
RISK MANAGEMENT POLICY AND FRAMEWORK 2019

DEFINITION OF TERMS
The following definitions apply for the purpose of interpreting this Policy:

TERM: DEFINITION
Commercial Risk: Risk associated with the failure of a business contract or business relationship.
Compliance Risk: Risk associated with failing to meet statutory obligations.
Consequence: The impact on the College should an event occur.
Contractor: An independent entity that agrees to furnish a certain number or quantity of goods, material, equipment, personnel, and/or services that meet or exceed stated requirements or specifications, at a mutually agreed upon price and within a specified timeframe.
Employee: Includes all permanent and temporary employees of the College within the meaning of the Industrial Relations Act 1996 and includes the Rector.
Financial & Systems Risk: Risk posed to the College’s financial systems and controls, such as fraud.
Hazard: A source of potential harm or a situation with a potential to cause injury, damage or loss.
Likelihood: The probability of an event occurring.
Monitor: To check, supervise, observe critically, or record the progress of an activity, action or system on a regular basis in order to identify change.
Operational Risk: Risk that hampers or affects an individual Division, Department, Service Unit or area of the College.
Risk: The chance of an event occurring that will have an adverse effect on business objectives. It is measured in terms of consequences and likelihood. The consequent liability is usually measured in financial terms, but may involve bodily injury, financial loss or property damage.
Risk Analysis: A systematic use of available information to determine how often specified events may occur and the magnitude of their consequences.
Risk Appetite: The amount and type of risk that an organisation is willing to take in order to meet its strategic objectives. Risk Appetite is best described as an organisation’s pursuit of risk or its willingness to take risks as opposed to avoiding them.
Risk Assessment: The overall process of risk analysis and risk evaluation.
Risk Control: The part of risk treatment that involves the implementation of policies, standards, procedures and physical changes to things, work processes or systems of work to eliminate or minimise the impact of the risk.
Risk Evaluation: The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.
Risk Identification: The process of determining what can happen, why and how.
Risk Management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.
Risk Management Process: The systematic application of policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.
Risk Management Team: Comprises the Risk Management Coordinator and Risk Champions.
Risk Minimisation: A selective application of appropriate control measures, techniques and management principles to reduce either the likelihood of an occurrence or its consequences, or both.
Risk Rating: The level of severity applied to a risk based upon its impact to the organisation.
Risk Tolerance: The level of risk that the College is prepared to accept before action is deemed necessary to reduce it; it represents a balance between the potential benefits of calculated risk and the threats that it inevitably brings.
Risk to Public: Those risks that are created by the activities, actions or inactions of the College in the delivery of services or works in the public space that may result in bodily harm or damage to property.
Strategic Risk: Risk that affects or hampers, across the College, its ability to operate or deliver its policy, strategy or services.
Technical Risk: Risk associated with failed equipment (tangible or intangible) and with managing assets.


CHAPTER ONE

1. Introduction
This section provides the background on the policy, establishment of the College, its functions, vision,
mission, core values, purpose, scope of applicability, benefits of risk management and rationale for
adoption of Risk Management.

2.0 Background

1.1 The Risk Management Framework

The College’s Risk Management Policy is intended for use by the College community to ensure
consistent application of risk management processes to the wide range of activities undertaken by the
College.

The Risk Management framework brings together information on policies, accountabilities, roles and
responsibilities for all those involved in risk management. The Framework provides a structured
approach to the management of risks that are likely to adversely impact on the performance and
continued growth of the College. The analysis, evaluation and mitigation strategies of risks will
enable the achievement of the College’s strategic objectives.

The College’s risk management framework is based on the Guidelines for Risk Management in Public
Sector of 2012 and the International Organization for Standardization’s (ISO) Risk Management
Standard ISO 31000:2009 as revised in 2018, which provides a rigorous approach in communicating,
consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and
reviewing risk. The strategic planning process is integral to identifying, communicating and focusing
on those factors that are critical to the College achieving its fundamental purpose.

In managing the various facets of risk, the College will apply the principles and standards set
out in the policy consistently and effectively.

The management of risk is recognised as an integral part of good management practice. Effective
risk management supports informed decision-making and encourages the identification of
opportunities for continuous improvement. Risk management is no longer accepted as only a
process of good operating standards but rather as a critical element of sound governance across an
organisation.


This Policy and procedure formalises and details the College’s approach to organisational risk
management, and provides a framework for performing risk identification, assessment and
minimisation practices across the organisation.

In managing the various facets of risk, the College will apply the principles and standards set
out in the framework consistently and effectively.

1.2 The College

The College was established by Act of Parliament No. 8 of 1964 (The College of African Wildlife
Management Act). The Act provides for the creation of the Governing Body that is responsible for
control and administration of the College’s Vision, Mission and Core objectives.

1.3 Vision

CAWM’s vision is to become a center of excellence for professional and technical training in
addressing the challenges of wildlife sustainability in Africa.

1.4 Mission

To provide the highest standards of technical training by engaging a global community and
undertaking relevant research and consultancies in order to meet the needs of wildlife and tourism
management in Africa.

