Transcript Slide 1

A PRESENTATION ON
FIJI NATIONAL
UNIVERSITY
Mr. Amitesh Prasad
Manager Risk and Insurance
1
Introduction



FNU was formed in 2010 by the Government of Fiji.
In 5 years it has become established as the nation’s premier national
university offering higher education as well as vocational education
and training.

The University considers risk management as a comprehensive
process integrating concepts of strategic planning, operations
management and internal control.

The University, through its ‘Mission, Strategies and Objectives’, is committed to
managing risk to maximize opportunities and minimize setbacks.

FNU recognizes the importance of risk management and strongly
believes that effective management of risks among the campuses,
managed on an enterprise-wide basis, will assist in establishing strategic
priorities and goals directly linked to the FNU objectives.
2
Scope of Risk Management Framework

The framework defines FNU’s risk management process methodology,
appetite, training and reporting, and also establishes the
responsibilities for implementation.

Aim - to ensure organisational capabilities and resources are employed
in an efficient and effective manner to manage both opportunities and
threats.
3
Objectives of Risk Management Framework
To provide a formal process to assist the University in:
1) Encouraging understanding by managers and their staff of the
implications of risk exposures, opportunities and their risk
management, in their day-to-day work and in strategic and
operational planning activities;
2) Developing and implementing procedures to ensure that risks are
identified, assessed against accepted criteria and that
appropriate measures are implemented;
3) Defining and documenting responsibilities and processes.
4
Why is Risk Management Important?

Risk influences every aspect of the operations at the
University.

Managing risks appropriately will enhance our ability to make
better decisions, safeguard our assets, and enhance our ability to
provide services to our students as well as achieve our
University mission and goals.
5
An effective Risk Management Framework provides organisational
resilience, confidence and benefits, including:

Provides a rigorous decision-making and planning
process;


Provides flexibility to respond to unexpected threats;

Equips managers with tools to anticipate changes and threats
faced by University and to allocate appropriate resources;


stakeholders
Takes advantage of opportunities and provides
competitive advantage;
Enables better business resilience and compliance
management.
6
Benefits of implementing risk management are:

Reduces surprises (Improve control of adverse events,
take action).


Exploitation of opportunities (Seek opportunity).

Positive effect on ‘Reputation’ (Attracts Investors,
Students, Staff).

Accountability, assurance and governance (Maintain
integrity and confidence).

Documentation for Legal actions, Government Enquiries.
Improved planning, performance, effectiveness and
utilization of resources.
7
What is risk?

Risk is defined as an event that may have an impact on the
achievement of the University’s objectives.

Risk may arise from 2 sources which are:

External factors (e.g. risk from the impact of the
global economic crisis, change in student demographics and
numbers, changing legislation)

Internal sources (e.g. new projects, new faculty, infrastructure and
capacity challenges, performances, etc.).
8
Risk appetite
Risk appetite is the amount of risk, on a broad level, that FNU is
willing to accept in pursuit of value, and should reflect:

Risk management philosophy per location, project, process,
etc.;


Capacity to take on risk;


Evolving industry and market conditions; and
The University objectives, risk plans and respective
stakeholder demands;
Tolerance for failures with quantitative values, where
applicable.
9
Risk Management Methodology – Standard: ISO 31000:2009, as shown below
10
RISK MANAGEMENT PROCESS

Communication and Consultation
Communication and consultation are critical considerations at each step of
the risk management process, improving the level of understanding and
the treatment of risks.

Identifies ‘Who’ should be involved in the ‘Risk assessment
process’


How much: Depends on how complex or significant the activity is.

Delivered by: Plans, Workshops, presentations, Risk Progress
Reports, etc.
Regular communication helps create a risk management culture.
11
ESTABLISH CONTEXT
1

The context provides an understanding of the organisation, its capability
and goals, objectives and strategies.

Establishing the University’s context defines the basic parameters within
which risks must be managed and sets the scope for the rest of the risk
management process.

