Risk Profiling

How to Guide for Service Division Directors and Managers

Document Description and Usage
This guide provides helpful hints for people who will lead a risk profiling process.
Definitions
The term ‘Business Unit’ in this document means any sub-unit within the University such as a Division, Academic Department or Service Unit.
The term ‘Cost Centre’ is used to refer to individual Academic Departments and Service Units.

1. Introduction and Purpose

1.1. What is risk profiling?

1.2. What is the risk profiling process?

1.3. Who facilitates the risk profiling?

2. Preparation

2.1. Preparatory Material

2.2. Approach to Risk Profiling Exercise

3. Risk Profiling Exercise

3.1. Risk Profiling Introduction

3.2. Risk Identification

3.3. Inherent Risk Identification

3.4. Control Identification

3.5. Control Assessment

3.6. Residual Risk Assessment

3.7. Action Planning

3.8. Final Check

3.9. Next Steps

4. Review

4.1. Monitoring and Reporting

Appendix 1 Roles and Responsibilities

Risk Facilitator

Risk Coordinator

1. Introduction and Purpose

This document provides information on how to facilitate a risk profiling workshop. It is intended to help Heads of Department and Directors of Service Divisions (or delegates) carry out a risk profiling workshop with their teams as part of the annual budgeting round.

Risk Profiling is used to initially identify the risks the University and each Business Unit within the University faces in the next 12 months and to assess: the severity and likelihood of those risks; key controls associated with the risks identified; whether the risks are tolerable or will require further action.

1.1. What is risk profiling?

Risk profiling provides a structured approach to the identification and assessment of risk. This guide outlines the process and the expectations placed on Business Units of the University.

The output of the risk identification and assessment process is a completed risk profile (or Risk Register). A completed risk profile contains the following attributes:

  • A record of all the key risks and a list of Risk Owners.
  • An assessment of the risk exposure (both before and after the application of controls).
  • Identification of the key controls in place to mitigate the risks.
  • Any further actions that are proposed to reduce the risk and who will complete them.
  • A due date for further actions and a review date for each risk.

This Guide and the associated tools have been developed so that:

  • Each Business Unit can have a complete risk profile to ensure a common understanding of the risks the University faces. By assessing risk severity at Divisional and cost centre level, Heads of Division/Departments will know the areas of greatest risk, be able to prioritise activities and allocate resources in the upcoming budgeting round to reduce the most serious risk exposures.
  • An aggregated risk profile can be produced at Corporate Level. To be able to do this it is necessary to have risk profiles done at Cost Centre level and Divisional level, and done in a consistent manner.

The overall goal of the process is to help Academic Departments and Service Units achieve their annual financial and operational goals and to prevent disruption from avoidable problems during the year.

1.2. What is the risk profiling process?

The risk profiling process is comprised of three main phases:

  • Preparation
  • Risk Profiling Exercise
  • Review

These phases are summarised in the diagram below, and more information on each of them is provided in the following sections.

1.3. Who facilitates the risk profiling?

This document refers to the ‘Facilitator’ as the person who facilitates the risk profiling exercise. A detailed description of this role is included in Appendix 1.

2. Preparation

2.1. Preparatory Material

The purpose of preparing material prior to the workshop is to provide a good understanding of the Business Unit and the issues it faces to help the completion of the risk profile. Background knowledge is useful to prompt participants during the workshop on potential areas of risk or issues with controls. The preparation approach taken may vary dependent on the Facilitator.

Prior to the workshop it is suggested that the facilitator gain an understanding of the following areas:

  • The objectives or goals of the area and the main activities/processes it carries out – this information can be used as a basis for brainstorming risks i.e. what events could prevent the Divisions/department/service unit from meeting its objectives. This also helps establish the link between risk management, the budget and day-to-day management activities.
  • The degree of dependency on other University departments for specific services, either with respect to one-off initiatives or generally throughout the year. This information will highlight the potential for problems if the business unit has new initiatives planned which will require support services to be available during a certain period, or if there are activity peaks/staff absences at a certain time of year that support services should be made aware of, etc.
  • Any risks that have been identified through other reports (e.g. internal audit reports, departmental reviews), issues raised and, if possible, an understanding of their magnitude. This helps establish some of the key risks that should be raised in the risk profiling workshop.
  • Any controls that are documented in other reports and any indication of their effectiveness. This provides information on some of the key controls that should be noted in the risk profiling exercise and an indication of how effective they are.

2.2. Approach to Risk Profiling Exercise

Forum for conducting the risk profile

The approach to running the risk profiling workshops should be agreed with the Business Unit at the outset. This may be dependent on a number of factors, such as availability of staff, leadership style, conflicting priorities etc.

