Guideline - Risk Register

1. Introduction
The Risk Management Framework is a component of the Risk and Business Management suite. The suite
includes:

Risk Management including risk registers

Business Continuity Plans including business impact analysis
Emergency Response Plans
Health and Safety Plans

This document defines commonly used risk management terms and sets out the risk register format that
Victoria has adopted. This document should be read in conjunction with our Risk Management Policy and
provides a process to help us better manage and minimise the risks associated with our work.

All decisions involve risk management. Risk should be considered throughout the development and
implementation of any business process or project. Risk management is a structured and systematic
process which is part of business as usual (BAU). Managers need to consider the risk in delivering
business, how to manage that risk effectively through implementing strategies based on the amount of risk
the University considers is tolerable. This document broadly considers risk as anything that could prevent us
from achieving our goals or an outcome resulting in loss.

2. Definitions:

Risk 1
Is defined as the effect of uncertainty on objectives .

Risk is measured in terms of likelihood and consequence.

Raw Risk The risk before anything is done to mitigate or manage it, i.e. before controls are put in
place.

Residual Risk The risk faced after putting in place controls or mitigation actions.

3. Organisational Scope
All Managers are responsible for identifying, assessing and managing the risk within their areas of control
and for ensuring that appropriate risk management activities are functioning effectively.

4. Framework Content and Guidelines

The Risk Management Plan is made of four stages:

Identifying and managing risks - Risk Register;
Identifying key or priority risks Risk Report Summary;
Reporting and escalating risks at the appropriate time; and
Reviewing risk in an on-going cycle.

1
1. AS/NZS ISO 31000:2009 Risk management principles and guidelines

1
This document provides guidance on completing a risk register and the risk report summary. Managers are
required to report key risks to their managers and escalate as appropriate to SMT. This is a key component
of a managers responsibilities. For guidance on the formal reporting cycle refer to the Risk Management
Programme: Operational Risk.

4.1 Identifying and Managing Risks Risk Registers

Risks are identified and assessed on a risk register. Appendix 3 contains a sample risk register using the
Universitys standard template. Copies of blank templates are available from Safety and Risk (email
safety@vuw.ac.nz).

4.1.1 Identifying risks

Risks are identified through environmental scanning (keeping ourselves updated on our operating
environment), planning processes, major projects, investigating incidents (risk assessment and mitigation
actions are essential elements), internal monitoring (regular audit and inspection) and throughout the change
management process. Managers should identify sources of risk, their causes and their consequences.

Managers should consider all sources of and contributors to risk associated with delivery of their business.
From this we can determine the effect on our objectives from uncertainty associated with these factors.
Consideration should be made of factors including:

Health & Safety

Service delivery
Legal and regulatory
Finance
Reputation
Adverse media coverage
Environmental impact
Product quality
Human Resources
Information

4.1.2 Assessing the effects

Risks are assessed by considering the consequences of an event and the likelihood of the outcome
occurring. The risk assessment is carried out by the manager responsible for the work area or process being
assessed.

The table in Appendix 1 provides guidance for calculating risk levels.

The likelihood scale is based on the event occurring in the next year. This process provides information to
help us decide whether the risks need to be treated and the most appropriate control .

4.1.3 Managing risk controls and assurance

Victoria University has developed an integrated assurance framework to bring together mitigating practices
such as the reporting framework, statutes, policies, procedures, and guidelines or physical controls that the
University uses to govern its work. This approach provides clarity over any areas where there is an
assurance gap, helps to avoid duplication, and focuses assurance on strategic drivers and initiatives.

Further internal controls that support the management of risk are business continuity plans, emergency
response plans, health and safety plans and internal audit and academic reviews. The Universitys policies
are kept current and indexed by function in an accessible, well-maintained website and an internal audit
reviews the effectiveness of the internal control system within the University. Independent audit is also
carried out in line with our ACC workplace H&S accreditation.

Managers should implement their own assurance programme to check the risk controls in their areas and
develop a realistic actionable mitigation plan for each major risk including whether/how a risk is currently
managed , such as business as usual (BAU) processes or other internal controls already in place. It is
important that, where possible, mitigations dovetail with existing plans.