FNU’s risk contexts were identified from the Strategic Plan 2020,
and it is therefore proposed that these be managed on an ‘Enterprise-wide basis’.

Within this master category, risks were classified and the University will
focus on the following three main Groups:
Strategic
Financial
Operations
12
Examples – Relation between Grouping and Risk Area/Description

| Master Category | Risk Grouping | Risk Name / Area | Risk Description |
|---|---|---|---|
| Enterprise | Strategic | Business Planning | Long term plan for Financial and Business goals |
| Enterprise | Financial | Budget Implementation | Budget development process is effective |
| Enterprise | Operations | IT Infrastructure | Adequate IT infrastructure and planning in place |
13
IDENTIFY RISKS

It is important to identify all the risks that have a potential effect on the
University’s ability to meet its objectives/goals.

Questions to generate a comprehensive list of potential sources of risk
and possible causes/scenarios are:

What can happen? Where and when?

Why and how can it happen?

Define the types of risk

Methods – These risks can be identified via checklists, based on
experience, process analysis, brainstorming, flow charts, audits &
inspections, surveys etc.
14
HOW DOES THE UNIVERSITY IDENTIFY RISKS?
Risk can be identified through the use of:

Focus groups (using brainstorming approaches, SWOT
analysis techniques, project categories, or broad business
categories);

Workshops;

Interviews with respective management; and

The intranet is also a means of reporting incidents or
risks to the Risk Administrator for consideration.
15
CON’T
Categories of risk used to enable appropriate aggregation are:
Students
Information and communication technology
Financial
Legal and Regulatory Compliance
Operational
Organisational effectiveness
Environmental
Reputation & Corporate Social Responsibility
Workplace Health & Safety
Projects
16
ANALYSE RISKS

Risk Analysis is developing an understanding of the risk and assists in deciding on the
best approach to ensure the highest risks can be identified and prioritised.

Objectives of this step are as follows:

Gather data for the evaluation and treatment steps.

Outcome will be the initial list of risks.

Analysis is in terms of likelihood and consequence, after considering the effect of the
existing controls and how effective these existing controls are.

Are there adequate systems, policies, procedures, delegations, monitoring in place to
support controls?

Do controls represent ‘Good Practice’ and minimise exposure to risks?

Are controls reviewed and maintained? Are the controls easy to use?

Are stakeholders aware of the controls and is adequate training/supervision
available?
17
DETERMINATION OF LEVEL OF RISK

Using the Consequence and Likelihood table - risk administrator could identify
the best description of the risk after controls are in place.

Secondly, risk calculation via matching the Consequence and Likelihood ratings
on the risk matrix is undertaken.

| Likelihood \ Consequences | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost certain | High – H1 | High – H3 | Extreme – E1 | Extreme – E4 | Extreme – E8 |
| Likely | Medium – M1 | High – H2 | High – H5 | Extreme – E3 | Extreme – E7 |
| Possible | Low – L3 | Medium – M2 | High – H4 | Extreme – E2 | Extreme – E6 |
| Unlikely | Low – L2 | Low – L5 | Medium – M3 | High – H7 | Extreme – E5 |
| Rare | Low – L1 | Low – L4 | Medium – M4 | High – H6 | High – H8 |
18
PRIORITISING RISKS
The purpose of prioritising the risk is to determine the level of action needed
for the identified and assessed risks.

| Risk Score | Level | What Should I do? |
|---|---|---|
| 9-10 | Extreme | Immediate action required |
| 7-8 | High | Action plan required, senior management attention needed |
| 5-6 | Medium | Specific monitoring or procedures required, management responsibility must be specified |
| 2-4 | Low | Manage through routine procedures. |
19
THE RISK REGISTER
The Risk Management Register contains the following information:








Risk Rating / risk score identifying the severity of the risk
Reference Category (Strategic/Operational/Financial)
Risk description and Risk example
Potential consequence(s) of the risk
FNU’s Core Strategic Area(s) at threat
Control Statement
Accountable / Responsible
Timescales for the implementation of action plans
20
RISK EVALUATION
The key risk evaluation steps are as follows:

Separate low risks (acceptable) from more serious risks (not acceptable).

