
Risk Policy and Risk Management Procedures

The University's Risk Policy sets out the University's approach to risk and its
management, together with the means for identifying, analysing and managing risk
in order to minimise its frequency and impact.

The risks considered significant to the ability of UWE to achieve its objectives are
set out in the Corporate section of the Risk Register, which incorporates actions for
dealing with those risks.

The Corporate section of the Risk Register is monitored by the Vice-Chancellor's
Executive on a monthly basis and is updated by nominated groups to take account
of the changing environment and circumstances.

UWE Risk Management Policy and Corporate Risk

Table of Contents

Introduction and Implementation of Risk Management 3

Risk Policy
Aims of the Policy 4
Approach to Risk Management 4
Roles and Responsibilities 5
Risk Management 5
Reporting Framework 6
Risk and Internal Control 7
Annual Review of Effectiveness 8

Risk Management Procedures 9

Corporate (Strategic) and Faculty/Service (Operational) Risk Management
Project Risk Management 11


Risk is present throughout an organisation, in its buildings, equipment, policies, systems, processes, staff,
students and visitors. The University recognises that the management of risk is vital to good management
practice. It must be an integral part of all the functions and activities of an organisation.

The purpose of the University's Risk Policy is to develop a consistent approach towards risk across the
institution and to outline processes for recognising, analysing and dealing with risks, as well as assuring the
effectiveness of the identified processes.

The Risk Policy is designed to enable UWE to minimise the frequency and effect of adverse incidents arising
from risks and to identify improvements in procedures and service delivery in order to ensure the efficient
and effective use of public funds.

The management of risks includes the culture, processes and organisational structures, which contribute to
the effective management of potential opportunities, threats and adverse incidents.

Implementation of Risk Management

Overall responsibility for risk management within UWE lies with the Vice-Chancellor, with responsibility for
implementation delegated to the Deputy Vice-Chancellor (Operations).

The University's Memorandum of Understanding with the Funding Council requires governing bodies to take
reasonable steps to ensure that there are sound arrangements for risk management, control and
governance, and for economy, efficiency and effectiveness (value for money), within the HEI.

The Audit Committee is a committee of the Board of Governors and has responsibility for assessing the
effectiveness of risk management.

The Audit Committee reports on the arrangements for risk management to the Board of Governors.

Risk Policy
1. Aims of the Policy

1.1 To outline the University's underlying approach to risk assurance;

1.2 To document the roles and responsibilities of the Board of Governors, the Vice-Chancellor's
Executive and other key committees and individuals;

1.3 To outline key aspects of the risk management process;

1.4 To identify the main reporting procedures.

2. Approach to Risk Management

2.1 The definition of risk adopted by the University is twofold:

2.1.1 Threat - An uncertain event which, if it were to occur, would have a material negative
effect on the likelihood of achieving University, Faculty, Service or project objectives.

2.1.2 Opportunity - An uncertain event which, if it were to occur, would have a favourable
and advantageous effect on the likelihood of achieving University, Faculty, Service
or project objectives.

2.2 Risks are linked to objectives which exist on different planes:

2.2.1 Corporate/strategic risks that affect the institution as a whole;

2.2.2 Faculty & Professional Service/Operational risks that are predominantly related to
the operation of specific areas of the University;

2.2.3 Project/programme risks associated with independent and, usually, time limited

2.3 The University accepts that total elimination of risk is neither desirable nor achievable. It
expects managers to take all reasonable steps to mitigate risk. The level of risk accepted
should be commensurate with the expected reward. In overall terms it is looking to achieve
a balanced risk portfolio at the University level with net risk averaging out at medium using
the scoring system illustrated within section 5.

2.4 The following key principles outline the University's approach to risk and internal control:

2.4.1 the Board of Governors has responsibility for overseeing risk management within
the University as a whole;

2.4.2 the approach adopted to identifying and mitigating risk is an open one, receptive to
input from all Governors and staff at all levels;

2.4.3 the Vice-Chancellor's Executive supports, advises and implements policies
approved by the Board of Governors;

2.4.4 the University makes conservative and prudent recognition and disclosure of the
financial and non-financial implications of risks;

2.4.5 significant risks will be identified and monitored on a regular basis;

2.4.6 risks will be identified through the academic and executive Governance structures
and will be managed at a variety of different levels of the University;

2.4.7 the University will adopt standard reporting processes and frameworks.

3. Roles and Responsibilities

Role of the Board of Governors

3.1 The Board of Governors has responsibility for the oversight of the management of risk, part
of which it may delegate to its Audit Committee.

