Risk Management Policy and Guidelines

Upload: kenoly123

Post on 04-Jun-2018


  • 8/13/2019 Risk Management Policy and Guidelines

    1/22

    Opportunity and Risk Policy and Guidelines


    Contents

    Higher Education Funding Council for Wales Risk Management Policy 1

    Introduction


    Higher Education Funding Council for Wales Risk Management Policy

    The Higher Education Funding Council for Wales (HEFCW) has adopted a risk based approach to internal control which is designed to provide reasonable assurance that we will achieve our corporate objectives and overall mission.

    The approach to risk management, set out in this Policy and Guidelines, has been approved by the Audit and Risk Committee and Higher Education Funding Council for Wales (the Council). The approach allocates responsibility for risk management and establishes a framework within which risks are identified and evaluated so that an appropriate response can be determined and affected.

    Risk management needs to allow for the effective assessment and exploitation of opportunities while also identifying what will prevent us from achieving our objectives, and ensuring we have in place procedures to minimise, or manage, those risks. Risk management therefore involves a planned and systematic approach to the identification, assessment and mitigation of the risks that could hinder the achievement of strategic objectives. It involves the following main steps:

    identifying the key strategic risks that would prevent achievement of objectives

    assigning ownership

    evaluating the significance of each risk

    assessing the Council's risk appetite

    identifying suitable responses to each risk

    ensuring the internal control system helps manage the risks

    developing the assurance mechanism to the Chief Executive

    regular review.

    To coordinate the risk management process the approach combines oversight by the


    Each Team is expected to:

    Establish clear objectives for their area of operations and identify and evaluate the key risks to achieving those objectives. This task should be linked to the annual planning process.

    Incorporate risk responses into a system of internal control that is designed to address opportunities; facilitate effective and efficient operations; protect the HEFCW's interests and ensure compliance with applicable laws and guidance.

    Follow HEFCW guidelines and standards relating to particular types of risk and ensure that emerging risks are identified and an appropriate response is affected.

    Design, operate and monitor the system of internal control.

    Monitor the effectiveness of the system of risk and internal control management and report significant weaknesses or non-compliance to the Management Board.

    Ensure that a risk based approach to internal control is communicated


    INTRODUCTION

    What is Risk?

    Risk can be defined as the element of uncertainty which affects operational decisions and planned outcomes. Risk factors may be either positive opportunities or negative threats. Essentially, they are the factors that help or hinder the achievement of our objectives. Annex A sets out examples of the different types of risks that might affect us.

    By identifying the key risks to achieving HEFCW's objectives, we are able to consider and plan our response to them. This helps us to minimise the impact of 'surprises' and to respond more effectively to possible opportunities.

    Risk management is not new. Planning and decision making within HEFCW already includes significant elements of risk assessment. For example, when developing corporate and operational plans we automatically reflect on the threats and opportunities associated with meeting our objectives. In addition Council papers include a risk assessment section which provides detail of any identified risks, current or future, arising from the issues covered by the paper. The risk management process formalises a number of these existing processes and helps us to ensure that key risks are not overlooked.

    Who is this guidance for?

    Risk management is a particular responsibility of the Council, the Audit and Risk Committee, the Directors and all the Heads of Teams. However, management of risk is something that we all do every day. It affects all aspects of our planning and decision making processes. Consequently all staff need to be aware of the HEFCW


    Gaining Assurance

    The Risk Management Cycle

    Risk management is a fluid process that affects all areas of our planning and decision making processes. Key stages in the cycle of risk management are set out below:

    [Figure: Risk Management Cycle. Stages: Identify risks; Evaluate the risks; Assess risk appetite; Identify suitable risk responses; Gain assurance on the effectiveness; Embed and review.]

    This section describes the stages we go through to integrate risk management into HEFCW's processes.

    Our Approach

    Risks are identified and assessed at two levels:

    Level 1: Corporate Risks


    Roles and Responsibilities

    The roles and responsibilities of the various groups and individuals within HEFCW are outlined below:

    Body: Key Responsibilities

    HEFCW Council: To approve the risk management strategy and policies and to determine HEFCW's 'risk appetite' advised by the Audit and Risk Committee, the Chief Executive and the Management Board.

    Audit and Risk Committee: To monitor and advise the Council on the preparation, implementation and maintenance of the Council's risk management strategy.

    The Chief Executive: As Accounting Officer, the Chief Executive remains ultimately accountable for the organisation and its management of risk. He must:

    have a clear understanding and assessment of the risks that could prevent delivery of objectives

    ensure that the organisation has effective risk management and control processes

    be provided with assurance that the processes and the key strategic risks are being effectively managed


    management and internal control.

    All Other Staff: Identification and management of operational and project risks. Drawing the attention of their line manager to key risks, which may be sufficiently serious to require monitoring at corporate level.


