1. A PRESENTATION ON FIJI NATIONAL UNIVERSITY 1 Mr. Amitesh Prasad Manager Risk and Insurance

2. Introduction 2  FNU - was formed in 2010 by the Government of Fiji.  In 5 yrs - established as the Nation’s premier national  university offering higher education as well as vocational education and training.  The University considers risk management as a comprehensive process integrating concepts of strategic planning, operations management and internal control.  The University’s Mission, Strategies and Objectives’, is committed to managing risk to maximize opportunities and minimize setbacks.  FNU recognizes the importance of risk management and strongly believes an effective management of risks among the campuses, managed on enterprise - wide bases, will assist establishing strategic priorities and goals directly linked to the FNU objectives..

3. 3 Scope of Risk Management Framework  The framework defines FNU’s risk management process methodology, appetite, training and reporting, and also establishes the responsibilities for implementation.  Aim - to ensure organisational capabilities and resources are employed in an efficient and effective manner to manage both opportunities and threats.

4. 4 Objectives of Risk Management Framework To provide a formal process to assist the University in: 1) Encouraging understanding by managers and their staff of the implications of risk exposures, opportunities and their risk management, in their day-to-day work and in strategic and operational planning activities; 2)Developing and implementing procedures to ensure that risk are identified, assessed against accepted criteria and that appropriate measures are implemented; 3)Defining and documenting responsibilities and processes.

5. Why is Risk Management Important? 5  Risk influences every aspect of the operations at the University.  Managing risks appropriately will enhance our ability to make better decisions, safeguard our assets enhance our ability to provide services to our students as well as achieve our University mission and goals.

6. 6 An effective Risk Management Framework provides organisational resilience, confidence and benefits, including:  Provides a rigorous decision-making and planning process;  Provides flexibility to respond to unexpected threats;  Takes advantage of opportunities and provides competitive advantage;  Equips managers with tools to anticipate changes and threats faced by University and to allocate appropriate resources;  stakeholders  Enables better business resilience and compliance management.

7. 7 Benefits of implementing risk management are:  Reduces surprises (Improve control of adverse events, take action).  Exploitation of opportunities (Seek opportunity).  Improved planning, performance, effectiveness and utilization of resources.  Positive effect on ‘Reputation’ (Attracts -Investors, Students, Staff).  Accountability, assurance and governance (Maintain integrity and confidence).  Documentation for Legal actions, Government Enquiries.

8. 8 What is risk?  Risk is defined as an event that may have an impact on the achievement of the University’s objectives.  Risk may arise from 2 sources which are:  External factors (e.g. risk from impact on the Global economic crisis, change in student demographics and numbers, changing legislation)  Internal sources (e.g. New projects, new faculty, infrastructure and capacity challenges, performances, etc.).

9. Risk appetite 9 Risk appetite is the amount of risk, on a broad level, that FNU is willing to accept in pursuit of value, and should reflect:  Risk management philosophy per location project, process, etc;  Capacity to take on risk;  The University objectives, risk plans and respective stakeholder demands;  Evolving industry and market conditions; and  Tolerance for failures with quantitative values, where applicable.

10. 10 Risk Management Methodology – Standard: ISO31000:2009,as shown below

11. 11 RISK MANAGEMENT PROCESS  Communication and Consultation Communication and consultation are critical considerations at each step of the risk management process improving the level of understanding and treating risks.  Identifies ‘Who’ should be involved in the ‘Risk assessment process’  How much: Depends on how complex or significant the activity is.  Delivered by: Plans, Workshops, presentations, Risk Progress Reports, etc.  Regular communication assists create a risk management culture.

12. ESTABLISH CONTEXT 1  The context provides an understanding of the organisation its capability and goals, objectives and strategies.  Establishing the Universities context defines the basic parameters within which risks must be managed and sets the scope for the rest of the risk management process  To identify FNU’s risk context were identified from the strategic Plan 2020 and therefore it is proposed that these be managed on an ‘Enterprise- wide basis’.  Within this master category, risks were classified and the University will focus on the following three main Groups: 12 StrategicFinancialOperations

13. Examples –Relation between Grouping and Risk Area/Description 13 Master Category Risk GroupingRisk Name /AreaRisk Description EnterpriseStrategicBusiness PlanningLong term plan for Financial and Business goals EnterpriseFinancialBudget Implementation Budget development process is effective EnterpriseOperationsIT InfrastructureAdequate IT infrastructure and planning in place

14. IDENTIFY RISKS  It is important to identify all the risks that have a potential effect on the University’s ability to meet its objectives/goals.  Questions to generate a comprehensive list of potential sources of risk and possible causes/scenarios are:  What can happen? Where and when?  Why and how can it happen?  Define the types of risk  Methods – These risks can be identified via checklists, based on experience, process analysis, brainstorming, flow charts, audits & inspections, surveys etc. 14

15. HOW DOES THE UNIVERSITY IDENTIFY RISKS ? Risk can be identified through the use of:  Focus groups (using brainstorming approaches, SWOT analysis techniques, project categories, or broad business categories);  Workshops;  Interviews with respective management; and  The intranet is also a means of reporting incidents or risks to the Risk Administrator for consideration. 15

16. CON’T 16 Categories of risk used to enable appropriate aggregation are: StudentsInformation and communication technology FinancialLegal and Regulatory Compliance OperationalOrganisational effectiveness EnvironmentalReputation & Corporate Social Responsibility Workplace Health & SafetyProjects

