Risk Management Guidelines PDF

SPU Surigao RISK MANAGEMENT Guidelines

Academic Year 2017-2018


These guidelines outline the way St. Paul University Surigao operates its Risk Management Program and are to
assist the organization, its departments and units in the development of risk management plans. These guidelines
have been adapted from the principles, framework & process of ISO 3100:2009 on RISK MANAGEMENT and ISO
9001:2015 requirements on risk management.

Risk management is a vital component of good management practice and, to be most effective, should become part
of an organization’s culture. Rather than being viewed as a separate program, risk management needs to be
integrated into an organization’s philosophy, practice and plans. The integration of risk management into the
organization’s operations ensures that risk becomes the responsibility of every employee.

Risk management is necessary to consider every time a decision is to be made – whether to develop a relationship,
start a project or conduct an activity. Risk management aligns activities and decision-making with
objectives and outcomes, which helps an organization achieve strategic goals or successfully execute operational
plans. Guidelines and standards are applied in order to manage risk.

The risk management process includes:

Figure 1. Risk management model (from AS/NZS 4360: 2004 risk management standards)

1|P a g e
St. Paul University Surigao
1 Establish the Context
The first step in a risk management plan is to establish the context of the environment within which the organization,
department or unit operates. The environment in which educational services operate is an exceptionally multifaceted
one and a number of factors need to be considered when determining the parameters within which risks must be
managed.
The Process:
• Set the scope for the risk assessment by identifying what you are assessing – is it a new partnership, program, project or perhaps an event?
• Define the broad objectives. Identify the reason for the risk assessment – perhaps a change in law, a request from an external auditor or regulator, an operational change or review.
• Identify the relevant stakeholders. Aim for an appropriately inclusive process from the outset: be sure to identify the areas that are, or might be, impacted and seek their input. Make sure that appropriate delegations are being exercised even at this early stage.
• Gather background information. Having proper information is important. Ask the right people and identify the information that is available. Sometimes it is useful to identify information that is not available (immediately) but may be necessary. Consider:

2 Risk Identification
Each department or unit of the University is required to assess itself at least annually against the relevant risk context.

Identify sources of the risk, areas of impact, events (including changes in circumstances) and their causes and potential
consequences. Describe those factors that might create, enhance, prevent, degrade, accelerate or delay the
achievement of your objectives. Identify also the issues associated with not pursuing an opportunity; that is, the risk of
doing nothing and missing an opportunity.

Guide questions for identifying the risk:

• What could happen: what might go wrong, or what might prevent the achievement of the relevant goals? What events or occurrences could threaten the intended outcomes?
• How could it happen: is the risk likely to occur at all or happen again? If so, what could cause the risk event to recur or contribute to it happening again?
• Where could it happen: is the risk likely to occur anywhere or in any environment/place? Or is it a risk that is dependent on the location, physical area or activity?
• What might be the impact: if the risk were to eventuate, what impact or consequences would or might this have? Will the impact be felt locally or will it impact on the whole University? Areas of impact to consider include: education or research program/activity; human impact; service delivery; financial consequences; compromise to legal or contract compliance; and adverse impact on brand and reputation for failure to meet or achieve our strategic objectives.

Provide quantitative and/or qualitative data to assist in describing the risk or to support the risk rating. Sources of
information may include past records, staff expertise, industry practice, literature and expert opinion.

3 Risk Analysis (See Risk Matrix)


Develop a detailed understanding of the risk.

After the risk has been identified and the context, causes, contributing factors and consequences have been described, look at
the strengths and weaknesses of existing systems and processes designed to help control the risk. Understanding and
analyzing what controls are needed and whether they are effective assists in deciding whether further action is needed.

