
Opportunity and Risk Policy and Guidelines

Delivering the Higher Education Funding Council for Wales mission

Date: February 2006


Contents

Higher Education Funding Council for Wales Risk Management Policy

Introduction

Gaining Assurance

Annex A: Examples of Risks

Annex B: Notes on Completion of Risk Registers

Higher Education Funding Council for Wales Risk Management Policy


The Higher Education Funding Council for Wales (HEFCW) has adopted a risk based approach to internal control which is designed to provide reasonable assurance that we will achieve our corporate objectives and overall mission. The approach to risk management, set out in this Policy and Guidelines, has been approved by the Audit and Risk Committee and the Higher Education Funding Council for Wales (the Council). The approach allocates responsibility for risk management and establishes a framework within which risks are identified and evaluated so that an appropriate response can be determined and effected.
Risk management needs to allow for the effective assessment and exploitation of opportunities while also identifying what will prevent us from achieving our objectives, and ensuring we have in place procedures to minimise, or manage, those risks. Risk management therefore involves a planned and systematic approach to the identification, assessment and mitigation of the risks that could hinder the achievement of strategic objectives. It involves the following main steps:

- identifying the key strategic risks that would prevent achievement of objectives
- assigning ownership
- evaluating the significance of each risk
- assessing the Council's risk appetite
- identifying suitable responses to each risk
- ensuring the internal control system helps manage the risks
- developing the assurance mechanism to the Chief Executive
- regular review.

To coordinate the risk management process, the approach combines oversight by the Audit & Risk Committee and the Management Board. The Management Board comprises the Chief Executive, the Director of Finance and Corporate Services and all of the HEFCW Heads of Team. Each Head of Team is responsible for the creation of Risk Management Groups, located within their individual Team. These Risk Management Groups are tasked with preparing a Register of the specific risks and controls relating to their areas of responsibility. The Register forms the basis for action plans designed to address weaknesses in controls identified and mitigate risks where this is considered to be desirable.

Each Team is expected to:

- Establish clear objectives for their area of operations and identify and evaluate the key risks to achieving those objectives. This task should be linked to the annual planning process.
- Incorporate risk responses into a system of internal control that is designed to address opportunities, facilitate effective and efficient operations, protect the HEFCW's interests and ensure compliance with applicable laws and guidance.
- Follow HEFCW guidelines and standards relating to particular types of risk and ensure that emerging risks are identified and an appropriate response is effected.
- Design, operate and monitor the system of internal control.
- Monitor the effectiveness of the system of risk and internal control management and report significant weaknesses or non-compliance to the Management Board.
- Ensure that a risk-based approach to internal control is communicated to all their team's staff and embedded in operational processes.
- Assign responsibility for managing risks within boundaries agreed by the Management Board and the Audit and Risk Committee.
- Provide an annual assurance in the form of a statement of internal control to the Chief Executive on the extent of compliance with this Policy.

In its broadest sense, responsibility for the ongoing management of risk rests with all staff in their respective area of operation. Therefore, all staff should be aware of our approach to risk management and understand the concepts described in the Guidelines.

INTRODUCTION

What is Risk?

Risk can be defined as the element of uncertainty which affects operational decisions and planned outcomes. Risk factors may be either positive opportunities or negative threats. Essentially, they are the factors that help or hinder the achievement of our objectives. Annex A sets out examples of the different types of risks that might affect us. By identifying the key risks to achieving HEFCW's objectives, we are able to consider and plan our response to them. This helps us to minimise the impact of 'surprises' and to respond more effectively to possible opportunities.

Risk management is not new. Planning and decision making within HEFCW already includes significant elements of risk assessment. For example, when developing corporate and operational plans we automatically reflect on the threats and opportunities associated with meeting our objectives. In addition Council papers include a risk assessment section which provides detail of any identified risks, current or future, arising from the issues covered by the paper. The risk management process formalises a number of these existing processes and helps us to ensure that key risks are not overlooked.

Who is this guidance for?