The risk profiling exercise can either be run as a workshop or through a series of meetings with individuals or groups to discuss the risks and controls. The advantage of holding a workshop is that it:

  • Promotes discussion and challenge amongst participants, which helps refine the profile in the workshop.
  • Provides an ideal forum to focus on risks that could impact on the business unit’s annual objectives, and any resources that may be required to address the risks (particularly those that will need to be factored into the budget).

Attendees

  • It is recommended that no more than 15 people attend the risk profiling exercise (if it is to be run as a workshop). With more attendees it can prove difficult to facilitate the meeting and time can be spent discussing details which may not be important to the outcome of the workshop.
  • Participants should represent a level of seniority with a good level of knowledge of activities/processes to be able to identify related risks and controls.
  • One option that could be considered is to hold an initial workshop with academics/management to identify and assess the risks and another workshop with their internal support staff/reports to discuss the controls and their effectiveness. This process may benefit from having only the appropriate individuals in each workshop. If this approach is followed it is important that management validate the controls identified and residual risk rating.

Meeting logistics

  • Appoint a support person to arrange the workshop, invite participants and send out relevant materials. This person will also be capturing information during the workshop (see Appendix 1 for the role of the Risk Coordinator).
  • Consider the need / applicability of sending pre-reading material to attendees.
  • Consider having the following available at the workshop:
      • Copies of the Risk Matrix
      • Copies of the impact definitions / examples
      • Copies of the previous risk matrix (if available)
  • When this Risk Profiling methodology is first used, workshops should last approximately two hours, to allow sufficient time to discuss the risks in the business unit. If this proves to be insufficient time to cover all the risks then follow-up one-on-one meetings may need to be organised (the approach should be agreed with the participants at the end of the first meeting or workshop), ideally within a week of the initial workshop. This ensures momentum is maintained to complete the profile.

Pre-population of risk register

When the risk profile is completed for the first time it may be beneficial to pre-populate the risk register prior to the workshop, using the preparatory material, to help stimulate ideas on the risks.

Outlined below are a number of sources that can be used to help pre-populate the risk register and prepare for risk profiling workshops:

Previous Risk Assessment Reports – These can include previous risk profiles or other specific risk assessments such as Project Status reports and/or risk & issue logs, H&S reports, etc. If these other specific risk assessments have been done recently, it may be possible to save time in the workshop by presenting the results of these risk assessments for confirmation.

Academic Review Findings and Recommendations – Typically illustrate how well the Department/Service Unit has been performing against objectives, based on feedback from subject experts and key stakeholders. Review the issues/recommendations raised within the report and consider what the risk is.

Student Opinion and Graduate Opinion Surveys

Student issues – Review any student complaints or issues; these can highlight actual or potential risks that result in an impact on the student experience.

Regulatory breaches/fines - The underlying cause of the breach or fine may provide an indication of the risk event that caused the regulatory impact.

External Audit points / Internal Audit points - The findings of audit reports can provide an indication of the risks that are or may occur within the Business Unit. Review the issues/findings raised within the reports and consider what the risk is.

Issues arising from other Academic Departments/Service Units – Consider whether other areas within the University have experienced risk events or issues that could potentially occur within your Department/Service Unit.

Business Plans – The risks associated with achieving objectives/growth aspirations/development can be considered.

Previous failures/losses/issues

Note:

On an ongoing basis the previous risk profile should be used as a starting point for the annual risk profiling exercise, where the business unit can amend as appropriate.

The Financial scales to be used

The financial scale used for each Business Unit is a University scale and should not be adjusted to reflect Cost Centre/Divisional revenue. Assessing risks on a University scale allows the Risk Manager to identify risks that are common to a number of departments which, when viewed collectively, could pose a significant risk to the University or indicate that there is a service-related problem impacting a number of academic departments that needs to be addressed.

Data Capture

An important part of running the risk profiling exercise is to ensure the output of the discussion is documented. It is suggested that information is captured ‘on the spot’ in either the Risk Data Capture form or directly into the Risk Register Template. It can be helpful to project this to all the participants to provide a structure to the process and also to gain agreement during the workshop on the way in which the risks have been captured and assessed.

3. Risk Profiling Exercise

The main role of the risk Facilitator during the risk profiling exercise is to provide leadership and assist the business unit to complete the exercise.

Note: the Business Unit is responsible for managing risk within their area.

3.1. Risk Profiling Introduction

At the opening of the risk profiling exercise it is useful to provide an introduction and context to the workshop. The nature of the introduction given will vary dependent on the experience and knowledge of the participants (for example, the background provided during the first risk profile exercise may be different from subsequent revisions). Potential material to cover during an introduction includes the following information:

  • The objectives of the exercise – i.e. to identify and assess risks and controls that may prevent the Business Unit from achieving its objectives, and that may need to be budgeted for.
  • Purpose of performing the exercise – i.e. to help Council and University management have a consistent understanding of the key risks the University faces.
  • An introduction to risk – i.e. definition, categories, differentiation between cause, risk and consequence, difference between inherent and residual risk.
  • A walkthrough of an example – i.e. how the risk profiling process fits together.

