Swinburne

Andrew Holt

Manager, Risk Management, Swinburne University of Technology

September 2014

Gearing up in the new HE environment to manage risk

Science Technology Innovation Business Design

Andrew Holt - Swinburne University of Technology - Gearing Up in the new HE Environment to Manage Risk


Andrew Holt delivered the presentation at the 2014 University Governance and Regulations Forum. The 2014 University Governance and Regulations Forum examined key developments in the Higher Education legislative and regulatory framework and how these changes impact the governance of Australian universities. For more information about the event, please visit: http://bit.ly/unigove14


Page 2

Agenda

• Background of risk management at Swinburne
• Being pro-active and agile in the management of risk
• Optimising the value of risk management
• The Risk and Strategy relationship

Page 3

Background of risk management at Swinburne

April 2012 – July 2012

- Obtain feedback across University to understand needs

- Develop assessment of current risk management landscape

- Develop Risk Management Design and Implementation Plan

- Commence procurement of Risk Management Information System (RMIS)

August 2012 – November 2012

- Draft Commitment Statement

- Draft Risk Management Policy

- Draft Risk Management Framework

- Seek Council approval of above materials

- Select RMIS

December 2012 – February 2013

- High focus on implementation of RMIS

- Development of face-to-face and online training materials

March 2013 – May 2013

- Training of Executive and Risk Network

- Perform Strategic Risk Assessment

- Commence risk assessments of Organisational Units

June 2013 – August 2013

- Continue risk assessments of Organisational Units

- Trend and theme analyses across the individual risk registers

September 2013 – November 2013

- Embed risk management within strategic planning process

- Refresh Strategic Risk Assessment

- Report trend and theme findings to Council

December 2013 – June 2014

- Perform validation work on design and implementation of the Risk Management Framework

- Use findings from validation work, Internal Audit, regulators and other stakeholders to enhance and continually improve Risk Management at Swinburne

[Figure: timeline phases labelled Design, Implement, Monitor & Review and Continuous Improvement, shown with the framework cycle: Mandate and commitment; Design of framework for managing risk; Implementing risk management; Monitoring and review of the framework; Continuous improvement of the framework.]

Source: ISO 31000:2009 Risk Management – Principles and Guidelines

Page 4

Guiding philosophies

- Simple
  • Increase in engagement
- Focused
  • Risks are more targeted and fewer in number
- Supportive
  • Planning and decision-making
- Adaptive
  • Recognising the changing internal and external environments

Page 5

Abbreviations:

- RM D&IP – Risk Management Design and Implementation Plan
- RMCS – Risk Management Commitment Statement
- RMP – Risk Management Policy
- RMF – Risk Management Framework
- RMIS – Risk Management Information System

Swinburne Risk Management AS/NZS ISO 31000:2009 Traceability Matrix – Extract

4.3.2 Establishing Risk Management Policy

- AS/NZS ISO 31000:2009 concept summary: Organisational RM policy is required to ensure a clear and consistent approach to risk management is established. Needs to consider organisation objectives, accountabilities, resourcing, performance measures, continued improvement as well as adequate communication of Policy.
- Swinburne Risk Management reference: RMCS; RMP; RMF
- Swinburne approach and interpretation: Swinburne has an RM Commitment Statement and Policy outlining its objectives for, and commitment to, risk management. RM Framework discusses RM in the context of the broader organisational objectives. Accountabilities clearly articulated in RM Framework as well as requirements to measure risk management performance and continue to review and approve RM.
- Self-assessed maturity level: Mature

4.3.3 Accountability

- AS/NZS ISO 31000:2009 concept summary: Clear accountabilities and authorities relating to risk management should be established, including risk owners, responsibility for the development and maintenance of a framework as well as internal and escalation processes.
- Swinburne Risk Management reference: RMF – Section 2
- Swinburne approach and interpretation: Dedicated section of RM Framework discusses key responsibilities and accountabilities relating to risk management. This is supported by a “RACI” matrix. Requirement in place to ensure clear ownership of risks and controls exists. Supportive process maps in place.
- Self-assessed maturity level: Advanced

4.3.4 Integration into organisational processes

- AS/NZS ISO 31000:2009 concept summary: Risk management should become part of, and not separate from, organisational processes; this includes strategic planning and policy development processes. There is also a need for an enterprise-wide risk management plan to ensure policy is implemented and adequately embedded.
- Swinburne Risk Management reference: RM D&IP; RMF – Section 6
- Swinburne approach and interpretation: RMF explicitly references the importance of integration, with specific requirements developed for decision making and planning. Risk Champions are in place across all areas of the University to help integrate risk management into day-to-day activity. Risk management framework is now designed to better support strategic planning and review processes. The Risk Management Design and Implementation Plan is forward-looking and enterprise-wide and seeks to implement risk management across all areas of the University.
- Self-assessed maturity level: Mature

4.3.5 Resources

- AS/NZS ISO 31000:2009 concept summary: The organisation should allocate appropriate resources for risk management with consideration given to skills, experience, competence, information systems and training.
- Swinburne Risk Management reference: RMIS; RMF – Section 2; RMF – Section 4
- Swinburne approach and interpretation: There is a dedicated and skilled central risk management function in place. Policies and procedures are available to all staff. Risk Management Information System was implemented in early 2013. Targeted and general training programmes developed to increase capabilities. Risk Champions carry out specified responsibilities pertaining to risk management.
- Self-assessed maturity level: Advanced

Page 6

Being pro-active and agile in the management of risk

- Understanding and integrating into organisational processes

- Being fit-for-purpose and considering short-form

- Having a suite of user-friendly tools, templates and guidance available

- Resources are appropriately weighted in their support and focus

- Learn from the past, but always be looking forward

Page 7

Optimising the value of risk management

- Thinking laterally about how the organisation faces risk

- Focus on the benefits that risk management brings. We’re a supporter not a blocker!

