Post on 04-Jun-2018
8/13/2019 Risk Management Policy and Guidelines
1/22
Opportunity and Risk Policy and Guidelines
Contents
Higher Education Funding Council for Wales Risk Management Policy
Introduction
Higher Education Funding Council for Wales Risk Management Policy
The Higher Education Funding Council for Wales (HEFCW) has adopted a risk based approach to internal control which is designed to provide reasonable assurance that we will achieve our corporate objectives and overall mission.
The approach to risk management, set out in this Policy and Guidelines, has been approved by the Audit and Risk Committee and Higher Education Funding Council for Wales (the Council). The approach allocates responsibility for risk management and establishes a framework within which risks are identified and evaluated so that an appropriate response can be determined and effected.
Risk management needs to allow for the effective assessment and exploitation of opportunities while also identifying what will prevent us from achieving our objectives, and ensuring we have in place procedures to minimise, or manage, those risks. Risk management therefore involves a planned and systematic approach to the identification, assessment and mitigation of the risks that could hinder the achievement of strategic objectives. It involves the following main steps:
- identifying the key strategic risks that would prevent achievement of objectives
- assigning ownership
- evaluating the significance of each risk
- assessing the Council's risk appetite
- identifying suitable responses to each risk
- ensuring the internal control system helps manage the risks
- developing the assurance mechanism to the Chief Executive
- regular review.
To coordinate the risk management process the approach combines oversight by the
Each Team is expected to:
- Establish clear objectives for their area of operations and identify and evaluate the key risks to achieving those objectives. This task should be linked to the annual planning process.
- Incorporate risk responses into a system of internal control that is designed to address opportunities, facilitate effective and efficient operations, protect the HEFCW's interests and ensure compliance with applicable laws and guidance.
- Follow HEFCW guidelines and standards relating to particular types of risk and ensure that emerging risks are identified and an appropriate response is effected.
- Design, operate and monitor the system of internal control.
- Monitor the effectiveness of the system of risk and internal control management and report significant weaknesses or non-compliance to the Management Board.
- Ensure that a risk based approach to internal control is communicated
INTRODUCTION
What is Risk?
Risk can be defined as the element of uncertainty which affects operational decisions and planned outcomes. Risk factors may be either positive opportunities or negative threats. Essentially, they are the factors that help or hinder the achievement of our objectives. Annex A sets out examples of the different types of risks that might affect us.
By identifying the key risks to achieving HEFCW's objectives, we are able to consider and plan our response to them. This helps us to minimise the impact of 'surprises' and to respond more effectively to possible opportunities.
Risk management is not new. Planning and decision making within HEFCW already includes significant elements of risk assessment. For example, when developing corporate and operational plans we automatically reflect on the threats and opportunities associated with meeting our objectives. In addition Council papers include a risk assessment section which provides detail of any identified risks, current or future, arising from the issues covered by the paper. The risk management process formalises a number of these existing processes and helps us to ensure that key risks are not overlooked.
Who is this guidance for?
Risk management is a particular responsibility of the Council, the Audit and Risk Committee, the Directors and all the Heads of Teams. However, management of risk is something that we all do every day. It affects all aspects of our planning and decision making processes. Consequently all staff need to be aware of the HEFCW
Gaining Assurance
The Risk Management Cycle
Risk management is a fluid process that affects all areas of our planning and decision making processes. Key stages in the cycle of risk management are set out below:
[Figure: Risk Management Cycle. Stages: Identify risks; Evaluate the risks; Assess risk appetite; Identify suitable risk responses; Gain assurance on the effectiveness; Embed and review.]
This section describes the stages we go through to integrate risk management into HEFCW's processes.
Our Approach
Risks are identified and assessed at two levels:
Level 1: Corporate Risks
Roles and Responsibilities
The roles and responsibilities of the various groups and individuals within HEFCW are outlined below:
Body / Key Responsibilities
HEFCW Council: To approve the risk management strategy and policies and to determine HEFCW's 'risk appetite' advised by the Audit and Risk Committee, the Chief Executive and the Management Board.
Audit and Risk Committee: To monitor and advise the Council on the preparation, implementation and maintenance of the Council's risk management strategy.
The Chief Executive: As Accounting Officer, the Chief Executive remains ultimately accountable for the organisation and its management of risk. He must:
- have a clear understanding and assessment of the risks that could prevent delivery of objectives
- ensure that the organisation has effective risk management and control processes
- be provided with assurance that the processes and the key strategic risks are being effectively managed
management and internal control.
All Other Staff: Identification and management of operational and project risks. Drawing the attention of their line manager to key risks, which may be sufficiently serious to require monitoring at corporate level.
Identifying the Risks
If all key risks are to be identified, we will need input from those who are familiar with our processes and procedures as well as those involved in determining our strategies. Therefore staff at all levels within HEFCW need to be involved.
