RISK MANAGEMENT POLICY AND FRAMEWORK 2019
DEFINITION OF TERMS
The following definitions apply for the purpose of interpreting this Policy:
TERM: DEFINITION
Commercial Risk: Risk associated with the failure of a business contract or business relationship.
Compliance Risk: Risk associated with failing to meet statutory obligations.
Consequence: The impact on the College should an event occur.
Risk Appetite: The amount and type of risk that an organisation is willing to take in order to
meet its strategic objectives. Risk Appetite is best described as an
organisation’s pursuit of risk or its willingness to take risks as opposed to
avoiding them.
Risk Assessment: The overall process of risk analysis and risk evaluation.
Risk Control: The part of risk treatment that involves the implementation of policies, standards,
procedures and physical changes to things, work processes or systems of
work to eliminate or minimise the impact of the risk.
Risk Evaluation: The process used to determine risk management priorities by comparing the
level of risk against predetermined standards, target risk levels or other
criteria.
Risk Identification: The process of determining what can happen, why and how.
Risk Management: The culture, processes and structures that are directed towards the effective
management of potential opportunities and adverse effects.
Risk Management Process: The systematic application of policies, procedures and practices to
the tasks of establishing the context, identifying, analysing, evaluating,
treating, monitoring and communicating risk.
Risk Management Team: Comprises the Risk Management Coordinator and Risk Champions.
CHAPTER ONE
1. Introduction
This section provides the background on the policy, establishment of the College, its functions, vision,
mission, core values, purpose, scope of applicability, benefits of risk management and rationale for
adoption of Risk Management.
2.0 Background
The College’s Risk Management Policy is intended for use by the College community to ensure
consistent application of risk management processes to the wide range of activities undertaken by the
College.
The Risk Management framework brings together information on policies, accountabilities, roles and
responsibilities for all those involved in risk management. The Framework provides a structured
approach to the management of risks that are likely to adversely impact on the performance and
continued growth of the College. The analysis and evaluation of risks, and the strategies for mitigating
them, will enable the achievement of the College’s strategic objectives.
The College’s risk management framework is based on the Guidelines for Risk Management in Public
Sector of 2012 and the International Organization for Standardization’s (ISO) Risk Management
Standard ISO 31000:2009 as revised in 2018, which provides a rigorous approach in communicating,
consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and
reviewing risk. The strategic planning process is integral to identifying, communicating and focusing
on those factors that are critical to the College achieving its fundamental purpose.
The College in the management of various facets of risks will apply the principles and standards set
out in the policy consistently and effectively.
The management of risk is recognised as an integral part of good management practice. Effective
risk management supports informed decision-making and encourages the identification of
opportunities for continuous improvement. It is no longer acceptable to treat Risk Management as only a
process of good operating standards; rather, it is a critical element of sound governance across an
organisation.
This Policy and procedure formalises and details the College’s approach to organisational risk
management, and provides a framework for performing risk identification, assessment and
minimisation practices across the organisation.
The College in the management of various facets of risks will apply the principles and standards set
out in the framework consistently and effectively.
The College was established by Act of Parliament No. 8 of 1964 (The College of African Wildlife
Management Act). The Act provides for the creation of the Governing Body that is responsible for
control and administration of the College’s Vision, Mission and Core objectives.
1.3 Vision
CAWM’s vision is to become a center of excellence for professional and technical training in
addressing the challenges of wildlife sustainability in Africa.
1.4 Mission
To provide the highest standards of technical training by engaging a global community and
undertaking relevant research and consultancies in order to meet the needs of wildlife and tourism
management in Africa.