3.2 Through approving the Risk Policy the Board of Governors sets the tone and influences the
culture of risk management within the University. This includes determining:

3.2.1 whether the University is risk taking or risk adverse as a whole or on any relevant

3.2.2 the risk appetite of the University;

3.2.3 what types of risk are acceptable and which are not;

3.2.4 the standards and expectations of staff with respect to conduct and probity in
relation to risk management;

3.3 The Board of Governors is also responsible for:

3.3.1 determining the appropriate level of risk exposure for the University;

3.3.2 taking major decisions affecting the University's risk exposure;

3.3.3 monitoring the management of the most significant corporate risks;

3.3.4 assuring itself that risks identified across the University are being actively managed,
with appropriate controls in place which are working effectively;

3.3.5 biennially reviewing the University's Risk Policy to ensure it remains fit for purpose.

Role of the Vice-Chancellor's Executive

3.4 The key roles of the Vice-Chancellor's Executive are to:

3.4.1 maintain the risk registers for which they are responsible;

3.4.2 implement policies on risk management within the areas for which they are

3.4.3 through the Vice-Chancellor's Executive Group, identify and evaluate the significant
risks faced by the University for consideration by the Board of Governors;

3.4.4 provide adequate information in a timely manner to the Board of Governors and its
committees on the status of risks and controls;

3.4.5 undertake an annual review of the effectiveness of the system of internal control and
provide a report to the Audit Committee;

3.5 The Vice-Chancellor has delegated day to day responsibility for risk management to the
Deputy Vice-Chancellor (Operations).

4. Risk Management

4.1 The objective of risk management is to actively support the achievement of the University's
agreed objectives and not simply to avoid risk.

4.2 Control of risks generates direct costs and opportunity costs. Risk management involves
determining the acceptable level of exposure to risk which enables the achievement of
University objectives whilst achieving a balance between the level of risk exposure and the
cost of mitigating actions. Risk management is a process which provides assurance that:
4.2.1 objectives at all levels are more likely to be achieved;

4.2.2 damaging events are less likely to occur;

4.2.3 beneficial events are more likely to occur.

5. Reporting Framework

5.1 The University uses a single SharePoint based Risk Register which delivers a consistent
format whilst allowing for different views of the information.

5.2 Risks will be categorised as preventable, strategic or external. The category of risk will assist
in determining the appropriate method of managing the risk.

5.3 Risks will be assessed using two elements: impact of the risk occurring and the probability of
occurrence. Each element will be assessed on a 5 point scale.

5.4 The impact of a risk occurring is likely to affect the cost, quality or timeliness of the
activity. The impact of a risk will be determined by the highest score received on the
matrix below.

Impact matrix (Financial / Quality / Time):

Impact rating 1
- Financial: Financial implications of the risk are very low and are comfortably within the ability of the risk owner to manage.
- Quality: The impact on quality is very low. Risk occurring would represent a minor revision to planned outcomes.
- Time: The impact is very low. It will have little effect on timescales.

Impact rating 2
- Financial: Financial implications of the risk are low (<10% of the budget or Faculty/Service turnover). It remains within any contingencies set.
- Quality: The impact on quality is low. Risk occurring would detract slightly from the desired quality of the outcomes.
- Time: The impact is low. It may delay one or more elements of the activity but not the overall timescale.

Impact rating 3
- Financial: Financial implications of the risk are medium (10% - <25% of the budget or Faculty/Service turnover). It may exhaust or be larger than contingencies made but can be managed without additional funds.
- Quality: The impact on quality is medium. Risk occurring would detract from the desired quality of the outcomes but not detract from the overall purpose of the activity.
- Time: The impact is medium. The overall timescale is slightly extended but it is unlikely to materially affect desired outcomes.

Impact rating 4
- Financial: Financial implications of the risk are high (25% - <50% of the budget or Faculty/Service turnover). It is not possible to meet the cost within the approved budget and further funding would be required.
- Quality: The impact on quality is high. Risk occurring would significantly detract from the original desired quality of the outcomes and may reduce the viability of the activity as outcomes require revision.
- Time: The impact is high. Timescales are greatly extended. Outcomes may be later than required in order to obtain maximum benefit.

Impact rating 5
- Financial: The impact on finance is critical (>50% of the budget or Faculty/Service turnover). Increased cost would negate the benefits of the activity and may destabilise the reporting unit.
- Quality: The impact on quality is critical. Risk occurring would reduce the quality of desired outcomes to such an extent that it negates the benefits of the activity.
- Time: The impact is critical. Extended timescales mean that outcomes would be too late and negate the benefits of the activity.

5.5 Members of the Vice-Chancellor's Executive and Project Sponsors are responsible for
determining the impact of the risks for which they are responsible, using the framework
provided in 5.4 as a guide.

