Risk Management charter and framework v0.9 dd 15-6-2017
RISK MANAGEMENT CHARTER AND
RISK MANAGEMENT & INTERNAL CONTROL FRAMEWORK 0.9
Executive Board
Copies: 1
15-6-2017
Table of Contents
PART 1 Tilburg University Risk Management Charter
1 TiU Risk Management Strategy (p. 6)
  Law and legislation (p. 6)
  Mission of the Risk management function (GRC Officer) (p. 6)
  Purpose of the Risk function (p. 7)
2 Definition (p. 9)
  Scope of Risk Management (p. 10)
3 Risk management responsibilities (p. 11)
  Responsibilities of management (p. 11)
  Responsibilities of every employee (p. 11)
  Responsibilities of Governance, Risk & Compliance Officer (GRC officer) (p. 12)
  Responsibilities of Internal Audit (p. 12)
4 Authority and capabilities of GRC Officer (p. 13)
5 Reporting (p. 14)
PART 2 Tilburg University Risk Management Framework
1 TiU principles – the foundation of the framework (p. 16)
2 Risk Management – 3 lines of defense model (p. 17)
3 The framework within TiU (p. 18)
4 The key components of the framework and the key activities of the Risk Management Framework (p. 19)
  The Risk Management Framework and the five activities (p. 19)
  Risk Appetite (p. 20)
  Risk Identification: risk mapping (p. 21)
  Risk assessment (p. 23)
  Risk mitigation (p. 25)
    4.5.1 Assessment of the controls (p. 26)
  Risk monitoring (p. 26)
    4.6.1 Risk strategy (p. 26)
    4.6.2 Level 1 or level 2 checks (p. 27)
    4.6.3 Action plan management (p. 27)
  Risk management reporting (p. 28)
5 Incident management (p. 29)
  Incident detection (p. 29)
    5.1.1 Incident reporting (p. 29)
    5.1.2 Communication with experts (p. 30)
    5.1.3 Audit & control reports (p. 30)
  Capturing and analyzing incidents (p. 30)
  Incident reporting (p. 31)
6 Risk management advisory (p. 31)
7 Internal Control (p. 34)
  Definition (p. 34)
  Fundamentals of internal control (p. 35)
8 Internal Control System (p. 36)
  Control environment (p. 36)
  Control background (p. 37)
    8.2.1 Organizational Chart (p. 37)
    8.2.2 Job descriptions (p. 37)
    8.2.3 Governance, powers and delegations (p. 38)
  Process and risk mapping (p. 38)
    8.3.1 Process mapping (p. 38)
    8.3.2 Risk mapping (p. 39)
  Control activity system (p. 39)
    8.4.1 Policies / standards / guidelines (p. 39)
    8.4.2 Reporting & Communication (p. 40)
    8.4.3 Checks & monitoring (p. 40)
Addendum A: risk categories (p. 41)
Tilburg University Risk Management Charter and Risk Management & Internal Control Framework
The goal of Tilburg University (TiU) is to actively contribute to society. The university wants to serve society and make it a better place for all citizens. TiU has always actively promoted ways to firmly embed education and research in society. In the Strategic Plan 2014 five ambitions were defined in order to achieve these goals:
Quality comes first
Innovation according to a focused method
Connections through networking
Focused International cooperation
One single, effective university.
Good risk management & internal control is necessary to meet the ambitions with regard to a high-quality and effective University. TiU wants to be a university that stakeholders and society can trust. Adequate risk management is part of the licence to operate. It builds trust and protects our good name in society.
Effective risk management means being in control and protecting against loss and damage. It improves the way we operate for all stakeholders and is vital for sustainable operations.
Risk management is therefore strongly linked with internal control, and for that reason we have combined the Risk Management Framework and the Internal Control Framework in this document. In it we describe how we have embedded risk management and internal control in TiU, with the goal of managing risks effectively.
Charter: in the charter we describe the roles and responsibilities for risk management.
Framework: in the framework we outline the methodology, tools and methods that are used for risk management and internal control.
PART 1 Tilburg University Risk Management Charter
The purpose of the Charter is to define the organization, operation and governance of risk management for Tilburg University. The charter applies to all staff.
The charter requires the definition of a sound Risk Control Framework and a GRC officer, and describes the roles and responsibilities with regard to risk management for Tilburg University.
1 TiU Risk Management Strategy
Tilburg University (TiU) is an ambitious university that aims to meet the highest international standards. One of its core values is that quality exceeds quantity. This can only be realized if the organization and its internal control are of a very high standard. The pressure on the internal control of universities is increasing due to internal and external developments, for example (scientific) fraud cases and increasing complexity and dynamics. There is also pressure on income due to changes in financing. This has resulted in more formalized codes of conduct, e.g. the Code of Governance issued by the Vereniging Samenwerkende Nederlandse Universiteiten (VSNU).
Effective management of risk is a cornerstone in building trust. It enables TiU to protect its reputation and reduce losses and costs, and helps to minimize the risk of investigations, prosecution and penalties, because we do the right things in the right way.
Law and legislation
The basis for adequate risk management is not clearly defined by law and legislation, but can be derived from the Code of Governance issued by the Vereniging Samenwerkende Nederlandse Universiteiten (VSNU).
This Code is in line with the Dutch Corporate Governance Code (Code Tabaksblat). Elements in this code that relate to risk management / internal control are:
Code 2.1.4: ‘The executive board will ensure that the activities of the university are appropriately arranged administratively, legally, organizationally and financially, are transparent and can be accounted for.’
Code 2.1.5: ‘The executive board will submit the internal risk management and monitoring systems to the Board of Governors[2].’
Code 4.1.3: ‘The executive board is responsible for establishing and maintaining internal procedures (administrative organization and internal control) which ensure that all relevant financial information is known to the executive board, so that the timeliness, completeness and accuracy of the internal and external financial reports are safeguarded. The board of trustees will supervise the establishment and maintenance of these internal procedures.’
TiU has implemented a Governance, Risk & Compliance function at the request of the Board of Governors.
Mission of the Risk management function (GRC Officer)
The objectives of the Risk management function are to:
Raise awareness of the need for risk management;
Minimize loss, disruption, damage and injury and reduce the costs of risks;
Identify and assess all the risks together with the business owners.
The goal is to embed risk management in the daily operations, together with the organization, in order to maximize trust and minimize the related risk.
[2] At TiU this refers to the Stichtingsbestuur.
Purpose of the Risk function
The Risk management (Risk Control Framework) is built in line with the COSO ERM model[3]. COSO identifies the relations between the risks and the internal control system. Within the context of the mission, the vision and the strategic objectives it implements a process of management, control, reporting and review.
Internal control is a process that provides reasonable assurance regarding the realization of the goals with regard to:
Realization of strategic objectives (strategic)
Effectiveness and efficiency of processes (operations)
Reliability of (financial) information (reporting)
Compliance with applicable law and legislation.
An effective (risk) control system contains 8 elements that are related to the management process:
Internal environment: this relates to the culture of the internal organization and contains the risk management philosophy, the risk appetite and the integrity and ethical values of the organization.
Objective setting: objectives must be defined in order to define the risks of not realizing them.
Event identification: internal and external events that influence the realization of the objectives must be identified. This includes risks and opportunities.
Risk assessment: risks need to be assessed in terms of likelihood and impact.
Risk response: for each risk the most appropriate response must be selected (avoid, accept, mitigate or transfer) in order to align the risk with the risk appetite.
Control activities: in order to mitigate the risks, controls (policies, procedures, checks) must be identified and implemented.
Information and communication: relevant information must be identified and communicated.
Monitoring: monitor the effectiveness of risk management and implement changes for improvement.
Within this framework the purpose of the Governance, Risk & Compliance Officer is, per risk management element, to:
Internal environment: deepen the culture of risk management by partnering with the business to increase a culture of trust, accountability, transparency and integrity.
Objective setting: support the TiU strategy by clearly defining roles and responsibilities with regard to risk management and proactively advise TiU with regard to all risks, using a risk-based approach to align business outcomes with the risk appetite.
Event identification: understand and advocate the processes and activities in order to identify risks and the related events, by working together with the business.
Risk assessment: assess the risks in cooperation with the organization.
Control activities: define and assess the effectiveness of risk controls in cooperation with the business, in line with the defined risk strategy.
Information and communication: develop and enhance tools to detect, communicate, report and manage the risks in order to limit surprises.
Monitoring: implement a monitoring and reporting system with regard to the effectiveness of risk management.
[3] COSO ERM: the COSO ERM model is the most commonly used framework for the implementation and assessment of risk management and was defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
2 Definition
In this chapter you will find the definitions of terms used in this document:
Risk: an event that has a negative or positive impact on the organizational goals.
Operational risk: the risk of loss resulting from the inadequacy or failure of any internal process, or from external events, whether deliberate, accidental or natural.
  The risk of loss represents the possible occurrence of an event liable to lead to a loss or unforeseen cost. The loss is deemed to be ‘the effect’.
  The term ‘resulting from’ introduces the concept of cause.
  Inadequacy or failure of any internal process: in the TiU definition this includes persons and systems.
  The external events referred to in this definition cover those of human or natural origin. External events do not refer to the so-called financial market risks that relate to counterparty risk, interest risk etc.
  The definition introduces 2 fundamental principles:
  It is centered on internal processes;
  It is based upon a cause-event-effect analysis.
Strategic risk: strategic risks are those risks that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives.
Legal risk: legal risk arises from the potential that unenforceable contracts, lawsuits or adverse judgments can disrupt or otherwise negatively affect the operations or conditions of TiU.
Regulatory risk: regulatory risk is the risk of legal or regulatory sanctions, material financial loss or loss of reputation that TiU might suffer as a result of its failure to comply with laws, regulations, rules, branch standards (VSNU) and codes of conduct applicable to all of its activities.
Reputational risk: the risk resulting from adverse perception, whether true or not, of the image of Tilburg University.
Safety risk: the risk of injury or death to staff members or students.
Operational risk management: the mechanisms, tools, policies, procedures and processes, including management oversight, to identify, assess, monitor, report and control operational risk.
Internal control: internal control is the mechanism by which TiU is organized to:
  Ensure the overall control of risks;
  Give reasonable assurance that the strategic targets are realized.
  The internal control framework aims to ensure:
  The development of a high-level risk culture;
  The effectiveness and quality of the LSN internal operating mode;
  The reliability of internal and external information;
  The security of operations;
  Compliance with law, legislation and internal policies.
Incident: incidents are real events resulting from inadequate or failed internal processes, or from external event(s), which have led or could lead to a loss, gain or shortfall in income, to a loss of trust (reputation), to sanctions / penalties issued by a regulator, or to a serious injury of a staff member or student.
Scope of Risk Management
Risk management applies to all processes and activities of Tilburg University and to all staff members of Tilburg University.
3 Risk management responsibilities
Risk management is the responsibility of all staff members of Tilburg
University.
Responsibilities of management
Management is accountable for all the processes they perform and in that role they are also responsible for the control of the risks.
They must set a good example with regard to considering the expectations of the stakeholders, knowing and applying the rules, and defining and encouraging a culture where people are trusted and accountable for their activities.
The Executive Board is ultimately responsible for risk management for all of the activities of Tilburg University. The Executive Board will report incidents and report on the risk management & control systems to the Audit Committee and the Board of Governors (supervisor).
The management of divisions and faculties (directors, deans) is responsible for risk management for all the activities in their department / faculty.
At all levels management must create an environment of individual and collective accountability in which the importance of adequate risk management is well understood. Management achieves this in part by providing sufficient resources (training, budget, staffing) to its risk management function. It is important that staff members understand the risks and why they need to execute controls in order to mitigate these risks.
Furthermore, management plays an important role in risk management, as they need to inform the GRC officer of operational incidents that occur in their faculty or division. They need to:
Collect all the information with regard to the incident and report it to the GRC officer (within 3 working days);
Assist the GRC officer in the analysis of the incidents and take part in the follow-up process by implementing corrective and preventive measures.
The Executive Board has appointed a Governance, Risk and Compliance Officer to embed Risk
management in the organization.
Responsibilities of every employee
Every employee of TiU is responsible for risk management with regard to their own activities. They must understand how to execute their activities and why they are performing the steps in the process (risk awareness).
Responsibilities of Governance, Risk & Compliance Officer (GRC officer)
The GRC officer is responsible for the following:
Manage day-to-day activities with regard to risk management;
Define and implement the Risk Control Framework and drive its ongoing evolution;
Facilitate, advise and support the faculties and departments in defining the Risk Control Framework for their activities, including training and communication support;
Oversee risk management activities in all faculties and divisions, and advise and support the faculties and divisions in this respect;
Advise and support the organization in changes and processes with respect to risk management, e.g. by participating in projects;
Ensure adequate and timely reporting with regard to incidents and risk management.
Responsibilities of Internal Audit
Internal Audit is responsible for the provision of independent, objective assurance on the overall
effectiveness of the Risk management and internal control process.
4 Authority and capabilities of GRC Officer
The Governance, Risk & Compliance function requires rules with respect to the authority of the GRC function with regard to:
Independence: to avoid potential conflicts of interest the GRC Officer must be independent of the business activities and report directly to the Chairman of the College van Bestuur of Tilburg University.
Investigate and challenge: when the GRC officer perceives a risk, or when a management decision may give or has given rise to a significant financial or reputational risk for TiU, he/she must investigate and challenge any actions or concerns without influence from the business. If the matter is not promptly resolved, the GRC Officer must follow the escalation process.
Escalation: when the GRC officer escalates a matter, he/she must decide whether to advise the College van Bestuur that the course of action would result in an unacceptable risk and that the action cannot proceed. Management must postpone the execution of the action until a decision has been taken by the College van Bestuur.
Access: the GRC officer must, at all times, have unfettered and direct access (in accordance with applicable law and legislation) to all activities in his/her area of responsibility. This includes all documentation, systems (e.g. complaints registers, whistleblower reports and files), employees, the Chairman of the Executive Board, directors, staff members etc. that the GRC officer reasonably believes are necessary to execute his/her responsibilities effectively. The GRC officer must have the opportunity to attend (relevant) meetings to raise any matters that are reasonable and necessary.
Liaison and partnering: the GRC officer must work closely together with the management of faculties and divisions and with employees to ensure knowledge exchange about risk & control.
Capabilities, evaluation and remuneration: the GRC officer must have the necessary qualifications, experience and professional and personal skills to enable him/her to carry out the responsibilities effectively. He/she must have an overall understanding of the activities and governance of Tilburg University and must understand the obligations, legislation and standards that impact the activities. The GRC officer must coach and train new management regarding risk management. The GRC officer must have the opportunity to develop his/her skills. The remuneration of the GRC Officer will be in line with the Collective Labour Agreements.
Recruitment and termination: the President of the Executive Board will decide whether to appoint or terminate the GRC Officer.
5 Reporting
The GRC officer will report at least quarterly to the President of the Executive Board on the effectiveness of the implementation and embedding of risk management in Tilburg University. This report will contain:
Status update on risk management implementation;
Key risks;
Incidents reported;
Status of action plan implementation.
All incidents that meet the defined threshold will be reported by the GRC officer to the President within 5 working days after detection. Incidents that are reported under the whistleblower regulation or with regard to scientific integrity are excluded from this reporting; the regulations on whistleblowing and scientific integrity define separate reporting, in which an advice is provided. The GRC officer will receive these advices, analyze them and, in cooperation with the accountable departments, define an action plan. The monitoring of the follow-up of this action plan is included in the standard process. The Executive Board will ensure the reporting to the Board of Governors via the standard process.
PART 2 Tilburg University Risk Management Framework
The Tilburg University (TiU) risk management framework (framework) comprises the principles, processes and tools that the organization uses to manage risk. It is essentially a risk management program.
The framework is a key tool for the organization and all of its employees and supervisors to understand – and apply – our approach to risk management. It also creates transparency for our external stakeholders.
The important topics for risk management are:
1. The business principles of Tilburg University – the foundation of the framework
2. The three lines of defense model to manage risk
3. The framework in Tilburg University
4. The key components and the key activities of the chart.
This framework complements, and should be read together with, the Charter. Modifications to the Framework must be aligned with the scope of the charter.
1 TiU principles – the foundation of the framework
The business principles of Tilburg University express what the University holds dear, what we believe and what we aim for. Individually each principle is equally important, and taken as a whole they define our collective conscience. As such they are the foundation of everything we do.
The principles are defined in our code of conduct (rules of behavior), which can be found on the intranet, and are: those who work or study at Tilburg University
Behave appropriately and are conscientious and trustworthy;
Show respect for each other;
Use their expertise in their field of study/activity to contribute to an inspiring working environment;
Are involved with both individuals and society.
2 Risk Management – 3 lines of defense model
The three lines of defense model that Tilburg University has implemented helps us to mitigate the risks – it applies to all faculties and divisions within the University. This model is essential for the effective operation of the Risk Control Framework.
Tilburg University has implemented risk management based upon the three lines of defense model: the Executive Board and management, the risk management functions, and the Internal Audit department. The three lines of defense model distinguishes among functions that own and manage risks, functions that monitor and oversee risks, and functions that provide independent assurance.
Defense line 1: Management
The first line of defense develops and implements mitigation activities, including monitoring and reporting, for managing risks in business activities. The directors and management manage risks day-to-day and are affected by the consequences of the risks.
Defense line 2: Risk management function
The second line of defense assists management in identifying their risks. They help management to identify activities that mitigate the risks (controls) within the risk appetite of the University. They monitor the control of the risks and advise on risk-related matters. They work together with other second line of defense functions (e.g. finance & control) to provide objective challenge and support, escalating matters when necessary to help optimize the trade-off between risk and reward. The second line of defense serves in an advisory and validation role as the organization designs, implements and embeds policies and guidelines, tracks internal mitigation activities (action plan management) and executes training on risk-related subjects.
Defense line 3: Internal Audit
The third line of defense provides management with independent, objective assurance on the overall effectiveness of the design and operation of internal controls (mitigation activities).
[Figure: the three lines of defense under the Executive Board. First line of defense: management. Second line of defense: staff departments (Governance, Risk & Compliance, Finance & Control). Third line of defense: Internal Audit (independent).]
3 The framework within TiU
The University operates in a complex environment governed by law and legislation in which the
reputation is one of the key assets for the organization.
It is therefore important that we have embedded Risk management in the organization as a good
level of control of the risk secures the reputation, the continuity and the realization of the goals as
defined in the Strategic Plan.
The Framework consists of the following components:
The Risk Management Framework
Incident management
Advisory Services
The Risk Management Framework (RMF) reflects the key activities that need to be performed in order to understand and manage the strategic and operational risks. These are activities that the first line of defense must implement.
Advisory services are the specialized support and advice that the first line of defense receives to help manage the compliance risks more effectively.
4 The key components of the framework and the key activities of the Risk Management Framework
The Risk Management Framework and the five activities
The Risk Management Framework is a vital part of the framework, as it provides an overview of the compliance obligations, of the risks arising from law and legislation, and of their implementation in Tilburg University. The chart is the outcome of a continuous process and consists of 5 key activities that are listed in the chart:
1. Risk Identification
2. Risk Assessment
3. Risk Mitigation (incl. training and education)
4. Risk Monitoring (incl. Action Tracking)
5. Risk Reporting (incl. incident management)
The risk management framework provides an overview of the
risks related to activities (processes) and an assessment of
the impact, the mitigation measures. In other words how is
the control of risks embedded and ensured? It helps the
business in the awareness of the risks and it helps to provide
assurance about risk management to stakeholders like
regulators, auditors and employees as all information is
centralized.
The Risk Management Framework must contain the following:
1. A clear description of the risks
2. A risk assessment of these risks (impact assessment) without and with the current controls in place (gross and net risk assessment)
3. The process to which the risks are linked
4. The implemented controls that mitigate the risk
5. The process owner (accountable), who is also responsible for the risks and the related controls.
The chart must be as practical, brief and concise as possible, and must link to existing and newly
identified activities.
Management must:
1. Help the GRC officer develop and update the risk management chart by clearly identifying the
principal business activities and relevant processes affected by the risks.
2. Identify the employees that have managerial accountability for and are accountable for
execution of an activity outlined in the Risk Management Framework.
3. Formally approve the Risk Management Framework for their activity / entity.
4. Notify GRC immediately of any changes in activities that have an effect on the Risk
Management Framework.
Governance, Risk & Compliance Officer must:
1. Develop and maintain a Risk Management Framework for the University (entities) with the
assistance of management.
2. Demonstrate that all the elements of the chart have been discussed and approved by the
accountable management.
(Figure: the risk management cycle with its five activities: 1 Risk Identification, 2 Risk
Assessment, 3 Risk Mitigation, 4 Risk Monitoring, 5 Risk Reporting)
Risk Appetite
The risk appetite is the amount of risk that Tilburg University is willing to accept in order to
achieve its objectives. Organizations can have a prudent (defensive) or a more offensive position
towards the risks they are willing to take. It is important that the risk appetite is defined and
formalized, even though it is difficult to quantify. Questions that help to define the risk appetite are:
What is our growth or innovation strategy?
What are our main risks?
What is the worst case scenario financially?
How much risk can we bear (risk tolerance)?
o Which risk buffer is available?
o How agile is the organization?
What can absolutely never be in the news?
How effective is our current internal control system?
In most circumstances only the financial component of the risk appetite is defined: what is the
capital at risk?
Within Tilburg University we use the following risk appetite scale (based upon Kaplan, see footnote 4).
Rating | Philosophy (overall risk taking philosophy) | Tolerance for uncertainty (willingness to accept uncertain outcomes or period to period variation) | Choice (when faced with multiple options, willingness to select an option that puts objectives at risk) | Trade off (willingness to trade off against achievement of other objectives)
1 - Averse | Avoidance of risk is a core objective | Extremely low | Will select the lowest risk option, always | Never
2 - Minimalist | Extremely conservative | Low | Will accept only if essential, and limited possibility/extent of failure | With extreme reluctance
3 - Cautious | Preference for safe delivery | Limited | Will accept if limited, and heavily outweighed by benefits | Prefer to avoid
4 - Flexible | Will take strongly justified risks | Expect some | Will choose to put at risk, but manage the impact | Willing under right conditions
5 - Open | Will take justified risks | Fully anticipated | Will choose option with the highest return, accept possibility of failure | Willing
4 Kaplan, Robert S. and Mikes, Anette, Risk Management — The Revealing Hand (March 4, 2016). Harvard Business School Accounting & Management Unit Working Paper No. 16-102. Available at SSRN: https://ssrn.com/abstract=2744133
The risk appetite is defined for the following categories:
Image
Students
Safety
Technical innovation
Employee relationship
Revenue growth
Profit & Loss
Environment
Management must:
1. Identify and decide on the risk appetite that Tilburg University is willing to accept.
Governance, Risk & Compliance Officer must:
1. Facilitate the definition of the risk appetite.
Risk Identification: risk mapping
The Risk Management Framework must be kept up-to-date. It must at all times reflect the
strategic and operational risks that apply to the activities of Tilburg University. The risk mapping
is defined based upon 4 goals:
Ensure that all activities are processed correctly, completely and timely
Ensure adequate (= effective) and efficient processing with the goal to realize the
strategic goals
Ensure that the processes are compliant with law and legislation
Ensure that the processes / activities do not harm the reputation of Tilburg
University.
The risk mapping is prepared by the GRC Officer together with the manager accountable for the
process. Workshops are organized to define the risks per process and activity.
Management must:
1. Identify, together with the GRC officer, risks that arise from the activities in their
faculty, division, and department.
GRC officer must:
1. Identify with management the risks and update the Risk Management Framework.
For all risks we define the cause, the risk (event) and the effect (see the example below).
The risks (events) are categorized using a standard categorization. We distinguish the following
risk types:
Strategic risk: risks that result from the strategic or tactical decision process.
Operational risk: risks that result from failure or omission in internal processes, human
error, technological error or unexpected external events.
Financial risk: risks that result from deviations in the valuation of financial assets due to
interest rates, currencies etc.
Regulatory risk: risk of sanctions / penalties due to non-compliance with law and
legislation.
These risk categories are broken down in more detail using a methodology that is common
practice in the market, for example the DEPEST categories for strategic risks and the BASEL II
categories (used in financial institutions) for operational risk. Addendum A contains the
overview.
Completeness of the risk mapping is an important issue. We must ensure (as far as possible) that
the risk mapping is exhaustive. In order to realize this we have implemented the following
method:
Cross reference with historical incidents (see incident management)
Review of management reports.
Responsibility: Governance, Risk & Compliance Officer in cooperation with the accountable managers.
Requirements: Risk mapping should be updated at least every year. All risks should be clearly
described (cause, risk and effect) and linked to a process and accountable department. Risk
mapping should be validated and approved by:
o Business owner for their risks
o Executive Board for the overall risk mapping
Publication: The master document for risk mapping is managed by the GRC Officer. It is stored
at GRC - SharePoint.
Example (figure): Cause (f.e. fraud / input error / power outage) -> Risk (event) (f.e. non
availability of system) -> Effect (f.e. additional costs / reputation)
Inducer / cause: What causes the risk? There can be multiple causes linked to one risk.
Risk: The description of the risk.
Effect: What is/are the effects of the risk? This is often linked to financial, reputational,
regulatory or safety impact. One risk can have multiple effects.
Risk assessment
The risks that are defined in the risk mapping will be assessed by the business owner
accountable (assisted by the GRC Officer).
Management must:
1. Participate in and contribute to the risk assessment sessions to define the risks and assess
the impact.
2. Work with GRC to identify the high risks (risk assessments).
3. Work with GRC to identify the controls that mitigate the (high) risks.
4. Validate and approve the outcome of the risk assessment.
5. Inform the GRC officer in case of any changes that impact the risks.
Governance, Risk & Compliance Officer must:
1. Ensure that the risks are integrated in the assessment process.
2. Participate in (facilitate) all risk assessments.
3. Rate and rank, in cooperation with management, the current and anticipated critical and high
residual risks and determine the mitigation measures.
4. Ensure that the reporting regarding risk contains the information regarding risk assessments.
5. Review and update the risk mapping at least on an annual basis in cooperation with
management.
This impact assessment is performed based upon a standard methodology that identifies the
following impact types:
Financial impact: risk with impact on additional costs or loss of income;
Regulatory impact: risk of sanctions issued by regulators;
Reputational impact: undermining of the reputation and image of Tilburg University;
Health and safety impact: risk impacting the health and safety of the employees and / or
students.
The risk assessment will be executed based upon the most likely case, i.e. not on a worst case
scenario.
The impact of the risk is defined in:
Frequency / chance: probability of the risk occurring (most likely case)
Severity: impact of the risk (most likely case)
A risk may have one or more effects and therefore related impact types. It is important that
all impacts are assessed to have a comprehensive view of the resulting effect in the event the
risk occurs.
The risk assessment is done using a standardized grid (Frequency x Severity -> Impact):
Frequency / chance | Description
0 - Rare | Once in 100 years or less
1 - Unlikely | Once in 25 years up to once in 100 years
2 - Possible | Once in 5 years up to once in 25 years
3 - Likely | Once in 1 to 5 years
4 - Frequent | Up to once a year or more
Severity / impact | Financial (costs or missing income) | Regulatory (sanctions / fines) | Reputation (impact on image) | Health and safety (impact on health of staff or students)
1 - incidental | < €5.000 | Not to be reported to regulator | Hardly any effect on reputation: no impact on TiU | Very small impact / injury
2 - minor | > €5.000 and < €50.000 | To be reported to regulator: no follow up | Loss of trust or complaints: short term impact on TiU | Limited impact / injury; medical treatment necessary
3 - moderate | > €50.000 and < €100.000 | Reported to regulator: follow up by regulator (corrective action plan) | Medium term impact and investigation started | Large impact / injury: one or more hospitalized
4 - major | > €100.000 | Sanctions and fines issued by regulator | Long term impact on reputation / effect on core activities | High impact: casualties or long term handicap
Impact assessment grid (low = laag, medium = gemiddeld, high = hoog in the original):
Chance / impact | 0 - rare | 1 - unlikely | 2 - possible | 3 - likely | 4 - frequent
1 - incidental | low | low | low | medium | medium
2 - minor | low | low | medium | medium | high
3 - moderate | low | medium | medium | high | high
4 - major | high | high | high | high | high
For every risk we will assess 2 situations:
Gross risk / inherent risk: risk with impact without implementation of mitigating controls
(what is the impact when there are no measures implemented to mitigate the risk?)
Net risk / residual risk: impact of the risk taking into account the measures that control
the risk.
Responsibility: Governance, Risk & Compliance Officer in cooperation with the accountable managers.
Requirements: Risk assessment should be updated at least every year. All risks should be assessed
using the standardized grid. Risk assessment should be validated and approved by:
o Business owner for their risks
o Executive Board for the overall risk mapping
Publication: The master document for risk assessment is managed by the GRC Officer. It is stored
at SharePoint - GRC.
Risk mitigation
Risk mitigation is the process of developing and implementing controls that mitigate the risk. In
general the Internal Control Framework defines the set of measures that is implemented to control
the organization in order to realize its strategy. We refer to part 3 for the internal control
framework, as it is closely linked to the Risk Management Framework and more specifically to risk
mitigation. The Internal Control standard provides more insight in the building stones of internal
control, which also play a very important role in risk management.
For risk management the following categories of controls are implemented to mitigate the risk:
Documentation & procedures: formalised documentation such as processes and working
instructions; policies and standards; contracts / service level agreements
Access and security: physical security (f.e. access control, measures against water or fire
damage etc.); business continuity (BCP): disaster recovery, back-ups, crisis team, evacuation
etc.; security of information: login procedures, passwords, system authorisations; risk /
finance: insurances
Organization: meetings; monitoring processes (f.e. budget and forecast); training and
awareness activities
Checks: dedicated check or monitoring (level 1 or level 2)
For the risks that are identified as gross risk with impact high (hoog) according to the grid
mentioned in chapter 4.3, the mitigating controls will be defined and formalized.
Responsibility: Governance, Risk & Compliance Officer in cooperation with the accountable managers.
Requirements: For all gross risks with impact high (hoog) the mitigating controls will be identified
and described. Risk mitigations should be validated and approved by:
o Business owner for their risks
Publication: The master document for risk mitigation is managed by the GRC Officer. It is stored
at SharePoint - GRC.
4.5.1 Assessment of the controls
For all controls that are listed in the RCS the effectiveness must be assessed. They can have the
following assessment:
Adequate: the control is described and implemented
Inadequate: the control is not described / formalized
Non-existent: the control does not exist.
For every control this assessment must be formalized. In case of inadequate or non-existent
controls a follow up action must be defined.
Responsibility: Governance, Risk & Compliance Officer in cooperation with the accountable managers.
Requirements: The RCF assessment must be validated in case of significant changes or at least
every year. In case of assessment inadequate or non-existent a follow up action plan (monitored
by the GRC officer) must be formalized.
Publication: The master document for risk mitigation is managed by the GRC Officer. It is stored
at SharePoint - GRC.
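As an added illustration (not code from the charter or from Tilburg University), the following script applies the standardized grid of chapter 4.3, the gross / net assessment, the rule that gross risks rated high need documented mitigating controls, and the 4.5.1 rule that an inadequate or non-existent control needs a follow-up action, to a constructed risk register. The register layout, field names and sample entries are assumptions made for the example.

```python
"""Added illustration, not code from the charter or from Tilburg University.

Applies the charter's standardized risk assessment grid (frequency 0..4 x
severity 1..4 -> low / medium / high, 'laag / gemiddeld / hoog' in the original),
the gross (inherent) versus net (residual) assessment, the rule that gross risks
rated high need documented mitigating controls, and the 4.5.1 rule that an
inadequate or non-existent control needs a follow-up action. The register
layout, field names and sample entries below are assumptions made for the example.
"""
from dataclasses import dataclass, field

# Impact assessment grid from the charter: key = severity, list index = frequency.
IMPACT_GRID = {
    1: ["low", "low", "low", "medium", "medium"],      # incidental
    2: ["low", "low", "medium", "medium", "high"],     # minor
    3: ["low", "medium", "medium", "high", "high"],    # moderate
    4: ["high", "high", "high", "high", "high"],       # major
}
LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}
CONTROL_ASSESSMENTS = ("adequate", "inadequate", "non-existent")


def impact_level(frequency: int, severity: int) -> str:
    """Grid lookup; values outside the charter's scales are rejected."""
    if frequency not in range(0, 5):
        raise ValueError(f"frequency must be 0..4 (rare..frequent), got {frequency}")
    if severity not in range(1, 5):
        raise ValueError(f"severity must be 1..4 (incidental..major), got {severity}")
    return IMPACT_GRID[severity][frequency]


@dataclass
class Control:
    description: str
    assessment: str             # adequate / inadequate / non-existent
    follow_up_action: str = ""  # required unless the control is adequate


@dataclass
class Risk:
    name: str
    cause: str                  # inducer, f.e. input error
    effect: str                 # f.e. additional costs
    process: str                # process the risk is linked to
    owner: str                  # accountable process owner
    gross: tuple                # (frequency, severity) without controls
    net: tuple                  # (frequency, severity) with current controls
    controls: list = field(default_factory=list)


def review_risk(risk: Risk):
    """Return (gross_level, net_level, findings) for one register entry."""
    findings = []
    gross_level = impact_level(*risk.gross)
    net_level = impact_level(*risk.net)
    # Every risk must be described by cause, risk and effect and linked to a
    # process and an accountable owner.
    for attr in ("cause", "effect", "process", "owner"):
        if not getattr(risk, attr).strip():
            findings.append(f"{risk.name}: missing {attr}")
    # Gross risks rated high must have their mitigating controls described.
    if gross_level == "high" and not risk.controls:
        findings.append(f"{risk.name}: gross risk is high but no mitigating controls are described")
    # Controls cannot make a risk worse: the net rating must not exceed the gross rating.
    if LEVEL_ORDER[net_level] > LEVEL_ORDER[gross_level]:
        findings.append(f"{risk.name}: net risk ({net_level}) exceeds gross risk ({gross_level})")
    for control in risk.controls:
        if control.assessment not in CONTROL_ASSESSMENTS:
            findings.append(f"{risk.name}: control '{control.description}' has unknown "
                            f"assessment '{control.assessment}'")
        elif control.assessment != "adequate" and not control.follow_up_action.strip():
            findings.append(f"{risk.name}: control '{control.description}' is "
                            f"{control.assessment} without a follow-up action plan")
    return gross_level, net_level, findings


def review_register(risks):
    """Review every entry; returns {risk name: (gross, net, findings)}."""
    return {risk.name: review_risk(risk) for risk in risks}


# Constructed sample register (illustrative values, not TiU data).
SAMPLE_REGISTER = [
    Risk(name="Student records system outage",
         cause="power outage / hardware failure",
         effect="non availability of system, additional costs",
         process="Student administration", owner="Director LIS",
         gross=(3, 3), net=(2, 2),
         controls=[Control("Business continuity plan with off-site backups", "adequate"),
                   Control("Generator test procedure", "inadequate")]),  # no follow-up action
    Risk(name="Fraudulent expense claims",
         cause="input error / fraud", effect="financial loss, reputation",
         process="Finance", owner="Director Finance & Control",
         gross=(4, 2), net=(1, 2), controls=[]),  # high gross risk, nothing documented
]

if __name__ == "__main__":
    for name, (gross, net, findings) in review_register(SAMPLE_REGISTER).items():
        print(f"{name}: gross={gross} net={net}")
        for finding in findings:
            print("  -", finding)
```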
Risk monitoring
4.6.1 Risk strategy
Based upon the risk appetite the strategy related to the residual (net) risk must be defined. What
is the strategy related to the risk? In general controls need investment (cost money) and
therefore the effort should be balanced. Therefore per risk we need to define the risk strategy:
Avoid: avoid the risk by stopping the activity
Accept: accept the residual risk as it is and take no additional mitigation measures (controls)
Mitigate: take additional measures to mitigate the risk further ==> implement more controls
Transfer: transfer the risk to another party, f.e. an insurance company
Increase: in certain cases the accepted risk can be higher than it currently is ==> eliminate controls
An action plan must be implemented in case of all strategies except for 'accept'.
4.6.2 Level 1 or level 2 checks
The monitoring of risks makes it possible for the business to verify whether the risk mitigation
activities are working adequately and to identify new or changed risks. This is done via so-called
checks. We distinguish 2 levels of checks:
Level 1 checks: checks performed by the accountable department (line of defense level 1)
Level 2 checks: independent checks performed by another department, f.e. GRC or Finance
& Control.
All checks are formalized in a check plan. The check plan must be documented and updated on
an annual basis (more frequently when required) and should describe:
Risk(s)
Goal of the check
Check methodology and sample size
Selection criteria
Responsible
Check items (what do we check and how)
Assessment criteria (when OK and when not)
Reporting (how and to whom)
Management must:
1. Establish first line of defense tracking and report deficiencies to the GRC officer.
2. Provide to the GRC Officer the check plan that outlines the first line tracking activities and
the person accountable for the execution.
3. Work with the GRC officer to ensure appropriate evaluation of the first line checks.
4. Address, within the time agreed with the GRC Officer, issues that arise from the first line
and second line checks (action plan follow up).
5. Ensure adequate resources (quantity and quality) to execute the checks.
Governance, Risk & Compliance Officer must:
1. Work with the business to document the necessary check plans and validate them after
preparation.
2. Establish second line of defense monitoring activities via level 2 checks, formalize these
checks in a check plan, execute them and report the findings, and define recommendations if
needed to mitigate risk.
3. Report on a quarterly basis on the check results to the President of the Executive Board.
4.6.3 Action plan management
Action plan management is a process to ensure visibility on risk related findings and issues
(including those from the checks performed). Risk related findings should include:
Actions related to strategy based upon the risk assessment process
Actions identified by management in its day to day operations and from the first line of
defense checks.
Actions resulting from recommendations made by the second line of defense monitoring
and other framework activities.
Actions resulting from incidents as part of the risk management process (formalized in
the risk management charter and framework).
Actions resulting from recommendations made by internal / external audit (3rd line of
defense).
Actions resulting from recommendations / findings from supervision by authorities.
Management must:
1. Ensure risk related actions are recorded in the action plan database managed by the GRC
officer.
2. Resolve identified issues in a sustainable manner within the agreed deadline.
3. Provide the GRC officer with a status update on open actions until the issue is resolved.
4. Incorporate (in cooperation with the GRC officer) lessons learned in the activities.
Governance, Risk & Compliance Officer must:
1. Monitor all risk related findings and issues until they are resolved (by processing and
managing the action plan database).
2. Create and execute a process for tracking and managing the actions and the adequate
execution of the actions.
3. Incorporate with management lessons learned in the activities (translated into actions that
are monitored).
4. Report to the President of the Executive Board the unaddressed (open) and overdue actions
via the Risk Management Dashboard (quarterly).
All actions are logged for monitoring in the action plan database of the GRC department and
must include:
Finding or risk
Recommendation (if applicable)
Action to be taken (mitigation measure)
Accountable for action
Deadline.
Risk management reporting
Risk management reporting allows management and GRC to assess whether risks exceed
the risk appetite. Reporting also allows for communication and discussion of potential risks.
Management and GRC are responsible for gathering information, and then analyzing and
communicating the result so that informed, timely decisions can be made.
Reports will be issued at least on a quarterly basis.
5 Incident management
An incident is a real event resulting from inadequate or failed internal processes, or from
external event(s), which has led, could lead or leads to a loss, gain or shortfall in income, a
loss of trust (reputation), sanctions / penalties issued by a regulator, or a serious injury of a
staff member, student or visitor.
This definition applies to the internal processes of all activities (core and supporting processes;
in other words all processes, activities and departments).
Incident detection
Incidents can be detected via several ways:
Reported by the accountable management (as described in chapter 5.1.1)
In communication with experts:
o Director Finance & Control
o Director HRM
o Director LIS
o Director Facilities
By reports from internal audits / internal controls
5.1.1 Incident reporting
The directors of the faculties / divisions should report incidents to the GRC Officer within 3
working days after detection in case the impact of the incident is expected to be:
Incident to be reported to GRC Officer | Financial impact: larger than €10.000 | and / or Reputational impact: at least short term impact on reputation | and / or Regulatory impact: has regulatory impact (sanction / fines by regulator) | and / or Health and safety impact: at least an incident in which one or more employees or students are injured and admitted to hospital
This report should be sent via e-mail and should at least contain:
Description of the incident (what happened, why could it happen, what is the effect)
In case not all the information is present, as much as possible will be provided. Additional
information can be added at a later stage.
Management must:
1. Ensure that any suspected incident is reported to the GRC Officer as described in the
threshold within 3 working days after detection.
5.1.2 Communication with experts
Incidents are often related to staff, IT or premises, or have a financial impact. Therefore the
directors responsible for the divisions HRM, LIS, Facilities, Finance & Control and Legal
Affairs are often aware of incidents. The GRC officer has regular meetings with these
directors to discuss risks and incidents, or will be added to the mailing list in which these incidents
are reported.
5.1.3 Audit & control reports
The GRC officer will receive the internal control and the internal and external audit reports in
order to review whether there are (potential) incidents.
Internal Audit must:
1. Provide the GRC officer with the Internal Audit reports.
Finance & Control Manager must:
1. Provide the GRC officer with external audit reports as well as internal control reports.
Governance, Risk & Compliance Officer must:
1. Review internal control and (internal and external) audit reports to identify (potential)
incidents and risks.
Capturing and analyzing incidents
The GRC officer collects all the information regarding the incidents and starts analyzing the
incident in cooperation with the responsible business owner.
For all incidents the following information is captured:
Identification date
Reported by
Occurrence date
Summary of the incident
Detailed description
Cause of incident
Effect of incident
Risk related
Impact
Status of the incident: under investigation, finalized etc.
Actions defined
(Figure: Cause (f.e. fraud / input error / power outage) -> Incident (f.e. non availability of
system) -> Effect (f.e. additional costs / reputation))
Incident reporting
Ad hoc reporting
Incidents that meet the following thresholds must be reported to the President of the Executive
Board, the Executive Board or the Board of Governors within 5 working days after reporting to
the GRC Officer:
Incident to be reported to the President of the Executive Board | Financial impact: larger than €10.000 | and / or Reputational impact: at least short term impact on reputation | and / or Regulatory impact: has regulatory impact (sanction / fines by regulator) | and / or Health and safety impact: at least an incident in which one or more employees or students are injured and admitted to hospital
Incident to be reported to the Executive Board | Financial impact: larger than €20.000 | and / or Reputational impact: at least short term impact on reputation | and / or Regulatory impact: has regulatory impact (sanction / fines by regulator) | and / or Health and safety impact: at least an incident in which one or more employees or students are injured and admitted to hospital
Incident to be reported to the Board of Governors | Financial impact: larger than €50.000 | and / or Reputational impact: at least short term impact on reputation | and / or Regulatory impact: has regulatory impact (sanction / fines by regulator) | and / or Health and safety impact: casualties or long term handicap
Periodical reporting
All incidents will be reported in the quarterly risk management dashboard. (see 4.7)
6 Risk management advisory
The GRC department plays a very important pro-active advisory role: it advises the Executive
Board, management, departments, committees and employees. It provides advice on risk,
responsibilities, obligations and concerns on risk management issues while taking into account
the business practices and operational constraints.
In the event that a significant risk is identified and management's planned course of action may put
Tilburg University at risk, the GRC officer must, unless circumstances otherwise prevent,
immediately escalate the matter to the President of the Executive Board and the Audit
Committee for an opinion.
Together a decision will be made whether to advise management in writing that the course of
action would result in an unacceptable compliance risk. If management is advised NOT to
proceed, but nonetheless wishes to proceed, management must advise the Board of
Governors (Stichtingsbestuur) in writing and get approval from that level. In the advice the opinion of the
GRC officer must be presented.
Management must:
1. Create and maintain an environment that supports the GRC Officer in their role as advisor.
2. Seek advice from the GRC officer when developing new activities or cooperations and when
changing the governance of the organization.
3. Work closely with the GRC Officer to find solutions based on business practices and
operational constraints.
Governance, Risk & Compliance Officer must:
1. Respond to requests from employees and management for guidance on risks and reporting
of risks.
2. Assess whether particular conduct or activities (including governance, new activities, new
cooperations or changes to existing ones) have an effect on the risks of TiU.
3. Advise (requested and unrequested) on risk issues.
4. Maintain records of significant advice given.
PART 3 Tilburg University Internal control standard
The Tilburg University (TiU) Internal Control standard comprises the principles, processes and
tools that the organization uses to embed internal control in the organization. It details the roles
and responsibilities with regard to internal control, which is very important for the management &
control of the organization, including the way Tilburg University manages risks.
7 Internal Control
Definition
Internal control is a management system by which the business is organized to:
Ensure overall coverage of risk (= risk management)
Give reasonable assurance that the strategic targets are realized.
This system is employed by all involved in Tilburg University, whatever their level, with practices
that ensure:
Effectiveness, performance and security of the Internal operations:
o Reliability of internal and external information (including financial)
o Compliance with law, regulations and internal standards / policies.
o Effectiveness, performance and security of the operations.
In this context implementing an internal control system should contribute to:
Protecting and safeguarding assets: The term assets includes the following:
Tangible items and property (buildings, hardware, software)
Intangible items (intellectual property)
Consequently protecting and safeguarding the assets (and hence their availability) requires:
The monitoring and analysis of events that might adversely affect their integrity (f.e.
accident, intrusion, illicit access, theft)
A set of measures to prevent the occurrence of incidents or limit their impact.
Consistent application of targets defined by the Executive Board and faculty / division
management: The internal control system should ensure:
That the targets defined by faculties / departments etc. are in line with TiU's strategy
Department organization is suited to the achievement of the targets
Processes employed are optimized
Appropriate controls are introduced and employed
Efficient use of resources: As processes should meet an optimal performance target, it is
necessary to:
Monitor prudent use of resources in processes
Implement on-going preventive and corrective actions on default factors.
Protecting the interest of the student / social environment: It is necessary to protect the interest
of the students and the social environment as part of the public sector:
Verifying that the practices used are compliant with laws and legislation with regard to
public financing and students / research.
Set up an organization with adapted resources to embed this in the organization
Set up permanent preventive and corrective actions on default factors.
Reliability of internal and external information: The quality of information is evaluated in 3 ways:
Reliability (accurate, justified, relevant, representative)
Traceability (responsibility, origin: audit trail, nature, destination)
Availability (accessibility, security, retained).
Reliability must be guaranteed by implementing a set of measures to ensure the reliability of
internal and external information.
Compliance with law and legislation: Internal control must ensure that:
TiU complies with the laws and regulations it is subject to
The standards and rules are complied with by all those involved.
For more detail we refer to the Compliance Risk management charter and framework.
Fundamentals of internal control
The fundamentals of internal control are:
Segregation of function is an important instrument in internal control
Risk management is the responsibility of all staff members
Scope concerns all activities, organization units and risks
Management (business owners) are entirely responsible for implementing means and for the
effectiveness of the internal control system
8 Internal Control System
An effective, consistent internal control system can only be realized when the following
guarantees exist to ensure the effectiveness and consistency:
Close and ongoing involvement of the management of Tilburg University (tone at the top)
Consistency of the organization
Compliance with the instructions given
Optimizing resources (HRM)
Segregation of function
Security
The internal control system is organized around 2 blocks:
Control background
Control Activity System
There are 7 building stones of a good internal control (figure):
Control environment
Control background: organisation chart; job descriptions; governance, power and delegations
Process & risk mapping: process descriptions; risk mapping
Control activity system: policies; reports & communication; checks & monitoring
Business owners must ensure the implementation of these prerequisites (building stones) and
ensure that they are up to date.
Control environment
The control environment is a very important element for internal control as it defines the
awareness of the need for controls. It is a very important cornerstone of all the elements of
internal control, including the discipline and organization. It is defined by:
Regulatory environment: if control is 'imposed' by law, in general the culture for control is
strong. F.e. the control culture in financial companies is stronger than in e-commerce.
Organization environment: if the management is a strong supporter of control, the
implementation of control is much easier than when it is not the case.
Documentary environment: if the organization is well documented and there is an urge
for documentation, then the control system will also be stronger (as it is formalized).
(Management) culture: if there is a strong culture (integrity / professional ethics), then
there is more focus on control.
If the control environment is not strong, this will impact the effectiveness and consistency of the
internal control system.
Control background
The control background consists of 3 items:
8.2.1 Organizational Chart
The organization chart defines the hierarchical overview of the departments and functions of
Tilburg University. The organization chart is published on the intranet and describes, besides
the hierarchical structure, also the responsibilities and main tasks of the faculties / divisions.
Responsible: HRM department
Publication: intranet
8.2.2 Job descriptions
For the university branch so-called UFO profiles have been defined. These are general profiles
used in the university branch in the Netherlands. Every employee is linked to the job profile
that best matches their function. The function profile defines:
• The goal of the function
• The context
• The results
• The tasks, responsibilities and authorizations
For each function the competences are defined (standard matrix) and the functions are weighted
based upon a standard methodology.
NB: the UFO profiles are generic. For certain specialist functions they are too generic and do not
describe the real tasks, responsibilities and authorizations; for these, internal profiles must be
defined.
Responsible: HRM department
Publication: intranet
[Figure: the 3 items of the control background: Organization chart; Job descriptions; Governance,
power & delegations.]
8.2.3 Governance, powers and delegations
GOVERNANCE
With governance in this context we refer to the meeting organization that is implemented at
Tilburg University. For each standard meeting the following is formalized:
• Goal of the meeting
• Participants and their roles
• Quorum
• Frequency
• Decision power: what can be decided in the meeting
• Standard agenda
Responsible: GRC Officer
Approval: Executive Board
Publication: intranet
POWERS & DELEGATIONS
The powers and delegations must be described, and are described at a high level in the job
descriptions (mandate part). However, this does not contain details such as limits (e.g. up to what
amount somebody can approve an invoice). These are formalized in the delegation matrix and proxy
overview.
Responsible: GRC Officer
Approval: Executive Board
Publication: intranet
Process and risk mapping
8.3.1 Process mapping
All the activities of TiU are linked to processes, for which a process model is defined. This is an
overview of all the processes within the university. The process model is managed by the GRC
officer.
For every process a high-level process description must be available: what are the major steps /
activities within the process in order to secure it. A process description is a workflow in which you
see who does what, and it can be extended with the when, where (and why). All processes must be
formalized in a process description, preferably in the standard tool called MAVIM. Because of the
strong link between processes, risks and controls, the process flows must be validated by the
GRC officer.
For some processes it is important that employees have information on how to perform them.
These are called working instructions. When a task is complex, it is recommended to have a
working instruction. Working instructions are not mandatory.
Responsible:
• Process mapping: GRC Officer
• Process flow: Accountable manager
• Working instruction: Accountable manager
• Validation of process flow: GRC Officer
Publication: intranet
For all the processes a so-called RASCI matrix must be completed. RASCI stands for:
• Responsible: the one who is responsible for the execution of the process / activity.
He reports to the one accountable. There is typically one responsible, but he can be
supported by others (supportive).
• Accountable: the one who is ultimately accountable and approves the result. He
can make decisions. There must be only one accountable.
• Supportive: those who help the responsible with the realization of the result.
• Consulted: the person who needs to be consulted, provides approval and delivers
the input for the process. This role has influence on the realization of the result. It is 2-way
communication.
• Informed: those who are kept informed on progress, decisions and results, so that a next
step can be made. It is 1-way communication.
8.3.2 Risk mapping
All risks must be identified, assessed and formalized. For more detail we refer to chapter 4.
Control activity system
The control activity system consists of:
8.4.1 Policies / standards / guidelines
The rules, policies and guidelines of TiU are defined in policies. The decision process with regard
to policies / standards is formalized and managed by the Secretaries to the Board
(bestuurssecretarissen). They manage the decision process and secure the consultations that
are necessary, as well as the information and decision process, taking into account the participation
body (University Council).
Responsible: Accountable manager
Approval: Executive Board
Publication: intranet
[Figure: the 3 items of the control activity system: Policies, standards, guidelines; Reports &
Communication; Checks & Monitoring.]
8.4.2 Reporting & Communication
For all activities there must be reports and communication about performance via the main
key performance indicators (KPIs).
Responsible: Accountable manager
Publication: Department drive
8.4.3 Checks & monitoring
The last part of the internal control system is checks and monitoring. We distinguish 3 levels
of checks / monitoring.
The checks & monitoring are repressive controls. They are performed after the activity, mainly
based upon exception reports (= monitoring) and sample checks (= checks).
The checks and monitoring must be formalized in a document that describes the goal, method
and work plan.
Responsible: Accountable manager
Publication: Department drive
Level 1
• Performed by the department responsible for the activity
• Periodical checks (repressive) with a high interval
Level 2
• Performed by another department (risk based): Finance & Control, GRC, etc.
• Periodical checks (risk based) with a regular interval
Level 3
• Performed by an independent department: Internal Audit
• Less frequent checks (audit plan)
Addendum A: risk categories
Strategic: risk arising from the strategic or tactical decision process
• Political: risks resulting from changes in law and legislation
• Demographic: risks from developments in the size or composition of the population
• Economic: risks from economic factors, e.g. unemployment, inflation
• Social: not taking into account the social environment or not complying with social norms
• Ecology: not taking into account ecological factors and developments
• Technology: not taking into account technological developments (e.g. IT)
Operational: risk arising from inadequacy or failure due to a process, human factor or external
event
• Internal fraud: unauthorised activity, theft and fraud
• External fraud: theft, fraud, system security (virus attack, intrusion, ..)
• Employment practices & workplace safety: employee relations, safe environment,
discrimination, etc.
• Student, products & business practices: suitability, fiduciary and disclosure, improper market
practice, quality flaws
• Damage to physical assets: disasters and other events (e.g. fire, water)
• Business disruption and system failures: system disruptions, other business disruptions
• Execution, delivery and process management: student management, supporting processes,
documentation, etc.
Financial: risk of changes in the value of financial assets
• Counterparty risk: credit risk related to failure of a creditor or counterparty
• Market risk: risk resulting from the development of ratings, stock exchange rates
• Interest rate: variation of interest rates
• Foreign exchange risk: variation of currencies
Regulatory: risk of sanctions or fines from regulators
Integrity
Reputation