Sessions 4 and 5
Assessing Risk
Mitigation, Monitoring and Control
Sessions 4 & 5: Overview
• Risk Criteria
– Likelihood
– Impact
• Gross, Net and Target Risk
• Risk Treatment or Mitigation
• Monitoring Cycle
• Risk Incidents
Risk Management Framework
Identify
• Context Setting
• Stakeholders
• Risk Policy
• Sources of Risk
• Internal/External
• Risk Appetite
Assess
• Evaluation
• Likelihood
• Impact
• Gross (Inherent)
• Net (Residual)
• Target
Monitor and Mitigate
• Risk Register
• Regular Reviews
• Risk Treatment
– Avoid
– Transfer
– Control / Contain / Reduce
– Accept
Report
• Key Risk Indicators
• Incident Management
• Audit
• Board
Risk Criteria
• Risk criteria are terms of reference and are used to evaluate the
significance or importance of the University’s risks. They are
used to determine whether a specified level of risk is
acceptable or tolerable.
Impact criteria, six levels from 1 (lowest) to 6 (highest):
• General descriptor
1. … objective. The consequences are dealt with by routine operations.
2. … threaten the efficiency or effectiveness of some services. This will be dealt with internally.
3. … would not threaten the provision of key services, but would have a medium term impact, meaning the organisation could be subject to a significant review or change in operating procedures.
4. … meeting external standards. The consequences may threaten continued effective provision of services and require top-level management intervention.
5. … meets external standards. The consequences would threaten continued effective provision of services and require top-level management intervention.
6. … consequences would affect the long term provision of key services, causing major problems for the organisation, and threatening its existence.
• Finance
1. Loss of < £10,000
2. Loss of more than 1%
3. Loss of more than 2.5%
4. Loss of more than 6%
5. Loss of more than 15%
6. Loss of more than 20%
• Services and supply chain
1. … becoming aware. No supply chain disruption.
2. … disruption to supply chain.
3. … delays. Quality requirements partly met. Or limited disruption to key supply chain.
4. … specifications not met. Students go elsewhere. Or significant disruption to key supply chain.
5. … grant values, achievement of 1st degrees, student satisfaction & employability, international students.
6. … values, achievement of 1st degrees, student satisfaction & employability, international students.
• Health and Safety
1. Minor injury or illness, first aid treatment needed.
2. Major injury requiring medical attention and/or causing >3 days absence.
3. Single major injury, or long term incapacity / disability; localised disease outbreak.
4. A number of major injuries, or long term incapacity / disability; disease outbreak.
5. Incidents of death or major permanent incapacity; widespread disease outbreak.
6. Negligence resulting in multiple deaths or permanent incapacity; regional/national disease outbreak.
• Reputation
1. No community response. No media interest. No reputational impact.
2. Low consequence politically. Local short term media interest. Isolated community complaints. Reputation contained.
3. Some community complaints. Possible local long term media interest and/or correspondence with the VC’s office. Some reputational damage.
4. Significant complaints. National short term media interest and/or the VC has been questioned. Loss of credibility; real reputational damage.
5. Major complaints. National short term media interest and/or the Ministry Office has been questioned. Major loss of credibility; major reputational damage.
6. Parliamentary questions with national long term media interest. Catastrophic reputational damage.
Another Example … (KPP = Key Performance Parameter)
A non-numeric example…
Level: Example Descriptors
High
• Critical impact on the achievement of University objectives and performance.
• Critical opportunity to innovate/improve performance missed/wasted.
• Huge impact on costs and/or reputation.
• Very difficult to recover from and possibly requiring a long term recovery period.
• Prolonged and damaging front-page media coverage at a national and/or international level.
• Total financial impact of > £5m (~16% of cash surplus)
Significant
• Major impact on the achievement of University objectives and performance.
• Substantial opportunity to innovate/improve performance missed/wasted.
• Serious impact on output and/or quality and reputation.
• Medium to long term effect and expensive to recover from.
• A period of negative national media coverage.
• Total financial impact of £3m to £5m (~10%-16% of cash surplus)
Medium
• Intermediate impact on the achievement of University objectives and performance.
• Good opportunity to innovate/improve performance missed/wasted.
• Moderate impact on operational efficiency, output and quality.
• Medium term effect which may be expensive to recover from.
• Some negative media coverage, including at a national level.
• Total financial impact of £1.7m to £3m (up to 10% of our cash surplus)
Low
• Minor impact on the achievement of University objectives and performance.
• Opportunity to innovate/make minor improvements to performance missed/wasted.
• Short to medium term effect.
• Some negative media coverage, mainly at a local level.
• Total financial impact of < £1.7m (the External Auditors’ ‘Materiality limit’)
Likelihood Scales
Likelihood Rating / Definition / Guidance
1 Remote: Remote probability (<1%) the risk will occur in the next 5 years. It may occur only in exceptional circumstances.
2 Rare: Very low probability (1-10%) the risk will occur in the next 5 years.
3 Unlikely to happen: Low probability (10-30%) the risk will occur in the next 5 years.
4 Possible to happen: Moderate probability (31-60%) the risk will occur in the next 5 years. Might occur at some time.
5 Likely to happen: High probability (61-90%) the risk will occur in the next 5 years. It will occur in most circumstances.
6 Almost Certain to happen: Very high probability (>90%) the risk will occur in the next 5 years. It is expected to occur.
Another Example …
A non-numeric example…
Level / Example Detail Description
Low: Unlikely, but could occur at some time. Less than 20% chance.
Risk Assessment Matrix
Another Risk Assessment Matrix
[Figure: matrix of LIKELIHOOD (Low, Medium, Significant, High) against IMPACT]
TASK
[Figure: 5 x 5 matrix, LIKELIHOOD (1-5) against IMPACT (1-5), with “Lack of money for investment” plotted at likelihood 4]
Here’s one we did earlier …
[Table from an earlier session: Objectives, Risks, Category, Risk Appetite]
[Figure: 5 x 5 matrix with “Lack of money for investment” at likelihood 4 and “Spread too thin” at likelihood 3]
Gross and Net Risk
Gross (inherent) and Net (residual) Risk
• Gross risk is the risk inherent in any event or
action before any mitigating actions.
• Net risk is the risk left over after you’ve applied
controls.
– What’s left after you’ve avoided, transferred,
controlled or accepted the risk.
– Takes into account existing controls.
King Saud’s Gross Risk Matrix
[Figure: 5 x 5 matrix, LIKELIHOOD (1-5) against IMPACT (1-5), showing the move from gross to net risk for two KSU risks]
• Lack of money for investment (gross risk plotted at likelihood 4)
– We decide to target our resources as specific, prioritised projects
– We are undertaking cost-cutting measures
• Spread too thin (gross risk plotted at likelihood 3)
– We are already excellent in 16 of our 20 disciplines
– With targeted investment we assess this is feasible
– No change to net risk
Target Risk
Target Risk is the goal for net risk.
[Figure: the same matrix with the Net Risk for “Spread too thin” at likelihood 3 and the Target Risk at likelihood 1]
Gross to Net to Target
[Figure: matrix of LIKELIHOOD (Low, Medium, Significant, High) against IMPACT]
• G (Gross): where we started
• N (Net): where we are
• Target: where we want to be
Risk Register
Columns: Gross, Net, Change, Target
Session 1
Treatment or Mitigation
Risk Management Framework
Identify
• Context Setting
• Stakeholders
• Risk Owners
• Level of Risk
• Sources of Risk
• Internal/External
• Risk Appetite
Assess
• Likelihood
• Impact
• Gross (Inherent)
• Net (Residual)
• Target
Monitor and Mitigate
• Risk Register
• Regular Reviews
• Risk Treatment
– Avoid
– Transfer
– Control / Contain / Reduce
– Accept
Report
• Key Risk Indicators
• Incident Management
• Audit
• Board
Mitigation
• A risk modification process.
– It involves selecting and implementing one or more
treatment options, such as:
– Avoid
– Transfer
– Control / Contain / Reduce
– Accept
Controls
• Controls are any measure or action that modifies risk.
– Once a treatment has been implemented, it becomes a control. Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk.
Identifying mitigations
Some questions to start us off…
High: The probability of a major risk occurring is high and the impact on the business could be significant. The appropriate action should be incorporated into current activities. Management should allocate the appropriate responsibility for the remediation and actively monitor the progress.
Medium: The probability of a major risk occurring is moderate, as is the potential impact on the business. Management should ensure the appropriate response actions are being planned, and should monitor the outcomes.
Low: Key risks are adequately addressed. The probability of a major risk occurring is low, and the impact on the business will be minimised. Risk will be managed through routine operational procedures. No senior management attention is required.
Mitigation Strategies
Avoid
• Eliminate the cause
• Remove the task/activity causing the risk from the plan
Pro: total risk reduction. Con: may be expensive or have an opportunity cost.
Accept
• Do nothing; accept the consequences
• “Take the risk”
Pros: low cost; may be the only thing you can do. Con: if things go wrong the impact could be substantial.
Focus of the Mitigation
• Reduce Impact: react to effects
• Detect risk events
• Reduce Likelihood: prevent risk causes
[Figure: Likelihood (0-5) against Impact (0-6) matrix divided into four regions]
• High likelihood, low impact: REPEAT / High Frequency Low Impact (reduce likelihood if cost-effective)
• High likelihood, high impact: SEVERE THREATS (require immediate risk reduction)
• Low likelihood, low impact: MINOR (absorb or manage)
• Low likelihood, high impact: CONTINGENCY (require response plans)
TASK
[Figure: the same matrix with a treatment assigned to each region: CONTROL for repeat, AVOID for severe threats, ACCEPT for minor, TRANSFER for contingency]
Another approach
[Figure: 5 x 5 matrix, LIKELIHOOD (1-5) against IMPACT (1-5): ACCEPT in the low-likelihood, low-impact corner, with bands of CONTROL, TRANSFER and AVOID as likelihood and impact rise]
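The scoring and treatment steps above, as an added worked example in Python written for this page (it is not code from the course, from KSU or from any university's risk tool). It maps a five-year probability to the 1-6 likelihood rating tabulated earlier, scores gross, net and target assessments on a 5 x 5 matrix, assigns a treatment zone by a quadrant rule, and reports the Gross / Net / Change / Target columns of a register together with the distance still to travel. The 1-5 rating range, the multiplicative score, appetite expressed as a maximum tolerable score, the threshold of 3 for "high", and every value in the sample register are assumptions constructed for the example.

```python
"""Added example, not from the original slides: a small risk register scoring gross, net and
target risk on a likelihood x impact matrix and reporting the Gross / Net / Change / Target
columns. Assumptions not stated on the page: ratings run 1-5 on both axes, score =
likelihood x impact, risk appetite is a maximum tolerable score, and treatment zones follow
a quadrant rule with ratings >= 3 counted as high. The likelihood bands are the six
probability-over-five-years bands tabulated on the page."""
from dataclasses import dataclass, field

# Likelihood scale from the page: (rating, upper bound of the probability band, label).
LIKELIHOOD_BANDS = (
    (1, 0.01, "Remote"), (2, 0.10, "Rare"), (3, 0.30, "Unlikely to happen"),
    (4, 0.60, "Possible to happen"), (5, 0.90, "Likely to happen"),
    (6, 1.00, "Almost certain to happen"),
)


def likelihood_rating(p: float) -> int:
    """Map an estimated probability of occurrence in the next 5 years to the 1-6 rating."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    for rating, upper, _label in LIKELIHOOD_BANDS:
        if p < upper:
            return rating
    return 6  # p == 1.0


@dataclass(frozen=True)
class Assessment:
    """One point on the matrix; both ratings 1-5 (assumed range)."""
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("matrix ratings run from 1 to 5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def treatment_zone(a: Assessment, high: int = 3) -> str:
    """Quadrant rule read off the treatment matrices on the page (threshold is assumed):
    high/high -> Avoid, high likelihood only -> Control, high impact only -> Transfer,
    otherwise -> Accept."""
    high_l, high_i = a.likelihood >= high, a.impact >= high
    if high_l and high_i:
        return "Avoid"
    if high_l:
        return "Control"
    return "Transfer" if high_i else "Accept"


@dataclass
class Risk:
    """Register row: gross before controls, net after existing controls, target as the goal."""
    name: str
    appetite: int            # maximum tolerable net score (assumed form of appetite)
    gross: Assessment
    net: Assessment
    target: Assessment
    controls: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.net.score > self.gross.score:   # controls should only reduce risk
            raise ValueError(f"{self.name}: net risk exceeds gross risk")
        if self.target.score > self.appetite:   # a target outside appetite is no target
            raise ValueError(f"{self.name}: target risk sits outside appetite")

    def change(self) -> int:
        """Reduction already achieved by existing controls (gross score minus net score)."""
        return self.gross.score - self.net.score

    def distance_to_travel(self) -> int:
        """How far net still sits above target; 0 means the target has been reached."""
        return max(0, self.net.score - self.target.score)

    def within_appetite(self) -> bool:
        return self.net.score <= self.appetite


def register_report(risks: list) -> list:
    """One summary dict per row: Gross / Net / Change / Target plus treatment zone and distance."""
    return [{"risk": r.name, "gross": r.gross.score, "net": r.net.score, "change": r.change(),
             "target": r.target.score, "zone": treatment_zone(r.net),
             "within_appetite": r.within_appetite(), "distance": r.distance_to_travel()}
            for r in risks]


# Constructed sample using the two KSU risks named on the page; ratings, appetite and
# control wording are illustrative, not read from the slides.
SAMPLE_REGISTER = [
    Risk("Lack of money for investment", appetite=8,
         gross=Assessment(4, 4), net=Assessment(3, 4), target=Assessment(2, 3),
         controls=["Target resources as specific, prioritised projects", "Cost-cutting measures"]),
    Risk("Spread too thin", appetite=6,    # no change to net risk yet
         gross=Assessment(3, 2), net=Assessment(3, 2), target=Assessment(1, 2)),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER):
        print(row)
```

Two checks are worth keeping in any register of this shape: a net score above gross means controls were recorded against the wrong assessment, and a target above appetite is a target that does not satisfy the policy; both are rejected when the row is built rather than discovered at review time.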
Mitigations and Risk Policy
• The approach to mitigation will vary with the risk tolerance –
and the appetite may vary with the type of risk.
[Figure: Edinburgh Risk Tolerance]
• The policy will define risk owners and managers, and these
people are responsible for mitigation. The executive body and
the governing body review the appropriateness, sufficiency,
and effectiveness of the actions.
• The policy will also define the review cycle – but mitigation
and control is a continual, proactive activity and should not
only occur at the refresh point of the cycle.
Assessment and Mitigation:
when and how?
• Risk owners and managers must own the
process
• Much of it is continual
– Strategy development
– Competitor analysis
– Suggestion boxes (email addresses)
– Business as usual
• Other approaches
– Workshops
– Scenario planning
– Risk incidents and audits – always lead to learning and
often change risk assessments
TASK
1. Take the 4 examples of KSU’s gross
risks that follow.
2. Identify 2-3 mitigations for each
one.
3. Assess the net risk, and target risk
against the risk appetite
4. Determine whether there is more distance to travel.
King Saud’s Gross Risk Matrix
[Figure: 5 x 5 matrix, LIKELIHOOD (1-5) against IMPACT (1-5), plotting “Lack of money for investment” at likelihood 4 and “Increasing ‘Buy-in’” and “Attract high …” at likelihood 3]
Here’s one we did earlier …
[Table from an earlier session: Objectives, Risks, Category, Risk Appetite]
Monitoring:
• Determines the effectiveness of risk management processes.
• Identifies where target risk has been achieved and where there is still
distance to travel.
• Ensures that controls are implemented and assesses their effectiveness.
• Gathers feedback from owners of existing risks about changes to
likelihood / impact / trend / controls.
• Reviews trends and changes risk assessments or targets in light of new
information.
• Enables issues to be escalated to improve mitigation – don’t wait until it
becomes an issue.
• Considers new risks as the situation changes.
Risk Register
• The Risk Register enables structured monitoring by
reporting on risks, risk owners, changes to risks, risk
assessments (gross, net, target), and risk controls.
• Local risk registers support the Corporate or Strategic
Risk Register which is viewed by the Executive and
Governing Body.
[Figure: annual risk monitoring cycle]
• Colleges: full review of risk registers; Corporate Risk Facilitators: full review of risk; Professional Services (PS): full review of risk registers
• June Executive Performance and Risk Discussion: focus on all updated registers (College, Corporate and PS)
• Risk embedded in Strategic Planning: high-level SWOT/STEP and strategic risk integration; integration of strategic and action planning
• Current & Future Risk Profile (monthly / quarterly); feedback & actions
• Register operation-wide reviews
• Board understanding of risk appetite; level of risk and assessment of impact on overall risk profile; coordinated mitigation effectiveness, mitigation plan and action tracking
• Collation of operational risk reviews
• Operations risk review: operations risk reporting with mitigating actions (quarterly)
• Programme & project risk review: programme & project risk reporting with mitigating actions (monthly)
• Functional support risk review: functional risk reporting with mitigating actions (quarterly)
Risk Identification at all levels
The Risk Registers and Matrices tie all of these together and provide a means of communication between the different levels.
[Figure: hierarchy with Corporate Risks above College & Professional Services Risks]
Where lower-level risks are common and have major impact, they then find their
way onto the risk register at the next level up.
Risk Incidents
Definition: Risk Incident
• A risk incident is when a risk occurs, especially if it
will lead to a negative consequence.
– Objective won’t be achieved
– Cost incurred
– Legal claim
– “Near miss”
What if a Risk Incident occurs?
• Once a risk incident has occurred its likelihood can no longer be mitigated, but the impact can be
minimized through effective planned action
– Insurance
– Emergency management plans
• It is important a risk incident is reported and investigated as soon
as possible.
– Can minimize impact
– Learn from mistakes
• Identify risk (may have been unknown)
• Better assessment of risk
• Improved controls
– Increase risk awareness
• Depending on the level of the incident, reporting may be local or
may be to executive or governing body.
• Internal Audit plays a role in investigation and learning.
• How an institution deals with risk incidents reflects its culture.