1. Introduction
The Risk Management Framework is a component of the Risk and Business Management suite. The suite
includes:
This document defines commonly used risk management terms and sets out the risk register format that
Victoria has adopted. This document should be read in conjunction with our Risk Management Policy and
provides a process to help us better manage and minimise the risks associated with our work.
All decisions involve risk management. Risk should be considered throughout the development and
implementation of any business process or project. Risk management is a structured and systematic
process which is part of business as usual (BAU). Managers need to consider the risk in delivering
business and how to manage that risk effectively by implementing strategies based on the amount of risk
the University considers tolerable. This document broadly considers risk as anything that could prevent us
from achieving our goals, or an outcome resulting in loss.
2. Definitions:
Risk
Raw Risk
The risk before anything is done to mitigate or manage it, i.e. before controls are put in
place.
Residual Risk
3. Organisational Scope
All Managers are responsible for identifying, assessing and managing the risk within their areas of control
and for ensuring that appropriate risk management activities are functioning effectively.
4.
of a manager's responsibilities. For guidance on the formal reporting cycle refer to the Risk Management
Programme: Operational Risk.
4.1 Identifying and Managing Risks - Risk Registers
Risks are identified and assessed on a risk register. Appendix 3 contains a sample risk register using the
University's standard template. Copies of blank templates are available from Safety and Risk (email
safety@vuw.ac.nz).
4.1.1 Identifying risks
Risks are identified through environmental scanning (keeping ourselves updated on our operating
environment), planning processes, major projects, investigating incidents (risk assessment and mitigation
actions are essential elements), internal monitoring (regular audit and inspection) and throughout the change
management process. Managers should identify sources of risk, their causes and their consequences.
Managers should consider all sources of and contributors to risk associated with delivery of their business.
From this we can determine the effect on our objectives from uncertainty associated with these factors.
Consideration should be made of factors including:
Examples:
1. The risk of key university systems and processes being immobilised or disrupted in the event of an
earthquake.
Control: An effective business continuity and disaster recovery plan.
Comment: This does not reduce the likelihood of an earthquake occurring, but it does reduce
the impact on essential operations.
2.
3. The risk that VUW staff incur expenditure that is not in line with University goals.
Control 1: Systems that enforce segregation between purchase order creation and approval.
Comment: This reduces the likelihood of such expenditure occurring.
Control 2: Systems that require sign-off from appropriate staff depending on the value of the
transaction, e.g. delegated financial authorities.
Comment: This reduces the impact, i.e. dollar value, of the risk.
Both controls working in combination (fairly typical in most financial systems) will reduce both
the likelihood and impact of the risk.
The table in Appendix 2 provides managers with guidance on how to evaluate the effectiveness of risk
controls. The controls are ranked level 1 - 3. A level 1 control is the most robust. A level 3 control is
the least robust. Managers should also consider how well the control (already in place) is implemented
or complied with. For example, if a procedure is listed as part of the control mechanism but our audit
process identifies that it is not complied with, the control is considered to be weak, and therefore the
manager will not reduce the assessed risk value significantly. A mitigation plan should be developed to
address poor compliance.
If multiple controls are in place and a good level of compliance is verified by our audit process, then the
control effectiveness is considered to be robust and the manager can reduce the residual risk.
Making recommendations for improving the controls or addressing the risk in some other way.
A sample heat map is attached in Appendix 4.
A sample Risk Report Summary is attached in Appendix 5.
The Risk Report Summary must be reviewed and provided to line managers at least once a year, and at
any other time should the risk rating change significantly or when new key risks arise, or when the
environment and other contextual changes occur. For further guidance refer to the Risk Management
Programme: Operational Risk.
Likelihood
1 Very low. Extremely unlikely. Less than 5% chance of occurring.
2 Low. Unlikely. 5% - 25% chance of occurring.
3 Medium. Possible. 25% - 60% chance of occurring.
4 High. Likely. 60% - 80% chance of occurring.
5 Very high. Almost certain. 80% - 100% chance of occurring.

Consequence
1 Insignificant. Consequences are very low, minor disruption.
2 Minor. Losses may disrupt services for a short period. Financial losses may be in the region of $10,000. Disruption to a single area of the business.
3 Moderate. Service lost for period 1 - 5 days. Financial loss $10,000 - $100,000. Internal event review required. Moderate injury equivalent to staff requiring time < 5 days away from work. Adverse media coverage for 1 day.
4 Serious. Service lost for period exceeding 1 week. Financial loss $100,000 - $1M. Adverse media coverage for 1 week. Internal investigation or by an external source/regulator. Staff, contractor or visitor suffers serious injury. Impact to multiple and diverse areas of the business. Significant senior management intervention required including external assistance.
