A PRESENTATION ON

FIJI NATIONAL UNIVERSITY

1

Mr. Amitesh PrasadManager Risk and Insurance

Introduction

2

FNU - was formed in 2010 by the Government of Fiji. In 5 yrs - established as the Nation’s premier national university offering higher education as well as vocational

education and training.

The University considers risk management as a comprehensive process integrating concepts of strategic planning, operations management and internal control.

The University’s Mission, Strategies and Objectives’, is committed to managing risk to maximize opportunities and minimize setbacks.

FNU recognizes the importance of risk management and strongly believes an effective management of risks among the campuses, managed on enterprise - wide bases, will assist establishing strategic priorities and goals directly linked to the FNU objectives.

.

3

Scope of Risk Management Framework

The framework defines FNU’s risk management process methodology, appetite, training and reporting, and also establishes the

responsibilities for implementation.

Aim - to ensure organisational capabilities and resources are employed in an efficient and effective manner to manage both opportunities and

threats.

4

Objectives of Risk Management Framework 

To provide a formal process to assist the University in: 1) Encouraging understanding by managers and their staff of the implications of risk exposures, opportunities and their risk management, in their day-to-day work and in strategic and operational planning activities;

2) Developing and implementing procedures to ensure that risk areidentified, assessed against accepted criteria and that

appropriate measures are implemented;

3) Defining and documenting responsibilities and processes. 

Why is Risk Management Important?

5

Risk influences every aspect of the operations at the

University.

Managing risks appropriately will enhance our ability to

make better decisions, safeguard our assets enhance our

ability to provide services to our students as well as achieve

our University mission and goals.

6

An effective Risk Management Framework provides organisational resilience, confidence and benefits, including:

  Provides a rigorous decision-making and planning process;

Provides flexibility to respond to unexpected threats;

Takes advantage of opportunities and provides competitive advantage;

Equips managers with tools to anticipate changes and threats faced by University and to allocate appropriate resources;

stakeholders

Enables better business resilience and compliance management.

7

Benefits of implementing risk management are:  Reduces surprises (Improve control of adverse events, take action).

Exploitation of opportunities (Seek opportunity).

Improved planning, performance, effectiveness and utilization of resources.

Positive effect on ‘Reputation’ (Attracts -Investors, Students, Staff).

Accountability, assurance and governance (Maintain integrity and confidence).

Documentation for Legal actions, Government Enquiries.

8

What is risk?

Risk is defined as an event that may have an impact on the achievement of the University’s objectives.

Risk may arise from 2 sources which are:

External factors (e.g. risk from impact on the Global economic crisis, change in student demographics and

numbers, changing legislation)

Internal sources (e.g. New projects, new faculty, infrastructure and capacity challenges, performances, etc.).

Risk appetite

9

Risk appetite is the amount of risk, on a broad level, that FNU is willing to accept in pursuit of value, and should reflect:  Risk management philosophy per location project, process, etc;

Capacity to take on risk;

The University objectives, risk plans and respective stakeholder demands;

Evolving industry and market conditions; and

Tolerance for failures with quantitative values, where applicable.

10

Risk Management Methodology – Standard: ISO31000:2009,as shown below

11

RISK MANAGEMENT PROCESS

Communication and Consultation  Communication and consultation are critical considerations at each step of the risk management process improving the level of understanding and treating risks.

Identifies ‘Who’ should be involved in the ‘Risk assessment process’

How much: Depends on how complex or significant the activity is.

Delivered by: Plans, Workshops, presentations, Risk Progress Reports, etc.

Regular communication assists create a risk management culture.

ESTABLISH CONTEXT1

The context provides an understanding of the organisation its capability and goals, objectives and strategies.

Establishing the Universities context defines the basic parameters within which risks must be managed and sets the scope for the rest of the risk management process

To identify FNU’s risk context were identified from the strategic Plan 2020 and therefore it is proposed that these be managed on an ‘Enterprise- wide basis’.

Within this master category, risks were classified and the University will focus on the following three main Groups:

12Strategic Financial Operations

Examples –Relation between Grouping and Risk Area/Description

13

Master Category

Risk Grouping

Risk Name /Area Risk Description

Enterprise Strategic Business Planning

Long term plan for Financial and Business goals

Enterprise Financial Budget Implementation

Budget development process is effective

Enterprise Operations IT Infrastructure

Adequate IT infrastructure and planning in place

IDENTIFY RISKS

It is important to identify all the risks that have a potential effect on the University’s ability to meet its objectives/goals.

Questions to generate a comprehensive list of potential sources of risk and possible causes/scenarios are:

What can happen? Where and when?

Why and how can it happen?

Define the types of risk

Methods – These risks can be identified via checklists, based on experience, process analysis, brainstorming, flow charts, audits & inspections, surveys etc.

14

HOW DOES THE UNIVERSITY IDENTIFY RISKS?

Risk can be identified through the use of:

Focus groups (using brainstorming approaches, SWOT analysis techniques, project categories, or broad business categories);  

Workshops;

Interviews with respective management; and

The intranet is also a means of reporting incidents or risks to the Risk Administrator for consideration.

15

CON’T

16

Categories of risk used to enable appropriate aggregation are:

Students Information and communication technology

Financial Legal and Regulatory Compliance

Operational Organisational effectiveness

Environmental Reputation & Corporate Social Responsibility

Workplace Health & Safety Projects

ANALYSE RISKS

Risk Analysis is developing an understanding of the risk and assists deciding on the best approach to ensure the highest risks can be identified and prioritised.

Objective of this step are as follows:

Gather data for the evaluation and treatment steps.

