RISK MANAGEMENT - PowerPoint PPT Presentation


RISK MANAGEMENT. Central Queensland University. November 2006. BDO Kendalls’ Role – 2002/3. Guidance to the University in establishing Risk Management Policy and Process Framework Deliver training to key management groups Facilitate process implementation workshops


PowerPoint Slideshow about 'RISK MANAGEMENT' - michel

Presentation Transcript
Risk Management


Central Queensland University

November 2006

BDO Kendalls’ Role – 2002/3
  • Guidance to the University in establishing Risk Management Policy and Process Framework
  • Deliver training to key management groups
  • Facilitate process implementation workshops
  • Provide feedback, information and outcomes to Risk Management Committee
  • Management own the process and its key elements
  • Key decision making remains with the University
Why Risk Management?
  • CQU is committed to a comprehensive and systematic approach to effective management of potential opportunities and adverse threats
  • Risk management is a key element in improving CQU’s business and services to assist in achieving its objectives
  • CQU aims to achieve best practice in controlling risks which may impact its business
Why Risk Management? Statutory Requirements
  • Financial Management Standard

“The University must protect itself from unacceptable costs or losses associated with its operations.”

  • Workplace Health & Safety Act 1995

Imposes obligations on people at workplace to ensure work place health and safety

  • AUQA
  • Common Law

Duty of Care

What is Risk?

The exposure to the possibility of something happening that will have an impact on the University’s organisational objectives

  • Objectives: Financial and Non Financial
Elements of Risk

Risk arises out of uncertainty and has two elements:

  • Frequency / likelihood of something happening
  • Severity / impact of the consequences arising from the event.
Risk Management Is …
  • Culture and process
  • Systematic application of management policies, procedures and practices
  • Effective management of opportunities and threats
  • Establishing context
Risk Management is Not …
  • Just accounting controls
  • Another name for insurance
  • About creating risk averse management
  • A label to hide inadequate analysis when something goes wrong
  • A green light for careless enthusiasm
  • An opening for ‘risky management’
Risk Management Objectives
  • Structured basis for strategic planning
  • Enhance governance and corporate management processes
  • Discharge statutory responsibilities
  • Practical framework for decision making
  • Protect against unacceptable costs/losses
  • Minimise missed opportunities
  • Safeguard assets (including people)
University’s RM Objectives
  • Implement RM across all areas of the University in accordance with best practice guidelines
  • Integrate RM into the management culture of the University
  • Foster an environment where staff assume responsibility for managing risk
The Process to Date …
  • CQU Risk Management Policy promulgated
  • Risk Management Committee and Terms of Reference Established
  • Workshop to identify Key Risk Categories
  • Policy Framework and Guidelines established
  • Templates:
    • Risk Mgt Standards
    • Risk Records
    • Risk Treatment Plans
    • Risk Register
  • Pilot Launch – Health Safety and Security Key Risk Category

The Process to Date …
  • CQU Risk Management Workshops conducted, identifying risks and treatment plans
  • Risk Management Committee and Terms of Reference Established as sub-committee of Audit Committee
  • Significant change and restructure
  • AUQA Audit and Report
  • Risk Management Committee rolled into Audit Committee
  • Risk Management Software acquired
  • Re-launch of Risk Management to Senior Management
Key Risk Categories
  • Corporate Governance & Compliance
  • Financial and Commercial
  • Operations
  • Student
  • Health, Safety & Security
  • Human Resources
  • Data & Information Technology
  • Reputation
  • Asset Maintenance
  • Environmental

Risk Management Process

AS/NZ 4360

(Refer Frame 1)

Establishing Context & Framework
  • Identify Internal and External Stakeholders
    • Internal and external decision makers
    • Individuals directly and indirectly affected by decisions, actions and inactions
    • Unions, staff groups
    • Community groups
    • Statutory regulators (health, safety, environmental etc)
    • Politicians (all levels of govt) with electoral or portfolio interest
    • Non government groups
    • Users and suppliers of services and facilities
Establishing Context & Framework
  • Purpose of stakeholder analysis is to provide decision makers with a documented profile of stakeholders to better understand needs, issues and responsibilities
  • Framework and Stakeholder Mix subject to constant change
  • Consultation and review process must be continuous and recurrent in the Risk Management process
Identifying Risks
  • Aim to identify risks to be managed
  • Comprehensive identification critical
  • Potential risk not identified at this stage is excluded from further analysis
  • Identification should include all risks whether or not they are under the University’s control
Identifying Risks

Possible Methods of Identifying Key Risks

  • Audits & physical inspections
  • Decision trees
  • Examination of local or overseas experience
  • Expert judgment
  • History, incident reports
  • Interview, focus group discussions
  • Scenario analysis
  • SWOT analysis
  • Surveys, questionnaires etc…

Identifying Risks

Possible Sources of Risk

  • Commercial relationships
  • Legal relationships
  • Management activities and controls
  • Natural events
  • Occupational health and safety
  • Personnel/human behaviour
  • Public liability
  • Etc …

Identifying Risks

Documentation of this step

  • For a small process this step may be documented by a simple tabulation
  • More detailed documentation may be required for larger processes
  • List each risk and classify
  • Eg functional groups, exposure profiles etc
Analysing Risks


  • The magnitude of consequences of an event, should it occur, and the likelihood of the event and the associated consequences, are assessed in the context of no existing controls
  • Consequences and likelihood are combined to produce a level of risk
Analyse LIKELIHOOD considering:

