Advisers to Growing Businesses
RISK MANAGEMENT
Central Queensland University
November 2006
BDO Kendalls’ Role – 2002/3
• Guidance to the University in establishing Risk Management Policy and Process Framework
• Deliver training to key management groups
• Facilitate process implementation workshops
• Provide feedback, information and outcomes to Risk Management Committee
• Management own the process and its key elements
• Key decision making remains with the University
Why Risk Management?
• CQU is committed to a comprehensive and systematic approach to effective management of potential opportunities and adverse threats
• Risk management is a key element in improving CQU’s business and services to assist in achieving its objectives
• CQU aims to achieve best practice in controlling risks which may impact its business
Why Risk Management?
Statutory Requirements
• Financial Management Standard: “The University must protect itself from unacceptable costs or losses associated with its operations.”
• Workplace Health & Safety Act 1995: Imposes obligations on people at the workplace to ensure workplace health and safety
• AUQA
• Common Law Duty of Care
What is Risk?
The exposure to the possibility of something happening that will have an impact on the University’s organisational objectives
Objectives: Financial and Non Financial
Elements of Risk
Risk arises out of uncertainty and has two elements:
1. Frequency / likelihood of something happening
2. Severity / impact of the consequences arising from the event.
Risk Management Is …
• Culture and process
• Systematic application of management policies, procedures and practices
• Effective management of opportunities and threats
• Establishing context
• Identifying
• Analysing
• Assessing
• Treating
• Monitoring
• Communicating
Risk Management is Not …
• Just accounting controls
• Another name for insurance
• About creating risk averse management
• A label to hide inadequate analysis when something goes wrong
• A green light for careless enthusiasm
• An opening for ‘risky management’
Risk Management Objectives
• Structured basis for strategic planning
• Enhance governance and corporate management processes
• Discharge statutory responsibilities
• Practical framework for decision making
• Protect against unacceptable costs/losses
• Minimise missed opportunities
• Safeguard assets (including people)
University’s RM Objectives
• Implement RM across all areas of the University in accordance with best practice guidelines
• Integrate RM into the management culture of the University
• Foster an environment where staff assume responsibility for managing risk
The Process to Date …
1. CQU Risk Management Policy promulgated
2. Risk Management Committee and Terms of Reference Established
3. Workshop to identify Key Risk Categories
4. Policy Framework and Guidelines established
5. Templates:
- Risk Mgt Standards
- Risk Records
- Risk Treatment Plans
- Risk Register
6. Pilot Launch – Health Safety and Security Key Risk Category
The Process to Date …
7. CQU Risk Management Workshops conducted, identifying risks and treatment plans
8. Risk Management Committee and Terms of Reference Established as sub-committee of Audit Committee
9. Significant change and restructure
10. AUQA Audit and Report
11. Risk Management Committee rolled into Audit Committee
12. Risk Management Software acquired
13. Re-launch of Risk Management to Senior Management
Key Risk Categories
1. Corporate Governance & Compliance
2. Financial and Commercial
3. Operations
4. Student
5. Health, Safety & Security
6. Human Resources
7. Data & Information Technology
8. Reputation
9. Asset Maintenance
10. Environmental
Risk Management Process
AS/NZ 4360
(Refer Frame 1)
Establishing Context & Framework
Identify Internal and External Stakeholders
• Internal and external decision makers
• Individuals directly and indirectly affected by decisions, actions and inactions
• Unions, staff groups
• Community groups
• Statutory regulators (health, safety, environmental etc)
• Politicians (all levels of govt) with electoral or portfolio interest
• Non government groups
• Users and suppliers of services and facilities
Establishing Context & Framework
Purpose of stakeholder analysis is to provide decision makers with a documented profile of stakeholders to better understand needs, issues and responsibilities
Framework and Stakeholder Mix subject to constant change
Consultation and review process must be continuous and recurrent in the Risk Management process
Identifying Risks
• Aim to identify risks to be managed
• Comprehensive identification critical
• Potential risk not identified at this stage is excluded from further analysis
• Identification should include all risks whether or not they are under the University’s control
Identifying Risks
Possible Methods of Identifying Key Risks
• Audits & physical inspections
• Brainstorming
• Decision trees
• Examination of local or overseas experience
• Expert judgment
• History, incident reports
• Interview, focus group discussions
• Scenario analysis
• SWOT analysis
• Surveys, questionnaires etc…
Identifying Risks
Possible Sources of Risk
• Commercial relationships
• Legal relationships
• Custody
• Management activities and controls
• Natural events
• Political/legal
• Occupational health and safety
• Personnel/human behaviour
• Property/facilities
• Public liability
• Security
• Socio-economic
• Etc …
Identifying Risks
Documentation of this step
• For a small process this step may be documented by a simple tabulation
• More detailed documentation may be required for larger processes
• List each risk and classify, eg functional groups, exposure profiles etc
Analysing Risks
CONSEQUENCES AND LIKELIHOOD
• The magnitude of consequences of an event, should it occur, and the likelihood of the event and the associated consequences, are assessed in the context of no existing controls
• Consequences and likelihood are combined to produce a level of risk
Analyse LIKELIHOOD considering:
• How often situation occurs
• How many operations/people exposed
• Skills/experience of people exposed
• Special characteristics of people exposed
• Duration of exposure
• Proximity of hazard to people exposed
• Distractions
• Quantity of materials or multiple exposure points involved
• Environmental conditions
• Condition of facilities, equipment
• Effectiveness of existing control measures
Analysing Risks
Analyse EXISTING CONTROLS considering:
• Do controls represent good practice?
