Session 3
Identifying Risk
Session 3: Overview
• Setting the Context
–Communication with Stakeholders
–Risk Policy
–Risk Criteria
–Risk Appetite
• Identifying Risk
• Categorizing Risk
Risk Management Framework
• Identify
– Context Setting
– Stakeholders
– Risk Policy
– Sources of Risk
– Internal/External
– Risk Appetite
• Assess
– Evaluation
– Likelihood
– Impact
– Gross (Inherent)
– Net (Residual)
– Target
• Monitor and Report
– Risk Register
– Regular Reviews
– Key Risk Indicators
– Incident Management
– Audit
– Board
• Mitigate
– Risk Treatment
– Avoid
– Transfer
– Control / Contain / Reduce
– Accept
Setting the Context
• To set the context means to define the external and internal
factors that the University must consider when managing risk.
• The external context includes external stakeholders (usually on
the governing body), the local, national, and international
environment, and any external factors that influence objectives.
• An organization’s internal context includes risk owners &
managers, its approach to governance, contractual relationships,
partnerships, capabilities, culture, and standards.
• Consider context when formulating the risk management
policy.
• In setting the context there will need to be appropriate
communication and consultation with key people, but decisions
are made by senior management.
A Risk Policy should …
• Extreme Risk Aversion: Delay in decision-making. Some options ruled out. Risk thresholds so low
there is no change in institution
• Pass the buck: Inability to make difficult decisions. Regular discussion with little progress.
Decisions not documented and followed through
• No news is good news: If you report a risk or issue, you caused it. People report only good news.
Risks/Issues raised too late to do anything with them.
• Knee-jerk reaction: Deal with symptoms rather than causes. Deal with immediate and specific
rather than systemic
• My mind is made up: Inability to review or reverse earlier decisions in light of new
circumstances
• Shoot the messenger: ‘Don’t bring me problems’ approach. Inability to face risks that are
difficult to solve
• Make it so: ‘Don’t be so negative’. Sheer force of will considered enough to sort out a
poorly conceived or ill-resourced project.
Risk tolerance
• Different levels of risk tolerance for
different types of risks
• Legal compliance – might have zero risk
tolerance
• Investment portfolio – might carry
significant risk and expect some things
not to work
TASK
• Compliance – The University places great importance on compliance, and has no appetite for
any breaches in statute, regulation, professional standards, research or medical ethics, bribery or
fraud. It wishes to maintain accreditations related to courses or standards of operation, and has low
appetite for risk relating to actions that may put accreditations in jeopardy
• Financial – The University aims to maintain its long term financial viability and its overall financial
strength. Whilst targets for financial achievement will be higher, the University will aim to manage
its financial risk by not breaching the following minimum criteria:
• It will
- achieve a surplus of a minimum of 2% of gross income over any 3 year period
- operate with a Staff Cost/Total Expenses ratio of less than 60%
- achieve a rate of return of at least 2% above inflation on its endowment investments over
a 3 year period
- ensure long term borrowings never exceed 20% of net assets
- ensure its surplus before interest always exceeds 2 times net interest charge
- ensure that at least three months equivalent spend is held in cash or cash equivalents or in
negotiated bank facilities
Edinburgh’s Risk Policy & Appetite
The above statements take priority over the statements of risk appetite below:
categories:
[Figure: chart of risk categories. Headings: Exec/Non Exec; Contract/Commercial/Legal; People; Infrastructure; Technology. Sub-headings: External Environment; Internal Environment; Stakeholders; Resources. Items shown include:
Business model*; Business Portfolio*; Physical Security; Cash flow/Liquidity; Investments; Recruit/Retain; Service Development; Student Satisfaction; Exchange rates*; Utility Interruption; Cycle Time; Governance*; Data Control; Fraud/Bribery; Economic modelling; BCM*; Stakeholders; Duty of care (employer’s and public liability); Safety & Health; Accountability; Culture/Change; Buildings; Equipment; Security & Virus; Loss of data; Pensions; Accounting Practices; Tax; Vehicles; Data Integrity; Communications; Competencies/Skills; Materials; Sensitive data; Budget & Forecast; Public health; Hiring/Retention; Intellectual property*; E-commerce risks; Pricing; Leadership*; Mechanical / structural failure; New/upgraded systems; Environmental contamination; Performance Incentives; Management Reporting; Succession Planning*; Patents; Bespoke software; Training/Development; Loss of key personnel; Student Accommodation; System availability; Directors and Officers; Breach of employment law; Change management; Inadequate liability transfer – insurance; Reliability]
Edinburgh used different categories …
Risk Log:
Identified Risks & Categories
Category and Risk Heading
• Cross-University
– Change in Government Policy
– Institutional Sustainability
• Education
– Failure to meet UG student number targets
– Reduction in the quality of students admitted
• Finance
– Pension Costs
– Financial Strategy
• HR
– Failure to comply with Health and Safety legislation
– Risk of receiving Radiation Waste prohibition / improvement notices from
the Environment Agency
• Infrastructure
– Long term investment in IT
– Information Security
• Research
– Research Income
– PGR Recruitment
– PGR Completions
Identifying Risks
Corporate Risks
Where lower-level risks are common and have major impact, they then find their
way onto the risk register at the next level up.
Task
1. Consider KSU’s Mission, Vision & Strategic
Objectives
2. Take any three objectives
3. What are the possible risks they face?
4. How would you categorise those risks?
5. What should be their risk appetite for each of
them?
KSU’s Mission & Vision
• Mission:
– To provide students with a quality education,
conduct valuable research, serve the national
and international societies and contribute to
Saudi Arabia’s knowledge society through
learning, creativity, the use of current and
developing technologies and effective
international partnership.
• Vision:
– To be a world-class university and a leader in
developing Saudi Arabia’s knowledge society.
KSU’s Strategic Objectives
• Maintain a distinctive faculty possessing the highest
credentials and abilities;
• Provide graduate students with the best education and
opportunities that will enhance their knowledge, skills and
relevant experience;
• Establish excellence in all fields of scholarship and
research;
• Building bridges locally, nationally and internationally;
• Provide a supportive learning environment for faculty, staff
and students;
• Ensuring a sustainable environment for the pursuit of
excellence;
• Establishing flexibility and accountability.
Possible Risks
Objectives Risks Category Risk Appetite