The Process:
• Identify the existing controls – determine what controls are already in place to mitigate the impact of the risk. Controls may be strong or weak; they can be measurable and repeatable. Controls may include legislation, policies or procedures, staff training, segregation of duties, personal protective measures and equipment, and structural or physical barriers (e.g. setting up IT firewalls or guards around machinery). Once the controls have been identified, and their effectiveness analyzed, an assessment is made of the likelihood of the risk occurring and the consequence if the risk were to occur. This produces an accurate, albeit subjective, assessment of the level of risk - or risk rating - and helps in the next step to determine whether risks are acceptable or need further treatment.
• Assess the likelihood – the likelihood of the risk occurring is described as rare, unlikely, possible, likely, or almost certain to occur.
• Assess the consequence – the consequences or potential impact if the risk event occurred are described as insignificant, minor, moderate, major or extreme.
The assessment of likelihood and consequence is mostly subjective, but can be informed by data or information collected, audits, inspections, personal experience, corporate knowledge or institutional memory of previous events, insurance claims, surveys and a range of other available internal and external information.

• Rate the level of risk: Assess the likelihood and consequence levels; the risk matrix then determines whether the risk rating is low, medium, high or extreme. The Risk Matrix also identifies the management action required for the various risk ratings.

4 Risk Evaluation
Decide whether the risk is acceptable or unacceptable. Use your understanding of the risk to make decisions on
the intended preventive mechanism.

Decisions about future actions may include: (1) not undertaking or proceeding with the event, activity, project or
initiative; (2) actively treating the risk; (3) prioritizing the actions needed, if the risk is complex and treatment is required;
and (4) accepting the risk.

Whether a risk is acceptable or unacceptable relates to a willingness to tolerate the risk; that is, the willingness to bear
the risk after it is treated in order to achieve the desired objectives.

The way risk is evaluated or handled is likely to vary over time, across the University as a whole and for individual
Dept./Unit Heads, Faculty and Staff.

A risk may be acceptable or tolerable in the following circumstances:

• No treatment is available
• Treatment costs are prohibitive (particularly relevant with lower ranked risks)
• The level of risk is low and does not warrant using resources to treat it
• The opportunities involved significantly outweigh the threats

When conducting a risk assessment which includes the risk identification, risk analysis and risk evaluation, there
are generally lots of potential consequences identified. This is not necessarily a problem as a number of these can be
addressed by the risk treatments, or they may not need any specific action.

5 Risk Treatment
Ensure that effective strategies are in place to minimize the frequency and severity of the identified risk. Develop actions
(intended preventive mechanisms) and implement treatments that aim to control the risk.

Once the risk assessment phase is complete, identify the options for treatment if there are any; otherwise tolerate the
risk. Where intended preventive mechanisms are available and appropriate, record such options as part of the risk
management and analysis form.

Treatment options not applied to the source or root cause of a risk are likely to be ineffective and promote a false belief
within the organization that the risk is controlled.

Monitoring and Reviews
Monitor changes to the source and context of risks, the tolerance for certain risks and the adequacy of controls. Ensure
processes are in place to review and report on risks regularly by answering the following review and monitoring questions:
• Are the planned control measures sufficient and effective in minimizing the level of risk?
• Have there been any changes to the planned control measures?
• Are further control measures required in future?

Additionally, the unit/dept. identifies the date of review/monitoring and remarks on the template. To ensure reviews and regular
monitoring, each unit/dept. is encouraged to identify a process that allows key risks within their area to be monitored at least twice
a school year – once every semester.

Risk reporting is an important part of being able to demonstrate the effectiveness of the risk management program of the
University. Therefore, each unit/dept. is required to report to various internal and external stakeholders through Management Review,
President’s Council Meetings, the Academic Council Meetings, the Department/Unit Heads’ Meeting or even during the Extended
President’s Council Meetings at the end of every semester or as the need arises.

To ensure that risk management is effective, and to provide evidence of a demonstrable risk management system, it is important
to have a documented formal record of the risk management process and outcomes through the department/unit risk
management and analysis form (QMO-F-013).

QMO-F-013 is a documented record of the identified risks, their significance or rating, and how they are managed or treated.
Additionally, all units or offices are encouraged to formally record and document their risks using the form.