5.6 The assessment of the probability of a risk occurring is standard across the University:

Probability Score - All Risks

1 Highly unlikely to occur (< 20% probability)
2 Unlikely to occur (20% - <40% probability)
3 Likely to occur (40% - <60% probability)
4 Very likely to occur (60% - <80% probability)
5 Extremely likely to occur (> 80% probability)

5.7 Risks will be scored before and after mitigating actions and at each point of scoring the total
risk will be the multiple of the two elemental scores:

Impact:         1    2    3    4    5
Probability 5   5   10   15   20   25
Probability 4   4    8   12   16   20
Probability 3   3    6    9   12   15
Probability 2   2    4    6    8   10
Probability 1   1    2    3    4    5

5.8 Mitigating actions are controls and actions taken to reduce the likelihood of a risk occurring,
or to limit the impact of the risk. Risk exposure is the net risk after all mitigating actions or
factors have been taken into account.

5.9 The risk register also captures:

5.9.1 the deadline for mitigating actions to be implemented (or embedded) by;
5.9.2 leading edge indicators which may signal that a risk is increasing or decreasing in
response to mitigating actions;
5.9.3 assurance mapping so that Managers can demonstrate that mitigating actions are
both being implemented as designed and delivering the desired effect. The
assurance mapping can be used to further test the assumptions of risk owners.

6. Risk and Internal Control

6.1 The system of internal control is designed to manage and mitigate rather than eliminate the
risk of failure to achieve policies, aims and objectives. It is based on an ongoing process to
identify the principal risks to their achievement, to evaluate the nature and extent of those
risks and to manage them efficiently, effectively and economically.

6.2 Related to significant risks are policies that among other things form part of the internal
control process. The policies are approved by the Board of Governors and implemented by
the Vice-Chancellor's Executive.

6.3 Risk Management is addressed on a University-wide basis but individual Faculties, and
Professional Services have an essential role in the identification, assessment, on-going
monitoring and mitigation of risks. Faculty and Professional Service planning documents
should identify mitigating actions that will be taken to reduce significant risks. In some
cases, individual risks will be formally owned by a Faculty or Professional Service where the
function concerned lies wholly or mainly within its remit.
6.4 Reporting arrangements through senior line management are designed to monitor key risks
and their controls. Decisions to rectify problems are made by the member of the Vice-Chancellor's
Executive with responsibility for the risk, with reference to other staff, University
committees and the Board of Governors as and where appropriate.

6.5 The strategic planning and annual budgeting process is used to set key objectives in support
of the 2020 work streams and enablers, agree action plans and allocate resources. Targets
contained in the Faculty and Professional Service planning documents provide mitigating
actions which are explicitly linked to risks faced by the University. The annual estimates
(macro budget) presented to the Board of Governors contain an analysis of risks inherent in
them and how these are mitigated.

6.6 Risks associated with major University projects will be managed through the appropriate
project boards adopting project management methodologies such as PRINCE2 and have a
distinct section within the risk management procedures document (see page 13).

6.7 The Corporate section of the Risk Register is compiled by the Vice-Chancellor's Executive
and reported to the Audit Committee to help facilitate the identification, assessment and
monitoring of risks of significant importance to the University. The document is normally
discussed monthly by the Vice-Chancellor's Executive Group and presented to each
meeting of the Audit Committee. Emerging risks are added as required, and improvement
actions and risk indicators are monitored on an ongoing basis through line management.

6.8 Audit Committee is required to report to the Board of Governors on internal controls and
alert it to any emerging issues. The Audit Committee oversees internal audit, external audit
and management as required in its review of internal controls. The Committee has
responsibility, delegated by the Board of Governors, for governor oversight of risk
assurance, ensuring that the Risk Policy is appropriately applied. It directly monitors the
management of the most significant risks to the University, as recorded in the Corporate
Section of the Risk Register.

6.9 Internal audit is an important element of the internal control process. In addition to its
programme of probity and value for money work, internal audit is responsible for aspects of
the annual review of the effectiveness of internal control systems. The internal audit plan is
guided by, but not limited to, the assessment of risks identified through the University's risk
management procedures.

6.10 External Audit provides feedback to the Audit Committee on the operation of internal
financial controls reviewed as part of the annual audit.

7. Annual Review of Effectiveness

7.1 The Audit Committee is responsible for reviewing the effectiveness of internal control of the
institution, based on information provided by auditors, senior management and the Director
of Finance.

7.2 For each significant risk identified, the Audit Committee will:

7.2.1 review the previous year and examine the institution's track record on risk
management and internal control;

7.2.2 consider the internal and external risk profile of the coming year and consider if
current internal control arrangements are likely to be effective.

