Risk Management Procedure
1. The following sections provide guidance to Faculties, Divisions, SIDs and Departments on the procedure for identifying, managing, controlling and reviewing their risks and the production of risk registers using a standard format and terminology that allows alignment of Faculty, SID and Departmental risks using a common format. This also provides for the escalation of risks to the appropriate level.
The Risk Management Cycle
2. The four fundamental steps of the risk management cycle are:
Step 1: Risk Identification
3. Senior managers are generally well aware of the opportunities and threats faced by their organisation. However, these are not always recognised or understood by others in the organisation. Consequently, the actions required to realise the opportunities and minimise the threats may not be implemented and monitored to best effect. Additionally, there may be others within the organisation that may be aware of other opportunities or threats but are unsure or unable to raise them to an appropriate level.
4. After a decade of risk management at Imperial College the consistent feedback from departments is that openly sharing and discussing the known opportunities and threats at management meetings adds value by:
5. Discussion of opportunities and threats during management meetings:
6. It can thus be seen that the identification and mitigation of opportunities and threats is a normal management activity conducted both by individual managers and in conjunction with others during management meetings. The explicit identification of those opportunities and threats allows them to be quantified and the efficacy of measures taken to manage them assessed. During the planning round Departments naturally consider their strategic objectives and the resources and measures necessary to achieve them. This is the essence of risk management and it is thus appropriate that risk registers are updated in conjunction with the planning round process.
Objective: to travel by train from A to B and arrive for a meeting at a specified time.
8. Risks should be identified at a level where a specific impact can be identified and actions to address the risk can be determined. Once identified, risks should be assigned to an owner who is the person with the accountability and authority to be best placed to manage the risk and has responsibility for ensuring that the risk is properly managed and monitored.
9. The most effective means of identifying risks (both opportunities and threats) is to hold an open discussion with colleagues. This is best done in groups of a manageable size by department, section, business area or system and should typically consider the threats and opportunities associated with the Department/Group’s objectives.
10. Each activity performed (e.g. management process, research objective, experimental procedure) should be considered and the risks identified. Consideration in the following contexts may be helpful:
The table below gives examples of categories in which it may be helpful to consider risk.
11. Each major risk identified should be recorded in Empirical
Step 2: Risk Measurement
12. The principles below apply to both opportunities and threats but the controls for an opportunity risk will be targeted at maximising the impact and increasing the likelihood that the opportunity is realised, whereas controls for a threat risk will be targeted at minimising the impact and reducing the likelihood that it is realised.
13. Open consideration of opportunities and threats has the potential to highlight a large number of risks of differing importance. As a result, it is necessary to score the risks in terms of Impact on the owning organisation, should the opportunity or threat be realised, and the Likelihood of the risk being realised. This enables the relative importance of each risk to be assessed and ranked.
14. It is important that the output of the risk assessment exercise is recorded in the College’s risk management tool Empirical
15. This allows a consistency of approach and definition that enables information to be gathered from any level of the College using common definitions and understanding.
16. It is probable that the uncontrolled (raw) risk will already have been mitigated, thus what is being assessed and recorded is the residual risk with some current controls already in place, and these controls should be recorded in Empirical
17. After consideration of the effectiveness of the current controls, risks should be Evaluated,
18. Truly objective assessment of risks is almost impossible and, although the tables below provide guidance, it is inevitable that assessment of the severity and likelihood is, in practice, subjective. However, experience demonstrates that, with open discussion, over time there is a high degree of convergence and consistency of scoring. Remember, the objective of the score is to identify the most significant risks and assess the direction of travel (is the desired outcome improving or worsening) over time. It is probably not helpful or value adding to be overly concerned as to whether the score is absolutely correct.
19. The following tables propose criteria for assessing an appropriate score for an opportunity or threat. The Objective Assessment Criteria provide guidance on the criteria for assessing risk. There may be one or more impacts and the tables suggest possible criteria; it is only necessary for any one of the criteria at a particular level to be met. In order to provide greater flexibility the 5 levels of impact are further subdivided.
Criteria for assessing Impact
20. Empirical will plot all risks on the matrix below and determine whether the risk is Red, Amber or Green
Level of Risk
Score ranges: Green = 64 and above; Amber 26 to 63; Red 0 to 25
Score ranges: Green = 0 to 25; Amber - 26 to 63; Red = 64 and above
21. Only Major risks need to be documented on the risk register. Major is defined as any Red or Amber Risk or any Green risk with an impact or likelihood score of 7 or above as this implies that either rigorous controls are required to manage the likelihood of a significant impact or there is an expectation of a significant number of minor events.