Risk management is a particular responsibility of the Council, the Audit and Risk Committee, the Directors and all the Heads of Teams. However, management of risk is something that we all do every day. It affects all aspects of our planning and decision making processes. Consequently, all staff need to be aware of the HEFCW Risk Management Policy, the mechanisms through which it is implemented and their own role in identifying and managing operational risks.
[Figure: Risk Management within the Higher Education Funding Council for Wales. Elements shown: Corporate Planning; Operational Planning; Management Board; Audit & Risk Committee; Individual Objectives; Risk Management; Decision Making; Other HEFCW Staff; Performance Review; Risk Assurance Team; Forward Job Plans.]

Risk Management affects all staff and all aspects of our planning and decision making processes.

What is the purpose of this guidance?

The key purpose of these guidelines is to:

- Inform staff about why and how we apply risk management within HEFCW and, thereby, promote a culture of 'risk awareness' across the organisation.
- Assist the development of risk management processes across HEFCW in a consistent manner in line with a common understanding.

Gaining Assurance

The Risk Management Cycle

Risk management is a fluid process that affects all areas of our planning and decision making processes. Key stages in the cycle of risk management are set out below:

[Figure: Risk Management Cycle. Stages shown: Identify risks; Evaluate the risks; Assess risk appetite; Identify suitable risk responses; Gain assurance on the effectiveness; Embed and review.]

This section describes the stages we go through to integrate risk management into HEFCW's processes.

Our Approach

Risks are identified and assessed at two levels:

Level 1: Corporate Risks
Level 2: Operational Risks

These two levels equate to our two levels of business planning, i.e. corporate and operational planning. Corporate risks will arise from HEFCW's overall objectives, with operational risks arising from the activities and processes undertaken to achieve those objectives.

Example - Human Resource Needs

The right level of expertise and experience amongst staff is essential if we are to deliver the objectives set out in our corporate and operational plans. At the corporate level, we may face a risk that we do not currently have a sufficient level and mix of skills and expertise across HEFCW to deliver those objectives. Our response to this risk includes establishing appropriate policies and strategies for training and development and carrying out a broad assessment of our skills needs. At the operational level, there may be a risk that we do not have expertise in a specific area. Our response to this risk would include recognising the training need in an individual Forward Job Plan and organising a training course or programme of training to meet it.

Roles and Responsibilities

The roles and responsibilities of the various groups and individuals within HEFCW are outlined below (Body: Key Responsibilities):

HEFCW Council: To approve the risk management strategy and policies and to determine HEFCW's 'risk appetite', advised by the Audit and Risk Committee, the Chief Executive and the Management Board.

Audit and Risk Committee: To monitor and advise the Council on the preparation, implementation and maintenance of the Council's risk management strategy.

The Chief Executive: As Accounting Officer, the Chief Executive remains ultimately accountable for the organisation and its management of risk. He must:
- have a clear understanding and assessment of the risks that could prevent delivery of objectives
- ensure that the organisation has effective risk management and control processes
- be provided with assurance that the processes and the key strategic risks are being effectively managed

Management Board: Owners of the Corporate risk register, responsible for reviewing it on a regular basis to ensure that the key risks for HEFCW are recorded and are being effectively managed.

Director and Heads of Team: Owners of Operational risk registers and project risk registers for their own Teams. Responsible for establishing Risk Management Groups for their team.

Team Risk Management Groups: Responsible for ensuring that: registers are prepared, covering the key risks that exist within the Team or project; systems are established to regularly monitor and update the registers; actions identified to manage the key risks are sufficient; and risks that are sufficiently significant to warrant inclusion on the Corporate risk register are drawn to the attention of the Management Board.

Risk Assurance Section: Advising on the development and implementation of the risk management policy and guidelines and facilitating implementation. Providing an annual opinion to the Accounting Officer on the effectiveness of corporate governance, risk management and internal control.

All Other Staff: Identification and management of operational and project risks. Drawing the attention of their line manager to key risks, which may be sufficiently serious to require monitoring at corporate level.

Identifying the Risks

If all key risks are to be identified, we will need input from those who are familiar with our processes and procedures as well as those involved in determining our strategies. Therefore staff at all levels within HEFCW need to be involved. Risk management should not be seen simply as a desk exercise to be undertaken only by Directors, Heads of Team or the Risk Assurance function.

The Corporate Risk Register will be developed by the Management Board. The Management Board presently extracts its key objectives from the Corporate Strategy and develops them into a corporate operating plan. The Corporate Risk Register will therefore consist of:

- Key risks to the achievement of the Strategic Objectives; and
- Risks arising from Operational Risk Registers that have been evaluated as potentially having a significant impact at Corporate level.

