The September 2021 Risk Review introduces a number of changes to the Risk Management process:
Summary of actions required
• Review risks to verify we have captured the right risks
• Conduct an ‘inherent’ risk assessment for each risk and record this at the end of the risk description in the ‘Risk Description’ field in Empirical
• Review controls, ensuring they are measurable, and categorise each control into one of the following categories, ranking the controls in order of strength within each category:
  - Key control
  - Medium control
  - Minor control
  - Baseline control
• Conduct a revised ‘residual’ risk assessment and record this in Empirical
Evolving the Risk Management Framework
To achieve the actions above we need to complete the following:
• To gain an improved understanding of risk sensitivity, it is important to view risks in more than one state:
  - Risks are currently only assessed in their ‘residual’ state (sometimes referred to as ‘net’ risk). This is the risk score assessed after evaluating the impact of all existing controls that are implemented and operating to manage down the likelihood of a risk occurring or, in some cases, limit its severity.
  - We are introducing the assessment of risks in their ‘inherent’ state (sometimes referred to as ‘gross’ risk). This is an assessed level of raw or untreated risk: the natural level of risk inherent in a process or activity when nothing is done to reduce the likelihood of a risk event crystallising or to mitigate its severity. In other words, it is the amount of risk before the risk-reducing effects of controls are applied.
• Why do we need to capture risks in both their inherent and residual states?
  - When comparing risks scored in both the inherent and residual states, the level of reliance management places on the controls managing the risk immediately becomes evident. The greater the difference between inherent and residual risk, the greater the reliance management is placing on the controls.
  - This helps management focus on the right controls, namely those that are mitigating our most significant risks.
Actions required by Risk Owners
• Confirm we have captured the right risks
  - Conduct a review of existing risk descriptions to ensure they describe the risks we are actually looking to manage. Currently some of the risks identified in Empirical are not risks but are either causes of risk or consequences of risk; for example, reputational damage is a consequence of a risk event, not a risk itself.
• Assess risk in the ‘inherent’ state
  - Using the Empirical Risk Scoring Criteria Matrix (the 10 x 10 likelihood/impact assessment model), score each of the risks in their inherent state for ‘likelihood’ (also referred to as probability) and ‘impact’ (also referred to as severity, or consequences).
  - Record this score as free text at the end of the risk description in the ‘Risk Description’ field in Empirical.
  - We know this is not ideal and that it makes reporting more difficult; however, we have to work within the limitations of Empirical until it is replaced. A project has started to look for a replacement capable of supporting the College as the risk management framework matures.
Control Framework Assessment
Now that we have reviewed and reassessed our risks, we need to check we have captured the right controls and mitigations that manage risk. It is important to identify the strength of our control framework, as management rely on it to minimise the impact of risks on the organisation:
• Risk controls: Controls include any process, policy, device, practice, or other action that modifies risk. ‘Controls’ take many forms, including:
  - Policies, e.g. HR Policy
  - Documented procedures, e.g. documented procedures for paying suppliers
  - Actions to fix a broken control, e.g. fixing a broken door lock
  - Parts of the inherent risk environment, e.g. a fence dividing property boundaries
  - Committees, e.g. Scrutiny Committee
  Controls modify the ‘likelihood’ (or probability) of a risk event occurring.
• Risk mitigations: Risk mitigation can be defined as taking steps to reduce adverse effects, i.e. to reduce the impact of a risk event. There are 4 types of risk mitigation, more commonly known as the ‘4 T’s’:
  - Tolerate: Accept the level of risk
  - Terminate: Avoid the risk by stopping the activity that creates it
  - Transfer: Pass the risk on to someone else, e.g. through insurance
  - Treat: Implement further or new controls and strategies to reduce the level of risk exposure
• Assess and understand the strength of our controls
  - Review controls to identify them and order them by their strength and effect on modifying the level of risk. To achieve this, controls need to be measurable and should then be grouped into one of the following four categories:
    - Key Controls: Non-negotiable. These are the strongest of the controls and have the greatest impact on modifying the risk, and therefore must be consistently applied to keep the risk under control;
    - Medium Controls: Negotiable but important, and also have a positive impact on modifying the risk;
    - Minor Controls: Very little effect on the assessment of risk, but either considered good governance or in place to manage/inform a dependency;
    - Baseline Controls: Natural controls that exist as part of conducting a process or activity.
  - Once grouped into control categories, controls should be ranked in order of their strength.
Conduct a residual risk assessment
• The most important controls are the ones that have a measurable effect on modifying the level of risk. Typically, these are the controls we have assessed as ‘Key’ and ‘Medium’ controls.
• Conducting the residual risk assessment:
  - Starting with our ‘inherent’ risk assessment, we need to consider the combined effect of the existing controls and mitigations we assessed and measured in our controls review exercise.
  - Controls are ‘likelihood’ (or probability) modifiers.
  - Mitigations are ‘impact’ (or consequences) modifiers.
  - Given that we have an assessment of our risk in its ‘inherent’ state, and have considered the strength of our controls and mitigations in modifying the level of ‘inherent’ risk, we can arrive at a more accurate assessment of the ‘residual’ risk score.
This may well be different from how you had scored the risk before.