
• Changing requirements, enabled in an uncontrolled way
• Products passed to operational teams without due consideration to implementation, handover, subsequent
maintenance and decommissioning
• Unexpected or inappropriate expectations of service users
• Inadequate incident handling
• Lack or inadequacy of business continuity or contingency measures with regard to maintaining critical business
• Failing to meet legal or contractual obligations
Extracted from Management of Risk: Guidance for practitioners
Guide to the University Risk Management Process
Introduction - Consider whether you are dealing with an issue (it is raining) or a risk (it might rain). This register is for
risks. Please refer to the University Risk Management Policy and Guide for assistance with this process.
A. RISK ASSESSMENT
Step 1: Now insert the name of the School/Service and the name of the person who is responsible for managing the risk
(the Risk Owner). Also record the date the risk was first identified and the date when you conduct this review.
Name of School/Service: SAS Project
Risk Owner: ACW
Date Risk identified: 05/02/09
Date of this update: 5/12/10
Step 2: Describe the risk in simple language. State what is causing the risk to become sufficiently important now to
warrant consideration at your budget holder’s monthly meeting and what the consequences will be if you don’t take
further action: describe the consequences in measurable terms. The consequences need to be described to emphasise
the impact on delivery of the University’s strategic plan (both financial and non-financial measures may be required).
Description of risk: Failure to implement (reduced scope) implementation of Banner Student Admin System, requiring
continued reliance on ISS (beyond August 2010) leading to potential failure of enrolment processes and further costs
increases to complete the migration. (Sub risk: failure to develop wider business improvement programme)
Refer to risk management guidelines.
Step 3: Describe the current internal controls you rely on to manage this type of risk generally or this specific risk if
Current internal controls RAG status
1. Project management using HWU PMM, flexed where appropriate, with an actively monitored risk
2. New governance arrangements with reconstituted Project Board and Steering Group now
3. Regular reports to PME (monthly) and relevant boards (LTB,IB) and other stakeholders.
4. SunGard HE available to SAS project board/steering group and weekly checkpoints with Project
5. Additional training incorporated in plan.
Having considered the controls in the above box (col. 1) that are currently in place, are you satisfied that these controls
are sufficient to reduce the likelihood of the risk becoming a reality? Also, will these controls reduce the potential impact to
an acceptable level? If yes, then no further action is required other than to make sure these controls continue to work. If
no, then record your concerns in col. 2 of the box above. Then assess your concerns as red, amber or green in col. 3.
Now discuss this with your management team or budget holder and get confirmation of your risk assessment rating (the
RAG status); move to step 4.
Step 4: Now assess the impact that the university would experience if the risk were to become a reality. Tick all of the
boxes in the following table that best describe what the impact would be if we continue to rely only on the existing controls
and do nothing else. Depending on where the greatest number of highlights appears, select and circle one of the overall
impact rating scores in the top row of the table. (In this example we have circled 4)
Step 5: If your budget holder agrees with your impact risk assessment then you need to assess the likelihood of this risk
becoming a reality (i.e. it changes from a risk to an issue) if we continue to rely only on the existing controls, and do
nothing else. Circle the appropriate score in the following table. (In this example we have circled 4)
Quantification Criteria for Likelihood
Score 5, Almost Certain: event is expected in most circumstances (>90% chance)
Score 4, Likely: event will probably occur in most circumstances (50–90% chance)
Score 3, Possible: event should occur at some time (30–50% chance)
Score 2, Unlikely: event could occur at some time (10–30% chance)
Score 1, Rare: event may occur only in exceptional circumstances (<10% chance)
Quantification Criteria for Impact (Operational Values)
Impact 1 (Insignificant)
  Financial: < £30K
  Turnover: up to £100K
  Management Time: resolution would be achieved by budget holder’s team alone
  Health & Safety: on-site exposure, immediately contained
  Reputation: letters to local/sector press
  Regulatory & Legal Action: minor breaches by individual staff members
  Staff Impact (Morale, Recruitment, Retention): no evidence of adverse reaction
  Management Effort: an event which can be absorbed through normal activity
Impact 2 (Minor)
  Financial: £30K – £50K
  Turnover: £100K – £200K
  Management Time: resolution would require coordinated input from Schools/Institutes/Sections
  Health & Safety: on-site exposure contained after prolonged effect
  Reputation: series of articles in local press
  Regulatory & Legal Action: no fine, no disruption to courses/research
  Staff Impact: staff complaints, possible comment by Union Members
  Management Effort: an event the consequences of which can be absorbed but management effort required to …
Impact 3 (Moderate)
  Financial: £51K – £100K
  Turnover: £201K – £300K
  Management Time: resolution would require input from PME team
  Health & Safety: on-site exposure, contained with outside assistance
  Reputation: extended negative local/sector media coverage
  Regulatory & Legal Action: fine but no disruption to teaching/research
  Staff Impact: general discontent evident across multiple groups of staff
  Management Effort: a significant event which can be managed under normal circumstances
Impact 4 (Major)
  Financial: £101K – £200K
  Turnover: £301K – £1m
  Management Time: resolution would require the mobilisation of a dedicated project team
  Health & Safety: prolonged/major incident with serious casualties
  Reputation: short term negative national media coverage
  Regulatory & Legal Action: fine and disruption to teaching/research
  Staff Impact: significant adverse impact, significant concerns to University Trade Unions in …
  Management Effort: a critical event which, with proper management, can be endured
Impact 5 (Catastrophic)
  Financial: > £200K
  Turnover: > £1m
  Management Time: resolution would require input from the Court
  Health & Safety: major incident with multiple fatalities
  Reputation: extensive, sustained negative national media
  Regulatory & Legal Action: significant disruption to courses/research for a period of time
  Staff Impact: disaster management process required
  Management Effort: a disaster with potential to lead to the collapse of the University
Plot the scores on the following table
Current Net Score: Likelihood x Impact = 4 x 4 = 16
Likelihood
    5 |  5  10  15  20  25
    4 |  4   8  12  16  20    (current plot: 4 x 4 = 16)
    3 |  3   6   9  12  15
    2 |  2   4   6   8  10
    1 |  1   2   3   4   5
      +--------------------
         1   2   3   4   5    Impact
If your plot does not lie in the red zones, then consider if it really is as big a problem as you assessed when you started
You have now plotted your current net risk (shown as “current” in the table above). If you plot this in the red zone you will
need to identify what further actions you propose to take to:
a) reduce the likelihood that the risk will become an issue and/or
b) reduce the impact if the risk becomes an issue.
We want to reduce the risk to the point where we can plot an acceptable score (shown here for illustration as “Desired” in
the table above).
The desired score that you wish to achieve will be decided by you. There may be a cost involved in achieving the better
controls that reduce the risk and you must assess the cost/benefit tradeoff.
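The scoring model of Steps 4 to 6, together with the Step 10 ranking, as a small Python implementation; this is an added illustration, not the University's own tooling. The red/amber cut-offs (15 and 8), the probability and loss figures that reproduce the SAS Project plot, the second risk and the names `Risk`, `assess` and `rank_register` are all assumptions of this example.

```python
"""Scoring model for the guide's operational risk register (added illustration, not the
University's own documentation or tooling). Applies the 5 x 5 model: likelihood from the
probability bands, impact from the financial-loss bands, net score = likelihood x impact,
RAG band, trend against the previous summary and Step 10 ranking."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RED_FROM, AMBER_FROM = 15, 8  # ASSUMED heat-map cut-offs; the guide shades cells but states none


def likelihood_score(probability):
    """Guide's likelihood table; a value on a shared edge (exactly 50%) takes the higher score."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if probability > 0.90:
        return 5, "Almost Certain"
    if probability >= 0.50:
        return 4, "Likely"
    if probability >= 0.30:
        return 3, "Possible"
    if probability >= 0.10:
        return 2, "Unlikely"
    return 1, "Rare"


def financial_impact_score(loss_gbp):
    """Guide's Financial row; its gaps (e.g. GBP 50,001-50,999) are closed by reading 'up to'."""
    if loss_gbp < 30_000:
        return 1, "Insignificant"
    if loss_gbp <= 50_000:
        return 2, "Minor"
    if loss_gbp <= 100_000:
        return 3, "Moderate"
    if loss_gbp <= 200_000:
        return 4, "Major"
    return 5, "Catastrophic"


def rag(score):
    """Traffic-light band for a net score (1..25) using the ASSUMED cut-offs above."""
    return "RED" if score >= RED_FROM else "AMBER" if score >= AMBER_FROM else "GREEN"


@dataclass
class Risk:
    description: str
    owner: str
    probability: float  # chance of crystallising if we rely on existing controls only
    loss_gbp: float     # financial consequence if it does crystallise
    controls: List[Tuple[str, str]] = field(default_factory=list)  # (control, RAG from Step 3)
    previous_score: Optional[int] = None  # net score on the previous Risk Register Summary


def assess(risk):
    """Score one risk and flag whether it must be reported upwards: the guide escalates
    any red risk and any risk whose existing controls are assessed as red (inadequate)."""
    lik, lik_label = likelihood_score(risk.probability)
    imp, imp_label = financial_impact_score(risk.loss_gbp)
    score = lik * imp
    if risk.previous_score is None:
        trend = "new"
    elif score == risk.previous_score:
        trend = "no change"
    else:
        trend = "increased" if score > risk.previous_score else "reduced"
    inadequate = any(status == "RED" for _, status in risk.controls)
    return {"description": risk.description, "owner": risk.owner, "likelihood": lik,
            "likelihood_label": lik_label, "impact": imp, "impact_label": imp_label,
            "score": score, "rag": rag(score), "trend": trend,
            "report_upwards": rag(score) == "RED" or inadequate}


def rank_register(risks):
    """Step 10: order by net score, rank 1 = highest. Ties fall to the higher impact, then
    description, so the order is deterministic; the guide leaves final tie-breaks to the team."""
    rows = [assess(r) for r in risks]
    rows.sort(key=lambda r: (-r["score"], -r["impact"], r["description"]))
    for rank, row in enumerate(rows, start=1):
        row["rank"] = rank
    return rows


# Constructed register. Entry 1 is the guide's own SAS Project example; the 0.6 / GBP 150K
# inputs that reproduce its 4 x 4 = 16 plot are assumed. Entry 2 is entirely made up.
EXAMPLE_REGISTER = [
    Risk("Failure to implement (reduced scope) implementation of Banner Student Admin System",
         "ACW", 0.6, 150_000, [("Project management using HWU PMM", "AMBER")]),
    Risk("Loss of key SAS team members during migration", "ANO5", 0.2, 40_000, previous_score=6),
]

if __name__ == "__main__":
    for row in rank_register(EXAMPLE_REGISTER):
        print(row["rank"], row["score"], row["rag"], row["trend"], row["report_upwards"], row["description"])
```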
C. ACTION PLAN
Step 7: Consider the additional actions you propose to take from now to better manage this risk. These actions should be
SMART (Specific, Measurable, Agreed, Reliable and Time-bound). Will these actions introduce new, permanent
improvements to internal controls or are they a one-off response to a non-recurring problem?
Once the actions are completed satisfactorily, you should be able to return to Step 1 of this process and repeat the
process so that the plot in Step 6 is at an acceptably low level. (i.e. the ‘desired’ score in step 6 above).
Step 8: Document the further actions you now intend to take to reduce the likelihood of this risk crystallising to an
acceptable level (your ‘desired’ state). The target date needs to be in the near future (within 1 – 3 months). If it is longer
than this then you need to consider whether the target action you have set can be broken down into progress stages that
can be monitored on a short term basis. Please add as many rows as needed.
Columns: Action no. | Proposed action to reduce the likelihood of this risk crystallising | Action owner (one person who
is …) | Target completion date | Status and impact of action plan at the date of this assessment
1. Considering risks associated with the launch of the system on the basis of latest software version (Banner-8).
Owner: ANO1. Target completion date: 31st March 2010. Status: Added risks of switching from V7 to V8 currently being
assessed relative to advantages of avoiding a later change over.
2. Discussions being held with the users about their reporting requirements to ensure these can be … Owner: AN02.
Status: SAS team started reviewing needs and implementation options.
3. Ensuring Schools can make their inputs as required: data checking, training etc. Owner: AN03. Status: SAS team
preparing a detailed timetable, showing inputs required by Schools and all associated …
4. Ensuring clear communication of current project plan. Owner: ANO4. Status: Update e-mails continue to be issued.
Open presentation to all stakeholders, including Q&A session, was held 21/1/10. Further presentations are planned, along
with SAS open days. A summary of communications plan is being …
Step 9: Document the further actions you now intend to take to reduce the impact if this risk becomes an issue to an
acceptable level (your ‘desired’ state).
Columns: Action no. | Proposed action to reduce the impact if this risk crystallises | Action owner (one person) | Target
completion date | Status and impact of action plan at the date of this …
2. Maintain existing system until confident switch over can be successfully completed. Owner: N/A. Target completion
date: N/A. Status: Full testing of new Banner systems to be included in work plan. Started process of preparing fall-back
plan were Banner to not become fully operational over the summer.
Step 10: Following your assessment of the likelihood and impact of the risks your team has identified, you now need to
place all the identified risks (of which this is only one) in order from the highest likelihood and impact scoring to the
lowest. Please note you can’t put all your risks as number 1; as a team you will need to decide how you will prioritise
the risks identified. Now place the risk ranking in your summary Risk Register.
Step 11: Review this document in one month from now and reappraise the risk. Amend the scores and/or actions as
Risk Management Template
[Template form: Heriot Watt University Operational Risk Register (Strictly Confidential). Tools: Current (C) and Desired (D)
markers for the heat map.]
Heat map (Likelihood down, Impact across):
    5 |  5  10  15  20  25
    4 |  4   8  12  16  20
    3 |  3   6   9  12  15
    2 |  2   4   6   8  10
    1 |  1   2   3   4   5
         1   2   3   4   5
Risk Owner:
School/Institute/Section/Project:    This version updated on:
Risk Register Summary Rank:    Impact:    Likelihood:    Score:
Description of Risk:
Current internal controls (refer to Step 3 of the guide), rows 1–5, each with an Effectiveness rating (use shading to
signify RED, AMBER or GREEN):
Proposed actions to reduce the likelihood of the risk crystallising (refer to Step 8 of the guide): Target Completion Date;
Status and impact of actions
Proposed action to reduce the impact if this risk crystallises (refer to Step 9 of the guide): Target Completion Date;
Status and impact of actions
Risk Management Template
RISK REGISTER SUMMARY
School/Institute/Section/Project name:    This Summary dated:    Previous Summary dated:
Columns: Description | Rank | Score | Owner | Last Reviewed | RAG
Key/Definitions:
Rank: 1 is highest in risk terms
Score: higher scores relate to higher risks
RAG: Red / Amber / Green (* all the symbols can be copied and pasted as required under the column RAG)
Trend symbols: No change since last report; Risk has increased; Risk has reduced (** all symbols can be copied and
pasted as applied to the heat map)
Heat map (Likelihood down, Impact across), with D marking the Desired score:
    5 |  5  10  15  20  25
    4 |  4   8  12  16  20
    3 |  3   6   9  12  15
    2 |  2   4   6   8  10
    1 |  1   2   3   4   5
         1   2   3   4   5
ANNUAL ASSURANCE STATEMENT BY THE HEAD OF SCHOOL/SERVICE
Name of School/Service:
I can give assurance to the Planning and Management Executive that all risks within the School, Institute or
Support Service are being appropriately managed by adequate processes and that the significant key risks to
the School, Institute or Support Service are outlined in the attached business plan/risk register.
Additional papers to be submitted:
• Current risk register
• Supporting comments for any of the risks in the risk register (if any)
• Highlight any significant changes to risks over the last 12 months
• Review of effectiveness of internal process and structure (what worked well and what did not, including
proposed improvements in the next year if any)
• Review of escalated risks in the last 12 months (if any)
• Review of embedding of risk management across the School or Service.