7.3 In so doing, the Audit Committee will consider:

7.3.1 Control environment:

- the University's objectives and its financial and non-financial targets;
- organisational structure and calibre of the Senior Management Team;
- culture, approach and resources with respect to the management of risk;
- delegation of authority;
- public reporting.

7.3.2 On-going identification and evaluation of significant risks:

- timely identification and assessment of significant risks;
- prioritisation of risks and the allocation of resources to address areas of high

7.3.3 Information and communication:

- quality and timeliness of information on significant risks;
- time it takes for control breakdowns to be recognised or new risks to be

7.3.4 Monitoring and corrective action:

- ability of the institution to learn from its problems;
- commitment and speed with which corrective actions are implemented.

7.4 The Vice-Chancellor's Executive prepares a report of its review of the effectiveness of the
internal control system annually for consideration by the Audit Committee, normally as part
of the returns submitted to HEFCE in the autumn/winter.

8. Risk Management Procedures

8.1 The University's risk management procedures are approved by the Vice-Chancellor's
Executive Group. Recognising the different types of risk, the procedures are split into two

8.1.1 Preventable, Strategic and External risk management

8.1.2 Project risk management (section 9)

Preventable, Strategic and External Risk Management

8.2 Categorising risks as Preventable, Strategic or External helps managers
consider why the risk is occurring and what can feasibly be done to mitigate it. The
definitions of the categories as well as mitigation tactics are set out below:

- Preventable risks represent the majority of risks faced by the University; they
originate internally from failure to ensure or prevent particular behaviours. There is
rarely, if ever, a benefit to the University in tolerating a preventable risk. Preventable
risks should be mitigated using a rules or process approach to promote or
prohibit behaviours. Failure to manage these risks might feasibly lead to loss of
reputation or even prosecution. Examples of preventable risk include fraud or failure
to follow process.

- Strategic risks are more acceptable and recognise that pursuing one strategic
direction over another incurs risks (including opportunity risks). These risks should
be managed by reducing the probability of the risk materialising or by managing or
containing the impact should it occur. In order to test the assumptions behind them,
strategic risks require greater levels of discussion and challenge than preventable risks.

- External risks may be foreseeable by the University, but are outside of its control.
These risks should be managed through identifying and assessing the foreseeable
risks and planning how the impact could be mitigated should they occur. They can
be difficult to spot and as a result often fall into the black swan category; they
encompass natural or economic disasters, geopolitical or environmental changes or
strong moves by competitor organisations. Scenario planning based on the
outcomes of a PESTLE analysis, or even assigning staff to consider the University's
vulnerability to disruptive technologies or competitors, can also help to identify
external risks. An example of an external risk would be a change to legislation on, or
regulation of, student visas.

8.3 The University maintains a single risk register. The register records all non-project risks.

8.4 Each Faculty and Service is required on a monthly basis to detail what they consider to be
key risks, their gross score (pre mitigation), mitigating actions and the net risk score (post
mitigation) on the risk register.

8.5 All risks must be specific (i.e. state what it is a risk in relation to) and provide mitigating actions,
a date by which they will be implemented (or become embedded within core activities)
and who is responsible for managing the risk. They must also indicate lead indicators, a
change to which might signal a positive or negative movement in the University's exposure to a
particular risk.
8.6 Where the risk, mitigating actions or the assurance of mitigating actions has not changed,
Faculties and Services are required to indicate that they have reviewed the risk by entering
the date of review. When reviewing risks they are responsible for, a commentary should be
provided on the level of assurance that can be taken in the mitigating actions in that they are
being implemented and are also effective.

8.7 The Head of Service or Executive Dean is responsible for the Faculty/Service section of the
risk register but may delegate the maintenance of the register to another member of the
management team.
8.8 Where appropriate, risks identified by Faculties and Services should be mapped to the
workstreams and enablers supporting the 2020 Strategy or the Faculty Business Plan.

Strategic Workstreams and Executive Leads

- Outstanding Learning: Prof Paul Gough supported by Prof Julie
- Research with Impact: Prof Paul Gough supported by Prof Martin
- Ready and Able Graduates: Prof Paul Gough supported by Prof Julie
- Strategic partnerships, connections and networks: John Rushforth supported by Prof Martin Boddy and Prof Julie Mcleod
- People: Performance and Development: Vice-Chancellor supported by John Rushforth and Debbie England
- Place: Resources, Estate and Infrastructure: John Rushforth and William Marshall supported by William Liew and Chris Abbott
- Health and Safety: Vice-Chancellor supported by John Rushforth and Alison Weeks
- Reputational and Market: Vice-Chancellor supported by John Rushforth

8.9 From the review of risks identified by Faculties and Services and their own horizon scanning,
members of the Vice-Chancellor's Executive, or their nominee, are responsible for updating
relevant risks in the corporate section of the Risk Register at each meeting.