1.5 Core Values

The operationalisation of the College vision and mission is guided by the following values:
(i) Effective and efficient services; the College is committed to increasing quality of products
and services while minimizing the operation cost;
(ii) Conservation principles; the College is committed to adhere to the conservation principles
and legislations;
(iii) Sustainable tourism principles; the College is committed to adhere to the tourism principles
and legislations;
(iv) Professionalism; the College is committed to adhering to professionalism in all activities;
(v) Client oriented; the College is committed to the cultivation of positive relationships between
community, students, academic and administrative staff and institution owners;
(vi) Creativity and innovativeness; always curious and striving to reach out and embrace new
technologies and innovative methods of doing work and contributing to socio-economic
development;


(vii) Loyalty to the Government; always adhering to, implementing and being positive towards
Government directives;
(viii) Honesty; an inner part of an individual staff member’s commitment relating to integrity,
truthfulness and straightforwardness in pursuing his/her daily activities;
(ix) Fairness; impartial and just treatment, without favouritism or discrimination, of all
College customers;
(x) Accountability; being accountable to stakeholders and to the community for the mandate and
responsibilities bestowed upon us;
(xi) Transparency; the state of being open in all daily activities and dealings and standing
ready for public scrutiny.

1.6 Strategic objectives

In the next cycle of five years from 2018/19 to 2022/23 CAWM will endeavour to achieve the
following six strategic objectives.
i) Strengthened initiatives to fight HIV/AIDS and non-communicable diseases
ii) Good governance and national anti-corruption plans promoted
iii) Training in wildlife management and tourism improved
iv) Improved research, short courses and consultancy services
v) Improved working environment, human capital development and staff welfare
vi) Strengthened internally generated revenue mobilization

1.7 Context of Risk Management

The context within which this Policy is prepared is one of ongoing strong governance and leadership.
The determinations and considerations made in this Policy have been based on the legal framework
within which the College exists and operates. It is based on this context that the risk appetite of
the College has been established.
As a consequence, the College’s Risk Appetite is variable and proportionate to the risk being assessed.
However, the College’s appetite for risks that encompass corruption, fraud, theft or personal harm or
injury is zero. To accommodate this, the College is committed to the continuous development and review
of policies, procedures, organisational structures and systems that are all designed to mitigate the
likelihood and consequence of risk.


1.8 Purpose

2 The adoption of risk management practices within the CAWM is a response to the constant
search for best practices and need to comply with the National Guidelines for Developing and
Implementing Risk Management Framework in Public Sector Organizations (2012) and its
accompanying Treasury Circular No. 12 of 2012/13.
3 This Framework sets the principles and approach for embedding risk management in the CAWM.
It outlines the College’s risk policy, risk management processes, appetite, and risk governance
structure.
4 The Framework also sets a consistent approach to making sure that all significant risks facing the
College are identified and their likelihood and potential impact reduced through recognized risk
management tools and techniques, and reported in a timely manner.

1.1 Scope of Applicability

5 This Framework applies to all areas under the CAWM, including departments, units, sections and
projects.
6 The Framework also applies to all individuals employed by the CAWM, including service
providers, volunteers, contractors, temporary staff and any other individual working with the College
under any type of arrangement.

1.1 The concept of Risk Management and its Benefits

7 Risk is the possibility of an event or condition occurring that will have an impact on the ability of
the organization to achieve its objectives. Risk is measured in terms of its likelihood and impact.

8 Risk management is a systematic application of management principles, approaches and
processes to the task of identifying and assessing risks, and the planning and implementing of risk
responses.

1.1 The key benefits of risk management to the College are:

9 Establishment of a reliable basis for sound risk opposed decision making and planning (strategic
and operational planning).

10 Assurance on the achievement of organization's objectives and performance targets through the
awareness and management of potential events/and situations that work against the objectives.

11 Enhance communication across all management levels within the College.


12 Effective use of resources; minimize operational surprises and shocks and other costly and time-
consuming litigation and/or unexpected losses.

13 Management will grasp new opportunities in a timely manner.

14 Facilitate compliance with relevant legal and regulatory requirements and international norms.

15 Enhance health and safety performance, as well as environmental protection.

16 Improve stakeholders’ confidence and trust (i.e. reassure stakeholders that the College is
managing its risks efficiently and effectively).

17 Protect and promote the College’s corporate reputation.


CHAPTER TWO

1. RISK MANAGEMENT POLICY AND APPETITE STATEMENTS

2.0 Risk Policy Statements

COLLEGE OF AFRICAN WILDLIFE MANAGEMENT


RISK MANAGEMENT POLICY STATEMENT

The CAWM is actively committed to the management of risk and reducing its exposure in all facets of
its education services. It endeavours to ensure that all necessary practices and procedures are
effective and fully implemented to control any risks and thereby providing employees and the
academic community with services, facilities and an environment, which are sound, safe and inviting.

In this regard:

i) The CAWM is committed to embedding risk management in its structure, culture, planning
process and operations so as to obtain a reasonable assurance that risks are managed to a
satisfactory level consistent with the prevailing risk appetite.
ii) The College shall maintain a Risk Register that shall document all the identified and assessed
risks and their proposed responses and action plans.
iii) The College shall regularly review and monitor the implementation and effectiveness of the
risk management processes.
iv) The College is committed to ensuring that all academic extreme risks are prioritized.
v) All officials, staff and service providers are custodians with the responsibility of adhering to and
implementing this risk framework.
vi) For some risks involving hazards and events of that nature (e.g. fire, major breakdown of ICT
systems etc.), CAWM will cover such risks by developing Contingency Plans, Business
Continuity Plans and/or Disaster Recovery Plans.