Outcome will be the initial list of risks.

Analyse is in terms of likelihood, and consequence after considering the effect of the existing controls and how effective are this existing controls.

Are there adequate systems, policies, procedures, delegations, monitoring in place to support controls?

Do controls represent ‘Good Practice’ and minimising exposure to risks?

Are controls reviewed and maintained? Are the controls easy to use?

Are stakeholders aware of the controls and is adequate training/supervision available?

17

 DETERMINATION OF LEVEL OF RISK

Using the Consequence and Likelihood table - risk administrator could identify the best description of the risk after controls are in place.

Secondly, risk calculation via matching the Consequence and Likelihood ratings on the risk matrix is undertaken.

18

Consequences

Likelihood Insignificant Minor Moderate Major Catastrophic

Almost certain

High – H1 High – H3 Extreme –E1 Extreme –E4 Extreme –E8

Likely Medium –M1 High – H2 High – H5 Extreme – E3

Extreme –E7

Possible Low – L3 Medium –M2 High – H4 Extreme –E2 Extreme –E6

Unlikely Low – L2 Low – L5 Medium – M3

High – H7 Extreme –E5

Rare Low – L1 Low – L4 Medium – M4

High – H6 High – H8

19

PRIORITISING RISKS

The purpose of prioritising the risk is to determine the level of action needed for the identified and assessed risks.

Risk Score What Should I do?

9-10 Extreme Immediate action required

7-8 High Action plan required, senior management attention needed

5-6 Medium Specific monitoring or procedures required, management responsibility must be specified

2-4 Low Manage through routine procedures.

20

THE RISK REGISTER  The Risk Management Register contains the following information:  Risk Rating / risk score identifying the severity of the risk

Reference Category (Strategic/Operational/Financial)

Risk description and Risk example

Potential consequence(s) of the risk

FNU’s Core Strategic Area(s) at threat

Control Statement

Accountable / Responsible

Timescales for the implementation of action plans

The key risk evaluation steps are as follows:

Determine low risks (acceptable) from more serious risks (not acceptable).

Compare estimated levels of risk against the pre-established criteria.

In general, the management priorities and the balance between potential benefits and adverse outcomes will have the highest impact on the risk priority.

Based on the outcomes of the risk analysis, decide how to treat the risk.

Acceptable risk would be low risks with adequate controls in place and may require only to be monitored/reviewed to ensure the risk remain acceptable.

Unacceptable risks do not have adequate controls and will be prioritized for further action such as: Develop a treatment plan or Review the treatment plan to ensure controls are appropriate to manage the identified risk.

Result will be a prioritized list or risks which need to be managed.

  21

RISK EVALUATION

The objective of this step is to identify how the identified risks will be treated.

Risk treatment involves identifying the options for treating each risk, evaluating those options, assigning accountability (for Extreme, High and Moderate residual risks) and taking relevant action.

22

RISK TREATMENT

Avoid the risk Not to proceed with the activity or choosing an alternative approach to achieve the same outcome.Aim is risk management, not aversion.

Mitigate Reduce the consequences – putting in place strategies to minimize adverse consequences, e.g. contingency planning, Business Continuity Plan, liability cover in contracts.

Transfer the risk Shifting responsibility for a risk to another party by contract or insurance.

Accept the risk Controls are deemed appropriate. These must be monitored and contingency plans developed where appropriate.

23

Risk Treatment Con’t

Systems to monitor/review risks and the risk management process steps require careful selection, targeting and planning. Priority should be given to monitoring:

High risks.

Credible failure of treatment strategies, especially where this would result in high, or frequent, consequences.

Risk-related activities that feature high incidence of change.

Risk tolerance criteria especially where this results in high risk levels.

Technological advances that may offer more effective or lower cost alternatives to current risk treatment.

24

MONITOR AND REVIEW

In general terms, monitoring and review practices will be one of the following types (and is recommended should include all three):

Continuous monitoring through routinely measuring or checking particular parameters (for example cash flows).

Periodic review involves investigation of the current situation, usually with a specific focus.

Line management reviews of risks and their treatments which are often selective in scope but typically routine and regular.

25

MONITOR AND REVIEW CON’T

26

Risk Reporting

Documentation of risk management plans is designed to be brief, but with sufficient, key controls and rationale for mitigation strategies.

Finance Resource Committee reporting

Key operational risks are discussed at Group and Divisional management meetings on a quarterly basis. The Risk Administrator develops a 6 monthly report.

More frequent reporting against high level risks occurs as deemed necessary, including direct reporting by the manager accountable.

27

The Faculty and Department level risks are collated by the Risk Administrator, and presented to the Finance and Resources Committee. This report will include:

Risk register of top 10 corporate risks;

Executive summary of key changes in risk profile and appetite; and

Commentary on significant residual risks.

Risk Reporting Con’t

LIKELIHOOD RATING

The number of times within a specified period in which a risk may occur either as a consequences of business operations or through failure of operating systems, policies and procedures.

28

Rating Description Occurrence Probability

Almost certain

Expected to occur in most circumstance

Multiple / 12 months

>80%

Likely Will probably occur in most circumstance

Once / 12 months

61 - 80%

Possible Might occur within a 5 year time period

Once / 12 months - 5 yrs

41 - 60%

Unlikely Could occur during a specified time period

Once / 5 -10 yrs 21 – 40%

Rare May only occur in exceptional circumstance

Once / > 10 yrs <20%

29

Consequence Table

30

31

Table of Control levels

32

Risk Register Template

33

Risks and Mitigation Strategies

34

35

36

37

38

THANK YOU