Operational Risk Registers will be developed for each Team, with the key risks being identified by each Team's Risk Management Group in parallel with the development of Operating Plan objectives. The register should be developed by considering each operating plan objective and recording any significant risks to achieving that objective. Judgement needs to be exercised in this process: one objective could have several significant risks associated with it, and another may have none. It is perfectly acceptable to record an objective and note that there are no significant risks associated with it. Each Head of Team has a specific responsibility for oversight of the identification and management of operational risks within their team. Oversight of the preparation of the Operational Risk Registers will therefore ultimately be the responsibility of the relevant Head of Team. Notwithstanding this, the precise organisational arrangements for managing operational and project risks are left to the discretion of the relevant Head of Team. Each Head of Team may appoint a Risk Management Champion or Champions to advise on and oversee the risk management process. These Champions would also play a leading role in the Team's Risk Management Group. If the risk management process is to be effective, the Head of Team together with the team's Risk Management Group will need to involve a wide range of staff in identifying and managing risks.

Evaluating Risks
Having identified our key risks, we then assess the likelihood of occurrence and the potential impact on the goals of HEFCW should they be realised. This provides us with a hierarchical assessment of the risks as illustrated below.
Impact / Probability matrix (Impact on the vertical axis, Probability on the horizontal axis):

- High impact, High probability: TAKE URGENT REMEDIAL ACTION; MONITOR RIGOROUSLY
- High impact, Medium probability: mitigation controls / contingency plans; monitor closely
- High impact, Low probability: mitigation controls / contingency plans
- Medium impact, High probability: mitigation controls / contingency plans; monitor closely
- Medium impact, Medium probability: mitigation controls / contingency plans
- Medium impact, Low probability: tolerate; keep watching brief
- Low impact, High probability: mitigation controls / contingency plans
- Low impact, Medium probability: tolerate; keep watching brief
- Low impact, Low probability: tolerate; no action

This methodology helps us to prioritise our response to risk, to determine which risks we need to manage and which are less critical. As indicated above, we have decided that we will tolerate and take no specific actions to manage those risks that fall into the 'Low' impact and 'Low' probability category.

Assess Risk Appetite
The main focus of private sector risk management is on maintaining and enhancing profitability. In contrast, the public sector focuses on the fulfilment of objectives and delivery of a beneficial outcome in the public interest. As an Assembly Sponsored Public Body (ASPB), the National Assembly's priorities and objectives largely drive our risk appetite. Our understanding of these objectives, in consultation with our other key stakeholders, is reflected in our strategic plan. To deliver these objectives we need to balance opportunities to innovate and improve with our responsibilities in terms of accountability, propriety, regularity and value for money.

The level of risk that is acceptable, our Risk Appetite, will be determined by the Council, who are advised by the Audit and Risk Committee and the Management Board. Risk appetite may vary on a case by case basis depending on the perceived benefits of the issue being considered. For example, we may be prepared to accept a higher level of risk in relation to a project with major potential benefits throughout the HE sector in Wales compared to one with similar risks but where the benefits are more tenuous or would only apply to a proportion of the sector. The Management Board will ensure consistency of approach and make sure that cross-functional risks are considered.


Identifying Suitable Risk Responses

Having identified the key risks faced by HEFCW, we then need to decide how they should be managed. Responses to the risks will fall into four categories:

TRANSFER: We already transfer some financial risks in relation to our contracts with Higher and Further education institutions because we can recover funds where our requirements are not met.

TOLERATE: Accept the risk in view of the potential benefits and the cost of mitigating the risk.

TREAT: This is the most likely category. We introduce additional internal controls to reduce the risk to an acceptable level. This could include, for example: monitoring reports to management; reviewing authorisation arrangements; audit reviews etc. Alternatively we might wish to consider changing the way we deliver aspects of our work to reduce the risks.

TERMINATE: This option is probably limited to the more 'entrepreneurial' aspects of our operations where we might decide that the risks are too great and the potential rewards insufficient for us to engage in the activity at all. There is unlikely to be an option to terminate activities that fall within our core remit.