Compare estimated levels of risk against the pre-established criteria.

In general, the management priorities and the balance between potential benefits
and adverse outcomes will have the highest impact on the risk priority.

Based on the outcomes of the risk analysis, decide how to treat the risk.

Acceptable risks would be low risks with adequate controls in place, and may
only need to be monitored/reviewed to ensure the risk remains acceptable.

Unacceptable risks do not have adequate controls and will be prioritized for further
action such as: Develop a treatment plan or Review the treatment plan to ensure
controls are appropriate to manage the identified risk.

Result will be a prioritized list of risks which need to be managed.
21
RISK TREATMENT

The objective of this step is to identify how the identified risks
will be treated.

Risk treatment involves identifying the options for treating each
risk, evaluating those options, assigning accountability (for Extreme,
High and Moderate residual risks) and taking relevant action.
22
Risk Treatment Con’t
Avoid the risk: Not to proceed with the activity or choosing an
alternative approach to achieve the same outcome.
Aim is risk management, not aversion.

Mitigate: Reduce the consequences – putting in place
strategies to minimize adverse consequences,
e.g. contingency planning, Business Continuity
Plan, liability cover in contracts.

Transfer the risk: Shifting responsibility for a risk to another party
by contract or insurance.

Accept the risk: Controls are deemed appropriate. These must
be monitored and contingency plans developed
where appropriate.
23
MONITOR AND REVIEW
Systems to monitor/review risks and the risk management process
steps require careful selection, targeting and planning. Priority should
be given to monitoring:

High risks.

Credible failure of treatment strategies, especially where this would
result in high, or frequent, consequences.

Risk-related activities that feature high incidence of change.

Risk tolerance criteria especially where this results in high risk levels.

Technological advances that may offer more effective or lower cost
alternatives to current risk treatment.
24
MONITOR AND REVIEW CON’T
In general terms, monitoring and review practices will be one of the
following types (and it is recommended that all three be included):

Continuous monitoring through routinely measuring or checking
particular parameters (for example cash flows).

Periodic review involves investigation of the current situation, usually
with a specific focus.

Line management reviews of risks and their treatments which are often
selective in scope but typically routine and regular.
25
Risk Reporting

Documentation of risk management plans is designed to be brief,
but with sufficient, key controls and rationale for mitigation
strategies.
Finance Resource Committee reporting

Key operational risks are discussed at Group and Divisional
management meetings on a quarterly basis. The Risk Administrator
develops a 6 monthly report.

More frequent reporting against high level risks occurs as deemed
necessary, including direct reporting by the manager accountable.
26
Risk Reporting Con’t
The Faculty and Department level risks are collated by the Risk
Administrator, and presented to the Finance and Resources
Committee. This report will include:

Risk register of top 10 corporate risks;

Executive summary of key changes in risk profile and appetite; and

Commentary on significant residual risks.
27
LIKELIHOOD RATING
The number of times within a specified period in which a risk may occur either as
a consequence of business operations or through failure of operating systems,
policies and procedures.

| Rating | Description | Occurrence | Probability |
|---|---|---|---|
| Almost certain | Expected to occur in most circumstances | Multiple / 12 months | >80% |
| Likely | Will probably occur in most circumstances | Once / 12 months | 61 - 80% |
| Possible | Might occur within a 5 year time period | Once / 12 months - 5 yrs | 41 - 60% |
| Unlikely | Could occur during a specified time period | Once / 5 - 10 yrs | 21 - 40% |
| Rare | May only occur in exceptional circumstances | Once / > 10 yrs | <20% |
28
Consequence Table
29
30
Table of Control levels
31
Risk Register Template
32
Risks and Mitigation Strategies
33
34
35
36
37
THANK YOU
38