The risk conundrum

• Do they spend money to control the risk by trying to prevent it’s occurrence or minimise it’s impacts?
• Do they spend money in order to transfer the risk via insurance?
• Do they forgo a business opportunity and the potential to earn money in order to avoid the risk?
• Do they ignore the risk and accept the consequences?

The more risks that can be ignored, and the more right that decision proves to be, has a direct impact on the profitability of the company.

Trying to control ALL Risks will put you out of business

Trying to ignore ALL Risk will put you out of business.

Before an organization can make decisions as to what to do about their risks, they need to be reliably informed as to what risks they are facing, what are the consequences of each decision. They need this information to be accurate, timely and understandable.

We approach all risk management assignments with this requirement foremost in our minds.

The benefits of risk management

• Increasing the chance of achieving strategic objectives
• Reducing the likelihood of negative events
• Reducing the instances of insurance claims
• Protecting the organizations key assets
• Enhancing communication between the various groups within an organization (departments, boards, management teams etc)
• Focusing resources on ‘higher risk’ activities
• Providing audit committees with a targeting and monitoring mechanism for internal audit activities
• Strongly assisting compliance with legislation and regulation
• Providing a regulator-friendly audit trail of business decisions etc
• Informing procedural development
• Reducing the “surprise” factor
• Providing reassurance to stakeholders interested in good governance practices

Our risk management principles

1. Provide the risk information to all organizational levels and stakeholders in the form that best suits their individual requirements;

Each of the following groups generally has different reporting requirements.

• Heads of operational areas
• Internal Audit
• Risk manager
• Audit Committee
• Boards
• Government & Regulatory Bodies

We can fulfill all these requirements due to the exclusive use of the ‘RiskManager’ database on all of our risk projects.

2. Assist you to identify and describe your own risks

You know your business better than we do. Unlike some, we wont TELL you what we think your risks are. We have found that by assisting you to identify and clarify the risk information then your chances of managing that risk are greatly increased.

3. Promote people within your organisation to own the risks.

The processes and tools that we employ to identify the risk information promotes ownership of the risks by your people. If your people own the risks then the chances of them managing those risks is maximised.

We always insist on have a nominated position within an organisation to own the risk process and undertake to pass on knowledge to that person.

4. Ensure something happens to mitigate the High risks.

If you go to all the time and expense to conduct a risk assessment for your organisation and then fail to follow up and ensure that the high risks are addressed then you have missed a golden opportunity to maximise your chances of success.

We put in place an agreed action plan and ensure that it gets enacted successfully. We undertake as part of our projects to return on quarterly intervals to review and report to you on the progress made by your organisation until such time that you have mature review processes in place internally.

Our risk management services

Assisting you to develop a risk policy for your business. A risk policy documents the attitude of your organization toward risk and steps out the intended mitigation approach.

Developing a risk framework/methodology document for your organization. This essentially is the ‘road map’ for risk management and is essential in order to provide consistency within the various risk management approaches that occur in every organization. Such a document will typically include the following:

• Key accountabilities
• Reporting frameworks
• Explanation of risk assessment method
• Risk ranking criteria
• Templates and pro-formas

Advising on the setting up of Risk Committees. Many organizations set up such committees to oversee the risk process. Risk committees adopt an ‘audit committee’ approach to all risk management activities.

Development of risk-based internal audit plans. Internal audit departments are often faced with resourcing issues and a risk-based approach to development of their audit plans is accepted practice. At BPC Canada we have a strong awareness of the issues facing modern internal audit departments.

Providing advice on the role of internal audit department. Internal audit (IA) have a key role in the risk management process within a typical organization.

Planning and facilitating strategic and/or operational risk assessments:

• Facilitate risk assessment workshops
• Conduct interviews with relevant stakeholders
• Develop and deliver on-line risk assessment reviews
• Create initial risk registers

Assisting in the development of risk treatment plans. Identification of risk is not enough. The “management” in risk management implies that something is done in order to mitigate the key risks. We can assist organisations to develop treatment plans.

These plans can include measures that:

• Prevent the risk occurring
• Detect whether or not the risk has occurred
• Assist you to respond appropriately to the risk and thereby reduce the impacts

Designing and implementing risk reporting frameworks for:

• Risk owners
• Managers
• Audit committees
• Risk committees
• Governing bodies and Boards

Risk management training . As part of all our assignments we undertake to transfer knowledge to those responsible for the on-going management of risks.

Providing ongoing risk management support services:

• Review and maintain existing risk registers
• Monitor and review progress in enacting risk treatment plans
• Provide management reporting

Customizing, installing and supporting our BPC Enterprise ‘RiskManager’ software.

Risk Management for Higher Education Institutions

One of a University’s prime assets is its reputation. Anything affecting the reputation of a university could and most probably will manifest itself as a reduction in students wanting to attend that institution or of the research dollars attracted to that institution. One of the governing bodies prime role is the protection of the institutions reputation.

Consider the effect on your Institution’s reputation of the following risks occurring:

• Your Student administration system goes down during the very critical enrolment period.
• Questions from the science exam appear in the newspaper a week prior to the exam.
• A foreign student from one of your prime overseas target markets claims they were harassed by a university staff member.
• One of your professors defames an ethnic group in an article on your website.
• A student crashes their car whilst intoxicated following a university sponsored social occasion where alcohol was provided.

Many Universities address only what they consider to be the key strategic risks such as loss of research grants or government funding but in our experience, a failure to review ALL the risks can leave them exposed to a major loss of reputation.

Our Approach to implementing risk management into Higher Education Institutions.

Our experience tells us that there are nuances related to working within a University environment that need to be managed to ensure a successful risk management implementation outcome for Higher Education Institutions.

We at BPC Canada, have been working within University environments for over 10 years and have learnt a great deal during that time. On each project, we endeavour to:

1. Work within the many deadlines, that university staff have to meet.

Workloads vary greatly during various periods of the year and within semesters. Staff, especially senior staff can be difficult to contact and especially difficult to meet with during certain periods. A typical consulting attitude of “I am only here for a few weeks and need to see you now” will not work in a university environment.

2. Understand the differences between the needs of Faculty and Administration staff.

An understanding of the roles of these two groups within a university, of the different personality types generally involved and of the different pressures placed on each group is essential to a successful risk management implementation project.

3. Understand the complexity and range of risks facing Universities.

Every University is different, despite sharing many common risks. Therefore at BPC we tailor our risk approach to assist each of our Higher education clients to define their particular universe of risks for consideration. We achieve this by defining a unique risk map for each client and then by using that map to inform all discussions and workshops. The areas of risk on each risk map are to prompt discussion only and do not preclude other risk areas being raised.

In this way all the appropriate risk areas are discussed and a decision made as to whether they are applicable in each instance.

Just some of the risk area categories that might be included on a typical HEI risk map are:

• Facilities
• Student life
• Teaching
• Legal / regulatory compliance
• Emergencies
• Human resources
• Financial operations
• Governance & decision-making
• OH&S
• Research ethics and work