
Risk Management

Session 3
Identifying Risk
Session 3: Overview
• Setting the Context
– Communication with Stakeholders
– Risk Policy
– Risk Criteria
– Risk Appetite

• Identifying Risk
• Categorizing Risk
Risk Management Framework
• Identify
– Context Setting
– Stakeholders
– Risk Policy
– Sources of Risk
– Internal/External
– Risk Appetite
• Assess
– Evaluation
– Likelihood
– Impact
– Gross (Inherent)
– Net (Residual)
– Target
• Mitigate
– Risk Treatment
– Avoid
– Transfer
– Control / Contain / Reduce
– Accept
• Monitor and Report
– Risk Register
– Regular Reviews
– Key Risk Indicators
– Incident Management
– Audit
– Board
Setting the Context
• To set the context means to define the external and internal
factors that the University must consider when managing risk.
• The external context includes external stakeholders (usually on
the governing body), the local, national, and international
environment, and any external factors that influence objectives.
• An organization’s internal context includes risk owners &
managers, its approach to governance, contractual relationships,
partnerships, capabilities, culture, and standards.
• Consider context when formulating the risk management
policy.
• In setting the context there will need to be appropriate
communication and consultation with key people, but decisions
are made by senior management.
A Risk Policy should …

• Be the responsibility of the Executive and
Governing Body.
• Set out the University’s underlying approach
to risk management (Expectations of
management and staff e.g. to accept that
taking risks might result in failure, but not
managing key risks is unacceptable)
• Describe its risk appetite (risk-averse, risk-
taking)
A Risk Policy should …
• Contain a clear explanation of the roles and
responsibilities of the University’s
committees, Risk Owners and Managers.
• Briefly describe key aspects of the risk
management process
• Explain the main reporting procedures and
schedule.
Approach to risk – an example …

“This risk management policy forms part of the University’s
internal control and corporate governance arrangements and exists
to assist the University in achieving its strategic objectives.

The policy is not a process for avoiding risk. It is designed to allow
the University to take on activities that may have a higher level of
risk, because risks have been identified, understood and managed,
within the University’s overall risk appetite.”
Approach to risk – an example …

• The University’s fundamental approach to risk management is as
follows:
– The University should have a clear, effective and transparent framework
for assessing, managing and reporting on risks that could affect its ability
to deliver on strategic objectives.
– The risk management systems should be incorporated within existing
governance/management arrangements and reporting systems as far as
possible.
– The framework should address the taking of opportunities in the form of
new and emerging risks, as well as effective management of existing risks
or ‘threats’.
Approach to risk – an example …
– There should be a process in place for escalating risks for appropriate
attention and action, i.e. where risks could threaten in a new way the
University’s strategic objectives.
– Risks at University and College/Professional Service level should be
overseen and managed through a clear system of accountabilities and
responsibilities.
– Risks at an operational level should form part of the overall system, as in
some cases and circumstances they can impinge upon strategic
objectives.
– Council should receive reports on risk alongside those on performance so
that clarity of connections between them is achieved.
Risk Appetite/Attitude

• A description of the University’s general
approach to risk and how much risk it will
accept.
– Risk appetite influences how risks are assessed and
managed - whether they are avoided, transferred,
controlled or accepted and whether or not risk
treatments are implemented.
Risk Appetite
• Defining Risk Appetite is a job for the
Governing Body & senior management
• Not a single fixed concept. Need a range of
appetites for different risks.
• May vary over time
• Consider variety of topics (finances, credit
rating, reputation, new initiatives,
acquisitions, governance & compliance,
human resources etc)
Risk Appetite
• Consistent with the University’s culture
• Could contain qualitative and quantitative
elements
• Well-communicated
• May include risk tolerance (i.e. minimum and
maximum levels for each category)
• Not a one-off exercise. Should be reviewed
and updated periodically.
Risk Appetite