Rector, College of African Wildlife Management, Mweka


2.0 Risk Appetite Statement


1.1 Level of acceptable risk
The level of acceptable risk constitutes the College’s risk appetite. The Governing Body is
responsible for determining the acceptable level of risk based on the categories (i.e. strategic,
financial, compliance, operational and reputational).
1.2 Cultural
Cultural risk appetite defines behaviours and the principles to be applied across the College but which
are not necessarily measurable or actionable. The Cultural Risk Appetite is:
i) College has a very low tolerance for reputational risk exposure that negatively influences its
standing or image. Steps to minimize the likelihood of adverse reputational impact should
always be taken;

ii) College will promptly take action to address student and/or staff complaints and regulatory
concerns. Regulatory concerns include all the directives from the Central Government and
the regulatory body (NACTE);

iii) College will not engage in any activity that will put its long-term values or reputation at risk.
The College will meet the students’ and other stakeholders’ expectations of providing
efficient, considerate and cost-effective Education, Consultancies and research services; and

iv) College is an equal opportunity employer that employs skilled and experienced employees in
positions with clearly defined roles and responsibilities.

1.3 Outcome
Our outcome risk appetite specifies the limits or maximum impact/outcome within the College that is
considered reasonable and acceptable where such risk is measurable. The Outcome Risk Appetite is
defined by compliance with:
i) College’s Strategic Plan

ii) College’s Medium Term Expenditure Framework

iii) Defined all functional departments, Sections and Unit Plans.

1.4 Expectation
College’s expectation risk appetite defines its tolerance for strategic and operational actions. These
risks, specific to activities or known risks are measurable and supported by mitigation controls and
actions. The Expectation Risk Appetite is:


i) College has a low tolerance for Strategic Risks. These risks are to be mitigated/transferred or
controlled as far as practicable down to a low or medium risk rating.

ii) College has zero tolerance for harm or injury to its employees or visitors and these harms will
be mitigated and controlled down to a low risk;

iii) College has zero tolerance for internal/external fraud or deception activities;

iv) College has a low tolerance for operational risk. These risks will be mitigated and controlled
to where the cost of control is equal to the marginal cost of the risk;

v) College has a low tolerance for information technology outages. However, there is no
tolerance for outages that exceed a week.

1.5 Liability
The College’s liability risk appetite defines the level of liability that it is prepared to accept using
internal mitigations or management processes before it seeks external support or remedies to resolve
matters. Such risks are measurable and reportable.


2. CHAPTER THREE

3. RISK MANAGEMENT GOVERNANCE STRUCTURE AND RESPONSIBILITIES

2.0 The need for defining roles and responsibilities


The ability to conduct effective risk management is dependent upon having an appropriate risk
reporting structure and well-defined roles and responsibilities. In defining and assigning roles and
responsibilities for risk management and formulating the reporting structures.

2.0 Risk Management Reporting Structure


Set out below is the risk management reporting structure. This structure illustrates that risk management
is not the sole responsibility of one individual but rather occurs and is supported at all organisational
levels.

2.0 Roles and Responsibilities


The following Roles, Responsibilities and related Reporting Structure have been established to
support the implementation of Risk Management at the College:

1.1 Governing Body


Act of Parliament No. 8 of 1964 (The College of African Wildlife Management Act) provides that the
Governing Body has the powers to administer the properties, funds and other assets of the College. By
enhancing risk management, the Governing Body can effectively exercise this power and ensure
that assets are protected from any unacceptable losses.
The Governing Body has the responsibility for making all decisions on Risk Management of the
College. This includes approving the Risk Management Framework (i.e. Policy, Structure and
Procedures). The College will fulfil its oversight responsibilities through the Audit Committee.
The Specific Roles and responsibilities of the College in relation to risk management are:
i) Shall set the risk appetite that the is willing to accept and influence the culture of Risk
Management within the College by ensuring that risks are considered as part of every College
report decision;
ii) Shall receive and deliberate on recommendations of the Audit Committee regarding the
effectiveness of the risk management processes.
iii) Obtaining assurance that key risks that will affect the College’s strategies are identified,
assessed and properly managed, and discussing quarterly risk management reports.


iv) Periodically approve the College's approach to Risk Management changes or improvements
to key elements of its processes and procedures.
v) Obtaining assurance that College strategic choices are based on thorough risk assessment

1.2 Audit Committee

The Audit Committee (AC) of the Body assists the Governing Body in fulfilling its oversight
responsibilities for the risk management within the College.
The following are the Committee responsibilities:
i) Oversees the establishment and implementation of the College’s risk management system and
assist the College to formulate, promote and review the ’s risk management objectives,
strategy and policy and monitor the process at strategic, management and operational levels;
ii) Receiving Quarterly Risk Management Reports in relation to compliance with risk treatment
action plans as agreed in the ’s Risk Register;
iii) Shall advise the College on all relevant matters relating to risk management arising from the
Annual Reports;
iv) Oversees management’s overall risk management strategy/framework and ensure the required
actions are appropriately resourced;
v) Reviews the proposed internal audit plan for the coming year; ensure that it covers key risk
areas and/or activities and that there is appropriate co-ordination with the external auditor;
and
vi) Ensure that the Internal and External Audit Plans are in line with the College’s risk profile.
vii) Provide regular feedback to the Accounting Officer and Governing Body on the adequacy and
effectiveness of risk management in the organisation, including recommendations for
improvement.