The operationalisation of the College vision and mission is guided by the following values:
(i) Effective and efficient services; the College is committed to increasing quality of products
and services while minimizing the operation cost;
(ii) Conservation principles; the College is committed to adhere to the conservation principles
and legislations;
(iii) Sustainable tourism principles; the College is committed to adhere to the tourism principles
and legislations;
(iv) Professionalism; the College is committed to adhering to professionalism in all activities;
(v) Client oriented; the College is committed to the cultivation of positive relationships between
community, students, academic and administrative staff and institution owners;
(vi) Creativity and innovativeness; always curious and striving to reach out and embrace new
technologies and innovative methods of doing work and contributing to socio-economic
development;
(vii) Loyalty to the Government; always adhere to, implement and be positive towards Government
directives;
(viii) Honesty; an inner part of each individual staff member’s commitment, relating to integrity, truthfulness
and straightforwardness in pursuing his/her daily activities;
(ix) Fairness; impartial and just treatment, without favoritism or discrimination, of all
College customers;
(x) Accountability; being accountable to stakeholders and to the community for the mandate and
responsibilities bestowed upon us;
(xi) Transparency; the state of being open in all daily activities or dealings and standing
ready for public scrutiny.
In the next cycle of five years from 2018/19 to 2022/23 CAWM will endeavour to achieve the
following six strategic objectives:
i) Strengthened initiatives to fight HIV/AIDS and non-communicable diseases
ii) Good governance and national anti-corruption plans promoted
iii) Training in wildlife management and tourism improved
iv) Improved research, short courses and consultancy services
v) Improved working environment, human capital development and staff welfare
vi) Strengthened internally generated revenue mobilization
The context within which this Policy is prepared is one of ongoing strong governance and leadership.
The determinations and considerations made in this Policy have been based on the legal framework
within which the College exists and operates. It is on the basis of this context that the risk appetite of
the College has been established.
As a consequence, the College’s Risk Appetite is variable and proportionate to the risk being assessed.
However, the College’s appetite for risks that encompass corruption, fraud, theft or personal harm or
injury is zero. To accommodate this, the College is committed to the continuous development and review
of Policies, procedures, organisational structures and systems that are all designed to mitigate the
likelihood and consequence of risk.
1.8 Purpose
2 The adoption of risk management practices within the CAWM is a response to the constant
search for best practices and the need to comply with the National Guidelines for Developing and
Implementing Risk Management Framework in Public Sector Organizations (2012) and its
accompanying Treasury Circular No. 12 of 2012/13.
3 This Framework sets the principles and approach for embedding risk management in the CAWM.
It outlines the College’s risk policy, risk management processes, appetite, and risk governance
structure.
4 The Framework also sets a consistent approach to making sure that all significant risks facing the
College are identified and their likelihood and potential impact reduced through recognized risk
management tools and techniques, and reported in a timely manner.
5 This Framework applies to all areas under the CAWM, including departments, units, sections and
projects.
6 The Framework also applies to all individuals employed by the CAWM, including service
providers, volunteers, contractors, temporary staff and any other individual working with the College
under any type of arrangement.
7 Risk is the possibility of an event or condition occurring that will have an impact on the ability of
the organization to achieve its objectives. Risk is measured in terms of its likelihood and impact.
9 Establishment of a reliable basis for sound risk opposed decision making and planning (strategic
and operational planning).
10 Assurance on the achievement of organization's objectives and performance targets through the
awareness and management of potential events/and situations that work against the objectives.
12 Effective use of resources; minimize operational surprises and shocks and other costly and time-
consuming litigation and/or unexpected losses.
14 Facilitate compliance with relevant legal and regulatory requirements and international norms.
16 Improve stakeholders’ confidence and trust (i.e. reassure stakeholders that the College is
managing its risks efficiently and effectively).
CHAPTER TWO
The CAWM is actively committed to the management of risk and to reducing its exposure in all facets of
its education services. It endeavours to ensure that all necessary practices and procedures are
effective and fully implemented to control any risks, thereby providing employees and the
academic community with services, facilities and an environment that are sound, safe and inviting.
ii) College will promptly take action to address student and/or staff complaints and regulatory
concerns. Regulatory concerns include all the directives from the Central Government and
the regulatory body (NACTE);
iii) College will not engage in any activity that will put its long-term values or reputation at risk.