5 Very serious. Significant resources required to recover from impact. Legal consequences resulting in prosecution. Financial loss >$10M. Staff, contractor or visitor involved in a fatal event. Adverse media coverage for an extended period. Complete loss of service delivery affecting all VUW critical functions. Immediate SMT and Council intervention required.

Risk (Likelihood x consequence)
1 - 5 Very low. Manage within existing controls. Monitor annually.
6 - 10 Low. Manage within existing controls. Monitor 6 monthly.
11 - 15 Medium. Evaluate efficiency of existing controls. Develop and implement additional control mechanisms. Monitor quarterly.
16 - 20 High. Implement mitigation plan. Escalate/report to senior management. Monitor monthly.
The values identified above for financial loss reflect those which may be experienced at an organisational level.
Divide the value by 10 for potential losses at directorate, school or service level.
Raw Risk
1 = lowest, 5 = highest
Risk description
Risk Consequences
Up to $100,000 in repairs to services and other losses
Likelihood (L) 1-5
Consequence (C) 1-5
Raw Risk (L x C)
Mitigations/controls
Building maintenance programme
Early notification fault reporting process
Sources of Assurance
Supplier audit
1-5
Consequence 1-5
RR (L x C)
Contract management protocols.
Planned general inspection
Planned general inspection process
Alternative venue (BCP)
SAM plan
2
Service delivery
Failure to adhere to maintenance programme resulting in unreliable laboratory equipment
Cancellation of experiments or classes impacting tutorial programme and delayed research projects
16
Maintenance programme
Pre use inspection process
Fault reporting process
Spare equipment
Programming of classes
3
H&S
20
Staff training
Bunding
Appropriate storage
Information SDS
Product labelling
H&S Audit
Linked to hazard register
Supervision
Written procedures
Personal Protective Equipment
Fume extraction (LEV)
Hazard assessment
4
Reputation
5
Finance
Loss of essential information due to IT failure
Maintenance regime
Systems backed up and information stored off site
20
Project manager appointed
Project planning process
System tests and auditing data protection systems
Audit of project controls
12
12
Contract monitoring
Contract identifying timeline and penalties
6
Service delivery
16
Equipment servicing
Early notification fault reporting system
Software upgrade
Manual lock up when electronic system fails
Security patrols
7
Service delivery
Electronic monitoring equipment unavailable on demand
Unable to monitor premises resulting in potential for loss/theft/vandalism
Equipment servicing
Supplier audit
10
Project manager in place
Supplier audit
Adherence to building standards
Contract evaluation process
Regular monitoring
Early notification fault reporting
Security patrols
8
Service delivery
Reliance on contractors to provide essential services
15
Alternative suppliers
Loss of institutional/corporate knowledge
9
Legal & regulatory
Robust contract management processes
12
Legal advice
Contract management processes
10
Adverse media coverage
16
Advice and management from VUW Communications team.
Communications protocols
Operations team providing security plan and security staff.
11
Product quality
Inaccurate information presented during a lecture or incorrect instructions given when using equipment
20
NZQA
TEC standards
Regulators and industry standards
Regulators inspections and audit
10
10
10
Recruitment and selection
Professional indemnity insurance
12
Product quality
Student unable to continue with course because of poor performance
12
Course manager appointed.
Electronic information/media systems available
Personal/group tutors appointed
13
Reputation
14
Finance
Students unable to access courses
20
Marketing
Study at Vic day
Conferring ceremony
Student recruitment process
20
NZQA
TEC standards
Regulators and industry standards
Regulators inspections and audit
Recruitment and selection process
Continuous professional and technical development
15
HR
20
Staff support
PDCP
Staff development
Recruitment and selection
Succession management programmes
Communication and news letters
10
Heat map (figure): risks plotted by Consequence and Likelihood.
Records and identifies the base line for risk management activities
Identifies problems and successes in risk management activities
Provides an input for informed decision making
Analysis of the effectiveness of various risk control mechanisms
Describes and defines a plan of action for implementing improvements
Provides a mechanism for escalating risks where a manager does not have the delegated authority to
act or implement certain risk reduction methodologies
2. High or Priority risks
The highest risks assessed within this site specific assessment are described below.
PROVIDE A DESCRIPTION OF THE SITE SPECIFIC RISKS CLARIFYING WHY THE RISK IS HIGH EG.
The Fire Safety & Evacuation of Buildings Regulations 2006 requires:
3. Details of the High or Priority Risks
The highest assessed risks recorded on the risk register associated with this summary are as follows:
LIST THE RISKS AND THE RISK RATING
4. Recommendations