
Risk Management

Steve Chadwick & Rhiannon Birch


2015
Introductions
Steve Chadwick: Profile
• 35 years in Education
• 28 years in Universities (Hong Kong & UK)
• 24 in strategic planning
• University of Northumbria (‘New’ University)
• Newcastle University (Russell Group)
• Durham University (Russell Group)
• Exeter University (Russell Group)
• Director of Strategic Planning & Change
University of Exeter
Exeter University: Profile

• 7th in the Times Good University Guide 2015
• 9th in the Independent’s Complete University Guide 2015
• In top 10 universities in the UK in National Student Survey
• 3,000 staff, 19,000 students (including over 4,000 international students)
Exeter’s Growth
[Figure: University of Exeter League Table Positions. Rank (0 to 50) by publication year, 2004 to 2014, for The Times, Sunday Times, Guardian and Complete University Guide.]



Rhiannon Birch: Profile
• 11 years in university sector in the UK
• Originally from an information/data management
background
• Worked at department and central level at the
University of Sheffield
• Strategic and academic planning, risk management, HE
policy advice, project management,
• Since 2013, Deputy Director of Strategy, Planning and
Governance University of Sheffield
• Part-time PhD student looking at higher education
University of
Sheffield
University of Sheffield: Profile
• Large, comprehensive civic university, established in
1905 by the people of the UK’s 4th largest city
• 26,300 students; 7,200 staff
• Arts and Humanities, Engineering, Medicine, Dentistry
and Health, Science and Social Sciences
• Ranked 80th in the 2015 QS World University rankings
• Focus on research-led teaching
– In the top 10 per cent of all UK universities, in the 2014
Research Excellence Framework (REF)
– 1st for Student Experience in the Times Higher Education
Student Experience Awards, 2014-15
Risk Management
OBJECTIVES
• Understand the Principles of Risk Management
– Be familiar with the principles & elements of risk management.
– Describe how risk management affects institutional performance.
• Develop a Risk Management Framework
– Develop a risk management framework.
• Identify and Assess Risks
– Utilize a sample of risk assessment tools.
– Conduct risk analysis.
• Maintain, Update and Monitor Risk
– Monitor the management of significant risks to reduce their unwelcome results.
– Report annually on the effectiveness of the process and procedures of risk management.
RISK MANAGEMENT
• Session 1: What is Risk?
– Basic overview of concepts
• Session 2: Risk Management Framework
– How an enterprise risk management system works
• Session 3: Identifying Risks
– Basic tools for identifying and categorising risks
• Session 4: Assessing Risks
– Impact vs Likelihood
• Session 5: Mitigation, Monitoring and Control
– How do we manage our risks? Gross vs Net and reporting
tools
• Session 6: Next Steps
APPROACH

• Practitioner’s perspective

• Case-studies

• Interactive

• Participative

• Pair, group and whole class discussion


Risk Management

Session 1
What is Risk
Session 1: Overview
• What is risk?
• What is risk management?
• Why do we need it?
• Understanding the basics
– Definitions
– A typical Risk Management Framework
– Who’s involved?
TASK

Questions You Want Answered from Today’s Session?
What is Risk?
• RISK: the possibility that an action, event, or set of circumstances will adversely or beneficially affect the University’s ability to achieve our objectives. (UoB)
• RISK: uncertainty of outcome, whether positive opportunity or negative threat (PRINCE2)
• RISK is about the future and comes from uncertainty
What is Risk?
• Anything that may affect the
achievement of objectives
• Uncertainty that surrounds future
events or outcomes
• The expression of the likelihood
and impact of an event with the
potential to influence the
achievement of an organization’s
objectives
TASK

What are some risks at your institution?
What is Risk Management?
• RISK MANAGEMENT: the planned and systematic approach to identification, evaluation and control of risk. (UoB)
• RISK MANAGEMENT: to manage the probability of specific risks occurring and the potential impact if they did occur, taking action to keep exposure to an acceptable level in a cost-effective way (PRINCE2)
What is Risk Management?
• A scientific approach to dealing with risks by anticipating possible losses and designing and implementing procedures to minimize the loss or impact of the losses that do occur
• A logical, systematic method of identifying, analyzing, managing and monitoring the risks involved in any activity or process.
• The culture, processes and structures that are directed towards realizing potential opportunities and managing adverse effects
What is Enterprise Risk Management?

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
So why do we need it?