The College will meet the students’ and other stakeholders’ expectations of providing
efficient, considerate and cost-effective Education, Consultancies and research services; and
iv) College is an equal opportunity employer that employs skilled and experienced employees in
positions with clearly defined roles and responsibilities.
1.3 Outcome
Our outcome risk appetite specifies the limits or maximum impact/outcome within the College that is
considered reasonable and acceptable where such risk is measurable. The Outcome Risk Appetite is
defined by compliance with:
i) College’s Strategic Plan
1.4 Expectation
College’s expectation risk appetite defines its tolerance for strategic and operational actions. These
risks, specific to activities or known risks, are measurable and supported by mitigation controls and
actions. The Expectation Risk Appetite is:
i) College has a low tolerance for Strategic Risks. These risks are to be mitigated, transferred or
controlled as far as practicable down to a low or medium risk rating;
ii) College has zero tolerance for harm or injury to its employees or visitors and these harms will
be mitigated and controlled down to a low risk;
iii) College has zero tolerance for internal/external fraud or deception activities;
iv) College has a low tolerance for operational risk. These risks will be mitigated and controlled
to where the cost of control is equal to the marginal cost of the risk;
v) College has a low tolerance for information technology outages. However, there is no
tolerance for outages that exceed a week.
1.5 Liability
College’s liability risk appetite defines the level of liability that it is prepared to accept using
internal mitigations or management processes before it seeks external support or remedies to resolve
matters. Such risks are measurable and reportable.
2. CHAPTER THREE
iv) Periodically approve the College's approach to Risk Management changes or improvements
to key elements of its processes and procedures.
v) Obtaining assurance that College strategic choices are based on thorough risk assessment
The Audit Committee (AC) of the Body assists the Governing Body in fulfilling its oversight
responsibilities for the risk management within the College.
The following are the Committee responsibilities:
i) Oversees the establishment and implementation of the College’s risk management system and
assist the College to formulate, promote and review the ’s risk management objectives,
strategy and policy and monitor the process at strategic, management and operational levels;
ii) Receiving Quarterly Risk Management Reports in relation to compliance with risk treatment
action plans as agreed in the ’s Risk Register;
iii) Shall advise the College on all relevant matters relating to risk management arising from the
Annual Reports;
iv) Oversees management’s overall risk management strategy/framework and ensure the required
actions are appropriately resourced;
v) Reviews the proposed internal audit plan for the coming year; ensure that it covers key risk
areas and/or activities and that there is appropriate co-ordination with the external auditor;
and
vi) Ensure that the Internal and External Audit Plans are in line with the College’s risk profile.
vii) Provide regular feedback to the Accounting Officer and Governing Body on the adequacy and
effectiveness of risk management in the organisation, including recommendations for
improvement.
The Rector (i.e. the Accounting Officer) is accountable for ensuring that a risk management system is
established, implemented and maintained in accordance with this framework.
Specifically, the Rector shall have the following roles and responsibilities:
i) Overall in-charge for the implementation of the ’s Risk Management Framework and Policy;
ii) Setting the tone and ensuring that risk management is provided with appropriate and
sufficient resources for its implementation at the College;
iii) Holding top-level management accountable for designing, implementing, monitoring and
integrating risk management into their day-to-day activities;
iv) Shall approve the Risk Management Action plan and supervise its implementation;
v) Devoting personal attention to overseeing the management of the significant risks;
CMT is responsible for overseeing the day-to-day operations of the College. The team should bear the
following responsibilities related to risks:
i) Have a standing agenda item on risk at every meeting held and receive feedback from Internal
Audit Unit on the effectiveness of the implementation of the Risk Management Policy and
Framework;
ii) Monitors performance of management in implementing risk management responses and
internal control rectification activities and ensure that there are appropriate systems for
identifying and monitoring risks and that these are operating as intended;
iii) Shall be responsible for the overall oversight of the risk management processes;
iv) Shall review quarterly the significant risks faced by the College and take action to ensure
these are reduced as effectively as possible, in line with the risk appetite set by the College;
v) Shall enforce the implementation of policies on risk management and internal control;
vi) Re-assess periodically the appropriateness of the risk appetite decision;
The College’s Chief Internal Auditor is responsible for providing the Governing Body (through Audit
Committee) and the Rector with an objective assurance (and advice) on the effectiveness of the Risk
Management Processes.