• How much risk do you want to carry?
• Universities at the risk averse end of the spectrum
• Risk appetite often not explicit in universities, but engrained in
culture – supporting culture very important
• Leading edge & entrepreneurial companies see opportunities
in high-risk environments – high loss, high gain
• Managing risk not the same as removing it – removing it
completely has trade-offs too
Risk Appetite: Cultural Issues
| Culture | Impact |
|---|---|
| Extreme Risk Aversion | Delay in decision-making. Some options ruled out. Risk thresholds so low there is no change in institution |
| Pass the buck | Inability to make difficult decisions. Regular discussion with little progress. Decisions not documented and followed-through |
| No news is good news | If you report a risk or issue, you caused it. People report only good news. Risks/Issues raised too late to do anything with them. |
| Knee-jerk reaction | Deal with symptoms rather than causes. Deal with immediate and specific rather than systemic |
| My mind is made up | Inability to review or reverse earlier decisions in light of new circumstances |
| Shoot the messenger | ‘Don’t bring me problems’ approach. Inability to face risks that are difficult to solve |
| Make it so | ‘Don’t be so negative’. Sheer force of will considered enough to sort out a poorly conceived or ill-resourced project. |
Risk tolerance
• Different levels of risk tolerance for
different types of risks
• Legal compliance – might have zero risk
tolerance
• Investment portfolio – might carry
significant risk and expect some things
not to work
TASK

• Choose 5 Corporate Level risks from the list we
made earlier.
• What should be the risk appetite for these risks?
• Why would you set it at those levels?


TASK
1. Difficulty of recruiting high quality academic
staff
2. Failure to meet our financial objectives
3. Size of intake leads to deteriorating student
experience
4. Economic climate and effect of oil prices on
university funding
5. Ad hoc development of IT systems impacts on
the quality of academic and student support
Edinburgh’s Risk Policy & Appetite
• Reputation – It is regarded as critical that the University preserves its high reputation. The
University therefore has low appetite for risk in the conduct of any of its activities that puts its
reputation in jeopardy, could lead to undue adverse publicity, or could lead to loss of confidence
by the Scottish and UK political establishment, and funders of its activities.

• Compliance – The University places great importance on compliance, and has no appetite for
any breaches in statute, regulation, professional standards, research or medical ethics, bribery or
fraud. It wishes to maintain accreditations related to courses or standards of operation, and has low
appetite for risk relating to actions that may put accreditations in jeopardy

• Financial – The University aims to maintain its long term financial viability and its overall financial
strength. Whilst targets for financial achievement will be higher, the University will aim to manage
its financial risk by not breaching the following minimum criteria:
• It will
- achieve a surplus of a minimum of 2% of gross income over any 3 year period
- operate with a Staff Cost/Total Expenses ratio of less than 60%
- achieve a rate of return of at least 2% above inflation on its endowment investments over
a 3 year period
- ensure long term borrowings never exceed 20% of net assets
- ensure its surplus before interest always exceeds 2 times net interest charge
- ensure that at least three months equivalent spend is held in cash or cash equivalents or in
negotiated bank facilities
Edinburgh’s Risk Policy & Appetite
The above statements take priority over the statements of risk appetite below:

• Research – The University wishes to be at the leading edge in the creation of
knowledge and making a difference to society. It wishes to grow its research
activities, and improve its performance in each REF assessment compared to the
previous assessment. It recognises that this will involve an increased degree
of risk in developing research activities, and is comfortable in accepting this risk
subject to a) limitations imposed by ethical considerations, and b) ensuring that
potential benefits and risks are fully understood before developments are
authorised and that sensible measures to mitigate risk are established.

• Education and Student Experience – The University wishes to stimulate
students to develop a lifelong thirst for knowledge and learning, and encourage a
pioneering innovative and independent attitude and an aspiration to achieve
success. It expects as a minimum to be in the top quartile of surveys related to
student experience. It recognises that this should involve an increased degree of
risk in developing education and the student experience, and is comfortable in
accepting this risk subject always to ensuring that potential benefits and risks are
fully understood before developments are authorised and that sensible measures
to mitigate risk are established.
Edinburgh’s Risk Policy & Appetite
• People and culture – The University aims to
value, support, develop and utilise the full
potential of our staff to make the University a
stimulating and safe place to work. It places
importance on a culture of academic freedom,
equality and diversity, dignity and respect,
collegiality, annual reviews, the development of
staff, and the health and safety of staff, students
and visitors. It has low appetite for any deviation
from its standards in these areas.
Identifying and Categorising Risk
Identifying Risk:
Words of Caution
• Risks often relate to decisions already taken in
the organisation so don’t ‘shoot the
messenger’. The person who identifies the
risk didn’t cause it!
• Don’t create risks by identifying them.
• Differentiate risks & opportunities:
– Events with negative impact = risks
– Events with positive impact = opportunities
Where opportunities arise, these should be channelled back to strategy setting.
Identifying Risk