1.3 The Rector

The Rector i.e. the Accounting Officer is accountable for ensuring that a risk management system is
established, implemented and maintained in accordance with this framework.
Specifically, the Rector shall have the following roles and responsibilities:
i) Being in overall charge of the implementation of the ’s Risk Management Framework and Policy;
ii) Setting the tone and ensuring that risk management is provided with appropriate and
sufficient resources for its implementation at the College;
iii) Holding top-level management accountable for designing, implementing, monitoring and
integrating risk management into their day-to-day activities;
iv) Shall approve the Risk Management Action plan and supervise its implementation;
v) Devoting personal attention to overseeing the management of the significant risks;


vi) Establish and maintain a climate of risk awareness and intelligence;
vii) Implement risk management governance mechanisms established by the risk management
framework for effective monitoring of risks and their management;
viii) Considering appropriate action in respect of the advice and recommendations given to
him/her from the Audit Committee, Internal Audit, and External Audit to improve risk
management; and
ix) Providing assurance to relevant stakeholders that key risks facing the College are properly
identified, assessed, prevented and mitigated.
x) Appoint and delegate responsibilities for risk management to risk management coordinator
and internal formations so that it aligns to the existing College structure, processes, culture
and context.
xi) Set requirements for risk management based on the agreed benchmark and ensure that they
are consistent with business, ethical and professional standards.

1.4 College Management Team (CMT)

CMT is responsible for overseeing the day-to-day operations of the College. The team should bear the
following responsibilities related to risks:
i) Have a standing agenda item on risk at every meeting held and receive feedback from Internal
Audit Unit on the effectiveness of the implementation of the Risk Management Policy and
Framework;
ii) Monitors performance of management in implementing risk management responses and
internal control rectification activities and ensure that there are appropriate systems for
identifying and monitoring risks and that these are operating as intended;
iii) Shall be responsible for the overall oversight of the risk management processes
iv) Shall review quarterly the significant risks faced by the College and take action to ensure
these are reduced as effectively as possible, in line with the risk appetite set by the College;
v) Shall enforce the implementation of policies on risk management and internal control;
vi) Re-assess periodically the appropriateness of the risk appetite decision;

1.5 Chief Internal Auditor

The College’s Chief Internal Auditor is responsible for providing the Governing Body (through Audit
Committee) and the Rector with an objective assurance (and advice) on the effectiveness of the Risk
Management Processes.
In fulfilling this responsibility, the Head of Internal Audit shall have the following roles and
responsibilities:
i) Develop Risk-based Internal Audit Plans consistent with the College’s risk profile;


ii) Evaluate the Risk Management Framework (i.e. Policy, Governance Structure, and
Procedures) to ascertain if they support and align with the College’s mission and strategic
objective;
iii) Ascertain whether significant risks to the College’s strategic objectives, targets and functions
are identified and appropriately assessed, and that appropriate risk responses are selected and
implemented, so as to align risk treatments with the College’s risk appetite;
iv) Ascertain if relevant risk information is captured and communicated in a timely manner
across the College, enabling the Rector, the Management and staff to carry out their
responsibilities; and
v) Provide the Audit Committee and Rector with quarterly reports on the effectiveness of the
College’s risk management framework.

1.6 Heads of Department, Heads of Units and Sections (Risk Owners)

These are the “Risk Owners” and are hence responsible for integrating and implementing risk management
processes into their respective areas of responsibilities and operational routines.
Specifically, they are responsible for:
i) Manage risks by identifying, evaluating, reporting and treating risks within areas of
responsibility using appropriate tools and as suggested in the ’s Risk Management
Framework;
ii) Empowering officials (risk champions) under their areas of responsibilities to effectively
perform their risk management duties through proper guidance, supervision, communication
of responsibilities and providing opportunities for skills development;
iii) Prepare the Department/Unit’s risk report on a monthly and quarterly basis and to submit
them to the Risk Management Coordinator;
iv) Propose alternative risk management treatments for the identified risks to an acceptable level
and apply techniques and tools indicated in the ’s Risk Management Framework;
v) Act as a point of contact in the Department/Unit for any queries from staff on risk processes;
vi) Make risk management a standalone agenda item in every Departmental/Unit meeting;
vii) Ensure proper documentation and filing of risk issues;
viii) Periodically review and maintain the risk register and other documents/reports relating to risk
management within their respective departments in a systematic manner.


1.7 Risk Management Coordinator (RMC)

18 There shall be a College Risk Management Coordinator, who shall be appointed
from among the existing Senior Staff in the College.

19 The Risk Management Coordinator is responsible for the overall coordination of risk
management activities at the College.

20 The Risk Management Coordinator shall report to the Rector on all matters relating to
Risk Management.

20.1.1 Specifically, the Risk Management Coordinator shall:

i) Co-ordinate and monitor the day-to-day implementation of risk management initiatives within
the College;

ii) Coordinate, consolidate and maintain the development or updating and review of the
College’s Risk Management Framework and Risk Register with input from risk champions
and Heads of Departments/sections/units;

iii) Work closely with the “risk owners” (i.e. Heads of Departments, Sections and Units) in
overseeing the identification and treatment of risks falling in their respective areas of
responsibilities;

iv) Ensure that relevant risk information is reported and escalated or cascaded, as the case may
be, in a timely manner that supports the College’s requirements;

v) Attend CMT and Audit Committee meetings when Risk Management issues are
discussed;

vi) Provide specialist advice, training and tools to staff, management, the Rector, Audit
Committee and College on risk management issues across the College;

vii) Coordinate the drafting of risk reports to ensure consistency in standards and formats;

viii) Review risk management implementation and operational effectiveness and provide quarterly
reports and recommendations to the Rector and Audit Committee.

