RISK MANAGEMENT FRAMEWORK

The methodology proposed within this framework is built upon the components of the
Australian and New Zealand Pubic Sector Guideline (AS/NZ Standard), the International
Organization for Standardization (ISO) 31000, and the Risk Management Guideline of the BC
public Sectori.

The University’s risk management process is consistent with the seven elements identified
within IS0 31000:2009 and the AS/NZS 4360:2004. Two elements communicate and consult
and monitor and review, occur continually thorough the process. The remaining elements are
normally undertaken sequentially. Figure 1, illustrates the VIU risk management framework
with typical examples under each heading.

Figure 1 Vancouver Island University Risk Management Frame work

The ERM Process in the Public Sector (adapted from AS/NZS4360:2004)

(determine roles & responsibilities… include

1. COMMUNICATE & CONSULT
stakeholders)

2. ESTABLISH 3. IDENTIFY 4. ANALYZE 6. TREAT RISKS

CONTEXT RISKS RISKS Typical Treatments:

Integrated Plans Probability Accept

Identification of Control
Capital Projects risk Consequence Share
Mitigate
New Programs Categorization of Ranking Score
risk Sample Mitigation
Systems Projects 5. EVALUATE Treatments:
RISKS
Financial Plans Emergency Plan
Adequacy of Contingency Plans
Emergency/Disaster Controls Insurance
Ranking Score Waivers
(As determined by Tolerance Contracts
management) Action

(capture risk information… follow up on treatments…

7. MONITOR & REVIEW
report)

Last Updated: July 12, 2013

1
1. Communication and Consultation

“Communication and consultation with internal and external stakeholders should take
place during all stages of the risk management process.” 1 Communication and
consultation means that risk assessment, response and monitoring is proactive and
inclusive.

2. Establish the Context

Establishing the context for a risk management assessment confirms the subject of the risk
assessment. As identified in Figure 1, examples of “subjects” would include: major
integrated plans, significant capital projects, new programs, major system projects or
financial plans. Note that emergency and disaster plans are specific treatments
(mitigations) within a wider process.

A number of factors can influence the context both internally and externally, including
organizational direction, government policy, budget regulations, economic factors or even
natural events. Executive, Deans, Executive Directors, Directors, Campus Principals and
Managers have the responsibility of deciding when to apply a formal risk assessment
process to support their decision making.

3. Risk Identification

3.1 Risk Definition

Risk2:
The effect of an event or trend, either positive or negative that will have a
significant impact on operations and/or the fulfillment of the University’s
objectives.

3.2 Identification

This phase consists of identifying the possible risks. Various methods can be used to
identify risk such as: interview or focus groups, brainstorming, decision trees, historical
information, incident reports, scenario analysis etc.

1
CAN/ISO 31000, page 14.

2
Australian and New Zealand Public Sector Guidelines for Managing Risk (HB 143:1999) defines risk as the "chance of something
happening that will have an impact on objectives. It is measured in terms of consequences and likelihood."

The Canadian Institute of Chartered Accountants defines risk as "the possibility that one or more individuals or organizations will
experience adverse consequences from an event or circumstance."

The Canadian Standards Association Risk Management: Guidelines for Decision-Makers (CAN/CSA -Q850-97) defines risk as "the
chance of injury or loss as defined as a measure of the probability and severity of an adverse effect to health, property, the
environment or other things of value."

The International Organization for Standardization (ISO) ISO 31000 defines risk as the "effect of uncertainty on objects”. Note 1-
the emphasis is on effect rather than chance, similar to AS/NZS 4360, the definition is neutral in terms of negative and positive
consequences.

Last Updated: July 12, 2013

2
 The ISO recommended method for stating a risk involves considering the three elements:
event, cause and impact. Since we define risk as the “effect of uncertainty, either positive
or negative”, it is helpful define the risk in the context of preventing the achievement of an
organizational objective, milestone or target.

There are several tools located on the website to assist in the identification of risks such as
Fire triangle, bowtie diagram, Five Whys.

3.3 Categorization

Generally, risks can be classified into one of the following four broad categories—strategic,
operational, reporting, and compliance. For Program reviews, risks can be categorized
within the criteria identified in the Summative Assessment Procedure.
 Strategic risks are those risks which by their nature, could impact the achievement
of high-level objectives within the integrated planning framework or the
University’s ability to achieve its purpose or support of its mission. These risks
could be financial, reputational or legal.
 Operational risks, on the other hand, relate to (a) threats from ineffective or
inefficient business processes for supporting, servicing, and marketing programs,
and (b) threats of loss of assets, including reputation.
 Reporting risks relate to the reliability, accuracy, and timeliness of information
systems, and to reliability or completeness of information used for either internal
or external decision-making.
 Finally, compliance risks address the inadequate communication of laws and
regulations, internal behavior codes and contract requirements, and inadequate
information about failure of management or employees to comply with applicable
laws, regulations, contracts, and expected behaviours.