The responses to the risks will form the basis of a plan setting out the actions, timescales and responsibilities necessary to manage the key risks down to an acceptable level. It may not always be possible to manage all risks down to an acceptable level because of factors that are beyond our control. For example, we could be dependent upon the National Assembly or others to take some form of action. Whilst there are measures we could adopt to minimise the chances of the risk being realised (allowing sufficient planning time, ensuring clear communication of our needs etc.), we may also need to develop suitable contingency plans. These should be specifically identified within the Risk Registers.

System of internal control

A control is any action or procedure performed by management to increase the likelihood of activities achieving their objectives. In other words, control is a response to risk, either to contain the risk to an acceptable level or to increase the likelihood of a desirable outcome. A system of internal control provides a framework for all processes and activities designed to give reasonable assurance regarding achievement of objectives. Such systems should be designed to manage, rather than eliminate, the risk of failure. Controls are often broken down into three categories:

Operational controls: relating to the effective and efficient use of resources.

Financial controls: relating to the proper management and oversight of the organisation's finances, leading to the preparation of reliable published financial statements.

Compliance controls: relating to compliance with applicable laws and regulations.

Our system of internal control must also encompass the funds provided by the Council which are transmitted to higher and further education institutions (and related bodies) for education, research and associated purposes. The Statement of Internal Control (SIC) requires the Chief Executive to carry out a review of the effectiveness of the Council's system of internal control and to report on that review each year.

The Chief Executive participates in the exercise of many of the key internal controls or, through participation in activities, sees evidence of their existence and operation. In addition the Chief Executive receives confirmation from the Management Board and Risk Management Groups that the controls are working effectively.

Monitoring the Risks

A project management structure has been developed to facilitate input from all HEFCW staff, as follows:

[Figure: Project Organisation. Elements shown: Higher Education Funding Council for Wales; Management Board; Audit & Risk Committee; Risk Assurance Section; Risk Management Groups; Consultation with all staff.]

The main work of identifying and evaluating risks is the responsibility of each team's Risk Management Group, with the Management Board taking responsibility for corporate level risks. The Risk Management Groups will take the lead in developing registers of the key risks that we face and in leading the consultation with other staff. They will also lead the development of action plans to highlight the action which needs to be taken to manage risks to an acceptable level. The Audit and Risk Committee has a specific responsibility for overseeing the risk management process on an ongoing basis. Members of the Risk Assurance section will act as facilitators and advisors to the Risk Management Groups as required.

Embed and Review Risk Management

The assessment and management of risk is not a 'one off' activity. It should affect all key aspects of our planning and decision making processes.

No changes of strategy or objectives should occur without first considering the potential risks involved.


Risk registers should be 'live' documents. Key risks will change over time and new responses to manage them may be required. Significant new risks should be recorded and assessed as soon as they become apparent. All Council, committee and management board papers should include a risk assessment section which provides detail of any identified risks, current or future, arising from the issues covered by the paper. The risk assessments in these papers should be consistent with the risks assessed in the risk registers. Formal reassessment of the risks recorded in our risk registers will be undertaken on an annual basis as part of our corporate and operational planning processes, but this must not prevent ongoing re-assessment, recording and monitoring of risks as and when they arise. As a general guide, a formal full review of potential new risks to achieving our operational objectives should be carried out at least quarterly, with formal monitoring of the actions due for completion being carried out at least once during each quarter by each Risk Management Group.

Project Management

Risk management is a key element in the control framework for running projects. HEFCW's Project Management Guidance requires the Project Manager to prepare a risk register for approval by the Project Owner when proposing a new project. The register must be prepared in accordance with these guidelines and in consultation with the Risk Assurance section. Risk registers for individual projects should be prepared on the same basis as the Corporate and Operational risk registers, except that when evaluating the risks you should evaluate the impact as being the impact on the project rather than the overall impact on HEFCW. Risks for key projects could potentially be recorded at three different levels as illustrated:

Risk Register Hierarchy

Corporate Risk Register
Risks Identified: None. Or: likely to be a single entry relating to the risk of overall failure of the project if it is significant at Corporate level.
Actions Identified: None. Or: likely to be limited to the monitoring arrangements by the Management Board.