Involves identifying those actions,
events or circumstances occurring
internally or externally, that could
affect strategy and achievement of
objectives.
Risk Sources
• Government policy and regulation – funding regime
• Competitor activity – growth into your markets
• Economic conditions and market activity – global
economic downturn
• Technological change – MOOCs, social media
• Environmental change – global warming
• Behaviour – student preferences, slowness to adapt,
staff attitudes, management shortcomings
• Natural or man-made disasters or accidents –
Tsunami, fire
• Mistakes – data errors, IT system crash
• Illegal or non-compliant activity - fraud
How do we identify risks?
• You might consider risk:
• The objectives in the Strategic Plan – what are the risks
associated with achieving these?
• Stakeholders – both internal and external and the risks
associated with them (reputation, for example)
• Resources – have we got enough? Will our strategy and
actions put a strain on them? Financial resources are of
course vital, but also physical and human. People, Money,
Things!
• The internal environment. Is there a risk around the
University’s culture and established practices?
• The external environment. PESTLE
Categorising Risk
• Start with the following simple categories:
– The University’s Objectives
– External Environment
– Internal Environment
– Stakeholders
– Resources

[Figure: risk category map. EXTERNAL Topics: Government/Funding*, Economy*, JV/Partnering home or overseas*, Regulatory*, Terrorism, Competitor/Market place*, Financial Markets*, Sovereign/Political*, Natural Hazard/Catastrophe*, Technological Innovation*, Public Relations*. INTERNAL Topics are grouped under headings including Planning, Financial, People, Infrastructure, Technology and Contract/Commercial/Legal.]
Edinburgh used different categories …
Risk Log:
Identified Risks & Categories
| Category | Risk Heading |
|---|---|
| Cross-University | Change in Government Policy |
| | Institutional Sustainability |
| Education | Failure to meet UG student number targets |
| | Reduction in the quality of students admitted |
| Finance | Pension Costs |
| | Financial Strategy |
| HR | Failure to comply with Health and Safety legislation |
| | Risk of receiving Radiation Waste prohibition / improvement notices from the Environment Agency |
| Infrastructure | Long term investment in IT |
| | Information Security |
| Research | Research Income |
| | PGR Recruitment |
| | PGR Completions |
Identifying Risks

Remember that the risks should be identified at
multiple levels throughout the University...
Risk Identification at all levels

• Corporate Risks
• College & Professional Services Risks
• Programme & Project Risks

Where lower-level risks are common and have major impact, they then find their
way onto the risk register at the next level up.
Task
1. Consider KSU’s Mission, Vision & Strategic
Objectives
2. Take any three objectives
3. What are the possible risks they face?
4. How would you categorise those risks?
5. What should be their risk appetite for each of
them?
KSU’s Mission & Vision
• Mission:
– To provide students with a quality education,
conduct valuable research, serve the national
and international societies and contribute to
Saudi Arabia’s knowledge society through
learning, creativity, the use of current and
developing technologies and effective
international partnership.
• Vision:
– To be a world-class university and a leader in
developing Saudi Arabia’s knowledge society.
KSU’s Strategic Objectives
• Maintain a distinctive faculty possessing the highest
credentials and abilities;
• Provide graduate students with the best education and
opportunities that will enhance their knowledge, skills and
relevant experience;
• Establish excellence in all fields of scholarship and
research;
• Building bridges locally, nationally and internationally;
• Provide a supportive learning environment for faculty, staff
and students;
• Ensuring a sustainable environment for the pursuit of
excellence;
• Establishing flexibility and accountability.
Possible Risks
| Objectives | Risks | Category | Risk Appetite |
|---|---|---|---|
| Distinctive Faculty | Attracting high quality staff | People | High |
| | Retaining them | | |
| Excellence in all fields | Competition | Research | High |
| | Spread too thin | | |
| | Rapid development of disciplines | | |
| | Levels of investment required | Finance | Low |
| Supportive Learning Environment | Increasing expectations | Reputation | Low |
| | Technological Development | | |
| | Levels of investment required | Finance | Low |
| | Capacity & skills of staff | People | High |
| | Engagement | Culture | High |
| Sustainable Environment | Investment required | Finance | Low |
| | Conflicts inherent in the strategy | Planning | High |
| | Accountability | Cultural | High |
| | Buy in from faculty | Cultural | High |
