Advisers to Growing Businesses RISK MANAGEMENT Central Queensland University November 2006.

BDO Kendalls’ Role – 2002/3

• Guidance to the University in establishing Risk Management Policy and Process Framework

• Deliver training to key management groups

• Facilitate process implementation workshops

• Provide feedback, information and outcomes to Risk Management Committee

• Management own the process and its key elements

• Key decision making remains with the University

Why Risk Management?

• CQU is committed to a comprehensive and systematic approach to effective management of potential opportunities and adverse threats

• Risk management is a key element in improving CQU’s business and services to assist in achieving its objectives

• CQU aims to achieve best practice in controlling risks which may impact its business

Why Risk Management?

Statutory Requirements

• Financial Management Standard: “The University must protect itself from unacceptable costs or losses associated with its operations.”

• Workplace Health & Safety Act 1995: Imposes obligations on people at workplace to ensure workplace health and safety

• AUQA

• Common Law

Duty of Care

What is Risk?

The exposure to the possibility of something happening that will have an impact on the University’s organisational objectives

Objectives: Financial and Non Financial

Elements of Risk

Risk arises out of uncertainty and has two elements:

1. Frequency / likelihood of something happening

2. Severity / impact of the consequences arising from the event.

Risk Management Is …

• Culture and process

• Systematic application of management policies, procedures and practices

• Effective management of opportunities and threats

• Establishing context

• Identifying

• Analysing

• Assessing

• Treating

• Monitoring

• Communicating

Risk Management is Not …

• Just accounting controls

• Another name for insurance

• About creating risk averse management

• A label to hide inadequate analysis when something goes wrong

• A green light for careless enthusiasm

• An opening for ‘risky management’

Risk Management Objectives

• Structured basis for strategic planning

• Enhance governance and corporate management processes

• Discharge statutory responsibilities

• Practical framework for decision making

• Protect against unacceptable costs/losses

• Minimise missed opportunities

• Safeguard assets (including people)

University’s RM Objectives

• Implement RM across all areas of the University in accordance with best practice guidelines

• Integrate RM into the management culture of the University

• Foster an environment where staff assume responsibility for managing risk

The Process to Date …

1. CQU Risk Management Policy promulgated

2. Risk Management Committee and Terms of Reference Established

3. Workshop to identify Key Risk Categories

4. Policy Framework and Guidelines established

5. Templates:

- Risk Mgt Standards

- Risk Records

- Risk Treatment Plans

- Risk Register

6. Pilot Launch – Health Safety and Security Key Risk Category

The Process to Date …

7. CQU Risk Management Workshops conducted, identifying risks and treatment plans

8. Risk Management Committee and Terms of Reference Established as sub-committee of Audit Committee

9. Significant change and restructure

10. AUQA Audit and Report

11. Risk Management Committee rolled into Audit Committee

12. Risk Management Software acquired

13. Re-launch of Risk Management to Senior Management

Key Risk Categories

1. Corporate Governance & Compliance

2. Financial and Commercial

3. Operations

4. Student

5. Health, Safety & Security

6. Human Resources

7. Data & Information Technology

8. Reputation

9. Asset Maintenance

10. Environmental

Risk Management Process

AS/NZ 4360

(Refer Frame 1)

Establishing Context & Framework

Identify Internal and External Stakeholders

• Internal and external decision makers

• Individuals directly and indirectly affected by decisions, actions and inactions

• Unions, staff groups

• Community groups

• Statutory regulators (health, safety, environmental etc)

• Politicians (all levels of govt) with electoral or portfolio interest

• Non government groups

• Users and suppliers of services and facilities

Establishing Context & Framework

Purpose of stakeholder analysis is to provide decision makers with a documented profile of stakeholders to better understand needs, issues and responsibilities

Framework and Stakeholder Mix subject to constant change

Consultation and review process must be continuous and recurrent in the Risk Management process

Identifying Risks

• Aim to identify risks to be managed

• Comprehensive identification critical

• Potential risk not identified at this stage is excluded from further analysis

• Identification should include all risks whether or not they are under the University’s control

Identifying Risks

Possible Methods of Identifying Key Risks

• Audits & physical inspections

• Brainstorming

• Decision trees

• Examination of local or overseas experience

• Expert judgment

• History, incident reports

• Interview, focus group discussions

• Scenario analysis

• SWOT analysis

• Surveys, questionnaires etc…

Identifying Risks

Possible Sources of Risk

• Commercial relationships

• Legal relationships

• Custody

• Management activities and controls

• Natural events

• Political/legal

• Occupational health and safety

• Personnel/human behaviour

• Property/facilities

• Public liability

• Security

• Socio-economic

• Etc …

Identifying Risks

Documentation of this step

• For a small process this step may be documented by a simple tabulation

• More detailed documentation may be required for larger processes

• List each risk and classify, eg functional groups, exposure profiles etc

Analysing Risks

CONSEQUENCES AND LIKELIHOOD

The magnitude of consequences of an event, should it occur, and the likelihood of the event and the associated consequences, are assessed in the context of no existing controls

Consequences and likelihood are combined to produce a level of risk

Analyse LIKELIHOOD considering:

• How often situation occurs

• How many operations/people exposed

• Skills/experience of people exposed

• Special characteristics of people exposed

• Duration of exposure

• Proximity of hazard to people exposed

• Distractions

• Quantity of materials or multiple exposure points involved

• Environmental conditions

• Condition of facilities, equipment

• Effectiveness of existing control measures

Analysing Risks

Analyse EXISTING CONTROLS considering:

• Do controls represent good practice?