Risk management should not be seen simply as a desk exercise to be undertaken only by Directors, Heads of Team or the Risk Assurance function.
The Corporate Risk Register will be developed by the Management Board. The Management Board presently extracts its key objectives from the Corporate Strategy and develops them into a corporate operating plan. The Corporate Risk Register will therefore consist of:
- Key risks to the achievement of the Strategic Objectives; and
- Risks arising from Operational Risk Registers that have been evaluated as potentially having a significant impact at Corporate level.
Operational Risk Registers will be developed for each Team with the key risks being identified by each Team's Risk Management Group in parallel with the development of Operating Plan objectives. The register should be developed by considering each operating plan objective and recording any significant risks to achieving that objective. Judgement needs to be exercised in this process: one objective could have several significant risks associated with it, and another may have none. It is perfectly acceptable to record an objective and note that there are no significant risks associated with it.
Each Head of Team has a specific responsibility for oversight of the identification and
Evaluating Risks
Having identified our key risks, we then assess the likelihood of occurrence and the potential impact on the goals of HEFCW should they be realised. This provides us with a hierarchical assessment of the risks as illustrated below.
[Figure: risk assessment grid with Impact (High / Medium / Low) on one axis and likelihood on the other. Recoverable cell labels: mitigation controls / contingency plans; mitigation controls / contingency plans, monitor closely; take urgent remedial action, monitor rigorously.]
delivery of a beneficial outcome in the public interest. As an Assembly Sponsored Public Body (ASPB) the National Assembly's priorities and objectives largely drive our risk appetite. Our understanding of these objectives, in consultation with our other key stakeholders, is reflected in our strategic plan. To deliver these objectives we need to balance opportunities to innovate and improve with our responsibilities in terms of accountability, propriety, regularity and value for money.
The level of risk that is acceptable, our Risk Appetite, will be determined by the Council who are advised by the Audit and Risk Committee and the Management Board. Risk appetite may vary on a case by case basis depending on the perceived benefits of the issue being considered. For example we may be prepared to accept a higher level of risk in relation to a project with major potential benefits throughout the HE sector in Wales compared to one with similar risks but where the benefits are more tenuous or would only apply to a proportion of the sector. The Management Board will ensure consistency of approach and make sure that cross-functional risks are considered.
Identifying Suitable Risk Responses
Having identified the key risks faced by HEFCW we then need to decide how they should be managed. Responses to the risks will fall into four categories:
TRANSFER - We already transfer some financial risks in relation to our contracts with Higher and Further education institutions because we can recover funds where our requirements are not met.
TOLERATE - Accept the risk in view of the potential benefits and the cost of mitigating the risk.
TREAT - This is the most likely category. We introduce additional internal controls to reduce the risk to an acceptable level. This could include, for example: monitoring reports to management; reviewing authorisation arrangements; audit reviews etc. Alternatively we might wish to consider changing the way we deliver aspects of our work to reduce the risks.
TERMINATE - This option is probably limited to the more 'entrepreneurial' aspects of our operations where we might decide that the risks are too great and the potential rewards insufficient for us to engage in the activity at all. There is unlikely to be an option to terminate activities that fall within our core remit.
The responses to the risks will form the basis of a plan setting out the actions, timescales and responsibilities necessary to manage the key risks down to an acceptable level.
Our system of internal control must also encompass the funds provided by the Council which are transmitted to higher and further education institutions (and related bodies) for education, research and associated purposes.
The Statement of Internal Control (SIC) requires the Chief Executive to carry out a review of the effectiveness of the Council's system of internal control and to report on that review each year.
The Chief Executive participates in the exercise of many of the key internal controls or, through participation in activities, sees evidence of their existence and operation. In addition the Chief Executive receives confirmation from the Management Board and Risk Management Groups that the controls are working effectively.
Monitoring the Risks
A project management structure has been developed to facilitate input from all HEFCW staff, as follows:
[Figure: Project Organisation. Boxes: Higher Education Funding Council for Wales; Audit & Risk Committee; Management Board.]
Risk registers should be 'live' documents. Key risks will change over time and new responses to manage them may be required. Significant new risks should be recorded and assessed as soon as they become apparent. All Council, committee and management board papers should include a risk assessment section which provides detail of any identified risks, current or future, arising from the issues covered by the paper. The risk assessments in these papers should be consistent with the risks assessed in the risk registers.
Formal reassessment of the risks recorded in our risk registers will be undertaken on an annual basis as part of our corporate and operational planning processes but this must not prevent ongoing re-assessment, recording and monitoring of risks as and when they arise. As a general guide, a formal full review of potential new risks to achieving our operational objectives should be carried out at least quarterly with formal monitoring of the actions due for completion being carried out at least once during each quarter by each Risk Management Group.
