Swinburne
Andrew Holt
Manager, Risk Management Swinburne University of Technology
September 2014
Gearing up in the new HE environment to manage risk
Science Technology Innovation Business Design
Agenda
• Background of risk management at Swinburne
• Being pro-active and agile in the management of risk
• Optimising the value of risk management
• The Risk and Strategy relationship
Background of risk management at Swinburne
April 2012 – July 2012
- Obtain feedback across University to understand needs
- Develop assessment of current risk management landscape
- Develop Risk Management Design and Implementation Plan
- Commence procurement of Risk Management Information System (RMIS)
August 2012 – November 2012
- Draft Commitment Statement
- Draft Risk Management Policy
- Draft Risk Management Framework
- Seek Council approval of above materials
- Select RMIS
December 2012 – February 2013
- High focus on implementation of RMIS
- Development of face-to-face and online training materials
March 2013 – May 2013
- Training of Executive and Risk Network
- Perform Strategic Risk Assessment
- Commence risk assessments of Organisational Units
June 2013 – August 2013
- Continue risk assessments of Organisational Units
- Trend and theme analyses across the individual risk registers
September 2013 – November 2013
- Embed risk management within strategic planning process
- Refresh Strategic Risk Assessment
- Report trend and theme findings to Council
December 2013 – June 2014
- Perform validation work on design and implementation of the Risk Management Framework
- Use findings from validation work, Internal Audit, regulators and other stakeholders to enhance and continually improve Risk Management at Swinburne
Timeline phases: Design, Implement, Monitor & Review, Continuous Improvement
[Figure: risk management framework cycle. Elements: Mandate and commitment; Design of framework for managing risk; Implementing risk management; Monitoring and review of the framework; Continuous improvement of the framework.]
Source: ISO 31000:2009 Risk Management – Principles and Guidelines
Guiding philosophies
- Simple
• Increase in engagement
- Focused
• Risks are more targeted and fewer in number
- Supportive
• Planning and decision-making
- Adaptive
• Recognising the changing internal and external environments
Swinburne Risk Management AS / NZS ISO 31000:2009 Traceability Matrix – Extract

Abbreviations:
RM D&IP – Risk Management Design and Implementation Plan
RMCS – Risk Management Commitment Statement
RMP – Risk Management Policy
RMF – Risk Management Framework
RMIS – Risk Management Information System

AS/NZS ISO 31000:2009 Reference: 4.3.2
AS / NZS ISO 31000:2009 Section: Establishing Risk Management Policy
AS / NZS ISO 31000:2009 Concept Summary: Organisational RM policy is required to ensure a clear and consistent approach to risk management is established. Needs to consider organisation objectives, accountabilities, resourcing, performance measures, continued improvement as well as adequate communication of Policy.
Swinburne Risk Management Reference: RMCS; RMP; RMF
Swinburne Approach and Interpretation: Swinburne has an RM Commitment Statement and Policy outlining its objectives for, and commitment to, risk management. RM Framework discusses RM in the context of the broader organisational objectives. Accountabilities clearly articulated in RM Framework as well as requirements to measure risk management performance and continue to review and approve RM.

AS/NZS ISO 31000:2009 Reference: 4.3.3
AS / NZS ISO 31000:2009 Section: Accountability
AS / NZS ISO 31000:2009 Concept Summary: Clear accountabilities and authorities relating to risk management should be established, including risk owners, responsibility for the development and maintenance of a framework as well as internal and escalation processes.
Swinburne Risk Management Reference: RMF – Section 2
Swinburne Approach and Interpretation: Dedicated section of RM Framework discusses key responsibilities and accountabilities relating to risk management. This is supported by a “RACI” matrix. Requirement in place to ensure clear ownership of risks and controls exists. Supportive process maps in place.

AS/NZS ISO 31000:2009 Reference: 4.3.4
AS / NZS ISO 31000:2009 Section: Integration into organisational processes
AS / NZS ISO 31000:2009 Concept Summary: Risk management should become part of, and not separate from, organisational processes; this includes strategic planning and policy development processes. There is also a need for an enterprise-wide risk management plan to ensure policy is implemented and adequately embedded.
Swinburne Risk Management Reference: RM D&IP; RMF – Section 6
Swinburne Approach and Interpretation: RMF explicitly references the importance of integration with specific requirements developed for decision making and planning. Risk Champions are in place across all areas of the University to help integrate risk management into day-to-day activity. Risk management framework is now designed to better support strategic planning and review processes. The Risk Management Design and Implementation Plan is forward-looking and enterprise-wide and seeks to implement risk management across all areas of the University.

AS/NZS ISO 31000:2009 Reference: 4.3.5
AS / NZS ISO 31000:2009 Section: Resources
AS / NZS ISO 31000:2009 Concept Summary: The organisation should allocate appropriate resources for risk management with consideration given to skills, experience, competence, information systems and training.
Swinburne Risk Management Reference: RMIS; RMF – Section 2; RMF – Section 4
Swinburne Approach and Interpretation: There is a dedicated and skilled central risk management function in place. Policies and procedures are available to all staff. Risk Management Information System was implemented in early 2013. Targeted and general training programmes developed to increase capabilities. Risk Champions carry out specified responsibilities pertaining to risk management.

