OP Business Division Procedure - Risk Management
Read in conjunction with Te Pūkenga Risk Management Framework
Otago Polytechnic Limited (Ltd)’s vision for risk management is to have a culture in which risk is managed in an integrated manner that will enable the Polytechnic to:
- be recognised as having best practice management to achieve its strategic directions.
- improve decision making and enhance outcomes and accountability.
- achieve operational and financial goals.
- manage its risks responsibly and in a timely manner.
- align to AS/NZS ISO 31000: 2009.
- ensure that risk management forms part of Otago Polytechnic Ltd’s internal control and corporate governance arrangements.
The aim of this policy is not to eliminate risk, rather to manage the risks involved in all Otago Polytechnic Ltd activities to maximise opportunities and minimise adversity. Risk management also provides a system for the setting of priorities when there are competing demands on limited resources.
Risk: “The effect of uncertainty on objectives”. An effect is a deviation from the expected. Objectives can have different aspects (e.g. financial, health and safety, environmental) and can apply at different levels (strategic, organisation wide, project, product, and process). Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.
Risk Register: A documented record of each risk identified. It specifies a description of the risk, its causes and impact, an outline of the existing internal and external controls, an assessment of the consequences of the risk should it occur and the likelihood of the consequences occurring given the controls, a risk rating, and an overall priority for the risk. It may also identify future actions or an action plan to remove, lesson or minimise the risk.
1. Risk Management is embedded into the fabric of the Polytechnic’s activities. Risk management strategies are included in several different policies and procedures.
2. Otago Polytechnic Ltd has developed a risk management and compliance framework that determines the process and identifies tools for realising its objectives.
3. The framework scope is Polytechnic-wide; including any Trusts and subsidiaries that may exist. The framework is aligned with key Polytechnic strategic, operational and project plans; together with external demands which includes routine reporting through management reports. The framework will both inform and be informed by these Polytechnic planning documents and requirements.
4. The following key principles outline the Otago Polytechnic Limited’s approach to risk management:
4.1. The identification and management of risk is linked to the achievement of the Polytechnic’s strategic goals.
4.2. Board is responsible for overseeing a sound system of internal control that supports the achievement of its Strategic and Investment Plans.
4.3. The Polytechnic makes conservative and prudent recognition and disclosure of the financial and non-financial implications of risks.
4.4. Review procedures cover reputational, strategic, operational, compliance and financial risk.
4.5. Risk assessment and internal control are embedded in ongoing operations; business as usual.
4.6. The Chief Executive, Executive Leadership Team, Heads of College and Managers of Service Areas are responsible for encouraging and implementing good risk management practice.
4.7. Board will review each year the risk management policy and the risk management framework which includes the risk evaluation criteria and reporting processes.
4.8. All Polytechnic employees have a role to play in the identification and management of risk and are provided with appropriate knowledge to identify, manage, and monitor risk.
5. Responsibility for Risk Management
5.1. General: Every employee of Otago Polytechnic Limited is responsible for the effective management of risk, including the identification and reporting of potential risks. Management is responsible for the development of risk mitigation plans and the implementation of risk reduction strategies including those regulated by statute (e.g. the Health and Safety in Employment Act 1992). Risk management processes should be integrated with other planning processes and management activities.
5.2. Board: has governance responsibility for risk management at the Polytechnic. This includes ensuring the integrity and transparency of risk management and risk reporting at the Polytechnic, providing direction for the Polytechnic’s risk management, and ensuring that appropriate risk mitigation activities are functioning effectively. This includes but is not limited to:
- Reviewing disaster management and business continuity activities.
- Monitoring the robustness of the risk management systems, processes, and practices.
- Reviewing the governance strategic risk register.
- Considering the robustness of mechanisms adopted by management to mitigate key risks.
- Referring financial risks, as appropriate, to the Finance and Audit Committee for its consideration.
- Annual review of the risk management policy and the risk management framework (including the risk evaluation criteria and reporting processes).
5.3. Finance & Audit Committee: As part of its role has oversight of financial risk management at the Polytechnic.
5.4. Chief Executive: is accountable for ensuring a risk management system is established, implemented, and maintained in accordance with the policy. Executive Leadership Team: members are accountable for strategic and operational risk assessment, management, monitoring and reporting areas under their control, including the devolution of the risk management process to operational managers.
5.5. Specific Managerial Roles:
- The Deputy Chief Executive: Corporate Services, will develop and promote risk management within the Polytechnic, and is responsible for the implementation of this policy, maintaining a programme for risk assessment and compiling the governance strategic risk register.
- The Deputy Chief Executive: Corporate Services, will be accountable for the prudent recognition, disclosure, and management of financial and insurance portfolio risks, and will be responsible for providing high quality financial information to senior managers who are responsible for assessing risks in particular contexts.
- The Deputy chief Executive: People, Culture and Safety will be accountable for the prudent recognition disclosure and management of occupational health and safety risks, employment risks, and payroll risks.
- The Chief Information Officer will be accountable for the prudent recognition, disclosure and management of risks associated with the Polytechnic’s information technology, computing systems, plant, buildings, maintenance, building programmes, and use of rooms and physical resources.
- Respective members of the Executive Leadership Team will be accountable for the prudent recognition disclosure and management of risks in their areas of responsibility, particularly of those areas that are peculiar to their areas of responsibility, such as School/College specific academic matters, employment and structural matters, Treaty of Waitangi, and equity risks.
- All other Directors are accountable for the timely and proactive provision of information to allow those responsible for recognising and disclosing risk in particular areas to carry out this task in the most informed way possible.
5.6. Finance, Heads of College and Directors
Heads of College and Directors need to familiarise themselves with this policy so that they can:
- Understand and implement the policy on risk management within their respective areas of responsibility.
- Ensure compliance with risk assessment procedures such as the Internal Audit Programme.
- Embed risk management activities as part of their everyday activities.
6. A governance strategic risk register has been developed and will be reviewed and reported on monthly by portfolio owners and members of the Executive Leadership Team and considered by the Chief Executive and Board.
6.1. In addition, a financial risk register will be completed by the Deputy Chief Executive: Corporate Services and will be reviewed monthly by the Finance and Audit Committee.
7. The Polytechnic will assess risk based on how impact (or consequence) and likelihood ratings apply to each risk. Impact and likelihood are numerically rated from 1-5 as per the following tables.
8. An overall risk rating (Risk Factor RF) will be calculated by multiplying impact rating by likelihood rating. Overall risk ratings are then categorised as low, medium, high, or very high as per the following table.
9. Actions taken will depend on the overall risk rating and need to be in accordance with the risk evaluation table (e.g. very high rated risks require immediate action and low rated risks require noting only).
Risk Evaluation table
10. The Risk Register will include actions to manage the risk through elimination or actions to lesson or minimise the risk where elimination is not possible.
- Legislative Compliance
- Sensitive Expenditure
- Fraud Prevention and Response
- Fraud Prevention and Response - SOP - Fraud Control Plan
- Internal Audit
- Risk Matrix Template