
Risk Management Policy and Guidelines

Version 3, November 2017

Table of Contents

1. Introduction ... 2
2 Risk Management in the PSI ... 3
2.1 Risk Management Objectives ... 3
2.2 Risk Management Strategy ... 3
2.3 Risk Appetite Statement ... 4
3. Risk Management Framework ... 6
3.1 Overview ... 6
3.2 Benefits of Risk Management ... 6
3.3 Roles and Responsibilities ... 8
3.4 Assurance Arrangements ... 11
3.5 Risk Register ... 12
3.6 Risk Identification ... 12
3.7 Risk Assessment ... 13
3.8 Risk Mitigation ... 14
3.9 Risk Prioritisation ... 15
4. Risk Monitoring and Reporting ... 18
5. External Review ... 19
6. Approval of the Risk Management Policy ... 20
7. References ... 21
8. Glossary of Terms ... 22
Appendix 1 Considering the Likelihood of the Risk ... 23
Appendix 2 Considering the Consequence of the Risk ... 24


1. Introduction

Organisations face a wide range of uncertain internal and external factors that may affect the achievement of objectives. The effect of this uncertainty on their objectives is called risk and can be positive (opportunities) or negative (threats). Uncertainty can arise because of many different factors, including cultural and behavioural factors, variability and changes over time within the operating environment, revisions of mandates and obligations, differing expectations within and across stakeholder groups, as well as inaccurate or incomplete information. Risk management and internal control, which consist of an ongoing process designed to identify and address significant risks involved in achieving an organisation's objectives, are important and integral parts of a performance management system and crucial to the achievement of outcomes.

Risk management is a process of clearly defined steps which support better decision making by contributing a greater insight into risks and their impacts. The process of risk management involves a cycle of identifying risks, evaluating their potential consequences, and determining the most effective methods of responding to them. The cycle is completed by a regular system of monitoring and reporting.

Effective risk management offers an organisation a means of improving its strategic and operational management and allows for better understanding and more informed decision making. It can also help to minimise financial losses and service disruption. An integrated and holistic approach to risk management is one of the cornerstones to achieving effective corporate governance. Public service organisations, including regulatory bodies, must be able to respond appropriately to significant business, strategic, reputational, policy, operational, stakeholder, financial, compliance and other risks that threaten the successful achievement of their strategic and operational objectives and priorities.

Effective risk management supports good governance within the Pharmaceutical Society of Ireland (PSI) as it assists in determining priorities and setting objectives, in analysing uncertainties within decision-making arrangements, in clarifying accountabilities, and in demonstrating how the mandate of the Council is best served.


This document describes the risk management framework in operation in the PSI. The framework is designed to support the ongoing monitoring, review and management of risks.

2 Risk Management in the PSI

2.1 Risk Management Objectives

The PSI wishes to effectively manage its risk, based on a clear understanding of risks and their likely impact. The objective is to set out a generic framework consisting of a series of steps to support risk management, and to raise awareness of risk and the need to manage it consistently and effectively across the organisation. This document sets out how this objective will be fulfilled while acknowledging the Risk Management Principles outlined by the Department of Public Expenditure and Reform, which include:

Governance: Each organisation is required to have a pro-active management-led risk management strategy as part of their governance framework.

Management: The risk management framework and process should be appropriate to the scale, nature, range of activities and risk appetite and should be subject to continuous improvement.

Structures: Managing risk requires a systematic, timely and structured approach with clearly defined risk management structures, processes and responsibilities.

Reporting: The risk management systems should provide for monitoring and reporting.

2.2 Risk Management Strategy

A risk management strategy helps an organisation achieve its strategic and operational objectives by managing and mitigating the risks which have the potential to affect the achievement of those objectives. The objectives of this risk management policy include:

- improving the overall risk management arrangements;
- providing a level of assurance that the key legal, regulatory, governance and professional obligations of the PSI are being met;
- ensuring that the PSI is meeting the requirements of governance and control processes and procedures which it has in place;
- providing advice on how to address risks and uncertainties; and
- protecting the reputation of the PSI.


The risk management process in the PSI should:

- address any uncertainty around the delivery of objectives;
- be based on the best available information;
- facilitate continual improvement;
- be part of decision making;
- be integral to strategic planning;
- be structured, systematic and tailored to organisational needs; and
- be dynamic, transparent and responsive to change.

2.3 Risk Appetite Statement

A risk appetite refers to the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives. The PSI must accept an element of risk across its activities. However, as a public interest organisation, the PSI will seek to mitigate risk as far as possible in carrying out its role in the interests of patient safety and public protection.

In this context, the PSI:

- Recognises that it must accept, tolerate and be exposed to a certain level of risk to successfully deliver on its mission to protect and promote the health, safety and well-being of patients and the public, while carrying out its role as the pharmacy regulator.
- Acknowledges it must be prepared to avail of opportunities where the potential reward justifies the acceptance of a certain level of additional risk.
- Will review its risk appetite at least annually in light of changing circumstances in its wider environment, its organisational capacity to bear risk and potential rewards associated with taking on additional risk.

In recognition that risk may arise at multiple levels (from taking strategic decisions, to implementing supporting actions) and take many forms, the Council has formulated a number of more detailed guiding risk appetite statements (see table below) to guide its staff in their actions and support their ability to accept and/or manage risks. The Council will periodically (at least annually) review its risk appetite in light of changing circumstances in its wider environment and in its organisational capacity to bear risk.


The PSI’s risk appetite will be defined in accordance with the following classifications:

| Assessment | Description |
|---|---|
| High Risk Appetite | The organisation accepts opportunities that have an inherent high risk that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity. |
| Medium Risk Appetite | The organisation is willing to accept some risks in certain circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity. |
| Low Risk Appetite | The organisation is not willing to accept risks in most circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity. |
| Zero Risk Appetite | The organisation is not willing to accept risks under any circumstances that may result in reputation damage, financial loss or exposure, major breakdown in information system or information integrity or would compromise the delivery of the mandate. |

The management of risk within the risk appetite of the PSI will be supported by the wider risk framework set out in this document. In recognition that risks may arise at multiple levels and take many forms within the organisation, the PSI has developed a number of risk appetite statements to guide staff members in their actions and support their ability to accept and manage risk. These guiding risk appetite statements are as follows:

| Category | Assessment | Risk Appetite Guiding Statements |
|---|---|---|
| Strategy/Policy/Stakeholder/Inter-agency | Medium to Low Risk Appetite | The PSI will avail of opportunities where they are considered justified in pursuance of its corporate and strategic objectives. Its risk appetite in this regard is medium. The PSI’s risk appetite in relation to major threats to its strategic objectives is low. |
| Budgetary and Financial | Medium to Low Risk Appetite | The PSI recognises that it is required to manage its financial resources effectively, and within government constraints on public funding and spending. Its appetite for risk in this area is low. Its appetite for risk in relation to the allocation of resources and securing additional funding is medium. |
| Operational/Personnel and Talent Management | Medium Risk Appetite | The PSI has developed a comprehensive framework, including policies and procedures, performance management, and performance reporting, to support operational management. Its appetite for risk in this area is medium. |
| Governance and Compliance | Zero Risk Appetite | As a public sector body, the PSI is bound by a number of legislative and compliance frameworks, e.g. Pharmacy Act 2007, Ethics in Public Office Acts, Data Protection Acts etc. The Council defines policies and procedures to support its legal and regulatory compliance requirements. The Council expects full compliance, and will avoid any risk or uncertainty in this area. As such its risk appetite in the category of compliance is generally zero. |

3. Risk Management Framework

3.1 Overview

The risk management system encompasses regular Unit/Dept meetings; review and updating of the functional area's Risk Register, in the context of changing priorities, objectives and/or circumstances; and bringing evolving functional area risks to the attention of the relevant Advisory Committee.

Risk assessment at functional area level will inform the corporate level risk assessment conducted by the Senior Management Team, the findings of which are then reported to the Audit and Risk Committee and Council.

The risk management process will seek to focus on uncertainties and vulnerabilities faced by the PSI, and map them against their potential impact on the delivery of the PSI’s strategic objectives and critical functions.

3.2 Benefits of Risk Management

Risk management is a process which provides assurance that:

- objectives are more likely to be achieved;
- improved decision making, planning and prioritisation takes place as a result of a comprehensive and structured understanding of business activity, volatility and project opportunity/threat;
- beneficial outcomes will be or are more likely to be achieved;
- the extent of uncertainty will be assessed and addressed;
- threats or damaging things will not happen or are less likely to happen;
- resources will be focussed on higher priority areas.


The diagram below illustrates the high level risk management framework for the PSI; a more detailed list follows in the next section.

Council
- Approves the risk management policy
- Reviews a report from the Audit and Risk Committee at each public Council meeting
- Ensures effectiveness of risk management through internal and external review
- Assesses and reports on an annual basis the principal risks facing the PSI

Senior Management (composed of Heads of Departments and headed by the Registrar/CEO)
- Guides and oversees compliance with the risk management policy
- Reviews the Corporate and Functional Area Risk Registers and takes appropriate action
- Reports to the Audit and Risk Committee and Council
- Monitors the effectiveness of risk management

Chief Risk Officer
- Reports directly to the Audit and Risk Committee and Council
- Develops and implements risk management policy
- Co-ordinates the identification, prioritisation and management of risks
- Provides guidance to risk owners regarding the identification of risks

Risk and Action Owners
- Own and manage the risks delegated in the Risk Register
- Comply with controls outlined in the Risk Register and report on any control gaps or weaknesses
- Identify risks and report risk incidents

Staff
- Comply with controls outlined in the Risk Register and report on any control gaps or weaknesses
- Identify risks and report risk incidents

Risk Management Tools
- Risk management policy
- Risk Register
- Risk management reports
- Specialist knowledge and guidance

Audit and Risk Committee
- Reviews risk reports and monitors the effectiveness of risk management
- Liaises with other Committees in relation to key risk issues
- Approves the risk based internal audit plan
- Provides guidance to the internal audit function, focussing on key areas for review

Internal Audit
- Conducts internal audits on a risk basis
- Provides assurance in relation to the adequacy of controls across specific risk areas, including risk management


3.3 Roles and Responsibilities

PSI Council

The role of the Council is to:

- approve the Risk Management policy and monitor its effectiveness. It is assisted in its monitoring role by the work of the various Committees of the Council, who have oversight on the priorities, work programmes and deliverables of the various functional areas.
- set the PSI’s risk appetite.
- report publicly on the effectiveness of the risk management system and confirm in the Annual Report that the Council has carried out an appropriate assessment of the PSI’s principal risks. This includes a description of these risks and associated mitigation measures or strategies.
- ensure risk management is a standing item on the agenda at each Council meeting and Advisory Committee meeting.
- ensure risk management is embedded into PSI processes and culture.

Registrar

The Registrar has the overall responsibility for:

- ensuring the effectiveness of the risk management system, including both compliance with the risk management policy and the provision of information on key corporate risks, uncertainties and mitigations in place and proposed;
- integrating the process for managing risk into the PSI’s governance, strategy, planning, management, reporting processes, policies, values, and culture;
- monitoring the risk management system and ensuring that the Council has sufficient information on risk identification, measurement and mitigation strategies; and
- establishing and maintaining a sound system of internal control that supports the achievement of policies, aims and objectives. The system of internal control is designed to respond to and manage the whole range of risks that the PSI faces.

Senior Management Team

Working in conjunction with the Registrar, the Senior Management Team should ensure ongoing compliance with the risk management policy. Specific responsibilities for the SMT, as a collective, include:

- ensuring risk management is a regular agenda item at its meetings;
- considering significant functional area and corporate risk issues, including the effectiveness of arrangements to address cross cutting risks;
- creating awareness, across the PSI, of the need to identify and manage risk effectively and engaging staff in all aspects of the risk management process; and
- monitoring the management and reporting of risk to Council and Committees.


Heads of Functional Area

Heads of Functional Areas are responsible for:

- leading the implementation of the risk management process in their area;
- working in conjunction with colleagues in identifying, evaluating and signing off on risks;
- ensuring that clear roles and responsibilities for risk identification, management and reporting are defined within their areas;
- ensuring compliance with the formal risk reporting requirements on an on-going basis;
- ensuring risk management awareness throughout the area of responsibility; and
- agreeing and taking ownership, as appropriate, for risks within the area’s organisational or functional remit on a day to day basis.

Chief Risk Officer (CRO)

The CRO is responsible for:

- reporting directly to the Council and the Audit and Risk Committee;
- coordinating the risk management process, including the identification, prioritisation and management of risks;
- assisting the Heads of Functional Areas in the collation of reports for the Senior Management Team / Audit and Risk Committee / Council with regard to risk management; and
- ensuring that on-going training is made available to PSI management, staff, and Committee and Council members, as required.

Staff

Individual members of staff have a key part to play in managing risk by:

- being aware of the nature of risks in their day-to-day work;
- monitoring the effectiveness of procedures created to mitigate those risks identified;
- being responsive to the changing nature of the risks faced by the functional area and the wider organisation; and
- proactively identifying risk issues and bringing these to the attention of colleagues and heads of functional areas.

A common responsibility for all of the above is communicating to everyone at all levels in the organisation the importance of knowledge, awareness and commitment to identifying, responding to and addressing individual key risk issues.


Internal Audit

Internal Audit acts as an independent assurance and consulting activity within the PSI. In the context of risk management, Internal Audit is responsible for providing an independent assurance opinion on the risk management framework, policy and processes. The Internal Audit function may, as part of its work programme, regularly review risk management arrangements and risk policy implementation, and it also adopts a risk-based approach to the development of its audit plan. The Internal Auditor carries out internal audits on a risk-based sample basis and provides assurance in relation to the adequacy of controls.

Audit and Risk Committee

The Audit and Risk Committee has an independent role in the provision of assurance to the Council. It includes consideration of the adequacy of the internal control systems, control environment and control procedures and overseeing the work of Internal Audit. The Audit and Risk Committee is responsible for:

- reviewing risk reports and monitoring the effectiveness of risk management, and reporting to Council on a quarterly basis;
- approving the risk based Internal Audit Plan;
- reviewing and approving the annual statement of internal financial control;
- providing guidance to the Internal Audit function, focusing on key areas for review; and
- reviewing corporate level and functional area risk registers.

3.4 Assurance Arrangements

The risk management policy and the system outlined will facilitate the provision of assurance statements in relation to compliance with best practice governance obligations. The Registrar and the Senior Management Team should receive appropriate and regular assurance about the management of risk within the business areas and also the management of corporate level risks. For the corporate risks identified, the Senior Management Team will evaluate the effectiveness of the existing controls and risk management responses and report to Council.

The Risk Register and the levels of assurance will inform the work of the Council and various Committees, including the Audit Committee and the Internal Audit function.

As part of the assurance process, SMT members will complete and submit the following assurance statement to the Registrar on a quarterly basis.


SAMPLE ASSURANCE STATEMENT IN RELATION TO RISK MANAGEMENT

As Head of Department, with responsibility for <insert name >, I confirm that the risk register completed in <insert date / month > as part of the risk management process reflects the principal risks and proposed mitigations within the Department.

I acknowledge my responsibility for the ongoing update, monitoring and review of the risk register in the Department and for ensuring the implementation of the Risk Management Policy.

3.5 Risk Register

The Risk Register is central to the risk management process. The Register serves as a tool to track and manage risks which impact on the objectives and performance of the organisation. It is used to record risks, establish whether they are high, medium or low, allocate ownership of the risk, and identify the controls in place and actions required to mitigate each risk.

The Register has the following columns:

- Ref.
- Risk Category
- Risk Appetite
- Description of Risk
- Existing Controls
- Risk Rating (sub-columns: Consequence, Likelihood, Rating)
- Control Effectiveness
- Total Risk Rating
- Additional Controls
- Risk Owner
- Dates

3.6 Risk Identification

Risk identification attempts to identify an organisation’s exposure to uncertainty. This requires a detailed knowledge of the organisation, the legal, social, political and cultural environment in which it operates, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives. Reactive and proactive sources of information can be used to identify risk. Information from sources such as incidents, complaints and audit reports highlights some risks to which the organisation should react.


Risk statements should be understandable to anyone reading the Risk Register and should be set out to ensure risks are clear, e.g. "there is a risk of … due to … resulting in …". When drafting a risk statement:

1. Assess whether the risk will impact on the PSI achieving strategic or operational objectives.
2. Assess what has led to the identification of the risk, e.g. previous experience, research, a gap analysis, third party notification, audit finding etc.
3. Assess any quantifiable impact to the organisation, either monetarily, legally or operationally, of failing to mitigate the risk.

3.7 Risk Assessment

A key feature of the risk management process is the assessment of risk. It is important to conduct a proper analysis of risk (i.e. the causes, likelihood and consequence of a risk not being effectively managed). The PSI has agreed a common system for assessing risk, which is documented within this policy. In assessing risks or threats, there is a judgement about the risk appetite, acceptable tolerance or exposure.

Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur. Factors that affect consequences and likelihood should be identified. In accordance with the ISO 31000 standard, risks are assessed and prioritised through consideration of:

- Likelihood (Appendix 1): The likelihood of occurrence is estimated on a scale of 1 to 5, where 1 is rare, if ever, and 5 is very high (unavoidable or already happening).
- Consequence (Appendix 2): The consequence of a risk not being effectively managed is estimated using a scale of 1 to 5, where 1 is equivalent to having negligible consequence and 5 is equivalent to having a substantial consequence.


Risk scores are based on the consequence rating multiplied by the likelihood rating, which establishes the priority level for addressing the risk. The risk scores are defined using a traffic light system, as follows:

- High Priority (H), Red: risk score of 12 to 25
- Medium Priority (M), Amber: risk score of 5 to 10
- Low Priority (L), Green: risk score of 1 to 4

3.8 Risk Mitigation

When risks have been identified and assessed, the next stage is to consider and outline appropriate risk mitigation.

Treat

By far the greater number of risks will be addressed in this way. The purpose of treatment is to allow the organisation to continue with the activity giving rise to the risk, but also to ensure mitigations, action or controls are put in place to constrain the risk to an acceptable level.

Tolerate

The exposure to the risk may be tolerable without any further action being taken. Even if it is not tolerable, the ability to do anything about some risks may be limited, or the cost of taking action may be disproportionate to the potential benefit gained. In these cases the response may be to tolerate the existing level of risk.

Risk scoring matrix (consequence, Low 1 to High 5, across; likelihood, Low 1 to High 5, down; each cell is consequence x likelihood):

| Likelihood \ Consequence | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 1 | 1 | 2 | 3 | 4 | 5 |
| 2 | 2 | 4 | 6 | 8 | 10 |
| 3 | 3 | 6 | 9 | 12 | 15 |
| 4 | 4 | 8 | 12 | 16 | 20 |
| 5 | 5 | 10 | 15 | 20 | 25 |

Risk criteria used by the PSI, based on the ISO Standards, are as follows:

| Rating | Consequence |
|---|---|
| 1 | Negligible |
| 2 | Minor |
| 3 | Moderate |
| 4 | Significant |
| 5 | Substantial |

| Rating | Likelihood |
|---|---|
| 1 | Rare |
| 2 | Low |
| 3 | Medium |
| 4 | High |
| 5 | Very High |


Transfer

For some risks the best response may be to transfer them. This might be done by conventional insurance, or it might be done by paying a third party to take the risk. It is important to note that some risks are not (fully) transferable.

Terminate

Some risks will only be treatable, or containable to acceptable levels, by terminating the activity. It should be noted that the option of termination of activities is limited in a statutory regulator, state agencies and government bodies generally when compared to the private sector.

Control Effectiveness

After identifying the risk mitigation measures and documenting the consequence and likelihood of the risk, it is necessary to identify how effective the controls are in addressing the risk. The effectiveness of existing controls is estimated using a scale of 1 to 3, where "1" is "highly effective" and "3" is "no controls/controls ineffective". This is then multiplied by the total net risk score to determine the overall risk score. Using this multiplier effect changes the risk scores and therefore also the criteria for ranking under the traffic light system, as follows:

Using Multiplier Effect Risk Scores:

- Low = 12 or less
- Medium = 13 to 24
- High = 25+
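The scoring arithmetic of sections 3.7 and 3.8 (net score = consequence x likelihood, the traffic-light bands, the 1 to 3 control-effectiveness multiplier with its revised bands, and the "25 or over" threshold that section 4 applies when considering risks for the Corporate Risk Register) worked through in Python. This is an added example and not a tool of the PSI or one referenced by the policy; the register rows, their descriptions and ratings are constructed for illustration, and the check that every reachable score falls inside a defined band is this example's own addition rather than a step the policy prescribes.

```python
# Added worked example of the PSI risk-scoring arithmetic (sections 3.7, 3.8, 4).
# Not the PSI's own tooling; the sample register rows below are constructed.
from dataclasses import dataclass

# Rating scales as stated in the policy (1-5 for consequence and likelihood).
CONSEQUENCE = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Significant", 5: "Substantial"}
LIKELIHOOD = {1: "Rare", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}

# Traffic-light bands for the net score (consequence x likelihood): (low, high, priority, colour).
NET_BANDS = [(12, 25, "High", "Red"), (5, 10, "Medium", "Amber"), (1, 4, "Low", "Green")]
# Bands after the control-effectiveness multiplier (1-3) is applied; the maximum is 25 x 3 = 75.
TOTAL_BANDS = [(25, 75, "High", "Red"), (13, 24, "Medium", "Amber"), (1, 12, "Low", "Green")]
# Section 4: a ranking of 25 or over is considered for the Corporate Risk Register.
CORPORATE_REGISTER_THRESHOLD = 25


def _check_scale(value, low, high, name):
    """Reject ratings outside the policy's integer scale instead of silently scoring them."""
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{name} must be an integer from {low} to {high}, got {value!r}")


def net_risk_score(consequence, likelihood):
    """Consequence rating multiplied by likelihood rating (section 3.7)."""
    _check_scale(consequence, 1, 5, "consequence")
    _check_scale(likelihood, 1, 5, "likelihood")
    return consequence * likelihood


def band_for(score, bands):
    """Return (priority, colour) for a score, or raise if no band covers it."""
    for low, high, priority, colour in bands:
        if low <= score <= high:
            return priority, colour
    raise ValueError(f"score {score} falls outside every defined band")


def total_risk_rating(net_score, control_effectiveness):
    """Net score multiplied by control effectiveness, where 1 = highly effective
    and 3 = no controls / controls ineffective (section 3.8, Control Effectiveness)."""
    _check_scale(control_effectiveness, 1, 3, "control_effectiveness")
    return net_score * control_effectiveness


def risk_matrix():
    """The 5x5 matrix from the policy; matrix[likelihood-1][consequence-1] is the product."""
    return [[net_risk_score(c, l) for c in range(1, 6)] for l in range(1, 6)]


def bands_cover_all_reachable_scores():
    """Sanity check (this example's addition): every product of two 1-5 ratings lands in a
    net band, and every product times a 1-3 multiplier lands in a total band. The net bands
    skip 11, which is harmless only because no product of two 1-5 ratings equals 11."""
    for row in risk_matrix():
        for net in row:
            band_for(net, NET_BANDS)
            for ce in (1, 2, 3):
                band_for(total_risk_rating(net, ce), TOTAL_BANDS)
    return True


@dataclass
class RiskEntry:
    """A subset of the Risk Register columns listed in section 3.5."""
    ref: str
    category: str
    description: str
    consequence: int
    likelihood: int
    control_effectiveness: int


def score_entry(entry):
    """Score one register row and flag whether it meets the corporate-register threshold."""
    net = net_risk_score(entry.consequence, entry.likelihood)
    total = total_risk_rating(net, entry.control_effectiveness)
    net_priority, net_colour = band_for(net, NET_BANDS)
    total_priority, total_colour = band_for(total, TOTAL_BANDS)
    return {
        "ref": entry.ref,
        "net_score": net,
        "net_priority": f"{net_priority} ({net_colour})",
        "total_rating": total,
        "total_priority": f"{total_priority} ({total_colour})",
        "consider_for_corporate_register": total >= CORPORATE_REGISTER_THRESHOLD,
    }


# Constructed sample rows (hypothetical; not taken from any PSI register).
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Operational", "Unplanned outage of a core business system", 4, 3, 2),
    RiskEntry("R-02", "Governance and Compliance", "Breach of data protection obligations", 5, 2, 3),
    RiskEntry("R-03", "Budgetary and Financial", "Minor overspend on a project budget", 2, 2, 1),
]


def score_register(entries=SAMPLE_REGISTER):
    """Score every row; returns a list of dicts, one per register entry."""
    return [score_entry(e) for e in entries]


if __name__ == "__main__":
    for row in score_register():
        print(row)
```

Note how the two banding schemes interact on the constructed row R-01: a net score of 12 is High (Red) under section 3.7, yet with partially effective controls (multiplier 2) its total rating of 24 sits in the Medium band of the multiplier scheme and does not meet the 25 threshold for the Corporate Risk Register, so a register that reports only one of the two figures will present a different priority than one reporting the other.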

3.9 Risk Prioritisation

The risk register identifies the risk priorities, facilitates the review and monitoring of all risks, and justifies mitigating action.

Functional area risk registers are the key source documents for the Corporate Risk Register. They each provide:

- a description of the risk, also known as a risk statement;
- the risk appetite;
- the category or type of risk;
- the current mitigations and actions in place to address the risk;
- an assessment of the likelihood it will occur and the possible consequence, based on the ISO numerical scoring scale (1-5);
- an assessment of the effectiveness of the controls;
- an outline of additional proposed mitigation actions; and
- who is accountable and responsible for managing that risk.


The format of the Register is sequential. The completion of the Register is linked to the objectives and functions of each functional area.

The following table explains the rationale and content of each of the columns in the Register.

| Column | Rationale | Content |
|---|---|---|
| (1) Risk Category | The purpose of this column is to categorise the risks identified under the headings in the main categories. | The risks are classified appropriately, e.g. operational, legal, regulatory etc. |
| (2) Principal Risks | The purpose of this column is to specify the principal risks / opportunities related to the objectives. | Short explanations and comments on the principal risks identified. |
| (3) Mitigations / Controls / Management Actions | The purpose of this column is to identify the actions being undertaken to mitigate the risk identified in column (2). | Short explanation of what is being done to manage the risk. |
| (4) Risk Rating | The purpose of this column is to allow for an assessment or ranking of the risk, i.e. consequence and likelihood. | For each of the risks, its ranking will reflect the scoring scale of 1-5 for consequence and 1-5 for likelihood. |
| (5) Control Effectiveness | The purpose of this column is to assess how effective the control is in addressing the risk. | For each collective set of control actions a scoring scale of 1-3 will apply. This is then multiplied by the risk rating to get the total risk rating. |
| (6) Additional controls | The purpose of this column is to identify additional controls/mitigating measures to further address the risk. | The suggestions should reflect feasible and appropriate responses that address the risks. |
| (7) Accountable / Responsible | The purpose of this column is to identify the owner of each risk. | This will be a single named individual within each functional area or on the Senior Management Team. |


4. Risk Monitoring and Reporting

Each functional area will maintain a Risk Register relating to the business objectives and priorities for that area. A Corporate Risk Register will consolidate the risks from the functional area risk registers. It will be informed by deliberations at Senior Management Team level and key strategic issues outside the direct role of individual Departments.

This will form the basis for implementing and monitoring risk management activities. Major external policy changes and issues emanating from the health reform programme would be examples of where Senior Management Team input to key corporate issues would be essential.

Any risk with a ranking of 25 or over (RED) should be considered for inclusion in the Corporate Risk Register by the Registrar and the Chief Risk Officer. If a similar risk is appearing across a number of functional areas, an amalgamated risk may appear in the Corporate Risk Register, e.g. risks relating to availability of resources.

Functional area Risk Registers and associated mitigations and controls will be reviewed on a quarterly basis and a risk report provided to the SMT. Quarterly reports of functional area Risk Registers will also be provided to relevant Advisory Committees.

The Corporate Risk Register will be reviewed by the Senior Management Team every two months. Quarterly reports on the status of the Corporate Risk Register and of key mitigating actions to address risks will also be provided to the Council.

The Audit and Risk Committee will be provided with quarterly reports on the Corporate Risk Register and on each of the functional area Risk Registers. It will provide a report on risk management to Council on a quarterly basis. The Audit and Risk Committee will also review on a cyclical basis the Risk Register from a functional area and receive a presentation from the relevant Senior Manager.

The role of the Audit and Risk Committee and Council is to appraise the Corporate Risk Register and assess whether it is fit for purpose by considering the following criteria:

- risks included represent an organisation-wide risk that threatens the achievement of one or more of the PSI's objectives;
- risks included have significant potential to impact on the operational or financial ability of the PSI to deliver services and core functions, or may adversely affect the PSI's reputation;
- risks included cannot be addressed at Department/local management level or by a single Department or functional area;
- control measures required in respect of included risks call for a shared Senior Management Team response; and
- management of the risks is likely to require considerable input of additional resources (financial, people, time etc.).

Oversight for risks rests with the Council and the Audit and Risk Committee, who are required to review the outputs of management and gain assurance that risks are being managed appropriately.

The following are the minimum formal monitoring and reporting requirements of the PSI.

- Risk identification and management will be incorporated in the annual business planning process to ensure that risk is formally considered and integrated with the business planning process.
- Risk will be a standing agenda item for Department, Senior Management Team, Committee and Council meetings. Decisions of meetings should be checked to assess if any risks arise from decisions taken.
- The PSI will formally identify risk and review its functional area Risk Registers on a quarterly basis and its Corporate Risk Register at two-month intervals.
- All major projects will include a risk template to capture major project risks. It is the responsibility of all project managers to ensure that all risks are identified and managed appropriately throughout project implementation. Risks which require escalation to the functional area Risk Registers and Corporate Risk Register must be included in the functional area Risk Register and should be assessed for inclusion on the Corporate Risk Register.
- Risk management will be included in all job descriptions and addressed as part of performance management.
- Actions taken to mitigate risks will be monitored on an ongoing basis by senior managers to ensure that planned actions are implemented.
- Ongoing review of the number of high, medium and low risks facing the organisation, by category and division.

5. External Review

Risk management will be reviewed externally to provide assurance that risk is being properly and effectively managed in the organisation. This review will be a combination of:

- Internal Audit review (based on the internal audit work programme as agreed with the Audit and Risk Committee from time to time);
- External Audit by the External Auditors during their annual audit programme;
- Other external reviews commissioned by the Registrar/CEO/CRO, as required.

6. Approval of the Risk Management Policy

This risk management policy will be reviewed on an annual basis by the Council of the PSI.

Revision 1, May 2009
  Description: First introduced.
  Approved by: Council

Revision 2, March 2016
  Description:
  - Update of roles and responsibilities
  - Update of risk appetite statement
  - Update of risk assessment and identification processes
  - Changes to structure and sequencing of document
  Approved by: Council

Revision 3, November 2017
  Description: Review following consultation with Mazars.
  Approved by: Council


8. Glossary of Terms

Inherent Risk: The exposure arising from a specific risk before any action has been taken to manage it.

Residual Risk: The exposure arising from a specific risk after action has been taken to manage it, making the assumption that the action is effective.

Risk: The effect of uncertainty on objectives; the effect can be positive or negative. Risk is scored or ranked based on the combination of likelihood and consequence.

Risk Assessment: The evaluation of risk with regard to the consequence if the risk is realised and the likelihood of the risk being realised.

Risk Management: All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.

Risk Register: The documented and prioritised overall assessment of the range of specific risks faced by the PSI.

Risk Appetite: The amount of risk that the PSI is prepared to accept, tolerate or be exposed to in the pursuit of priorities and objectives.

Internal Control: Any action within the organisation taken to manage risk. These actions may be taken to manage either the consequence if the risk is realised, or the likelihood of the realisation of the risk.

Appendix 1: Considering the Likelihood of the Risk

Rating 1 - Rare
  Description: May only occur in exceptional circumstances; simple process; no previous incidence of non-compliance.
  % Likelihood: Up to 5% chance next year, or once every 20 years.

Rating 2 - Low
  Description: Could occur at some time but doubtful; chance of occurring; non-complex process and/or existence of checks and balances.
  % Likelihood: Up to 20% chance next year, or up to 4 out of every 20 years.

Rating 3 - Medium
  Description: Might occur at some time; chance of occurring; complex process with extensive checks and balances; impacting factors outside control of organisation.
  % Likelihood: Up to 50% chance next year, or up to 10 out of every 20 years.

Rating 4 - High
  Description: Will probably occur in most circumstances; chance of occurring; complex process with some checks and balances; impacting factors outside control of organisation.
  % Likelihood: Up to 75% chance next year, or up to 15 out of every 20 years.

Rating 5 - Very High
  Description: Can be expected to occur in most circumstances; complex process with minimal checks and balances; impacting factors outside control of organisation.
  % Likelihood: Over 75% chance next year, or at least 16 out of every 20 years.

Appendix 2: Considering the Consequence of the Risk

Consequence scale: 1 Negligible, 2 Minor, 3 Moderate, 4 Significant, 5 Substantial. The descriptions below give the consequence at each level for each category of impact.

Operational/Policy
  1 Negligible: Minor errors in systems or processes requiring corrective action
  2 Minor: Minor procedural rules occasionally not complied with and subsequently identified and corrected
  3 Moderate: One key accountability requirement not complied with or bypassed
  4 Significant: Non-compliance with several key control requirements
  5 Substantial: Ongoing non-compliance with several key control requirements

Budgetary and Financial
  1 Negligible: 1% of Budget or <€5k
  2 Minor: 2.5% of Budget or <€50k
  3 Moderate: 7.5% of Budget or <€500k
  4 Significant: 15% of Budget or <€5m
  5 Substantial: 25% of Budget or >€5m

Strategic
  1 Negligible: Little impact
  2 Minor: Inconvenient delays
  3 Moderate: Material delays; marginal under-achievement of target performance
  4 Significant: Significant delays; performance significantly under target
  5 Substantial: Non-achievement of objective/outcome; performance failure

Governance and Compliance
  1 Negligible: Procedural breach; little impact
  2 Minor: Minor breach resulting in investigation
  3 Moderate: Negligent breach; review initiated
  4 Significant: Deliberate breach or gross negligence
  5 Substantial: Serious, wilful breach; ongoing non-compliance with key legal obligations

Stakeholder/Inter-agency
  1 Negligible: Minor disputes with other bodies and agencies
  2 Minor: Minor disputes with other bodies and agencies requiring senior management time to rectify
  3 Moderate: Limited co-operation by key stakeholders/agencies on priority areas
  4 Significant: Lack of co-operation by key stakeholders/agencies on some priority areas
  5 Substantial: Serious non-collaboration by stakeholders

Personnel/Talent Management
  1 Negligible: Normal or expected rate of staff movement across, into and out of the organisation
  2 Minor: Some capacity gaps in selected business areas which can be accommodated
  3 Moderate: Significant capacity gaps in selected business areas and in specialist topics
  4 Significant: Significant capability gaps at leadership and management levels
  5 Substantial: Serious lack of knowledge, skills and competencies to deliver key objectives