1.2 Risk Champions

The Risk Champion is a person with the skills, knowledge, leadership qualities and power of office
required to champion a particular aspect of risk management. A risk champion may hold any position
within the organisation. Risk champions work together with the Risk Management Coordinator,
and their roles and responsibilities are as follows:
i) Promote risk management across the College, or specifically within a particular department,
section, unit or project;

ii) Help to embed risk management into the College systems and processes;

iii) Help to ensure that functional and project areas are using the organisation’s risk management
processes consistently; and

iv) Prepare the department/section/unit risk register and submit it to the Risk Management
Coordinator for onward submission to the CMT.

v) Attend quarterly Risk Champion meetings to discuss and develop best practice by drawing
on recognised Risk Management disciplines.

1.3 Other Staff

21 All staff are responsible for integrating and implementing risk management into their day-to-day
activities.

22 In this respect, they must:

i) Comply with all rules, regulations and instructions relating to Risk Management;

ii) Work in a manner which is safe and secure for themselves, colleagues and
visitors;

iii) Implement the risk treatment action plans that address specific risks falling in
their areas of responsibilities;

iv) Inform their supervisors and/or the Risk Management Coordinator of new risks
and significant changes on known risks; and

v) Co-operate with other role players in the risk management process and provide
information as required.


1.1 Service Providers

23 All service providers are responsible for implementing risk management activities as provided in
their respective contracts entered into between them and the College.

24 In this respect, they must:

i) Comply with all the terms and conditions specified in their respective contracts; and

ii) Inform their “contract managers” of new risk(s) and/or any significant changes to
known risks.


4. CHAPTER FOUR

THE RISK MANAGEMENT PROCESS


2.0 Guidelines and International Standards
i) The College aligns its risk management procedures with the Guidelines for
Developing and Implementing Risk Management Frameworks in PSO of December
2012 or any current updates as issued by the Ministry of Finance through the Internal
Auditor General’s Division (IAGD).

ii) Additionally, in implementing the risk management process, the College adopts the ISO
31000:2009 (as revised in 2018) model of the Risk Management Process (see Figure 1
below). The guideline shall be put into use across the College to support Enterprise
Risk Management. This standard comprises a number of logical and distinct steps that
are necessary not only to establish the specifics of the risk but also to engage it into the
continuum of control and review.

Figure 1: Risk Management Process (Source: ISO 31000:2009 as revised in 2018)


* Source ISO AS/NZS 31000 - 2018 Risk Management - Principles and Guidelines

2.0 Risk Management Procedures


The Risk Management process will follow the procedures outlined in the Standard as
follows:
1.1 The Continuum of Assessment and Review
For the Risk Management process to be successful and effective within the College, it
must be:
i) an integral part of management;

ii) embedded in the culture and practices; and

iii) tailored to the unique processes of the College.

To apply the assessment and review continuum into the College context, the following
flowchart (see Figure 2 below) details the process.

1.2 Communication and Consultation


Communication and consultation with internal and external stakeholders should take place
during all stages of the risk management process.

Risk ownership is integral to its successful management and therefore, all risk creations and
reviews are to involve the areas or key individuals who will effectively manage and control
the risk exposure to College throughout its life cycle. Relevant people will be involved in the
consultation process and contribution into the various aspects of the process will be
encouraged and acknowledged.

1.3 Establishing the Context


The establishment of the context (or parameter of reference) is an integral element within the
process of risk management as it establishes and defines the various environments in which
risk is to be considered necessary, assessed and managed.

The level of contextual relevance should take into account:


i) External context – the external environment in which the organisation seeks to
achieve its objectives;


ii) Internal context – the internal environment in which the organisation seeks to achieve
its objectives;

iii) Context of the risk management process – the objectives, strategies, scope and
parameters of the organisation should be established; and

iv) Defining the risk criteria – the College should define criteria to be used to evaluate
the significance of risk.

Figure 2: Flowchart details the Risk Management Process

Key: Identifying Risk; Analysis & Treatment; Monitor & Review; Training & Awareness; Reporting

Cycle Commences

Regular Departmental/Sections/Divisional/Units Heads and risk champions meetings to discuss
strategic and operational risks.

Regular Departmental/Sections/Divisional/Units Staff and risk champions meetings to discuss
strategic and operational risks.

Departments / Sections / Divisions / Units advice Risk Management exposure. Identify, analyse,
evaluate, and provide treatment advice and record in Risk Register.

All risks are monitored, reviewed and reassessed as required (special focus on High and Extreme risks).

Risk Management Coordinator operates ongoing training and awareness workshops.

Monthly Risk Management reports to the Top Management regarding High and Extreme

Quarterly the Risk Management Coordinator revises the Risk Management Strategy and Action Plan.

Quarterly the Audit Committee reviews the Risk Management issues presented in the Risk
Management report.

Quarterly, the Governing Body review Risk Management issues presented by the Audit Committee.

Annually, the Risk Management Policy is reviewed and updated.

Cycle Recommences

1.4 Identification of Risks


The effective identification of risk exposures to which College may be subjected, is a foundation
element of establishing the basis of effective mitigation, control and review. As various levels of
assumptions are made during this process, it is essential to remain grounded in establishing the
likelihood, consequence and realism of such a risk occurring. This identification may be done through
either a workshop, survey or when a new risk emerges.

Unrealistically assessed events, impacts or consequences undermine the validity and credibility of the
risk management process, and the process rapidly becomes irrelevant to the College's business as
people disengage from it.

