GUIDE TO RISK ASSESSMENT AND RESPONSE
Updated January 2018
ABSTRACT
This “Guide to Risk Assessment and Response”
provides users with a practical tool with
instructions, examples and formats for preparing
risk assessments and for preparing and reporting
management response plans (MRPs).
Emily J. Stebbins-Wheelock
and Al Turgeon
The University of Vermont
What is Enterprise Risk Management (ERM)?
Overview
The risk management process—of identifying, analyzing, evaluating, and ultimately responding to and
monitoring risk—is at the heart of enterprise risk management (ERM). Extending this process across an
entire organization, looking at both “upside” opportunities and “downside” risks, and considering risks
and opportunities in the context of strategy is what differentiates “ERM” from ‘traditional’ risk
management.
This abbreviated Guide to Risk & Opportunity Assessment & Response deals with the seven steps in the
risk management process shown in Figure 1: (1) establishing the context; (2-4) conducting the risk
assessment, which includes identifying, analyzing, and evaluating; (5) responding to risks and
opportunities; (6) monitoring and updating the status; and (7) reporting on those that could materially
affect the institution or a department. The context and assessment steps help decision-makers choose
which risks or opportunities are priorities, what the appropriate response should be, and what resources
should be allocated to manage the risk or opportunity in a way that best supports the organization's
strategy. The response step involves deciding on and planning for the best way to "treat" or modify the
risk or opportunity, and implementing that plan.
Figure 1: The Risk/Opportunity Management Process
“Enterprise risk management is a structured, consistent, and continuous process across the whole
organization for identifying, assessing, deciding on responses to, and reporting on opportunities
and threats that affect the achievement of its objectives” (Institute of Internal Auditors, 2009).
4. Have there been any recent major changes to your area of responsibility or control (new
regulations, new programs/activities, organizational changes, etc.) that pose new risks or
opportunities?
5. Are there particular programs, activities, internal controls, or legal/regulatory issues, in your area
that worry you or you think may pose significant risk to your unit or the institution?
Steps to Follow
1. Identify all the risks and opportunities (A) you can that might affect your objectives (see
Questions to Spur Thinking & Discussion, above).
2. For each one, give it a short name or title (A).
3. Write a brief “risk/opportunity statement” (B) that describes each risk or opportunity and
provides a little more detail about its sources and causes. Do not include potential impacts or
consequences.
a. Aim for a “Goldilocks” risk/opportunity statement: not too short, not too long; not too
vague, not too detailed; meaningful but not inflammatory
b. Too vague: “IT infrastructure”
c. Too specific/inflammatory: “IT network and hardware is obsolete, resulting in the
potential for loss of institutional business continuity, loss of irreplaceable data, and
privacy breaches”
d. Just right: "IT infrastructure not maintained and/or upgraded to necessary standards"
Example (Columns A and B):
- Column A, Proposed Risk/Opportunity Name: Improve inclusive excellence
- Column B, Proposed Risk/Opportunity Statement: As the University continues to diversify our community, it has an opportunity to improve inclusive excellence (diversity, inclusion and multicultural competency) through a more comprehensive institutional effort.
4. Consider whether each statement is either a risk or opportunity (C), and which Strategic Action
Plan (SAP) goal (found at http://www.uvm.edu/president/) it affects or is most closely related to.
5. Consider other strategic goals or initiatives for your Division, College, School, or department
that this risk or opportunity affects.
6. Identify which risk/opportunity category (D) is most closely related to the risk/opportunity.
7. Identify the responsible official (E) for each risk or opportunity. This is the individual at UVM
with the accountability and authority to manage the issue.
Example (Columns C, D and E):
- Column C, Proposed Nature (Risk or Opportunity): Opportunity. SAP Goal II: Promoting a culture of advancing academic excellence and cultivating talent
- Column D, Proposed Risk/Opportunity Category: Strategic
- Column E, Proposed Responsible Official: VP HR, Diversity, and Multicultural Affairs, and Vice Provost for Student Affairs
Key Terms
- Risk/Opportunity: Any issue (positive or negative) that may impact an organization’s ability to
achieve its objectives; the effect of uncertainty on organizational objectives. Often characterized
in reference to potential events, consequences, and the likelihood thereof.
- Identification: Process of finding, recognizing, and describing risks and opportunities.
- Risk/opportunity statement (description): Structured statement of risk or opportunity usually
containing four elements: sources, events, causes, and impacts/consequences.
- Source (of risk or opportunity): Element or circumstance which alone or in combination has
the intrinsic potential to give rise to risk or opportunity. Can be tangible or intangible.
- Event: Occurrence or change of a particular set of circumstances. Can be one or more
occurrences, can have several causes, and can consist of something not happening.
- Impact (consequences): Outcome of an event affecting objectives, either positively or
negatively. Can be certain or uncertain; can be expressed qualitatively or quantitatively. An
event can lead to a range of consequences, and initial consequences can have escalated effects.
- Responsible official (RO) (risk/opportunity owner): Person or entity with the accountability
and authority to manage a risk or opportunity.
Step 3: Risk & Opportunity Analysis
The purpose of the analysis step is to develop an understanding of the risk or opportunity in order to
inform your evaluation and decision of whether a response is required. Here is where you will assess the
potential impact and likelihood of the risks and opportunities.
Things to Keep in Mind
- Analysis can be qualitative, semi-qualitative, quantitative, or a combination thereof.
- Consider causes and sources, their positive and negative consequences, the likelihood that they
can occur, and other attributes of the risk or opportunity.
- Consider interdependence of different risks or opportunities and their sources.
Steps to Follow
1. Consider the potential impact (column F) of each risk or opportunity by using the risk and
opportunity impact scales shown in Tables 3 and 4. If more than one column of the scale relates
to your risk, base your rating on the column that reflects the greatest impact. This will likely be
the column that also corresponds to the category of the risk or opportunity. (For example, if you
categorized your risk as a "financial" issue, you will likely use the financial column of the
impact scale to determine your impact rating.)
2. Consider the likelihood (column G) that each risk or opportunity will occur by using the
likelihood scales shown in Tables 2 and 5.
3. The impact and likelihood scores will be multiplied to produce an overall risk score (H) for each
risk or opportunity.
4. If an issue presents both risk and opportunity (i.e., could have both positive and negative
impacts), rate the positive/opportunity aspects of the issue using the opportunity impact and
likelihood scale. Multiply the impact and likelihood ratings to produce an opportunity score.
Then consider the negative/risk aspects of the issue and rate it using the risk impact and
likelihood scales. Multiply the impact and likelihood ratings to produce a risk score. Compare
your opportunity and risk scores: which is greater? Is there more upside or downside to this
Table 1: Risk Categories
- Compliance & Privacy: Risks or opportunities related to violations of federal, state or local law, regulation, or University policy, that create exposure to fines, penalties, lawsuits, reduced future funding, imposed compliance settlements, agency scrutiny, injury, etc.
- Financial: Risks or opportunities related to physical assets or financial resources, such as: tuition, government support, gifts, research funding, endowment, budget, accounting and reporting, investments, credit rating, fraud, cash management, insurance, audit, financial exigency plan, long-term debt, deferred maintenance.
- Hazard, Safety, or Legal Liability: Risks or opportunities related to legal liability (negligence), injury, damage, or health and safety of the campus population or the environment, including impacts caused by accidental or unintentional acts, errors or omissions, and external events such as natural disasters.
- Human Capital: Risks or opportunities related to investing in, maintaining, and supporting a quality workforce, such as: recruitment, retention, morale, compensation & benefits, change management, workforce knowledge, skills, and abilities, unionization, employment practices.
- Operational: Risks or opportunities related to management of day-to-day University programs, processes, activities, and facilities, and the effective, efficient, and prudent use of the University's resources.
- Strategic: Impacts related to UVM's ability to achieve its strategic goals and objectives, including competitive market risks, and risks related to mission, values, strategic goals; diversity; academic quality; research; student experience; business model; market positioning; enrollment management; ethical conduct; accreditation.
- Reputational: Needs work (see note below).
*Note: UVM recognizes that many institutions of higher education use another category: "reputational risk." In UVM's view,
however, a significant event in any of the above risk categories has the potential to impact the institution's reputation. UVM
therefore does not classify reputational risks separately, and instead considers reputational impacts in its risk assessment (see
Tables 3 and 4 below).
Table 2: Risk Likelihood Scale
- Score 1, Low/Remote: Unlikely or rare; could occur at some time in the next 6-10 years
- Score 2, Medium/Possible: Likely to occur at some time in the next 1-5 years
- Score 3, High/Probable: Very likely to occur in the next year, or is already occurring
Table 3: Risk Impact Scale
Columns: Impact Score | Short Description | Human Capital | Hazard/Safety/Legal Liability | Financial | Operational | Compliance | Strategic | Reputational

Score 1, Minor
- Human Capital: Affects <5% of employees; no collective bargaining impacts; no impact on recruitment or retention
- Hazard/Safety/Legal Liability: Minor injury; minor legal liability exposure; minor, reparable environmental damage
- Financial: Annual loss of <$1 million in current fiscal year; 5-year cumulative liability/obligation <$10 million
- Operational: No disruption of critical operations and services; 1- to 2-day disruption of a department; minor impact on efficiency, client/student programs and services, environmental sustainability, or infrastructure; no effect on leadership effectiveness
- Compliance: Minor audit findings; minor fines
- Strategic: Slows progress on one UVM strategic goal
- Reputational: Limited negative publicity; no effect on UVM reputation/image

Score 2, Moderate
- Human Capital: Affects 5-10% of employees; collective bargaining required; <5% employee turnover
- Hazard/Safety/Legal Liability: Moderate injury; self-insured workers' compensation injury/exposure possible; moderate legal liability exposure; moderate, reparable environmental damage
- Financial: Annual loss of $1-$5 million in current fiscal year; 5-year cumulative liability/obligation $10-$50 million
- Operational: 3- to 5-day disruption of several departments or one critical service; moderate impact on efficiency, client/student programs and services, environmental sustainability, or infrastructure; moderate effect on leadership effectiveness
- Compliance: Moderate audit findings; moderate fines; short-term agency scrutiny
- Strategic: Slows progress on more than one UVM strategic goal
- Reputational: Local/regional negative publicity; minor, short-term effect on UVM reputation/image

Score 3, Substantial
- Human Capital: Affects 11-25% of employees; collective bargaining required; 6-9% employee turnover
- Hazard/Safety/Legal Liability: Substantial injury; self-insured workers' compensation injury/exposure possible; substantial legal liability exposure; substantial environmental damage requiring mitigation
- Financial: Annual loss of $5-$10 million in current fiscal year; 5-year cumulative liability/obligation $50-$100 million
- Operational: 6- to 10-day disruption of a College, School, or Division or several critical services; substantial impact on efficiency, client/student programs and services, environmental sustainability, or infrastructure; substantial impact on leadership effectiveness
- Compliance: Audit findings requiring programmatic changes; moderate-term agency scrutiny; enforcement action likely
- Strategic: Stops progress on one UVM strategic goal
- Reputational: Local/regional negative publicity; pressure for UVM to control the message; moderate damage to UVM's reputation/image

Score 4, Serious
- Human Capital: Affects 26-50% of employees; collective bargaining required; 10-15% employee turnover
- Hazard/Safety/Legal Liability: Serious injury; self-insured workers' compensation injury/exposure; serious legal liability exposure; environmental damage eligible for EPA National Priorities List
- Financial: Annual loss of $10-$25 million in current fiscal year; 5-year cumulative liability/obligation $100-$150 million
- Operational: 10- to 14-day disruption of 2 or more Colleges, Schools, or Divisions or three or more critical services; serious impact on efficiency, client/student programs and services, environmental sustainability, or infrastructure; serious effect on leadership effectiveness
- Compliance: Principal investigator debarred; program funds rescinded; long-term agency scrutiny; enforcement action likely
- Strategic: Stops progress on more than one UVM strategic goal
- Reputational: National negative publicity; intense pressure for UVM to control the message; significant damage to UVM's reputation/image

Score 5, Severe
- Human Capital: Affects 51-75% of employees; collective bargaining required; 16-24% employee turnover
- Hazard/Safety/Legal Liability: Severe injury or death; self-insured workers' compensation injury/exposure; severe legal liability exposure; severe environmental damage eligible for EPA National Priorities List
- Financial: Annual loss of $25-$100 million in current fiscal year; 5-year cumulative liability/obligation $150-$250 million
- Operational: 14-day to 3-month disruption of 2 or more Colleges, Schools, or Divisions or most critical services; severe impact on efficiency, client/student programs and services, environmental sustainability, or infrastructure; severe effect on leadership effectiveness
- Compliance: Imposed settlement or corporate integrity agreement; organizational criminal prosecution; record financial judgment
- Strategic: Reverses progress on one or more UVM strategic goals
- Reputational: National negative publicity; UVM cannot control the message; severe, long-term damage to UVM's reputation/image

Score 6, Business-Critical
- Human Capital: Affects >75% of employees; collective bargaining required; 25% or more employee turnover
- Hazard/Safety/Legal Liability: Business-critical injury or death; critical legal liability exposure; major, irreparable environmental damage
- Financial: Annual loss of >$100 million in current fiscal year; 5-year cumulative liability/obligation >$250 million; insolvency
- Operational: UVM shutdown >3 months; insolvency; leadership failure results in long-term damage to the institution
- Compliance: Threatens viability of UVM or its research mission; loss of all federal research or Title IV funds
- Strategic: University strategic plan failure
- Reputational: Negative publicity could permanently impair UVM's image/reputation; significant decrease in enrollment or research funding
Table 5: Opportunity Likelihood Scale
- Score 1, Low/Remote. Likelihood: Some chance of favorable outcome in 4 or more years. Indicators: Possible opportunity that has yet to be fully investigated by management. Likelihood of success is low on the basis of management resources currently being applied.
- Score 2, Medium/Possible. Likelihood: Reasonable prospects of favorable results in 1 to 3 years. Indicators: Opportunity that may be achievable but that requires careful management. Opportunity that may arise over and above the plan.
- Score 3, High/Probable. Likelihood: Favorable outcome is likely to be achieved in 1 year. Indicators: Clear opportunity that can be relied upon with reasonable certainty to be achieved in the short term based on current management processes.
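The scoring rule from the analysis step (rate every applicable Table 3 column and take the greatest, multiply by the Table 2 likelihood, and for an issue with both upside and downside compare the risk score with the opportunity score) is easy to get wrong by hand across a long register. The following Python is an added example written for this page, not a tool from UVM's guide. The column keys, the `Issue` record, the sample register and all of its ratings are constructed for illustration; the opportunity impact is assumed to use the same 1-6 range as Table 3 because Table 4 is not reproduced here, and no heat-map thresholds are assumed since Figure 2 is not shown.

```python
"""Semi-quantitative scoring helper for the analysis step (Tables 2, 3 and 5).

Added example; the column keys, sample register and ratings are constructed
for illustration and are not UVM's data.
"""
from dataclasses import dataclass, field

# Column headings of Table 3, as keys (constructed names).
IMPACT_COLUMNS = (
    "human_capital", "hazard_safety_legal", "financial",
    "operational", "compliance", "strategic", "reputational",
)
IMPACT_NAMES = {1: "Minor", 2: "Moderate", 3: "Substantial",
                4: "Serious", 5: "Severe", 6: "Business-Critical"}
LIKELIHOOD_NAMES = {1: "Low/Remote", 2: "Medium/Possible", 3: "High/Probable"}


def rate_impact(column_ratings):
    """Return (impact score, driving column) from per-column ratings.

    Step 1 of the analysis: when more than one column of Table 3 applies,
    the rating is taken from the column showing the greatest impact.
    """
    if not column_ratings:
        raise ValueError("at least one impact column must be rated")
    for col, val in column_ratings.items():
        if col not in IMPACT_COLUMNS:
            raise ValueError(f"unknown impact column: {col}")
        if val not in IMPACT_NAMES:
            raise ValueError(f"impact must be 1-6, got {val} for {col}")
    driver = max(column_ratings, key=column_ratings.get)
    return column_ratings[driver], driver


def overall_score(impact, likelihood):
    """Step 3: overall score (column H) = impact x likelihood, range 1-18."""
    if impact not in IMPACT_NAMES or likelihood not in LIKELIHOOD_NAMES:
        raise ValueError("impact must be 1-6 and likelihood 1-3")
    return impact * likelihood


@dataclass
class Issue:
    """One register row. Zero means 'not rated' for that side of the issue."""
    name: str
    risk_impacts: dict = field(default_factory=dict)  # Table 3 column -> 1..6
    risk_likelihood: int = 0                          # Table 2, 1..3
    opp_impact: int = 0                               # Table 4, assumed 1..6
    opp_likelihood: int = 0                           # Table 5, 1..3


def analyze(issue):
    """Produce worksheet columns F, G and H for the risk and/or opportunity side."""
    out = {"name": issue.name}
    if issue.risk_impacts:
        impact, driver = rate_impact(issue.risk_impacts)
        out["risk"] = {"impact": impact, "driver": driver,
                       "likelihood": issue.risk_likelihood,
                       "score": overall_score(impact, issue.risk_likelihood)}
    if issue.opp_impact:
        out["opportunity"] = {"impact": issue.opp_impact,
                              "likelihood": issue.opp_likelihood,
                              "score": overall_score(issue.opp_impact,
                                                     issue.opp_likelihood)}
    # Step 4: an issue with both sides is compared on its two scores.
    if "risk" in out and "opportunity" in out:
        r, o = out["risk"]["score"], out["opportunity"]["score"]
        out["dominant"] = "risk" if r > o else "opportunity" if o > r else "balanced"
    return out


def rank_register(issues):
    """Analyse every issue and order by its highest score, descending."""
    def top(result):
        return max(result.get("risk", {}).get("score", 0),
                   result.get("opportunity", {}).get("score", 0))
    return sorted((analyze(i) for i in issues), key=top, reverse=True)


# Constructed sample register; ratings are illustrative only.
SAMPLE_REGISTER = [
    Issue("IT infrastructure not maintained and/or upgraded to necessary standards",
          risk_impacts={"operational": 4, "financial": 2, "compliance": 3},
          risk_likelihood=2),
    Issue("Improve inclusive excellence", opp_impact=3, opp_likelihood=2),
    Issue("Launch a new online degree programme",
          risk_impacts={"financial": 3, "reputational": 2}, risk_likelihood=2,
          opp_impact=4, opp_likelihood=3),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        print(row)
```

The validation in `rate_impact` and `overall_score` rejects a rating outside the published scales or a risk with no likelihood, so a half-filled worksheet row fails loudly rather than scoring as zero; the `driver` field records which Table 3 column set the impact, which is the justification a reviewer will ask for.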
Steps 4 and 5: Risk/Opportunity Evaluation & Response
The purpose of the evaluation and response steps is to decide, based on the results of your analysis, which risks and opportunities
require a response and what your recommended response will be.
Things to Keep in Mind
- Each risk or opportunity's risk score (the product of impact × likelihood) will determine where it falls on UVM's risk and
opportunity "heat map" (Figure 2) and what level of institutional review each risk or opportunity will receive.
- Risk/opportunity response is a cyclical process of assessing the response, determining whether residual risk levels (after
response) are acceptable, developing a new response if necessary, and assessing the response again.
- There are several standard options for risk/opportunity response, but they are not mutually exclusive; they can be used in
combination.
- A decision can be to not respond to the risk or opportunity other than maintaining existing management or control activities.
- Consider the values and expectations of stakeholders in developing a response.
- Consider whether some responses are not economically justifiable (e.g., an expensive response for a high impact but low
likelihood risk).
- Responding to risks or opportunities can itself introduce risks. Consider how your response plan will deal with any secondary
risks.
Steps to Follow
1. Consider the overall results of your risk/opportunity analysis, especially your rating of the risk or opportunity’s impact and
likelihood and the resulting risk score.
2. Consult the “heat map” shown in Figure 2 to see where your risks and opportunities will fall and what level of institutional
review they will require based on their risk score.
3. Consider which risk or opportunity response (column I) options you will use to manage each risk or opportunity: accept/ignore,
avoid/exploit, mitigate/enhance, or share.
4. Consider what steps you will take to respond to each risk or opportunity.
5. Consider any costs or special resource needs associated with your response.
6. Consider how long it would take to fully implement your response.
Example (Column I, Proposed Risk/Opportunity Response):
Enhance. Resource and implement the "DRAFT" plan, "A Framework for Building a More Diverse, Inclusive, and Multiculturally
Competent Campus" dated November 19, 2015. This would need to include appropriate change management and
communication strategies that would increase the plan's success. Also central to the plan's success is the requirement and
commitment from each college, school, division, department, unit, center, and program to develop action plans that
incorporate the plan's framework including its 4 pillars (academics, community, environment and operations), areas of
systemic engagement, and strategic priorities identified as emerging needs or concerns as they come to light going forward.
Steps 6 and 7
Key Terms
- Opportunity response (treatment): Process to modify or respond to an opportunity. Opportunity response can involve one or
a combination of: enhancement, exploitation, ignoring, or sharing.
- Enhance: The opportunity equivalent of “mitigating” a risk is to enhance the opportunity. Enhancing seeks to increase the
probability and/or the impact of the opportunity in order to maximize the benefit to the project.
- Exploit: Parallels the “avoid” response, where the general approach is to eliminate uncertainty. For opportunities, the “exploit”
strategy seeks to make the opportunity definitely happen (i.e. increase probability to 100%). Aggressive measures are taken
which seek to ensure that the benefits from this opportunity are realized by the project.
- Ignore: Just as the "acceptance" strategy takes no active measures to deal with a residual risk, opportunities can be ignored,
adopting a reactive approach without taking explicit actions.
- Sharing (transfer), opportunity: The “share” strategy for opportunities seeks a partner able to manage the opportunity who
can maximize the chance of it happening and/or increase the potential benefits. This will involve sharing any upside in the
same way as risk transfer involves passing penalties.
- Risk response (treatment): Process to modify or respond to a risk. Risk response can involve one or a combination of:
acceptance, avoidance, mitigation, or sharing.
- Accept: Form of risk response, an informed decision to tolerate or take on a particular risk
- Avoid: Form of risk response, an informed decision not to be involved in, or to withdraw from, an activity, in order not to be
exposed to a particular risk.
- Mitigate: Form of risk response involving actions designed to reduce a risk or its consequences.
Appendix A. Blank "Risk Assessment Worksheet"
Title: ___________________ Risk Assessment DRAFT
A. Risk Name
B. Risk/Opportunity statement
C. Responsible Official
D. Risk or Opportunity
E. Risk or Opportunity Category
F. Impact Score and Analysis (determine the impact(s) on the organization's mission, goals and competitiveness, and existing mitigation efforts already in place)
G. Likelihood Score and Analysis (determine the likelihood a risk event could occur)
H. Overall score (multiply the impact and likelihood scores to come up with the overall score)
I. Recommended response (additional mitigation)
Appendix B Management Response Plan (MRP) Template and Instructions
General Instructions:
To develop and maintain a consistent level of MRP development, maintenance and reporting, a blank MRP
template, MRP instructions and an MRP example have been developed and are provided here. Responsible Officials
(ROs) should use the template and instructions to prepare, maintain and report on their portfolio-level MRPs.
BLANK MRP TEMPLATE
No. ___, Risk-Opportunity Name ________ Management Response Plan (MRP), Responsible Official Name ________
1. Date MRP Prepared/Updated
2. Risk/Oppty Name
3. Risk/Oppty Statement
4. Responsible Official
5. Is this a Risk or Opportunity?
6. Risk or Opport. Category
7. Describe the impact this risk or opportunity could have/has on UVM's mission, Strategic Action Plan (SAP), competitiveness and/or reputation.
8. Describe the likelihood it will occur.
9. Impact Score
10. Likelihood Score
11. Management Response Plan
- Risk Response (check most applicable one): Accept / Transfer / Mitigate / Avoid
- Opportunity Response (check most applicable one): Ignore / Exploit / Enhance / Share
12. Describe management's actions to date
13. Describe management's plan going forward
Purpose of the management response plan (MRP): Describe UVM’s chosen response to a particular risk or
opportunity that is negatively or positively impacting or could impact the University’s objectives.
Definitions:
1. Residual risk: the risk that will remain (or be retained) even after the management response plan is fully
implemented.
2. Risk/Opportunity response: Process to modify or respond to a risk or opportunity to support
organizational objectives with the general goal of reducing uncertainty. Risk response can involve one or a
combination of: acceptance, avoidance, mitigation, sharing, or transfer to a third party; opportunity
response can involve one or a combination of: enhancement, exploitation, ignoring, sharing, or transfer to a
third party, as shown below:
Risk Responses
- Accept: An informed decision to tolerate or take on a particular risk. Take no active measures.
- Avoid: An informed decision not to be involved in, or to withdraw from, an activity, in order not to be exposed to a particular risk. Eliminates uncertainty.
- Mitigate: Take actions designed to reduce either the likelihood and/or impacts (consequences) of a risk.
- Sharing (transfer): Contractual risk transfer to other parties, including insurance. Risk financing: Form of risk sharing, involving contingent arrangements for the provision of funds to meet or modify the financial consequences should they occur.
Opportunity Responses
- Ignore: An informed decision to take no active measures regarding an opportunity.
- Exploit: An informed decision to make an opportunity definitely happen (i.e., increase probability to 100%). Aggressive measures are taken which seek to ensure that the benefits from this opportunity are realized by the project.
- Enhance: Take actions designed to increase the likelihood and/or impacts (consequences) of an opportunity.
- Sharing (transfer), opportunity: Seek a partner able to manage the opportunity that can maximize the chance of it happening and/or increase the potential benefits. Involves sharing any upside.
3. Management response plan (MRP): A plan used to implement and communicate the chosen risk or
opportunity response.
Detailed Instructions:
Header No. , Risk-Opportunity Name _ Management Response Plan (MRP), Responsible Official Name
The header information is provided by the CRO, who creates the initial DRAFT MRP and fills in
information about the risk or opportunity from interview notes and/or the preliminary risk inventory. The CRO
assigns an MRP No. and names the risk or opportunity; the RO's name should include first and last name.
Line 1. List the date the management plan was originally prepared or the date of this report.
Line 2. List the Risk/Opportunity Name from UVM’s risk-opportunity portfolio
Line 3. Insert the Risk/Opportunity Statement from UVM’s risk-opportunity portfolio; only modify the
statement if it helps clarity.
Line 4. List the name of the Responsible Official from UVM’s risk-opportunity portfolio
Line 5. State whether this is a Risk or an Opportunity (from UVM’s risk-opportunity portfolio)
Line 6. List the risk or opportunity category from UVM’s risk-opportunity portfolio, categories include:
Risk categories:
- Human Capital,
- Hazard/Safety/Legal Liability,
- Financial,
- Operational,
- Compliance,
- Strategic, and
- Reputational.
Opportunity categories:
- Strategic,
- Reputational,
- Enrollment Management and Student Success,
- Financial,
- Operational.
Lines 7 & 9. Describe current Impact (line 7); score the current impact as either [high, medium or low] (line 9)
Lines 8 & 10 Describe current likelihood (line 8); score current likelihood as either [high, medium or low] (line
10) from UVM’s risk-opportunity portfolio
Line 11. For a risk, place an "X" in the box that corresponds with your planned risk response; for an
opportunity, place an "X" in the box that corresponds with your planned opportunity response
(see the Risk Response or Opportunity Response choices in the box above).
Line 12. Briefly describe management’s actions to date.
Line 13. Briefly describe management’s plan going forward.
Line 14. Briefly describe any key dependencies (what critical actions must occur to ensure management’s
response will be successful).
Line 15. Give the estimated target year your MRP will be completed.
Line 16. Place an “X” in the box that best describes the current status of your plan’s implementation.
- On track or
- Needs attention
Line 17. Give the date, Board committee, and name of the presenter for the last Board of Trustees
presentation on this topic (if any).
Line 18. Place an “X” in the box that best describes the Responsible Official’s Board Presentation plan.
- Annually,
- Semi-annually,
- Other (if other, describe, e.g., quarterly, monthly, etc.)
Line 19. Give the date, Board committee, and name of the presenter for the next BOT presentation on this
topic (if there is one).
Line 20. Describe any residual risk (risk that remains after the MRP has been implemented).
Line 21. Please add additional comments here.
Please include below a permanent record of:
- Date the MRP was originally created: Give the original date the MRP was prepared.
- Date the MRP was revised on: Give the date the MRP was updated.
- Dates of subsequent MRP revisions: List each on its own separate line