It is also useful to provide hard copy handouts of the impact definitions, risk matrix and control effectiveness criteria to provide a reference for the business during risk assessment activity. These are available from the Risk Manager or can be downloaded from the University’s website under Risk Management.

3.2. Risk Identification

If the template has been pre-populated prior to the workshop then the risks can be discussed in the order they appear on the template and any additions, changes or deletions can be covered.

If the workshop is being run from a ‘blank’ template, then the facilitator should ensure all risks are identified first, documented and then considered in turn to: assess them inherently (impact and likelihood), identify controls and score the risks residually.

Helpful hints for facilitating the identification of risks

The guidance below is useful to consider when facilitating the identification of risks:

  • The risk profiling exercise should consider plausible key risks to the business unit, i.e. over the next 12 months what risks could conceivably occur to prevent the business unit from achieving its objectives, or what are the risks associated with important processes in the department/service unit. If the business unit identifies risks that are not plausible these should be challenged. It is important not to waste time on risks that don’t/won’t matter.
  • It is important to differentiate between causes, risk events and consequences. In some instances it may be difficult to identify whether a ‘risk’ is a cause or consequence. The following may provide helpful guidance:

A cause could occur but an operational loss may not necessarily follow; for example ‘power failure’, ‘staff workload’, ‘manual processes’ or ‘human error’ in their own right may not have an impact, e.g. you could be reliant on manual processes but it is only if they go wrong that a loss may be incurred. On the other hand, a risk event usually has a defined impact, e.g. financial loss etc.

A risk event is something with a defined outcome or impact e.g. systems failure, late or incorrect payments etc. Dependent on the division/ unit these may or may not be relevant key risks and the impact and likelihood of these will be different.

A consequence is the impact that occurs as a result of a risk event occurring e.g. regulatory fines, customer service, reputational impact, cost of rectification etc.

The following diagram provides an illustrative example. There may be additional causes and consequences of the risk event. Causes and consequences should be specific to the business undertaking the risk profile.

  • Participants may also identify control failures as a risk. The facilitator can question the participants to help identify the underlying risk which the control mitigates. For example, ‘lack of Business Continuity Plan (BCP)’: the risk event could be ‘Business Interruption’, one of the controls being a BCP which may not be effective.
  • It is important to ensure that the risk is appropriately defined to ensure there is common understanding of the risk across the University. The facilitator should ensure that sufficient details are captured in order that the risk event is fully defined. This not only helps the Risk Manager identify common and potentially serious institutional risks but it also means that subsequent risk profiling exercises will be easier.

For example, with the risk of systems failure: what systems are being considered, what is the nature of the failure (5 minutes vs. 2 weeks), etc.? Defining the risk makes the assessment process easier to measure, monitor and control.

  • Consideration should be given to whether certain risks can be consolidated on the risk profile. In deciding whether there is the potential to consolidate risks that appear to identify the same risk, consider:

Would the impacts be the same for the different risks identified?

Are the controls in place for each risk the same?

If the answer to both of the above points is yes, then there may be good grounds to consolidate the risks.

3.3. Control Identification

A control is a process the University uses to minimise either the likelihood or impact of a risk event occurring. When considering the controls for the purpose of the risk profiling exercise, the following may prove useful:

  • Only the main or key controls should be documented.
  • Controls should be ‘tangible’, i.e. ‘management oversight’ is not a tangible control, whereas ‘monthly exception reporting provided to management’ is. A tangible control could be thought of as something that could be tested by an independent party, i.e. review evidence of how it is designed and is performed.
  • When identifying and documenting the controls, a control can be assigned to more than one risk as appropriate.
  • Internal and external audits should not be captured as a control on the template. Although these mechanisms provide a degree of assurance over the process, they are not ‘close’ enough to the underlying risk event.

It may help the discussion to outline the four main types of controls the business could have in place to mitigate the identified risks:

  • Preventative Controls – Controls in place to prevent or stop a risk event from occurring, e.g. system security, automatic system shutdowns, regular maintenance alarms, etc. (these controls mitigate the ‘likelihood’ of the risk occurring).
  • Detective Controls – Controls in place to identify that an event has occurred, e.g. management reporting, quality reviews, etc.
  • Recovery Controls – Controls in place to help the University/department/service unit recover after an event has occurred, e.g. data backups, insurance coverage, etc. (these controls mitigate the ‘impact’ should these risks occur).
  • Administrative Controls – Controls in place that provide passive guidance, e.g. policies, procedures, training, warning signs, etc.

Of these four types, the ‘Administrative’ controls are not considered to be key controls due to their passive nature. It is however possible to have any of the other three types of controls based on an administrative control where there is active monitoring and action taken by people with clear responsibilities.