In fulfilling this responsibility, the Head of Internal Audit shall have the following roles and
responsibilities:
i) Develop Risk-based Internal Audit Plans consistent with the College’s risk profile;
ii) Evaluate the Risk Management Framework (i.e. Policy, Governance Structure, and
Procedures) to ascertain if they support and align with the College’s mission and strategic
objective;
iii) Ascertain whether significant risks on the College’s strategic objectives, targets and functions
are identified and appropriately assessed, and that appropriate risk responses are selected and
implemented, so as to align risk treatments with the College’s risk appetite;
iv) Ascertain if relevant risk information is captured and communicated in a timely manner
across the College, enabling the Rector, the Management and staff to carry out their
responsibilities; and
v) Provide the Audit Committee and Rector with quarterly reports on the effectiveness of the
College’s risk management framework.
These are the “Risk Owners” and are hence responsible for integrating and implementing risk management
processes into their respective areas of responsibility and operational routines.
Specifically, they are responsible for:
i) Manage risks by identifying, evaluating, reporting and treating risks within areas of
responsibility using appropriate tools and as suggested in the ’s Risk Management
Framework;
ii) Empowering officials (risk champions) under their areas of responsibilities to effectively
perform their risk management duties through proper guidance, supervision, communication
of responsibilities and providing opportunities for skills development;
iii) Prepare the Department/Unit’s risk report on a monthly and quarterly basis and to submit
them to the Risk Management Coordinator;
iv) Propose alternative risk management treatments for the identified risks to an acceptable level
and apply techniques and tools indicated in the ’s Risk Management Framework;
v) Act as a point of contact in the Department/Unit for any queries from staff on risk processes;
vi) Make risk management a standalone agenda item in every Departmental/Unit meeting;
vii) Cause proper documentation and filing of risk issues;
viii) Periodically review and maintain the risk register and other documents/reports relating to risk
management within their respective departments in a systematic manner.
18 There shall be a College Risk Management Coordinator, who shall be appointed
from among the existing Senior Staff in the College.
20 The Risk Management Coordinator shall report to the Rector on all matters relating to
Risk Management.
i) Co-ordinate and monitor day-to-day the implementation of risk management initiatives within
the College;
ii) Coordinate, consolidate and maintain the development or updating and review of the
College’s Risk Management Framework and Risk Register with input from risk champions
and Heads of Departments/sections/units;
iii) Work closely with the “risk owners” (i.e. Heads of Departments, Sections and Units) in
overseeing the identification and treatment of risks falling in their respective areas of
responsibilities;
iv) Ensure that relevant risk information is reported and escalated or cascaded, as the case may
be, in a timely manner that supports the College’s requirements;
v) Attend CMT and Audit Committee meetings when Risk Management issues are
discussed;
vi) Provide specialist advice, training and tools to staff, management, the Rector, Audit
Committee and College on risk management issues across the College;
vii) Coordinate the drafting of risk reports to ensure consistency in standards and formats;
viii) Review risk management implementation and operational effectiveness and provide quarterly
reports and recommendations to the Rector and Audit Committee.
The Risk Champion is a person with the skills, knowledge, leadership qualities and power of office
required to champion a particular aspect of risk management. A risk champion may hold any position
within the organisation. Risk champions work together with the Risk Management Coordinator
and their roles and responsibilities are as follows:
i) Promote risk management across the College, or specifically within a particular department,
section, unit or project;
ii) Help to embed risk management into the College systems and processes;
iii) Help to ensure that functional and project areas are using the organisation’s risk management
processes consistently; and
iv) To prepare the department/section/unit risk register and submit it to the Risk Management
Coordinator for onward submission to the CMT.
v) To attend quarterly Risk Champion meetings to discuss and develop best practice by drawing
on recognised Risk Management disciplines.