The primary questions must be based on:


i) The current environment in which the activity is undertaken (political, financial etc);

ii) The past history or experience of the College;

iii) Any known or suspected threats;

iv) Recent experience of other like industries; or

v) Other relevant knowledge, local or otherwise, to risk exposures that may also influence
College.

The key elements of College’s risk identification processes are:


i) The cyclical ‘whole-of-organisation’ risk assessments undertaken by College’s internal
auditors;

ii) Risk assessments undertaken within individual Departments and Units by key personnel on a
regular basis that are both supported by the Risk Management Coordinator and form part of
College’s Risk Registers (Strategic and Operational); and

iii) Key sector information derived from various sources including Ministerial Circulars and
Government Orders.

iv) In managing organisational risk, College will focus on the following major areas of risk
exposure:

 Human Resources Risks;


 Health Management Risks;


 Academic Risks (teaching, research and short courses);
 Compliance Risks (compliance with Laws and Regulations);
 Internal Controls;
 Procurements and Contract Management;
 Corporate Governance Risks;
 Information Technology Risks;
 Asset Management Risks;
 Security Risks;
 Systems – Efficiency and Effectiveness;
 Financial and Budget Management Risks;
 Reputational exposure.

This list is not exhaustive and will be complemented through the normal risk review processes
undertaken by the College Management. Identified risks will be recorded on the Risk Register.

Each risk that is identified shall be documented in a “Risk Identification Form” shown in Attachment
1, and each risk will have its own form, which will later be summarized into a Risk Register.

1.5 Risk Analysis and Evaluation


A full, accurate and objective assessment of any identified risk must be undertaken to:
i) Evaluate existing controls;

ii) Determine the likelihood of an incident;

iii) Determine the consequences of the risk;

iv) Establish the risk rating;

The College’s Risk owner and Champions shall undertake these assessments with the support of Risk
Management Coordinator.

Risk assessments shall be undertaken using the risk assessment criteria matrices shown in Attachments
2, 3 & 4 for likelihood, impact and overall risks. The risk likelihood and impact will be rated on a
5-band rating scale while the overall risk rating will be on a 3-band scale as High, Medium or Low.
The output of risk assessment shall be documented in the risk register shown in Attachment 5. The risk
register shall be used to record, rate, monitor and report risks.


The key risks shall be presented in the Heat map shown in Attachment 6 with identification numbers and
recorded for risk treatment.

An assessment of risks should be carried out three times during the life of the risk:
Stage 1 - Inherent risk (Absolute) – the risk exposure prior to management controls being put in place;
Stage 2 - Managed risk – the risk exposure with the current level of management controls; and
Stage 3 - Residual risk – when no further controls are required and the level of residual risk is tolerable.

1.6 Treatment
To control a risk, there is a need for it to be correctly and realistically analysed and evaluated to
determine the best option for risk removal or minimisation, with plans prepared and implemented to
rectify or mitigate any problem areas.

Risk control options (which are not necessarily mutually exclusive or appropriate in all
circumstances) include the following:
i) Avoid (also Terminate) the risk – avoid the identified risk by deciding not to proceed with
the activity likely to generate risk (where this is practicable);

ii) Risk Transfer (Share) – reduce exposure by transferring the risk to another party, e.g.
contracting to a business that has the requisite qualifications and skills;

iii) Reduce the likelihood of occurrence through measures such as audit compliance programs,
contract conditions, preventative maintenance, engineering controls, inspections, process
policies and procedures; and

iv) Reduce the consequences through measures such as contingency planning, disaster recovery
plans, contractual arrangements, financial management controls and risk exposure
minimisation plans.

v) Retain (also Tolerate) the risk – accept the impact of the risk.

The outcome of the risk treatment process is a list of those risks requiring further treatment, as
determined by the overall level of the risk against the organisation’s risk tolerance levels. The Risk
Treatment Action Plans shall be developed and implemented as shown in Attachment 7.


1.7 Implementation
Risk Management across the College shall be implemented and managed through effective governance
controls including:
i) Monitoring of adherence to internal controls;

ii) Conducting risk assessments of College assets and activities;

iii) Applying a corporate risk management strategy;

iv) Promoting adherence to this Policy and related Policies by all employees;

v) Providing employee training opportunities on relevant risk issues;

vi) Providing induction training and ongoing workshop sessions;

vii) Providing adequate funding for risk reduction initiatives in College’s budget; and

viii) Undertaking an annual review of identified risks.

Risk controls in the Risk Treatment Plan shall be implemented under the supervision of risk owners
and control owners. The owner of a particular risk can be a control owner under the same risk as well as
under risks owned by others.

1.8 Performance Measuring


The risk management evaluation will be reported through the Risk Management Report on a quarterly basis.
The report will comprise various components including the Key Risk Indicator Report (Risk Profile) and
the Status of Control Implementation.

The progress of implementing the treatment plans will form part of the reporting structure of the Risk
Management Coordinator on an exception basis.

1.9 Monitoring, Reporting and Review


Risk management planning is based on assumptions and decisions about an operating
environment that is subject to change as a result of changing social, legal, economic, political
and technological factors.

1.10 Monitoring

Monitoring of risk is the responsibility of the respective Heads of Departments/Units/Sections as an
element of their overall responsibilities. The monitoring process tracks the progress of the action
plans. Risk management is not a one-off exercise. Risks change over time. Monitoring is to consider
whether anything has happened which alters or changes the risks, causes, risk scores or actions
identified. It also ensures that action plans remain relevant, up-to-date and effective.