Communication and Consultation


Effective communication and consultation are essential to ensure that those responsible for implementing risk management, and
those with a vested interest, understand the basis on which decisions are made and the reasons why particular treatment options
are selected.

Communicate and consult with internal and external stakeholders during any and all stages of the risk management process,
particularly when plans are being first considered and when significant decisions need to be made.
Risk management is enhanced through effective communication and consultation when all parties understand each other's
perspectives and, where appropriate, are actively involved in decision-making.

Methods of communication and consultation may include: meetings; distribution of minutes; reports; newsletters and orientation
sessions (trainings). This is to ensure that the interests of all stakeholders are understood and considered.

Resources
• ISO 3100:2009 on RISK MANAGEMENT - AS/NZS 4360:1990 – “Risk Management”
• ISO 9001:2015 Standard
• Risk Management Handbook – University of Adelaide
• Risk Management Guidelines - South West Healthcare

Risk Matrix
Table 1. CONSEQUENCE OF RISKS
AREA OF IMPACT – description of consequence
Columns: Rating; Generic Description; Educational/Research Services; Support Services Delivery; Financial; Regulatory/Statutory/Legal Compliance; Brand/Image & Reputation; Human/Injury

5 - Extreme
Generic Description: Event or circumstance with potentially disastrous impact on business or significant material adverse impact on a key area
Educational/Research Services:
• Huge loss / reduction in student enrolments / retention
• Loss of a Faculty
• Serious reduction in research activity / output
• Serious problems reaching a number of student, teaching or research targets
• Irreparable impact on relationship with partners / collaborators
Support Services Delivery: Cessation of critical support systems or programs for an intolerable period and / or at a critical time in the University calendar
Financial:
• Huge financial loss
• Significant budget overrun with no capacity to adjust within existing budget / resources
• May attract adverse findings from external regulators or auditors
Regulatory/Statutory/Legal Compliance:
• Serious breach of contract or legislation
• Significant prosecution & fines likely
• Potential for litigation including class actions
• Future funding / approvals / registration / licensing in jeopardy
Brand/Image & Reputation:
• Long term damage to reputation or status
• Sustained negative media attention
• Brand / image affected nationally and / or internationally
Human/Injury:
• Serious injury or death
• Loss of significant number of key staff impacting on skills, knowledge & expertise
• Staff industrial action
• Student unrest / protest / violence

4 - Major
Generic Description: Critical event or circumstance that can be endured with proper management
Educational/Research Services:
• Significant loss / reduction in student enrolment / retention
• Loss of a key School
• Major impact on research activity over a sustained period
• Major problems meeting teaching or research targets
• Serious long term damage to partnership / collaboration
Support Services Delivery: Cessation of support systems or programs for an unacceptable period and / or at a critical time in the University calendar
Financial:
• Major financial loss
• Requires significant adjustment to approved / funded projects / programs
Regulatory/Statutory/Legal Compliance:
• Major breach of contract, Act, regulations or consent conditions
• Expected to attract regulatory/statutory attention
• Investigation, prosecution and / or major fine possible
Brand/Image & Reputation:
• Sustained damage to brand / image or reputation nationally or locally
• Adverse national or local media coverage
Human/Injury:
• Serious injury
• Dangerous near miss
• Loss of some key staff resulting in skills, knowledge & expertise deficits
• Threat of industrial action
• Threat of student protest / activity