21 All staff are responsible for integrating and implementing risk management into their day-to-day
activities.
i) Comply with all rules, regulations and instructions relating to Risk Management;
ii) Work in a manner which is safe and secure for themselves, colleagues and
visitors;
iii) Implement the risk treatment action plans that address specific risks falling in
their areas of responsibilities;
iv) Inform their supervisors and/or the Risk Management Coordinator of new risks
and significant changes on known risks; and
v) Co-operate with other role players in the risk management process and provide
information as required.
23 All service providers are responsible for implementing risk management activities as provided in
their respective contracts entered into between them and the College.
i) Comply with all the terms and conditions specified in their respective contracts; and
ii) Inform their “contract managers” of new risk(s) and/or any significant changes to
known risks.
4. CHAPTER FOUR
ii) Additionally, in implementing the risk management process, the College adopts the ISO
31000:2009, as revised in 2018, model of Risk Management Process (see Figure 1
below). The guideline shall be put to use across the College to support Enterprise
Risk Management. This standard comprises a number of logical and distinct steps that
are necessary not only to establish the specifics of the risk but also to engage it in the
continuum of control and review.
* Source ISO AS/NZS 31000 - 2018 Risk Management - Principles and Guidelines
To apply the assessment and review continuum into the College context, the following
flowchart (see Figure 2 below) details the process.
Risk ownership is integral to its successful management and therefore, all risk creations and
reviews are to involve the areas or key individuals who will effectively manage and control
the risk exposure to the College throughout its life cycle. Relevant people will be involved in the
consultation process, and contribution to the various aspects of the process will be
encouraged and acknowledged.
ii) Internal context – the internal environment in which the organisation seeks to achieve
its objectives;
iii) Context of the risk management process – the objectives, strategies, scope and
parameters of the organisation should be established; and
iv) Defining the risk criteria – the College should define criteria to be used to evaluate
the significance of risk.
Figure 2: Flowchart details the Risk Management Process
Unrealistically assessed events, impacts or consequences undermine the validity and credibility of the
risk management process, and the process rapidly becomes irrelevant to the College’s business as
people disengage from it.
v) Other relevant knowledge, local or otherwise, to risk exposures that may also influence
College.
ii) Risk assessments undertaken within individual Departments and Units by key personnel on a
regular basis that are both supported by the Risk Management Coordinator and form part of
College’s Risk Registers (Strategic and Operational); and
iii) Key sector information derived from various sources including Ministerial Circulars and
Government Orders.
iv) In managing organisational risk, College will focus on the following major areas of risk
exposure:
Each risk that is identified shall be documented in a “Risk Identification Form” shown in Attachment
1. Each risk will have its own form, which will later be summarized into a Risk Register.
The College’s Risk owner and Champions shall undertake these assessments with the support of the Risk
Management Coordinator.
Risk assessments shall be undertaken using the risk assessment criteria matrices shown in Attachments
2, 3 & 4 for likelihood, impact and overall risks. The risk likelihood and impact will be rated on a
5-band rating scale while the overall risk rating will be on a 3-band scale as High, Medium or Low.
The output of risk assessment shall be documented in the risk register shown in Attachment 5. The risk
register shall be used to record, rate, monitor and report risks.
The key risks shall be presented in the Heat map shown in Attachment 6 with identification numbers and
recorded for risk treatment.
An assessment of risks should be carried out three times during the life of the risk:
Stage 1 - Inherent risk (Absolute) – the risk exposure prior to management controls being put
in place
Stage 2 - Managed risk – the risk exposure with the current level of management controls; and
Stage 3 - Residual risk – when no further controls are required and the level of residual risk is
tolerable.
