
November 19th 2005

Canada. CAURA West & Western Canadian University Risk & Liability Group Australian Universities Risk Management & Risk Registers Keith Old (BPC Canada). November 19 th 2005. AGENDA. Australian Universities – some facts Australian Universities and Government What is Risk Management?



  1. Canada CAURA West & Western Canadian University Risk & Liability Group Australian Universities Risk Management & Risk Registers Keith Old (BPC Canada) November 19th 2005 Copyright 2005 BishopPhillips Consulting (Canada)

  2. AGENDA • Australian Universities – some facts • Australian Universities and Government • What is Risk Management? • Enterprise Risk Management • Challenges for data management • Risk registers • Reporting • Solutions to ERM challenges

  3. Australian Universities - Some Facts • 37 public and three private autonomous and self-accrediting universities. • Total assets of around $30 billion • Consultancy services and the commercialisation of research contributing on average about 5 per cent of a university’s revenue annually. • Expenditure on research and development - $3.4 billion • Student enrolments - 944,977 • In 2004, $43.2 million was provided for capital development projects. • Federal government grants - 59 per cent of the operating revenue. • In 2005/06, the Australian Government will provide $7.8 billion for higher education.

  4. Australian Universities & Government • Federally funded • The Australian Government has significant financial and policy responsibility for higher education, while State and Territory governments retain major legislative responsibilities. • Commonwealth Support for Higher Education is provided largely through: • the Commonwealth Grant Scheme which provides for a specified number of Commonwealth Supported places each year; • the Higher Education Loan Programme (HELP) arrangements providing financial assistance to students; and • research and research training programmes.

  5. Australian Universities & Government: Good Governance required as condition of funding • To expedite reform, the Australian Government has tied funding increases under the Commonwealth Grant Scheme to adherence to a set of National Governance Protocols. • NGP includes the following statement: “The institution’s governing body should adopt a statement of its primary responsibilities, which includes managing risk across the institution, including commercial undertakings.”

  6. Australian Universities & Government • Research projects can be cancelled at whim of minister • Witness this report from The Age newspaper (Melbourne): “Call for change to uni grant process” by David Rood, Higher Education Reporter (November 16, 2005): “Amid reports that Education Minister Brendan Nelson had again blocked some Australian Research Council grants, the prestigious Group of 8 universities said the grants system was flawed if decisions could be made but not explained.”

  7. Australian Universities & Government • All Australian universities have some sort of ERM process. • Government was the impetus but many universities went down this path prior to the government mandates (e.g. Deakin University) • Most universities see real benefits from their ERM programs. • Level of implementation varies

  8. What is risk management anyway? “When packing your backpack in hot sunshine, always include gear for a storm” Sir Ranulph Fiennes (Explorer)

  9. What is the Risk Management Process? (3 Questions & 1 Action) • What can go wrong? • What are we doing about it? • What else do we need to do? • Make sure we do it!

  10. The Risk Management Process (A more traditional description) • Risk Register • Inherent Risk Identification (What can go wrong? How likely is it? What are the potential impacts?) • Document & Rate Controls (What are we doing about it now? How do we rate the current controls?) • Internal Audit Assistance • Develop And Implement Action Plans (Is the risk acceptable? What else are we going to do about it? Who is going to do it and by when?) • Monitor (How are we going? Do we need adjustments?) • Monthly reviews by risk owners • New risks • Re-rating • Progress on action plans • Reporting • Senior management • Audit & Risk owners

  11. Features of Enterprise Risk Management • Integration of existing risk functions • ERM brings all risk activities together under one control • Diagram labels: University Risk Management; Research projects; Security; Internal audit; OH&S; Insurance assessments; Construction projects

  12. Features of Enterprise Risk Management • Continuous rather than ad hoc • Ongoing rather than just when managers consider it necessary • No longer an annual report filed on the shelf • Generally quarterly updates of risk profiles • Broadly focussed • All business risks considered • Not just insurable and financial risks