Project Management
Risk management is a key element in the control framework for running projects. HEFCW's Project Management Guidance requires the Project Manager to prepare a risk register for approval by the Project Owner when proposing a new project. The register must be prepared in accordance with these guidelines and in consultation with the Risk Assurance section.
Risk registers for individual projects should be prepared on the same basis as the Corporate and Operational risk registers except that when evaluating the risks you should evaluate the impact as being the impact on the project rather than the overall impact on HEFCW. Risks for key projects could potentially be recorded at three different levels as illustrated:
If we are to achieve HEFCW's mission, every member of staff will need to help by working towards the achievement of individual operational objectives. Our planning processes help to ensure that we all understand what our individual objectives, set for each member of staff, are and that they are consistent with the overall mission. The National Assembly, the HEFCW Council and the Management Board need a mechanism through which they can gain assurance regarding our ability to meet our objectives.
The risk-based approach to internal control described in these guidelines provides a basis for the provision of assurance regarding our ability to deliver our objectives.
HEFCW's obligation to make an annual Statement of Internal Control
The Combined Code and the subsequent Turnbull report both emphasise the need for more focused and open ways of managing risks. To reflect this approach, corporate governance statements have been widened to include internal controls (not just financial controls). This has led to the inclusion of a new Statement of Internal Control (SIC) within financial statements, premised on strategic risk management processes being embedded in the operation of the organisation. The SIC is a narrative statement that explains how the Council has applied the internal control principle. This should cover risk management and all controls, including financial, operational and compliance controls.
Since April 2002 the Chief Executive as the HEFCW Accounting Officer has been required by the National Assembly to provide a Statement of Internal Control (SIC) within the Accounts of the Higher Education Funding Council for Wales. This includes a commentary on:
- The Council's risk management strategy.
- Audit arrangements established by the Council.
- Monitoring procedures for subsidiary bodies - institutions and third party providers.
- Procedures established to ensure that aspects of risk management and internal control are regularly reviewed and reported on.
The Chief Executive therefore requires assurance that the processes and the key
Annex A
Examples of Risks
Examples of the types of risks that we may face in meeting our objectives are suggested below. The examples are intended to be illustrative only, not a definitive list of all possible risks:
[Figure: Examples of Risks. Recoverable labels: Fraud, Unauthorised use, Misrepresentation; Theft, Hacking; Management, Decision making, Vision, Flexibility, Skills; Health & Safety, Litigation; Natural Events: Fire, Flood, Weather, Vermin; Policy: Development, Delivery; People: Communications, Direction, Skills; Reputation: Public Perceptions, National Assembly.]
Annex B
Notes on completion of risk registers
Column Heading / Guidance
1 RISK (Risk reference linked to strategic aim and description of risk)
Guidance: Cross reference the risk to the Corporate and team plan objective to which it relates. Each objective should be recorded, even if there are no significant risks associated with it. This will act as a reminder when reviewing the register. The objectives should appear in the same order as in the Corporate and operational plan. Risks could relate to more than one objective.
To identify the risk:
1. Ask what is the objective?
2. Ask what will prevent the objective being achieved?
You do not have to identify a risk/risks for every objective provided you have worked through all objectives systematically in
2 PROBABILITY (Assess probability of risk being realised)
Guidance: This assessment of a High, Medium or Low probability of the risk being realised should be before taking account of any controls in place to manage the risk.
3 CONSEQUENCE
Guidance: This should be a statement of the impact that the risk would have on the organisation's objectives if realised.
4 IMPACT
Guidance: This is an assessment of High, Medium or Low as to the severity of the impact of the consequence of the risk being realised.
5 RISK RATING (GROSS)
Guidance: This is the combined risk of the assessed probability and impact from High/High down to Low/Low before taking account of any controls in place to manage the risk (sometimes referred to as the gross risk).
6 TOLERATE GROSS RISK (Is this risk tolerable/acceptable? Yes or No)
Guidance: This is a judgement. In general any risk with a High probability (i.e. certain or almost certain to be realised) or High Impact (i.e. a fundamental impact) is unlikely to be acceptable, together with risks that have both a Medium probability and
The Risk Assurance Section can provide further guidance on the identification of controls if required.
ACTIONS REQUIRED TO STRENGTHEN CONTROLS
Guidance: Identify the actions required, if any, to enhance the control measures currently in place. These actions must be specific tasks allocated to a Head of Team and their Team's Risk Management Group with a specified timetable for completion of the task.
8 RISK RATING (NET)
Guidance: This is the revised combined risk of the assessed probability and impact after taking account of controls in place (or controls identified to be put in place in the action plan above) to manage the risk (sometimes referred to as the net risk).
9 TOLERATE NET RESIDUAL RISK (Is the residual risk now tolerable/acceptable? Yes or No)
Guidance: This is a forecast of the residual risk once the control actions identified above have been taken. Have you done, or are planning to do, all that you reasonably can do to manage the risk down to an acceptable level? If so, can HEFCW accept the risk that remains?