- Finding the balance of commercial and technical language to build trust and engagement

- Strategic vs. Operational. An age-old discussion

- Activities beyond “Risk workshops”

• Thought-pieces

• Scenario planning

• Strategy discussions

• Decision-making

Page 8

Risk consideration in key decision-making

Risks of proceeding with proposal as presented (Option A)

| Risk Description | Risk Rating | Treatment Plan |
|---|---|---|
| Risk Description A1 | High | Treatment Plan 1; Treatment Plan 2 |
| Risk Description A2 | Major | Treatment Plan 1; Treatment Plan 2 |
| Risk Description A3 | High | Treatment Plan 1; Treatment Plan 2 |
| Risk Description A4 | Moderate | Treatment Plan 1; Treatment Plan 2 |

Risks of not proceeding with proposal (Option B)

| Risk Description | Risk Rating | Comment |
|---|---|---|
| Risk Description B1 | Moderate | Comment 1 |
| Risk Description B2 | Major | Comment 2 |
| Risk Description B3 | Low | Comment 3 |

[Figure: risk matrix plotting risks A1–A4 and B1–B3. Likelihood scale: Almost Certain, Likely, Possible, Unlikely, Rare. Consequence scale: Minor, Disruptive, Significant, Critical, Catastrophic.]

Risk rating definitions:

- Very High: Exposure to this level of risk would normally be discontinued except in extreme circumstances.
- High: Exposure to this level of risk must be discontinued as soon as practicable.
- Major: Unnecessary exposure to this level of risk should be discontinued as soon as practicable.
- Moderate: Exposure to this level of risk may be continued provided an appropriate assessment has been conducted.
- Low: Exposure to this level of risk is acceptable without additional treatments.

Page 9

The Risk and Strategy relationship

- Approach to planning and risk management should be complementary

- Opportunity to streamline processes – e.g. combined planning and risk workshops

- Top-down approach, complemented by bottom-up

- Increases the relevance and value that risk management provides

- Ensuring the organisation’s risks and objectives are appropriately linked

Page 10

Linking risk to the university’s strategic objectives

| 162 | RISK DESCRIPTION | TREND | CURRENT | TARGET |
|---|---|---|---|---|
| | Risk Description 1 | | Major | Low |

| RISK OWNER | RISK IDENTIFIED ON | LAST REVIEWED ON | NEXT SCHEDULED REVIEW |
|---|---|---|---|
| Prof. John Smith | 01/05/2014 | 01/08/2014 | 01/11/2014 |

RISK CONSEQUENCE

1. Consequence 1
2. Consequence 2
3. Consequence 3

RISK SOURCE/CAUSAL FACTOR(S)

1. Risk Source 1
2. Risk Source 2
3. Risk Source 3

EXISTING CONTROL(S)

- Control: Control 1; Control Effectiveness: 2 – Substantially Effective; Control Owner: Prof. Jane Briggs
- Control: Control 2; Control Effectiveness: 3 – Partially Effective; Control Owner: Mr. James Wong
- Control: Control 3; Control Effectiveness: 1 – Fully Effective; Control Owner: Prof. Jane Briggs

PRIMARY STRATEGIC OBJECTIVE AFFECTED BY RISK: Strategic Objective 3

PRIMARY AFFECTED RISK CATEGORY: 14. Information & Knowledge

TREATMENT PLAN TO ADDRESS THIS RISK

- Treatment Option: 1. Reduce the Likelihood
- Treatment Plan: Treatment Plan 1
- Treatment Owner: Prof. John Smith
- Due Date: 31/06/2015

Page 11

Linking risk to the university’s strategic objectives

[Figure: diagram linking Risk IDs 1–24 to Strategy 1, Strategy 2, Strategy 3 and Strategy 4 and to the Objectives listed under each strategy.]

| Risk ID | Risk Description | Rating |
|---|---|---|
| Risk ID 1 | Risk Description 1 | Moderate |
| Risk ID 2 | Risk Description 2 | Moderate |
| Risk ID 3 | Risk Description 3 | Low |
| Risk ID 4 | Risk Description 4 | Major |
| Risk ID 5 | Risk Description 5 | Moderate |
| Risk ID 6 | Risk Description 6 | Moderate |
| Risk ID 7 | Risk Description 7 | Major |
| Risk ID 8 | Risk Description 8 | High |
| Risk ID 9 | Risk Description 9 | Moderate |
| Risk ID 10 | Risk Description 10 | Major |
| Risk ID 11 | Risk Description 11 | High |
| Risk ID 12 | Risk Description 12 | Very High |
| Risk ID 13 | Risk Description 13 | Major |
| Risk ID 14 | Risk Description 14 | Moderate |
| Risk ID 15 | Risk Description 15 | Major |
| Risk ID 16 | Risk Description 16 | Moderate |
| Risk ID 17 | Risk Description 17 | Low |
| Risk ID 18 | Risk Description 18 | Major |
| Risk ID 19 | Risk Description 19 | High |
| Risk ID 20 | Risk Description 20 | Major |
| Risk ID 21 | Risk Description 21 | Major |
| Risk ID 22 | Risk Description 22 | Major |
| Risk ID 23 | Risk Description 23 | Moderate |
| Risk ID 24 | Risk Description 24 | Low |

Page 12

Contact details

Andrew Holt
Manager, Risk Management
Governance & Assurance Unit
Swinburne University of Technology

Ph: (03) 9214 8470 / 0434 247 022

Email: [email protected]