    Identifying the Risks

    If all key risks are to be identified, we will need input from those who are familiar with our processes and procedures as well as those involved in determining our strategies. Therefore staff at all levels within HEFCW need to be involved.

    Risk management should not be seen simply as a desk exercise to be undertaken only by Directors, Heads of Team or the Risk Assurance function.

    The Corporate Risk Register will be developed by the Management Board. The Management Board presently extracts its key objectives from the Corporate Strategy and develops them into a corporate operating plan. The Corporate Risk Register will therefore consist of:

    Key risks to the achievement of the Strategic Objectives; and

    Risks arising from Operational Risk Registers that have been evaluated as potentially having a significant impact at Corporate level.

    Operational Risk Registers will be developed for each Team with the key risks being identified by each Team's Risk Management Group in parallel with the development of Operating Plan objectives. The register should be developed by considering each operating plan objective and recording any significant risks to achieving that objective. Judgement needs to be exercised in this process: one objective could have several significant risks associated with it, and another may have none. It is perfectly acceptable to record an objective and note that there are no significant risks associated with it.

    Each Head of Team has a specific responsibility for oversight of the identification and


    Evaluating Risks

    Having identified our key risks, we then assess the likelihood of occurrence and the potential impact on the goals of HEFCW should they be realised. This provides us with a hierarchical assessment of the risks as illustrated below.

    [Figure: risk assessment matrix of Impact (High / Medium / Low) against probability. Cell guidance ranges from "mitigation controls / contingency plans", through "mitigation controls / contingency plans; monitor closely", to "take urgent remedial action; monitor rigorously".]


    delivery of a beneficial outcome in the public interest. As an Assembly Sponsored Public Body (ASPB) the National Assembly's priorities and objectives largely drive our risk appetite. Our understanding of these objectives, in consultation with our other key stakeholders, is reflected in our strategic plan. To deliver these objectives we need to balance opportunities to innovate and improve with our responsibilities in terms of accountability, propriety, regularity and value for money.

    The level of risk that is acceptable, our Risk Appetite, will be determined by the Council who are advised by the Audit and Risk Committee and the Management Board. Risk appetite may vary on a case by case basis depending on the perceived benefits of the issue being considered. For example we may be prepared to accept a higher level of risk in relation to a project with major potential benefits throughout the HE sector in Wales compared to one with similar risks but where the benefits are more tenuous or would only apply to a proportion of the sector. The Management Board will ensure consistency of approach and make sure that cross-functional risks are considered.


    Identifying Suitable Risk Responses

    Having identified the key risks faced by HEFCW we then need to decide how they should be managed. Responses to the risks will fall into four categories:

    TRANSFER: We already transfer some financial risks in relation to our contracts with Higher and Further education institutions because we can recover funds where our requirements are not met.

    TOLERATE: Accept the risk in view of the potential benefits and the cost of mitigating the risk.

    TREAT: This is the most likely category. We introduce additional internal controls to reduce the risk to an acceptable level. This could include, for example: monitoring reports to management; reviewing authorisation arrangements; audit reviews etc. Alternatively we might wish to consider changing the way we deliver aspects of our work to reduce the risks.

    TERMINATE: This option is probably limited to the more 'entrepreneurial' aspects of our operations where we might decide that the risks are too great and the potential rewards insufficient for us to engage in the activity at all. There is unlikely to be an option to terminate activities that fall within our core remit.

    The responses to the risks will form the basis of a plan setting out the actions, timescales and responsibilities necessary to manage the key risks down to an acceptable level.


    Our system of internal control must also encompass the funds provided by the Council which are transmitted to higher and further education institutions (and related bodies) for education, research and associated purposes.

    The Statement of Internal Control (SIC) requires the Chief Executive to carry out a review of the effectiveness of the Council's system of internal control and to report on that review each year.

    The Chief Executive participates in the exercise of many of the key internal controls or, through participation in activities, sees evidence of their existence and operation. In addition the Chief Executive receives confirmation from the Management Board and Risk Management Groups that the controls are working effectively.

    Monitoring the Risks

    A project management structure has been developed to facilitate input from all HEFCW staff, as follows:

    [Figure: Project Organisation. Bodies shown: Higher Education Funding Council for Wales; Audit & Risk Committee; Management Board.]


    Risk registers should be 'live' documents. Key risks will change over time and new responses to manage them may be required. Significant new risks should be recorded and assessed as soon as they become apparent. All Council, committees and management board papers should include a risk assessment section which provides detail of any identified risks, current or future, arising from the issues covered by the paper. The risk assessments in these papers should be consistent with the risks assessed in the risk registers.

    Formal reassessment of the risks recorded in our risk registers will be undertaken on an annual basis as part of our corporate and operational planning processes but this must not prevent ongoing re-assessment, recording and monitoring of risks as and when they arise. As a general guide, a formal full review of potential new risks to achieving our operational objectives should be carried out at least quarterly with formal monitoring of the actions due for completion being carried out at least once during each quarter by each Risk Management Group.