22. Risks then need to be addressed depending on:1. Red: Risks falling in this area must be managed as a matter of priority and should be reviewed monthly
2. Amber: Seek to manage in the medium term and monitor Bimonthly
3. Green: Live with but should still be reviewed biannually
These timescales apply unless something happens or changes that may affect the risk or its controls or if the risk is realised, in which case the situation needs review.
Step 3: Risk Mitigation:
Inherent Risk, Residual Risk
23. Inherent risk is the exposure arising from a specific risk before action has been taken to control (manage) it. Whereas residual risk is the exposure arising from an individual risk after action has been taken to reduce it to an acceptable level. For all practical purposes Risks identified on risk registers are considered to be residual risks; where some initial controls are already in place. In some circumstances these initial controls may be considered insufficient, in which case further controls will be required.
24. Unless terminated (we cease doing it!) it is not normally practicable to completely mitigate a risk. It is normal that there is some possibility that a threat risk will come about or an opportunity risk will not be realised; the purpose of risk management is to reduce the consequence and/or likelihood of this occurring to an acceptable level. This ‘acceptable level’ is the level at which the risk is tolerated.25. Our tolerance or acceptance of risks (also referred to as our risk appetite) is an important concept. It is not a blanket assessment but varies from risk to risk and between organisational entities. It is defined as the amount of risk an organisation is prepared to tolerate or be exposed to, should the risk or risks be realised. Too great a risk appetite can jeopardise a project, activity or in extreme cases the organisational entity whilst too little could result in the organisation stagnating as opportunities are not realised.
26. When considering opportunities, we need to consider how much resource we are prepared to expend to obtain the benefits of the opportunity. In considering threats we need to consider what appropriate mitigation should be in place to reduce the impact and/or the likelihood of the threat being realised. This aids identification of our level of tolerance for each risk and it is helpful to attribute a score to this. Opportunity risks below tolerance and threat risks above tolerance require further mitigation to move the risk to an acceptable level.
27. In considering an acceptable level of tolerance, risk owners should take account of the guidance provided in documents such as College financial regulations, procurement guidelines, health and safety regulations and by our ethical standards and policies as well as proportionality and value for money.
28. As discussed in Paragraphs 24 -27 above the tolerance for each risk will vary but as a general guide it is for consideration that opportunity risks might be tolerated at a score of above 64 and threat risks at a score below 25 but risk owners should vary these scores to take account of the actual circumstances pertaining. For example it may be that some opportunity or threat risks are largely beyond their ability to directly control, (e.g. a change to government policy) resulting in a high tolerance score.
29. If an opportunity risk is scored at or above tolerance or a threat risk at or below tolerance then the controls currently in place are sufficient to manage the risk (i.e. actions already in place).
30. Opportunity risks assessed as being below tolerance or threat risks assessed as being above tolerance will need to be ‘Treated’ with further control measures to mitigate the risk. These should be recorded in Empirical and an action owner and timescale assigned to ensure the controls are implemented. In order to ensure that action owners are aware of their responsibilities, Empirical will require the action owner to accept that they own the action.
31. Treating or Controlling Risk It is usually possible to control a risk to an acceptable level and this is achieved by building control mechanisms into operational activities. Whichever strategy is adopted it is important that the controls are proportionate and cost effective. Where the decision is taken to mitigate a risk by introducing control measures it is also important that the operation is not impeded by over controlling in an attempt to completely eliminate a threat risk or realise an opportunity.
32. Transferring or sharing the Risk: Some risks can be transferred to another body or organisation e.g. insurance, contractual arrangements, outsourcing, partnerships etc. Realistically, transferring all of a risk is extremely difficult to achieve effectively and is often confused with action ownership (where the risk is owned by entity A (who feels the pain if the risk comes about) but action to mitigate or control the risk lies with entity B. If the risk is Transferred then care needs to be taken that the risk is actually transferred. However, some risks (e.g. reputation) cannot be transferred. It is important that how (to whom) the risk has been transferred. e.g. insurance, is recorded.
33. Tolerating or Accepting the Risk: It is rarely possible or economically desirable to remove all risks entirely and, unless Terminated, all risks will eventually be accepted at some level. In addition, there are some risks over which we have little or no control and some for which any management actions would be prohibitive in terms of resource; yet for valid reasons we will continue with the activity. The important point is that these risks are identified, clearly understood and monitored. This option is frequently accompanied by a contingency plan for dealing with the impact that will arise if the risk is realised.
34. Terminating or Avoiding the Risk: Although unusual, it may be that a particular risk cannot be adequately controlled or transferred and the consequence or likelihood of such a risk being realised is such that it cannot be accepted. In this case the only course of action may be to eliminate the risk by ending all or part of a particular activity. In some instances this may involve temporary suspension of an activity until the likelihood and/or impact of the risk has reduced for external reasons.