4. Analyze Risk

Risk analysis is the process of calculating the probability of the event and the consequence
if it occurs. The product of these two becomes the Risk Ranking.

4.1 Probability

Probability is the likelihood that the risk event will occur. Probability rarely implies
mathematical certainly rather it is a subjective estimate as demonstrated in Figure 2 or
could be measured in time as demonstrated in Figure 2.

Last Updated: July 12, 2013

3
 Figure 2: Matrix for Probability (consistent with BC Government metrics3)

PROBABILTY = Likelihood of the risk event occurring

Score Descriptor How Likely (%)

1 Rare Less than 5%

2 Unlikely 5 to 25

3 Possible 25 to 55

4 Likely 55 to 90

5 Almost Certain 90 to 99

Figure 3: Probability Alternate

PROBABILTY = Likelihood of the risk event occurring

Score Descriptor Measure

1 Long Term > 36 months

2 Medium Term 18 to 36 months

3 Short Term 12 to 18 months

4.2 Consequence

Consequence is the impact or severity of the effect of the risk on the goal or objective.

3
Risk Management Guide for Public Sector, Feb 21, 2011, page 14.

Last Updated: July 12, 2013

4
 Figure 4: Matrix for Consequence (adapted from BC Government metrics4)

Consequence = impact or severity of the effect

Score Impact Descriptor

1 Insignificant Negligible effects

Strategic View: Normal Difficulties
o Stakeholder faith affected lasting less than 6 months
o Isolated injury
o Financial loss of less than $250K
2 Minor Normal administrative difficulties
Strategic View: Delay will occur in fulfilling objective
o Stakeholder faith affected lasting longer than 6 months
o Isolated injury
o Financial less than $1M
3 Significant Delay in accomplishing program or project
o Stakeholder faith affected lasting longer than 12 months
o Multiple injury
o System interruption
o Dispute that could affect term
o Financial loss greater than $1M less than $2M
4 Major Program or project redesign required, re-approval and or re-do
required.
Strategic View: Integrated Plan timeline affected.
o Stakeholder faith affected lasting longer than 18 months
o Isolated loss of life
o Major system loss at critical time
o Dispute that could affect term
o Financial loss greater than $2M less than $5M
5 Severe/ Project or program irrevocable finished, objective not met.
Strategic View: Mandate or objective not met.
Catastrophic
o Stake holder faith affected lasting longer than 24 months
o Multiple loss of life
o Complete system crash
o Dispute that could cause loss of full term
o Inability to recruit students or staff
o Financial loss greater than $5M

4.3 Risk Ranking

Risk Ranking: is the combined effect of the probability and the consequence. Ranking
score = (Probability Score) times (Consequence Score). A risk ranking matrix is used to
categorize the severity of the risk rating.

4
Risk Management Guide for Public Sector, Feb 21, 2011, page 14.

Last Updated: July 12, 2013

5
 Figure 5: Ranking Heat Map Matrix
HEAT MAP: RANKING SCORE

5 5 10 15 20 25
RANKING = Probability X CONSEQUENCE
4 4 8 12 16 20
Score 0-4 Low
3 3 6 9 12 15
Score 5-10 Medium
2 2 4 6 8 10
Score 12-16 High
1 1 2 3 4 5
score 20-25 Extreme
CONSEQUENCE 1 2 3 4 5
PROBABILITY

4.4 Risk Terms

There are many terms associated with ranking risks. It is not necessary to use all the terms
but it is important to have common understanding of the following terms:

Inherit Risk is the rating of the risk event in the absence of existing controls or mitigation
treatments. The value in assessing the inherent risk is to understand the full potential that
exists.

Current Risk is the rating of the risk event at the time of reporting. This allows you to track
the effect of mitigation treatments that have already been applied.

Residual Risk is the rating of the risk after taking into account the additional mitigation or
treatments strategies. It is important to project the potential residual risk as it will
establish a bench mark for monitoring and reporting.

Risk tolerance is the maximum level of risk that the University is willing to accept for a
particular exposure. The tolerance should defined by Executive or Management, based
upon the nature of the risk, existing controls, and implications of planned mitigations. In
assessing the risk and defining how much risk the University is willing to tolerate, relevant
factors for success should be defined. Factors to consider could include: reputation,
market, resources, quality, financial viability, compliance etc.