    Project Management

    Risk management is a key element in the control framework for running projects. HEFCW's Project Management Guidance requires the Project Manager to prepare a risk register for approval by the Project Owner when proposing a new project. The register must be prepared in accordance with these guidelines and in consultation with the Risk Assurance section.

    Risk registers for individual projects should be prepared on the same basis as the Corporate and Operational risk registers except that when evaluating the risks you should evaluate the impact as being the impact on the project rather than the overall impact on HEFCW. Risks for key projects could potentially be recorded at three different levels as illustrated:


    If we are to achieve HEFCW's mission, every member of staff will need to help by working towards the achievement of individual operational objectives. Our planning processes help to ensure that we all understand what our individual objectives, set for each member of staff, are and that they are consistent with the overall mission. The National Assembly, the HEFCW Council and the Management Board need a mechanism through which they can gain assurance regarding our ability to meet our objectives.

    The risk-based approach to internal control described in these guidelines provides a basis for the provision of assurance regarding our ability to deliver our objectives.


    HEFCW's obligation to make an annual Statement of Internal Control

    The Combined Code and the subsequent Turnbull report both emphasise the need for more focused and open ways of managing risks. To reflect this approach, corporate governance statements have been widened to include internal controls (not just financial controls). This has led to the inclusion of a new Statement of Internal Control (SIC) within financial statements, premised on strategic risk management processes being embedded in the operation of the organisation. The SIC is a narrative statement that explains how the Council has applied the internal control principle. This should cover risk management and all controls, including financial, operational and compliance controls.

    Since April 2002 the Chief Executive as the HEFCW Accounting Officer has been required by the National Assembly to provide a Statement of Internal Control (SIC) within the Accounts of the Higher Education Funding Council for Wales. This includes a commentary on:

    The Council's risk management strategy.

    Audit arrangements established by the Council.

    Monitoring procedures for subsidiary bodies - institutions and third party providers.

    Procedures established to ensure that aspects of risk management and internal control are regularly reviewed and reported on.

    The Chief Executive therefore requires assurance that the processes and the key


    Annex A

    Examples of Risks

    Examples of the types of risks that we may face in meeting our objectives are suggested below. The examples are intended to be illustrative only, not a definitive list of all possible risks:

    Fraud: Unauthorised use, Misrepresentation, Theft, Hacking

    Management: Decision making, Vision, Flexibility, Skills

    Health & Safety: Litigation

    Natural Events: Fire, Flood, Weather, Vermin

    Policy: Development, Delivery

    People: Communications, Direction, Skills

    Reputation: Public Perceptions, National Assembly


    Annex B

    Notes on completion of risk registers

    Column Heading: Guidance

    1 RISK (Risk reference linked to strategic aim and description of risk): Cross reference the risk to the Corporate and team plan objective to which it relates. Each objective should be recorded, even if there are no significant risks associated with it. This will act as a reminder when reviewing the register. The objectives should appear in the same order as in the Corporate and operational plan. Risks could relate to more than one objective.

    To identify the risk:

    1. Ask what is the objective?

    2. Ask what will prevent the objective being achieved?

    You do not have to identify a risk/risks for every objective provided you have worked through all objectives systematically in


    2 PROBABILITY (Assess probability of risk being realised): This assessment of a High, Medium or Low probability of the risk being realised should be before taking account of any controls in place to manage the risk.

    3 CONSEQUENCE: This should be a statement of the impact that the risk would have on the organisation's objectives if realised.

    4 IMPACT: This is an assessment of High, Medium or Low as to the severity of the impact of the consequence of the risk being realised.

    5 RISK RATING (GROSS): This is the combined risk of the assessed probability and impact from High/High down to Low/Low before taking account of any controls in place to manage the risk (sometimes referred to as the gross risk).

    6 TOLERATE GROSS RISK (Is this risk tolerable/acceptable? Yes or No): This is a judgement. In general any risk with a High probability (i.e. certain or almost certain to be realised) or High Impact (i.e. a fundamental impact) is unlikely to be acceptable together with risks that have both a Medium probability and


    The Risk Assurance Section can provide further guidance on the identification of controls if required.

    ACTIONS REQUIRED TO STRENGTHEN CONTROLS: Identify the actions required, if any, to enhance the control measures currently in place. These actions must be specific tasks allocated to a Head of Team and their Team's Risk Management Group with a specified timetable for completion of the task.

    8 RISK RATING (NET): This is the revised combined risk of the assessed probability and impact after taking account of controls in place (or controls identified to be put in place in the action plan above) to manage the risk (sometimes referred to as the net risk).

    9 TOLERATE NET RESIDUAL RISK (Is the residual risk now tolerable/acceptable? Yes or No): This is a forecast of the residual risk once the control actions identified above have been taken. Have you done, or are planning to do, all that you reasonably can do to manage the risk down to an acceptable level? If so can HEFCW accept the risk that remains?