  • How often situation occurs
  • How many operations/people exposed
  • Skills/experience of people exposed
  • Special characteristics of people exposed
  • Duration of exposure
  • Proximity of hazard to people exposed
  • Quantity of materials or multiple exposure points involved
  • Environmental conditions
  • Condition of facilities, equipment
  • Effectiveness of existing control measures
Analysing Risks

Analyse EXISTING CONTROLS considering:

  • Do controls represent good practice?
  • Are controls minimising exposure to risks?
  • Do stakeholders know about controls?
  • Are there adequate systems and procedures in place to support controls?
  • Is there adequate training/supervision in relation to controls?
  • Is there adequate maintenance of controls?
  • How easy is it to use, or work with, controls?
Analysing Risks

Analyse CONSEQUENCE considering:

  • Potential for “chain reaction”
  • Concentration of risk exposures
  • Direct/indirect financial impact
  • Fines, penalties, rectification costs
  • Other regulatory impact
  • Business interruption
  • Position of stakeholders relative to exposure
  • Human impact

Analysing Risks


Qualitative Methods Used:

  • Where level of risk does not justify time and resources for numerical or detailed scientific analysis
  • For initial screening of risks
  • Where Numerical data inadequate
  • Valuable when analysis shared across range of people, backgrounds & interests
Analysing Risks


Semi-Qualitative Methods

  • Allocates a qualitative word ranking to likelihood (eg Almost Certain – Rare) high, medium or low and consequence (eg Extreme – Insignificant)
  • Rankings are shown against a word scale for ranking the level of risk (eg V.High – V.Low)
  • Avoid overcomplicating analysis. Relatively straightforward methods can be effective
  • Method, rationale and results should be documented
Evaluating and Ranking Risks
  • Risk evaluation involves comparing the level of risk determined during analysis with previously established criteria
  • Decides whether risks are acceptable or unacceptable
  • Output of risk evaluation is a prioritised list of risks for further action (ranking)
Evaluating & Ranking Risks

Acceptable and Unacceptable Risk

  • Degree of control over risk
  • Cost impact, benefits and opportunities presented by risk
  • Significance of risk & importance of policy, program, process or activity
  • Risk may be accepted if consequence & likelihood is consistent with established criteria
  • Acceptance may follow risk reduction measures
  • Regularly review and monitor for changing circumstances
  • Process and rationale should be documented

Evaluating & Ranking Risks

Reasons a risk may be accepted:

  • Level of risk so low that specific treatment not appropriate within available resources
  • Cost of treatment is so excessive compared to benefit that acceptance is only option
  • Opportunities presented outweigh threats to such a degree that risk is justified
  • No treatment is available
Evaluating & Ranking Risks

Unacceptable risks:

  • Risks not considered acceptable are those which will be treated in some way
  • These are prioritised for subsequent management action as a component of the management’s and the University’s Risk Actions Plans and Risk Register
Risk Treatment

Risk Treatment involves

  • Identifying and considering the range of Options for Treatment
  • Assessing those options
  • Preparing Risk Treatment Plans
  • Implementing Risk Treatment Plans
Risk Treatment

OPTIONS to Manage the Risk

  • ELIMINATE the risk
  • TRANSFER the risk
  • PREVENT or MINIMISE the consequences and/or likelihood of the risk
    • Substitution
    • Redesign
    • Isolation
  • RETAIN the risk - when exposure is not or cannot be minimised by other means:
    • Eg Administrative controls
    • Eg Personal protection

(Refer Frame 4 – Risk Treatment Process)

Risk Treatment

Preparing Risk Treatment Plans

  • Plans document how chosen options will be implemented
  • Plans identify:
    • Responsibilities
    • Schedules
    • Expected outcome of treatments
    • Budgeting
    • Performance measures
    • Review, assessment and monitoring processes
Risk Treatment

Implementing Risk Treatment Plans

  • Developing Standards and Procedures
  • Communicating
  • Training and instruction
  • Supervision
  • Maintenance
Risk Treatment

Monitoring and Reviewing Risk Treatment

  • Chosen controls have been implemented as planned:
    • Are chosen controls in place?
    • Are controls being used?
    • Are controls used correctly?
  • Chosen controls are working:
    • Have changes made to control exposure resulted in planned outcome?
    • Has exposure to risk been diminished or adequately reduced?
  • Are there any new problems?
    • Have implemented control measures resulted in introduction of new problems?
    • Have implemented control measures resulted in worsening of existing problems?
  • Each stage of the Risk Management Process should be documented:
    • Demonstrate the process
    • Evidence of systematic process
    • Record to develop risk database
    • Provide decision makers with RM plan for approval and implementation
    • Accountability mechanism and tool
    • Facilitate continuing monitoring and review
    • Provide audit trail
    • Share and communicate information
  • Risk Register
  • Risk Management Standards for Specific Risk Category
  • For RM to be effective it must be implemented by every person within the organisation
    • Council, VC, DVC,
    • Directors, Deans, HODS,
    • Line Management,
    • Staff, Students and 3rd Parties
  • RM is not just the responsibility of management
  • RM must become an integral part of the University’s culture
Managing Risk
  • Managing risk means forward thinking
  • Managing risk means responsible thinking
  • Managing risk means balanced thinking
  • RM provides a framework to facilitate more effective decision making
  • RM is all about maximising opportunity by managing risk

Daniel Nolan

Acting Internal Audit Manager

Extension 6932