• Are controls minimising exposure to risks?
• Do stakeholders know about controls?
• Are there adequate systems and procedures in place to support controls?
• Is there adequate training/supervision in relation to controls?
• Is there adequate maintenance of controls?
• How easy is it to use, or work with, controls?
Analysing Risks
Analyse CONSEQUENCE considering:
• Potential for “chain reaction”
• Concentration of risk exposures
• Direct/indirect financial impact
• Fines, penalties, rectification costs
• Other regulatory impact
• Business interruption
• Position of stakeholders relative to exposure
• Human impact
Analysing Risks
TOOLS FOR ANALYSIS
Qualitative Methods Used:
• Where level of risk does not justify time and resources for numerical or detailed scientific analysis
• For initial screening of risks
• Where numerical data inadequate
• Valuable when analysis shared across range of people, backgrounds & interests
Analysing Risks
TOOLS FOR ANALYSIS
Semi-Qualitative Methods
• Allocates a qualitative word ranking (high, medium or low) to likelihood (eg Almost Certain – Rare) and consequence (eg Extreme – Insignificant)
• Rankings are shown against a word scale for ranking the level of risk (eg V.High – V.Low)
• Avoid overcomplicating analysis. Relatively straightforward methods can be effective
• Method, rationale and results should be documented
Evaluating and Ranking Risks
Risk evaluation involves comparing the level of risk determined during analysis with previously established criteria
Decides whether risks are acceptable or unacceptable
Output of risk evaluation is a prioritised list of risks for further action (ranking)
Evaluating & Ranking Risks
Acceptable and Unacceptable Risk
• Consider:
- Degree of control over risk
- Cost impact, benefits and opportunities presented by risk
- Significance of risk & importance of policy, program, process or activity
• Risk may be accepted if consequence & likelihood is consistent with established criteria
• Acceptance may follow risk reduction measures
• Regularly review and monitor for changing circumstances
• Process and rationale should be documented
Evaluating & Ranking Risks
Reasons a risk may be accepted:
• Level of risk so low that specific treatment not appropriate within available resources
• Cost of treatment is so excessive compared to benefit that acceptance is only option
• Opportunities presented outweigh threats to such a degree that risk is justified
• No treatment is available
Evaluating & Ranking Risks
Unacceptable risks:
• Risks not considered acceptable are those which will be treated in some way
• These are prioritised for subsequent management action as a component of the management’s and the University’s Risk Action Plans and Risk Register
Risk Treatment
Risk Treatment involves:
• Identifying and considering the range of Options for Treatment
• Assessing those options
• Preparing Risk Treatment Plans
• Implementing Risk Treatment Plans
Risk Treatment
OPTIONS to Manage the Risk
• ELIMINATE the risk
• TRANSFER the risk
• PREVENT or MINIMISE the consequences and/or likelihood of the risk
- Substitution
- Redesign
- Isolation
• RETAIN the risk - when exposure is not or cannot be minimised by other means:
- Eg Administrative controls
- Eg Personal protection
(Refer Frame 4 – Risk Treatment Process)
Risk Treatment
Preparing Risk Treatment Plans
• Plans document how chosen options will be implemented
• Plans identify:
- Responsibilities
- Schedules
- Expected outcome of treatments
- Budgeting, Performance measures
- Review, assessment and monitoring processes
Risk Treatment
Implementing Risk Treatment Plans
• Developing Standards and Procedures
• Communicating
• Training and instruction
• Supervision
• Maintenance
Risk Treatment
Monitoring and Reviewing Risk Treatment
• Chosen controls have been implemented as planned:
- Are chosen controls in place?
- Are controls being used?
- Are controls used correctly?
• Chosen controls are working:
- Have changes made to control exposure resulted in planned outcome?
- Has exposure to risk been diminished or adequately reduced?
• Are there any new problems?
- Have implemented control measures resulted in introduction of new problems?
- Have implemented control measures resulted in worsening of existing problems?
Documentation
Each stage of the Risk Management Process should be documented:
• Demonstrate the process
• Evidence of systematic process
• Record to develop risk database
• Provide decision makers with RM plan for approval and implementation
• Accountability mechanism and tool
• Facilitate continuing monitoring and review
• Provide audit trail
• Share and communicate information
Documentation
Risk Register
Risk Management Standards for Specific Risk Category
Responsibility
• For RM to be effective it must be implemented by every person within the organisation
- Council, VC, DVC, Directors, Deans, HODS, Line Management, Staff, Students and 3rd Parties
• RM is not just the responsibility of management
• RM must become an integral part of the University’s culture
Managing Risk
• Managing risk means forward thinking
• Managing risk means responsible thinking
• Managing risk means balanced thinking
• RM provides a framework to facilitate more effective decision making
• RM is all about maximising opportunity by managing risk
Contact
Daniel Nolan
Acting Internal Audit Manager
Extension 6932