Risk Management

PURPOSE

Risk Management is an essential element to support good management practice and effective corporate governance, as it informs decision-making, improves outcomes, and enhances accountability.

The application of risk management will provide the basis for:

More informed decision making leading to improved confidence and trust in decision making;
Improved identification and exploitation of opportunities and management of threats;
Reduction of the likely impact of identified risk;
A clear understanding by all staff of their roles, responsibilities in the risk management process;
Improved corporate governance; and
A more risk aware organisation.

SCOPE

Risk management will be incorporated into the strategic, program, project, and operational planning processes within HIC.

RESPONSIBILITIES

ROLE	RESPONSIBILITY
Project Manager	Identify the potential events that may have an impact on the organisation’s objectives or on the business as a whole as a result of project activity.

PROCEDURE

Principles

Steps

Identify
1. Identify the potential events that may have an impact on the organisation’s objectives or on the business as a whole as a result of project activity. Risk identification should happen as early as possible in the project life cycle and the process should be reiterated throughout the life cycle as the project progresses.
Assess
1. Quantify impact – Consider that if the risk were to happen how serious the impact would be. It is helpful at this point to consider whether the impact is on time, cost, quality, safety effect on schedule, financial, reputational, number of people affected. Impact should be scored from 1 to 5 based on severity.
2. Quantify probability – Consider how likely the risk is to occur. Probability should also be scored on a scale of 1 to 5 from remote to almost certain.
3. Probability and Impact values are defined in Appendix 1.
Risk appetite
1. The organisation’s risk appetite is shown, using a red line, in Appendix 1.
2. The organisation considers toleration of risks to the lower and left of the define risk appetite. Where a risk is classified above or to the right of the risk appetite the objective is to migrate this to an acceptable level utilising mitigation measures.
3. Where possible other risks should also be managed to as small a measure as possible although this should balance using cost benefit analysis.
4. Red risks are not tolerated and require to be managed to either amber of preferably green level.
Plan
1. For risks which are above the risk appetite, risk treatment should then be planned. There are several ways to treat risks, and these are listed below in order of desirability:
  - Remove – Change specification, alternative approach etc…
  - Transfer – insure against risk occurring, contractual transference
  - Reduce – put procedures in place to reduce likelihood or impact
  - Manage – put contingencies in place
  - Accept –the risk involved is not adequate to warrant the added cost it will take to reduce that risk to below the risk appetite.
Implement
1. Appropriate and cost-efficient actions taken to manage and control risks.
2. Decisions documented and the resulting actions implemented through business-as-usual processes.
Re-evaluate
1. Re-evaluate – Establish whether probability, impact, controls that are in place, mitigation and control maturity are all still applicable or appropriate and within acceptable risk appetite.
2. Re-evaluation should be held to establish the following:
  - Identify which risks have occurred and whether contingencies have been successful.
  - Identify which risks could have occurred but did not.
  - Monitor effectiveness of mitigation on open risks.
  - Review risks that might occur in upcoming period and establish whether mitigation strategy remains appropriate.
  - To go through Risk Management process with any new risks that have been identified.
  - To update risk records

Report and improve
1. Reporting on risk where residual risk exceeds the defined risk appetite will occur at the regular HIC Executive Committee

APPLICABLE REFERENCES

For Definitions see ISMS Glossary

DOCUMENT CONTROLS

Process Manager	Point of Contact

Process Manager	Point of Contact
Jenny Johnston	hicbusiness-support@dundee.ac.uk

Revision Number	Revision Date	Revision Made	Revision By	Revision Category	Approved By	Effective Date

Revision Number	Revision Date	Revision Made	Revision By	Revision Category	Approved By	Effective Date
1.0	01/01/24	Moved SOP to Confluence from SharePoint and updated into new template	Bruce Miller and Symone Sheane	Superficial	Governance Co-Ordinator: Symone Sheane	10/01/24
1.1	04/04/24	Updated Roles and Responsibilities	Bruce Miller	Superficial	Governance Co-Ordinator: Symone Sheane	5/04/24
1.2	10/04/24	Formatted document control table and added in revision category	Symone Sheane	Superficial	Governance Co-Ordinator: Symone Sheane	10/04/24
1.3	19/04/24	Updated Approved by title	Symone Sheane	Superficial	Governance Co-Ordinator: Symone Sheane	19/04/24
1.4	10/04/24	Added in responsibilities section	Symone Sheane	Superficial	Governance Co-Ordinator: Symone Sheane	19/04/24
1.5	30/04/24	Updated Header to conform with BSI guidelines	Bruce Miller	Superficial	Governance Co-Ordinator: Symone	30/04/24
1.6	02/05/24	Updated links to Definitions in ISMS Glossary	Bruce Miller	Superficial	Governance Co-Ordinator: Symone Sheane	18/11/24
1.7	19/11/24	None - Annual Review	Jenny Johnston	N/A	Operational Team Lead: Jenny Johnston	19/11/24

Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within current versioning system
prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.

HIC Policies and Standard Operating Procedures