The only alternative to risk management is crisis management - and crisis management is much more expensive, time consuming and embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003

Without good risk management practices, (an institution) cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs.
Sheila Fraser, Auditor General of Canada

You only find out who is swimming naked when the tide goes out.
WARREN BUFFETT, Chairman’s Letter to shareholders of Berkshire Hathaway Inc, 2001
Why do we need Risk Management?
• Increases risk awareness – What could affect
the achievement of objectives? What could
change? What could go wrong? What could
go right?
• Increases understanding of sensitivities. What
makes my risks increase/decrease/disappear?
• Promotes an open and transparent risk
culture – It’s safe to talk about risk.
• Develops a common and consistent approach
to risk - not intuition-based.
Why do we need Risk Management?
• Allows intelligent “informed” risk-taking
• Focuses efforts – helps prioritize. Top 10 list.
Or top 3. Or…
• Proactive not reactive – Prepare before things
happen.
• Helps achieve objectives (corporate, college,
unit etc)
• Enables accountability, transparency and
responsibility
• Can reduce the impact and provide assurance
if things do go wrong – we were responsible
not blind
• It’s good management …
Why do we need Risk Management?

Risk Management is now an integral part of business planning in private and public-sector organizations throughout the world
“Risk assessment and management should be an
integral component of planning strategies with
appropriate mechanisms developed for risk
assessment and minimization”
NCAAA Standard 2 Paragraph 2.29
Why do we need Risk Management?
…and it’s not just necessary at the institutional
level. Risk needs to be embedded throughout the
University since we have many risks specific to the
nature of our endeavours.

For example:
• Students undertaking projects off-campus
• Who are not yet legally adults
• Who, if they are women, could be pregnant
• And who could carry out practical work in labs or with machinery.
Understanding the basics

• A few definitions

• A typical Risk Management process

• Who’s involved?
Understanding the Basics: Definitions

Risk Source

• A risk source has the intrinsic potential to give rise to risk. It is the place from which a risk originates - where it comes from.
– There are many potential sources of risk. All of
these elements could potentially generate a risk
that must be managed.
Sources of Risk
• Government policy and regulation – funding regime
• Competitor activity – growth into your markets
• Economic conditions and market activity – global
economic downturn
• Technological change – MOOCs, social media
• Environmental change – global warming
• Behaviour – student preferences, slowness to adapt,
staff attitudes, management shortcomings
• Natural or man-made disasters or accidents –
Tsunami, fire
• Mistakes – data errors, IT system crash
• Illegal or non-compliant activity - fraud
Understanding the Basics: Definitions

Risk Levels

• The level of risk is its magnitude. It is estimated by considering and combining impact and likelihood.
– A level of risk can be assigned to a single risk or a
combination of risks. It can be determined either
qualitatively (e.g. Low-Medium-High) or
numerically on an agreed scale.
– Impact can itself be on multiple levels …..
Risk Levels
• Systemic Risk – affects whole sector (e.g. funding
regime change)
• Strategic Risk – affects the strategic objectives of
the organisation (e.g. student recruitment or
research activity)
• Operational Risk – inherent in doing business
(data quality)
• Programme or Project Risk – bounded and should
be managed within project
• Local Risk – bounded, local impact only (staff
sickness)
Understanding the Basics: Definitions
Risk Management Framework

• A set of components that support and sustain risk management throughout the University.
• We can group them into two parts:
– Foundations: e.g. risk management policy, objectives, appetite and tolerance.
– Organizational arrangements: e.g. plans, relationships, accountabilities, resources, processes, templates, registers and activities used to manage the University’s risks.
Understanding the Basics: Definitions

Risk Management Policy

• A document which expresses the University’s commitment to risk management and clarifies its general direction or intention.
– Typically it includes a description of the risk management framework, roles and responsibilities, annual cycle, definitions etc.
Understanding the Basics: Definitions
Risk Appetite/Attitude

• A description of the University’s general approach to risk and how much risk it will accept.
– Risk appetite influences how risks are assessed and managed - whether they are taken, tolerated, retained, shared, reduced, or avoided, and whether or not risk treatments are implemented or postponed
Understanding the Basics: Definitions

Risk Owner

• The person who has responsibility for ensuring a risk is managed.
– In some cases the risk owner and risk manager are one and the same, but not necessarily. With major corporate risks they are often different people.
Understanding the Basics: Definitions

Risk Manager

• The person who has responsibility for managing a risk on a day-to-day basis.
– The risk manager operates the controls which mitigate risk.
Understanding the Basics: Definitions
Risk Assessment