1.6 Treatment
To control a risk, there is a need for it to be correctly and realistically analysed and evaluated to
determine the best option for risk removal or minimisation, with plans prepared and implemented to
rectify or mitigate any problem areas.
Risk control options (which are not necessarily mutually exclusive or appropriate in all
circumstances) include the following:
i) Avoid (also Terminate) the risk – avoid the identified risk by deciding not to proceed with
the activity likely to generate risk (where this is practicable);
ii) Risk Transfer (Share) – reducing exposure by transferring the risk to another party e.g.
contracting to a business that has the requisite qualifications and skills;
iii) Reduce the likelihood of occurrence through measures such as audit compliance programs,
contract conditions, preventative maintenance, engineering controls, inspections, process
policies and procedures; and
iv) Reduce the consequences through measures such as contingency planning, disaster recovery
plans, contractual arrangements, financial management controls and risk exposure
minimisation plans.
v) Retain (also Tolerate) the risk – accept the impact of the risk.
The outcome of the risk treatment process is a list of those risks requiring further treatment, as
determined by the overall level of the risk against the organisation’s risk tolerance levels. The Risk
Treatment Action Plans shall be developed and implemented as shown in Attachment 7.
1.7 Implementation
Risk Management across the College shall be implemented and managed through effective governance
controls including:
i) Monitoring of adherence to internal controls;
iv) Promoting adherence to this Policy and related Policies by all employees;
vii) Providing adequate funding for risk reduction initiatives in College’s budget; and
Risk controls in the Risk Treatment Plan shall be implemented under the supervision of risk owners
and control owners. The owner of a particular risk can be a control owner for the same risk as well as
for risks owned by others.
The progress of implementing the treatment plans will form part of the reporting structure of the Risk
Management Coordinator on an exception basis.
1.10 Monitoring
plans. Risk management is not a one-off exercise. Risks change over time. Monitoring is to consider if
there is anything that has happened which alters or changes the risks, causes, risk scores or actions
identified. It also ensures that action plans remain relevant, up-to-date and effective.
Monitoring of risk, with the support of the Risk Management Coordinator, will include, but not be
limited to:
i) on-going risk assessment and risk minimisation as part of standard management practice;
iii) advice and input into risk assessments of new College programs;
Risk management performance monitoring process will include statistical data evaluation, audit, and
performance assessment.
There shall be two half-year workshops to discuss the progress in implementing the risk register and
treatment plan. The best timing for these workshops will be towards the end of June and December.
i) Risk reporting will be compiled using the ‘Risk Management Quarterly Implementation
Report’ (see Attachment 8).
ii) All risk owners will, on a quarterly basis, prepare a risk management quarterly implementation
report and submit it to the Risk Management Coordinator.
iii) The Risk Management Coordinator will compile all reports and prepare a summarized report
on the overall College’s status on implementing risk treatment action plans on a quarterly basis.
Significant risk issues are to be reported directly to the attention of the Rector, Audit Committee
and College.
Governing Body: Report on High risks with existing control measures and
recommendations for further mitigation (Quarterly).
This is the oversight and review of the management system and of any changes that might affect it. Reviewing
occurs concurrently throughout the risk management process.
i) The risk management framework shall also be subject to audit on an annual/bi-annual basis.
ii) Audit may be conducted by internal audit or an external party, with the following objectives:
   To review the structure and key elements of the Risk Management Framework and
   provide assurance that they are all working as intended;
   To review the extent to which material risks are being managed within the Risk
   Appetite of the College;
   To review the adequacy of Risk Reporting;
   To review the implementation or application of key risk controls and the
   implementation of key risk treatment strategies;
   To review the adequacy of risk management resourcing and the performance of
   key risk management personnel;
   To confirm that material changes to the Risk Management Framework have been
   approved by the Board and noted by Internal and External Audit.
iii) The Audit Committee’s recommendation is submitted to the Governing Body for consideration.
iv) If revisions are recommended and approved, a copy of the revised policy is widely distributed
to all Heads of Departments by the Team Secretariat.