3 - Moderate
Generic Description: Significant event or circumstance that can be managed under normal circumstances
Educational/Research Services:
• Significant loss / reduction of number of students in a course
• Loss of a key academic course
• Significant impact on research activity over a sustained period
• Significant problem meeting teaching or research targets
• Significant but short term damage to partnership
Support Services Delivery:
• Major service delivery targets cannot be met
• Loss / interruption / compromise of support systems or program for a protracted period of time
Financial:
• Significant financial loss
• Impact may be reduced by reallocating resources
Regulatory/Statutory/Legal Compliance:
• Significant breach of contract, Act, regulation or consent conditions
• Potential for regulatory/statutory action
Brand/Image & Reputation:
• Significant but short term damage to reputation
• Student / stakeholder and / or community concern
• Sustained / prominent local media coverage
Human/Injury:
• Staff injury, lost time or penalty notice due to unsafe act, plant or equipment
• Short term loss of skills, knowledge, expertise
• Severe staff morale or increase in workforce absentee rate
• Student dissatisfaction

2 - Minor
Generic Description: Event with consequences that can be readily absorbed but requires management effort to minimize the impact
Educational/Research Services:
• Moderate reduction in student enrolments / retention
• Minor impact on research activity
• Temporary problems meeting some teaching / research targets
Support Services Delivery:
• Local service or Education / Research program delivery problems
• Loss / interruption / compromise of support systems or program for tolerable period but at an inconvenient time
Financial:
• Some financial loss
• Requires monitoring & possible corrective action within existing resources
Regulatory/Statutory/Legal Compliance:
• Minor non compliances or breaches of contract, Act, regulations, consent conditions
• May result in infringement notice
Brand/Image & Reputation:
• Some short term negative media coverage
• Concern raised by students / stakeholders
Human/Injury:
• Health & safety requirements compromised
• Lost time or potential for public liability claim
• Some loss of staff members with tolerable loss / deficit in skills
• Dialogue required with industrial groups or student body

1 - Insignificant
Generic Description: Some loss but not material; existing controls and procedures should cope with event or circumstance
Educational/Research Services:
• Minor reduction in student enrolments / retention
• Negligible impact on research activity or achievement of teaching / research targets
Support Services Delivery: Negligible impact on delivery of service
Financial: Unlikely to impact on budget or funded activities
Regulatory/Statutory/Legal Compliance: Unlikely to result in adverse regulatory/statutory response or action
Brand/Image & Reputation: Minor damage to brand, image or reputation
Human/Injury:
• Incident with or without minor injury
• Negligible skills or knowledge loss
• Dialogue with industrial groups / students may be required

Table 2. LIKELIHOOD OF RISKS

LIKELIHOOD | Description of Likelihood
5 – Almost Certain (frequent) | Almost certain to occur within the foreseeable future or within the project lifecycle
4 – Likely (probable) | Likely to occur within the foreseeable future, or within the project lifecycle
3 – Possible (occasional) | May occur within the foreseeable future, or within the project lifecycle
2 – Unlikely (uncommon) | Not likely to occur within the foreseeable future, or within the project/process lifecycle
1 – Rare (remote) | Will only occur in exceptional circumstances

Table 3. RISK LEVELS

CONSEQUENCE of an incident occurring


LIKELIHOOD of an incident occurring | 1 - INSIGNIFICANT | 2 - MINOR | 3 - MODERATE | 4 - MAJOR | 5 - EXTREME
5 - ALMOST CERTAIN | Medium | Medium | High | Extreme | Extreme
4 - LIKELY | Low | Medium | High | High | Extreme
3 - POSSIBLE | Low | Medium | High | High | High
2 - UNLIKELY | Low | Low | Medium | Medium | High
1 - RARE | Low | Low | Low | Low | Medium

Assessed Risk Level | Description of Risk Level | Actions
1 Low | If an incident were to occur, there would be little likelihood that an injury would result. | Undertake the activity with the existing controls in place.
2 Medium | If an incident were to occur, there would be some chance that an injury requiring First Aid would result. | Additional controls may be needed.
3 High | If an incident were to occur, it would be likely that an injury requiring medical treatment would result. | Controls will need to be in place before the activity is undertaken.
4 Extreme | If an incident were to occur, it would be likely that a permanent, debilitating injury or death would result. | Consider alternatives to doing the activity. Significant control measures will need to be implemented to ensure safety.
