
Risk Management

Sessions 4 and 5
Assessing Risk
Mitigation, Monitoring and Control
Sessions 4 & 5: Overview

• Risk Criteria
– Likelihood
– Impact
• Gross, Net and Target Risk
• Risk Treatment or Mitigation
• Monitoring Cycle
• Risk Incidents
Risk Management Framework
Identify
• Context Setting
• Stakeholders
• Risk Policy
• Sources of Risk
• Internal/External
• Risk Appetite
Assess
• Evaluation
• Likelihood
• Impact
• Gross (Inherent)
• Net (Residual)
• Target
Monitor and Report
• Risk Register
• Regular Reviews
• Key Risk Indicators
• Incident Management
• Audit
• Board
Mitigate
• Risk Treatment
– Avoid
– Transfer
– Control / Contain / Reduce
– Accept
Risk Criteria
• Risk criteria are terms of reference and are used to evaluate the
significance or importance of the University’s risks. They are
used to determine whether a specified level of risk is
acceptable or tolerable.
• Risk criteria should reflect your university’s values, policies, and
objectives, should be based on its external and internal context,
should consider the views of stakeholders, and should be
derived from standards, laws, policies, and other requirements.
• In some industries complex criteria like ‘vulnerability’ or ‘speed
of onset’ may apply. In HE we usually use two: Impact and
Likelihood.
Impact
• The outcome of an event which has an effect
on the University or its objectives.
– A single event can generate a range of impacts
which can have both positive and negative effects
on objectives. Initial impact can also escalate
through knock-on effects.
– Also called “consequence”
Likelihood
• The chance that something might happen.
– Can be defined, determined, or measured
objectively or subjectively and can
be expressed either qualitatively or quantitatively
(using mathematics). In universities, subjective
assessment is usually sufficient.
– Also called “probability”
Impact and Likelihood Scales
• The more descriptive the scales, the more consistent their
interpretation will be by users.
• The scales are an integral part of the risk policy.
• The trick is to find the right balance between simplicity and
comprehensiveness.
• Scales should allow meaningful differentiation for ranking and
prioritization purposes.
• Five or six point scales yield better dispersion than three point
scales.
• Ten point scales imply precision typically unwarranted in qualitative
analysis, and assessors may waste time trying to differentiate
between a rating of six and seven when the difference is
inconsequential and indefensible.
• Usually but not always measured quantitatively – so that the total
risk can be defined as Impact x Likelihood or Impact + Likelihood.
Impact Scales
Score 1: Insignificant
– General Description: Negligible impact upon achieving objective. The consequences are dealt with by routine operations.
– Finance: < £10,000
– Services: Some service interruption but can be made up without students becoming aware. No supply chain disruption.
– Health and Safety: Minor injury or illness, first aid treatment needed.
– Reputation: No community response. No media interest. No reputational impact.
Score 2: Minor
– General Description: Minor impact on objective. Consequences threaten the efficiency or effectiveness of some services. This will be dealt with internally.
– Finance: Loss of more than 1% turnover; £3m loss for University; £0.3m for a College.
– Services: Small fall in service levels, some minor quality standards not met. Or minor disruption to supply chain.
– Health and Safety: Major injury requiring medical attention and/or causing >3 days absence.
– Reputation: Low consequence politically. Local short term media interest. Isolated community complaints. Reputation contained.
Score 3: Moderate
– General Description: Moderate impact on objective. The consequences would not threaten the provision of key services, but would have a medium term impact meaning the organisation could be subject to a significant review or change in operating procedures.
– Finance: Loss of more than 2.5% turnover; £7.5m loss for University; 750k for a College.
– Services: Moderate fall in service levels. Student and/or supplier relationships strained. Project & grant delays. Quality requirements partly met. Or limited disruption to key supply chain.
– Health and Safety: Single major injury, or long term incapacity / disability; localised disease outbreak.
– Reputation: Some community complaints. Possible local long term media interest and/or correspondence with VC’s office. Some reputational damage.
Score 4: Significant
– General Description: Significant impact upon objective. Threat to meeting external standards. The consequences may threaten continued effective provision of services and require top-level management intervention.
– Finance: Loss of more than 6% turnover; £18m loss for University; £1.5m for a College.
– Services: Significant fall in service levels. Project & grant requirements not achieved. Quality specifications not met. Students go elsewhere. Or significant disruption to key supply chain.
– Health and Safety: A number of major injuries, or long term incapacity / disability; disease outbreak.
– Reputation: Significant complaints. National short term media interest and/or VC has been questioned. Loss of credibility; real reputational damage.
Score 5: Major
– General Description: Major impact upon objective. No longer meets external standards. The consequences would threaten continued effective provision of services and require top-level management intervention.
– Finance: Loss of more than 15% turnover; £30m loss for University; £6.5m for a College.
– Services: Major fall in service levels. Major loss or reduction in quality of: research outputs & grant values, achievement of 1st degrees, student satisfaction & employability, international students.
– Health and Safety: Incidents of death or major permanent incapacity; widespread disease outbreak.
– Reputation: Major complaints. National short term media interest and/or Ministry Office have been questioned. Major loss of credibility; major reputational damage.
Score 6: Catastrophic
– General Description: Catastrophic impact on objectives. The consequences would affect the long term provision of key services, causing major problems for the organisation, and threatening its existence.
– Finance: Loss of more than 20% turnover; £60m loss for University; £10m for a College.
– Services: Catastrophic fall in service levels. Catastrophic loss or reduction in quality of: research outputs / grant values, achievement of 1st degrees, student satisfaction & employability, international students.
– Health and Safety: Negligence resulting in multiple death or permanent incapacity; regional/national disease outbreak.
– Reputation: Parliamentary questions with national long term media interest. Catastrophic reputational damage.
Another Example … (KPP = Key Performance Parameter)
A non-numeric example…
Level / Example Descriptors
High
– Critical impact on the achievement of University objectives and performance.
– Critical opportunity to innovate/improve performance missed/wasted.
– Huge impact on costs and/or reputation.
– Very difficult to recover from and possibly requiring a long term recovery period.
– Prolonged and damaging front-page media coverage at a national and/or international level.
– Total financial impact of > £5m (~16% of cash surplus)
Significant
– Major impact on the achievement of University objectives and performance.
– Substantial opportunity to innovate/improve performance missed/wasted.
– Serious impact on output and/or quality and reputation.
– Medium to long term effect and expensive to recover from.
– A period of negative national media coverage.
– Total financial impact of £3m to £5m (~10%-16% of cash surplus)
Medium
– Intermediate impact on the achievement of University objectives and performance.
– Good opportunity to innovate/improve performance missed/wasted.
– Moderate impact on operational efficiency, output and quality.
– Medium term effect which may be expensive to recover from.
– Some negative media coverage, including at a national level.
– Total financial impact of £1.7m to £3m (up to 10% of our cash surplus)
Low
– Minor impact on the achievement of University objectives and performance.
– Opportunity to innovate/make minor improvements to performance missed/wasted.
– Short to medium term effect.
– Some negative media coverage, mainly at a local level.
– Total financial impact of < £1.7m (the External Auditors’ ‘Materiality limit’)
Likelihood Scales
Likelihood Rating / Definition / Guidance
1 Remote: Remote probability (<1%) the risk will occur in the next 5 Years. It may occur only in exceptional circumstances.
2 Rare: Very low probability (1-10%) the risk will occur in the next 5 Years.
3 Unlikely to happen: Low probability (10-30%) the risk will occur in the next 5 Years.
4 Possible to happen: Moderate probability (31-60%) the risk will occur in the next 5 Years. Might occur at some time.
5 Likely to happen: High probability (61-90%) the risk will occur in the next 5 Years. It will occur in most circumstances.
6 Almost Certain to happen: Very high probability (>90%) the risk will occur in the next 5 Years. It is expected to occur.
Another Example …
A non-numeric example…
Level / Example Detail Description
High: Almost certain, is expected to occur in most circumstances. Greater than 80% chance.
Significant: Likely, will probably occur in most circumstances. 50% - 80% chance.
Medium: Possible, might occur at some time. 20% - 50% chance.
Low: Unlikely, but could occur at some time. Less than 20% chance.
Risk Assessment Matrix
Another Risk Assessment Matrix
[Matrix: LIKELIHOOD (Low, Medium, Significant, High) plotted against IMPACT (Low, Medium, Significant, High)]
TASK
1. Take 2-3 examples of risks identified in the previous session
2. Assess their impact and likelihood
3. Plot it on a 1-5 scale matrix
4. Use the matrix we’ve provided on your tables
Here’s one we did earlier … (Session 1)
Objectives / Risks / Category / Risk Appetite
Distinctive Faculty
• Attracting high quality staff; Retaining them (People; appetite High)
Excellence in all fields
• Competition; Spread too thin; Rapid development of disciplines (Research; appetite High)
• Levels of investment required (Finance; appetite Low)
Supportive Learning Environment
• Increasing expectations; Technological Development (Reputation; appetite Low)
• Levels of investment required (Finance; appetite Low)
• Capacity & skills of staff (People; appetite High)
• Engagement (Culture; appetite High)
Sustainable Environment
• Investment required (Finance; appetite Low)
• Conflicts inherent in the strategy (Planning; appetite High)
• Accountability (Cultural; appetite High)
• Buy in from faculty (Cultural; appetite High)
King Saud’s Gross Risk Matrix
[Matrix, LIKELIHOOD 1–5 against IMPACT 1–5: “Lack of money for investment” plotted at likelihood 4]
King Saud’s Gross Risk Matrix
[Matrix, LIKELIHOOD 1–5 against IMPACT 1–5: “Lack of money for investment” plotted at likelihood 4, “Spread too thin” at likelihood 3]
Gross and Net Risk
Gross (inherent) and Net (residual) Risk
• Gross risk is the risk inherent in any event or
action before any mitigating actions.
• Net risk is the risk left over after you’ve applied
controls.
– What’s left after you’ve avoided, transferred,
controlled or accepted the risk.
– Takes into account existing controls.
King Saud’s Gross Risk Matrix
[Matrix, LIKELIHOOD 1–5 against IMPACT 1–5, now also showing Net Risk: “Lack of money for investment” (gross at likelihood 4) and “Spread too thin” (likelihood 3)]
Lack of money for investment:
• We decide to target our resources as specific, prioritised projects
• We are undertaking cost-cutting measures
Spread too thin:
• We are already excellent in 16 of our 20 disciplines
• With targeted investment we assess this is feasible
• No change to net risk
Target Risk
Target Risk is the goal for net risk.
• It’s intended to bring net risks within the tolerance
for risk appetite
• Includes an assessment of what is realistic to
manage. May need to accept remaining net risk.
• Risk controls may take time to have impact.
• Provides a way to evaluate the effectiveness of risk
controls.
• Agreed by Executive and Governing Body level.
King Saud’s Gross Risk Matrix
[Matrix, LIKELIHOOD 1–5 against IMPACT 1–5, showing Gross, Net and Target Risk: “Lack of money for investment” (gross at likelihood 4, target at likelihood 1) and “Spread too thin” (likelihood 3)]
Lack of money for investment:
• Bringing this within our low risk appetite will require further controls
• We will note this in our risk log under ‘Planned actions’.
Gross to Net to Target
[Matrix, LIKELIHOOD (Low, Medium, Significant, High) against IMPACT (Low, Medium, Significant, High): G = Gross, “Where we started” (High likelihood); N = Net, “Where we are” (Significant likelihood); Target, “Where we want to be” (Low likelihood)]
Risk Register
Columns: Risk Category; Risk owner; Risk description; Gross (Impact, Likelihood, Total (I x L)); Net (Impact, Likelihood, Total (I x L)); Change this cycle (↑↓↔); Target (Impact, Likelihood, Total (I x L))
QUESTIONS
• Who would normally do such an
assessment on the corporate risk
register?
• Who would they agree it with?
• What would be Council’s role?
Treatment or Mitigation
Risk Management Framework (from Session 1)
Identify
• Context Setting
• Stakeholders
• Risk Owners
• Level of Risk
• Sources of Risk
• Internal/External
• Risk Appetite
Assess
• Likelihood
• Impact
• Gross (Inherent)
• Net (Residual)
• Target
Monitor and Report
• Risk Register
• Regular Reviews
• Key Risk Indicators
• Incident Management
• Audit
• Board
Mitigate
• Risk Treatment
– Avoid
– Transfer
– Control / Contain / Reduce
– Accept
Mitigation
• A risk modification process.
– It involves selecting and implementing one or more
treatment options, such as:
– Avoid
– Transfer
– Control / Contain / Reduce
– Accept
Controls
• Controls are any measure or
action that modifies risk.
– Once a treatment has been implemented, it becomes
a control. Controls include any policy, procedure,
practice, process, technology, technique, method, or
device that modifies or manages risk. Risk
treatments become controls once they have been
implemented.
Identifying mitigations
Some questions to start us off…
• What is the likelihood / impact?
– Proportional response
• Can we do anything to reduce the likelihood of the
risk?
• Can we do anything to reduce the impact of the risk?
– Is the source of the risk internal or external?
– Is it too big for us to mitigate?
• Where would the impact of the risk be felt?
– If the risk is local, responsibility is local
Assessing Mitigations
• What would be the impact of the mitigation?
• Is the action appropriate to risk severity?
• Is cost / effort proportionate?
• Is the action timely enough?
• Is the action realistic within context?
• Is the action agreed by all parties?
• Is the action owned by a responsible person?
Risk Mitigation Priority
Mitigation Priority / Description
Extreme: The probability of a major risk occurring is very high, and the impact on the business
could be catastrophic. Immediate action is required and senior management should be
involved in all aspects of the remediation process.
High: The probability of a major risk occurring is high and the impact on the business could be
significant. The appropriate action should be incorporated into current activities.
Management should allocate the appropriate responsibility for the remediation and
actively monitor the progress.
Medium: The probability of a major risk occurring is moderate, as is the potential impact on the
business. Management should ensure the appropriate response actions are being
planned, and should monitor the outcomes.
Low: Key risks are adequately addressed. The probability of a major risk occurring is low, and
the impact on the business will be minimised. Risk will be managed through routine
operational procedures. No senior management attention is required.
Mitigation Strategies
Avoid
• Eliminate the cause
• Remove task/activity causing risk from plan
Pro: Total risk reduction. Cons: May be expensive or have opportunity cost.
Transfer
• Pass risk to another party
– commercial agreement, insurance
Pro: Frees management time. Con: Loss of control.
Control / Contain / Reduce
• Add actions to plan to reduce likelihood
• Add actions to plan to reduce impact
– set aside contingency
Most common approach; includes some acceptance and some avoidance.
Accept
• Do nothing, accept consequences
• “Take the risk”
Pros: Low cost, may be the only thing you can do. Con: If things go wrong the impact could be substantial.
Focus of the Mitigation
[Diagram: Reduce Impact – React to effects; Detect risk events; Reduce Likelihood – Prevent risk causes]
• A good mitigation plan may have controls at multiple levels to
prevent, detect and react to risks.
• For instance, a fire safety strategy will seek to stop fire occurring
through training and removal of obvious fire hazards (cause); it will
ensure that smoke detectors are working and fire extinguishers are
available to put out any fires that start (events); and it will ensure
that fire escape routes are clear, people know how to exit the
building, fire alarms are active and fire and rescue will be called
(effects).
Consider the risk of student recruitment.
What could you do to mitigate the causes?
Detect problems?
Mitigate the effect?
Focus of Controls
[Chart, Likelihood 0–6 against Impact 0–6, divided into four quadrants:
high likelihood / low impact: HIGH FREQUENCY LOW IMPACT – Reduce Likelihood (if cost-effective);
high likelihood / high impact: REPEAT SEVERE THREATS (require immediate risk reduction);
low likelihood / low impact: MINOR (absorb or manage);
low likelihood / high impact: CONTINGENCY (require response plans)]
TASK
Consider which strategy is most
appropriate for each quadrant.
Focus of Controls
[The same chart with a strategy assigned to each quadrant: CONTROL for HIGH FREQUENCY LOW IMPACT; AVOID for REPEAT SEVERE THREATS; ACCEPT for MINOR; TRANSFER for CONTINGENCY]
Another approach
[Matrix, LIKELIHOOD 1–5 against IMPACT 1–5, with regions labelled ACCEPT, CONTROL, TRANSFER and AVOID]
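To make the Risk Register columns (Gross, Net, Change this cycle, Target) and the Focus of Controls quadrants concrete, here is an added Python example; it is not code from the slides or from any university’s own tooling. The 1–6 scales are the deck’s, but the appetite ceilings, the cut-off of 4 for “high” on the chart’s 0–6 axes, the owner names and the sample rows are assumptions made for illustration.

```python
# Added example: Gross / Net / Target scoring for a risk register, plus the
# quadrant strategy from the Focus of Controls chart. The 1-6 scales are the
# deck's; the appetite ceilings, the quadrant cut-off and the sample risks
# are constructed assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

Score = Tuple[int, int]  # (impact, likelihood), each on the 1-6 scale

APPETITE_CEILING = {"Low": 6, "Moderate": 12, "High": 20}  # assumed max net I x L
HIGH_CUTOFF = 4  # assumed: on the chart's 0-6 axes, 4 or more counts as "high"


def total(s: Score) -> int:
    """Total risk as the deck defines it: Impact x Likelihood."""
    impact, likelihood = s
    if not (1 <= impact <= 6 and 1 <= likelihood <= 6):
        raise ValueError("impact and likelihood must be on the 1-6 scales")
    return impact * likelihood


def quadrant_strategy(s: Score) -> Tuple[str, str]:
    """Return (quadrant, strategy) as the Focus of Controls chart labels them."""
    impact, likelihood = s
    high_l, high_i = likelihood >= HIGH_CUTOFF, impact >= HIGH_CUTOFF
    if high_l and high_i:
        return "Repeat severe threats (require immediate risk reduction)", "AVOID"
    if high_l:
        return "High frequency low impact (reduce likelihood if cost-effective)", "CONTROL"
    if high_i:
        return "Contingency (require response plans)", "TRANSFER"
    return "Minor (absorb or manage)", "ACCEPT"


@dataclass
class Risk:
    description: str
    category: str
    owner: str
    appetite: str                         # Low / Moderate / High
    gross: Score                          # before any mitigating action
    net: Score                            # after existing controls
    target: Score                         # goal for net risk
    previous_net: Optional[Score] = None  # net score at the last review

    def change(self) -> str:
        """Change this cycle: ↑ net risk rose, ↓ it fell, ↔ no change."""
        if self.previous_net is None:
            return "↔"
        now, before = total(self.net), total(self.previous_net)
        return "↑" if now > before else "↓" if now < before else "↔"

    def distance_to_travel(self) -> int:
        """Net score still to be removed before the target is reached."""
        return max(0, total(self.net) - total(self.target))

    def flags(self) -> list:
        """Checks a reviewer would raise on the row before it goes to the Executive."""
        out, ceiling = [], APPETITE_CEILING[self.appetite]
        if total(self.net) > total(self.gross):
            out.append("net exceeds gross: controls cannot add risk")
        if total(self.net) > ceiling:
            out.append("net above appetite: further controls needed")
        if total(self.target) > ceiling:
            out.append("target above appetite: remaining net risk is accepted")
        return out

    def row(self) -> dict:
        """One register line: the deck's Gross / Net / Change / Target columns."""
        return {"risk": self.description, "category": self.category, "owner": self.owner,
                "gross": total(self.gross), "net": total(self.net), "change": self.change(),
                "target": total(self.target), "to travel": self.distance_to_travel(),
                "strategy": quadrant_strategy(self.net)[1], "flags": self.flags()}


# Constructed sample rows loosely based on the deck's King Saud examples.
SAMPLE_RISKS = [
    Risk("Lack of money for investment", "Finance", "Finance Director", "Low",
         gross=(5, 4), net=(5, 3), target=(5, 1), previous_net=(5, 4)),
    Risk("Spread too thin", "Research", "VP Research", "High",
         gross=(3, 3), net=(3, 3), target=(3, 3), previous_net=(3, 3)),
]
```

Calling `row()` on each entry of `SAMPLE_RISKS` yields the register lines; the first row is flagged because a net score of 15 is still above the assumed ceiling of 6 for a Low appetite, which is exactly the “distance to travel” the monitoring cycle is meant to track.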
Mitigations and Risk Policy
• The approach to mitigation will vary with the risk tolerance –
and the appetite may vary with the type of risk.
[Figure: Edinburgh Risk Tolerance]
• The policy will define risk owners and managers, and these
people are responsible for mitigation. The executive body and
the governing body review the appropriateness, sufficiency,
and effectiveness of the actions.
• The policy will also define the review cycle – but mitigation
and control is a continual, proactive activity and should not
only occur at the refresh point of the cycle.
Assessment and Mitigation:
when and how?
• Risk owners and managers must own the
process
• Much of it is continual
– Strategy development
– Competitor analysis
– Suggestion boxes (email addresses)
– Business as usual
• Other approaches
– Workshops
– Scenario planning
– Risk incidents and audits – always lead to learning and
often change risk assessments
TASK
1. Take the 4 examples of KSU’s gross
risks that follow.
2. Identify 2-3 mitigations for each
one.
3. Assess the net risk, and target risk
against the risk appetite.
4. Determine whether there is more distance
to travel.
King Saud’s Gross Risk Matrix
[Matrix, LIKELIHOOD 1–5 against IMPACT 1–5: “Lack of money for investment” at likelihood 4; “Increasing expectations” and “Attract high quality staff” at likelihood 3; “‘Buy-in’” at likelihood 2]
Here’s one we did earlier …
Objectives / Risks / Category / Risk Appetite
Distinctive Faculty
• Attracting high quality staff; Retaining them (People; appetite High)
Excellence in all fields
• Competition; Spread too thin; Rapid development of disciplines (Research; appetite High)
• Levels of investment required (Finance; appetite Moderate)
Supportive Learning Environment
• Increasing expectations; Technological Development (Reputation; appetite Low)
• Levels of investment required (Finance; appetite Moderate)
• Capacity & skills of staff (People; appetite High)
• Engagement (Culture; appetite High)
Sustainable Environment
• Investment required (Finance; appetite Moderate)
• Conflicts inherent in the strategy (Planning; appetite High)
• Accountability (Cultural; appetite High)
• Buy in from faculty (Cultural; appetite High)
Monitoring
Monitoring
Monitoring is the process whereby risks and mitigations are reviewed and
risk owners are held accountable.

Monitoring:
• Determines the effectiveness of risk management processes.
• Identifies where target risk has been achieved and where there is still
distance to travel.
• Ensures that controls are implemented and assesses their effectiveness.
• Gathers feedback from owners of existing risks about changes to
likelihood / impact / trend / controls.
• Reviews trends and changes risk assessments or targets in light of new
information.
• Enables issues to be escalated to improve mitigation – don’t wait until it
becomes an issue.
• Considers new risks as the situation changes.
Risk Register
• The Risk Register enables structured monitoring by
reporting on risks, risk owners, changes to risks, risk
assessments (gross, net, target), and risk controls.
• Local risk registers support the Corporate or Strategic
Risk Register which is viewed by the Executive and
Governing Body.
• But remember… monitoring of risks should be
continual and not tied to the Risk Register.
• Risks can also be identified and insight on risk gathered
through monitoring of strategic objectives, reports on
internal and external environment, project or
programme reports, and financial reporting.
Red - existing controls not working/adequate (to escalate)
Amber - existing controls in danger of failing
Green - controls are working
All captured in a risk register
Project: name of project
PI: ANO1; Date this revision: 03/07/2009
Project Manager: ANO9; Date next revision: 03/08/2009
Columns: ID; RAG; Owner; Description & Impact; Probability; Impact; Trend; Controls/Actions; Action By; Action Due
Identification
001 (Green; owner PI): there is a risk that insufficient resources will be available due to sickness, unplanned absences, etc. to deliver committed Project activity which will impact the delivery of Project outputs. Probability M; Impact H; Trend: No change. Controls/Actions:
– 1. maintain holiday plans (all team members; ongoing)
– 2. ensure working instructions documented for all regular services (all team members; Oct 2009)
– 3. create deputy cover plan and conduct training (all team members; Aug 2009)
– 4. conduct regular reviews of Project commitments and secure increased funding when required (PI; ongoing)
002 (Amber; owner PM): there is a risk that the space and office facilities necessary to support Project team members is inadequate which will impact the delivery of Project outputs and staff morale. Probability M; Impact H; Trend: Increasing. Controls/Actions:
– 1. assign responsibility for Estates interface to a single team member (PM; July 2009)
– 2. gather feedback in individual reviews (PM and individual team members; ongoing)
003 (Red; owner PM): there is a risk that xxxxxxxxxxxxxx are not supportive of achieving xxxxxxxxxxx which will impact the ability to xxxxxxxxxxxxxxxxx. Probability H; Impact M; Trend: Increasing. Controls/Actions:
– 1. involve xxxxxxx in delivery of xxxxxxxxxxxxxxx (PM; Jul 2009)
004 (Green; owner PI): there is a risk that timescales are not achievable due to delays with pre-requisite activities which will impact the timely delivery of plans and other outputs. Probability M; Impact M; Trend: No change. Controls/Actions:
– 1. create Project plan of all outputs (PI; Aug 2009)
– 2. establish and communicate all leadtimes for Project deliverables (all team members; Oct 2009)
Evaluation
005 (Green; owner ANO3): there is a risk that timely, relevant, up-to-date data isn't available to create Project deliverables. Probability L; Impact M; Trend: No change. Controls/Actions:
– 1. liaise with xxxxxxxxxxx to ensure that data is made readily available (ano3; ongoing)
– 2. timetable of available data published for xxxxxxxxxxxxxxx (PI; Quarterly)
– 3. create timescales for all deliverables to allow time to gather relevant information (all team members; Every 6 months)
006 (Green; owner PI): there is a risk that priorities from higher management will change during the Project, which will impact the Project workload and achievement of outputs. Probability H; Impact M; Trend: Decreasing. Controls/Actions:
– 1. create a change process by which new priorities are assessed for impact, have agreement and implementation plans (PM; Aug 2009)
Mitigation
007 (Amber; owner PI): there is a risk that relationships with external partners could be jeopardised strategically due to issues relating to xxxxxxxxxxxxxxx. Probability M; Impact M; Trend: Increasing. Controls/Actions:
– 1. formalise a clear communications channel between xxxxxxxxxx on existing relationships with external partners (PM; Aug 2009)
– 2. assign a liaison(s) for each external partner and use them to help address project issues (all team members; Aug 2009)
… and the detailed assessment which
underpins it for a full review
[Annotated register form with callouts: Description of controls to mitigate risk; Contextual information regarding the risk; Scores for Gross and Net Risks for last and current assessments; Explanation of changes since last review]
Risk Register
Columns: Risk Category; Risk owner; Risk description; Gross (Impact, Likelihood, Total (I x L)); Net (Impact, Likelihood, Total (I x L)); Change this cycle (↑↓↔); Target (Impact, Likelihood, Total (I x L))
A monitoring cycle
• Quarterly refresh of Risk Register
• Quarterly to Executive
• Biannually to Council and Audit Committee
• Annual refresh to all
• Full review with new strategy
[Diagram: a Strategy Refresh followed by a repeating cycle of Quarters 1 to 4 closed by an Annual Review (Annual Reviews 1 to 5), leading to the next Strategy Refresh]
Register Updates
Oct / Nov: Senior Management Corporate Risk Discussions; Colleges full review of Risk Registers; Facilitators full review of risk; Executive Risk Discussion (focus on Corporate and College Risk Reviews)
December: PS full review of Risk Registers; Corporate Risk exception reports only; Council Risk Paper
Feb / March: Executive Risk Discussion (focus on Professional Services Risk Reviews); Corporate Risk exception reports only
March: Executive Risk Discussion; Corporate Risk exception reports only
June: Corporate Risk, Colleges and Facilitators full review of Risk Registers; PS full review of Risk Registers; Executive Performance and Risk Discussion (focus on all updated registers: College, Corporate and PS)
July: Council Performance and Risk Paper
Another model with suggested timing (HEFCE)
Top-Down (Centre)
• Strategic Risk Assessment (annual)
• Key Risk & Mitigation Reporting
• Risk embedded in Strategic Planning
• High-level SWOT/STEP & Strategic Risk Register
• Integration of Strategic & Operation-wide Reviews
• Action Planning
• Integrated Board / Executive Reporting (monthly/quarterly): ‘Watch List’ of risky business initiatives; Key overall risks & adequacy of mitigation; Current & Future Risk Profile (monthly / quarterly); Feedback & Actions
• Board understanding of risk appetite; Level of risk, mitigation effectiveness, Assessment of impact on overall risk profile; Coordinated mitigation plan & action tracking
Bottom-Up (Operations, Projects & Functions)
• Operation-wide Risk Assessment
• Collation of Operational Risk Reviews
• Collated operational risk reporting with mitigating actions (monthly / quarterly)
• Operations Risk Review: Operations risk reporting with mitigating actions (quarterly)
• Programme & Project Risk Review: Programme & project risk reporting with mitigating actions (monthly)
• Functional Support Risk Review: Functional risk reporting with mitigating actions (quarterly)
Risk Identification at all levels
The Risk Registers and Matrices tie all of these together and provide a
means of communication between the different levels:
• Corporate Risks
• College & Professional Services Risks
• Programme & Project Risks
Where lower-level risks are common and have major impact, they then find their
way onto the risk register at the next level up.
Risk Incidents
Definition: Risk Incident
• A risk incident is when a risk occurs, especially if it
will lead to a negative consequence.
– Objective won’t be achieved
– Cost incurred
– Legal claim
– “Near miss”
What if a Risk Incident occurs?
• Can’t mitigate against the likelihood of a risk incident, but can
minimize impact through effective planned action
– Insurance
– Emergency management plans
• It is important a risk incident is reported and investigated as soon
as possible.
– Can minimize impact
– Learn from mistakes
• Identify risk (may have been unknown)
• Better assessment of risk
• Improved controls
– Increase risk awareness
• Depending on the level of the incident, reporting may be local or
may be to executive or governing body.
• Internal Audit plays a role in investigation and learning.
• How an institution deals with risk incidents reflects its culture.