5. Evaluation

Evaluation involves looking at the ranked risks in relationship to existing controls in the context
of the tolerance for a particular risk. The outcome from evaluation is to arrive at a decision as to
how to respond to the risks that have been analyzed. A generic heat map is presented in Figure
6, below. The heat map is used as a tool to evaluate the identified risks; the map sorts the risk
events based upon their respective risk score into the various response quadrant.

Last Updated: July 12, 2013

6
 Figure 6 Generic Risk Heat Map

6. Treatment or Mitigation

Risks are plotted on the risk map based upon their respective risk score, as determined
using the method described previously. The treatment strategy selected will be
determined by the risk ranking. An example is presented in Figure 7 below. Due to the
diverse nature of the University’s teaching, research and community services , and, the fact
that not all risks can be transferred to third parties through insurance policies, contracts or
waivers, the management and monitoring effort may be required on residual risk in some
cases.

Risk mitigation treatment strategies tend to fall into one of the following categories -
avoidance (eliminate or not become involved); control (ensure adequate processes are in
place); accept (potential opportunity) or transfer (outsource to external party).

Accept: When the impact and probability of occurrence are low.

Control: When there is a high probability of a risk but its impact would be low: ensure that
appropriate controls are in place.

Share: When there is a high impact but low probability: share the risk with others (e.g.
insurance).

Mitigate and Control (Reduce): When both the probability and the impact are high, design
controls and processes to reduce exposure.

Last Updated: July 12, 2013

7
 Figure 7: Applied Risk Map (Sample)
IMPACT Risk Management Actions
Significant
Financial Loss > $5MM
Stakeholder faith impacted and lasts > 18 months
Considerable Must manage Extensive
Isolated or Multiple Loss of Life
Management and monitor management
Multiple events of fine, fraud or legal action
Required risks essential
Complete system crash with loss of critical data
Inability to recruit, retain staff to operate
Labour disruption that impacts graduation
Moderate
Financial Loss < $5 MM
Stakeholder faith impacted and lasts 6-12 months
Significant injury to one or more Risks may be Management
Management
Isolate incidents of fine, fraud, or legal action worth accepting effort
effort required
System crash during a peak period with monitoring worthwhile
Difficulties in recruit and retain staff
Labour disruption that impacts operations of any
duration
Minor
Financial Loss < $500,000
Stakeholder faith impacted and lasts < 6 months
Accept but Manage and
Isolated injury Accept risks
monitor risks monitor risks
Civil or criminal action threatened
System off-line periodically during non-peak
periods
Low Medium High
> 36 months 18 to 36 months 12 to 18 months
LIKELIHOOD

7. Monitoring & Reporting

Monitoring is about managing your risk information. Monitoring is a follow-up activity,

ensuring that policies and procedures have been carried out as intended. Sometimes
monitoring procedures can be as simple updating of the risk register and the risk map.

The risk register is a management tool which, through a review and updating, provides a
framework in which problems that may arise and adversely affect the delivery of the
anticipated benefits are captured and actions instigated to reduce the probability and the
impact of that particular risk. The Risk Register should be visible to faculty/departmental
stakeholders so they are able to see the risks that concern them being addressed.

An essential tool is the risk register which is a means of recording the identified risks, their
severity, and the actions steps to be taken. The risk register should evolve over time with
potential risks removed and new ones added.

Last Updated: July 12, 2013

8
Supporting Documents:

Risk Register Template

Related Policies and Procedures:

Summative Assessment Procedure 31.15.003

Contract related Policy xxxxxx

Signing Authority Policy 42.09

References

Ministry Advance Education and Labour Market Development: Risk Management Guide

Province Of British Columbia Risk Management Branch Risk Management Guide for The Public
Sector Feb 21, 2011 (http://www.fin.gov.bc.ca/PT/rmb/ref/RMB_ERM_Guideline.pdf)

Government of Canada Framework for the Management of Risk August 27, 2010
(http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=19422&section=text#cha1)

University Regina Enterprise Risk Management Policy 10.105

Australia/New Zealand Standard (ERM)

Deloitte: A New Global Standard for Risk Management Inside ISO 31000:2009
(http://www.deloitte.com/assets/Dcom-
Canada/Local%20Assets/Documents/ERS/ca_en_ers_inside_ISO31000_handout_040310.pdf)

End of document

i
Australian and New Zealand Public Sector Guidelines for Managing Risk (HB 143:1999).

The Canadian Standards Association Risk Management: (CAN/CSA -Q850-97)

International Organization for Standardization (ISO) 31000.

Risk Management Guideline For the Public Sector (http://www.fin.gov.bc.ca/PT/rmb/ref/RMB_ERM_Guideline.pdf)

Last Updated: July 12, 2013

9