Identification, Assessment and Management of Risks
Risks will be identified, assessed, managed and reported by responsible officers. Risks will be assessed with reference to the University’s strategic objectives and priorities. One of the key objectives of undertaking a risk assessment is to differentiate minor and acceptable operational risk from major strategic and operational risks that require considered assessment and active management, and to provide data that assists in both the evaluation and treatment of risks.
Risk assessment requires consideration of the sources of risk, their likelihood and their possible consequences in the context of the control environment. Controls can affect the likelihood or probability of an event occurring as well as the extent of its consequences or impact. To assess risk adequately, the strengths and weaknesses of the controls also need to be assessed.
Step 1
Identify and clarify objectives
As risks are events that influence the achievement of strategic and operational objectives it is important to ensure that key objectives are defined.
Step 2
Identify risks
Risk can relate to any aspect of the University and should include those risks not under the direct control or influence of the University. Risks can be identified through brainstorming, recall of experience (including previous project outcomes), SWOT analysis and process mapping.
Step 3
Assess risks
A key objective of risk assessment is differentiating minor and acceptable operational risks from those major risks that require active management or intervention and to provide qualitative or quantitative data that assists in risk evaluation and determination of treatment strategies. Risks should be considered in the context of the existing control environment i.e. governance, legislation, policies, procedures, delegations and values.
Consequence and likelihood can be assessed against a risk matrix to provide an overall risk rating (see example risk matrices below).
Risk Matrix

| Likelihood \ Consequence | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Rare | L | L | M | H | H |
| Unlikely | L | L | M | H | E |
| Possible | L | M | H | E | E |
| Likely | M | H | H | E | E |
| Almost certain | H | H | E | E | E |

Low risk (L) – managed by routine activities
Moderate risk (M) – management responsibility should be specified
High risk (H) – senior management notified
Extreme risk (E) – immediate action
| Likelihood | Description | Strategic | Operational | Routine |
|---|---|---|---|---|
| Rare | May only occur in exceptional circumstances | Less than once in every 50 years | Less than once every 10 years | Less than once every 5 years |
| Unlikely | Could occur at some time | At least once in 20 years | At least once in 5 years | At least once in 3 years |
| Possible | Might occur at some time | At least once in 5 years | At least once per year | At least once per year |
| Likely | Will probably occur in most circumstances | At least once per year | At least once per quarter | At least once per month |
| Almost certain | Expected to occur in most circumstances | More than once per year | At least once per month | At least once per week |
Measures of Consequence

| Consequence | Reputation & Image | Financial Loss | Safety & Injury | Operation loss | Legislative compliance |
|---|---|---|---|---|---|
| Insignificant | Low impact, no media coverage | <$50k | No injuries | Minor or no damage to assets. Minor or no interruption to daily activities. | Compliant |
| Minor | News item with low impact or is unsubstantiated | $50k–$500k | Minor injuries/first aid required | Minor damage. Loss of operation no more than one day. | Minor breach of statute/regulation. |
| Moderate | Substantiated news item, moderate news profile with embarrassment | $500k–$10m | First aid and ongoing medical treatment. Probable lost time | Significant damage to assets. Loss of operation 1 day to 1 week | Formal warning from regulator |
| Major | Substantiated news item, high impact news profile with embarrassment, possible 2nd or 3rd party involvement | $10m–$100m | Extensive injuries/possible multiple injuries or single fatality | Major damage to assets. Loss of operation 1 week to 1 month | Suspension of activity and prosecution/financial penalty. |
| Catastrophic | Substantiated widespread news item, significant reputation damage, third party actions, impact on ability to achieve research and education strategic objectives | >$100m | Fatalities | Significant loss of assets. Loss of operations >1 month | Prosecution, financial penalty, cessation of activity |
Step 4
Responding to the Risk Assessment Outcomes
Not all risk requires detailed consideration or treatment. The objective at this step is to identify the most appropriate risk treatment options to obtain the preferred residual risk level. This may involve identification of all options, assessment of these options, preparation of risk management plans (area or project specific) and their implementation taking into account assignment of ownership and responsibility.
Responses to risk assessment may utilise some or all of the following strategies – Share, Transfer, Avoid, Accept, Reduce (STAAR). It is recognised that many risks cannot be avoided or practically and affordably reduced to a likelihood/consequence score of zero. However, whenever risk taking is deemed significant to the ‘local area’ and the broader University, it should be assessed, documented and approved by the appropriate delegate.
Step 5
Monitoring & Review
It should be recognised that risk causes and/or controls may change in terms of likelihood and consequence. Changes in risks and controls can occur as business models change. There should be at least an annual review of the operating environment (internal and external) to ensure risks are being adequately identified, assessed and managed.
Key Definitions
Risk appetite is simply defined as how much risk the University is prepared to take.
Risk assessment is the process of risk identification, analysis and evaluation.
Inherent risk refers to the level of risk that exists without the mitigating effect of controls.
Residual risk refers to the level of risk that remains after the mitigating effects of existing controls are applied.
Consequence is the outcome of an event that is expressed qualitatively or quantitatively.
Likelihood is the qualitative description of probability or frequency.
Risk controls are those elements of the organisation that support people within the organisation to achieve the organisation’s objectives. They include but are not limited to structures, governance arrangements, policies, delegations, processes and procedures.
Business Continuity is a limited return to business operations following a significant and disruptive natural or man-made event.
Risk types
Strategic – These risks relate to the overall objectives and long-term viability of the university. An example may include the ability to acquire adequate funding or the ability to maintain the integrity of the University’s reputation and relevance;
Business and operational – These are risks concerned with ‘day to day’ business practices that assist the University to meet its strategic objectives and would include risks associated with contract management, financial and asset management, stakeholder management (internal/external);
Enterprise–wide – These risks have a systemic focus such as knowledge and information management, HR management and facilities management;
Specialist - Relates to areas of risk that are often externally regulated and require specialist expertise but relate to the whole of the university. Examples would include OH&S, security and fraud.