The impact of all mitigating actions and sources of assurance are considered before calculating the residual
risk. Therefore, theoretically, either likelihood or consequences or both likelihood and consequences of risk
can be reduced. It really depends on the nature of the risk, the underlying subject matter and what specific
treatment plan or controls have been identified. If a control system has been listed but is not performing as
well as originally intended, then the managers mitigation plan will include the improvements to
implementation, application or structure of the risk control in this case.

2
Examples:
1. The risk of key university systems and processes being immobilised or disrupted in the event of an
earthquake.
Control: An effective business continuity and disaster recovery plan.
Comment: This does not reduce the likelihood of an earthquake occurring, but it does reduce
the impact on essential operations.

2. The risk of the University not complying with key legislation.

Control: A robust legislative compliance framework which clearly identifies key legislation and
ensures there are processes.
Comment: It may not however, be able to influence the impact if non-compliance was to occur.

3. The risk that VUW staff incur expenditure that is not in line with University goals.
Control 1: Systems that enforce segregation between purchase order creation and approval.
Comment: This reduces the likelihood of such expenditure occurring.

Control 2: Systems that require sign-off from appropriate staff depending on the value of the
transaction, e.g. delegated financial authorities.
Comment: This reduces the impact, i.e. dollar value, of the risk.

Both controls working in combination (fairly typical in most financial systems) will reduce both
the likelihood and impact of the risk.

The table in Appendix 2 provides managers with guidance on how to evaluate the effectiveness of risk
controls. The controls are ranked level 1 3. A level 1 control is the most robust. A level 3 control is
the least robust. Managers should consider also how well the control (already in place) is implemented
or complied with. For example if a procedure is listed as part of the control mechanism but our audit
process identifies that it is not complied with, the control is considered to be weak, therefore the
manager will not reduce the assessed risk value significantly. A mitigation plan should be developed to
address poor compliance.

If multiple controls are in place and a good level of compliance is verified by our audit process, then the
control effectiveness is considered to be robust and the manager can reduce the residual risk.

4.2 Identifying Key or Priority Risks - the Risk Report Summary

Once the register has been complete, the risks should be populated in a risk heat map using the
residual risk rating and identifying the risk by a numeric record number. The manager should review the
heat map and provide a report summary to their manager on the following basis:
Identifying high and key risks
Assessing the level of effectiveness of controls;
Identifying issues or areas for improvement; and
Making recommendations for improving the controls or addressing the risk in some other way.

A sample heat map is attached in Appendix 4.

A sample Risk Report Summary is attached in Appendix 5.

The Risk Report Summary must be reviewed and provided to line managers at least once a year, and at
any other time should the risk rating change significantly or when new key risks arise, or when the
environment and other contextual changes occur. For further guidance refer to the Risk Management
Programme Operational Risk.

3
 Appendix 1 Table for assessing risk levels

Likelihood Consequence Risk

(Likelihood x consequence)
1 Very low 1 Insignificant. 15 Very low
Extremely unlikely Consequences are very low, minor Manage within existing controls.
Less than 5% chance of occurring disruption. Monitor annually

2 Low 2 Minor 6 10 Low

Unlikely Losses may disrupt services for a Manage within existing controls.
5% - 25% chance of occurring short period. Financial losses may Monitor 6 monthly
be in the region of $10,000
Disruption to a single area of the
business.
3 Medium 3 Moderate 11 15 Medium
Possible Service lost for period 1 5 days. Evaluate efficiency of existing
25%-60% chance of occurring Financial loss $10,000 - $100,000. controls.
Internal event review required. Develop and implement additional
Moderate injury equivalent to staff control mechanisms
requiring time < 5 days away from Monitor quarterly
work. Adverse media coverage for
1 day.
4 High. 4 Serious 16 20 High
Likely. Service lost for period exceeding 1 Implement mitigation plan
60% - 80% chance of occurring week. Financial loss $100,000 Escalate/report to senior
$1M. management
Adverse media coverage for 1 Monitor monthly
week. Internal investigation or by
an external source/regulator. Staff
contractor or visitor suffers serious
injury.
Impact to multiple and diverse
areas of the business. Significant
senior management intervention
required including external
assistance.
5 Very high. 5 Very serious Over 20 Very high
Almost certain. Significant resources required to Implement mitigation immediately
80%-100% chance of occurring recover from impact. Legal Escalate to senior management
consequences resulting in Monitor weekly
prosecution. Financial loss >$10M.
Staff, contractor or visitor involved
in a fatal event. Adverse media
coverage for an extended period.
Complete loss of service delivery
affecting all VUW critical functions.
Immediate SMT and Council
intervention required.

