Note:
a) Submitting a UWA Risk Assessment does not guarantee the activity will be approved by UWA.
b) Risk Assessments for complex and high risk activities take many hours of research over a period of time to mature and to produce an acceptable document.
c) Some risk controls require resourcing to be in place prior to the go ahead for the activity being given.
d) Appeals are to be submitted through line management to the Faculty, School or Division.
e) All approvals are based on UWA Risk Assessments at the time of being prepared and are subject to cancelation or additional mitigations being required should the situation change either prior to or during the activity.
f) Any escalation of the risk rating for the activity requires the review of the UWA Risk Assessment. Following this the updated Assessment must be submitted to the Line manager/Senior Research Officerfor review and again go through the approval process.
If you do not feel confident in filling out the UWA Risk Assessment please get help:
-firstly go to the UWA Risk webpage;
-secondly,from your line manager and/or other group members then, if they are unsure;
-thirdlyfrom your Faculty, School or Division.
The UWA Risk Assessment must be filled out by a member of the group undertaking the activity and signed off on by the groupprior to submission.
It is recommended everyone in the group works on the UWA Risk Assessment.
Consider the risks from the perspective of someone without a vested interest in the activity going ahead.
Examples for Specific Risk, Causal Factors and Mitigations can be found on the UWA Risk webpage.
Phase 1
Breakdown the risks
Hint:
Try not to get bogged down on technicalities or perfect wording. It is more important to capture the risks and develop and implement mitigations then to spend time in meetings and completing the template ‘correctly’.
Phase 2
Step 1:Download the UWA Risk Assessment Template from the UWA Risk webpage.
Fill out the 1st row
‘Risk Assessment: Project title, Faculty/ School/ Division, Date completed and full names of Contributors.
Step 2: Number each ‘Specific Risk’ in the first column
Step 3: Write therisks you have identified inthe ‘Specific Risk’ column of the table.
Hint:
In the first instance capture what you believe to be the issue. The wording can be matured at a later date once experience has been gained in completing a Risk Assessment and as time allows.
Step 4: Open the UWA Risk Matrix from the UWA Risk webpage and using the ‘Qualitative measures of Consequence’
review your activity against the seven rows.
Hint:
All staff should be mindful that risk exposures to UWA include Strategic Objectives, Reputation, Health and Safety, Research, Teaching and learning, Legislative compliance and Financial loss.
Step 5: Discuss the risks you have identified with your team, other staff and managers who have undertaken the task to help identify risks you may not have considered.
Hint:
Be open minded, encourage debate and thinking outside the box. There are no right or wrong answers to the question of ‘What are the risks to this task?’.
Step 6:Add any risks identified in the above stepsto the ‘Specific Risk’ column in your Risk Assessment Table.
Step 7: Identifying Consequences is an important task as it allows management and staff to understand what could happen should risks not be managed correctly.
Hint:
Use number and alpha sequencing to identify individual Consequences, Causal Factors, Controls and Actions.
NB All Specific Risks are dealt with in the following manner.
Step 8: Fill out the Causal (Contributing) Factors
Hint:
At times it can be hard to isolate Specific Risks from Causal Factors. Remember it is important not to get fixated on working out what ‘fits’ and where. It is important to capture the risk as you identify it and what contributes to it being a risk to your task (Causal Factors).
Step 9: Now you have got a clearer understanding of what your risks are, select the Categoryand Generic Risks
from the dropdown lists in columns 2 & 3
Hint:
This can be a confusing step and training is recommended. It can be left until the completion of the Assessment once experience has been gained in risk identification,or omit if not required. If there is a requirement to fill in the columns choose the words that most closely describe the Specific Risk as it is unlikely that there will be a perfect ‘fit’ for your task.
Step 10: Using the Risk Matrix definitions for ConsequencesandLikelihood fill in the corresponding columns.
Hint:
When deciding on Likelihood it is to be measured as if the controls / mitigations have not been put in place.
The Consequences descriptions are at university level. Team should scale the quantities back to task / School / Faculty level.
Step 11: To rate the risk in the Risk Matrix use the Consequence and Likelihood ratingsand work across and downuntil the column and row intersect, this is the Risk Rating.
Fill in the Risk Rating column for each Specific Risk.
NB From this point forward the team may decide to only include Specific Risks with a Major or Extreme Risk Rating on the Assessment and level lower level risks off. They may also decide to level some Moderate and Minor rated risks on as the consequences have been known to be Major or Extreme on other sites.