• Are controls minimising exposure to risks?

• Do stakeholders know about controls?

• Are there adequate systems and procedures in place to support controls?

• Is there adequate training/supervision in relation to controls?

• Is there adequate maintenance of controls?

• How easy is it to use, or work with, controls?

Analysing Risks

Analyse CONSEQUENCE considering:

• Potential for “chain reaction”

• Concentration of risk exposures

• Direct/indirect financial impact

• Fines, penalties, rectification costs

• Other regulatory impact

• Business interruption

• Position of stakeholders relative to exposure

• Human impact

Analysing Risks

TOOLS FOR ANALYSIS

Qualitative Methods Used:

• Where level of risk does not justify time and resources for numerical or detailed scientific analysis

• For initial screening of risks

• Where numerical data inadequate

• Valuable when analysis shared across range of people, backgrounds & interests

Analysing Risks

TOOLS FOR ANALYSIS

Semi-Qualitative Methods

Allocates a qualitative word ranking to likelihood (eg Almost Certain – Rare) high, medium or low and consequence (eg Extreme – Insignificant)

Rankings are shown against a word scale for ranking the level of risk (eg V.High – V.Low)

Avoid overcomplicating analysis. Relatively straightforward methods can be effective

Method, rationale and results should be documented

Evaluating and Ranking Risks

Risk evaluation involves comparing the level of risk determined during analysis with previously established criteria

Decides whether risks are acceptable or unacceptable

Output of risk evaluation is a prioritised list of risks for further action (ranking)

Evaluating & Ranking Risks

Acceptable and Unacceptable Risk

Consider:

• Degree of control over risk

• Cost impact, benefits and opportunities presented by risk

• Significance of risk & importance of policy, program, process or activity

Risk may be accepted if consequence & likelihood is consistent with established criteria

Acceptance may follow risk reduction measures

Regularly review and monitor for changing circumstances

Process and rationale should be documented

Evaluating & Ranking Risks

Reasons a risk may be accepted:

• Level of risk so low that specific treatment not appropriate within available resources

• Cost of treatment is so excessive compared to benefit that acceptance is only option

• Opportunities presented outweigh threats to such a degree that risk is justified

• No treatment is available

Evaluating & Ranking Risks

Unacceptable risks:

• Risks not considered acceptable are those which will be treated in some way

• These are prioritised for subsequent management action as a component of the management’s and the University’s Risk Actions Plans and Risk Register

Risk Treatment

Risk Treatment involves

• Identifying and considering the range of Options for Treatment

• Assessing those options

• Preparing Risk Treatment Plans

• Implementing Risk Treatment Plans

Risk Treatment

OPTIONS to Manage the Risk

• ELIMINATE the risk

• TRANSFER the risk

• PREVENT or MINIMISE the consequences and/or likelihood of the risk

- Substitution

- Redesign

- Isolation

• RETAIN the risk - when exposure is not or cannot be minimised by other means:

- Eg Administrative controls

- Eg Personal protection

(Refer Frame 4 – Risk Treatment Process)

Risk Treatment

Preparing Risk Treatment Plans

Plans document how chosen options will be implemented

Plans identify:

• Responsibilities

• Schedules

• Expected outcome of treatments

• Budgeting, Performance measures

• Review, assessment and monitoring processes

Risk Treatment

Implementing Risk Treatment Plans

• Developing Standards and Procedures

• Communicating

• Training and instruction

• Supervision

• Maintenance

Risk Treatment

Monitoring and Reviewing Risk Treatment

Chosen controls have been implemented as planned:

- Are chosen controls in place?

- Are controls being used?

- Are controls used correctly?

Controls are working:

- Have changes made to control exposure resulted in planned outcome?

- Has exposure to risk been diminished or adequately reduced?

Are there any new problems?

- Have implemented control measures resulted in introduction of new problems?

- Have implemented control measures resulted in worsening of existing problems?

Documentation

Each stage of the Risk Management Process should be documented:

• Demonstrate the process

• Evidence of systematic process

• Record to develop risk database

• Provide decision makers with RM plan for approval and implementation

• Accountability mechanism and tool

• Facilitate continuing monitoring and review

• Provide audit trail

• Share and communicate information

Documentation

Risk Register

Risk Management Standards for Specific Risk Category

Responsibility

• For RM to be effective it must be implemented by every person within the organisation

- Council, VC, DVC, Directors, Deans, HODS, Line Management, Staff, Students and 3rd Parties

• RM is not just the responsibility of management

• RM must become an integral part of the University’s culture

Managing Risk

• Managing risk means forward thinking

• Managing risk means responsible thinking

• Managing risk means balanced thinking

• RM provides a framework to facilitate more effective decision making

• RM is all about maximising opportunity by managing risk

Contact

Daniel Nolan

Acting Internal Audit Manager

Extension 6932