• A process made up of three other processes: risk identification, risk analysis, and risk evaluation.
– Identification: a process used to find, recognize, and describe risks.
– Analysis: a process used to understand the nature, sources, causes and level of risks. It is also used to study impacts and to examine existing controls.
– Evaluation: a process used to compare risk analysis results with risk appetite in order to determine whether or not a specified level of risk is acceptable or tolerable.
Understanding the Basics: Definitions

Impact

• The outcome of an event which has an effect on the University or its objectives.
– A single event can generate a range of impacts
which can have both positive and negative effects
on objectives. Initial impact can also escalate
through knock-on effects.
Understanding the Basics: Definitions

Likelihood

• The chance that something might happen.
– Can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics). In universities, subjective assessment is usually sufficient
Understanding the Basics: Definitions
Treatment

• A risk modification process.
– It involves selecting and implementing one or more treatment options, such as:
  – Avoid
  – Transfer
  – Control
  – Accept
Understanding the Basics: Definitions
Controls

• Controls are any measure or action that modifies risk.
– Once a treatment has been implemented, it becomes
a control. Controls include any policy, procedure,
practice, process, technology, technique, method, or
device that modifies or manages risk. Risk
treatments become controls once they have been
implemented
Understanding the Basics: Definitions
Gross and Net Risk
• Gross risk is the risk inherent in any event or
action before any mitigating actions.
• Net risk is the risk left over after you’ve applied
controls.
– What’s left after you’ve avoided, transferred,
controlled or accepted the risk.
Risk Management process

1. Establish the context – objectives for risk management and any assessment criteria
2. Identify risks
3. Analyse and evaluate risks – likelihood and impact = “size” of the risk and do we need to manage
4. Risk treatment – acceptance, controls
5. Monitor and review
6. Record the risk management process
Risk Management Framework
[Diagram: a cycle of four stages]
Identify
• Context Setting
• Stakeholders
• Risk Policy
• Sources of Risk
• Internal/External
• Risk Appetite
Assess
• Likelihood
• Impact
• Gross (Inherent)
• Net (Residual)
• Target
Mitigate
• Risk Treatment
• Avoid
• Transfer
• Control / Contain / Reduce
• Accept
Monitor and Report
• Risk Register
• Regular Reviews
• Key Risk Indicators
• Incident Management
• Audit
• Board
Who is involved in Risk Management
in Universities?
Board
Senior Management / Executive
Planning Office
Finance Office
Middle Managers
Programme and Project Managers
Everyone
But with different responsibilities
depending on the risk level
Risk owners and risk managers
• Risk owners
– Usually members of executive
– Regular review of risk, receiving information from risk
managers
– Place risk in context of risk policy, audit advice
– Proactively manages changes to risk likelihood, impact,
appetite for their risks
• Risk managers
– Usually senior/middle management
– Closer to operational activity – see changes in risk in
daily work
– Identify mitigating activities – ensure they occur
– Advise risk owners
Elements of Risk Management Framework
[Diagram: top-down and bottom-up risk assessment and reporting across organisational levels. Level labels: Board, Centre, Executive, Planning Office, Senior Managers, Middle Managers, Operations, Projects & Functions.]
Top-Down Strategic Risk Assessment (annual)
• High-level SWOT/STEP & Strategic Risk Register
• Board understanding of risk appetite
• Risk embedded in Strategic Planning
Integrated Board / Executive Reporting (monthly/quarterly)
• Key Risk & Mitigation Reporting
• ‘Watch List’ of risky business initiatives
• Key overall risks & adequacy of mitigation
Integration of Strategic & Operation-wide Reviews
• Current & Future Risk Profile (monthly / quarterly)
• Level of risk, mitigation effectiveness, assessment of impact on overall risk profile
Action Planning
• Feedback & Actions
• Coordinated mitigation plan & action tracking
Bottom-Up Operation-wide Risk Assessment
• Collated operational risk reporting with mitigating actions (monthly / quarterly)
• Collation of Operational Risk Reviews
• Operations Risk Review: operations risk reporting with mitigating actions (quarterly)
• Programme & Project Risk Review: programme & project risk reporting with mitigating actions (monthly)
• Functional Support Risk Review: functional risk reporting with mitigating actions (quarterly)
What makes for effective Risk
Management?
• Commitment from Senior Staff
• Integral to management practices
• Embedded in strategic and operational planning
• Open communication
• Appropriate ERM system
• Clear responsibility & accountability
• Normal part of program & project management
Note:
These are all characteristics of a mature
organization.
Have you been listening?

1. What is the difference between Gross and Net Risk?
2. What is meant by Risk Appetite?
3. Name three critical success factors for
effective Risk Management.
4. How do you calculate the level of risk?
5. What is the difference between a risk owner
and a risk manager?