Monitoring of risk, with the support of the Risk Management Coordinator, will include, but not be
limited to:
i) on-going risk assessment and risk minimisation as part of standard management practice;

ii) advice and input into contract specifications and documentation;

iii) advice and input into risk assessments of new College programs;

iv) on-going review of existing College programs and facilities, as required;

v) compliance with all College Policies and Procedures; and

vi) Periodic review of College’s Policies and Procedures.

Risk management performance monitoring process will include statistical data evaluation, audit, and
performance assessment.

There shall be two half-year workshops to discuss the progress in implementing the risk register and
treatment plan. The best timing for these workshops will be towards the end of June and December.

1.11 Risk Reporting

i) Risk reporting will be compiled using the ‘Risk Management Quarterly Implementation
Report’ (see Attachment 8).

ii) All risk owners will, on a quarterly basis, prepare a risk management quarterly implementation
report and submit it to the Risk Management Coordinator.

iii) The Risk Management Coordinator will compile all reports and prepare a summarized report
on the College’s overall status in implementing risk treatment action plans on a quarterly basis.
Significant risk issues are to be reported directly to the attention of the Rector, Audit Committee
and College.

Reporting To: Governing Body
Items of Report: Report on High risks with existing control measures and recommendations for further mitigation.
Frequency: Quarterly

Reporting To: Audit Committee
Items of Report:
Statistics regarding incidents, activities, analysis of risks trends.
Report on High risks with existing control measures and recommendations for further mitigation.
Status Report of internal audit recommendations.
Frequency: Quarterly

Reporting To: College Management Team
Items of Report: Status Report of College Risk Register (CRR) and all strategic risks and risk treatment plans
Frequency: Monthly

1.12 Review Procedures

This is the oversight and review management system and any changes that might affect it. Reviewing
occurs concurrently throughout the risk management process.
i) The risk management framework shall also be subject to audit on an annual/bi-annual basis.
ii) Audit may be conducted by internal audit or an external party, with the following objectives:
 To review the structure and key elements of the Risk Management Framework and
provide assurance that they are all working as intended;
 To review the extent to which material risks are being managed within the Risk
Appetite of the College;
 To review the adequacy of Risk Reporting;
 To review the implementation or application of key risk controls and the
implementation of key risk treatment strategies;
 To review the adequacy of risk management resourcing and the performance of
key risk management personnel;
 To confirm that material changes to the Risk Management Framework have been
approved by the Board and noted by Internal and External Audit.
iii) The Audit Committee’s recommendation is submitted to the Governing Body for consideration.
iv) If revisions are recommended and approved, a copy of the revised policy is widely distributed
to all Heads of Departments by the Team Secretariat.

1.13 Training

College regards training as being critical to the success of its risk management strategy. This means
that appropriate staff and members are identified for training and that those individuals receive training
that is appropriate to the type of responsibilities that they hold. Risk Champions play a vital role
within departments/sections/units and aid in the identification of training needs. The extent of the
training provided shall be reported to the Management and Audit Committee periodically.

1.14 Attachments

This Policy is supported by detailed attachments that further define graphically the methods and process
of risk management.
The attachments are:

 Attachment 1. Risk Identification Form
 Attachment 2. Likelihood assessment matrix
 Attachment 3. Impact assessment matrix
 Attachment 4. Overall risks assessment matrix
 Attachment 5. Heat map matrix template
 Attachment 6. Risk register template
 Attachment 7. Risk Treatment Action Plans template
 Attachment 8. Risk Treatment Quarterly Implementation Report
 Attachment 9. Sample of risk treatment quarterly implementation report


Attachment 1: RISK IDENTIFICATION FORM


Risk title: Provide a brief title of the risk
Risk ID: Provide a unique identity

Overview
Risk Area: Provide department/unit/section affected by this risk
Risk: Provide a brief description of the risk
Principal risk owner: Include title of the person managing the risk and the area where the risk falls
Supporting owner(s): Provide title of other persons affected by the risk
Risk Category: Is it a financial, technical etc.
Objective/plan: List the objective impacted by the risk

Details
Contributing Factors (Causes): Provide the causes that may lead to the risk materializing
Outcomes (Consequences): Provide description of what will happen if the risk will materialize

Existing Controls currently in place and their weaknesses: briefly describe the current controls
existing to reduce the inherent risk, also point out the main weaknesses for the current controls.
Control Strengths:
Control Weaknesses:


Attachment 2 – RISK LIKELIHOOD ASSESSMENT MATRIX CRITERIA

RATING  LIKELIHOOD RATING  CRITERIA
1       RARE               Event occurring once after 5 years
2       UNLIKELY           Event occurring once after 3 years
3       POSSIBLE           Event occurring once after 1 year
4       LIKELY             Event occurring once after 6 months
5       ALMOST CERTAIN     Event already occurring or occurring once within 6 months


Attachment 3 – COLLEGE - RISK CONSEQUENCE ASSESSMENT MATRIX CRITERIA

RATING 1 – CONSEQUENCE RATING: INSIGNIFICANT
Objective (Deviation from expectation): Objective not achieved by 5% or less
People (impact on staff and students): Injury which do not require medical treatment
Financial Loss: Financial loss (less than 0.02% of the budget) or < TZS 5M
Environmental: No detrimental environmental effect
Outrage & Media: Issue raised by students local press
Service Delivery (Teaching and Social Services): Failure to deliver teaching services and social services for of hours.
Projects: Completion delay of up to 1% of time