Step 12: Confirm the level of management is attributed to the correct Risk Owner by reviewing the Ratings against the Risk Management levels.
Hint:
This step gives an opportunity to see if the level of the current management of the risk is adequate or if it should be allocatedup or down the line of management.
NB The person attributed the role of Risk Owner must be informed of this decision and be involved with the proceeding steps. They may delegate the Actions and associated tasks to other staff but will need to keep abreast of the management of the risks and sign off on them. If this person believesthe task or associated risks do not reside with them they will need to have discussions with the team and also with the person they believe should be responsible for the ownership of the risk and controls. A Risk Owner must be identified and have the correct delegated level of authority to accept the Risk Owner role.
Step 13: The Risk Owner works with the team and completes the Risk Controls (Mitigations)column.
Hint:
Be conscious that enough detail has been given for the person reviewing the Assessment to be comfortable that thelevel of management is adequate or better.
Step 14:It is now time to reassess the Risk Rating against the Controls that are in place or will be in place prior to the risk being realised. This is called the Residual Risk.
Hint:
Universities traditionally work within reasonably high risk parameters (with high level controls) due to their research and teaching responsibilities.
Step 15:The question is now asked ‘Given the Residual Risk rating are the Existing Controls at an acceptable level to the Risk Owner (Risk Appetite)?’
A dropdown list will give you a selection of Excellent, Adequate, Inadequate and Unable to rate.
Hint:
At this point it is essential to be honest and try to remove subjectivity from the decision. If the Risk Owner and team are unsure or not confident to fill in this field they should get advice from their line management or experts in the field.
Step 16:The Actions / Comments column is for detail and instructions.
Hint:These should be clear, consice and give comfort that Risk Controls are to be kept or put in place to lower the exposure of high and extreme risk ratings to a level that falls below the university’s risk appetite for that activity. If the team is unsure they are to ask the Project lead’s line manager or relevant Shared Services area for assistance e.g. finance.
NB If the Residual Risk Rating cannot be lowered to a level that will be signed off on by the relevant Risk Owner (given the controls that are to be in place) then the Specific Risk has to be escalated to a higher level of delegation. At this level the task can be signed off on as being allowed to proceed or approval is not given and the project cannot go forward. If approval is withheld the task cannot progress until adequate Risk Controls have been negotiated, put in place and the Assessment signed off on by the Project Lead’s Line Manager. At this time the Specific Risk can be reviewed against the increased mitigations and a new decision arrived at.
Step 17: The Action Owner must be informed of the details of any workload they are responsible for. Dates must be included with all actions.
Hint:
If critical dates are attributed to the person by the Project Lead it is the responsibility of the Project Lead to assure adequate resources are made available to the Action Owner to allow them to complete the action.
Hint:
These dates can be pushed out if there are reasonable grounds. To indicate this on the spreadsheet strike out the old dates and write in new ones above. In the Comments section state the reason why the dates have had to move and the remedy for meeting the next proposed date.
Step 18: After this version is agreed on by the team, everyone in the group must send an email to the project lead stating that they sign off on the statements and agree to any Actions as described on the final version.
Suggested text: I accept the risks identified in the UWA Risk Assessment version XXX for ‘XYZ’project and/or Activity YYY, as submitted by ‘ABC’to be true, correct and inclusive of therisks that would be reasonable to have been identified. Furthermore I agree to abide by thecontrolsas stated in the UWA Risk Assessment.
The first row is updated to V 1.0 Final.
Step 19: The final version of the Risk Assessment is sent to the Project/Task Leads Line Manager for formal sign off. If the Line Manager does not sign off on the Assessment it is either sent back to the team for further work and/or the introduction of increased controls or is rejected.
In the case of updating the Assessment the first row goes to v1.1 and the team proceed to developing and maturing the document with guidance from their Line Manager. The Assessment then follows the above process until accepted or rejected.
If the Assessment is rejected outright and the project/task is not abandoned then the Line Manager and/or relevant parties need to work together to review the planning and premise of the project/task.
If Specific Risks, with high to extreme Residual Risk Ratings, are not formally signed off on then a review must take place and the Assessment submitted up the line to where the delegated authority sits.
Step 20: Risk Assessments are to be integrated into the overall management of projects and tasks with high and extreme Risk Rated Specific Risks. The document is classed as ‘live’ and is to be updated and reviewed regularly.
It can be used as a basis for resource applications and business plans and assists managers at all levels in their decision making.
Page 1 of 5