Risk Management System Guidance Pack

Guidance Pack November 2011 Edition

A step-by-step guide to risk assessment.

This information set will assist you in making a risk assessment. An Introduction to Risk Management PowerPoint presentation is also available to support briefings within your school or department.

  1. The Step by Step Method
  2. Appendix A - The Risk Assessment Template
  3. Appendix B - Drawing up Working Data
  4. Appendix C - Guidelines for determining potential severity of risk being realised
  5. Appendix D - Guidelines for determining likelihood of risk being realised
  6. Appendix E - The Residual Risk Matrix
  7. Appendix F - List of Risk Managers and the management levels to which risk is reported
  8. Appendix G - The Risk Appetite Policy and Procedure

Purpose

Risk management is an essential and integral part of effective management and should be undertaken in relation to any significant activity. It is an essential part of project management. The following method is suitable for the identification and management of significant risks. A standard Risk Register template (Appendix A) has been developed and includes a colour coding system. This template should be used to ensure consistency across the University. The Risk Register Template (Appendix A) should be completed using the following guidelines:

(i) Identify the risk elements. The test of a satisfactorily defined statement of a risk element is that it should be clear how failure to achieve the objective will impact on the University.

Example: There is a risk that the planned new teaching facility will not be completed on time which will mean that the School cannot recruit to the new programme. This would lead to a loss of £300 K income and would also have an adverse effect on the University's reputation.

You may wish to categorise or group the individual risk elements using the HEFCE identified headings of: Reputation, Student Experience, Human Resource, Estates & Facilities, Financial, Commercial, Information and IT, Organisational.

(ii) Identify the controls that are in place and that you plan to put into place: Having identified the risk element, it is necessary to consider the controls which would mitigate the impact and likelihood of the risk being realised. It is essential to distinguish the controls that are already in place from the actions which you plan to put into place. The assessment of residual risk in steps (iii) and (iv) must only be based upon the controls that are in place. The template also enables you to record relevant developments which may impact on the residual assessment of risk. Where appropriate, dates for implementation should be recorded in brackets to clearly distinguish between controls already implemented and actions planned.

(iii) Assess the residual severity and likelihood of risk: Having regard for the controls which are already in place, assess the residual severity of the risk (Appendix C) and the likelihood that the risk will happen (Appendix D). It may be helpful to complete the working data sheet (Appendix B) to record the reasoning behind the assessment of residual severity and likelihood of risk.

(iv) Assess the Residual Risk: Use the Residual Risk Matrix to identify the residual risk for this risk element (Appendix E). This is the rating which should be reported to the Risk Manager within the faculty or department (Appendix F). Having assessed the residual risk, it is advisable to check risk elements against the Risk Appetite Matrix (Appendix G). If the risk element plots as unacceptable or borderline unacceptable, senior managers should give consideration as to whether the project or activity should continue. Again, it may be helpful to use Appendix B to record the reasoning behind the assessment of residual risk.

(v) Risk management and ownership: Identify the member of staff who will have responsibility for managing the risk. Risks are normally managed and owned by one department. However, if the risk is regarded as a corporate risk, the risk may be owned by the Corporate Management Team or the Executive but managed by a named department. Risks can also be transferred by agreement between departments but this is rare.

(vi) Authorisation: The Risk Register should be formally authorised and dated.

RISK MONITORING: All acceptable risk elements should be monitored at regular intervals (normally in the range of one to four months) to ensure that the risk is being managed and remains acceptable. Revised text and any new text added to a Risk Register should be underlined to highlight the new information.

Where applicable, updates to the Risk Register should indicate direction of movement in residual risk, e.g. rising / steady / reducing (or by the use of arrows).

It is also acceptable (but not compulsory) to use descriptive gradations within categories of residual risk if it is felt this would be helpful (e.g. lower end / middle of / upper end of moderate).

All risks must be formally recorded as realised / not realised (see colour coding) before being removed from the Risk Register.

© Copyright University of Derby 2013