8.10 The Deputy Vice-Chancellor (Operations) is responsible for presenting the Corporate section
of the Risk Register to the Vice-Chancellor's Executive for review and, based on an analysis
of the risk profile illustrated by the whole Risk Register, will identify where additional
thematic discussion of risks and their management is necessary.

8.11 The Corporate section of the Risk Register will be provided to each meeting of the Board of
Governors Audit Committee for monitoring purposes and may allow for discussion of the risk
management practices employed by an individual Faculty or Service.

Process Overview

Stage 1
Faculties/Services identify risks to their objectives and successful operation, as well as the
appropriate mitigating actions and the assurance that can be taken in those actions.
Identified risks are aligned to the headings of the University's Strategic Plan.

Stage 2
Executive Groups or Academic Board Committees review risks identified under the corporate
headings delegated to them by the Vice-Chancellor's Executive.
Using the information from Faculties/Services, combined with knowledge of the external context,
each member of the Vice-Chancellor's Executive (or nominee) updates risks under the headings
of the corporate section of the risk register for which they are responsible.

Stage 3
The Vice-Chancellor's Executive reviews the Corporate section of the Risk Register on a monthly
basis to monitor management of risks and determine any ancillary actions required to manage
identified risks.
From the accompanying analysis of the whole register, the Vice-Chancellor's Executive determines
where further thematic discussion or additional resources may be required.

Stage 4
The Corporate section of the Risk Register is provided to each Board of Governors Audit Committee for
The Audit Committee reports to the Board of Governors on Risk Management at the University.

9. Project Risk Management Strategy

Document Title: UWE PMO Projects Risk Management Strategy

Author: Chris Little

Version 0.4

Status: For Review and Approval

The source of this printed document can be found in the Transformation Services Documents in

Version History

Revision Date | Version Number | Summary of Changes | Changes Marked
22/12/11 | 0.1 | Initial Draft | N
4/01/12 | 0.2 | 2.4.4 & 3.2 | N
1/02/12 | 0.3 | Figure 1 & Appendix A | N
6/06/13 | 0.4 | Updated refs to PMO |

Reviewed by
This document (or its component parts) has been reviewed by the following:

Name | Title | Issue Date | Version
Lee Norris | PMO, ITS | 22/12/11 | 0.1/0.3
Alastair Osborn | Deputy to Clerk of Governors | 22/12/11 | 0.1/0.3
Chris Little | Senior Project Manager, Transformation Services | 6/6/13 | 0.3/0.4

This document requires the following approvals:

Name | Title | Date
Lee Norris | Head of PMO ITS | 01/02/12
VCEG | Vice Chancellors Exec group |

This document has been distributed to:

Name | Title | Date
VCEG | Vice Chancellors Exec group | 06/02/12


Section Heading

1 Purpose of Document
1.1 Introduction
1.2 Scope Inclusions
1.3 Scope Exclusions
1.4 Ownership

2 Risk Management Framework

2.1 Introduction
2.2 Aims of the Risk Management Framework
2.3 Objectives
2.4 Risk Assessment
2.5 Mitigation Strategy

3 Risk Management Process

3.1 Overview
3.2 Risk Analysis
3.3 Risk Management
3.4 Risk reporting
Figure 1 Process Flow Risk Management Process
3.5 Roles and Responsibilities

Appendix 1 Matrix of Roles and Responsibilities

1. Purpose of Document
1.1 Introduction

The purpose of this document is to provide a consistent process for the management of
risks for all Projects and Programmes within UWE. This document defines Risk
Management in respect of the standards, processes and procedures to be employed in the
identification, analysis, quantification, mitigation, escalation and documentation of risks.

The audience of this document is all members of Transformation Services, Project
Managers, Project and Programme Boards and Project Team members.

1.2 Scope Inclusions

This document describes the process for resolving:

- Project Risks. Risks that can be resolved within a project team.
- Programme Risks. Risks that cannot be managed at the project level or affect
multiple projects within a programme.
- Project Board Risks. Risks that are either of a strategic nature, have a major
impact on service operations or project milestones, or require senior stakeholder
direction or action.

1.3 Scope Exclusions

The scope of this document excludes the management of corporate strategic and
operational risks which is detailed in the corporate Risk Policy and Risk Management
Procedures at

1.4 Ownership

The Project Risk Management Strategy is owned and controlled by Transformation Services.

2 The Risk Management Framework

2.1 Aims of the Risk Management Framework

The aim of risk management is to improve the likelihood of the organisation, programme or
project achieving its stated objectives and safeguarding assets and investments.

