ERM Program. Enterprise Risk Management Guideline

Academic year: 2021


Table of Contents

PREAMBLE
When should I refer to this Guideline?
Why do we need a Guideline?
How do I use this Guideline?
Who is responsible for the ERM program?
ERM PROCESS
Step 1: Risk Management Communication & Consultation Methods
Step 2: Establishing the Context
Step 3 to Step 7: Performing a Risk Assessment
Step 3: Risk Identification
Step 4: Risk Analysis
Step 4 (a) Impact
Step 4 (b) Likelihood
Step 4 (c) Combined Impact/Likelihood Score
Step 4 (d) Risk Control Response
Step 5: Risk Evaluation
Step 6: Risk Treatment
Step 7: Risk Monitoring and Review
FINAL NOTE
APPENDIX 1: RISK REGISTER EXAMPLE
DEFINITIONS
REFERENCES

Enterprise Risk Management Guideline

PREAMBLE

The College’s Enterprise Risk Management (ERM) Policy sets the tone for risk management throughout the organization and supports the development of an embedded risk culture. The Enterprise Risk Management (ERM) Guideline provides a best-practices approach to guide staff through a logical seven-step risk management process. For greater assistance and efficiency, the seven-step process has been integrated into a Microsoft Excel working tool to assist with risk identification and assessment. As the College Enterprise Risk Management (ERM) program matures, additional tools will become available. The following 11 principles establish the foundation for the College’s ERM program to manage risk at all levels:

1. Creating and protecting value: risk management contributes to the achievement of College objectives and improves performance in areas such as corporate governance, program and project management, health and safety of staff and students and reputation.

2. An integral part of all organizational processes: risk management is not a stand-alone activity performed in isolation. Rather, it is an integral part of our daily organizational processes, change management process, performance management, planning and reporting processes.

3. Part of decision-making: risk management aids decision-makers to make informed choices, prioritize activities and identify the most effective and efficient course of action.

4. Explicitly addressing uncertainty: risk management identifies the nature of uncertainty and how it can be addressed through a range of mechanisms, for example, implementing risk controls.

5. Systematic, structured and timely: risk management contributes to efficiency and to consistent, comparable and reliable results.

6. Based on the best available information: the risk management process should draw on diverse sources of historical data, expert judgment and stakeholder feedback to produce evidence-based decisions. As decision-makers, we should take into account any limitations of the data and modelling, and any divergence among experts.

7. Tailored: risk management and individual assessments are aligned with the College’s internal and external context and risk profile.

8. Human and cultural factors: risk management recognizes the capabilities, perceptions and intentions of internal and external factors that can aid or hinder the achievement of the College’s objectives.

9. Transparent and inclusive: risk management requires appropriate and timely involvement of stakeholders, in particular, decision makers at all levels of the College to ensure relevance. Involving stakeholders in decision making processes enables diverse views to be taken into account when determining risk criteria.

10. Dynamic, iterative and responsive to change: as internal and external events occur, context and knowledge change, monitoring and review take place, new risks emerge, some change, and others disappear. Therefore, the College should ensure that risk management continually senses and responds to change.

11. Continual improvement of the organization: risk management facilitates continuous improvement of the College’s operations.

Ultimately, an effective ERM program will raise our awareness with respect to uncertainty and decision making.

When should I refer to this Guideline?

Increasingly, organizations, their executive leadership and Boards are seeking to have a better understanding of the risks their organizations are facing and the action plans to manage this risk. Although risk is often viewed negatively, the outcome of assuming risk following a risk assessment can have significant positive results.

Various levels and types of risk impact departments, projects, strategic and business planning and initiatives on a daily basis. This Guideline will provide a College approved process based on an industry standard framework for staff in positions that require them to identify, assess and manage risk.

[Figure: Enterprise Risk Management Framework / Enterprise Risk Management Process. Elements shown: College's Strategy & Objectives; Risk Identification; Risk Analysis; Risk Evaluation; Risk Treatment; Risk Monitoring & Reporting.]

Why do we need a Guideline?

As opposed to a standard, this Guideline provides a flexible best practice approach and allows for the College’s various industry types to employ risk management tools that are best suited for their industry group.

A guideline creates a consistent approach, establishes common vocabulary and promotes risk management tools for identifying, assessing, evaluating, mitigating, monitoring, reviewing and reporting risks.

Furthermore, a guideline helps to promote an environment for informed innovation and risk taking, identify both the favourable and unfavourable impacts of risk, improve accountability and transparency through assigned risk owners and integrate ERM into corporate decision making.

How do I use this Guideline?

The Guideline is based on a seven step process. Each step includes a brief description and examples of methods to assist in completing the step. Use of any of the illustrations, definitions, appendices and content is promoted. Users are also encouraged to use methods and tools that may be more relevant to the risk or set of risks being assessed.

Electronic tools have been created and continue to be improved in order to assist users in applying the steps in a more efficient manner. The intention is to have users spend more time in the risk assessment rather than the administration. To remain sustainable, the risk management process must provide value.

Who is responsible for the ERM program?

The College Risk Management Committee (CRMC) is responsible for the College’s ERM program. The Coordinator, Risk Management is responsible for managing the ERM program on a daily basis. Upon request, the Coordinator will assist you in implementing the risk management process, facilitating a risk assessment, or responding to any questions you may have with respect to the ERM Policy and Guideline. For further information, visit the College’s Risk Management webpage.

ERM PROCESS

The process for managing the College’s risks is described in the seven steps below. Many users of this Guideline may skip to Steps 3 to 7, which focus on risk assessment. However, both risks and the internal and external environments are continually changing, hence the need to return to Steps 1 and 2.

Step 1: Risk Management Communication & Consultation Methods

Undertaking communication and consultation with potential external and internal stakeholders prior to and throughout the risk management process establishes a positive foundation in order to engage and obtain an understanding of the stakeholder interest, to build stakeholder consensus, and to ensure informed risk taking. Based on the ERM Framework illustration on page 3, this step is involved in all of the steps.

Depending on the situation, communication and consultation methods vary and could include:

• Email / Newsletters
• Training and Education Sessions
• Briefing Notes
• Risk Reports
• Dashboards
• Steering Committee and Working Group Meetings
• Departmental/Cross Departmental Meetings
• Regular Employee Meetings
• Awareness Campaigns
• Risk Management on-line electronic tools

When working through a risk assessment, it’s important to receive consensus on the communication format during the risk assessment process, including the risk identification, consequences, both positive and negative, and treatment options.

Step 2: Establishing the Context

Prior to initiating a risk assessment, an analysis of the internal and external environment is required to identify the main stakeholders. This would include a determination of the interdepartmental interfaces or relationships within the College. In addition to stakeholder identification, defining both the internal and external environment at the time of risk assessment in relation to the achievement of the College’s strategic priorities and objectives is critical. External context includes the current political, cultural, economic, regulatory and competitive environment. Internal context includes policies, organizational structure, culture, human resource capabilities, contractual relationships and information systems. Since resources are often limited, it’s important to justify the amount of resources required to carry out a risk assessment, to define the goals and objectives, and identify and define responsibilities for managing the risk.

Undertaking the above will ensure that the approach taken is appropriate for the situation or risk assessment, to the College and to the risks impacting on the College’s ability to achieve its strategic priorities and objectives.

Methods include defining:

• Risk monitoring cycles
• Vendor relationships
• Risk acceptability
• Government relationships
• College Risk Owners
• Partnerships
• Project methodology
• Job descriptions using Organizational chart

Step 3 to Step 7 – Performing a Risk Assessment

The diagram below provides a simplified description of the involvement for Steps 3 to 7 and highlights the continuous nature of these steps and their connection to the College’s strategy and objectives. As mentioned, on-line electronic tools have been created to simplify the step-by-step approach.

Step 3: Risk Identification

This step involves the identification of risk sources, events, their causes and their potential impacts that may harm, assist or prevent the achievement of the College’s objectives. Risk encompasses the potential for positive as well as adverse results, for example, there could be a positive strategic risk in pursuing a new business initiative and negative operational risk in not having appropriate policies and procedures in place to regulate the business initiative.

This step should result in a comprehensive list of risks, known as a Risk Universe, which would be documented in the Risk Register template example in Appendix 1.

Example List of Risks for a College Risk Universe

Methods used to identify and collect risks include the following:

• Risk Universe / Register (Appendix 1)
• Facilitations
• Risk Identification/Mitigation Worksheet (see Step 6)
• Stakeholder feedback
• Interviews & Questionnaires / Surveys
• Data analysis
• On-line electronic tools (Risk Management Website)
• Scenario planning
• Strength, Weakness, Opportunities and Threat (SWOT) analysis
• Gap Analysis
• Audits or physical inspections
• Workshops

[Figure: Example List of Risks for a College Risk Universe, reconstructed as a list. The diagram groups the areas under Internal Conditions / Value Chain and External Conditions.]

Business Environment: Social/Economic (global and local marketability; demographics); Political (education policy); Competition (Colleges, programs offered by other institutions); Technological Advancement

Administrative / Operations: General Operations; Policies and Procedures; Process Efficiency & Effectiveness; Administrative

Cultural: Goal Alignment; Communication; Ethics, Values & Diversity; Social Responsibility; Change Management; Accountabilities & Empowerment

Strategic / Structural: Governance; Performance Measurement; Organizational Structure; Strategic Alliances, Partnerships & Reciprocal Relationships; Policies; Innovation; Reputation / Brand; Stakeholder Relations; Public Policy

Academic: Curriculum; Academic Fraud; Research; Faculty (resources / skills / interdisciplinary collaboration)

Students: Recruitment, Enrolment & Retention; International Students; Program Delivery; Student Satisfaction & Relationship Management; Grants / Scholarships; Student Services; Student Conduct

Financial Management: Financial Reporting; Financial Planning; Financial Policies & Procedures; Internal Controls; Fraud; Cashflow and Liquidity; Funding Access (public and private sources); Capital Management; Endowment Management; Interest Rates

Facilities Asset Management: Physical Infrastructure Capacity; Capital Project Management; Property & Equipment Maintenance

Compliance & Standards: Regulatory; AODA; Federal, Provincial & Municipal Government (funding compliance); Legal; Employment; Privacy; Procurement Practices

Technology & Information Systems: Capacity and Availability; IT Disaster Recovery; Security; Strategy & Architecture; Reliability & Efficiency; Information Systems; Innovation / Emergency Technology

Human Resources: Staffing Levels & Skills; Development, Performance & Succession; Recruitment & Retention; Compensation

Step 4: Risk Analysis

Risk analysis will determine the importance of a risk, current risk control responses, whether a risk control response is required and whether it will proceed to Step 5, Risk Evaluation and Step 6, Risk Treatment. The risk analysis process allows the College to consider the extent to which potential risks might have a negative impact on the achievement of the College’s strategic priorities and operational objectives.

Once a decision is made to record a risk on the Risk Register, one of the six College Risk Categories should be recorded in the Risk Category column in the Risk Register (Appendix 1):

1. Financial:

The risk of financial loss due to a potential change in market condition.

2. Strategic:

Risks that affect or are created by the College’s business strategy and strategic objectives.

3. Reputational:

The loss of value to the College brand and the negative impact on our ability to attract students and investment.

4. International:

Risks outside of Canada which impact the College’s international and Canadian operations.

5. Operational and Hazard:

Risks that affect the College’s ability to execute its strategic plan.

6. Compliance and Legal:

Risk of loss arising from non-compliance with internal and external regulatory requirements, legal action and liability claims.

The College uses a 5 x 5, 25-point scale Risk Rating Matrix to assess Impact and Likelihood of risk, with a total risk score of 25 being the highest risk.

Risk Rating Matrix (rows: Likelihood (L); columns: Impact (I); cell: risk level and score I x L)

| Likelihood (L) \ Impact (I) | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
| Almost Certain (5) | Moderate Risk (5) | Moderate Risk (10) | High Risk (15) | Critical Risk (20) | Critical Risk (25) |
| Likely (4) | Low Risk (4) | Moderate Risk (8) | High Risk (12) | High Risk (16) | Critical Risk (20) |
| Possible (3) | Low Risk (3) | Moderate Risk (6) | Moderate Risk (9) | High Risk (12) | High Risk (15) |
| Unlikely (2) | Low Risk (2) | Low Risk (4) | Moderate Risk (6) | Moderate Risk (8) | Moderate Risk (10) |
| Rare (1) | Low Risk (1) | Low Risk (2) | Low Risk (3) | Low Risk (4) | Moderate Risk (5) |

For each of the risks identified, determine the inherent risk by rating the impact and likelihood using the respective descriptor and score as further described in Step 4(a) and (b). Multiply both scores to produce a total risk score and enter the total risk into the Risk Register (Appendix 1).

Step 4 (a) Impact

Apply the Descriptors in the Impact Rating Matrix to determine the Impact of the risk and the accompanying Risk Score. The Possible Impacts Examples column contains both Key Performance Indicators (KPIs), which are results-focused (for example, measuring performance), and Key Risk Indicators (KRIs), which measure or describe the level of risk associated with an activity and serve as an early warning sign. The examples provided will not apply to the analysis of all risks. In many cases, the (possible) risk impacts will need to be identified for each impact rating.

Impact Rating Matrix (columns: Risk Score; Impact Level; Descriptors; Possible Impacts Examples)

Risk Score 1, Impact Level: Insignificant
Descriptor: Negative outcomes from risk or lost opportunities that do not have an effect on the College’s reputation or performance.
Possible Impacts Examples:
1. Financial: College revenue loss or gain of <$50K.
2. Financial: College department unit <$5K cash impact.
3. Health & Safety (Compliance): no legal consequences or adverse health effects for any individual.
4. Environment (Compliance): minor harm, clean-up <$25K.
5. Compliance & Legal: not guilty, fines <$25K.
6. Reputational: brief negative or positive attention in local news/social media; prompt resolve.
7. Strategic: achievement of a strategic goal delayed within first year.
8. Human (Hazard): injury, no first aid required.
9. Business Interruption (Operational): <1 week; small number of classes or research projects disrupted for <1 month.
10. Systems and Processes (Operational): minor errors or delay in system (e.g. IT), short term impact.

Risk Score 2, Impact Level: Minor
Descriptor: Negative outcomes from risks or lost opportunities that will not have a permanent or significant effect on the College’s reputation or performance.
Possible Impacts Examples:
1. Financial: College revenue loss or gain of >$50K and <$500K.
2. Financial: College department unit $5K to $50K cash impact.
3. Health & Safety (Compliance): warning or order to comply from regulatory authority; minor injuries to one or two individuals.
4. Environment (Compliance): clean-up $25K to $250K.
5. Compliance & Legal: minor breach, fine <$250K.
6. Reputational: negative or positive attention in local news/social media for up to one week.
7. Strategic: one or more strategic goals not attainable and must be revised.
8. Human (Hazard): first aid required, injury.
9. Business Interruption (Operational): 1 to 2 weeks; small number of classes or research projects disrupted for 1 to 4 months.
10. Systems and Processes (Operational): policy / procedure not met, key programs impacted for short term.

Risk Score 3, Impact Level: Moderate
Descriptor: Negative outcomes from risks or lost opportunities that will not have a permanent or significant effect on the College’s reputation or performance.
Possible Impacts Examples:
1. Financial: College revenue loss or gain of >$500K to <$3M.
2. Financial: College department unit cash impact of $50K to $250K.
3. Health & Safety (Compliance): statutory charges against one or two employees.
4. Environment (Compliance): short term harm, $250K to $1M clean-up.
5. Compliance & Legal: breach of legislation, fine $250K to $1M.
6. Reputational: negative/positive attention in national news/social media for less than a week, or in local media for 1 to 2 weeks, or in surrounding communities for <2 weeks; heavy local media.
7. Strategic: a key strategic goal underlying an institutional commitment cannot be attained without significant revision and delay of >1 year.
8. Human (Hazard): injury/hospital; major reversible injury.
9. Business Interruption (Operational): 2 to 4 week interruption; inability of a substantial portion of an entire department to provide education or perform research for <1 month, or the disruption of a small number of classes or research projects >4 months.
10. Systems and Processes (Operational): less than 1 KPI not met, service delivery inconvenient to clients, survival/success of key projects impacted.

Risk Score 4, Impact Level: Major
Descriptor: Negative outcomes from risks or lost opportunities with a significant effect that will require major effort to manage and resolve in the medium term but do not threaten the existence of the institution in the medium term.
Possible Impacts Examples:
1. Financial: College revenue loss or gain of >$3M to <$25M.
2. Financial: College department unit cash impact of $250K to $500K.
3. Health & Safety (Compliance): statutory charges or civil suits against the College and one or more of its senior administrators; permanently disabling injuries to one or more persons.
4. Environment (Compliance): short term, $1M to $5M clean-up.
5. Compliance & Legal: critical risk reported to ARM, legislation breach, fine $1M to $5M.
6. Reputational: negative/positive headlines in international news/social media for <1 week, or attention in national media for 1 to 2 weeks, or in the local media >2 weeks, or sustained negative/positive reaction among surrounding communities; adverse media.
7. Strategic: one or more institutional commitments unable to be achieved in planning timeframe.
8. Human: intensive care; irreversible injury or death (one person).
9. Business Interruption: business interruption 4 to 6 weeks; inability of the substantial portion of an entire department to provide education or perform research for a period between 1 and 4 months.
10. Systems and Processes (Operational): a number of KPIs not met, bad policy advice, degrading service level trends, survival of key programs and projects impacted, IT strategy not aligned with digital college.

Risk Score 5, Impact Level: Catastrophic
Descriptor: Negative outcomes from risks or lost opportunities which, if not resolved in the medium term, will threaten the existence of the institution.
Possible Impacts Examples:
1. Financial: College revenue loss or gain of >$25M.
2. Financial: College department unit impact of >$500K.
3. Health & Safety (Compliance): criminal charges and other legal action against the College and one or more senior administrators or directors; one or more fatalities.
4. Environment (Compliance): long term harm, clean-up >$5M.
5. Compliance & Legal: serious breach of legislation, fine >$5M.
6. Reputational: intense negative/positive headlines in the international media for >1 week or in the national media >2 weeks; national and international reputation impacted; major negative sanction by MTCU; closure of major part of the College.
7. Strategic: one or more institutional commitments unachievable.
8. Human (Hazard): multiple irreversible injuries or deaths.
9. Business Interruption (Operational): interruption >6 weeks; inability of the substantial portion of an entire department to provide education or perform research >1 academic term.
10. Systems and Processes (Operational): critical system failure, significant impact on key programs & projects, significant impact on key stakeholders.

Step 4 (b) Likelihood

Apply the Descriptors below to determine the Likelihood of the risk and the accompanying Risk Score:

Likelihood Rating Matrix

| Risk Score | Likelihood Level | Descriptors |
| 1 | Rare | Event may occur only in exceptional circumstances; unlikely to occur in 5 years |
| 2 | Unlikely | Event could occur at some time; likely to occur once in 5 years |
| 3 | Possible | Event might occur at some time; likely to occur once in a year |
| 4 | Likely | Event will probably occur in most circumstances; likely to occur in a month |
| 5 | Almost Certain | Event is expected to occur in most circumstances; likely to occur in a week |

Step 4 (c) Combined Impact/Likelihood Score

Refer to the Combined Risk Score Legend in the table below and assign the appropriate combined individual risk score, that is, Low (1-4), Moderate (5-10), High (11-18) or Critical (19-25).

Risk Rating Matrix and Combined Risk Score Legend

Risk Rating Matrix (rows: Likelihood (L); columns: Impact (I))

| Likelihood (L) \ Impact (I) | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
| Almost Certain (5) | Moderate Risk (5) | Moderate Risk (10) | High Risk (15) | Critical Risk (20) | Critical Risk (25) |
| Likely (4) | Low Risk (4) | Moderate Risk (8) | High Risk (12) | High Risk (16) | Critical Risk (20) |
| Possible (3) | Low Risk (3) | Moderate Risk (6) | Moderate Risk (9) | High Risk (12) | High Risk (15) |
| Unlikely (2) | Low Risk (2) | Low Risk (4) | Moderate Risk (6) | Moderate Risk (8) | Moderate Risk (10) |
| Rare (1) | Low Risk (1) | Low Risk (2) | Low Risk (3) | Low Risk (4) | Moderate Risk (5) |

Combined Risk Score Legend

Low Risk (1-4): Low level of risk. Manage by routine procedures and operations; should not require much attention but should be reviewed at least every 18 months.

Moderate Risk (5-10): Moderate level of risk. Manage by specific monitoring or response procedures; should be monitored and reviewed every 12 months.

High Risk (11-18): High level of risk. Requires escalation to VP and ARM; should be constantly monitored and reviewed every 6 months (May and November).

Critical Risk (19-25): Top level of risk. Requires escalation to VP, ARM and the Board of Governors responsible for risk management oversight; should be constantly monitored and reviewed monthly.
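As an added worked example (not part of the Guideline or its Excel working tool), the Python below encodes the Impact and Likelihood scales, the Impact x Likelihood score, the Combined Risk Score Legend bands with their review cadence and escalation, the Step 4 (d) control-response levels, and the Step 6 rule that Action Plans are required for Moderate and above; it regenerates the 5 x 5 matrix and scores register rows. The register rows, the field names and the residual-versus-inherent sanity checks are constructed assumptions for illustration.

```python
"""Worked example of the College's 5 x 5 Risk Rating Matrix and Combined Risk Score
Legend (Step 4 (a) to (d)).  Scales, bands, review cadences and escalation paths are
transcribed from the Guideline; the register rows and the residual-vs-inherent sanity
checks are constructed assumptions added for illustration.
"""
from dataclasses import dataclass

IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
CONTROL_RESPONSE = {1: "Weak", 2: "Moderate", 3: "Strong"}  # Step 4 (d) response levels

# Combined Risk Score Legend: (low, high, level, review cadence, management / escalation)
BANDS = (
    (1, 4, "Low", "review at least every 18 months", "routine procedures and operations"),
    (5, 10, "Moderate", "monitor and review every 12 months", "specific monitoring or response procedures"),
    (11, 18, "High", "constantly monitor; review every 6 months (May and November)", "escalate to VP and ARM"),
    (19, 25, "Critical", "constantly monitor; review monthly", "escalate to VP, ARM and Board of Governors"),
)


def risk_score(impact: int, likelihood: int) -> int:
    """Total risk score = Impact x Likelihood, each rated on the 1..5 scale."""
    if impact not in IMPACT or likelihood not in LIKELIHOOD:
        raise ValueError(f"impact and likelihood must be 1..5, got {impact!r}, {likelihood!r}")
    return impact * likelihood


def risk_level(score: int) -> str:
    """Map a 1..25 score onto Low / Moderate / High / Critical per the legend."""
    for low, high, level, _, _ in BANDS:
        if low <= score <= high:
            return level
    raise ValueError(f"score {score!r} is outside the 25-point scale")


def band_guidance(level: str) -> tuple[str, str]:
    """Return (review cadence, management/escalation) for a risk level."""
    for _, _, name, cadence, owner in BANDS:
        if name == level:
            return cadence, owner
    raise ValueError(f"unknown level {level!r}")


def action_plan_required(level: str) -> bool:
    """Step 6: Action Plans are required for Critical, High and Moderate rated risks."""
    return level in {"Critical", "High", "Moderate"}


def build_matrix() -> dict[tuple[int, int], tuple[int, str]]:
    """Regenerate the 5 x 5 Risk Rating Matrix: (likelihood, impact) -> (score, level)."""
    return {(lk, im): (risk_score(im, lk), risk_level(risk_score(im, lk)))
            for lk in LIKELIHOOD for im in IMPACT}


@dataclass
class RegisterRow:
    """One Risk Register line (columns A to I of Appendix 1); field names are assumed."""
    risk_name: str
    category: str
    inherent_impact: int
    inherent_likelihood: int
    control_effectiveness: int  # column H: 1 Weak, 2 Moderate, 3 Strong
    residual_impact: int        # column I, re-rated per Step 4 (a)/(b)
    residual_likelihood: int


def evaluate(row: RegisterRow) -> dict:
    """Score a register row and derive the follow-up the Guideline asks for."""
    inherent = risk_score(row.inherent_impact, row.inherent_likelihood)
    residual = risk_score(row.residual_impact, row.residual_likelihood)
    level = risk_level(residual)
    cadence, owner = band_guidance(level)
    warnings = []
    # Added sanity checks (not in the Guideline): controls are meant to reduce impact
    # and/or likelihood, so residual should not exceed inherent, and Weak controls
    # should not by themselves justify a lower residual rating.
    if residual > inherent:
        warnings.append("residual score exceeds inherent score; re-check Step 4 (a)/(b) ratings")
    if row.control_effectiveness == 1 and residual < inherent:
        warnings.append("Weak controls yet residual rated below inherent; justify in column H")
    return {
        "risk": row.risk_name,
        "inherent_score": inherent, "inherent_level": risk_level(inherent),
        "residual_score": residual, "residual_level": level,
        "control_effectiveness": CONTROL_RESPONSE[row.control_effectiveness],
        "action_plan_required": action_plan_required(level),
        "review": cadence, "managed_by": owner,
        "warnings": warnings,
    }


# Constructed sample rows.  The first mirrors the Appendix 1 example (Student Retention,
# inherent Moderate (3) x Likely (4) = 12 High); its control and residual ratings are
# assumed.  The second is entirely constructed and deliberately mis-rated.
SAMPLE_REGISTER = [
    RegisterRow("Student Retention", "Strategic", 3, 4, 2, 3, 2),
    RegisterRow("IT Disaster Recovery", "Operational and Hazard", 5, 2, 1, 5, 3),
]

if __name__ == "__main__":
    for row in SAMPLE_REGISTER:
        print(evaluate(row))
```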

Step 4 (d) Risk Control Response

Review the effectiveness of the current “Risk Controls” in place and apply the Descriptors below to determine the Response Level and the accompanying Risk Score:

Risk Control Response Rating Matrix

| Risk Score | Response Level | Descriptors |
| 1 | Weak | Activities or controls in place are insufficient or not operating effectively to prevent or mitigate this risk, or no activities or controls are in place to prevent or mitigate this risk. |
| 2 | Moderate | Activities or controls moderately reduce the risk, although activities or controls do not manage all potential risk events or are not operating effectively. |
| 3 | Strong | Significant attention to the risk and its drivers. Activities or controls in place provide considerable certainty of control and are operating effectively. The College has undertaken all economically feasible controls and is maintaining an ongoing monitoring system. |

Enter the “Existing /Planned Risk Responses” and the rating Level from the Risk Response Rating Matrix into the “Effectiveness of Current Risk Responses” in column H in the Risk Register.

Risk Register columns A to I: A Strategic Objective; B Risk Category; C Risk Name; D Risk Description; E Observations, Root Causes, Impacts; F Inherent Risk (Impact, Likelihood, Risk Score); G Existing / Planned Risk Control Responses; H Effectiveness of Current Risk Control Responses; I Residual Risk (Impact, Likelihood).

Taking into consideration the “Effectiveness of the Current Risk Response” column H, refer again to Steps 4 (a) and (b), and enter the impact and likelihood ratings into “Residual Risk” column I.

Step 5: Risk Evaluation

Once risks have been identified and analyzed, that is, columns A through I in the Risk Register, an evaluation of the risks is performed to determine which risks require risk treatment. The Risk Evaluation is based on the current period of time; as a result, a risk that needs to be treated in one period may not need to be treated in another. It is also necessary to prioritize the treatment implementation in the Action Plan (column J).

Risk Register columns A to J: A Strategic Objective; B Risk Category; C Risk Name; D Risk Description; E Observations, Root Causes, Impacts; F Inherent Risk (Impact, Likelihood, Risk Score); G Existing / Planned Risk Control Responses; H Effectiveness of Current Risk Control Responses; I Residual Risk (Impact, Likelihood, Risk Score); J Action Plan.

Reasons for the change in risk may include:

• The risk criteria when the context was being considered in Step 2, may have changed.

• The College’s changing risk appetite and tolerance levels, for example, the likelihood and/or impact of risk is low enough that specific mitigation plans are not required or alternatively, there is no mitigation plan available.

• Cost of mitigation plan is excessive as compared to the benefit such that acceptance of the risk is the only option.

• The risk is being driven by an external event/organization and therefore outside of the control of the College.

At this stage, the Risk Owner will have gained a complete understanding of the risk which will allow them to identify risk treatment plans to reduce the level of risk as well as apply indicators, such as key performance and key risk indicators to respond to changes in risk prior to a negative outcome.

Step 6: Risk Treatment

Risk treatment options fall into the following:

Avoidance: Taking action to exit the activities that give rise to the risks.

Reduction: Reducing the risk likelihood, impact or both.

Acceptance: Taking no action to affect likelihood or impact.

Transfer: Reducing risk likelihood or impact by transferring or sharing a portion of the risk.

The College may benefit from the adoption of a combination of treatment options, for example, both accepting and transferring percentages of risk.

Action Plans (column J) are required for Critical, High and Moderate rated risks. Action plans for Low rated risks are not required although they should be monitored in the event their risk level increases. Action Plans should have a Risk Owner which is recorded in column K.

Risk Register columns A to K: A Strategic Objective; B Risk Category; C Risk Name; D Risk Description; E Observations, Root Causes, Impacts; F Inherent Risk (Impact, Likelihood, Risk Score); G Existing / Planned Risk Control Responses; H Effectiveness of Current Risk Control Responses; I Residual Risk (Impact, Likelihood, Risk Score); J Action Plan; K Risk Owner.

Examples of action plans could include: the creation or amendment of a policy and procedure; identifying and addressing a management or employee gap; developing KPIs or introducing current KPIs (for example, the provincial government requires all colleges to gather and report on five (5) KPIs: student satisfaction, graduate satisfaction, employer satisfaction, graduate employment rate, and graduation rate); and developing KRIs or introducing current KRIs, which will provide an early warning and an opportunity to mitigate the risk at an earlier stage.

Section 2 of the Risk Identification/Mitigation Worksheet is an efficient tool for determining the appropriate action plan. Section 1 (Risk Identification) would have been completed in Step 1 to Step 4.

Risk/Mitigation Identification Worksheet

Section 1: Risk Identification
Risk #:
Risk Category:
Description of Risk:
Unit Team:
Risk Factors:
Risk Impacts:
Existing Control Procedures:
Risk Rating: Inherent Risk (Likelihood, Impact, Risk Level); Residual Risk (Likelihood, Impact, Risk Level)

Section 2: Risk Control Response
Possible Treatment Options | Analysis | Result (Accept/Reject)
Risk Control Response Plan: Action Item | Action By | Timeline
Resource Requirement:
Reporting and Monitoring Required:
Completed By:
Date:

Action plans should be integrated with the management processes of the College operations. The ultimate intent is to move the risk rating to within the College’s Risk Appetite. Once that is accomplished the residual risk rating will equal the Target Risk rating, refer to diagram below.

Step 7: Risk Monitoring and Review

Risk monitoring and review provides Risk Owners with a consistent and timely opportunity to identify new emerging risks and revise existing risk ratings as well as to review the effectiveness of risk treatment plans in place. Although ad hoc reviews could be beneficial, particularly in a period of rapid change, planned review periods should be determined.

Monitoring:

Risk Owners are responsible for monitoring, reviewing and reporting on High and Critical rated risks, their Risk Treatment and Residual Risk status semiannually in March and September.

Review:

The High and Critical Risk Report will be provided annually to the ARM and Presidents Council in May and November for review and comment.

The College wide Risk Register (see Risk Register Template on next page) will be presented annually to the ARM and Presidents Council in July.

The Risk Register template will be used as the main reporting tool. At the request of ARM or Presidents Council, the register is subject to change. The tool may also be expanded at a business unit, department or project level. For example, a department may want to add an additional column to record a Business Plan Reference.

Diagram: Aim for Target Risk


Risk Register Template

Column A: Strategic Objective
Column B: Risk Category
Column C: Risk Name
Column D: Risk Description
Column E: Observations, Root Causes, Impacts
Column F: Inherent Risk (Impact, Likelihood, Risk Score)
Column G: Existing / Planned Risk Control Responses
Column H: Effectiveness of Current Risk Control Responses
Column I: Residual Risk (Impact, Likelihood, Risk Score)
Column J: Action Plan
Column K: Risk Owner
Column L: Implementation Timeline

FINAL NOTE

Throughout the College, and until such time an efficient enterprise data management system is implemented to share and store ERM program related information, all ERM program files should be maintained in accordance with the College Directive, IT05: Information Sensitivity and Security.


APPENDIX 1: RISK REGISTER EXAMPLE

Strategic Objective: Student and Client Success

Risk Category: Strategic

Risk Name: Student Retention

Risk Description: The risk of an inability to retain students.

Observations, Root Causes, Impacts:
  Observations: Some students do not complete their full program. Upward trend showing a difficulty in retaining international students.
  Root Causes:
  • Personal circumstances
  • International students receive limited training on Canadian culture
  Impact:
  • Difficulty maintaining revenue as students are not completing their studies
  • Negative impact on the College's reputation

Inherent Risk: Impact (3) Moderate; Likelihood (4) Likely; Risk Score (12) High

Existing / Planned Risk Responses: The College has recently introduced three new programs which train students to work in growing industries. The College offers a selection of evening and online courses, as well as a fulsome internship program in select programs, in order to accommodate students that balance courses with employment, and to provide valuable employment experience to students.

Effectiveness of Current Risk Responses: (2) Moderate

Residual Risk: Impact (2) Minor; Likelihood (2) Unlikely; Risk Score (4) Low

Action Plan:
  • Measure retention rates to determine any emerging trends
  • Survey students that did not complete their program to determine any key issues or trends
  • Develop and implement a peer mentorship program that pairs international students with domestic counterparts to assist with integration

Risk Owner: Director, International Education

Implementation Timeline: 12 – 24 months
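The register row above can be checked mechanically before it is presented. The following Python script is an added example written for this page; it is not the College's Excel working tool. It takes the five-point Likelihood and Impact scales from the Definitions, scores a row as Impact × Likelihood, and then applies the consistency checks a reviewer would want: residual must not exceed inherent, a High or Critical risk must carry an action plan, and the residual rating is compared with a target level. The rating bands (`BANDS`), the class and function names, and the rule that the semiannual report selects on the inherent rating are assumptions, not taken from the guideline; the bands are chosen only so that the appendix example scores (12) High and (4) Low. The second register row is constructed for the example.

```python
"""Risk register scoring and review checks (added example, not the College's own tool)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Five-point scales from the Definitions section (Likelihood, Impact).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# ASSUMPTION: bands for the combined score (Impact x Likelihood, range 1..25).
# The guideline's own bands live in Step 4(c), not on this page; these are chosen
# so that 12 -> High and 4 -> Low, agreeing with the Appendix 1 example.
BANDS = [(15, "Critical"), (10, "High"), (5, "Moderate"), (1, "Low")]
LEVEL_ORDER = ["Low", "Moderate", "High", "Critical"]


def risk_score(impact: str, likelihood: str) -> int:
    """Combined score; rejects ratings that are not on the five-point scales."""
    try:
        return IMPACT[impact.lower()] * LIKELIHOOD[likelihood.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating: {exc}") from None


def risk_level(score: int) -> str:
    """Map a combined score onto the assumed rating bands."""
    for floor, level in BANDS:
        if score >= floor:
            return level
    raise ValueError(f"score out of range: {score}")


@dataclass
class RiskEntry:
    """One Risk Register row (template columns A..L, free-text columns omitted)."""
    strategic_objective: str
    risk_category: str
    risk_name: str
    inherent_impact: str
    inherent_likelihood: str
    residual_impact: str
    residual_likelihood: str
    risk_owner: str
    action_plan: list[str] = field(default_factory=list)

    def inherent(self) -> tuple[int, str]:
        s = risk_score(self.inherent_impact, self.inherent_likelihood)
        return s, risk_level(s)

    def residual(self) -> tuple[int, str]:
        s = risk_score(self.residual_impact, self.residual_likelihood)
        return s, risk_level(s)

    def validate(self) -> list[str]:
        """Consistency checks to run before the register goes to ARM."""
        problems = []
        if self.residual()[0] > self.inherent()[0]:
            problems.append("residual score exceeds inherent score")
        if self.inherent()[1] in ("High", "Critical") and not self.action_plan:
            problems.append("High/Critical risk has no action plan")
        return problems


def within_appetite(entry: RiskEntry, target_level: str) -> bool:
    """True when the residual rating is at or below the target level."""
    return LEVEL_ORDER.index(entry.residual()[1]) <= LEVEL_ORDER.index(target_level)


def semiannual_report(register: list[RiskEntry]) -> list[RiskEntry]:
    """Rows a Risk Owner reports in March and September.
    ASSUMPTION: 'High and Critical rated risks' is read as the inherent rating."""
    return [e for e in register if e.inherent()[1] in ("High", "Critical")]


# Constructed sample register: row 1 is the Appendix 1 example, row 2 is made up here.
EXAMPLE_REGISTER = [
    RiskEntry("Student and Client Success", "Strategic", "Student Retention",
              "Moderate", "Likely", "Minor", "Unlikely",
              "Director, International Education",
              ["Measure retention rates", "Survey non-completing students",
               "Peer mentorship program for international students"]),
    RiskEntry("Constructed objective", "Operational", "Constructed example risk",
              "Major", "Possible", "Moderate", "Possible", "Example Owner"),
]

if __name__ == "__main__":
    for e in EXAMPLE_REGISTER:
        print(e.risk_name, e.inherent(), e.residual(), e.validate())
    print([e.risk_name for e in semiannual_report(EXAMPLE_REGISTER)])
```

Run as a script, the appendix row scores (12, High) inherent and (4, Low) residual with no problems, while the constructed row is flagged because it is rated High but has no action plan.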


DEFINITIONS

Word/Term: Definition

Risk: Risk describes the probability of loss (financial / property, human, liability) or other negative event. At an enterprise level it describes the effect that uncertainty can have on the College's ability to execute its strategies and/or achieve its business objectives. Risk encompasses the potential for positive as well as adverse results.

Enterprise: Refers to integrating risk management into the entire College operation.

Enterprise Risk Management: A coordinated set of activities and methods that is used to direct the College and to control the many risks that can affect its ability to achieve objectives. Used interchangeably with the term risk management.

Enterprise Risk Management Framework: A set of components that provides the foundations and organizational arrangement for designing, implementing, monitoring, reviewing, communicating and continually improving risk management throughout the College. There are two types of components: the Enterprise Risk Management Policy and the process, also known as the Enterprise Risk Management Guideline.

Enterprise Risk Management Policy: Expresses the College's commitment to risk management and clarifies its general direction or intention.

Enterprise Risk Management Guideline: Identifies the activities we apply to manage our risk.

Risk Analysis: A process used to understand the nature, sources, and causes of the risks identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.

Risk Evaluation: The process of comparing the results of risk analysis with Risk Criteria to determine whether the risk and/or its magnitude are acceptable or tolerable. Risk evaluation assists in risk treatment decision making.

Risk Criteria: Terms of reference used to evaluate the significance or importance of the College's risks. They are used to determine whether a specified level of risk is acceptable or tolerable.


Risk Treatment: The policies, procedures, processes and controls implemented by management to modify risk, taking into consideration the College's risk tolerances, and the cost to modify and the benefit of the modification, including the effect on risk likelihood and impact.

Risk Appetite Statement: A continually reviewed statement that expresses the amount and type of risk that the College is willing to pursue or retain to achieve its mission and strategic objectives. The College statement is updated at a minimum once every three (3) years.

Risk Tolerance: Represents the application of Risk Appetite to specific objectives, implemented by Risk Owners and/or their personnel. It describes the level of risk the College is willing to accept in relation to a threat that may cause loss, or an opportunity, in day-to-day business activities. The Risk Tolerance of the College may be different for different departments and business units.

Risk Profile: A written description of a set of risks that are managed and addressed on a College-wide basis or only by those that are responsible for a particular function or department of the organization. The College Risk Profile is updated at a minimum once every three (3) years.

Risk Owner: A College employee who has been given the authority to manage a particular risk and is accountable for doing so.

Risk Culture: The system of values and behaviors present throughout the College that shape risk decisions. Risk culture influences the decisions of management and employees, even if they are not consciously weighing risks and benefits. Risk Culture also describes the degree to which individuals understand that risk and compliance rules apply to everyone as they pursue their business goals, and that this requires a common understanding of the organization and its business purpose.

Risk Control: An activity or management action to mitigate risk. It includes the policies, procedures, reporting and initiatives performed by the College to ensure that the desired risk response is carried out. These activities take place at all levels and functions of the College.

Likelihood: The probability of an event occurring. Likelihood of an event occurring is rated as rare, unlikely, possible, likely, or almost certain.

Impact: The severity of an event. Impact or severity of an event is rated as insignificant, minor, moderate, major or catastrophic.

Risk Communication: The process of identifying risk and communicating broadly to enable all personnel to deliver on their responsibilities.


Risk Register: The official recording and assessment (with Impact and Likelihood) of the identified risks facing the College at a given period.

Risk Report: A report delivered to the Audit & Risk Management Committee (ARM) at least every six (6) months, in May and November, that provides ongoing monitoring and reporting on the progress of risk mitigation activities and results.

Risk Gap: The risk of outcomes not meeting expectations. Other terms used more specifically to the type of risk include performance gap and legitimacy gap, which emerges when the interests or values of, for example, funders, the Board of Directors and college representatives are not meeting expectations.

Inherent Risk: The Likelihood and Impact scores following a risk assessment and before the application of a Risk Response. Also known as risk without controls.

Residual Risk: The Likelihood and Impact scores after the application of the Risk Response. Risk that remains after controls or treatment are implemented (partially or fully).

Target Risk: Risk that management desires after existing and future actions and treatments.

Risk Response: One or more risk modification methods to control risk.

Risk Universe: All risks that could impact the College.

REFERENCES

1. Enterprise Risk Management Policy

2. Colleges Ontario, Integrated Risk Management Framework (February 2014), webinars produced by MNP LLP

3. CSA/ISO 31000:2009, Risk Management: Principles and Guidelines