  13. ERM poses Challenges for data management • Stakeholders have different data needs • Operational areas & Project groups – want to be able to access detailed data on all their risks and status reports on mitigation action plans • Administrators and Boards – want summarized data showing the spread of all risks, nominating the key risks that require their attention and specific data on the key risks • Internal Audit & Audit Committees – want an assessment of internal controls linked to key risks • Government – often have preset reporting formats that they require

  14. Typical operational level report

  15. Typical management level summary (chart labels: STR-13, STR-2)

  16. Typical audit style summary (chart axes: Control level decreasing; Risk level increasing; chart label: STR-13)

  17. Challenges for data management • Living data • The ‘Management’ in risk management implies ongoing monitoring, treatment and adjustment • Risk data requires regular updating • Progress on existing risk mitigation plans • New risks • Alterations to existing risk information

  18. Challenges for data management • Common method & terminology • How do we describe our risks? • How do you rate the impact of a research risk against other risks such as financial fraud, IT failure etc.? • How do we distinguish a ‘high risk’ from a ‘low risk’? • Is a high risk for a department necessarily a high risk for the university?

  19. Challenges for data management • Flexibility • Reporting requirements can and do change • University structures can and do change • Manual vs. Database

  20. Risk Registers • The central risk document • A Risk Register is developed in order to: • provide a useful tool for managing and reducing the risks identified before and during the project; • document risk mitigation strategies being pursued in response to the identified risks and their grading in terms of likelihood and seriousness; • provide the Project Sponsor, Steering Committee/senior management with a documented framework from which risk status can be reported; • ensure the communication of risk management issues to key stakeholders; • provide a mechanism for seeking and acting on feedback to encourage the involvement of the key stakeholders; and • identify the mitigation actions required for implementation of the risk management plan and associated costs.

  21. What do they contain? At a minimum a risk register should contain the following data: • A unique identifier for each risk; • A description of each risk and how it will affect the university; • An assessment of the likelihood it will occur and the possible seriousness/impact if it does occur; • Categories; • A grading of each risk according to a risk assessment table; • Who is responsible for managing the risk; and • An outline of proposed mitigation actions (preventative, detective and contingency).

  22. Typical University Risk Map (High level Risks)
     Risk categories: Teaching & Learning; Management processes; Project Management; Financial; Political Sensitivities; Joint Ventures; Human Resource; Information Technology; Research; Facilities / Infrastructure; Legal / Regulatory; Environment, Health & Safety; Students & Student Admin
     Risks shown on the map: • Curriculum Management • Course Material (Updating / developing) • Management Information (timeliness / accuracy / right information to the right people) • Scheduling • Provision for write offs • Technology evolution • Funding • Delivery of Courses • Communication • Missing milestones • Operating Costs • Preparation of Exams • Responsiveness & Flexibility • Exceeding funding • Duplicated Payments • Assessment of grades etc • Documentation / Record Keeping • Developing inappropriate solutions • Frauds of Assets & Cash • Reviews and Grievance management • Corporate Culture • Loss of stakeholder support • Theft • Policies and Procedures • Resource issues • Collusion • Student experience • Public Relations, Image & Branding • Staff skills • Forgery • Staff availability • Delegations • Accommodation • Invoicing / Accounts Receivable • Intellectual Property • Ownership disputes • Security of IP • Political Instability • Corporate Partners • Contracts • Government policy changes • Institutional Partners • Investments • Major disasters • International Partners • Civil Disturbance • Acquisitions • Staff Requirements / Needs / Wants • Local Partnerships • Vehicles & Plant • Staff Selection / Retention • Commercial Contracts • Property • External Staff (Adjunct Professors) • Conflicting Interest • Buildings • Correct skill mix • Records • Downsizing / Right-sizing / Capsizing • Other assets • Accessibility of key staff • Leased properties • Industrial disputes • Conflicts of Interest / Ethics • “In – house” applications • Application support • Core applications • Data protection and back up • Data security • Disaster recovery • Evergreening • Recruitment & Retention (Students/Staff) • Funding (Commercial/Government) • Integrity of Research • Conflicts of Interest • Partnerships with industry • Casual Staff • Equipment (Faulty/Theft/Quality) • Grievance Procedures • Ageing Infrastructure • Succession Planning • Maintenance • Personal Development • Acquisition • Large Infrastructure Project Management • Compliance with Legislation & Policy: Privacy Act, Trade Practices, OH&S, EEO, Unfair dismissal, Sexual harassment, Defamation, Discrimination, Contracting liabilities, indemnity, exclusion clauses • Hazardous substances • Student records • OH&S issues • Conducting examinations • Environmental licences • Meeting Student Expectations • Legionella etc. • Legal Liability • Fee Paying / Government Funded • Laboratory Explosion • Third parties / Agents • Local / International Students • Environmental Contamination • Insurance Cover • Enrolments / Re-enrolments • Natural Disasters • Public liability • Recognition Prior Learning • Disaster Recovery • Professional indemnity • Needs of tailored programs • Fire & Emergency control • Medical malpractice • Student appeals • Travel • Vehicles