The values identified above for financial loss reflect those which may be experienced at an organisational level.
Divide the value by 10 for potential losses at directorate, school or service level.

4
Appendix 2 - Table for assessing controls

Control level Example of control mechanism

1 For H&S, substitute with alternative equipment, substance.
Off site storage (data files)
Back up equipment/assets E.G. multiple servers, generators
Fire prevention E.G. appropriate materials, good housekeeping
Management/supervision
2 Maintenance regime, programmed inspection.
Fully enclose process, guarding, fencing, locked doors
Policy, procedure, guideline
Technical/industry standards
Contract
Training/ development programme
Competent staff
Specialist advice (internal & external)
IT data storage & retrieval systems
Business/service planning
Alternative suppliers
Fire detection equipment
Communication with stakeholders
Recruitment and selection processes
Approval process
3 Information
Warn signs
Personal protective equipment
Monitoring
CCTV
Key performance indicators
Contract monitoring
Compliance with risk controls should be measured with audit processes.

5
Appendix 3 - Sample Risk Register

Risks Residual Risk (RR)

Raw Risk
numbered (after mitigation actions and
1= lowest 5=highest
for Risk description controls)
Risk Consequences Mitigations/contro Sources of
reference
ls Assurance
and Raw
Likelihood Consequence L Consequence RR
mapping Risk
(L) 1-5 (C) 1-5 1-5 1-5 (L x C)
(L x C)
1 Unable to deliver classes Up to $100,000 in repairs 3 3 9 Building Supplier 2 3 6
due to building services to services and other maintenance audit
Financial failure losses programme
Planned
Early notification general
fault reporting inspection
process process

Alternative venue
(BCP)

SAM plan

2 Failure to adhere to Cancellation of 4 4 16 Maintenance Contract 2 4 8

maintenance programme experiments or classes programme management
Service resulting in unreliable impacting tutorial protocols.
delivery laboratory equipment programme and delayed Pre use
research projects inspection
process

Fault reporting
process

Spare equipment

Programming of
classes

6
3 Failure to comply with H&S Staff serious injury, lost 5 4 20 Staff training Planned 2 4 8
practices correct storage time, prosecution by DoL general
H&S and handling when using and environmental Bunding inspection
chemicals damage
Appropriate H&S Audit
storage
Linked to
Information SDS hazard
register
Product labelling

Supervision

Written
procedures

Personal
Protective
Equipment

Fume extraction
(LEV)

Hazard
assessment

4 Loss of essential Unable to access data or 3 3 9 Maintenance System tests 2 3 6

information due to IT failure provide regime and auditing
Reputation reports/information to data
external Systems backed protection
regulators/stakeholders. up and systems
Unable to monitor information stored
performance off site

5 The project delivery is Project overrun resulting 5 4 20 Project manager Audit of 3 4 12

delayed in excess of $150,000 in appointed project
Finance additional rent or hire controls
payments Project planning

7
 process

Contract
monitoring

Contract
identifying
timeline and
penalties

6 Unable to provide secure University premises not 4 4 16 Equipment 3 4 12

campus due to unavailability secured due to servicing
Service of security equipment on inoperative electronic
delivery demand security equipment. Theft, Early notification
unauthorised access. fault reporting
system

