Risk Management. Implementation Guideline


Internal Audit
October 2016

Risk Management Implementation Guideline

MADISON AREA TECHNICAL COLLEGE

Table of Contents

Preface
Chapter 1 - Risk and Risk Management
  What is risk?
  What is risk appetite?
  What is risk tolerance?
  What is Risk Management?
  What benefits will Risk Management deliver?
  What is control or mitigation action?
  What is exposure?
Chapter 2 - Developing a Process
  Preparing an implementation plan
  Who should be involved?
  Identifying risk - Techniques
  Identifying risk - Categories
  Prioritization
  Exploring the risk
  Early warning indicators and mechanisms
  Assessing the risk - Impact and likelihood
  Assessing the risk - Techniques
  Assessing the risk - Exposure
  What is acceptable exposure?
  Improvement action
Chapter 3 - Sustaining the Process
  Appointing a process owner
  Ownership of risks
  Documentation and reporting
  Independent assurance
  Training
  Communication and guidance
  Annual review
  Embedding the process
Exhibit A - RM good practice assessment checklist

Preface

This guide is primarily aimed at those involved in planning, launching and implementing a Risk Management (RM) process. It recognizes that there is no one correct process. It draws on the best practices of private and public entities and of higher education institutions, and is not prescriptive. The purpose of this guide is to highlight the key issues that the College needs to consider in planning and developing its RM processes. Whatever stage the College has reached in implementing RM, this guide helps it take stock of what has been achieved so far and plan ahead effectively.

CHAPTER 1 - RISK AND RISK MANAGEMENT

What is Risk?

Risks and objectives are directly connected. Objectives are generally set when opportunities to achieve them are present. To seize those opportunities a series of events must occur, and events involve uncertainty. The first step in looking at RM is therefore to define what risk is. Many definitions are available; this guide focuses on the uncertainty of an event occurring and its effect on the College's ability to achieve its objectives.

What is an event? An event is an incident or occurrence, from internal or external sources, that affects the College's ability to achieve its objectives. Events can have an adverse or a beneficial impact. Events with adverse impact erode existing value. Events with beneficial impact are channelled by management into strategy to seize the opportunity, and they can offset the adverse impact of other events.

Risk, therefore, is the uncertainty that arises from the College's inability to determine precisely the severity and timing of events that may adversely or beneficially affect its ability to achieve its objectives. It is rare for a risk to arise from a single event: usually several events must occur for one risk to materialize, and the severity and timing of those events vary.

Risks, like objectives, can exist at a number of levels of the College's organizational structure:
- Strategic
- People
- Department
- Personal

What is Risk Appetite?

Risk appetite is the amount of risk the College is willing to take or accept in pursuit of its objectives. Risk appetite is directly related to the College's strategy and is considered in strategy setting, because different strategies expose the College to different risks.

High risk strategies imply a higher risk appetite than moderate or low risk strategies. Management establishes the College's risk appetite, which should be cascaded down to all business and operating units.

What is Risk Tolerance?

Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective. Usually it is around ±5% of the objective's desired outcome.

What is Risk Management?

RM is a process that:
- Allows additional risks to be taken, and existing risks to be carried, more securely because the risks:
  - Have been identified.
  - Are being managed.
  - Have an identifiable exposure.
  - Have an acceptable exposure.
- Provides a balanced risk portfolio.
- Is effected by people at all levels of the College's organizational structure.
- Is applied in strategy setting.

RM is also a process that provides assurance that:
- Objectives are more likely to be achieved.
- Damaging things will not happen, or are less likely to happen.
- Mitigating actions will be, or are more likely to be, identified.
- Beneficial things will be, or are more likely to be, achieved.
- Improvement actions will be, or are more likely to be, addressed and requested.

RM fosters consistent and systematic management behavior. It can be used to complement the College's strategic planning, resource allocation, and business activities and projects at the unit or function level.

RM is not a process for avoiding risk. When used well, it can actively encourage the College to take on activities with a higher level of risk, because the risks have been identified and are being managed, so the exposure to risk is both identifiable and acceptable.

RM is not the management of insurable risks. Insurance is an important way of transferring a risk, but most risks will be managed by other means.

RM provides upward assurance from business activities and administrative functions, from departments to senior management and ultimately to the governing body. During its design stage, a RM process must be made able to provide

the governing body and senior management with sufficient evidence and information to support any assurance statements they wish to disclose.

What Benefits will RM Deliver?

The benefits of RM vary depending on how it is planned and implemented. The College therefore needs to decide what benefits it would like to derive from its RM approach and plan accordingly, taking best practices into account. Potential benefits of a well-planned RM process include:
- Aligning risk appetite and strategy by considering risk when evaluating strategic alternatives and objectives.
- Supporting strategic and business planning.
- Supporting effective use of resources.
- Promoting continual improvement.
- Reducing operational surprises.
- Allowing a quicker grasp of new opportunities.
- Enhancing communication and accountability.
- Providing greater awareness of activities and initiatives.
- Enhancing management response.
- Providing an integrated response to multiple risks.
- Building a balanced risk portfolio across the College.
- Improving deployment of capital.

RM enables management to deal effectively with uncertainties and the associated risks and opportunities, and thereby enhances the College's capacity to build value. It helps people understand risk in the context of the College's objectives. RM cannot prevent people from making bad judgements or decisions, nor eliminate the events that can cause the College to fail to achieve its objectives. It does, however, increase the likelihood of management making better decisions.

What is Control or Mitigation Action?

A control or mitigating action is an action taken to reduce the likelihood of a risk occurring, or to limit its adverse consequences; it mitigates both the impact and the likelihood of a risk. Control comes with a cost, both direct (supervisory staff, information systems, etc.) and indirect (missed opportunities, less entrepreneurship, etc.). The speed of onset of a risk is a key factor when assessing the quality, efficiency and effectiveness of a control or mitigation action.

What is Risk Exposure?

Risk exposure (also known as residual risk) is the net risk after all controls to mitigate the risk have been taken into account. The College's risk exposure reflects the quality, efficiency and effectiveness of existing controls and mitigation actions.

CHAPTER 2 - DEVELOPING A PROCESS

Preparing an Implementation Plan

The implementation of a RM process may face a range of problems that can undermine the process (figure-1).

Figure-1: Potential Problems and Their Causes

  Misunderstandings and confusion
    - Risk language is not common
    - Roles and responsibilities are not clear
    - Scope is too wide
  Unfocused process
    - Too many risks identified
    - Poor prioritization
    - End-point and usage are not clear
  Uncertain outputs
    - Implementation of the suggested improvements is not clear
    - No link to budget allocation or business planning
    - Unexpected problems during the start-up phase
  Insufficient resources to implement
    - Staff are unwilling to commit their time
    - Process is perceived to evaluate performance
    - Process creates more paper and generates extra work
    - Lack of senior management support
    - Poor commitment from staff
  Process not sustained
    - Other processes (such as strategic planning and budgeting) do not consider RM at the planning stages
    - Risk philosophy was not developed
    - Risk philosophy was not approved by the governing body
    - Process objectives are not clear
    - Process benefits are not identified
    - Ongoing roles and responsibilities are not clearly defined
    - Not linked to existing ongoing processes

Good planning can help reduce the likelihood of these problems occurring. Answers to the following planning-stage questions will help the College determine the philosophy underpinning its approach to RM. There are no right answers; responses will vary with the College's circumstances and requirements.

1. How broad should the process initially be: the top significant risks, only risks with high impact and likelihood, or all identified risks?

2. Considering the breadth of the program, are there sufficient resources to implement and support the process?
3. How will evidence be generated to support disclosure statements on risks and internal controls?
4. Who will own, manage, implement or facilitate the RM process and maintain it?
5. Should RM operate as a separate managerial process, or be integrated into the College's existing process structure?
6. What should be done with all the information captured during the process?
7. Will the academic staff support the process?

Who should be Involved?

Staff members are in the best position to know their own risks. Who is involved, and whether the people who identify risks also assess them, will partly be determined by the type and scope of the department or area being assessed. It is clearly appropriate for strategic reviews to involve senior managers and senior academic staff. More specific reviews, such as those focusing on a particular department, function or project, may require a group of participants with more direct knowledge and experience of the area.

Identifying risk is a good opportunity to involve staff of many disciplines and levels of seniority; there is a balance to be struck between top-down and bottom-up approaches. For some staff this may be the first time they have been involved in the College's management processes. This, and the fact that RM may be a new concept even to the more experienced managers in the College, will raise some training needs.

In general, the same groups of staff are involved in both identifying and assessing risk. A decision is needed on how many, and which, staff will be involved in assessing risk. This stage of the program tends to generate heated debate (particularly over priorities and acceptance of the net risk) and can be the most difficult to handle effectively.
Identifying Risk Techniques Whatever technique is used to identify risks, they must relate to the College strategic objectives, faculty, department, personal, and the function or project in question. If objectives are not already explicit, they will need to be made so. Staff also may not be willing to commit their time and effort because the process is perceived as a performance evaluation project rather than their own. Few staff at any level of seniority or experience will be able to identify risks without some prompting or fear. Page 9

It is therefore very important to encourage participants to supply the information required to compile a list of risks. There is no right or wrong way to do this: many methods have been tried, and each has its benefits and drawbacks (figure-2). The choice may be determined by the time and resources available, and more than one method could be used in the same RM process.

Figure-2: Methods of Prompting Staff to Identify Risks

  Desk-top review of documentation
    Advantages: limited resources required; quick; good background information
    Disadvantages: may be out of date; unclear who was involved in the preparation; incomplete
    Tips: undertake an initial review, then probe during interviews or group sessions
  Questionnaire
    Advantages: wide coverage; no facilitation skills required; confidentiality
    Disadvantages: patchy response; no opportunity to pursue detail
    Tips: encourage additional comments to explain answers to questions
  One-to-one interviews
    Advantages: facilitation skills not essential
    Disadvantages: time-consuming; potential for too much detail; no interaction to bounce ideas off one another; can get stuck in a single area
    Tips: ensure all interviewees have attended a group training session in advance, so that time is not wasted explaining the process individually
  Group interview
    Advantages: broader coverage; stimulation of ideas
    Disadvantages: some facilitation skills required; scheduling difficulties; limited confidentiality
    Tips: maximum of three interviewees
  Workshop, focus group or round table discussion
    Advantages: good coverage
    Disadvantages: good facilitation skills required; scheduling difficulties; lack of confidentiality
    Tips: participants may be required to prepare; time constraints for discussion during the session

The following questions are a useful starting point for a risk discussion:
- Are you aware of the College's strategic objectives?
- Do you have any personal objectives in addition to those of the College?

- Are there any issues that could prevent you from meeting the College's or your personal objectives?
- Over the last two years, what problems have affected your work?
- What problems or changes can you foresee in the short and medium term that may prevent you from achieving the College's or your personal objectives?
- If you or your faculty and staff members have performance criteria, do you meet them, and what stops you from meeting them?

Identifying Risk - Categories

Organizing the types of risk into broad categories helps ensure that key issues are not overlooked, and helps document the process. In many cases the risk categories will be determined by the objectives. There is no one right way to define risk categories; each department may define a different set determined by its objectives. Figure-3 illustrates a sample of risk categories.

Figure-3: Sample of Risk Categories

  Political: Federal; State; Regulatory; Elections
  Economic: Fundraising; Inflation; Consumer behavior; Demographics; Resources; Employment; Competition; Terrorism; Entrepreneurship
  Technology: Interruption; E-commerce; External data; Emerging technology; External; Internal
  Environment: Emission and waste; Energy; Natural disaster; Sustainable development; Pandemics
  Governance: Management and leadership; RM; Internal controls environment; Compliance; Information and communication; Processes; Image perception
  Resources: Availability; Allocation; Monitoring
  Personnel: Reliability of disclosures; Employee capability; Delegation of duties; Employee training; Integrity
  Technology (internal): Security; Privacy

Prioritization

A common problem at this early stage in the process is the identification of too many risks. A monster list of risks is impractical and frightening, even if it seems comprehensive and thorough. It will inevitably result in the risks being poorly assessed and will lead to gradual disillusionment with the process. There are unlikely to be more than significant risks of interest to the governing body, so it might be best to focus on these first as a strategic risk review.

Ways to produce a more manageable list of risks:
- Look first at those risks which potentially have a financial impact above a preset financial threshold.
- Group risks together by category.
- Group risks by links: risks are often linked, one being a contributing factor to another.
- Select those that are most relevant to the achievement of objectives.
- Identify as many significant risks as possible, and then prioritize them.

Risks can be prioritized democratically or autocratically. In the latter case, the duty often falls on the project owner and one or two senior staff, such as financial management or internal auditing. The democratic approach may use more resources and deliver the same result; however, it can deliver much greater acceptance of the final result and ownership of subsequent action. In order to remain independent, the project manager or coordinator may ask all or selected participants in the risk identification process to rank the risks by order of priority or importance. This is not the same as asking them to assess the risks, and the difference should be made clear.

Exploring the Risk

The risks that have been identified need to be fully explored before they are assessed. This involves:
- Providing a clear description of the risk in a common risk language.
- Listing contributing factors.
- Identifying early warning mechanisms.
- Considering existing controls and mitigating actions.

A team of people can waste a great deal of time assessing a risk that they are all interpreting differently. The better the description, the more chance there is of an accurate assessment.

Early Warning Indicators and Mechanisms

The impact or likelihood of a specific risk can change for many reasons, for example:
- The nature of the risk is changing.
- Existing controls are inadequate or not functioning.
- Current controls have been enhanced and improved.
- New controls are introduced.

Early warning indicators and mechanisms are designed to let management know before a risk occurs. In many cases, when considering a risk and its existing controls, it is helpful to compile a list of early warning indicators and mechanisms. These may be described or highlighted in monthly reports to management and/or periodic reports to the governing body (figure-4). Key characteristics of such indicators and mechanisms are:
- Information must reach the person who can make decisions accurately and in time.
- The frequency of monitoring should be related to how quickly the risk can materialize and its likely impact.
- Mechanisms must pick up the problem before it happens, or at least before it gets too serious.

Figure-4: Samples of Early Warning Indicators and Mechanisms

  Risk                          Early warning indicator or mechanism
  Quality of services           Internal customer survey
  Availability of facilities    Space audit
  Budget overspend              Budget variation analysis
  IT network security breach    Attacks on firewall

Assessing the Risk - Impact and Likelihood

There are two main attributes for assessing risk:
- Severity of impact: how significant might the consequences be?
- Time of impact: how likely is it to happen?

There is no single right approach to assessing these two attributes. To avoid confusion, whatever assessment method is used should be standardized, not necessarily across the whole College but certainly for the whole of an individual department's RM process. Different risks have different types of impact, and risk assessors will need to consider all types of impact when making their assessment (figure-5).

Figure-5: Sample Types of Impact

  Impact type      Minor                               Moderate                          Severe
  Financial loss   Less than $X                        Between $X and $Y                 Greater than $Y
  Bad publicity    Damaging article in student press   Damaging article in local press   Damaging article in national press
  Injuries         Minor, reversible                   Major, reversible                 Major, irreversible

Most major losses occur from high impact, low probability risks, which can be scenario tested. Assessing the likelihood of a risk occurring tends to be more straightforward. For example, likelihood may be rated as: all the time, frequently, occasionally; or as: almost certain, possible, unlikely, rarely, never.

Assessing the Risk - Techniques

As with risk identification, risk assessment can be conducted in a number of ways, from a paper-based exercise to a workshop. Factors to consider in deciding on a risk assessment technique are summarized in figure-6.

Figure-6: Factors Affecting the Techniques for Risk Assessment

  Participation: How widespread will the participation be? Workshops for more than 20 people are difficult to facilitate, and it is often hard to find a suitable date and time.
  Co-operation: How co-operative will the participants be? There may already be an indication of how well they have bought into the process from the response to the risk identification stage.
  Confidentiality: A questionnaire which participants can complete in privacy may reveal more truth about the College. However, not discussing issues in the open may conflict with the objectives of the process.
  Domination: Workshops can easily be dominated by one or two people, especially senior staff, who not only dominate the discussion but can also influence the scoring or voting of the others.
  Intimidation: Similar to domination, except that it may be more subtle.
  Anonymity: Can be particularly important for scoring or voting on the impact, likelihood and rating of RM. It is worth considering anonymous scoring or voting.

Using workshops to assess risk has many advantages, but they can be difficult to run and require good planning. Tips for successful workshops include:
- Circulate papers to all participants in advance.
- Encourage participants to make any amendments and corrections to the wording and definitions of risks before the workshop.
- Choose a venue that accommodates everyone comfortably around a single large table, to encourage discussion and debate.
- Schedule breaks as necessary.
- Organize an introductory talk, given by the most senior or most respected participant.
- Assume that it will take at least 15 minutes to assess each risk; this may require a full day to be set aside.
- Consider using a facilitator.
- Consider using anonymous voting if consensus voting may be difficult to handle or may cause too many disagreements.
- Capture the outputs of the discussions on a flip chart or, preferably, on a PC connected to a projector.

Assessing the Risk - Exposure

Having assessed the risk, the next step is to establish the level of exposure. The relationship between objectives, risks, controls and exposure is, broadly, that high returns require tough objectives, which mean greater risks. The exposure the College faces is then dependent on the effectiveness of the controls in place, and this can normally be illustrated by a risk exposure matrix, as shown in figure-6.

Figure-6: Risk Exposure

  Exposure, by risk attributes rating (rows) and controls rating (columns)

  Risk rating   Tight     Satisfactory   Light
  High          Medium    High           High
  Medium        Low       Medium         High
  Low           Low       Low            Medium

Risk can be assessed without considering existing controls (inherent or gross risk), or taking existing controls into account (net risk). This guide focuses on assessing the net risk, taking into consideration the effectiveness and efficiency of the existing controls and mitigation actions.

For example, inspections by the fire department, installation of fire doors, servicing of fire alarms and extinguishers, and regular fire drills are all mitigating actions that help reduce the chance of a fire posing a serious threat to life or property. The risk of a fire having a significant impact with these controls in place is the net risk.

Assessing the risk exposure is not an end in itself. Having established the exposure, the College has to decide whether it needs to act to manage the risk better. Improvement actions are decided based on the level of exposure determined by the residual or net risk. Having assessed the risk, a rough guide to appropriate action would be:
- High exposure: immediate action.
- Medium exposure: consider action and have a contingency plan.
- Low exposure: monitor and keep under periodic review.

It is also important to consider whether the overall level of exposure is acceptable to the College.

What Is Acceptable Exposure?

Exposure is unacceptable if the people involved in RM believe that not enough is being done to manage the risk satisfactorily. Assessing whether exposure is acceptable helps determine how much additional work is required to satisfy the College that the risk is being adequately managed. In effect, this is the point where the RM process starts to translate into an action plan for improvement. What level of exposure is acceptable will vary between departments; for example, a large department is likely to accept higher risks than a small department.

Improvement Action

Where exposure to risk is considered unacceptable, action for improvement needs to be planned, developed and implemented. This action, also known as the management response to an individual risk, could include:
- Transferring all or part of the risk through insurance or a partnership arrangement.
- Avoiding the risk by withdrawing from an activity.
- Managing the risk by improving existing controls or obtaining more information.
- A combination of the above.

Often, action for improvement will become obvious during the risk assessment and can be captured at that stage. This makes it easy to monitor progress, as all the participants have agreed what needs to be done to reduce the impact or likelihood of any given risk materializing.
Where actions are not identified during risk assessment, generally for lack of time, both deciding upon and then carrying out the necessary actions must be delegated to the most appropriate individual or group. The proposed action should, however, always be reported back to all participants for completeness. Either way, it is essential that the RM process does not stop before the actions for improvement have been developed and executed.
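The figure-6 exposure matrix and the high/medium/low action guide above are the two pieces a department is most likely to copy into its own register, and also the easiest to mis-transcribe. The Python script below is an added illustration, not part of the College guideline or of Internal Audit's material: it encodes the figure-6 matrix and the action guide, adds a consistency check that loosening controls or raising the risk rating never lowers exposure (a property a department should confirm whenever it adapts the matrix), and applies both to a small constructed risk register. The risk names and ratings in the register are made up for the example.

```python
"""Net risk exposure worked example (added illustration, not the guideline's own code).

Encodes figure-6 (risk attributes rating x controls rating -> exposure) and the
rough action guide (high / medium / low exposure), plus a consistency check on
the matrix. Register entries below are constructed sample data.
"""

RISK_LEVELS = ("Low", "Medium", "High")               # ordinal, weakest to strongest
CONTROL_RATINGS = ("Tight", "Satisfactory", "Light")  # ordinal, strongest to weakest

# Figure-6: rows are the net risk attributes rating, columns the controls rating.
EXPOSURE_MATRIX = {
    "High":   {"Tight": "Medium", "Satisfactory": "High",   "Light": "High"},
    "Medium": {"Tight": "Low",    "Satisfactory": "Medium", "Light": "High"},
    "Low":    {"Tight": "Low",    "Satisfactory": "Low",    "Light": "Medium"},
}

# Rough guide to action from "Assessing the Risk - Exposure".
ACTION_GUIDE = {
    "High": "Immediate action",
    "Medium": "Consider action and have a contingency plan",
    "Low": "Monitor and keep under periodic review",
}


def exposure(risk_rating: str, controls_rating: str) -> str:
    """Net exposure for one risk; ratings outside the two scales are rejected."""
    if risk_rating not in RISK_LEVELS:
        raise ValueError(f"unknown risk rating: {risk_rating!r}")
    if controls_rating not in CONTROL_RATINGS:
        raise ValueError(f"unknown controls rating: {controls_rating!r}")
    return EXPOSURE_MATRIX[risk_rating][controls_rating]


def recommended_action(exposure_level: str) -> str:
    """Map an exposure level to the guideline's rough action."""
    return ACTION_GUIDE[exposure_level]


def check_matrix_monotone(matrix: dict) -> list:
    """Return the inconsistencies found in an exposure matrix (empty list = passes).

    Two properties must hold for any sensible matrix: moving from tight to light
    controls must never lower exposure, and a higher risk rating must never lower
    exposure under the same controls.
    """
    rank = {level: i for i, level in enumerate(RISK_LEVELS)}
    problems = []
    for risk in RISK_LEVELS:  # along each row: Tight -> Satisfactory -> Light
        row = [rank[matrix[risk][c]] for c in CONTROL_RATINGS]
        if any(a > b for a, b in zip(row, row[1:])):
            problems.append(f"looser controls lower exposure for {risk} risk")
    for ctrl in CONTROL_RATINGS:  # down each column: Low -> Medium -> High risk
        col = [rank[matrix[r][ctrl]] for r in RISK_LEVELS]
        if any(a > b for a, b in zip(col, col[1:])):
            problems.append(f"higher risk lowers exposure under {ctrl} controls")
    return problems


def assess_register(register: list) -> list:
    """Attach exposure and action to each entry and order by exposure, highest first."""
    rank = {level: i for i, level in enumerate(RISK_LEVELS)}
    assessed = []
    for entry in register:
        exp = exposure(entry["rating"], entry["controls"])
        assessed.append({**entry, "exposure": exp, "action": recommended_action(exp)})
    return sorted(assessed, key=lambda e: rank[e["exposure"]], reverse=True)


# Constructed sample register (not taken from the guideline).
SAMPLE_REGISTER = [
    {"risk": "Fire in laboratory block", "rating": "High",   "controls": "Tight"},
    {"risk": "Budget overspend",         "rating": "Medium", "controls": "Light"},
    {"risk": "Space shortage",           "rating": "Low",    "controls": "Satisfactory"},
]

if __name__ == "__main__":
    if check_matrix_monotone(EXPOSURE_MATRIX):
        raise SystemExit("exposure matrix is inconsistent")
    for e in assess_register(SAMPLE_REGISTER):
        print(f"{e['risk']:<26} {e['rating']:<7} {e['controls']:<13} "
              f"-> {e['exposure']:<7} {e['action']}")
```

Running the script lists the register with the budget overspend (medium risk, light controls) first, because the matrix rates it as high exposure, ahead of the fire risk whose tight controls bring it down to medium. If a department edits the matrix, the monotonicity check is the first thing to re-run: a cell that makes looser controls look safer is almost always a transcription error.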

It might be helpful to think about how to handle the actions for improvement when designing the process. Participants will want to know the details, and particularly whether additional resources will be made available. Actions for improvement can be split into:
- Those to be implemented locally within existing resources.
- Those requiring additional resources or central co-ordination.

It is unlikely that all actions in the second category can be done at once, so they will need to be prioritized. There is no one scale for prioritizing actions for improvement; however, the following scale could be used:
- Important; needing action; cost effective: provide resources or budget immediately or within the next year.
- Important; needing action; not cost effective: consider whether resource provision makes sense at this time.
- Non-critical; review at a later date: ensure the review takes place.

The need for resources to implement actions supports the case for a link between the RM, business planning and budget allocation processes.

CHAPTER 3 - SUSTAINING THE PROCESS

If the RM process is to be sustained, a number of key attributes need to be in place:
- Appointing a process owner.
- Ownership of risks.
- Documentation and reporting.
- Independent assurance.
- Training.
- Communication and guidance.
- Annual review.
- Embedding the process.
- Assessing the process.

Appointing a Process Owner

Any process needs someone who ensures that it is running smoothly and delivering what it was set up to deliver. Who is appointed as the owner of RM will depend on how the process has been set up. The danger of calling someone a "risk manager" is that other people may perceive him or her as a manager of risk, which is very different from a manager of the process. The real managers of risk are the governors, senior management and staff of the College; risk is the responsibility of everyone in the College. If the RM process is clearly distinguishable, as opposed to fully embedded, then appointing a process owner can be helpful. The role of the process owner would be to support the process, provide advice and support to management in undertaking RM, manage the compiled information, and produce an annual report for the governing body.

Ownership of Risks

A key element of RM is to allocate ownership of risks. This makes it much more likely that a problem will be addressed and rectified. The natural owner may be one individual, a group of individuals or a specific committee. The allocation should always be to a staff member of the College, even when the risk is generated outside the College. It is not usually difficult to determine who owns a risk. Acknowledging ownership is not the same as shouldering the entire burden of the risk: the owner should see himself or herself as the person in the best position to oversee the management of the risk. This may or may not

involve delegation to others, liaison with other bodies (internal or external), and coordination of the College's efforts.

Documentation and Reporting

It is worth considering what information to keep and what reports need to be generated. Different people may wish to review the information, including:
- The governing body.
- Senior management.
- Staff.
- Internal and external auditors.

One simple way to present the information, particularly for workshops, is in table format. The risk scores can later be summarized, for example by plotting them in a chart. Once the College's risks have been identified, the early warning indicators and mechanisms will need to be reported to the right group or person. The governing body or a particular committee may request information on certain risks and specify the frequency of reporting (figure-7).

Figure-7: Example of Risk Reporting - Health and Safety Committee

  Risk                   Contributing factors     Early warning indicators and mechanisms
  Laboratory accidents                            Incidents per month, labelled minor and major
                         Open fire doors          Monthly inspection figures
                         Explosive gas storage    Annual fire department inspection

These indicators and mechanisms are important to alert management that additional action needs to be taken with respect to a certain risk. Often early warning indicators and mechanisms have triggers and are used with exception reporting: for example, if the number of laboratory incidents in a month is above a certain level, the Health and Safety Committee is alerted and can then decide on the appropriate action.

Independent Assurance

How can continuity be assured, and how will the governing body know that the process is working effectively? This is a function that could usefully be undertaken by the College's Internal Audit (IA), given its specialized knowledge and independence. In doing so, IA could be guided by the College's RM philosophy and its knowledge of the College to validate the risk assessments. A report to the governing body would help give the assurance the latter needs for its disclosures. However, this would have resource implications for IA.

Training

Training can help embed the culture of RM and support the launch and continuation of the RM process. Risk awareness training is a helpful way of ensuring that management and other staff members understand the concept and benefits of RM. It brings the level of knowledge up to a common standard and can be used to embed a common language of risk, so that terminology does not become confusing. Training is also useful to support the RM process itself: if senior managers are confident and comfortable with the process, and understand how it benefits them, they are more likely to sustain it. One approach is to run an initial series of RM training sessions to get the majority of key staff on board. This will help ensure continuity and improve the quality of output.

Communication and Guidance

Supporting information at launch, and ongoing communication about RM, can help bring the initiative to life and encourage continuity. A quarterly RM bulletin highlighting emerging risks and changes in the management of certain types of risk can help keep the profile of RM high and maintain interest.

Annual Review

The need and focus for RM will change from year to year. An annual review is a good opportunity to reflect on the success of RM in the previous year and to recommend improvements for the forthcoming year. It will help ensure the process continually improves and delivers the expected benefits. The annual review might include:
- Reflection on the management of significant risks during the previous year.
- Any controls that failed during the year, and why.
- Unforeseen risks: why they occurred and why they were not previously identified.
- Changes to the external and internal environments that will change the risk profile.
- Risks expected to emerge during the forthcoming year.
- New controls that should be put in place.
- Changes or improvements to the process recommended for next year.

The annual review could be undertaken by the project owner or by internal audit, and its results presented to the governing body and senior management.

Embedding the Process

Embedding the RM process within existing processes has many advantages:
- RM is not seen as a separate process but as part of existing management practice.
- It reduces administration by using existing reporting procedures.
- It encourages continuity, as existing processes are less likely to fail.
- Practical aspects of RM are easier to see, thereby encouraging participation.

Examples of how to embed the process include:
- Sponsorship by the governing body.
- Annual risk identification and assessment undertaken as part of the business planning exercise.
- Personal objectives and appraisals that include a link to the management of certain risks.
- Emerging risks discussed and recorded at management meetings.
- Key risk indicators reported in monthly reports alongside other performance information.
- Follow-up on improvement actions by heads of departments or by internal audit throughout the year.

The annual review should also enable the governing body to reflect on the status of the process, which should help focus the minds of senior management.

EXHIBIT A - Risk Management Good Practice Assessment Checklist

Each task is answered Yes or No. Where the answer is No, the required action applies.

Task: Is risk clearly defined? (Yes/No)
Required action:
-Define what risk is
-Define the connection between risk and objectives

Task: Is risk appetite clearly defined? (Yes/No)
Required action:
-Define what risk appetite is
-Define how risk appetite is connected to strategy setting

Task: Is risk tolerance clearly defined? (Yes/No)
Required action:
-Define what risk tolerance is
-Define how risk tolerance is connected to the operational setting and to risk appetite

Task: Is RM clearly defined? (Yes/No)
Required action:
-Define what RM is
-Define what assurance RM provides at the strategic level

Task: Are the potential benefits an RM process provides identified and known by management and staff? (Yes/No)
Required action:
-Identify the potential benefits an RM process provides
-List these benefits and promote them to help acceptance of the process
-Identify what benefits your department wants to derive from RM

Task: Is control and mitigation action clearly defined? (Yes/No)
Required action:
-Define what control and mitigation action is
-Identify how control and mitigation action affect the impact and likelihood of a risk
-Identify the potential cost associated with control

Task: Is risk exposure clearly defined? (Yes/No)
Required action:
-Define what risk exposure is
-Define what acceptable risk exposure is
-Identify and promote what acceptable exposure is across the institution

Task: Has your institution developed a risk philosophy? (Yes/No)
Required action:
-Disclose the underlying approach to RM
-Define the role and responsibility of the governing body and senior management
-Give the process the authority to be sustained within the department's process structure

Task: Has an implementation plan been prepared? (Yes/No)
Required action: Prepare an implementation plan that includes answers to the following questions:
-Are you aware of the potential problems RM presents?
-How broad should the process be?
-Are there sufficient resources to implement and support the process?
-How will evidence be generated to support disclosure statements?
-Who will own the RM process?
-Should RM operate as a separate process or be embedded into your existing process structure?
-Will the academic staff support the process?

Task: Have the risk identification techniques been determined? (Yes/No)
Required action: Answer the following questions to determine the techniques and methods that best help you:
-Who should be involved?
-What techniques will be used: group or one-to-one interviews, questionnaires or desk-top review?
-What are the advantages and disadvantages of each technique?
-What risk categories best fit the department's risk culture?
-How will the identified risks be prioritized and explored?
-How will the risk contributing factors be identified and explored?
-How will the existing controls and mitigation actions be identified and assessed?
-How will the risk early warning indicators and mechanisms be identified and explored?

Task: Have the risk assessment methods been determined? (Yes/No)
Required action: Answer the following questions to determine the techniques and methods that best help you:
-What factors affect the choice of a risk assessment technique?
-Will the risk impact be assessed in a qualitative or quantitative way?
-Will the risk likelihood be assessed in a qualitative or quantitative way?
-What different types of impact will be considered during the assessment of a risk?
-What will be the key components of a qualitative or quantitative assessment method?
-What type of scoring sheets and tables will be used?
-How will the risk assessment be displayed and reported?
-What is the acceptable exposure for your institution?
-When is an improvement action to be taken?
-How will the reporting structure be designed?
-How will the final report be drafted and presented?

Task: Has the way to sustain the RM process within the department's process structure been determined? (Yes/No)
Required action: Answer the following questions to determine the techniques and methods that best help you:
-Who is the owner of the process?
-How will risk be presented and reported?
-Is there a need for training?
-How will information be communicated and shared?
-How will the annual review of the process be performed?
-Will the process be embedded in the department's processes, or will it be a standalone process?
-How will the entire process be assessed?


More information

ERM: Risk Maps and Registers. Performing an ISO Risk Assessment

ERM: Risk Maps and Registers. Performing an ISO Risk Assessment ERM: Risk Maps and Registers Performing an ISO 31000 Risk Assessment Agenda Following a Standard? Framework First Performing a Risk Assessment Assigning Risk Ownership Data Management Questions? Following

More information

Gleim CPA Review Updates to Business Environment and Concepts 2018 Edition, 1st Printing March 2018

Gleim CPA Review Updates to Business Environment and Concepts 2018 Edition, 1st Printing March 2018 Page 1 of 16 Gleim CPA Review Updates to Business Environment and Concepts 2018 Edition, 1st Printing March 2018 The content of BEC Study Unit 2, Subunit 2, has undergone extensive edits due to the 2017

More information

Capital Modeling Principles and Practices in the Insurance Industry

Capital Modeling Principles and Practices in the Insurance Industry North American CRO Council Capital Modeling Principles and Practices in the Insurance Industry 2013 North American CRO Council Incorporated chairperson@crocouncil.org October 2013 Acknowledgement The

More information

risk management ERM Roles & Responsibilities In Community Banks: Who is Responsible for What?

risk management ERM Roles & Responsibilities In Community Banks: Who is Responsible for What? risk management ERM Roles & Responsibilities In Community Banks: Who is Responsible for What? By: John Hurlock, President JohnHurlock@smarterriskmanagement.com Kelly Lutinski, National Director KellyLutinski@smarterriskmanagement.com

More information

Proposed International Standard on Auditing 315 (Revised)

Proposed International Standard on Auditing 315 (Revised) Exposure Draft July 2018 Comments due: November 2, 2018 International Standard on Auditing Proposed International Standard on Auditing 315 (Revised) Identifying and Assessing the Risks of Material Misstatement

More information

RISK MANAGEMENT POLICY

RISK MANAGEMENT POLICY RISK MANAGEMENT POLICY Originated by Audit Committee: 17 September 2008 Approved by Council: 6 October 2008 Revised: July 2017 Revised approved by Council: 27 November 2017 Review Date: June 2019 Purpose

More information

UNF Finance and Audit Committee January 15, 2013

UNF Finance and Audit Committee January 15, 2013 Item 7 UNF Finance and Audit Committee January 15, 2013 Issue Office of Internal Auditing Audit Planning Methodology Proposed Action Report Background Information The purpose of this item is to present

More information

King lll Principle Comments on application in 2013 Reference in 2013 Integrated Report

King lll Principle Comments on application in 2013 Reference in 2013 Integrated Report Application of King III Principles 2013 This document has been prepared in terms of the JSE Listings Requirements and sets out the application of King III principles by the Clicks Group. The following

More information

CORPORATE GOVERNANCE King III - Compliance with Principles Assessment Year ending 31 December 2015

CORPORATE GOVERNANCE King III - Compliance with Principles Assessment Year ending 31 December 2015 No N/A 1 Chapter 1 - Ethical leadership and corporate citizenship 1.1 The Board should provide effective leadership based on an ethical foundation 1.2 The Board should ensure that the Company is and is

More information

Road map for. March 19, Enterprise Risk Management USI Insurance Services National, Inc. All rights reserved.

Road map for. March 19, Enterprise Risk Management USI Insurance Services National, Inc. All rights reserved. Road map for Enterprise Risk Management March 19, 2018 2018 USI Insurance Services National, Inc. All rights reserved. Enterprise Risk Management (ERM) Roadmap ERM has come full circle in some ways. When

More information

The Corporate Governance Statement is accurate and up to date as at 30 June 2018 and has been approved by the board.

The Corporate Governance Statement is accurate and up to date as at 30 June 2018 and has been approved by the board. Rules 4.7.3 and 4.10.3 1 Appendix 4G Key to Disclosures Corporate Governance Council Principles and Recommendations Name of entity: Catalyst Metals Limited ABN / ARBN: Financial year ended: 54 118 912

More information

Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment ISA 315 (Revised) Issued September 2012; updated February 2018 International Standard on Auditing Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

More information

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Audit Committee March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note )

More information

Identifies the risk management structure, roles, responsibilities and authority of staff, committees and groups with responsibility for risk

Identifies the risk management structure, roles, responsibilities and authority of staff, committees and groups with responsibility for risk Title Description of document The sets out the process by which the Trust identifies, manages, reduces and mitigates risks to achieving the organisational objectives. It sets out the framework required

More information

4.5 discuss with the external auditor the auditor s judgments about the quality and acceptability of the Group s accounting principles;

4.5 discuss with the external auditor the auditor s judgments about the quality and acceptability of the Group s accounting principles; AUDIT & RISK COMMTTEE CHARTER Effective: 23 August 2018 Purpose 1. The Audit & Risk (Committee) Charter sets out the membership, responsibilities, authority and operation of the Audit & Risk Committee

More information

Moving from ISO 9001:2008 to ISO 9001:2015 Transition Guide

Moving from ISO 9001:2008 to ISO 9001:2015 Transition Guide ISO Revisions Latest update New and Revised Moving from ISO 9001:2008 to ISO 9001:2015 Transition Guide ISO 9001 - Quality Management System - Transition Guide Successful businesses understand the value

More information

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Audit Committee January 2018 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note

More information

PEFA assessment cycle overview 10 steps for planning, managing, and using PEFA

PEFA assessment cycle overview 10 steps for planning, managing, and using PEFA PEFA assessment cycle overview 10 steps for planning, managing, and using PEFA How to use this guidance Experience gained from more than 500 PEFA assessments demonstrates clearly that a well-planned and

More information

CHARTER OF THE BOARD OF DIRECTORS

CHARTER OF THE BOARD OF DIRECTORS SUN LIFE FINANCIAL INC. CHARTER OF THE BOARD OF DIRECTORS This Charter sets out: 1. The duties and responsibilities of the Board of Directors (the Board ); 2. The position description for Directors; 3.

More information