17. ANALYSE RISKS  Risk Analysis is developing an understanding of the risk and assists deciding on the best approach to ensure the highest risks can be identified and prioritised.  Objective of this step are as follows:  Gather data for the evaluation and treatment steps.  Outcome will be the initial list of risks.  Analyse is in terms of likelihood, and consequence after considering the effect of the existing controls and how effective are this existing controls.  Are there adequate systems, policies, procedures, delegations, monitoring in place to support controls?  Do controls represent ‘Good Practice’ and minimising exposure to risks?  Are controls reviewed and maintained? Are the controls easy to use?  Are stakeholders aware of the controls and is adequate training/supervision available? 17

18. DETERMINATION OF LEVEL OF RISK  Using the Consequence and Likelihood table - risk administrator could identify the best description of the risk after controls are in place.  Secondly, risk calculation via matching the Consequence and Likelihood ratings on the risk matrix is undertaken. 18 Consequences LikelihoodInsignificantMinorModerateMajorCatastrophic Almost certain High – H1High – H3Extreme –E1Extreme –E4Extreme –E8 LikelyMedium –M1High – H2High – H5Extreme – E3 Extreme –E7 PossibleLow – L3Medium –M2High – H4Extreme –E2Extreme –E6 UnlikelyLow – L2Low – L5Medium – M3 High – H7Extreme –E5 RareLow – L1Low – L4Medium – M4 High – H6High – H8

19. 19 PRIORITISING RISKS The purpose of prioritising the risk is to determine the level of action needed for the identified and assessed risks. Risk ScoreWhat Should I do? 9-10ExtremeImmediate action required 7-8HighAction plan required, senior management attention needed 5-6MediumSpecific monitoring or procedures required, management responsibility must be specified 2-4LowManage through routine procedures.

20. 20 THE RISK REGISTER The Risk Management Register contains the following information:  Risk Rating / risk score identifying the severity of the risk  Reference Category (Strategic/Operational/Financial)  Risk description and Risk example  Potential consequence(s) of the risk  FNU’s Core Strategic Area(s) at threat  Control Statement  Accountable / Responsible  Timescales for the implementation of action plans

21. The key risk evaluation steps are as follows:  Determine low risks (acceptable) from more serious risks (not acceptable).  Compare estimated levels of risk against the pre-established criteria.  In general, the management priorities and the balance between potential benefits and adverse outcomes will have the highest impact on the risk priority.  Based on the outcomes of the risk analysis, decide how to treat the risk.  Acceptable risk would be low risks with adequate controls in place and may require only to be monitored/reviewed to ensure the risk remain acceptable.  Unacceptable risks do not have adequate controls and will be prioritized for further action such as: Develop a treatment plan or Review the treatment plan to ensure controls are appropriate to manage the identified risk.  Result will be a prioritized list or risks which need to be managed. 21 RISK EVALUATION

22.  The objective of this step is to identify how the identified risks will be treated.  Risk treatment involves identifying the options for treating each risk, evaluating those options, assigning accountability (for Extreme, High and Moderate residual risks) and taking relevant action. 22 RISK TREATMENT

23. Avoid the riskNot to proceed with the activity or choosing an alternative approach to achieve the same outcome. Aim is risk management, not aversion. MitigateReduce the consequences – putting in place strategies to minimize adverse consequences, e.g. contingency planning, Business Continuity Plan, liability cover in contracts. Transfer the riskShifting responsibility for a risk to another party by contract or insurance. Accept the riskControls are deemed appropriate. These must be monitored and contingency plans developed where appropriate. 23 Risk Treatment Con’t

24. Systems to monitor/review risks and the risk management process steps require careful selection, targeting and planning. Priority should be given to monitoring:  High risks.  Credible failure of treatment strategies, especially where this would result in high, or frequent, consequences.  Risk-related activities that feature high incidence of change.  Risk tolerance criteria especially where this results in high risk levels.  Technological advances that may offer more effective or lower cost alternatives to current risk treatment. 24 MONITOR AND REVIEW

25. In general terms, monitoring and review practices will be one of the following types (and is recommended should include all three):  Continuous monitoring through routinely measuring or checking particular parameters (for example cash flows).  Periodic review involves investigation of the current situation, usually with a specific focus.  Line management reviews of risks and their treatments which are often selective in scope but typically routine and regular. 25 MONITOR AND REVIEW CON’T

26. 26 Risk Reporting  Documentation of risk management plans is designed to be brief, but with sufficient, key controls and rationale for mitigation strategies. Finance Resource Committee reporting  Key operational risks are discussed at Group and Divisional management meetings on a quarterly basis. The Risk Administrator develops a 6 monthly report.  More frequent reporting against high level risks occurs as deemed necessary, including direct reporting by the manager accountable.

27. 27 The Faculty and Department level risks are collated by the Risk Administrator, and presented to the Finance and Resources Committee. This report will include:  Risk register of top 10 corporate risks;  Executive summary of key changes in risk profile and appetite; and  Commentary on significant residual risks. Risk Reporting Con’t

28. LIKELIHOOD RATING The number of times within a specified period in which a risk may occur either as a consequences of business operations or through failure of operating systems, policies and procedures. 28 RatingDescriptionOccurrenceProbability Almost certain Expected to occur in most circumstance Multiple / 12 months >80% LikelyWill probably occur in most circumstance Once / 12 months 61 - 80% PossibleMight occur within a 5 year time period Once / 12 months - 5 yrs 41 - 60% UnlikelyCould occur during a specified time period Once / 5 -10 yrs21 – 40% RareMay only occur in exceptional circumstance Once / > 10 yrs<20%

29. 29 Consequence Table

30. 30

31. 31 Table of Control levels

32. 32 Risk Register Template

33. 33 Risks and Mitigation Strategies

34. 34

35. 35

36. 36

37. 37

38. 38 THANK YOU