Risk Management

Owned by Bruce Miller (Staff)
Apr 30, 2024
3 min read

PURPOSE

Risk Management is an essential element to support good management practice and effective corporate governance, as it informs decision-making, improves outcomes, and enhances accountability. 

 

The application of risk management will provide the basis for: 

  • More informed decision making leading to improved confidence and trust in decision making; 

  • Improved identification and exploitation of opportunities and management of threats; 

  • Reduction of the likely impact of identified risk; 

  • A clear understanding by all staff of their roles, responsibilities in the risk management process; 

  • Improved corporate governance; and 

  • A more risk aware organisation. 

SCOPE

Risk management will be incorporated into the strategic, program, project, and operational planning processes within HIC. 

RESPONSIBILITIES

ROLE

RESPONSIBILITY

Project Manager

Identify the potential events that may have an impact on the organisation’s objectives or on the business as a whole as a result of project activity.

PROCEDURE

Principles

RiskMangement 1.1.JPG

Steps

  1.  Identify 

    1. Identify the potential events that may have an impact on the organisation’s objectives or on the business as a whole as a result of project activity. Risk identification should happen as early as possible in the project life cycle and the process should be reiterated throughout the life cycle as the project progresses. 

  2. Assess 

    1. Quantify impact – Consider that if the risk were to happen how serious the impact would be. It is helpful at this point to consider whether the impact is on time, cost, quality, safety effect on schedule, financial, reputational, number of people affected. Impact should be scored from 1 to 5 based on severity.  

    2. Quantify probability – Consider how likely the risk is to occur. Probability should also be scored on a scale of 1 to 5 from remote to almost certain.  

    3. Probability and Impact values are defined in Appendix 1. 

  3. Risk appetite 

    1. The organisation’s risk appetite is shown, using a red line, in Appendix 1.  

    2. The organisation considers toleration of risks to the lower and left of the define risk appetite.  Where a risk is classified above or to the right of the risk appetite the objective is to migrate this to an acceptable level utilising mitigation measures. 

    3. Where possible other risks should also be managed to as small a measure as possible although this should balance using cost benefit analysis. 

    4. Red risks are not tolerated and require to be managed to either amber of preferably green level. 

  4. Plan 

    1. For risks which are above the risk appetite, risk treatment should then be planned. There are several ways to treat risks, and these are listed below in order of desirability:  

      • Remove – Change specification, alternative approach etc…  

      • Transfer – insure against risk occurring, contractual transference  

      • Reduce – put procedures in place to reduce likelihood or impact  

      • Manage – put contingencies in place  

      • Accept –the risk involved is not adequate to warrant the added cost it will take to reduce that risk to below the risk appetite. 

  5. Implement 

    1. Appropriate and cost-efficient actions taken to manage and control risks. 

    2. Decisions documented and the resulting actions implemented through business-as-usual processes. 

  6. Re-evaluate 

    1. Re-evaluate – Establish whether probability, impact, controls that are in place, mitigation and control maturity are all still applicable or appropriate and within acceptable risk appetite. 

    2. Re-evaluation should be held to establish the following:  

      • Identify which risks have occurred and whether contingencies have been successful.  

      • Identify which risks could have occurred but did not.  

      • Monitor effectiveness of mitigation on open risks.  

      • Review risks that might occur in upcoming period and establish whether mitigation strategy remains appropriate.  

      • To go through Risk Management process with any new risks that have been identified.  

      • To update risk records  

  1. Report and improve 

    1. Reporting on risk where residual risk exceeds the defined risk appetite will occur at the regular HIC Executive Committee 

APPLICABLE REFERENCES

RiskMangement 1.2.JPG

  • For Definitions see ISMS Glossary

DOCUMENT CONTROLS

Process Manager

Point of Contact

Process Manager

Point of Contact

Jenny Johnston

hicbusiness-support@dundee.ac.uk

Revision Number

Revision Date

Revision Made

Revision By

Revision Category

Approved By

Effective Date

Revision Number

Revision Date

Revision Made

Revision By

Revision Category

Approved By

Effective Date

1.0

01/01/24

Moved SOP to Confluence from SharePoint and updated into new template

Bruce Miller and Symone Sheane

Superficial

Governance Co-Ordinator: Symone Sheane

10/01/24

1.1

04/04/24

Updated Roles and Responsibilities

Bruce Miller

Superficial

Governance Co-Ordinator: Symone Sheane

5/04/24

1.2

10/04/24

Formatted document control table and added in revision category

Symone Sheane

Superficial

Governance Co-Ordinator: Symone Sheane

10/04/24

1.3

19/04/24

Updated Approved by title

Symone Sheane

Superficial

Governance Co-Ordinator: Symone Sheane

19/04/24

1.4

10/04/24

Added in responsibilities section

Symone Sheane

Superficial

Governance Co-Ordinator: Symone Sheane

19/04/24

1.5

30/04/24

Updated Header to conform with BSI guidelines

Bruce Miller

Superficial

Governance Co-Ordinator: Symone

30/04/24

 

Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within current versioning system
prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.