The Risk Management Strategy is designed to:

- Focus the Project Board and senior management on the major risks that threaten
Project delivery and objectives.
- Provide a clear picture of the major risks facing the Project, their nature, potential
impact and their likelihood.
- Establish a shared and unambiguous understanding of what risks will be tolerated.
- Actively involve all those responsible for the planning and delivery of Project key
deliverables, objectives and benefits.
- Embed risk awareness and management in planning and decision-making.
- Clarify and establish roles, responsibilities and processes.
- Enable and empower managers to manage those risks in their area of responsibility.
- Include regular risk monitoring and review of the effectiveness of internal control.

Note: Programme in this context is a group of projects and/or related activities which are designed to deliver a strategic
benefit to the organisation.

2.2 Objectives of the Risk Management Strategy

The objectives of an effective RMS are to ensure:

- Early identification and management of risks
- Proper analysis, evaluation and quantification of risks
- Clear and consistent assignment of ownership and management of risks
- Comprehensive identification, definition and evaluation of appropriate mitigation
- Clearly defined policy, standards, processes and procedures
- Proper documentation and storage of information for audit and quality purposes.

2.3 Risk Assessment

2.3.1 Risk Assessment Matrix

The Assessment matrix provides a framework for assessing and measuring
identified Risks, which will be reviewed at various points within the Governance
structure to ensure appropriate priority and visibility is assigned to them.

Whilst Risks will occur from various diverse routes, it is essential that the standards
for assessing the probability and impact of occurrence of each Risk should be
subject to the same criteria across the whole Project. This will allow the Risks to be
managed consistently, at the appropriate level and given the appropriate attention
and visibility.

Risk evaluation and quantification comprises scores of four types:

- Impact - The level of impact on objectives and business service that would
arise should the risk materialise.
- Probability - The likelihood of the risk arising.
- Proximity - This is when the risk is likely to occur and assists with
prioritisation and urgency associated with managing risks.
- Trend - This records the direction of travel of the level of a risk.

The scores and associated descriptions are shown in the tables below:

2.3.2 Scoring Impact

The Risk Owner allocates a score based on the severity of the impact assessment
(see Table 1).

Table 1 Levels of Risk Impact

Impact Rating | Impact Description | Impact on cost / loss of benefit
1 Negligible | It will have little effect on Programme / Project milestones, timescales, or achievement of overall goals or benefits. | No additional cost
2 Minor | It may delay delivery or quality of one or more deliverables but not delay the overall Project, or affect achievement of overall goals or | No additional cost
3 Moderate | A Project milestone is delayed which could extend timescales, but it is unlikely to materially affect successful delivery of the programme / project objectives and benefits. | Additional costs by up to 5%
4 Significant | It is likely to delay the achievement of a number of Programme / project milestones or a major milestone which could significantly extend timescales or costs. Successful delivery of the Programme / Project benefits could also be materially impacted. | Additional costs by 6% to 10%
5 Critical | Programme / Project objectives no longer achievable or major reduction of benefits due to significant time, cost or quality issues. | Additional costs over 10%

** The amount of risk which is judged to be tolerable is the risk tolerance and is the maximum overall
exposure to risk that should be accepted based upon the benefits and costs involved. This level will
be determined on a Project by Project basis by the respective Boards and will be influenced by the
scale (time, cost, benefits) and complexity of each Project.

2.3.3 Scoring Probability

This allows an assessment of the probability that the risk will materialise. The Risk
Owner allocates a score based on the probability assessment (see Table 2).

Table 2 Levels of Risk Probability

Value | Description
1 | Unlikely / Rarely happens. It is highly unlikely that the risk will materialise. Less than 20% chance
2 | Likely. Could happen, 20% to < 40% chance
3 | Very Likely. 40% to < 60% chance of occurring
4 | Highly Likely. 60% to < 80% chance of happening; difficult to prevent because outside of direct control or influence. There will be strong evidence to back up the assessment
5 | Extremely Likely. 80%+ chance

2.3.4 Overall Risk Score

The Impact score multiplied by the Probability score gives the overall risk score.

Table 3 Risk Score (Impact x Probability)

Probability \ Impact | Negligible (1) | Minor (2) | Moderate (3) | Significant (4) | Critical (5)
Extremely Likely (5) | 5 | 10 | 15 | 20 | 25
Highly Likely (4) | 4 | 8 | 12 | 16 | 20
Very Likely (3) | 3 | 6 | 9 | 12 | 15
Likely (2) | 2 | 4 | 6 | 8 | 10
Unlikely (1) | 1 | 2 | 3 | 4 | 5

Project risks can be summarised in a heat map. A template is available at:

These risk scores will determine the amount and urgency of mitigation action and monitoring to manage the
associated risks. Table 4 below provides some guidance as to what the scores can represent in
management terms.

Table 4 Definition underpinning Risk Scores

Risk Score 16-25
High or very high exposure
Beyond risk appetite
Close monitoring by Project Board
Urgent need to consider additional risk mitigation action
Contingency plan required

Risk Score 12-15
Borderline risk appetite
Close monitoring/management by Project Manager and Workstream leads
Urgent need to consider additional risk mitigation action
Contingency plan required
Exception reporting on increasing severity to red

Risk Score 5-10
Medium exposure
Within risk appetite
Need to consider additional risk mitigation measures
Close monitoring/management by Risk Owner
Review by Workstream lead/Project Manager

Risk Score 1-4
Low exposure
Well within risk appetite
Monthly monitoring by Risk Owner
Risk Owner should give consideration to relaxation of control

2.3.5 Risk Proximity

All risks must also include an entry for the Proximity, i.e. the time period in which the
risk is expected to occur. This provides another dimension for prioritising mitigation
and actions for effective risk management.

There are 3 levels of proximity added to the risk log for all risks and in risk reporting.

0 - 3 Months
3 - 6 Months
6 - 9 Months
9 Months +

2.3.6 Risk Trend

The risk trend provides another dimension to the assessment and management of
risk by indicating the direction of travel of a risk, which, together with proximity, helps
prioritise management attention where more than one risk shares the same risk score.

There are 3 trends:


2.4 Mitigation Strategy

A risk mitigation strategy is a plan which seeks to mitigate the risks and safeguard
investment and service delivery activities. This is achieved through proactive actions that
reduce either: a) the probability of a risk occurring or b) the impact of the risk.

The Mitigation Strategy comprises 3 approaches to deal with the risk:

Acceptance: Accept the risk but take no pre-emptive action to resolve it (unable to
address the risk or not cost effective to do so), but consider contingency
plans should the risk materialise.

Treat: Develop a mitigation plan to reduce probability and/or impact.

Transfer: The Risk is moved to another Individual, Department or Function, to deal


The risk mitigation plan will detail the specific risks that have to be dealt with and the
action that has to be taken to carry out the risk mitigation strategy. This gives team
members and managers clarity about the action expected from them, while senior
management and the Partnership Board have knowledge of the steps being taken on
their behalf to reduce the risk.

2.4.1 Risk Status

The Team manager updates the risk status depending on progress with
management and resolution.

New - A newly reported risk in the month

WIP - The risk has been assessed and is being actively managed

Escalated - The risk has been escalated to the Project Board or other
governance body for review and advice

Transfer - The risk has become an issue and transferred to the project issues
log, or has been transferred out of the project to another management

Closed - The risk has been resolved or its consequences accepted

3 Risk Management Process

3.1 Overview

Risk analysis and management are ongoing processes incorporated throughout the life of a
Programme or Project and are the responsibility of all staff involved with a project. The
responsible managers will keep stakeholders informed of risks identified, action taken where
appropriate and the success of those actions.

There are three parts to the risk management process:

Analysis: Identification, definition, and assessment of probability and impact.

Management: Risk mitigation strategy and plan, monitoring and control of actions
employed to deal with the threat, and problems identified in analysis.

Reporting: All risks raised will be recorded on the Project Risk Log and will be owned
by the Project Manager. Reporting of risks will be carried out on a regular
basis in accordance with the agreed governance structure and terms of

3.2 The Risk Analysis Process

Identification of risks is an ongoing process but gets the best results when done on a
group basis at key intervals such as the initial business case development stage,
and again during project initiation.

Identify risks that could adversely affect the impact and efficient delivery of project
and programme objectives and benefits.

A risk should be defined in a brief and clear sentence. A recommended structure is:
IF <the anticipated event happens> THEN <impact on the project objective occurs>.

It is helpful if risks and objectives are considered together, as this can help clarify
project objectives.

Assess the importance, probability and the impact of each risk.

Decide whether the level of risk is acceptable (see 2.3.4).

Identify possible actions to be taken to reduce the probability or impact of the risk.

3.3 Risk management process

3.3.1 Mitigation strategy and monitoring.

Based upon the level of concern and controllability for each risk, the Risk Owner will
decide on the risk mitigation strategy and associated actions, i.e. whether to accept,
treat, or transfer the risk, and ensure those actions are carried out as required. The
Risk Owner will, at least monthly (more frequently for red and amber/red risks),
review and monitor progress, consider the effect on the overall risk rating, and ensure
those changes and updates are reflected in the Risk Log.