Operational Risk Register
Risks Identified: Likely to be a single entry relating to the risk of overall failure of the project.
Actions Identified: Likely to be limited to the monitoring arrangements at Management Board / Project Owner level.

Project Risk Register
Risks Identified: A detailed evaluation of the key risks to the success of the project.
Actions Identified: A detailed action plan to manage the risks and identification of contingency plans as appropriate.

The Higher Education Funding Council for Wales Framework


If we are to achieve HEFCW's mission, every member of staff will need to help by working towards the achievement of individual operational objectives. Our planning processes help to ensure that we all understand what our individual objectives, set for each member of staff, are and that they are consistent with the overall mission. The National Assembly, the HEFCW Council and the Management Board need a mechanism through which they can gain assurance regarding our ability to meet our objectives. The risk-based approach to internal control described in these guidelines provides a basis for the provision of assurance regarding our ability to deliver our objectives.


HEFCW's obligation to make an annual Statement of Internal Control

The Combined Code and the subsequent Turnbull report both emphasise the need for more focused and open ways of managing risks. To reflect this approach, corporate governance statements have been widened to include internal controls (not just financial controls). This has led to the inclusion of a new Statement of Internal Control (SIC) within financial statements, premised on strategic risk management processes being embedded in the operation of the organisation. The SIC is a narrative statement that explains how the Council has applied the internal control principle. This should cover risk management and all controls, including financial, operational and compliance controls. Since April 2002 the Chief Executive, as the HEFCW Accounting Officer, has been required by the National Assembly to provide a Statement of Internal Control (SIC) within the Accounts of the Higher Education Funding Council for Wales. This includes a commentary on:

- The Council's risk management strategy.
- Audit arrangements established by the Council.
- Monitoring procedures for subsidiary bodies: institutions and third party providers.
- Procedures established to ensure that aspects of risk management and internal control are regularly reviewed and reported on.
The Chief Executive therefore requires assurance that the processes and the key strategic risks are being effectively managed in order to sign off the SIC. As part of this process the Chief Executive must undertake an annual review of the effectiveness of the system of internal control, which will enable the appropriate statement to be made in the Council's annual accounts.

The approach to internal control described in these guidelines, combined with our existing monitoring and audit arrangements, enables us to meet these requirements.


Annex A
Examples of Risks

Examples of the types of risks that we may face in meeting our objectives are suggested below. The examples are intended to be illustrative only, not a definitive list of all possible risks:

Examples of Risks

Reputation: Public Perceptions; National Assembly

Policy: Development; Delivery

Natural Events: Fire; Flood; Weather; Vermin

People: Communications; Direction; Skills

Fraud: Unauthorised use; Misrepresentation; Theft; Hacking

Health & Safety: Litigation; Injury; Death

Management: Decision making; Vision; Flexibility; Skills

Organisation: Governance; Risk Management; Culture

Support: Service levels; Reliance on other bodies

Financial: Accounting & Audit; Programme Costs; Budgeting

Information: Integrity; Accuracy; Timeliness

Technology: Failure; Innovation; Project Management

Knowledge: Market Research; Liaison; Deception; Staff Turnover

Annex B

Notes on completion of risk registers

Each entry below gives the column heading of the risk register followed by guidance on completing it.

Column heading: 1 RISK. Risk reference linked to strategic aim and description of risk.
Guidance: Cross reference the risk to the Corporate and team plan objective to which it relates. Each objective should be recorded, even if there are no significant risks associated with it. This will act as a reminder when reviewing the register. The objectives should appear in the same order as in the Corporate and operational plan. Risks could relate to more than one objective. To identify the risk:
1. Ask what is the objective?
2. Ask what will prevent the objective being achieved?
You do not have to identify a risk/risks for every objective provided you have worked through all objectives systematically in determining what needs to be recorded. Remember only key risks that require monitoring should be recorded in the Corporate risk register. Care is needed here to:
- Avoid defining risks with statements which are simply the converse of the objectives
- Avoid stating impacts as being the risks themselves
- Avoid stating risks which do not impact on objectives
A statement of a risk should encompass the cause of the impact, and the impact to the objective ('cause and consequence') which might arise (See HM Treasury Orange Book October 2004 Page 15 for further guidance and examples).

Column heading: PROBABILITY. Assess probability of risk being realised.
Guidance: This assessment of a High, Medium or Low probability of the risk being realised should be before taking account of any controls in place to manage the risk.