RATING 2 – CONSEQUENCE RATING: MINOR
Objective (Deviation from expectation): Objective not achieved by more than 5% but not exceeding 10%
People (impact on staff and students): First-Aid Treatment Only
Financial Loss: financial loss of TZS up to 0.05% of budget or 1M-2M
Environmental: Environmental discharge controlled, and of a minor nature
Outrage & Media: Resident and/or media concern / local media coverage
Service Delivery (Teaching and Social Services): Non delivery of service related to teaching services, social services etc for one day
Projects: Completion delay of up to 5% of time

RATING 3 – CONSEQUENCE RATING: MODERATE
Objective (Deviation from expectation): Objective not achieved between 10%-15%
People (impact on staff and students): Medical treatment, Ambulance, or admission to hospital of less than 2 days
Financial Loss: Financial loss of TZS up to 0.5% of the budget. Or 2M – 5M
Environmental: Localised environmental impact, causing community annoyance, and requiring remedial action
Outrage & Media: Embarrassment for College, including adverse media coverage
Service Delivery (Teaching and Social Services): Non delivery of service related to education, social services etc that affect any strategic objective for a more than one day that attracts NACTE intervention
Projects: Completion delay of up to 7% of time

RATING 4 – CONSEQUENCE RATING: MAJOR
Objective (Deviation from expectation): Objective not achieved between 16% to 25%
People (impact on staff and students): Hospitalisation of more than 2 days, or long term injury or disability
Financial Loss: financial loss of TZS Up to 3% of the Budget or 5M – 10M
Environmental: Long-term detrimental environmental or social impact
Outrage & Media: Reputation of College severely affected in the long-term.
Service Delivery (Teaching and Social Services): Non delivery of service related to education, social services etc that affect one strategic objective for more than a week
Projects: Completion delay of up to 10% of time

RATING 5 – CONSEQUENCE RATING: CATASTROPHIC
Objective (Deviation from expectation): Objective not achieved by more than 25%
People (impact on staff and students): Single or multiple fatalities
Financial Loss: Financial loss of TZS greater than 3% of Budget or >10M
Environmental: Long-term environmental or social impact on community
Outrage & Media: Government intervention required
Service Delivery (Teaching and Social Services): Non delivery of service of education, social services etc that affect three or more for more than a month
Projects: Completion delay of up to 20% of time

Attachment 4 – OVERALL RISK SEVERITY

Gross Risk Score: 16 - 25
RAG Assessment: High
Remarks: The College feels most concerned about carrying this risk because there are insufficient controls in
place to address the cause or source of the risk.

Gross Risk Score: 8 – 15
RAG Assessment: Medium
Remarks: The College feels concerned about carrying this risk because there are few controls in place, which
are considered substantial and/or effective and address the cause of the risk.

Gross Risk Score: 1 - 7
RAG Assessment: Low
Remarks: The College is supposed to opt this level of risk. The risk is considered small and there are
sufficient controls in place, which address or substantially control the cause of the risk.


Attachment 5 – HEAT MAP MATRIX


Heat map risk matrix template

Rows (Likelihood/Probability): Almost certain; Likely; Possible; Unlikely; Rare
Columns (Impact/Consequences): Insignificant; Minor; Moderate; Major; Severe

Attachment 6 – SAMPLE OF RISK REGISTER TEMPLATE

Columns:
Risk ID
Link to College Strategic Objective
Risk Category (Is it an Operational, financial, technical, Strategic, Compliance, Political, etc.)
Risk Description
Risk Owner
GPR
GIR
GRS
Assessment Frequency (Monthly, Quarterly, Semi-Annually, Annually, Adhoc)
Key Risk Indicator
Assessment Frequency (Monthly, Quarterly, Semi-Annually, Annually, Adhoc)
Threshold/Tolerance Level

Attachment 7 – SAMPLE OF RISK TREATMENT PLAN

Columns:
Risk ID
Risk Description
Risk Owner
Root Cause
Controls
Control Owner
Key Control Indicator (KCIs)
Assessment Frequency (Monthly, Quarterly, Semi-Annually, Annually, Adhoc)
Target Date

Attachment 8: RISK MANAGEMENT PERFORMANCE INDEX TEMPLATE

A: Balanced Scorecard Grid: How effectively level of perceived risk is minimized (0.4)
Columns: Cascaded objective; Key Risk Indicator; Tolerance level/ Target; Actual; Score
Sub-total (A)

B: Initiative Grid: How effectively recommended control actions are implemented (0.4)
Columns: Initiative/Control Action; Key Control Indicator; Due date; Target; Actual; Score
Sub-total (B)

C: Internal Audit Grid: Assesses compliance with the existing internal control systems (0.2)
Columns: Audit process; Audit query; Audit recommendation; Rating; Maximum rating; Score
Sub-total (C)

Grand Score (A+B+C)

This RMPI will be an integral part of Performance Management System.

Attachment 9: SAMPLE OF RISK TREATMENT QUARTERLY IMPLEMENTATION REPORT

Department/Unit:
Risk Management Quarterly Implementation Report for the Quarter Ending:
Prepared by:
Date:

Columns:
Risk title & ID (From Risk Register in priority order)
Proposed Treatment/Control Options (From Risk Identification Sheet)
Control Owner (as in the risk identification sheet)
Target Date (Give specific start and end dates)
Status of Implementation (completed, on-going, not done)
Remarks and/or Comments