Software upgrade

Manual lock up
when electronic
system fails

Security patrols

7 Electronic monitoring Unable to monitor 3 3 9 Equipment 2 3 6

equipment unavailable on premises resulting in servicing
Service demand potential for
delivery loss/theft/vandalism Regular
monitoring

Early notification
fault reporting

Security patrols

8 Reliance on contractors to Lower level of institutional 3 5 15 Robust contract Supplier 2 5 10

provide essential services knowledge resulting in management audit
Service inflexible models of

8
delivery service delivery. processes

Loss of Alternative
institutional/corporate suppliers
knowledge

9 Breach of building act Delay to project and 4 3 12 Project manager Supplier 2 3 6

prosecution in place audit
Legal &
regulatory Adherence to Contract
building evaluation
standards process

Legal advice

Contract
management
processes

10 Poorly presented high Media coverage resulting 4 4 16 Advice and 2 4 8

profile event in poor reports in national management
Adverse press publications and from VUW
media national TV Communications
coverage team.

Communications
protocols

Operations team
providing security
plan and security
staff.

11 Inaccurate information Poor performance when 4 5 20 NZQA Regulators 2 5 10

presented during a lecture graduate leaves VUW inspections
Product or incorrect instructions and is employed in TEC standards and audit
quality given when using industry.
equipment Regulators and
industry

9
 Also poor reputation standards

Recruitment and
selection

Professional
indemnity
insurance

12 Poor student experience Student unable to 3 4 12 Course manager 2 4 8

due to course material not continue with course appointed.
Product available due to bad because of poor
quality planning performance Electronic
information/media
systems available

Personal/group
tutors appointed

13 Poor student experience Students unable to 4 5 20 Marketing 2 5 10

due to inadequate access courses
Reputation information/administrative Study at Vic day
systems. Courses not
properly marketed. Conferring
ceremony

Student
recruitment
process

14 Loss of funding from Unable to run Post 4 5 20 NZQA Regulators 2 5 10

external agencies for Graduate programmes. inspections
Finance research because of Also impacting upon TEC standards and audit
inability to produce high VUW reputation. Unable
calibre Post Graduates. to service premises in Regulators and
which to deliver industry
programmes. standards

Recruitment and

10
 selection process

Continuous
professional and
technical
development

15 Unable to deliver quality Unable to deliver and 4 5 20 Staff support PDCP 2 4 8

services due to our inability support high quality
HR to attract and retain high teaching programmes Staff
calibre staff development

Recruitment and
selection

Succession
management
programmes

Communication
and news letters

11
Appendix 4 Sample Heat Map

Record the reference number of the risk on the risk heat map, using the residual risk value.

811,13,14
5

2, 5,6
4 3,10,12,15

1,4,7,9
3

Consequence 2

1 2 3 4 5

Likelihood

12
Appendix 5 Sample Risk Report Summary

Risk Report Summary - Campus Operations: Safety and Risk

1. Introduction
This risk report summary is part of the Campus Services process for managing our risks. The report provides a
description of risks and management activities within the directorate, more specifically the Safety and Risk Unit of
Campus Operations. The summary relates to the risks and controls associated with some aspects of the
management of our building security/emergency arrangements particularly those which occur outside of office
hours.

This risk report serves the following important functions:

Records and identifies the base line for risk management activities
Identifies problems and successes in risk management activities
Provides an input for informed decision making
Analysis of the effectiveness of various risk control mechanisms
Describes and defines a plan of action for implementing improvements
Provides a mechanism for escalating risks where a manager does not have the delegated authority to
act or implement certain risk reduction methodologies

2. High or Priority risks

The highest risks assessed within this site specific assessment are described below.

PROVIDE A DESCRIPTION OF THE SITE SPECIFIC RISKS CLARIFYING WHY THE RISK IS HIGH EG.

The Fire Safety & Evacuation of Buildings Regulations 2006 requires:

3. Details of the High or Priority Risks

The highest assessed risks recorded on the risk register associated with this summary are as follows:

LIST THE RISKS AND THE RISK RATING

4. Recommendations

LIST THE RECOMMENDED ACTIONS

13