Column heading: CONSEQUENCE.
Guidance: This should be a statement of the impact that the risk would have on the organisation's objectives if realised.

Column heading: IMPACT.
Guidance: This is an assessment of High, Medium or Low as to the severity of the impact of the consequence of the risk being realised.

Column heading: RISK RATING (GROSS).
Guidance: This is the combined risk of the assessed probability and impact, from High/High down to Low/Low, before taking account of any controls in place to manage the risk (sometimes referred to as the gross risk).

Column heading: TOLERATE GROSS RISK. Is this risk tolerable/acceptable (Yes or No)?
Guidance: This is a judgement. In general any risk with a High probability (i.e. certain or almost certain to be realised) or High Impact (i.e. a fundamental impact) is unlikely to be acceptable, together with risks that have both a Medium probability and Medium impact risk score. Based on the guidance above, risks with a high impact but low probability are therefore likely to require action. To illustrate the distinction between probability and impact, consider a risk to health and safety where the likelihood of occurrence (i.e. probability) may be very small, but the impact could be a threat to life (fundamental). This would clearly require more attention than a risk where the impact is minimal even if very likely. Members of the Management Board and the Risk Management Groups are responsible for ensuring that actions proposed are sufficient and proportional to the risk identified.

Column heading: CONTROLS. Control measures in place now.
Guidance: What controls are already in place to mitigate the risk? Controls could consist of authorisation and approval mechanisms, monitoring mechanisms, physical controls, segregation of duties, organisational, personnel, management and supervisory controls, or arithmetic and accounting controls. The Risk Assurance Section can provide further guidance on the identification of controls if required.

Column heading: ACTIONS REQUIRED TO STRENGTHEN CONTROLS.
Guidance: Identify the actions required, if any, to enhance the control measures currently in place. These actions must be specific tasks allocated to a Head of Team and their Team's Risk Management Group with a specified timetable for completion of the task.

Column heading: 9 RISK RATING (NET).
Guidance: This is the revised combined risk of the assessed probability and impact after taking account of controls in place (or controls identified to be put in place in the action plan above) to manage the risk (sometimes referred to as the net risk). This is a forecast of the residual risk once the control actions identified above have been taken.

Column heading: TOLERATE NET RESIDUAL RISK. Is the residual risk now tolerable/acceptable (Yes or No)?
Guidance: Have you done, or are you planning to do, all that you reasonably can do to manage the risk down to an acceptable level? If so, can HEFCW accept the risk that remains? If not, you first need to revisit column 8 to consider whether additional actions are required or, if nothing more can reasonably be done, you need to identify a contingency plan to manage the situation where the risk is realised. In considering the need for a contingency plan, you will also need to take into account the timescales for completion of the actions. If it will take some time to manage the risk down to a reasonable level, you may need a contingency plan for what will happen if the risk is realised in the meantime.

Column heading: 10 CONTINGENCY PLAN REQUIRED IF RESIDUAL RISK IS STILL NOT ACCEPTABLE. By whom? By when?
Guidance: For example, adverse weather is a risk outside our control that could have an adverse impact on the ability of staff to attend the workplace, meetings, seminars etc. Possible contingency plans would be to increase remote access to IT facilities, video conferencing facilities etc. Some risks will be outside our direct control. Where such risks are still deemed to be high then a contingency plan needs to be established. Where further contingency plans are identified as being required to address the risk, the responsibility for the action plan should be allocated to a Head of Team and their Team's Risk Management Group with a set timetable.

Column heading: 11 NEXT REVIEW DATE. What date will you review the risk?
Guidance: Some risks require weekly or monthly monitoring; others will only need to be revisited following the proposed date for completion of the action.

Column heading: 12 REVIEW. Did the review take place? Yes (date of review) or No (why?).
Guidance: Document the review and update the register accordingly. Actions, once taken, are likely to give rise to new controls that can then be recorded in column 8, possibly reducing the assessment of the residual risk (column 9).

Column heading: 13 CURRENT STATUS. Please provide a brief indication of the current status of the risk.
Guidance: This records progress against the actions identified. Should progress be unsatisfactory, this could give rise to the need for new actions or contingency plans.
