Recording and scoring of risks
It is important that we have a common vocabulary and methodology for evaluating risk. A definition of terms follows below and a prescriptive scoring methodology is provided.
"The threat or possibility that an action or event will adversely or beneficially affect an organisation's ability to achieve its objectives." (HEFCE, 2001)
Risk = Likelihood × Impact
Both Likelihood and Impact are scored on a scale of 1-5.
The maximum risk score is therefore 25.
The level of risk faced by an organisation before any internal controls are applied.
The level of risk faced by an organisation after internal controls have been applied.
The processes, policies and procedures used to govern the University's work or any additional controls or mitigating actions taken to deal with a particular situation. A judgement has to be made by the risk owner as to the numerical reduction to the raw risk score to produce the net risk score.
A named individual staff member, who is closely involved with the risk, is able to monitor it, initiate action if the risk becomes more serious, or escalate to senior management if necessary.
The amount of risk an organisation is prepared to tolerate before action is required. The concept of risk tolerance is best represented graphically (see Table 1: Risk Assessment Model). Risks beyond the tolerance line require particularly close scrutiny.
Provide the risk owner with early warning that action may be required to mitigate that risk through stronger control measures or, if it is outside the University's control, to be aware of it and monitor it closely.
Likelihood is the probability of an occurrence, considering the control measures that you have in place. For consistency, it is suggested that this is the probability of occurrence within five years.
Your assessment of probability should depend on factors such as past history, current circumstances and the nature of controls in place. The following descriptors are recommended:
|1||Rare. 0-5% Extremely unlikely or virtually impossible|
|2||Possible. 6-20% Low but not impossible|
|3||Likely. 21-50% Fairly likely to occur|
|4||Very likely. More likely to occur than not|
|5||Almost certain. >80% Almost certainly will occur|
Impact should be considered from the perspective of your School. Your assessment should follow the guidance below.
|1||Financial net impact of less than 1% of turnover. No other significant impacts.|
|2||Financial net impact of 1-2% of turnover. No regulatory consequences. Adverse publicity locally or in THES.|
|3||Financial net impact of 3-5% of turnover. Addressable regulatory consequences. Adverse publicity in national papers.|
|4||Financial net impact of 6-20% of turnover. Substantial regulatory consequences. Major negative sanction by HEFCE. Major international adverse publicity. Death of an individual or several major injuries.|
|5||University forced to cease business or loss of a substantial part of the University (net > 20% turnover). Multiple major injuries or deaths.|