[MANUAL]
Version: 01/ Revision: 01/ Effective Date: 26-May-2015 1
INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA
IIUM RISK MANAGEMENT
POLICY, FRAMEWORK & GUIDELINES
DOCUMENT CONTROL
Approved by: IIUM BOARD OF GOVERNORS (Upon approval)
Effective Date: 26th May 2015
Recommended by: IIUM UNIVERSITY MANAGEMENT COMMITTEE (UMC)
Recommendation Date: 3rd December 2015
Version No.: 01
Revision No.: 01
Revision Date: 1st February 2017
Last Revision Date: None
Responsible Office: Office of Corporate Strategy (OCS), International Islamic University Malaysia
This document is for International Islamic University Malaysia internal use only
© 2015 IIUM
All rights reserved. This document either in its entirety or in part(s) may NOT be reproduced, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright.
TABLE OF CONTENTS
1.0 INTRODUCTION ... 4
2.0 INTERPRETATION ... 4
3.0 OBJECTIVES ... 5
4.0 SCOPE ... 5
5.0 PRINCIPLES ... 6
SECTION A: POLICY ... 8
6.0 RISK MANAGEMENT POLICY ... 8
SECTION B: FRAMEWORK ... 10
7.0 RISK MANAGEMENT FRAMEWORK ... 10
8.0 OWNERSHIP AND ACCOUNTABILITY ... 13
9.0 THE STRUCTURE AND ADMINISTRATION OF RISK MANAGEMENT ... 14
SECTION C: GUIDELINES ... 21
10.0 THE RISK MANAGEMENT PROCESS ... 21
11.0 RISK AWARENESS TRAINING ... 46
GLOSSARY OF RISK TERMS AND DEFINITIONS ... 47
REFERENCES ON RISK, CONTROL AND GOVERNANCE ... 51
CONTRIBUTORS ... 52
1.0 INTRODUCTION
1.1 On 16th July 2014, IIUM approved the establishment of the Risk Management Unit under the Office of Corporate Strategy to spearhead the implementation of risk management practices as stipulated in the Code of University Good Governance 2011 (CUGG), the Malaysian Code of Corporate Governance 2012 (MCGG) and the Action Plan for Implementation of the National Integrity Plan of Higher Education 2010 - 2015 (Pelan Tindakan Pelaksanaan Pelan Integriti Nasional Pengajian Tinggi 2010 - 2015).
1.2 Risk is inherent in all academic, administrative and business activities, and every member of the University community continuously manages risk. International Islamic University Malaysia (IIUM) recognises that the aim of risk management is not to eliminate risk totally, but rather to provide the structural means to identify, prioritize and manage the risks involved in all University activities. It requires a balance between the cost of managing and treating risks and the anticipated benefits that will be derived.
1.3 Apart from acts of Allah s.w.t., IIUM Risk Management is an integral part of best management practice and an essential element of good corporate governance, as it improves decision-making and enhances outcomes and accountability. The intent is to embed risk management in a very practical way into business processes and functions via key approval processes, review processes and controls, not to impose risk management as an extra requirement.
1.4 This document consists of three sections:
i) SECTION A: Policy
ii) SECTION B: Framework
iii) SECTION C: Guidelines
2.0 INTERPRETATION
In this document, unless the context otherwise requires:
i) “Centres of studies” and “COS” means the centres that are named as Kulliyyah, School, Institute or Centre and that represent a branch or branches of the unified concept of knowledge, based on the basic concept of Islamic principles and the philosophy of knowledge and education as prescribed in the IIUM Constitution;
ii) “D&O” means the registered offices and divisions for the time being of the university;
iii) “IIUM” means the International Islamic University Malaysia;
iv) “ISO31000:2009” means the ISO31000:2009 Risk Management — Principles and Guidelines;
v) “BOG” means the Board of Governors, the management and policy-making authority of the University;
vi) “Manual” means the IIUM Risk Management Framework, Policy and Guidelines;
vii) “Policy” means the IIUM Risk Management Policy;
viii) “SBU” means the Strategic Business Units; and
ix) “University” means the International Islamic University Malaysia.
3.0 OBJECTIVES
3.1 The objective of this Manual is to ensure that the University makes informed decisions with respect to the activities that it undertakes by appropriately considering both risks and opportunities.
3.2 The Manual is therefore to detail the IIUM Risk Management Framework, Policy and Guidelines to all individuals within the University to enable staff at all levels to have an understanding of the policies and structure adopted within the University to ensure the management of risk on an organization-wide basis.
3.4 The Manual is thus intended as a reference manual for all staff in IIUM on an ongoing basis. The Office of Corporate Strategy is the custodian of this Manual and is responsible for ensuring that all staff are aware of the IIUM Risk Management Framework.
4.0 SCOPE
4.1 Risk management must be effective at all levels of the University; staff must understand what is acceptable risk within the University and what their individual roles are in relation to the management of risk.
4.2 This Manual amongst others covers:
i) Purpose and Objectives of the Manual
ii) IIUM Risk Management Framework
iii) Risk Management Policy
iv) Definition of Risk Management and Enterprise Risk Management
v) Risk Management Governance and Organisation
a) Ownership and Accountability
b) Structure and Administration of Risk Management
vi) Enterprise Risk Management Guideline
a) Risk Management Process
vii) Training and Awareness
viii) Communication and Reporting
4.3 The ISO31000:2009 Risk Management — Principles and Guidelines provides principles and generic guidelines on risk management. This International Standard can be applied throughout IIUM, and to a wide range of activities, including strategy design and decision making, operations, processes, functions, projects, products, services and assets.
4.4 The risk management roles and responsibilities detailed in this Manual will ensure that all staff with risk responsibilities understand their role in ensuring that significant risks across IIUM are identified, assessed, correlated and consolidated, and that appropriate mitigation activities are undertaken.
5.0 PRINCIPLES
5.1 Risk management is a process supported by a set of principles adopted from ISO31000:2009. For the risk management implementation to be effective, IIUM shall, at all levels, comply with the principles below:
No. | Principle | Application (ISO31000:2009)
1. | Risk management creates and protects value | Risk management contributes to the demonstrable achievement of objectives and improvement of organizational performance.
2. | Risk management is an integral part of all processes of the University | Risk management is not a stand-alone activity that is separate from the main activities and processes of IIUM. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
3. | Risk management is part of decision making | Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
4. | Risk management explicitly addresses uncertainty | Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
5. | Risk management is systematic, structured and timely | A systematic, timely and structured approach to risk management contributes to efficient, consistent, comparable and reliable results.
6. | Risk management is based on the best available information | The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgments.
7. | Risk management is tailored | Risk management is aligned with the University’s external and internal context and risk profile.
8. | Risk management takes human and cultural factors into account | Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the University’s objectives.
9. | Risk management is transparent and inclusive | Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the University, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.
10. | Risk management is dynamic, iterative and responsive to change | Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.
11. | Risk management facilitates continual improvement of the University | Strategies should be developed to improve the risk management maturity and effectiveness.
SECTION A: POLICY
6.0 RISK MANAGEMENT POLICY
6.1 Policy Objective
The IIUM Risk Management Policy is established to:
i) Protect the University from those risks of significant likelihood and consequence in the pursuit of the University's stated strategic goals and objectives;
ii) Provide a consistent risk management framework in which the risks concerning office processes and functions of the University will be identified, considered, and addressed in key approval, review and control processes;
iii) Encourage pro-active rather than re-active management;
iv) Provide assistance to, and improve the quality of decision making throughout the University;
v) Meet legal and statutory requirements; and
vi) Assist in safeguarding the University's assets, amongst others people, finance, property, information and reputation.
6.2 Policy Scope
6.2.1 This Policy is applicable to the following:
i) Centres of studies;
ii) Divisions and offices;
iii) Strategic business units; and
iv) Controlled entities, and entities that are derived from the University's legal status.
6.2.2 All IIUM staff are responsible for managing risks.
6.2.3 The Policy encapsulates the component of IIUM Risk Management Framework which highlights the approach to risk management, all roles and responsibilities, the key aspects of the process and the terms of reference.
6.2.4 The Policy complements the Code of University Good Governance 2011 (CUGG), the Malaysian Code of Corporate Governance 2012 (MCGG), the Action Plan for Implementation of the National Integrity Plan (NIP) of Higher Education 2010 – 2015 and any relevant policies in committing towards a number of key objectives that require the Office of Corporate Strategy to be the knowledge resource for managing and mitigating risks across IIUM operations and a leader in the industry.
6.3 Policy Statement
6.3.1 IIUM adopts the risk management approach and general methodology specified in the ISO31000:2009 - Risk Management: Principles and Guidelines on implementation.
6.3.2 All IIUM business processes and functions will adopt a risk management approach consistent with the ISO31000:2009 (Clause 5) - Risk Management Process in their approval, review and control processes. The IIUM risk management approach and methodology for this purpose is as set out in the IIUM Risk Management Policy, Framework and Guidelines.
6.3.3 The responsible risk coordinator for each IIUM business process and function shall develop a form of risk management approach and associated documentation appropriate to their domain.
SECTION B: FRAMEWORK
7.0 RISK MANAGEMENT FRAMEWORK
7.1 The success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout IIUM at all levels. The framework assists the management of risks effectively through the application of the risk management process at varying levels and within specific contexts of IIUM. The framework ensures that information about risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant University levels.
7.2 Figure 1 below illustrates the relationship between the components of the framework for managing risk as described in the Clause 4 of the ISO31000:2009 Standard. It includes the essential steps in the implementation and ongoing support of the risk management process. The components of this framework are:
i) Mandate and commitment
ii) Design of framework for managing risk
iii) Implementing risk management
iv) Monitoring and review of the framework
v) Continual improvement of the framework
Figure 1: Relationship between the components of the framework for managing risk
7.2.1 Mandate and Commitment
7.2.1.1 The introduction of risk management and ensuring continuous effectiveness require a strong and sustainable commitment by the University’s management, as well as strategic and rigorous planning to achieve commitment at all levels.
7.2.1.2 Management shall:
a) Define and endorse the risk management policy
The BOG shall approve the risk management policy as outlined in Para 5 above, which is to be implemented by IIUM. The policy should be used as the basis for all centres of studies, divisions and offices, strategic business units, and other related entities in designing and implementing the risk management process.
b) Ensure that the culture and risk management policies are aligned
Embedding risk management involves an environment that can demonstrate a change in mindset and culture to be more risk-aware from management and staff at all levels. University’s effective leadership can shape culture by encouraging the application of risk management through organisational recognition and reward systems.
This risk-aware culture is to be institutionalised into daily operational and business activities for effective risk management at the university, operational, project or team levels.
c) Align risk management objectives with the objectives and strategies of the University.
The management should align their risk management objectives with the University’s strategies in order to mitigate the risk elements and reduce the adverse consequences to the achievement of objectives. The alignment may be conducted during the annual strategic planning process.
d) Determine risk management performance indicators that align with the University performance indicators.
The management may align its risk management performance indicators (PI) with the University’s performance indicators by:
i) Considering the range of key organisational / business drivers;
ii) Incorporating the risk management into the University’s scorecards; and
iii) Integrating the risk management performance assessment into the overall organisational performance management system.
e) Ensure legal and regulatory compliance
IIUM shall ensure legal and regulatory compliance within all jurisdictions in which it operates to effectively mitigate legal and regulatory risks.
f) Assign accountabilities and responsibilities at appropriate levels
The management shall assign appropriate levels of authority, accountability and responsibility for managing risks at all levels as defined in this Manual and the University’s approving authority.
g) Ensure that the necessary resources are allocated to risk management
The management shall provide and facilitate sufficient resources and infrastructure to implement the risk management framework, consisting of:
i) People and skills;
ii) Documented processes and procedures;
iii) Information systems and databases; and
iv) Financial and any other resources for specific risk treatment activities.
h) Communicate the benefits of risk management to all stakeholders
As part of good governance, effective risk management enables management to improve outcomes by identifying and analyzing the issues and providing a systematic way to make informed decisions. Risk management provides reasonable assurance to the stakeholders that the objectives are achievable within the University's tolerable risk appetite.
i) Ensure that the framework for managing risk continues to remain appropriate
The management shall ensure that the framework is reviewed on a regular basis to ensure its relevancy to changes in the external and internal context.
7.3 The IIUM Risk Management Framework involves three key steps:
i) Setting the corporate strategy on an annual basis, aligning risk management to business objectives;
ii) Adopting a formal and standardised process methodology for risk management across the business; and
iii) Maintaining a structure that assigns ownership and responsibility for monitoring and updating risk management.
7.4 The Framework should be used for the following:
i) Communicate policies and procedures for managing risk on an enterprise wide basis;
ii) Provide guidelines for responsibilities and duties in managing risk;
iii) Create an understanding of the processes undertaken that contribute to the success of the risk management implementation from a university-wide perspective;
iv) Demonstrate how risk relates to the achievement of corporate objectives; and
v) Emphasise the importance of risk management towards IIUM Vision and Mission as well as IIUM strategic direction of becoming a Premier Global Islamic Research University.
8.0 OWNERSHIP AND ACCOUNTABILITY
8.1 All IIUM staff are responsible for the effective identification and management of risks.
8.2 The ownership of the IIUM Risk Management Policy rests with the Office of Corporate Strategy.
8.3 The IIUM Risk Management Committee or any designated committee assumes overall responsibility for measuring and monitoring the risk management performances across IIUM.
8.4 The Office of Corporate Strategy shall be the Secretariat of IIUM Risk Management Committee or any designated committee and IIUM Risk Management Technical Committee with a responsibility to plan, develop, coordinate and communicate risk management programmes and monitor adherence to the Policy.
8.5 The Policy does not diminish nor supersede the important role that the IIUM line management plays in the overall management of risk.
9.0 THE STRUCTURE AND ADMINISTRATION OF RISK MANAGEMENT
9.1 IIUM Risk Management Structure
9.1.1 The IIUM risk reporting structure is depicted in Figure 2 as follows:
Figure 2: IIUM risk management reporting structure
9.2 Critical Success Factors
9.2.1 The critical success factors that must be considered in ensuring successful implementation of IIUM Risk Management are as follows:
i) Strong and visible support from senior management;
ii) Dedicated group of cross functional staff to drive IIUM Risk Management implementation at operational level;
iii) Closely link IIUM Risk Management to key strategic and financial objectives of the University and to the business process;
iv) Promoting IIUM Risk Management as a framework to improve the existing processes within the University;
v) Adopting any suitable external ideas or benchmarking any best practice approaches for improving the existing risk management framework; and
vi) Continuously making improvements and leveraging “early wins” initiatives.
9.3 Management Commitment
9.3.1 Commitment from IIUM management is shared with all line managers at all levels by embedding the IIUM Risk Management methodology into the business planning process via the Balanced Scorecard, or any other performance measurement tools as determined by the University. Identified risks are managed by applying the Risk Management processes. Vertical and horizontal communications are essential in ensuring pro-active responses to mitigate probable impact and losses.
9.4 Roles and Responsibilities
9.4.1 In embedding the Risk Management Framework, the roles of the various entities within the University are identified as follows:
9.4.1.1 Role of the Board of Governors (BOG)
The BOG, as the highest authority of management and policy making of the University, is to endorse the IIUM Risk Management Policy and oversee the risk management implementation within the University on the advice of the IIUM risk management committee or any designated committee.
9.4.1.2 Role of the IIUM Management
The role of the University Management Committee and the Heads of Centres of Studies, Divisions and Offices is embedded within the policy statement. As they are responsible and accountable for all the risks that exist within their domain, it is important that all line managers support their superior in ensuring that the risk-based approach is fully adopted and embedded in all business processes.
9.4.1.3 Role of the IIUM Audit and Risk Committee
i) The establishment of the designated IIUM risk management committee (board level) or any equivalent committee as well as the appointment of the chairman and the members of the said committee shall be approved by the BOG on the recommendation of the IIUM-University Management Committee.
ii) Their responsibilities amongst others are:
a) To overview the implementation of the IIUM risk management framework and its mitigation progress;
b) To review the risk management framework and to evaluate its effectiveness;
c) To ensure that the risk management process is embedded into the business decision making, related trainings and awareness programmes;
d) To review the extreme, high and significant risks identified by management and to ensure the mitigation plans are executed;
e) To recommend strategies to control significant ‘downside risks’ and exploit any ‘upside risk opportunities’;
f) To receive, discuss and review the group risk management report; and
g) To recommend improvement to the IIUM Risk Management implementation methodology whenever required.
9.4.1.4 Role of the Office of Corporate Strategy
As custodian of the IIUM Risk Management matters, the roles of Office of Corporate Strategy shall include:
i) To establish, formulate, recommend and manage best-practice IIUM Risk Management programmes for the University with the objective of managing and minimizing the impact of losses to the University's financial position and safeguarding the IIUM reputation;
ii) To coordinate the various functional activities and advise on any risk management issues within the university;
iii) To ensure all principal risks have been identified and the necessary internal control system is in place to manage and control risks in compliance with the Code of University Good Governance 2011 (CUGG), the Malaysian Code of Corporate Governance 2012 (MCGG) and the Action Plan for Implementation of the National Integrity Plan of Higher Education 2010 – 2015;
iv) To ensure the implementation of policy and strategy across risk management for the university; and
v) To be a primary champion of risk management at strategic and operational level;
a) To build a risk-aware culture within the university including appropriate education and training;
b) To assist business units in the implementation of risk management programmes;
c) To develop risk response processes, including contingency and business continuity programmes for the university;
d) To act as the secretariat for IIUM Risk Management Committee and IIUM Risk Technical Committee; and
e) To consolidate university-wide risk reporting and preparation for management and stakeholders.
9.4.1.5 Role of the IIUM Risk Management Technical Committee
a) The IIUM Risk Management Technical Committee which acts as a ‘think tank’ group is to be chaired by the Director of Corporate Strategy. The members shall be determined by the chairman in order to facilitate the process of implementing the university risk management programme. The members may be represented from the offices that could provide risk oversight and work as key parts of the integrated risk structure to assist in risk identification, analysis, control management and reporting.
b) Their responsibilities amongst others are to:
i) Assist the process of coordinating the required resources allocation for implementing risk strategies and programmes; and
ii) Give recommendations of improvements to the IIUM Risk Management Committee.
9.4.1.6 Role of the Head of Center of Studies / Divisions / Offices / Strategic Business Units (COS / D&O / SBU)
a) The role shall be established as, or be part of, any equivalent administrative setup at COS/D&O/SBU and shall be chaired by the Head of COS/D&O/SBU. The members shall be determined by the Head within the COS/D&O/SBU.
b) Their responsibilities amongst others are:
i) To review the departmental risk registers and ensure appropriate mitigation and action plans are undertaken to ensure that the risk management process is embedded into the business decision process;
ii) To promote and recommend participation of departmental staff in IIUM Risk Management training and awareness programme;
iii) To review all risks identified by management and to have plans for mitigation;
iv) To recommend improvement to the IIUM Risk Management implementation methodology where required; and
v) To promote risk awareness within their operations by introducing risk management objectives into their business and operations;
vi) To incorporate risk management at the conceptual stage of projects and activities as well as throughout project and activity implementation; and
vii) To identify a person to be appointed as risk coordinator who is responsible for coordinating risk management policy and strategy for the COS/D&O/SBU. This responsibility shall be clearly defined and form part of his/her Key Performance Indicators (KPIs).
9.4.1.7 Role of the Risk Coordinators at COS/D&O/SBU
As the representative or liaising individual for the COS/D&O/SBU in matters of risk management, the risk coordinator is responsible to:
a) Assist the head of COS/D&O/SBU in the management and administration of the office risks portfolios;
b) Arrange, organize and coordinate periodic Enterprise Risk Management review sessions within the COS/D&O/SBU;
c) Monitor action plans through meeting or discussion with individual risk owners or process owners within COS/D&O/SBU’s or with other COS/D&O/SBU Risk Coordinators in managing cross-functional risks;
d) Be responsible for updating the risk information in the Risk Information Management System (RiMS) in a timely manner;
e) Identify training needs of COS/D&O/SBU in relation to risk management;
f) Provide management reports for management consumption as required; and
g) Liaise with the Office of Corporate Strategy on matters relating to Risk Management and Enterprise Risk Management.
9.4.1.8 Role of the Risk Owner
A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so. The roles of the risk owner amongst others are:
a) To determine which risks require mitigation and contingency plans;
b) To generate the risk mitigation and contingency strategies and perform a cost benefit analysis of the proposed strategies;
c) To actualize the mitigation process by allocating adequate resources or budget;
d) To monitor, control and update the status of the risk throughout the project lifecycle in which the risk owner may be a member of the project team.
9.4.1.9 Role of Office of the Internal Audit
As part of the internal control agencies for the university, Office of the Internal Audit is responsible to:
a) Focus the internal audit work on the extreme, high and significant risks, as identified by management, and audit the risk management processes across the University;
b) Provide assurance on the management of risk;
c) Provide active support and involvement in the risk management process; and
d) Conduct independent post implementation review of IIUM Risk Management.
9.4.1.10 Role of University Staff
All IIUM staff have a responsibility to:
a) Inform the management in their own area on an ongoing basis of new and emerging risks;
b) Inform the management immediately when aware of anyone carrying out an activity or any inappropriate actions that could cause a loss to happen and which would be detrimental to the achievement of IIUM's goals and objectives; and
c) Support and participate in any approved risk management training.
9.5 Resources and Implementation
9.5.1 The resources required to implement the University's risk management policy should be clearly established at each level of management and within each business unit. Those involved in risk management should have their roles in coordinating risk management policy/strategy clearly defined. The same clear definition is also required for those involved in the audit and review of internal controls and facilitating the risk management process.
SECTION C: GUIDELINES
10.0 THE RISK MANAGEMENT PROCESS
10.1 The University shall adopt the ISO31000:2009 Risk Management Process at all levels of the University – strategic, operational and tactical as per Figure 3 below:
Figure 3: ISO31000:2009 Risk Management Process
10.1.1 ESTABLISH THE CONTEXT
10.1.1.1 The process of ‘Establishing the Context’ is to define the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy. This is needed in order to:
a) Clarify the organizational objectives;
b) Identify the environment in which objectives are pursued;
c) Specify the main scope and objectives for risk management, boundary conditions and the outcomes required;
d) Identify a set of criteria against which the risks will be measured; and
e) Define a set of key elements for structuring the risk identification and assessment process.
10.1.1.2 The next important aspect that has to be established is the University’s objectives, which are normally reflected in the mission statement, policies or business plans and strategy. For a division, the objectives may be expressed as performance targets or key business activities.
10.1.1.3 The business objectives should encompass the management principles and operations, and should be specific, measurable, aligned, realistic and within a defined time frame (S.M.A.R.T). The objectives can relate to customer service, product quality, cost control, revenue maximization, regulatory compliance, fraud prevention, safety, reliable business information, and others.
10.1.1.5 The achievement of objectives does not “just happen”. People must act to achieve objectives, and they need to know what is expected and who is responsible for what. Thus, the accountability to achieve the objectives shall be clearly assigned to an individual or a team.
10.1.1.6 When defining the risk criteria, factors to be considered should include the following:
a) The nature and types of causes and consequences that can occur and how they will be measured;
b) How likelihood will be defined;
c) The timeframe(s) of the likelihood and/or consequence(s);
d) How the level of risk is to be determined;
e) The views of stakeholders;
f) The level at which risk becomes acceptable or tolerable; and
g) Whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered.
10.1.2 RISK IDENTIFICATION
10.1.2.1 Risk identification seeks to identify all potential risks that may have an impact on achieving the specified business objective. It involves the examination of all sources of risk and the perspectives and inputs of all stakeholders, both internal and external. Some components of risk will be under our control (known as controllable risk), whilst others are not (also known as inherent risks). Hence, both internal and external controls of risk need to be considered when identifying risks.
10.1.2.2 A risk is associated with:
a) A source of risk or hazard.
b) An event or incident – something that occurs such that the source of risk has the impact concerned.
c) A consequence, outcome or impact on a range of stakeholders and assets.
d) A cause (what and why) for the presence of the hazard or the event occurring.
e) Controls and their effectiveness.
f) When could the risk occur and where could it occur.
10.1.2.3 Thus, the purpose of risk identification is to generate a comprehensive list of possible loss scenarios or opportunities and their potential impacts arising from the possible sources of risk.
10.1.2.4 The risk identification process will enable the risk owner to create a cause and effect diagram and to identify risk responses.
10.1.2.5 Key questions in risk identification process:
What might happen?
How might it happen?
What are the current risk response mechanisms in place to mitigate this risk?
What are the consequences of each risk?
What are the stakeholder expectations of the University’s performance?
What is the potential cost in time, money, and disruption to customers of each risk?
10.1.2.6 Possible methods of identifying risks are:
a) Brainstorming.
b) Surveys and questionnaires.
c) Expert judgment.
d) Structured interviews.
e) Focus group discussions.
f) Strategic and business plans including SWOT analysis.
g) Results and reports from audits, inspections and site visits.
h) Historical records, incident databases and analysis of failures.
i) Review selected Key Performance Indicators (KPIs).
10.1.2.7 In writing the risk statement, a good risk statement should consider the following characteristics:
a) Always ‘negative’ in description and ‘relevant’ to the University.
b) Should be clear, concise, specific & easily understood.
c) Based on causes of risks not consequences.
10.1.2.8 A risk owner must be assigned to each risk identified. The risk owner is the person with the accountability and authority to manage the risks identified.
10.1.2.9 The identified risks are then summarized into risk categories. The risk categories are a classification system or an approach to summarize the identified risks. The risk categories are not exhaustive and can be reviewed during brainstorming workshops and actual risk evaluation. Changing business conditions and decisions made in the course of running the business will continuously move the risk element such that the risks will be different, each time you look at them. As such, it is important to have frequent and explicit discussion about risk, in order to maintain continuous awareness of which risks are significant.
Table 1: Risk Categories
No. Categories Description
1 Strategy Losses due to error or misjudgment in the selection of strategy or the execution of the strategy or exposure to loss resulting from a strategy that turns out to be defective or inappropriate.
2 Operations Risk arising from execution of a company’s business function which focuses on the risks arising from the people, assets, systems and processes through which the University operates
3 Finance Risk associated with the finances of the University, including loan interest charges, exchange rates, taxation, borrowings & credit, government grant, error in asset valuation (over-or undervaluation), liabilities, spending beyond limit, negative cash flows or any other direct and indirect losses affecting other elements of the University’s finances
4 Reputation Risk of impact to the business attributable / related to the trustworthiness of the business and / or the education industry as a whole
5 Information Risk arising from the flow of information and availability of new or existing technology to the business and the impact of it being adopted or not to the business.
6 Regulations Risk due to non-compliance or failure to adhere to sets of rules and regulations as set out by the University, Government or legislation
10.1.3 RISK ANALYSIS
10.1.3.1 Risk analysis is performed by identifying and recognizing the probable causes that contribute to the identified risk. It also involves making an estimate of the likelihood of the risk event happening and of its consequence or impact in the context of the existing internal control measures. The causes and consequences will be necessary in developing the mitigation actions and evaluating the impact or potential loss.
10.1.3.2 The processes involved in the analysis are as follows:
a) Determine the level of likelihood of the risk event happening from each risk source – whether rare, unlikely, probable, likely or almost certain;
b) Evaluate the level of impact or the consequence of the risk to the business objectives – whether insignificant, minor, moderate, major or catastrophic; and
c) Establish the risk rating that is acceptable or otherwise, which then provides the basis for the assessment of and responses to risks in line with the existing internal control mechanism. In other words, it shall be confirmed whether the controls are in place and are being used to manage those risks.
10.1.3.3 Types of Analysis
The risk analysis can be undertaken with varying degrees of detail, depending on the risk, the purpose of the analysis, and the information, data and resources available. The analysis can be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances.
In detail, the types of analysis are:
a) Qualitative Analysis
The qualitative analysis uses words to describe the magnitude of potential consequences and the likelihood that those consequences will occur. It defines impact, likelihood and the level of risk by significance level, such as “extreme”, “high”, “significant”, “medium” and “low”. Generally, qualitative analysis may be used:
i) As an initial screening activity to identify risks which required more detailed analysis;
ii) Where this kind of analysis is appropriate for decisions; or
iii) Where the numerical data or resources are inadequate for a quantitative analysis.
b) Semi-Quantitative Analysis
The semi-quantitative analysis uses numerical rating scales for likelihood and impact and combines them to produce a level of risk by way of a formula. The objective is to produce a more expanded ranking scale than is usually achieved in qualitative analysis.
It is important to note that since the value allocated to each description may not bear an accurate relationship to the actual magnitude of likelihood and impact, the numbers should only be combined using a formula that recognizes the limitations of the scales used.
c) Quantitative Analysis
The quantitative analysis uses numerical values for both likelihood and impact using data from a variety of reliable sources. The quality of the analysis depends on the accuracy and completeness of the numerical values and the validity of the models used.
Some examples of quantitative methods of risk analysis include:
Consequence analysis;
Statistical analysis of historical data;
Fault tree and event tree analysis;
Statistical and numerical analysis; or
Probability analysis.
The qualitative and semi-quantitative methods are used primarily to rank risks in order to decide on a priority for action or budget allocation.
10.1.3.4 Questions to ask during risk analysis:
What is the potential likelihood of the risks happening?
What are the potential consequences of the risk happening?
What are the current risk responses, which may prevent, detect or lower the consequences of potential or undesirable risks or events?
10.1.3.5 Risk Parameters
Table 2 and Table 3 give the levels to be used for likelihood and impact:
Table 2: Level of Likelihood
Level Descriptor Probability Example of likelihood description
1 Rare < 1% The event may occur only in exceptional circumstances – will occur once in every 50 years
2 Unlikely 1% - 15% The event could occur at some time – will occur once in every 20 years
3 Possible 16% - 30% The event might occur at some time – will occur once in every 10 years
4 Likely 31% - 50% The event will probably occur in most circumstances – will occur once in every 3 years
5 Almost Certain > 50% The event is expected to occur in most circumstances – will occur on an annual basis
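As an added illustration (not the manual's own tool), the semi-quantitative approach of 10.1.3.3 b) applied to the Table 2 bands: an estimated annual probability is mapped to a likelihood level, combined with an impact level 1-5 (as described in Table 3) into an ordinal score, and a constructed register is ranked. The combination formula, the tie-breaking order and the register entries are assumptions, not taken from the manual.

```python
"""Semi-quantitative risk rating built on the Table 2 likelihood bands.
Added illustration, not the IIUM manual's own tool; the formula (likelihood
level x impact level, used only to rank) and the register are assumptions."""

# Table 2 bands as (upper bound of annual probability, level, descriptor).
# "Rare" is "< 1%"; the other bands are read with inclusive upper bounds so
# that exactly 15%, 30% and 50% fall in the lower band.
LIKELIHOOD_BANDS = [
    (0.01, 1, "Rare"),
    (0.15, 2, "Unlikely"),
    (0.30, 3, "Possible"),
    (0.50, 4, "Likely"),
    (1.00, 5, "Almost Certain"),
]
# Impact levels 1-5 as named in 10.1.3.2 b); Table 3 describes each level.
IMPACT_LEVELS = {1: "Insignificant", 2: "Minor", 3: "Moderate",
                 4: "Major", 5: "Catastrophic"}
# Constructed sample register: (risk statement, annual probability, impact level).
REGISTER = [
    ("Failure to meet research KPIs due to late grant disbursement", 0.40, 3),
    ("Disruption of teaching services due to a data-centre outage", 0.10, 4),
    ("Major fine due to breach of regulatory reporting obligations", 0.005, 5),
    ("Budget overrun on a funded project due to exchange-rate movement", 0.60, 2),
]


def likelihood_level(probability):
    """Map an estimated annual probability (0..1) to a Table 2 (level, descriptor)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for upper, level, descriptor in LIKELIHOOD_BANDS:
        if probability < upper or (level > 1 and probability == upper):
            return level, descriptor


def risk_score(probability, impact):
    """Ordinal score for ranking only; not a loss estimate (the limitation
    that 10.1.3.3 b) warns about when scale values are combined)."""
    if impact not in IMPACT_LEVELS:
        raise ValueError("impact must be a level from 1 to 5")
    return likelihood_level(probability)[0] * impact


def rank_register(register):
    """Return (statement, likelihood descriptor, impact descriptor, score),
    highest score first; ties broken by impact, then likelihood (assumption)."""
    rows = [(risk_score(p, i), i, likelihood_level(p), s, IMPACT_LEVELS[i])
            for s, p, i in register]
    rows.sort(key=lambda r: (r[0], r[1], r[2][0]), reverse=True)
    return [(s, lk[1], imp, score) for score, _, lk, s, imp in rows]
```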
Table 3: Level of Impact
The impact description for each level is given under Financial, Project (KRA/Research/others), Operation (Teaching / HR / Service Delivery / Safety), Reputation and Regulations.
Level 1 – Insignificant
Financial: Unlikely to impact on budget or funded activities; 100% allocated budget utilization.
Project: The event does not cause any impact on the deliverable objective.
Operation: No disruption of critical operations and services; no disruption of a K/C/D/I; affects < 5% of total employees; minimal impact on efficiency, client/student programs and services, environmental sustainability or infrastructure; no effect on leadership effectiveness; no impact on recruitment / retention; no incidents that lead to injury or death; student enrolments / retention (UG or PG) maintained according to the projection or less than ± 10% variance.
Reputation: No impact to reputation; no media coverage.
Regulations: Unlikely to result in adverse regulatory response or action / reports on risk incidents.
Level 2 – Minor
Financial: Some financial loss; less than 2% of net profit before tax / > RM1 mil of the previous reporting period; requires monitoring & possible corrective action within existing resources; ± 2% variance of utilization from allocated budget.
Project: The event may result in some delay but does not affect the deliverable objective; the project may need to be re-planned to remain on track.
Operation: 1 to 2 days disruption of several K/C/D/Is or one critical service; affects 5-10% of employees; minor impact on efficiency, client/student programs and services, environmental sustainability, or infrastructure; minor effect on leadership effectiveness; 5-9% employee turnover; incidents that lead to minor injury (i.e. staff unavailability between 3 to 5 days); ± 10% variance of student enrolments / retention (UG or PG) against the projection.
Reputation: Minimal impact on image / reputation; minor coverage by media at national arena; gain public concern at local / town / district level.
Regulations: Minor non-compliances or breaches of contract, Act, regulations, consent conditions; may result in infringement notice.
Level 3 – Moderate
Financial: Significant financial loss; 2% - 10% of net profit before tax / RM1 mil – RM5 mil of the previous reporting period; impact may be reduced by reallocating resources; ± 5% variance of utilization from allocated budget.
Project: The event may result in minor delay and affect some deliverable objectives; the project will not meet its primary target.
Operation: 3 to 5 days disruption of a K/C/D/I or several critical services; affects 11-30% of employees; moderate impact on efficiency, client/student programs and services, environmental sustainability, or infrastructure; substantial impact on leadership effectiveness; 10-23% employee turnover; incidents that lead to moderate injury (i.e. staff unavailability between 6 to 7 days); ± 20% variance of student enrolments / retention (UG or PG) against the projection.
Reputation: Adverse impact to image / reputation over short term; media coverage at national arena; gain public concern at regional / state level.
Regulations: Significant breach of contract, Act, regulation or consent conditions; potential for regulatory action.
Level 4 – Major
Financial: Major financial loss; 11% - 30% of net profit before tax / RM5 mil – RM15 mil of the previous reporting period; requires significant adjustment to approved/funded projects / programs; ± 10% variance of utilization from allocated budget.
Project: The event may result in major delay and may require project review/re-scoping; the project will not meet all its objectives.
Operation: 6 to 14 days disruption of 2 or more K/C/D/Is or three or more critical services; affects 31-74% of employees; major impact on efficiency, client/student programs and services, environmental sustainability, or infrastructure; major effect on leadership effectiveness; 16-24% employee turnover; incidents that lead to major injury (i.e. staff unavailability more than 7 days); ± 30% variance of student enrolments / retention (UG or PG) against the projection.
Reputation: Serious impact to image / reputation with adverse publicity over medium term; extensive media coverage at international arena.
Regulations: Major breach of contract, Act, regulations or consent conditions; expected to attract regulatory attention; investigation, prosecution and / or major fine possible.