2. The Risk Response Prioritization Process is used to determine the risk response priority, i.e. where limited funds for mitigating risks should be directed first. To do this, leave the Assessment tab and go to the Prioritization tab.
3. The Risk Response Prioritization Calculation methodology is used to calculate the Mitigated and Residual Risk Score for your risk. The step-by-step process can be followed using Appendix A of the Risk Management Procedure.
5. Next, determine the following parameters:
1. Risk Impact
2. Time to Impact
3. Risk Synergies
4. Scope of Consequences
5. Risk Context
6. Response Feasibility
Options to select for each parameter are available from drop-down menus. These are discussed in more detail in the subsequent slides.
6. 1. Risk Impact:
Strategic: Risks that can affect the greater organization or its long-term objectives. These call for a calculated planning approach that often requires a long-term view of two to three (or more) years and high levels of Sr. Leadership involvement;
Tactical: Risks that affect a smaller portion of the organization over a moderate period of time, or in a broader scope than routine activities. Tactical risks are often addressed by capital projects, new program development, or organizational changes and generally require some level of integrated management effort, often with some level of Sr. Leadership involvement;
Operational: Risks that affect the routine activities of the organization in the near- and medium-term. These risks can often be managed at lower levels of the organization without requiring broad integration of multiple leadership positions. Operational risks usually do not require long-term planning; goals for completion of mitigation efforts seldom extend beyond 12-18 months.
7. 2. Time to Impact:
Define the time it will take for the impact of the risk to start affecting the organization (Note: this is as per your Risk Description).
• Very Fast: Very rapid onset, little or no warning, instantaneous;
• Fast: Onset occurs in a matter of days to a few weeks;
• Medium: Onset occurs in a matter of a few months;
• Slow: Onset occurs in a matter of several months to a year;
• Very Slow: Slow onset, occurs over a year or more.
3. Risk Synergies:
Define the amount of synergy the risk impact will receive from other work groups (High: 5+, Med: 2-4, Low: 0-1 Work Groups affected).
8. 4. Scope of Consequences:
Define how widely the impact will be felt by the organization (Wide: 4-5 Contexts, Medium: 2-3 Contexts, Narrow: 1 Context). Simply count the non-negligible severity ratings in the Assessment tab.
5. Risk Context:
Internal or External (refer to the Initiating Event category in the Assessment tab).
6. Response Feasibility:
Estimated practicability of implementing risk mitigations that will acceptably manage the risk, considering the resources needed (e.g., personnel, funding, technical expertise, etc.).
Very High (days/weeks), High (months), Moderate (months to a year), Low (1-2 years), Very Low (> 2 years).
9. The final steps involve the calculations. The parameter values are multiplied together to give a Mitigated Risk Score and Class. The ERAT does this for you.
We also want to show a Proposed Residual Risk Class. To do this, the sheet takes the Proposed Residual Risk Rank Level you entered on the ERAT Worksheet and uses it to derive a Proposed Residual Risk Score. The sheet then calculates your Residual Score by multiplying the variables together.
10. Note: The Proposed Residual Score is simply a useful tool for the ERM Champion to predict the Scoring and Class expected after work is complete (for "finishing work" assessment). It should be used with caution: as previously noted, the effectiveness of proposed actions can in most instances only be verified after they have been implemented and tested.
11. NOTE: The Risk Priority Class for both Existing Mitigated and
Proposed Residual Risks is automatically calculated by the
ERAT. The Risk Priority Class serves only as the initial basis
for assigning a ranked priority to a risk.
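The following is an added worked example, not ERAT's own code: it classifies raw inputs into the six prioritization parameters using the category thresholds stated on the preceding slides (onset time, number of work groups, number of non-negligible contexts, implementation time) and multiplies them into a score and class, as the calculation slide describes. The ordinal weights, the class bands and the "more feasible = higher weight" direction are assumptions made for illustration; the two risk states at the bottom are constructed sample inputs.

```python
from dataclasses import dataclass
# Assumed ordinal weights and class bands for illustration; ERAT's own values are not on the page.
IMPACT = {"Operational": 1, "Tactical": 2, "Strategic": 3}
CONTEXT = {"Internal": 1, "External": 2}
CLASS_BANDS = ((300, "Class 1"), (100, "Class 2"), (30, "Class 3"), (0, "Class 4"))

def time_to_impact(onset_days: float) -> tuple[str, int]:
    """Time to Impact category from onset time; thresholds paraphrase the slide's definitions."""
    if onset_days < 1:    return "Very Fast", 5   # little or no warning, instantaneous
    if onset_days <= 21:  return "Fast", 4        # days to a few weeks
    if onset_days <= 120: return "Medium", 3      # a few months
    if onset_days <= 365: return "Slow", 2        # several months to a year
    return "Very Slow", 1                         # a year or more

def risk_synergies(work_groups: int) -> tuple[str, int]:
    """High: 5+, Med: 2-4, Low: 0-1 work groups affected."""
    return ("High", 3) if work_groups >= 5 else ("Med", 2) if work_groups >= 2 else ("Low", 1)

def scope_of_consequences(contexts: int) -> tuple[str, int]:
    """Wide: 4-5, Medium: 2-3, Narrow: 1 non-negligible context from the Assessment tab."""
    return ("Wide", 3) if contexts >= 4 else ("Medium", 2) if contexts >= 2 else ("Narrow", 1)

def response_feasibility(months: float) -> tuple[str, int]:
    """Very High (days/weeks) down to Very Low (> 2 years); more feasible = higher weight (assumed)."""
    if months < 1:   return "Very High", 5
    if months <= 3:  return "High", 4
    if months <= 12: return "Moderate", 3
    if months <= 24: return "Low", 2
    return "Very Low", 1

@dataclass
class RiskInputs:
    impact: str            # Strategic / Tactical / Operational
    onset_days: float      # time until the described impact starts
    work_groups: int       # other work groups affected
    contexts: int          # non-negligible severity ratings in the Assessment tab
    context: str           # Internal / External (Initiating Event category)
    months_to_mitigate: float

def prioritize(r: RiskInputs) -> tuple[int, str]:
    """Multiply the six parameter weights, as the slide describes, and band the score into a class."""
    score = (IMPACT[r.impact] * time_to_impact(r.onset_days)[1] * risk_synergies(r.work_groups)[1]
             * scope_of_consequences(r.contexts)[1] * CONTEXT[r.context]
             * response_feasibility(r.months_to_mitigate)[1])
    return score, next(label for floor, label in CLASS_BANDS if score >= floor)

if __name__ == "__main__":
    mitigated = RiskInputs("Tactical", 10, 3, 4, "External", 2)    # constructed: current mitigated state
    residual = RiskInputs("Operational", 200, 1, 1, "External", 2) # constructed: proposed residual state
    print("Mitigated:", prioritize(mitigated), "Proposed residual:", prioritize(residual))
```

Running the two constructed states side by side shows how completing the proposed mitigations moves the risk from the top class to the bottom one under these assumed bands.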
13. Prioritized Risk Governance
Once the Work Group Registers are complete, the Champion will need to:
1. Determine funding required for future mitigations and
ensure these are documented in the Proposed Risk
Mitigations description.
2. Await feedback from OREC and EREC Committees while
you proceed forward with WG risk reduction plans.
3. Update the Assessment and Prioritization tabs as new
information becomes available or actions are completed.
4. Once all Proposed Mitigations are completed, the risk may
now be in a position to be closed.
15. Closing Risks
Once all Proposed Mitigating Actions have been completed, the risk should be re-assessed to determine if the Mitigated Risk level is tolerable. In practice this means a risk rank of 2 or 1, though a risk rank of 2* or higher may be accepted if it is demonstrated that the risk is ALARP (As Low As Reasonably Practicable).
16. Closing Risks
To confirm the Mitigated risk level, move all Completed Proposed Mitigations to the Existing Mitigations section and assess and rate each mitigation measure.
17. Closing Risks
If the new Mitigated Risk rank is tolerable and all proposed mitigations have been completed, the risk may then be closed.
If not, add additional Proposed Mitigations to further lower the risk.
18. Closing Risks
To close a risk, select the Closure tab in ERAT. Any closure comments may be added.
Note that Tactical and Enterprise risks will need ERM Manager approval for closure, while Work Group level risks will only need the WG Supervisor's approval.
To check the risk category, refer to the Prioritization tab, under the Prioritization Details section.
19. Closing Risks
Closed risks do not disappear, but are merely archived and can be referred to as required. They may even be re-opened if necessary. To do this, consult with the ERM Manager.
21. In line with the ERM Calendar communicated by the ERM Manager each year, the WG Risk Champion shall provide updated and prioritized risks in ERAT, including mitigations selected for funding, to the ERM Manager.
The updated ERAT register will be the formal documentation repository for your WG Risks.
To facilitate this, a new Risk Identification Sheet will need to be created by the WG Champion for that year, and the ERM Manager will reset all 'Open' risks to 'Assessment' status.
Both newly identified credible risks and existing risks from previous years will need to move to 'Open' status. Risks that are ready to be Closed can also be Closed at this time.
'Open' risks from previous years will be reset to 'Assessment' status and should be moved back down to 'Open' status.
'New' risks must also be identified in the Risk ID form and then Screened, Assessed and Prioritized to 'Open' status.
23. Schedule as published in the Risk Management Procedure, App. II. Note this is indicative and will be confirmed each year by the ERM Manager.
24. Activity / Time Period
Enterprise Risk Register developed (after EREC reviews): prior to 30th April
Budget cycles completed: CAPEX before end of March (*check); OPEX before mid July
Final ERM Cycle Annual Report issued by ERM Manager: prior to end of July
Cycle begins again with 3rd Quarter reminder to Work Groups.
26. Each Work Group has prioritized risks to manage on an on-going basis.
◦ Risk is reduced as a continual effort of the group.
Some work group risks get moved to a higher level of Risk
(Tactical) for the site leadership to manage.
◦ Risk is managed where it needs to be managed.
Some Work Group Risks/Operational Risks get moved to an
Enterprise Risk level.
◦ True risks to the company are filtered upward for appropriate
oversight.
Risks and resources necessary for mitigation are managed
in the capital/expense budget planning process.
◦ “Risk Management” becomes an identifiable part of the
standard business control processes.
27. ERM is about taking the time to identify and analyze the top business-critical risks and then communicating them through the organization to ensure that each is appropriately monitored and mitigated.