A PRESENTATION ON
FIJI NATIONAL UNIVERSITY
Mr. Amitesh Prasad, Manager Risk and Insurance
Introduction
FNU was formed in 2010 by the Government of Fiji. In 5 years it was established as the nation’s premier national university, offering higher education as well as vocational education and training.
The University considers risk management as a comprehensive process integrating concepts of strategic planning, operations management and internal control.
The University, through its ‘Mission, Strategies and Objectives’, is committed to managing risk to maximize opportunities and minimize setbacks.
FNU recognizes the importance of risk management and strongly believes that effective management of risks among the campuses, managed on an enterprise-wide basis, will assist in establishing strategic priorities and goals directly linked to the FNU objectives.
Scope of Risk Management Framework
The framework defines FNU’s risk management process methodology, appetite, training and reporting, and also establishes the responsibilities for implementation.
Aim - to ensure organisational capabilities and resources are employed in an efficient and effective manner to manage both opportunities and threats.
Objectives of Risk Management Framework
To provide a formal process to assist the University in:
1) Encouraging understanding by managers and their staff of the implications of risk exposures, opportunities and their risk management, in their day-to-day work and in strategic and operational planning activities;
2) Developing and implementing procedures to ensure that risks are identified, assessed against accepted criteria and that appropriate measures are implemented;
3) Defining and documenting responsibilities and processes.
Why is Risk Management Important?
Risk influences every aspect of the operations at the University.
Managing risks appropriately will enhance our ability to make better decisions, safeguard our assets, and enhance our ability to provide services to our students as well as achieve our University mission and goals.
An effective Risk Management Framework provides organisational resilience, confidence and benefits, including:
Provides a rigorous decision-making and planning process;
Provides flexibility to respond to unexpected threats;
Takes advantage of opportunities and provides competitive advantage;
Equips managers with tools to anticipate changes and threats faced by the University and to allocate appropriate resources;
stakeholders
Enables better business resilience and compliance management.
Benefits of implementing risk management are:
Reduces surprises (Improve control of adverse events, take action).
Exploitation of opportunities (Seek opportunity).
Improved planning, performance, effectiveness and utilization of resources.
Positive effect on ‘Reputation’ (Attracts -Investors, Students, Staff).
Accountability, assurance and governance (Maintain integrity and confidence).
Documentation for Legal actions, Government Enquiries.
What is risk?
Risk is defined as an event that may have an impact on the achievement of the University’s objectives.
Risk may arise from 2 sources which are:
External factors (e.g. risk from the impact of the global economic crisis, change in student demographics and numbers, changing legislation)
Internal sources (e.g. New projects, new faculty, infrastructure and capacity challenges, performances, etc.).
Risk appetite
Risk appetite is the amount of risk, on a broad level, that FNU is willing to accept in pursuit of value, and should reflect:
Risk management philosophy per location, project, process, etc.;
Capacity to take on risk;
The University objectives, risk plans and respective stakeholder demands;
Evolving industry and market conditions; and
Tolerance for failures with quantitative values, where applicable.
Risk Management Methodology – Standard: ISO 31000:2009, as shown below
RISK MANAGEMENT PROCESS
Communication and Consultation
Communication and consultation are critical considerations at each step of the risk management process, improving the level of understanding and treating risks.
Identifies ‘Who’ should be involved in the ‘Risk assessment process’
How much: Depends on how complex or significant the activity is.
Delivered by: Plans, Workshops, presentations, Risk Progress Reports, etc.
Regular communication helps create a risk management culture.
ESTABLISH CONTEXT
The context provides an understanding of the organisation, its capability and goals, objectives and strategies.
Establishing the University’s context defines the basic parameters within which risks must be managed and sets the scope for the rest of the risk management process.
The risks in FNU’s context were identified from the Strategic Plan 2020 and therefore it is proposed that these be managed on an ‘Enterprise-wide basis’.
Within this master category, risks were classified and the University will focus on the following three main Groups:
Strategic
Financial
Operations
Examples – Relation between Grouping and Risk Area/Description
Master Category | Risk Grouping | Risk Name / Area | Risk Description
Enterprise | Strategic | Business Planning | Long term plan for Financial and Business goals
Enterprise | Financial | Budget Implementation | Budget development process is effective
Enterprise | Operations | IT Infrastructure | Adequate IT infrastructure and planning in place
IDENTIFY RISKS
It is important to identify all the risks that have a potential effect on the University’s ability to meet its objectives/goals.
Questions to generate a comprehensive list of potential sources of risk and possible causes/scenarios are:
What can happen? Where and when?
Why and how can it happen?
Define the types of risk
Methods – These risks can be identified via checklists, based on experience, process analysis, brainstorming, flow charts, audits & inspections, surveys etc.
HOW DOES THE UNIVERSITY IDENTIFY RISKS?
Risk can be identified through the use of:
Focus groups (using brainstorming approaches, SWOT analysis techniques, project categories, or broad business categories);
Workshops;
Interviews with respective management; and
The intranet is also a means of reporting incidents or risks to the Risk Administrator for consideration.
Categories of risk used to enable appropriate aggregation are:
Students
Information and communication technology
Financial
Legal and Regulatory Compliance
Operational
Organisational effectiveness
Environmental
Reputation & Corporate Social Responsibility
Workplace Health & Safety
Projects
ANALYSE RISKS
Risk analysis develops an understanding of the risk and assists in deciding on the best approach, so that the highest risks can be identified and prioritised.
The objectives of this step are as follows:
Gather data for the evaluation and treatment steps.
Outcome will be the initial list of risks.
Analysis is in terms of likelihood and consequence, after considering the effect of the existing controls and how effective these existing controls are.
Are there adequate systems, policies, procedures, delegations, monitoring in place to support controls?
Do controls represent ‘Good Practice’ and minimise exposure to risks?
Are controls reviewed and maintained? Are the controls easy to use?
Are stakeholders aware of the controls and is adequate training/supervision available?
DETERMINATION OF LEVEL OF RISK
Using the Consequence and Likelihood table, the Risk Administrator can identify the best description of the risk after controls are in place.
Secondly, the risk is calculated by matching the Consequence and Likelihood ratings on the risk matrix.
Risk matrix (rows: Likelihood; columns: Consequences)
Likelihood | Insignificant | Minor | Moderate | Major | Catastrophic
Almost certain | High – H1 | High – H3 | Extreme – E1 | Extreme – E4 | Extreme – E8
Likely | Medium – M1 | High – H2 | High – H5 | Extreme – E3 | Extreme – E7
Possible | Low – L3 | Medium – M2 | High – H4 | Extreme – E2 | Extreme – E6
Unlikely | Low – L2 | Low – L5 | Medium – M3 | High – H7 | Extreme – E5
Rare | Low – L1 | Low – L4 | Medium – M4 | High – H6 | High – H8
PRIORITISING RISKS
The purpose of prioritising the risk is to determine the level of action needed for the identified and assessed risks.
Risk Score | What Should I do?
9-10 Extreme | Immediate action required
7-8 High | Action plan required, senior management attention needed
5-6 Medium | Specific monitoring or procedures required, management responsibility must be specified
2-4 Low | Manage through routine procedures.
THE RISK REGISTER
The Risk Management Register contains the following information:
Risk Rating / risk score identifying the severity of the risk
Reference Category (Strategic/Operational/Financial)
Risk description and Risk example
Potential consequence(s) of the risk
FNU’s Core Strategic Area(s) at threat
Control Statement
Accountable / Responsible
Timescales for the implementation of action plans
RISK EVALUATION
The key risk evaluation steps are as follows:
Determine low risks (acceptable) from more serious risks (not acceptable).
Compare estimated levels of risk against the pre-established criteria.
In general, the management priorities and the balance between potential benefits and adverse outcomes will have the highest impact on the risk priority.
Based on the outcomes of the risk analysis, decide how to treat the risk.
Acceptable risks would be low risks with adequate controls in place, and may only need to be monitored/reviewed to ensure the risks remain acceptable.
Unacceptable risks do not have adequate controls and will be prioritized for further action such as: Develop a treatment plan or Review the treatment plan to ensure controls are appropriate to manage the identified risk.
The result will be a prioritized list of risks which need to be managed.
RISK TREATMENT
The objective of this step is to identify how the identified risks will be treated.
Risk treatment involves identifying the options for treating each risk, evaluating those options, assigning accountability (for Extreme, High and Moderate residual risks) and taking relevant action.
Avoid the risk: Not to proceed with the activity or choosing an alternative approach to achieve the same outcome. Aim is risk management, not aversion.
Mitigate: Reduce the consequences – putting in place strategies to minimize adverse consequences, e.g. contingency planning, Business Continuity Plan, liability cover in contracts.
Transfer the risk: Shifting responsibility for a risk to another party by contract or insurance.
Accept the risk: Controls are deemed appropriate. These must be monitored and contingency plans developed where appropriate.
MONITOR AND REVIEW
Systems to monitor/review risks and the risk management process steps require careful selection, targeting and planning. Priority should be given to monitoring:
High risks.
Credible failure of treatment strategies, especially where this would result in high, or frequent, consequences.
Risk-related activities that feature high incidence of change.
Risk tolerance criteria especially where this results in high risk levels.
Technological advances that may offer more effective or lower cost alternatives to current risk treatment.
In general terms, monitoring and review practices will be one of the following types (and it is recommended that all three be included):
Continuous monitoring through routinely measuring or checking particular parameters (for example cash flows).
Periodic review involves investigation of the current situation, usually with a specific focus.
Line management reviews of risks and their treatments which are often selective in scope but typically routine and regular.
Risk Reporting
Documentation of risk management plans is designed to be brief, but with sufficient key controls and rationale for mitigation strategies.
Finance Resource Committee reporting
Key operational risks are discussed at Group and Divisional management meetings on a quarterly basis. The Risk Administrator develops a 6-monthly report.
More frequent reporting against high level risks occurs as deemed necessary, including direct reporting by the manager accountable.
The Faculty and Department level risks are collated by the Risk Administrator, and presented to the Finance and Resources Committee. This report will include:
Risk register of top 10 corporate risks;
Executive summary of key changes in risk profile and appetite; and
Commentary on significant residual risks.
LIKELIHOOD RATING
The number of times within a specified period in which a risk may occur, either as a consequence of business operations or through failure of operating systems, policies and procedures.
Rating | Description | Occurrence | Probability
Almost certain | Expected to occur in most circumstances | Multiple / 12 months | >80%
Likely | Will probably occur in most circumstances | Once / 12 months | 61 - 80%
Possible | Might occur within a 5 year time period | Once / 12 months - 5 yrs | 41 - 60%
Unlikely | Could occur during a specified time period | Once / 5 - 10 yrs | 21 - 40%
Rare | May only occur in exceptional circumstances | Once / > 10 yrs | <20%
Consequence Table
Table of Control levels
Risk Register Template
Risks and Mitigation Strategies
THANK YOU