Risk Management Procedure

Introduction

1.  The following sections provide guidance to Faculties, Divisions, SIDs and Departments on the procedure for identifying, managing, controlling and reviewing their risks and the production of risk registers using a standard format and terminology that allows alignment of Faculty, SID and Departmental risks using a common format.  This also provides for the escalation of risks to the appropriate level.

The Risk Management Cycle

2. The four fundamental steps of the risk management cycle are:

  • Step 1: Risk Identification
  • Step 2: Risk Measurement
  • Step 3: Risk Mitigation
  • Step 4: Review & Monitoring

Step 1: Risk Identification

3.  Senior managers are generally well aware of the opportunities and threats faced by their organisation.  However, these are not always recognised or understood by others in the organisation.  Consequently, the actions required to realise the opportunities and minimise the threats may not be implemented and monitored to best effect.  Additionally, there may be others within the organisation who are aware of further opportunities or threats but are unsure how, or unable, to raise them at an appropriate level.

4. After a decade of risk management at Imperial College the consistent feedback from departments is that openly sharing and discussing the known opportunities and threats at management meetings adds value by: 

  • Identifying or clarifying opportunities and/or threats
  • Clarifying generally known opportunities or threats such that ownership and control of the risk is clear.

5. Discussion of opportunities and threats during management meetings:

  • Socialises the issues and gains buy-in from colleagues affected
  • Gains agreement of the appropriate actions to address the issues to maximise the opportunities and minimise the threats. 
  • Identifies who should undertake those actions and by when
  • Allows monitoring of progress to mitigate the risk

6. It can thus be seen that the identification and mitigation of opportunities and threats is a normal management activity conducted both by individual managers and in conjunction with others during management meetings.  The explicit identification of those opportunities and threats allows them to be quantified and the efficacy of measures taken to manage them assessed.  During the planning round Departments naturally consider their strategic objectives and the resources and measures necessary to achieve them.  This is the essence of risk management and it is thus appropriate that risk registers are updated in conjunction with the planning round process.

Risk description

7. In describing risks, care should be taken to avoid simply stating the converse of the objectives, or identifying impacts that might arise as a result of the risk. A statement of risk should ideally encompass the cause of the impact and the impact on the objective. Please see the simple examples below and consider whether or not each is a risk.

Example

Objective: to travel by train from A to B and arrive for a meeting at a specified time.

Event: Failure to get from A to B on time for the meeting
Outcome: Not a risk statement: simply the converse of the objective

Event: Being late and missing the meeting
Outcome: A statement of the impact of the risk, not a risk itself

Event: There is no buffet on the train
Outcome: This has no impact on the achievement of the objective

Event: Missing the train causes me to be late and miss the meeting
Outcome: This is a risk that can be controlled by putting in place mitigation to reduce the likelihood and/or the impact of the risk to a point where it is accepted or tolerated - As Low as Reasonably Practicable (ALARP)

Event: Severe weather prevents the train from running and getting you to the meeting on time
Outcome: This is a risk that cannot be controlled, but a contingency plan can be developed

8. Risks should be identified at a level where a specific impact can be identified and actions to address the risk can be determined. Once identified, risks should be assigned to an owner who is the person with the accountability and authority to be best placed to manage the risk and has responsibility for ensuring that the risk is properly managed and monitored.

9. The most effective means of identifying risks (both opportunities and threats) is to hold an open discussion with colleagues. This is best done in groups of a manageable size by department, section, business area or system and should typically consider the threats and opportunities associated with the Department/Group’s objectives.

10. Each activity performed (e.g. management process, research objective, experimental procedure) should be considered and the risks identified. Consideration in the following contexts may be helpful:

  • Consider against College Risk Register and College Strategic Objectives
  • Consider whether Faculty/Division/Department has responsibility for component parts of College/Faculty risks
  • Opportunities and threats to achievement of Faculty/SID/Department objectives
  • Open discussion of departmental/group opportunities and threats with colleagues
  • Examination of trends
  • Analysis of last year’s problems/issues
  • Awareness of new initiatives, agendas and regulations
  • The impact of change of operating environment or processes
  • Areas of Shared Risk (e.g. Joint ventures, supply chain, service providers)

The list below gives examples of categories in which it may be helpful to consider risk:

  • Research
  • Education
  • Translation
  • Resources
  • Organisation
  • Influence
  • Governance
  • Management
  • Partnerships
  • Academic
  • Reputation
  • Strategic
  • Support
  • Student
  • Commercial
  • Finance
  • Facilities
  • Teaching
  • Legal
  • Health & Safety
  • Human Resources
  • ICT

11. Each major risk identified should be recorded in Empirical.

Step 2: Risk Measurement

12. The principles below apply to both opportunities and threats but the controls for an opportunity risk will be targeted at maximising the impact and increasing the likelihood that the opportunity is realised, whereas controls for a threat risk will be targeted at minimising the impact and reducing the likelihood that it is realised.

13. Open consideration of opportunities and threats has the potential to highlight a large number of risks of differing importance. As a result, it is necessary to score the risks in terms of Impact on the owning organisation, should the opportunity or threat be realised, and the Likelihood of the risk being realised. This enables the relative importance of each risk to be assessed and ranked.

14. It is important that the output of the risk assessment exercise is recorded in the College’s risk management tool, Empirical.

15. This allows a consistency of approach and definition that enables information to be gathered from any level of the College using common definitions and understanding.

16. It is probable that the uncontrolled (raw) risk will already have been mitigated, thus what is being assessed and recorded is the residual risk with some current controls already in place, and these controls should be recorded in Empirical.

17. After consideration of the effectiveness of the current controls, risks should be Evaluated on a 10 by 10 matrix in terms of:

  1. The impact if the risk came about – what would be the consequence if the risk occurred?  The benefit or loss of the potential impact of the risk.
  2. The likelihood (probability) of the risk occurring.

18. Truly objective assessment of risks is almost impossible and, although the tables below provide guidance, it is inevitable that assessment of the severity and likelihood is, in practice, subjective.  However, experience demonstrates that, with open discussion, over time there is a high degree of convergence and consistency of scoring. Remember, the objective of the score is to identify the most significant risks and assess the direction of travel (is the desired outcome improving or worsening) over time.  It is probably not helpful or value adding to be overly concerned as to whether the score is absolutely correct.

Assessment Criteria

19. The following tables propose criteria for assessing an appropriate score for an opportunity or threat.  The Objective Assessment Criteria provide guidance on the criteria for assessing risk.  There may be one or more impacts and the tables suggest possible criteria; it is only necessary for any one of the criteria at a particular level to be met.  In order to provide greater flexibility the 5 levels of impact are further subdivided.

Criteria for assessing Impact

Impact 10-9: Critical
  Opportunity criteria: Extremely favourable impact on College/Faculty/Department/SID aims, objectives and overall performance. Significant increase in income and/or reputation and/or reduction in cost. Substantial improvement in organisational resilience. Financial gain >40% of College/Faculty/Department/SID annual budget. Secures the opening/commencement of an academic department/major research project.
  Threat criteria: Extremely unfavourable impact on the achievement of College/Faculty/Department/SID aims, objectives and overall performance. Service is seriously affected and/or major loss of income and/or reputation or high increase in costs. Very difficult and long term to rectify. Potential to call into question the long term viability of the activity. Financial loss >40% of College/Faculty/Department/SID annual budget. Closure of an academic department/major research project.

Impact 8-7: Major
  Opportunity criteria: Major positive impact on costs, income and certain key organisational objectives. Affects a significant part of the organisation. Substantial positive impact on output, levels of service and external relationships. Medium to long term positive effect on reputation and expensive to recover. Financial gain 26-40% of College/Faculty/Department/Division annual budget. Employment of an additional number of high quality staff.
  Threat criteria: Major negative impact on costs, income and certain key organisational objectives. Affects a significant part of the organisation. Substantial negative impact on output, levels of service and external relationships. Medium to long term negative effect on reputation and expensive to recover. Financial loss 26-40% of College/Faculty/Department/Division annual budget. Loss of a number of high profile staff.

Impact 6-5: Serious
  Opportunity criteria: Significant improvement to use of resources and beneficial impact to operational efficiency, output, quality and goals in more than one work area. External contacts beneficially affected and reputation enhanced. Financial gain 16-25% of College/Faculty/Department/Division annual budget. Employment of a high profile member of staff/research group.
  Threat criteria: Significant waste of resources and adverse impact on operational efficiency, output, quality and goals in more than one work area. External contacts may be adversely affected and reputation damaged. Medium term effect and may be expensive to recover. Financial loss 16-25% of College/Faculty/Department/Division annual budget. Loss of a high profile member of staff/research group.

Impact 4-3: Moderate
  Opportunity criteria: Medium beneficial impact on output, efficiency, finance or assets, some local improvement to reputation. Short to medium term effect. Financial gain 6-15% of College/Faculty/Department/Division annual budget.
  Threat criteria: Medium adverse impact on output, time lost, finance or assets, some local damage to reputation. Short to medium term effect. Financial loss 6-15% of College/Faculty/Department/Division annual budget.

Impact 2-1: Minor
  Opportunity criteria: Minimal financial or other gain or improvement to efficiency. Some minor enhancement. Little or no damage to the College or department reputation. Financial gain <5% of College/Faculty/Department/Division annual budget.
  Threat criteria: Minimal financial or other loss, delay, interruption or inconvenience. Little or no damage to the College or department reputation. Can be easily and quickly put right. Financial loss <5% of College/Faculty/Department/Division annual budget.

Criteria for assessing Likelihood

  10  Certain: 90% and above
  9   Almost certain: 80-89%
  8   Very probable: 70-79%
  7   Probable: 60-69%
  6   Highly likely: 50-59%
  5   Very likely: 40-49%
  4   Likely: 30-39%
  3   Possible: 20-29%
  2   Unlikely: 10-19%
  1   Rare: 0-9%

20. Empirical will plot all risks on the matrix below and determine whether the risk is Red, Amber or Green.

Level of Risk

Opportunity Risk score ranges: Green = 64 and above; Amber = 26 to 63; Red = 0 to 25

Threat Risk score ranges: Green = 0 to 25; Amber = 26 to 63; Red = 64 and above

21. Only Major risks need to be documented on the risk register. Major is defined as any Red or Amber Risk or any Green risk with an impact or likelihood score of 7 or above as this implies that either rigorous controls are required to manage the likelihood of a significant impact or there is an expectation of a significant number of minor events.

22. Risks then need to be addressed depending on:

  1. Red: Risks falling in this area must be managed as a matter of priority and should be reviewed monthly
  2. Amber: Seek to manage in the medium term and monitor bimonthly
  3. Green: Live with, but should still be reviewed biannually

These timescales apply unless something happens or changes that may affect the risk or its controls or if the risk is realised, in which case the situation needs review.
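The scoring rules in paragraphs 20-22 and the tolerance test in paragraphs 28-30 can be written down as a small checker. This is an added example, not part of the procedure or of Empirical; it assumes the matrix score is impact multiplied by likelihood (the page gives the 0-25 / 26-63 / 64+ bands but does not state the arithmetic) and uses the paragraph 28 figures (64 for opportunities, 25 for threats) as the default tolerance when no per-risk value is set.

```python
"""Checker for the 10 x 10 risk matrix described in this procedure (added example).

Assumption, not stated on the page: matrix score = impact x likelihood, which is
what makes the published bands (0-25, 26-63, 64 and above) fall out of a 10 x 10 grid.
"""
from dataclasses import dataclass
from typing import Optional

# "Criteria for assessing Likelihood": (lower bound of the percentage band, score).
LIKELIHOOD_BANDS = [(90, 10), (80, 9), (70, 8), (60, 7), (50, 6),
                    (40, 5), (30, 4), (20, 3), (10, 2), (0, 1)]

# Paragraph 22: review cadence per RAG band.
REVIEW_CADENCE = {"Red": "monthly", "Amber": "bimonthly", "Green": "biannually"}


def likelihood_score(probability_pct: float) -> int:
    """Map an estimated probability (0-100 %) onto the 1-10 likelihood scale."""
    if not 0 <= probability_pct <= 100:
        raise ValueError("probability must be a percentage between 0 and 100")
    for lower, score in LIKELIHOOD_BANDS:
        if probability_pct >= lower:
            return score
    return 1  # unreachable: the 0 % band catches everything else


def matrix_score(impact: int, likelihood: int) -> int:
    """Position on the 10 x 10 matrix (assumed to be the product of the two scores)."""
    for value in (impact, likelihood):
        if not 1 <= value <= 10:
            raise ValueError("impact and likelihood must be integers from 1 to 10")
    return impact * likelihood


def rag(kind: str, score: int) -> str:
    """Red/Amber/Green band (paragraph 20); the colours run the opposite way for opportunities."""
    if kind == "threat":
        return "Green" if score <= 25 else "Amber" if score <= 63 else "Red"
    if kind == "opportunity":
        return "Red" if score <= 25 else "Amber" if score <= 63 else "Green"
    raise ValueError("kind must be 'threat' or 'opportunity'")


@dataclass
class RiskAssessment:
    kind: str                      # "threat" or "opportunity"
    impact: int                    # 1-10, from the impact criteria table
    likelihood: int                # 1-10, from the likelihood criteria table
    tolerance: Optional[int] = None  # per-risk tolerance; None -> paragraph 28 guide figures

    @property
    def score(self) -> int:
        return matrix_score(self.impact, self.likelihood)

    @property
    def band(self) -> str:
        return rag(self.kind, self.score)

    @property
    def is_major(self) -> bool:
        """Paragraph 21: must be on the register if Red, Amber, or Green with a 7+ component."""
        return self.band != "Green" or max(self.impact, self.likelihood) >= 7

    @property
    def review_cadence(self) -> str:
        return REVIEW_CADENCE[self.band]

    @property
    def needs_treatment(self) -> bool:
        """Paragraphs 29-30: opportunities below tolerance and threats above it need further controls."""
        if self.kind == "opportunity":
            tolerance = 64 if self.tolerance is None else self.tolerance
            return self.score < tolerance
        tolerance = 25 if self.tolerance is None else self.tolerance
        return self.score > tolerance
```

A Green threat scored 7 x 3 = 21 is still flagged as Major because of its impact score, which is the paragraph 21 case the RAG colour alone would miss.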

Step 3: Risk Mitigation

Inherent Risk, Residual Risk

23. Inherent risk is the exposure arising from a specific risk before action has been taken to control (manage) it, whereas residual risk is the exposure arising from an individual risk after action has been taken to reduce it to an acceptable level. For all practical purposes, risks identified on risk registers are considered to be residual risks, where some initial controls are already in place.  In some circumstances these initial controls may be considered insufficient, in which case further controls will be required.

Risk Tolerance

24.  Unless terminated (we cease doing it!) it is not normally practicable to completely mitigate a risk.  It is normal that there is some possibility that a threat risk will come about or an opportunity risk will not be realised; the purpose of risk management is to reduce the consequence and/or likelihood of this occurring to an acceptable level. This ‘acceptable level’ is the level at which the risk is tolerated.

25. Our tolerance or acceptance of risks (also referred to as our risk appetite) is an important concept. It is not a blanket assessment but varies from risk to risk and between organisational entities.  It is defined as the amount of risk an organisation is prepared to tolerate or be exposed to, should the risk or risks be realised. Too great a risk appetite can jeopardise a project, activity or in extreme cases the organisational entity whilst too little could result in the organisation stagnating as opportunities are not realised.

26. When considering opportunities, we need to consider how much resource we are prepared to expend to obtain the benefits of the opportunity.  In considering threats we need to consider what appropriate mitigation should be in place to reduce the impact and/or the likelihood of the threat being realised.  This aids identification of our level of tolerance for each risk and it is helpful to attribute a score to this.  Opportunity risks below tolerance and threat risks above tolerance require further mitigation to move the risk to an acceptable level.

27. In considering an acceptable level of tolerance, risk owners should take account of the guidance provided in documents such as College financial regulations, procurement guidelines, health and safety regulations and by our ethical standards and policies as well as proportionality and value for money.

28. As discussed in Paragraphs 24-27 above, the tolerance for each risk will vary, but as a general guide it is for consideration that opportunity risks might be tolerated at a score of above 64 and threat risks at a score below 25; risk owners should vary these scores to take account of the actual circumstances pertaining.  For example, some opportunity or threat risks may be largely beyond their ability to directly control (e.g. a change to government policy), resulting in a high tolerance score.

29. If an opportunity risk is scored at or above tolerance or a threat risk at or below tolerance then the controls currently in place are sufficient to manage the risk (i.e. actions already in place).

30. Opportunity risks assessed as being below tolerance or threat risks assessed as being above tolerance will need to be ‘Treated’ with further control measures to mitigate the risk. These should be recorded in Empirical and an action owner and timescale assigned to ensure the controls are implemented.  In order to ensure that action owners are aware of their responsibilities, Empirical will require the action owner to accept that they own the action.

Basic strategies

31. Treating or Controlling the Risk: It is usually possible to control a risk to an acceptable level and this is achieved by building control mechanisms into operational activities. Whichever strategy is adopted it is important that the controls are proportionate and cost effective. Where the decision is taken to mitigate a risk by introducing control measures it is also important that the operation is not impeded by over controlling in an attempt to completely eliminate a threat risk or realise an opportunity.

32. Transferring or Sharing the Risk: Some risks can be transferred to another body or organisation, e.g. insurance, contractual arrangements, outsourcing, partnerships etc.  Realistically, transferring all of a risk is extremely difficult to achieve effectively and is often confused with action ownership (where the risk is owned by entity A, who feels the pain if the risk comes about, but action to mitigate or control the risk lies with entity B).  If the risk is Transferred then care needs to be taken that the risk is actually transferred.  However, some risks (e.g. reputation) cannot be transferred.  It is important that how, and to whom, the risk has been transferred (e.g. insurance) is recorded.

33. Tolerating or Accepting the Risk: It is rarely possible or economically desirable to remove all risks entirely and, unless Terminated, all risks will eventually be accepted at some level.  In addition, there are some risks over which we have little or no control and some for which any management actions would be prohibitive in terms of resource; yet for valid reasons we will continue with the activity. The important point is that these risks are identified, clearly understood and monitored.  This option is frequently accompanied by a contingency plan for dealing with the impact that will arise if the risk is realised.

34. Terminating or Avoiding the Risk: Although unusual, it may be that a particular risk cannot be adequately controlled or transferred and the consequence or likelihood of such a risk being realised is such that it cannot be accepted. In this case the only course of action may be to eliminate the risk by ending all or part of a particular activity.  In some instances this may involve temporary suspension of an activity until the likelihood and/or impact of the risk has reduced for external reasons.

Risk Owners

35. Every risk must have a nominated owner who is the person with the accountability and authority to be best placed to manage the risk. See RM Management Responsibilities: Risk Owner.

Step 4: Review and Monitoring

36. Although the procedures and principles of both the College and Faculty/Department risk registers are similar, their tempo varies due to their differing drivers.  In the case of the College risk register the primary driver is to assure College Council, for the annual report of accounts, that the College is identifying and managing all material risks; whereas in the case of Faculties and Departments it is more appropriate that the risk register is updated in conjunction with the planning round, when departments are naturally considering the opportunities and threats they face.

College Risk Register

37. As identified in the paragraph above, the College risk register requires updating prior to the annual report of accounts. Thus the College risk register needs to be updated for consideration by the Risk Committee in October.

Review Process:

38. The review process commences in August with a Horizon Scanning meeting chaired by the College Secretary.  The meeting discusses any opportunities or threats that may have emerged since the last review and considers whether the previous risks are still appropriate.  The meeting also reviews whether the risk owners remain appropriate and whether the controls should be updated.

39. From this meeting a revised draft risk register is developed and reviewed by the President’s Executive Group, during September, who will also discuss each risk with the risk owners articulating their view as to whether the severity of the risk is improving or worsening, and whether the mitigations are sufficient. The outcome of this is then reviewed by the President’s Board and reported to the Risk Committee in October.

40. The revised College risk register will then be distributed to Heads of Department.

41. The College risk register will also be reviewed by the President’s Executive Group and President’s Board in February/March each year.

Risk Review Process College


Faculty/Department/SID Risk Registers

42. The value added by risk management has several dimensions. 

  • Firstly, the open discussion of opportunities and threats and the controls required to best manage those enables wider understanding, ownership and management of these issues.  This is most effectively achieved by discussion during normal department meetings. 
  • Secondly, the clear articulation of the opportunities and threats faced by the department and the controls required to manage those opportunities and threats allows easy and consistent delivery of these in a broad range of scenarios from say, visits by President, Provost or Faculty Dean to the role played by individual members of the department in contributing to departmental goals.
  • Thirdly, analysis of opportunities and threats, by the risk management department, allows identification of common themes and potential systemic issues, which can then be appropriately addressed.
  • Finally, the sharing of that information broadens the knowledge of the College as a whole and facilitates improved management of similar issues.

43. Department risk registers are not merely operational subordinates of the College risk register but are considerations of the strategic opportunities and threats at department level.  However, these may be informed by the College risk register, which should be considered early during a department’s consideration of opportunities and threats.

44. During the planning round process departments naturally consider their strategic opportunities and threats and it is thus appropriate that departments update their risk register in conjunction with the planning round process.  In order to identify common, systemic and emerging risks, Risk Management will extract all risks from Empirical six weeks after completion of the planning round for analysis and provide this to senior management three weeks later.

45. As some risks are dynamic and warrant updating more frequently than annually, the above process is repeated in November for analysis early in the New Year.

Department Risk Review Process

  • Stage 1: The review process starts with the planning round when strategic objectives, opportunities and threats are reviewed and priorities set. Each Faculty, Department and Division should discuss their opportunities and threats during a department management meeting and then update their risk registers in Empirical. It would be expected that Department/Divisional risk registers are informed by Faculty and College risk registers.
  • Stage 2: All the updated risk registers in Empirical are then analysed by the Risk Manager, with particular emphasis on emerging and / or systemic risks, and the analysis shared as appropriate.
  • Stage 3: As some risks are dynamic and warrant updating more frequently than annually, the above process is repeated in November for analysis early in the new year.
  • Stage 4: The updated risk registers are again analysed by the Risk Manager and the analysis shared as appropriate.

Risk Review Process Faculty and SIDs


The wider application of risk management

46. The College like many organisations has a number of interdependencies with other organisations and the risks associated with these relationships must be considered when completing a risk assessment. The College must adopt a consistent approach to identifying risks within its key partnerships. This includes identifying risks from the perspective of the College when entering into a partnership and from the perspective of all partners once the partnership is set up.

47. The College is committed to identifying and managing the risks within its key partnerships (in line with its approach for all new schemes, investments and projects). The College's Project Management Procedures require that risk registers should also be maintained for all major projects.

Empirical

48. The College has developed a management tool, Empirical, to assist departments to identify and manage their risks.  This also allows the Risk Management Department to analyse all risks entered in Empirical, provide guidance on common or systemic risks and identify emerging risks.


49. The development and utility of Empirical is governed by the Empirical User and Development Group, the Terms of Reference for which are at Annex A (below).


© Copyright 2016 Imperial College London
Last Review September 2016

Annex A

EMPIRICAL USER DEVELOPMENT GROUP (EDUG)

TERMS OF REFERENCE

  1. To review the implementation and give strategic direction to the development of the College’s Empirical Management System and associated documentation.
  2. To keep under review the Empirical system architecture, change requests, testing and deployment.
  3. To act as a focus for and co-ordinate responses to development issues.
  4. To act as an interchange of information, ideas and best practice relating to Empirical and its use.
  5. To keep its own terms of reference and constitution and those of its subordinate committees under review.

Constitution

Chairman

The Director of Risk Management

Membership

A minimum of two senior Empirical users from:

  • Each of the Faculties
  • Support Services
  • Academic Services

A senior member of staff from:

  • ICT Systems Development

Other advisors may be invited to attend on an ad hoc basis.

Secretary:

The Risk Manager

Reporting

6. The Empirical Development & User Group is responsible to the Risk and Business Continuity Steering group, via the Director of Risk Management.

Meetings

7. The Committee shall meet not less than twice a year.

Quorum

8. The quorum shall be the Chairman and three other members.