Self-assessed maturity level (in the order listed on the slide): Mature; Advanced; Mature; Advanced
Being pro-active and agile in the management of risk
- Understanding and integrating into organisational processes
- Being fit-for-purpose and considering short-form
- Having a suite of user-friendly tools, templates and guidance available
- Resources are appropriately weighted in their support and focus
- Learn from the past, but always be looking forward
Optimising the value of risk management
- Thinking laterally about how the organisation faces risk
- Focus on the benefits that risk management brings. We’re a supporter not a blocker!
- Finding the balance of commercial and technical language to build trust and engagement
- Strategic vs. Operational. An age-old discussion
- Activities beyond “Risk workshops”
• Thought-pieces
• Scenario planning
• Strategy discussions
• Decision-making
Risk consideration in key decision-making
Risks of proceeding with proposal as presented (Option A)
Risk Description | Risk Rating | Treatment Plan
Risk Description A1 | High | Treatment Plan 1; Treatment Plan 2
Risk Description A2 | Major | Treatment Plan 1; Treatment Plan 2
Risk Description A3 | High | Treatment Plan 1; Treatment Plan 2
Risk Description A4 | Moderate | Treatment Plan 1; Treatment Plan 2
Risks of not proceeding with proposal (Option B)
Risk Description | Risk Rating | Comment
Risk Description B1 | Moderate | Comment 1
Risk Description B2 | Major | Comment 2
Risk Description B3 | Low | Comment 3
[Figure: risk matrix plotting risks A1–A4 and B1–B3. Likelihood axis: Almost Certain, Likely, Possible, Unlikely, Rare. Consequence axis: Minor, Disruptive, Significant, Critical, Catastrophic.]
Very High – Exposure to this level of risk would normally be discontinued except in extreme circumstances.
High – Exposure to this level of risk must be discontinued as soon as practicable.
Major – Unnecessary exposure to this level of risk should be discontinued as soon as practicable.
Moderate – Exposure to this level of risk may be continued provided an appropriate assessment has been conducted.
Low – Exposure to this level of risk is acceptable without additional treatments.
The Risk and Strategy relationship
- Approach to planning and risk management should be complementary
- Opportunity to streamline processes – e.g. combined planning and risk workshops
- Top-down approach, complemented by bottom-up
- Increases the relevance and value that risk management provides
- Ensuring the organisation’s risks and objectives are appropriately linked
Linking risk to the university’s strategic objectives
162
RISK DESCRIPTION: Risk Description 1
TREND:
CURRENT: Major
TARGET: Low
RISK OWNER: Prof. John Smith
RISK IDENTIFIED ON: 01/05/2014
LAST REVIEWED ON: 01/08/2014
NEXT SCHEDULED REVIEW: 01/11/2014
RISK CONSEQUENCE
1. Consequence 1
2. Consequence 2
3. Consequence 3
RISK SOURCE/CAUSAL FACTOR(S)
1. Risk Source 1
2. Risk Source 2
3. Risk Source 3
EXISTING CONTROL(S)
Control: Control 1; Control Effectiveness: 2 – Substantially Effective; Control Owner: Prof. Jane Briggs
Control: Control 2; Control Effectiveness: 3 – Partially Effective; Control Owner: Mr. James Wong
Control: Control 3; Control Effectiveness: 1 – Fully Effective; Control Owner: Prof. Jane Briggs
PRIMARY STRATEGIC OBJECTIVE AFFECTED BY RISK: Strategic Objective 3
PRIMARY AFFECTED RISK CATEGORY: 14. Information & Knowledge
TREATMENT PLAN TO ADDRESS THIS RISK
Treatment Option: 1. Reduce the Likelihood
Treatment Plan: Treatment Plan 1
Treatment Owner: Prof. John Smith
Due Date: 31/06/2015
[Diagram: risks linked to strategies and objectives. Labels in the diagram: Strategy 1, Strategy 2, Strategy 3, Strategy 4; Objective 1, Objective 2, Objective 3. Risks shown, with ratings:]
Risk ID 1 Risk Description 1 Moderate
Risk ID 2 Risk Description 2 Moderate
Risk ID 3 Risk Description 3 Low
Risk ID 4 Risk Description 4 Major
Risk ID 5 Risk Description 5 Moderate
Risk ID 6 Risk Description 6 Moderate
Risk ID 7 Risk Description 7 Major
Risk ID 8 Risk Description 8 High
Risk ID 9 Risk Description 9 Moderate
Risk ID 10 Risk Description 10 Major
Risk ID 11 Risk Description 11 High
Risk ID 12 Risk Description 12 Very High
Risk ID 13 Risk Description 13 Major
Risk ID 14 Risk Description 14 Moderate
Risk ID 15 Risk Description 15 Major
Risk ID 16 Risk Description 16 Moderate
Risk ID 17 Risk Description 17 Low
Risk ID 18 Risk Description 18 Major
Risk ID 19 Risk Description 19 High
Risk ID 20 Risk Description 20 Major
Risk ID 21 Risk Description 21 Major
Risk ID 22 Risk Description 22 Major
Risk ID 23 Risk Description 23 Moderate
Risk ID 24 Risk Description 24 Low
Contact details
Andrew Holt
Manager, Risk Management
Governance & Assurance Unit
Swinburne University of Technology
Ph: (03) 9214 8470 0434 247 022
Email: [email protected]