Risk Management Procedures


1.0 Purpose

The purpose of this process and procedures is to:

  • Support effective decision-making that is guided by the XX’s (XX) Mission, Vision and Values;
  • Adopt a systematic and consistent approach to risk management to ensure all key risks across all categories are identified and effectively managed;
  • Support the achievement of XX objectives;
  • Formalize XX’s commitment to the principles of risk management and incorporate these into all areas of the organization;
  • Assist in capturing opportunities and minimizing threats;
  • Foster a risk management culture;
  • Illustrate the mandate and responsibilities of the Institutional Risk Management Section and XX’s stakeholders.

2.0 Description

This process and procedures provide guidance regarding the management of risk in order to support the achievement of XX’s objectives and protect employees and organizational assets. They apply to all units of XX. The Managing Director’s Office (MDO) is responsible for overseeing and monitoring the implementation of this process and its accompanying procedures. The EMC is the final approval channel for this process and procedures.

3.0 Definitions

  1. Control or Mitigating Measure: Control or mitigating measures of the treatment plans refer to actions (e.g. operating bylaws, regulations, policies, procedures and best practices) used to reduce the negative impact of a risk and enhance the likelihood of seizing an opportunity, and also to the level of adherence by employees to such measures.
  2. Inherent Risk: Gross risk is the risk before applying controlling or mitigating measures.
  3. Organizational Risk Register: This is XX’s master risk register where XX’s key strategic risks are recorded.
  4. Key Risk Indicator (KRI): Metrics that provide information on the level of exposure to a given operational risk that the institution has at a particular point in time.
  5. Risk: The effect of uncertainty on the organization’s objectives pertaining to various aspects (e.g. financial objectives, environmental objectives) and/or different levels (e.g. strategic objectives, project objectives, process objectives).
  6. Risk Analysis: The process of comprehending the nature of the identified risks and determining their magnitude, expressed in terms of a combination of consequence and likelihood scales.
  7. Risk Appetite: The amount and type of risk that management is willing to accept, prepared to pursue and retain or manage and mitigate to achieve the objectives.
  8. Risk Assessment: The overall process of Risk Identification, Risk Analysis, and Risk Evaluation relevant to the institution’s context and defined by its management.
  9. Risk Champion: An individual (assigned by the Risk Owner) who supports the Risk Owner in coordinating risk activities and enhancing the risk culture within the respective Sector/Unit.
  10. Risk Criteria: Terms of reference used to evaluate the significance or importance of the organization’s risks. They are used to determine whether a specified level of risk is acceptable or tolerable.
  11. Risk Evaluation: The process of comparing the results of risk analysis with the organization’s terms of reference (e.g. risk appetite, tolerance levels) to determine whether the risk and/or its magnitude is acceptable or tolerable.
  12. Risk Governance: Organization’s Risk Management structure and arrangements, relative to its context and broader organizational structure.
  13. Risk Identification: The process of finding, recognizing and describing risks at the institution. This involves the identification of risk sources, risk events, as well as their associated causes and potential consequences.
  14. Risk Management: Coordinated activities, taken by management, to direct and control the institution with regard to risk.
  15. Risk Management Framework: Set of components that provide the foundations (e.g. policy, objectives, mandate, and commitment) and organizational arrangements (e.g. plans, relationships, accountabilities, resources, process, and activities) designed by management for managing risks and continually improving risk management throughout the organization.
  16. Risk Management Procedure: Statement of the overall intentions and direction of the organization related to Risk Management. Typically includes the Risk Governance and Risk Appetite.
  17. Risk Management Principles: Risk management principles provide guidance on the characteristic of effective and efficient risk management, communicating its value and explaining its intention and purpose.
  18. Risk Management Process: A systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying analyzing, evaluating, treating, monitoring and reviewing risks.
  19. Risk Owner: An individual with the accountability and authority (Senior Management) to manage a given risk, or those who own the strategic objectives.
  20. Risk Resilience: It is the ability of an organization’s business operations to rapidly adapt and respond to internal or external dynamic changes (opportunities, demands, disruptions or threats) and continue operations with limited impact to the business.
  21. Residual Risk: Net risk is a risk remaining after applying controlling or mitigating measures.
  22. Risk Register: A document containing a prioritized list of risks together with information on risk identification, risk assessment, and risk treatment
  23. Risk Tolerance: The Organization’s readiness to bear the risk after Risk Treatment in order to achieve its objectives. This is the maximum level of risk that the organization is willing to operate within.
  24. Risk Treatment: The process of selecting the best alternative action to respond to an identified risk.
  25. Risk Treatment Owner: An individual with the accountability and authority (Senior Management) to manage and implement given controls or mitigating measures of risk treatment plans, assigned by the Risk Owner.
  26. Subject Entities: Are entities subject to the audit by Risk Auditors.

4.0 Responsibilities

4.1 Internal Audit and Compliance Department

  • Issue the Guidance for Risk Management (The GUIDE).
  • Maintain and update the GUIDE to continue to be aligned with best practices.
  • Request all Subject Entities to submit risk information to the Bureau.
  • Coordinate discussion among Subject Entities of common and shared risks.
  • Perform audits and reviews of risk management practices in Subject Entities.
  • Review the compliance and effectiveness of XX’s RM process and procedures based on the approved XX risk maturity model.
  • Work with IRM Section on reviewing the management of key risks.

4.2 XX Board of Regents (BOR)

  • Notify XX’s organizational risk register, appetite, risk tolerance, and risk profile.
  • Review annual RM reports.

4.3 Executive Management Committee (EMC)

  • Endorse XX’s risk register and RM Process and procedures.
  • Determine XX’s organizational risk appetite, risk tolerance, and risk profile.
  • Identify and endorse XX’s organizational risks, classification, treatment plans, and owners annually.
  • Provide a strategic focus to the management of risk, ensuring that the identification of risk is integrated and aligned to the key strategic objectives.
  • Ensure that the BOR is informed of all organizational risks and that appropriate action plans are being implemented through the annual RM report.
  • Review and provide feedback on the annual RM report and advise on how to deal with future risks and propose solutions.
  • Review the XX’s approach to RM and approve changes or improvements to its process annually.
  • Cultivate a risk culture by endorsing policies, behaviors and other supporting documents, which encourage appropriate risk taking.

4.4 Managing Director’s Office (MD)

  • Determine strategic approach with required resources to RM and ensure the appropriate implementation of XX’s approved RM process, procedures, and any related activities.
  • Review and provide feedback on the annual RM report for submission to the EMC.
  • Review reports about XX organizational risks and ongoing risk treatment plans including business continuity plans and provide regular updates to the EMC as required.
  • Review key organizational risk report and inform EMC regarding emerging risks that could expose XX to potential risks.
  • Ensure that there is ownership of RM and treatment plans throughout XX.
  • Ensure appropriate reporting and escalation mechanisms are in place.
  • Ensure that there is adequate training and resources to ensure that the process and procedures can be implemented.

4.5 Organizational Risk Management Section (IRM)

  • Facilitate and ensure XX’s RM process, governance, and any related activities.
  • Advise MD on key organizational risks and emerging risks.
  • Ensure effective communication of RM escalation processes with risk champions across XX.
  • Provide necessary awareness and training sessions to the risk champions and XX wide community to undertake RM process on a continuous basis.
  • Review and discuss key risks and treatment plans with respective risk owners.
  • Prepare reports on key and emerging organizational risks and on-going risk treatment strategies e.g. organizational risk register.
  • Develop, recommend, administer and enhance XX’s RM process and procedures.
  • Report to MD on the effectiveness of RM process and make recommendations for improving RM process and procedures annually.
  • Establish and maintain XX’s organizational risk register.
  • Review XX’s organizational risk appetite, risk tolerance, and risk profile.
  • Foster the culture of RM within XX.
  • Facilitate the identification of risks through risk workshops, brainstorming sessions, interviews etc., using standard/ university approved risk tools where applicable.
  • Stay up to date on RM by communicating with SAB on all developments and updates issued by the Auditor’s team.
  • Exploit possible synergies for risk identification and treatments.

4.6 Risk Owner

  • Ensure risks are identified, assessed, treated and monitored.
  • Determine appropriate level of risk tolerance.
  • Select the risk treatment owner.
  • Ensure RM activities are integrated into operational activities.
  • Observe internal and external environments for emerging threats and opportunities.

4.7 Risk Champion

  • Develop, maintain, review and update risk register in coordination with their respective risk owner at the unit level for each sector.
  • Communicate unit’s risk register with IRM section.
  • Report to risk owner on the progress of RM process, risk treatment actions, and any emerging risks.
  • Document good practices and risk events.
  • Encourage RM culture within the unit.

4.8 Risk Treatment Owner

  • Implement and monitor progress on Treatment plans actions or mitigating measures.
  • Provide information, reports and updates to the Risk Owner.

5.0 Process statement

XX is committed to applying appropriate RM practices in its activities to minimize the unfavorable effect of risks and to seize different opportunities.

6.0 Risk Management Principles

Key Principles of Risk Management, each with a description and how it is going to be applied to XX:

  1. Is integrated into all organizational processes
     Description: Risk management is not a stand-alone activity that is separate from the main activities and processes of the institution. It is part of the responsibilities of the Organization’s management and integrates into its activities and processes, including strategic planning and the change management process.
     Application to XX: Risk management will be part of the university governance, strategic plan processes, policies, values and culture.
  2. Is structured and comprehensive
     Description: A systematic, timely, structured and comprehensive approach to risk management contributes to organizational efficiency and to consistent, comparable and reliable results.
     Application to XX: XX’s approach to risk will be systematic, timely and structured to achieve consistent, comparable and reliable results through principles, framework and process.
  3. Is customized
     Description: The risk management practices that executive leadership is encouraged to put in place should be aligned with the Organization’s strategic objectives, consistent with its culture, compliant with its legal obligations and take into consideration the adequacy of the allocated resources.
     Application to XX: Executive leadership takes this into account when developing an RM system that is best aligned to XX’s strategic plan and the higher education sector.
  4. Is inclusive of all relevant stakeholders, mainly decision makers
     Description: Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the institution ensures that risk management remains relevant and up to date. The risk management framework should identify the scope and method for risk monitoring and reporting to relevant stakeholders, as well as their respective roles in the risk management process. This in turn enables the consideration of their knowledge, views and perceptions and results in improved awareness and informed risk management.
     Application to XX: Decision-makers (e.g. BOR, EMC and MD) will ensure that risk management is relevant and up to date. In addition, stakeholders will be involved and their views taken into account in determining the risk profile.
  5. Is dynamic and agile
     Description: Risks are uncertain in nature and can emerge, change or disappear as the Organization’s external and internal context changes. To cope with this nature, risk management should anticipate, detect, acknowledge and respond to those changes and events in an appropriate and timely manner.
     Application to XX: XX will respond to changes arising from internal and external events, systematically monitor and review risks, and identify new and emerging risks.
  6. Is based on the best available information
     Description: The inputs to risk management should be based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations and constantly relies on timely, clear and available inputs to relevant stakeholders.
     Application to XX: XX will analyze identified risks based on the available data provided by units, such as assessments, surveys, reports, self-assessments, independent reports, accreditation, external examiners, internal and external auditing recommendations, activity results and forecasting.
  7. Takes into account human and cultural factors
     Description: Human behavior and culture significantly influence all aspects of risk management at each level and stage and affect the overall maturity of risk management activities in an institution. Management is encouraged to build risk management capabilities over time, in line with its existing resources’ capacities, to gradually and surely increase its overall maturity.
     Application to XX: XX will recognize the capabilities, perceptions and intentions of external and internal stakeholders and the community that can facilitate or hinder the achievement of the university’s goals.
  8. Requires continuous improvement
     Description: Risk management is not a one-off or ad hoc process. To be fully effective and improve management’s capabilities, it needs to be continually improved through learning, investments and capitalizing on the institution’s collective experience.
     Application to XX: XX will develop and implement strategies to improve its risk maturity alongside all other aspects of the university.

7.0 Risk Management Framework

XX has referenced SAB’s guide in developing and implementing its RM framework and process to oversee and manage risks at the institution. The purpose of the RM framework is to assist XX in integrating risk management into significant activities and functions. This framework enables information about organizational risks derived from the RM process to be adequately reported and used as a basis for decision-making and accountability across XX. The Risk Management Framework consists of eight major components, applied to XX as follows.

The proposed framework implementation in XX is illustrated in the table below.

Framework Requirement and Proposed Framework Implementation:

  1. Executive Leadership: The Board of Regents and the MD are considered to be the Executive Leadership Management.
  2. Establishment of RM Process and Procedures: A Risk Management process and procedures draft has been developed and is under review.
  3. Defining Responsibility for Managing Risk: Roles and responsibilities as seen in section 2.
  4. Embedding Systematic RM into Business Processes: Currently this is being done for those units which are undergoing ISO 9001 QMS certification, and it will be linked to XX’s strategic objectives.
  5. Developing a Positive Risk Culture: RM culture is to be integrated with XX values and introduced via trainings and broadcasts. XX will introduce positive behaviour and inspire, enable, support and reinforce its adoption through its risk culture model.
  6. Communicating and Consulting about Risk: A communication plan for the Risk Management Procedure has been developed as part of implementation.
  7. Maintaining Risk Management Capability: To maintain RM capability and enhance monitoring, Risk Champions will be assigned from all XX sectors. In addition, the IRM Section has been established and the RM implementation requirements (budget, human capital and technical) until 2022 have been identified as described in XX’s Risk Management Procedure.
  8. Reviewing and Continuously Improving the Management of Risk: Dynamic amendments to the RM activities may be required after implementation and after defining the appetite. Reviews will be conducted annually to improve the RM activities when necessary.

8.0 Risk Management Scope

RM will be applied on strategic levels prior to Enterprise Risk Management (ERM) implementation, which will be applied to all units in XX.

9.0 Risk Management Process

RM is a continuous improvement process to assess, treat, monitor and communicate key risk to the Executive Leadership. The risk management process and procedures will be consistent with ISO 31000:2018 Risk Management – Guidelines.

1. Scope, Context, Criteria

By establishing the scope, context and criteria, XX will be able to articulate its objectives and define the external and internal parameters to be considered when managing risk. This can be performed by the following:

  • Setting the scope for the RM activities, which can be applied at different levels such as strategic, operational, project or any other activities.
  • Defining the broad objectives.
  • Identifying the relevant stakeholders.
  • Selecting appropriate risk assessment tools and techniques.
  • Identifying the resources required, responsibilities and records to be kept.
  • Identifying relationships with other projects, processes and activities.

Risk Assessment: The overall process of Risk Identification, Risk Analysis, and Risk Evaluation relevant to XX’s context and defined by management.

2. Risk Identification

Risk identification requires reasonably foreseeable risks that have the potential to have a meaningful impact on the university to be identified. A risk is any event or action that has an uncertain effect that may impact XX’s objectives. Risks arise as much from the possibility that opportunities will not be realized as they do from the possibility that threats will materialize, errors be made, or damage/injury occurs. In this step, risks need to be categorized using XX’s risk categories. Please refer to table 13. Within the university, risk identification occurs at various levels:

  • Organizational Level: All key strategic and operational risks, which are related to an inability to meet XX’s objectives. Best addressed by the Executive Leadership.
  • Strategic Level: Risks that affect each sector’s strategy or strategic objectives. Best addressed by VP level.
  • Operational Level: Risks, which are related to an existing, broken process. Best addressed by Unit level.

Risk Identification Techniques

There are two types of risk identification techniques:

  • Individual techniques, which an individual can carry out on their own.
  • Group techniques, where people gather together and discuss.

Risk identification techniques also differ in their time focus: some look to the past, some at the present and some to the future. It is recommended to use techniques with different time focus, such as checklists, assumptions analysis and brainstorming; best practice is to use at least one technique from each category. Although most techniques are used to identify both threats and opportunities because of their similar characteristics, opportunities can specifically be identified using Fault Tree Analysis (FTA), a risk management tool that takes positive or negative events and represents them in a tree-like structure by a process of simple logic and graphical design. When used to capture opportunities it can instead be called Benefit Tree Analysis: any uncertainties that could strengthen the drivers and help deliver early are the opportunities. In addition, SWOT analysis and force field analysis can also be used to identify opportunities. The table below illustrates some of the techniques used for identifying threats and opportunities.

Some techniques used for identifying threats and opportunities, by time focus:

Past Focused Techniques
  • Checklists
  • Experience of previous projects, strategic plans or previous operations
  • Lessons learned databases

Present Focused Techniques
  • Assumptions/constraints analysis
  • Current contracts and projects being worked on
  • Document reviews
  • Constraints analysis
  • SWOT analysis
  • Fault/benefit analysis
  • Root cause analysis (bow tie)

Future Focused Techniques
  • Brainstorming
  • Framework for thinking about the future
  • Forecasting
  • Strategic planning scenario analysis
  • Visualization
  • Future thinking

3. Risk Analysis

Risk analysis involves developing an understanding of the risk and provides an input to risk evaluation and to decide on whether risks need to be treated, and if so, on the most appropriate risk treatment methods. This analysis can also provide input into the options to address risks and inform the decision-maker across different types and levels of risk. This can be performed by the following but not limited to:

  • Identifying residual risks
  • Identifying the existing controls
  • Identifying the inherent risks
  • Assessing the likelihood of the risk occurring
  • Assessing the consequences or potential impact
  • Rating the level of risk

4. Risk Evaluation

Decisions should compare the overall results of the risk analysis with the organizational risk appetite and tolerances: the results of the risk assessment are combined into the overall risk rating (Likelihood x Consequences) to determine the level of risk, taking into account the actual and perceived consequences for external and internal stakeholders and whether the risk is acceptable or not. As part of the evaluation of risks, it is essential for XX to reflect that risk can be an integral part of what it does given its vision, mission and strategy.

Risk Treatment

Controls and mitigating actions are required for all risks. Where risk treatment is required, it involves selecting one or more options for modifying the risk and implementing those options. Risk treatment is required when the residual risk remains unacceptably high, or where there is a desire to bring the risk down with regard to the risk appetite. Once implemented, treatments provide or modify the controls. Treatment is carried out through the two steps Develop Alternatives and Respond to Risks.

5. Develop Alternatives

Systematically identify and assess a range of response alternatives or strategies to risks based on the risk appetite. The aim of this step is to compare the impact of a risk with the potential losses and determine how to allocate resources accordingly, as set out below:

Threat Alternatives/Strategies

  1. Avoid: Is a form of treatment, where the treatment plan or action is to decline a transaction, offer, project or activity that generates the threat.
  2. Transfer: Is a form of treatment, where the treatment plan or action is to share or transfer the risk with another party via contracts or insurance.
  3. Reduce: Is a form of preventive treatment, where the treatment plan or action aims to reduce the likelihood or the consequence/severity or both of a threat.
  4. Accept: The units shall select this option when the threat is within its tolerance limits and existing controls are sufficient; or there is no further action which management intends to implement or the cost of mitigating the threat is higher than the cost of the threat itself; or the threat and its current residual level is accepted by management as part of its overall strategy.
  5. Escalate: Is a form of treatment, which ensures that the threat is passed on to the right owner to ensure that it is recognized, understood and managed appropriately.

Opportunity Alternatives/Strategies

  1. Exploit: Is a form of treatment, which ensures that the opportunity arising definitely occurs.
  2. Share: Is a form of treatment, which involves a third party in managing the arising opportunity.
  3. Enhance: Is a form of treatment, which increases the impact of an opportunity.
  4. Accept: Is a form of treatment, where the treatment plan or action is to take or accept the opportunity in order to pursue it.
  5. Escalate: Is a form of treatment, which ensures that the opportunity is passed on to the right owner to ensure that it is recognized, understood and managed appropriately.

6. Respond to Risks

Executive Leadership evaluates the alternatives and decides how to allocate resources to address the major risks facing XX. Once decisions have been made on how to respond to risks and ownership has been allocated, treatment plans should be properly documented.

7. Monitoring and Reviewing

Ensure regular reviews and reporting, as well as continuous updating of all risk information related to XX’s risk profile, to identify any changes and determine whether the previously agreed risk responses and mitigations are managing risks as intended. Given the diverse and dynamic nature of XX’s environment, it is important to be ready for emerging threats and opportunities and to monitor them. If a risk has been identified but lies outside the scope of the unit, it is essential to escalate or de-escalate it, or to inform the respective unit.

8. Communication, Consultation, Learning

Effective communication and consultation are essential to ensure that those responsible for implementing RM understand the basis on which decisions are made and the reasons why particular treatment options are selected. RM is enhanced through effective communication and consultation when all XX units understand each other’s perspective. This step takes place throughout steps 1 to 6.

9. Records maintenance and reporting

The RM process and its outcomes are a continuous effort that is integral to XX’s governance and improves communication among stakeholders. As RM activities are reported to the IRM Section and the Executive Management Committee (EMC), regular updates and evaluation methods need to be adopted to make reporting efficient and effective. Outcomes are also made available to employees where appropriate. This assists with decision-making, improving risk management activities, transparency and the monitoring of risks against XX’s stated organizational risk appetite.

Risk Appetite and Tolerance

Risk Appetite is the amount and type of risk that the Institution’s management is willing to accept, prepared to pursue and retain, or manage and mitigate to achieve the objectives. Risk Tolerance is the Organization’s readiness to bear the risk after Risk Treatment in order to achieve its objectives; this is the maximum level of risk that the organization is willing to operate within. The framework consists of four stages:

  1. Understand your strategic objectives and initiatives (this can also be at the operational/individual level).
  2. Establish the risk appetite framework.
  3. Develop the risk appetite statement.
  4. Develop KRIs.

Moreover, there are four different levels of Risk Appetite, as shown in the table below:

10.0 Risk Matrix

Use of the Risk Matrix is intended to assist faculty, staff and students in applying risk management principles to proposed activities held on or off campus. The matrix assists in identifying major risks, assessing the likelihood and consequences of each risk and mitigating the risk to the lowest possible level of likelihood and consequence. In addition, it weighs the cost of the risk against its benefit and supports evaluating and analyzing the outcome of the proposed risks, ultimately reaching a decision to either accept or reject the risk. Likelihood refers to the possibility of the risk occurring, measured in qualitative values such as low, medium or high. Consequence is the outcome of an event and has an effect on objectives. A single event can generate a range of consequences, which can have both positive and negative effects on objectives.

Description of Likelihood Levels

  5 Almost Certain: Highly likely to happen, possibly frequently (example: once a month)
  4 Likely: Will probably happen several times, but is not a persistent issue (example: 4 times a year)
  3 Possible: May happen occasionally (example: once in 1-5 years)
  2 Unlikely: Not expected to happen, but is a possibility (example: once in 5-10 years)
  1 Rare: Very unlikely this will ever happen (example: not likely to occur in 10 years)

Description of Consequence Levels

  1 Insignificant: Activity continues, reputation intact, no injury to persons and revenue is unaffected
  2 Minor: Activity continues with slight difficulty, reputation internally affected, injury requires first aid only, revenue is insignificantly affected
  3 Moderate: Activity disrupted, considerable cost losses, injury to persons needing medical treatment, reputation damaged and revenue slightly affected
  4 Major: Activity seriously disrupted, serious cost loss, injury requiring hospital admission, reputation seriously damaged and revenue considerably affected
  5 Severe: Activity stopped, large cost losses, reputation very seriously damaged, serious injury (death or permanent injury) to persons, unable to resume activity and revenue greatly affected

As illustrated in the table below, a 5 by 5 risk score matrix is used to assess risks. The risk assessment score is calculated once likelihood and consequence are defined (Likelihood x Consequence), and the result is then used to look up the risk rating in the Risk Rating Table. The risk rating determines whether the risk is acceptable or tolerable, based on the risk assessment results compared with the institution’s risk appetite and tolerance level. This table is used only for threats; the description, management action and tolerability of opportunities will be considered when the opportunity arises.

Risk Assessment Score Matrix: Risk Rating Details

  Risk Assessment Score 1, 2, 3 & 4: Risk Rating Low (L), Color Code Green
     Description: Minor or little harm, activity undisrupted or slightly disrupted. Minimum cost loss or slight financial loss. Impact can be recovered within days.
     Management Action Required: Manage by routine procedures; report to local managers; monitor & review locally as necessary.
     Tolerability: Acceptable
  Risk Assessment Score 5, 6, 8, 9 & 10: Risk Rating Medium (M), Color Code Yellow
     Description: Moderate damages, activity is marginally disrupted, moderate financial losses and/or reputation may be damaged. Expected difficulties in achieving the operational objective. Could be recovered within months.
     Management Action Required: Assess the risk; determine whether current controls are adequate or if further action or treatment is needed; monitor & review locally, e.g. through regular business practices or local area meetings.
     Tolerability: Tolerable
  Risk Assessment Score 12, 15 & 16: Risk Rating High (H), Color Code Orange
     Description: Significant damages, activity is disrupted, large financial losses and/or reputation is badly affected. Considerable operational difficulties in achieving objectives. Strategic objectives are affected in part.
     Management Action Required: Risk to be given appropriate attention & demonstrably managed; reported to President and EMC.
     Tolerability: Unacceptable
  Risk Assessment Score 20 & 25: Risk Rating Extreme (E), Color Code Red
     Description: Very serious damages, activity is severely disrupted, heavy financial losses and/or reputation is severely damaged. If not treated it will impact operational and strategic objectives.
     Management Action Required: Immediate attention & response needed; requires a risk assessment & management plan prepared by relevant senior managers for the President; risk oversight by EMC.
     Tolerability: Unacceptable
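As an added illustration of the scoring described above (example code, not part of the original procedure), the following Python helper computes Likelihood x Consequence, maps the score to the rating bands of the Risk Rating Details table, and evaluates a constructed sample risk register for inherent and residual risk. The register entries, the `treatment_required` rule (residual tolerability is Unacceptable) and the `escalate_to_emc` rule (residual rating High or Extreme) are assumptions made for this example.

```python
"""Risk scoring helper for the 5 by 5 matrix described above.

Added example, not part of the original procedure. The 1-5 scales, the score
bands, colours, tolerability and management actions follow the Risk Rating
Details table; the register entries below are constructed sample data.
"""
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}

# Score bands from the table: (scores, rating, colour, tolerability, action).
RATING_BANDS = (
    ({1, 2, 3, 4}, "Low", "Green", "Acceptable",
     "Manage by routine procedures; report to local managers; monitor & review locally"),
    ({5, 6, 8, 9, 10}, "Medium", "Yellow", "Tolerable",
     "Assess the risk; determine whether current controls are adequate; monitor & review locally"),
    ({12, 15, 16}, "High", "Orange", "Unacceptable",
     "Give appropriate attention & demonstrably manage; report to President and EMC"),
    ({20, 25}, "Extreme", "Red", "Unacceptable",
     "Immediate attention & response; risk assessment & management plan for President; EMC oversight"),
)


@dataclass(frozen=True)
class Rating:
    score: int
    rating: str
    color: str
    tolerability: str
    action: str


def risk_score(likelihood: int, consequence: int) -> int:
    """Risk Assessment Score = Likelihood x Consequence, each on the 1-5 scale."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must be integers 1..5")
    return likelihood * consequence


def rate(likelihood: int, consequence: int) -> Rating:
    """Look the score up in the rating bands; every product of two 1-5 values is covered."""
    score = risk_score(likelihood, consequence)
    for scores, rating, color, tolerability, action in RATING_BANDS:
        if score in scores:
            return Rating(score, rating, color, tolerability, action)
    raise AssertionError(f"score {score} not in any band")  # unreachable for valid input


@dataclass(frozen=True)
class RegisterEntry:
    risk_id: str
    description: str
    inherent: tuple[int, int]  # (likelihood, consequence) before controls
    residual: tuple[int, int]  # (likelihood, consequence) after existing controls


def evaluate(entry: RegisterEntry) -> dict:
    """Risk Evaluation step: rate inherent and residual risk and decide (assumed rule)
    whether further treatment is required because the residual risk is Unacceptable."""
    inherent = rate(*entry.inherent)
    residual = rate(*entry.residual)
    return {
        "risk_id": entry.risk_id,
        "inherent": inherent,
        "residual": residual,
        "treatment_required": residual.tolerability == "Unacceptable",
        "escalate_to_emc": residual.rating in ("High", "Extreme"),  # assumed rule
    }


# Constructed sample register entries (hypothetical, not from the page).
SAMPLE_REGISTER = [
    RegisterEntry("R-01", "Unpatched student records server", (4, 5), (2, 5)),
    RegisterEntry("R-02", "Lab access badges shared between staff", (3, 2), (2, 2)),
    RegisterEntry("R-03", "Backup restore procedure never tested", (3, 5), (3, 4)),
]


def prioritised(register):
    """Order entries by residual score, highest first, for the Risk Owner's review."""
    return sorted((evaluate(e) for e in register),
                  key=lambda r: r["residual"].score, reverse=True)


if __name__ == "__main__":
    for r in prioritised(SAMPLE_REGISTER):
        print(r["risk_id"], r["inherent"].rating, "->", r["residual"].rating,
              "| treatment required:", r["treatment_required"])
```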

Risk Procedure

Send Risk Register Development Request: RM-01-01

Description: Request the development of the risk register with the respective sector risk champion and facilitate the Risk Management (RM) process, governance and related activities. The process and procedures will be shared with the respective sector along with the Risk Register template.
Role: Organizational Risk Management (IRM) Section

Develop Risk Register: RM-01-02

Description: Develop, maintain, review and update the risk register in coordination with the respective risk owner. In most cases, the Risk Owner is the same person as the Objective Owner.
Role: Risk Champion

Consult Risk Owner: RM-01-03

Description: Communicate and explain the requirements of the risk management process and Risk Register to the respective Risk Owner.
Role: Risk Champion

Identify Risk(s): RM-01-04

Description: Identify and manage all sector-related risk(s). Determine the appropriate level of risk appetite and tolerance. Assign the Risk Treatment Owner.
Role: Risk Owner

Implement Treatment Plans: RM-01-05

Description: The Risk Owner may choose to implement the treatment plan him/herself with the support of the Risk Champion.
Role: Risk Owner

Implement Treatment Plan: RM-01-06

Description: If delegated by the Risk Owner, the Risk Treatment Owner implements the treatment plan with the support of the Risk Champion.
Role: Risk Treatment Owner

Ensure Risk(s) are Assessed and Treated: RM-01-07

Description: Review and monitor the risk treatment plan along with its effectiveness and feasibility in coordination with the Risk Champion.
Role: Risk Owner

Review and Update Risk Register: RM-01-08

Description: Review the Risk Register to ensure all information has been provided, and report to the Risk Owner on the progress of risk treatment and any emerging risks when applicable. Ensure all information provided in the Risk Register is in the correct format. Before submitting the Risk Register to IRM, obtain the Risk Owner’s approval. If approval is not granted, repeat from step RM-01-04.
Role: Risk Champion

Send Risk Register: RM-01-09

Description: Send the completed and approved Risk Register to the IRM Section.
Role: Risk Champion

Review Risk Register Data: RM-01-10

Description: Review the Risk Register for the accuracy of the risk management process steps and the format. If no amendment is required, end the process.
Role: Organizational Risk Management (IRM) Section

Contact Risk Champion and Return Risk Register: RM-01-11

Description: If an amendment is required and the data is invalid, contact the Risk Champion and request the necessary changes at step RM-01-08.
Role: Organizational Risk Management (IRM) Section