  23. High level Research Risks (Research) • Recruitment & Retention (Students/Staff) • Funding (Commercial/Government) • Integrity of Research • Conflicts of Interest • Partnerships with industry • Quality of research • Quality of publication • Plagiarism • Data security • Cost Management • Attraction of research projects • Project management (time and money) • Safety in Labs • Breaches in Ethics • Controls over dangerous substances • Disease control • Security

  24. High level IT Risks (Information Technology) • “In – house” applications • Application support • Core applications • Data protection and back up • Data security • Disaster recovery • Evergreening • Future capacity and functionality • Implementations and upgrades • Network • Use of new technology • IT suppliers

  25. One risk, many risk groupings • Research Risks: Recruitment & Retention (Students/Staff); Funding (Commercial/Government); Integrity of Research; Conflicts of Interest; Partnerships with industry; Quality of research; Quality of publication; Plagiarism; Data security; Cost Management; Attraction of research projects; Project management (time and money); Safety in Labs; Breaches in Ethics; Controls over dangerous substances; Disease control; Security • Organizational structure: Faculty of Science; Research; Finance Department • Category of risk: Financial - Fraud; OH&S – Chemical; IT – Data back up and recovery • Further diagram labels: Safety committee Building Grant Application Strategic Plan

  26. Assessing different types of impacts

  27. Inherent Risk Rating (matrix axes: Impact; Likelihood; ratings: Very High Risk, High Risk, Medium Risk, Low Risk, Very Low Risk)

  28. Risk Reporting Process (example) • Risk Owner 1, Risk Owner 2, Risk Owner 3 • Base Level Risk Registers • Departmental / Faculty Risk Register • Department / Faculty Heads • Risk Committee • Strategic Risk Register • University “Management” • Stakeholders (Audit Committee, Board of Governors, Government)

  29. Solutions to ERM challenges • Ensure that you have the highest level support for implementing ERM prior to commencement. • Document a detailed project plan for implementing ERM within the university • Document a risk policy and methodology for the university • Ensure that you can provide flexible Reporting Options for all risk stakeholders • Gather risk data in such a way to foster ‘Ownership’ of risks and subsequent maintenance of the risk data • Ensure that the risk mitigation plans are being completed and are working.

  30. Simple Solutions • Get the boss on board • Have a plan • Have a method • Give stakeholders what they want • Spread the risk ownership • Make a difference

  31. Project Steps • Establish the infrastructure • Reporting Structure, Risk Committee, Method, Resources • Draft a plan • Where, Who, When • Establish a good start • 1-2 months to cover Key admin areas + One academic • Roll-out • Additional registers each month • Quarterly reviews

  32. Contact Details: Keith Old (BPC Canada) • Phone 604 – 899 1750 • Cell 778 – 386 0756 • oldk@bishopphillips.com