35. Every risk must have a nominated owner who is the person with the accountability and authority to be best placed to manage the risk. See RM Management Responsibilities: Risk Owner
Step 4: Review and Monitoring
36. Although the procedures and principles of both the College and Faculty/Department risk registers are similar their tempo varies due their differing drivers. In the case of the College risk register the primary driver is to assure College Council, for the annual report of accounts, that the College is identifying and managing all material risks; whereas in the case of Faculties and Departments it is more appropriate that the risk register is updated in conjunction with the planning round, when departments are naturally considering the opportunities and threats they face.
College Risk Register
37. As identified the paragraph above, the College risk register requires updating prior to the annual report of accounts. Thus the College risk register needs to be updated, for consideration by the Risk Committee in October.
38. The review process commences in August with a Horizon Scanning meeting chaired by the College Secretary. The meeting discusses any opportunities or threats that may have emerged since the last review and considers whether the previous risks are still appropriate. The meeting also reviews whether the risk owners remain appropriate and whether the controls should be updated.
39. From this meeting a revised draft risk register is developed and reviewed by the President’s Executive Group, during September, who will also discuss each risk with the risk owners articulating their view as to whether the severity of the risk is improving or worsening, and whether the mitigations are sufficient. The outcome of this is then reviewed by the President’s Board and reported to the Risk Committee in October.
40. The revised College risk register will then be distributed to Heads of Department.
41. The College risk resister will also be reviewed by the President’s Executive Group and President’s Board in February/March each year.
Faculty Department/SID Risk Registers
42. The value added by risk management has several dimensions.
43. Department risk registers are not merely operational subordinates of the College risk register but are considerations of the strategic opportunities and threats at department level. However, these may be informed by the College risk register which should be considered early during department’s consideration of opportunities and threats.
44. During the planning round process departments naturally consider their strategic opportunities and threats and it is thus appropriate that departments update their risk register in conjunction with the planning round process. In order to identify common, systemic and emerging risks, Risk Management will extract all risks from Empirical six weeks after completion of the planning round for analysis and provide this to senior management three weeks later.
45. As some risks are dynamic and warrant updating more frequently than annually, the above process is repeated in November for analysis early in the New Year.
Department Risk Review Process
- Stage 1: The review process starts with the planning round when strategic objectives, opportunities and threats are reviewed and priorities set. Each Faculty, Department and Division should discuss their opportunities and threats during a department management meeting and then update their risk registers in Empirical. It would be expected that Department/Divisional risk registers are informed by Faculty and College risk registers.
- Stage 2: All the updated risk registers in Empirical are then analysed by the Risk Manager, with particular emphasis on emerging and / or systemic risks, and the analysis shared as appropriate.
- Stage 3: As some risks are dynamic and warrant updating more frequently than annually, the above process is repeated in November for analysis early in the new year.
- Stage 4: The updated risk registers are again analysed by the Risk Manager and the analysis shared as appropriate.
The wider application of risk management
46. The College like many organisations has a number of interdependencies with other organisations and the risks associated with these relationships must be considered when completing a risk assessment. The College must adopt a consistent approach to identifying risks within its key partnerships. This includes identifying risks from the perspective of the College when entering into a partnership and from the perspective of all partners once the partnership is set up.
47. The College is committed to identifying and managing the risks within its key partnerships (in line with its approach for all new schemes, investments and projects). The College's Project Management Procedures require that risk registers should also be maintained for all major projects.
48. The College has developed a management tool, Empirical , to assist departments identify and manage their risks. This also allows the Risk management Department to analyse all risk entered in Empirical and provide guidance on common or systemic risks and identify emerging risks
49. The development and utility of Empirical is governed by the Empirical User and Development Group; Terms of reference for which are at Annex A (below).
© Copyright 2016 Imperial College London
Last Review September 2016
EMPIRICAL USER DEVELOPMENT GROUP (EDUG)
TERMS OF REFERENCE
- To review the implementation and give strategic direction to the development of the College’s Empirical Management System and associated documentation.
- To keep under review the Empirical system architecture, change requests, testing and deployment.
- To act as a focus for and co-ordinate responses to development issues.
- To act as an interchange of information, ideas and best practice relating to Empirical and its use.
- To keep its own terms of reference and constitution and those of its subordinate committees under review.
The Director of Risk Management
A minimum of two senior Empirical users from:
- Each of the Faculties
- Support Services
- Academic Services
A senior member of staff from:
- ICT Systems Development
Other advisors may be invited to attend on an ad hoc basis.
The Risk Manager
6. The Empirical Development & User Group is responsible to the Risk and Business Continuity Steering group, via the Director of Risk Management.
7. The Committee shall meet not less than twice times a year.
8. The quorum shall be the Chairman and three other members