Risk Management
PURPOSE
Risk Management is an essential element to support good management practice and effective corporate governance, as it informs decision-making, improves outcomes, and enhances accountability.
The application of risk management will provide the basis for:
More informed decision making leading to improved confidence and trust in decision making;
Improved identification and exploitation of opportunities and management of threats;
Reduction of the likely impact of identified risk;
A clear understanding by all staff of their roles and responsibilities in the risk management process;
Improved corporate governance; and
A more risk aware organisation.
SCOPE
Risk management will be incorporated into the strategic, program, project, and operational planning processes within HIC.
RESPONSIBILITIES
ROLE | RESPONSIBILITY |
---|---|
Project Manager | Identify the potential events that may have an impact on the organisation’s objectives or on the business as a whole as a result of project activity. |
PROCEDURE
Principles
Steps
Identify
Identify the potential events that may have an impact on the organisation’s objectives or on the business as a whole as a result of project activity. Risk identification should happen as early as possible in the project life cycle and the process should be reiterated throughout the life cycle as the project progresses.
Assess
Quantify impact – Consider how serious the impact would be if the risk were to happen. It is helpful at this point to consider whether the impact is on time, cost, quality or safety, its effect on schedule, financial or reputational consequences, and the number of people affected. Impact should be scored from 1 to 5 based on severity.
Quantify probability – Consider how likely the risk is to occur. Probability should also be scored on a scale of 1 to 5, from remote to almost certain.
Probability and Impact values are defined in Appendix 1.
Risk appetite
The organisation’s risk appetite is shown, using a red line, in Appendix 1.
The organisation tolerates risks that fall below and to the left of the defined risk appetite. Where a risk is classified above or to the right of the risk appetite, the objective is to bring it down to an acceptable level using mitigation measures.
Where possible, other risks should also be managed to as low a level as possible, although this should be balanced using cost-benefit analysis.
Red risks are not tolerated and must be managed to amber or, preferably, green level.
Plan
For risks which are above the risk appetite, risk treatment should then be planned. There are several ways to treat risks, and these are listed below in order of desirability:
Remove – change the specification, take an alternative approach, etc.
Transfer – insure against the risk occurring, or transfer it contractually
Reduce – put procedures in place to reduce likelihood or impact
Manage – put contingencies in place
Accept – the risk involved is not sufficient to warrant the added cost it would take to reduce that risk to below the risk appetite
Implement
Appropriate and cost-efficient actions are taken to manage and control risks.
Decisions are documented and the resulting actions implemented through business-as-usual processes.
Re-evaluate
Re-evaluate – establish whether the probability, impact, controls in place, mitigation and control maturity are all still applicable or appropriate, and whether the risk remains within the acceptable risk appetite.
Re-evaluation should be held to establish the following:
Identify which risks have occurred and whether contingencies have been successful.
Identify which risks could have occurred but did not.
Monitor the effectiveness of mitigation on open risks.
Review risks that might occur in the upcoming period and establish whether the mitigation strategy remains appropriate.
Take any newly identified risks through the Risk Management process.
Update risk records.
Report and improve
Reporting on risks where the residual risk exceeds the defined risk appetite will occur at the regular HIC Executive Committee.
APPLICABLE REFERENCES
For Definitions see ISMS Glossary
DOCUMENT CONTROLS
Process Manager | Point of Contact |
---|---|
Jenny Johnston | |
Revision Number | Revision Date | Revision Made | Revision By | Revision Category | Approved By | Effective Date |
---|---|---|---|---|---|---|
1.0 | 01/01/24 | Moved SOP to Confluence from SharePoint and updated into new template | Bruce Miller and Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 10/01/24 |
1.1 | 04/04/24 | Updated Roles and Responsibilities | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 5/04/24 |
1.2 | 10/04/24 | Formatted document control table and added in revision category | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 10/04/24 |
1.3 | 19/04/24 | Updated Approved by title | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 19/04/24 |
1.4 | 10/04/24 | Added in responsibilities section | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 19/04/24 |
1.5 | 30/04/24 | Updated Header to conform with BSI guidelines | Bruce Miller | Superficial | Governance Co-Ordinator: Symone | 30/04/24 |
1.6 | 02/05/24 | Updated links to Definitions in ISMS Glossary | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 18/11/24 |
1.7 | 19/11/24 | None - Annual Review | Jenny Johnston | N/A | Operational Team Lead: Jenny Johnston | 19/11/24 |
Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within the current versioning system prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.