1.13 Training
College regards training as being critical to the success of its risk management strategy. This means
that appropriate staff and members identifies for training and that those individuals receive training
that is appropriate to the type of responsibilities that they hold. Risk Champions play a vital role
within departments/section/units and aid in the identification of training needs. The extent of the
training provided shall be reported to the Management and Audit Committee periodically.
1.14 Attachments
This Policy is supported by detailed attachments that further define graphically the methods and process
of risk management.
The attachments are:
Overview
Risk Area | Provide department/unit/section affected by this risk
Risk | Provide a brief description of the risk
Principal risk owner | Include title of the person managing the risk and the area where the risk falls
Supporting owner(s) | Provide title of other persons affected by the risk
Risk Category | Is it financial, technical, etc.
Objective/plan | List the objective impacted by the risk
Details
Contributing Factors (Causes): Provide the causes that may lead to the risk materializing
Outcomes (Consequences): Provide a description of what will happen if the risk materializes
6.
RATING | LIKELIHOOD | RATING CRITERIA
1 | RARE | Event occurring once after 5 years
2 | UNLIKELY | Event occurring once after 3 years
3 | POSSIBLE | Event occurring once after 1 year
4 | LIKELY | Event occurring once after 6 months
5 | ALMOST CERTAIN | Event already occurring or occurring once within 6 months
intervention
4 MAJOR | Objective not achieved between 16% to 25% | Hospitalisation of more than 2 days, or long term injury or disability | Financial loss of TZS up to 3% of the Budget or 5M – 10M | Long-term detrimental environmental or social impact | Reputation of College severely affected in the long-term. | Non delivery of service related to education, social services etc that affect one strategic objective for more than a week | Completion delay of up to 10% of time
5 CATASTROPHIC | Objective not achieved by more than 25% | Single or multiple fatalities | Financial loss of TZS greater than 3% of Budget or >10M | Long-term environmental or social impact on community | Government intervention required | Non delivery of service of education, social services etc that affect three or more for more than a month | Completion delay of up to 20% of time
Impact/Consequences: Insignificant | Minor | Moderate | Major | Severe
Likelihood/Probability: Almost certain | Likely | Possible | Unlikely | Rare
Attachment 6 – SAMPLE OF RISK REGISTER TEMPLATE
Risk ID | Link to College Strategic Objective | Risk Category (Is it an Operational, financial, technical, Strategic, Compliance, Political, etc.) | Risk Description | Risk Owner | GPR | GIR | GRS | Assessment Frequency (Monthly, Quarterly, Semi-Annually, Annually, Adhoc) | Key Risk Indicator | Threshold/Tolerance Level | Assessment Frequency (Monthly, Quarterly, Semi-Annually, Annually, Adhoc)
Risk ID | Risk Description | Risk Owner | Root Cause | Controls | Control Owner | Key Control Indicator (KCIs) | Assessment Frequency (Monthly, Quarterly, Semi-Annually, Annually, Adhoc) | Target Date
Sub-total(A)
Sub-total(B)
C: Internal Audit Grid: Assesses compliance with the existing internal control systems(0.2)
Audit process | Audit query | Audit recommendation | Rating | Maximum rating | Score
Sub-total(C)
Grand Score(A+B+C)
This RMPI will be an integral part of the Performance Management System.
Attachment 9: SAMPLE OF RISK TREATMENT QUARTERLY IMPLEMENTATION REPORT
Department/Unit: ..................................................................................................................................
Risk Management Quarterly Implementation Report for the Quarter Ending.........................................
Prepared by: ....................................... Date: ......................................................
Risk title & ID (From Risk Register in priority order) | Proposed Treatment/Control Options (From Risk Identification Sheet) | Control Owner (as in the risk identification sheet) | Target Date (Give specific start and end dates) | Status of Implementation (completed, on-going, not done) | Remarks and/or Comments