3.3.2 Contingency planning

Where the risk has a high risk rating (red) contingency plans will need to be
developed to address the consequences of the risk materialising.

3.3.3 Escalation

Risks will need to be escalated to the next level of seniority (i.e. individual or group),
and the escalation recorded in the risk log, where:

The risk is of significant concern (i.e. red) - escalate to the Board

The risk is outside of the boundaries of authority, responsibility, or
control of the Risk Owner, or
The risk relates to more than one manager's area of responsibility, or
Actions to manage the risk require additional resources or require approval

3.3.4 Transfer

When the risk actually happens it becomes an issue and should be transferred to
the issues log. If a risk affects the project but is outside of the remit of the Project
Team or Project Board it should be transferred to the most appropriate corporate
governance body and managed therein. A watching brief within the project will be

3.4 Reporting

Up to date risk reports are provided for team meetings and governance meetings on a timely
basis for review, with a focus on amber and red/amber risks within the Project Team, and
red or strategic risks at the Project Board.

See Figure 1 for Process Flow

3.5 Roles and Responsibilities

3.5.1 The Project Manager

The Project Manager is responsible for ensuring that all Risks have been assigned a
RO and are actively being managed. The Project Manager is specifically responsible for:

Ensuring all Programme/Project risks are identified and captured on the risk
Check the assessment (RAG) and mitigation strategy and category for all
Ensure all risks are assigned with the most appropriate Risk Owner with the
authority and responsibility to manage them.
Review any risks with increasing severity (Amber to Red based on pre-
mitigation score)
Escalate risks to the Project Board for consideration when mitigation is
outside the Programme/Project manager's jurisdiction, or additional support
outside of the Programme/Project is needed
Consider if there are new unidentified risks
Ensure the top 3 risks are reported on the weekly Project highlight reports
Note: in a project, it is normally the Project Manager who is the risk owner, as the
PM will be managing the risk, but others will be Action Owners, including the
sponsor and Board members where their authority is needed.

3.5.2 Project Board

The Project Board is accountable for the overall management of the Project Risks
and is required to review the Board level risks as a standing agenda item.

Review and monitor all Red risks on the register and as a minimum examine
in detail all risks with a score of 16 to 25.
Identify strategic risks and mitigation
Allocate as necessary resource to support the risk management process
Agree the overall risk tolerance level (risk appetite)

Provide direction to the Project Manager as required for management of

3.5.3 All staff

To be alert to possible risks and raise risks with the Project Manager

Appendix 1 shows a summary matrix of roles and responsibilities.

Figure 1 Risk Management Process

Risk Raiser (responsible for notifying the RO of a new risk):
1. Risk identified: records the risk description and category in the Risk Log, or notifies the RO by email.

Risk Owner (responsible for managing assigned risks and updating the Risk Log):
2. Assesses and validates the risk, ownership and mitigation strategy.
3. Creates the mitigation plan, assigns actions and updates the Risk Log.
6. Updates the Risk Log with progress and new mitigation if required.
7. Decides if the risk is mitigated sufficiently or resolved; if yes:
8. Closes, transfers or escalates the risk.

Action Owner (responsible for executing assigned actions and updating the Risk Log):
4. Executes actions.
5. Updates the Risk Owner with progress.

Project Manager:
Reviews the Risk Log, chases updates and produces updates for Governance.

Appendix 1
Roles and Responsibilities for Risk Management Process

Task | Responsible | Frequency | Tool
Notify the PM or Workstream lead of any new risks as they arise | Project Team | As they arise, or at least on a weekly basis prior to the project update process | Via email / meetings / or phone
Ensure all known risks are entered on the Risk Log. Assess risk, decide mitigation strategy and category and inform relevant Risk Owner | Project Manager, Workstream lead | As they arise, or at least on a weekly basis prior to the project update process | Risk Log
Assign and notify Risk Owner | Project Manager, Workstream lead | When risk arises | Risk Log
Develop risk mitigation plan and assign Action Owners | Risk Owner | When assigned risk | Risk Log
Execute mitigation actions and update RO with progress | Action Owner | When assigned actions; updates fortnightly | Email
Update Risk Log with progress and reassess risk and status etc. | Risk Owner | At least monthly, more frequently for red or amber/red risks | Risk Log
Enter top 3 risks in Highlight Report | Project Manager | Weekly | Highlight Report
Review Risk Log, chase RO for | Project Manager | At least monthly | Risk Log
Review Highlight reports for risks | Senior Project / Project Board | Weekly | Highlight Report
Prepare Risk Report for Board | Project Manager | For Governance meetings | Risk Log,
Review Risk Report | Senior Project / Project Board | At all Governance | Risk Report