Scribd
Upload
16 views

How To Perform Operational Risk Assessments

Ttt

Uploaded by

Mohamed Achour
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
16 views

How To Perform Operational Risk Assessments

Ttt

Uploaded by

Mohamed Achour
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

How to Perform Operational Risk Assessments

A. Purpose of this risk assessment


The Office of Audit & Risk Assessment assists Western Sydney University (WSU) units and projects in establishing or updating their operational risk
registers (Register). This risk assessment exercise can help identify high or other significant risk areas of the units or projects as well as any University's
key operations that could impede the functioning of the business units and projects or endanger the achievement of overall strategic objectives of the
University or the business unit objectives. We focus on those risks that impact the operational units' or projects' business and strategic objectives derived
from the University's "SUSTAINING SUCCESS 2021 - 2026" Strategic Framework.
The Register is designed to obtain your input with minimum effort to conduct a risk self-assessment for your unit or project. The summarised results may
supplement the risk assessment workshops or individual discussions in the later stages. If there are confidential matters that you wish to raise and you do
not wish to record them in the Register, then please communicate directly with Aman Chand, Office of Audit & Risk Assessment (mobile 0404-010-116 or
at aman.chand@westernsydney.edu.au).

B. How to complete the Operational Risk Register?


Fill in the WSU Operational Risk Register in accordance with this guideline and the examples provided. If you are unsure how to respond to a question,
please contact the Office of Audit and Risk Assessment.

C. Risk Assessment
1. Identifying business objectives and risks
Question 1: If we think of risk as a future event or development that could stop or impede your unit or project from achieving
its objectives, what are these matters that concern you the most and what are the possible consequences or impacts if these
events occur to your unit or project and the University?
When formulating your response (put your responses into columns B to H of the Register (Excel worksheet) accordingly) to this question, you may
wish to consider the following:

1
• The objectives of your unit's operational plan that have been or will be impacted by the risks raised (list the associated objectives in column
B)

• Any events or uncertainties that may impact your unit or project from achieving its objectives (Describe the risk in column F, put a short title of
this risk in column E and the consequences or impact of the risk on your unit or project in column H)

• The classification of risks into broad categories (i.e. grouping risks into their risk source in column G) such as:

Political circumstances Infrastructure (facilities and utilities) Academic (research activities)


Reputation (international/local) Legal relationships and contractual risks Academic (course load/ logistics- program
delivery)
Technology and information management Environmental (WH&S, pollution etc) Academic (course curriculum/ quality
assurance)
Organisational (management controls & Legislation and public policy International (overseas programs &
culture) activities)
Behaviour (risk perceptions & responses, Financial and commercial risks Others
corrupt conduct, criminal activities of individuals
etc.)

If you think the risk identified does not fall into these categories, please state the new category in the "others" option from t he list and type the
new
category in the "Description of Risk (D)" column.

2. Assessing risk
Question 2: What do you think the level of risk is for each risk issue identified?
When assessing risk, it is useful to think of risk in terms of the likelihood (probability) of an event occurring and the impact (consequence) that event
will have on your unit or project (refer Likelihood and Impact Rating Scale tag of the Register)
People usually express "assessed risk" as high, moderate or low.
For examples:
• The likelihood of losing all government funding for the University is unlikely (rating= 2) but the impact on income would be catastrophic
(rating= 5). Assessed overall risk might therefore be "moderate" (overall rating=10, please refer to the scale provided).

• The likelihood of negative impact to the University's reputation of closing down its off shore programs is a likely risk (rating= 4) and the
impact on reputation major (rating=4). Assessed overall risk might therefore be "high" (overall rating= 16).

2
Inherent Risk Assessment (for column I to L)

The inherent risk level for the risk issues raised in column F is assessed without considering existing controls (i.e. management strategies, checks &
balances, policies & procedures, etc.). Only the inherent risk (i.e. natural risk inherent in a process or activity without any application of controls to
reduce likelihood and impact) of the issue is assessed using the risk rating scale provided.

Likelihood X Impact = Assessed Risk (Inherent Risk Rating)


For each of the risk issues you identified in Question 1, please consider the likelihood (probability) and the impact (consequence) that each risk
issue could have on your unit or project (before considering the existing controls in place) and record the "assessed risk level" on the Register (column
I & J) accordingly by using the rating scale 1 – 5 for your assessment. The corresponding inherent risk level will automatically be calculated on the
Register.

Residual Risk Assessment (for columns M to Q)

After you have assessed the inherent risk level, state briefly (in column M) if any strategies/controls are already in place to mitigate the corresponding
risks, you then assess the risk issues again by considering the existing controls' effectiveness to arrive at their residual risk level using the scale given.

Likelihood X Impact = Assessed Risk (Residual Risk Rating)


Revise the likelihood (probability) and the impact (consequence) by taking into account the existing controls in place and record the "assessed
risk level" on the Register (columns N & O) accordingly by using the rating scale 1 – 5 for your assessment. The corresponding overall residual risk
level will automatically be calculated on the Register.

3
3. Managing risk
Question 3: What can we do about the risks identified?

The Operational Risk Register allows management staff to manage and monitor the known risks recorded. Suppose individual risk identified and
consolidated in the Register has a residual risk level (assessed in column Q) that is still unacceptable or can be further mitigated. In that case,
additional mitigation actions and control strategies can be proposed and implemented to mitigate the risk (Refer to columns R to U).

• Risk can be managed in a variety of ways. For example, it can be avoided altogether by ceasing to engage in an activity.
• Risk can also be transferred to or shared with somebody else, i.e. through an insurance policy or service contract.
• Most organisations also try to limit or control risk (i.e. via checks and balances over financial transactions or governance processes –
management oversight, policies and procedures) to reduce its likelihood and impact on their operations.

For the risks you identified in Question 1, could you please indicate in the Register what additional management strategies and actions are planned or
proposed to be put into place (column R) to address these risks (if any) and suggest who should be responsible for implementing these strategies and
actions (column T) as well as who is the accountable executive (column U) accordingly.

Please do not spend much time preparing a detailed response to this question – a broad outline/ brief description of how risk is being managed for
each issue will be sufficient at this stage.

4. Post Mitigation Risk Assessment


Question 4
After the additional mitigation actions and control strategies have been implemented and completed, what is the final residual risk rating?

4
We must evaluate the effectiveness of the additional management strategies and mitigation actions applied to risks to ensure that risk issues have been
satisfactorily addressed and managed (refer to columns V to Y). We should also consider escalating particular risks to a higher authority if
additional treatments have failed to bring the risk rating down to an acceptable or comfortable level.

Likelihood X Impact = Assessed Risk (Post Mitigation Residual Risk Rating)


Update the likelihood (probability) and the impact (consequence) after the proposed additional treatment actions or strategies have been
performed and completed. Record the "assessed risk level" on the Register (columns V & W) accordingly by using the rating scale 1 – 5 (refer to
the Likelihood and Impact Rating Scale tag) for your assessment. The corresponding post-mitigation residual risk level will automatically be
calculated on the Register.

You may monitor the progress of the mitigation actions regularly (please provide updates and comments on column Z) to ensure the treatment
strategy has been properly carried out as planned and all stakeholders are informed of the current status of the risk.
---------- End ----------

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy