07 OK2SF 07 Risk Management Imp. Gui. OK2SF CRD 017
OMO KURAZ SUGAR FACTORY II (ኦሞ ኩራዝ ሁለት ስኳር ፋብሪካ)
Document No.: OK2SF-CRD-XXX
Document Title: Risk Management Implementation Guidelines
Issue No.: 1
Page No.: 1 of 16
ISSUE HISTORY
Issue | Description of change | Originator                | Effective Date
1     | Initial release       | Management Representative |
REFERENCE DOCUMENTS
Document Number | Document Title
ISO 9001:2015   |
ISO 9000:2015   |
CONTENTS                                   PAGE
OA  ISSUE HISTORY ............................ 1
OB  REFERENCE DOCUMENTS ...................... 1
OC  CONTENTS ................................. 1
    Risk Management Guidelines ............... 2
1   PURPOSE .................................. 2
2   SCOPE .................................... 2
3   INVOLVED ................................. 2
4   DEFINITIONS .............................. 2
4.1 RISK ..................................... 2
5   CRITERION ................................ 3
5.1 THE RISK MANAGEMENT PROCESS .............. 3
7   DIFFUSIONS ............................... 20
PLEASE MAKE SURE THAT THIS IS THE CORRECT ISSUE BEFORE USE
RISK MANAGEMENT GUIDELINES
1 PURPOSE
2 SCOPE
These guidelines are prepared to describe the risk management process and the methodology that will be applied to
conduct the operational risk reviews across the Organization. The guidelines are based on the Organization's risk policy
and strategy, with the approach taken from the experience of other countries that have already implemented a risk
management system. These guidelines are a draft and will be developed further as we learn from our practical
experience of operational risk reviews.
3 INVOLVED
4 DEFINITIONS
4.1 Risk
Risk is the chance of something happening that will have an impact upon objectives. Risk is the chance or possibility of
loss, damage or injury or failure to achieve objectives caused by an unwanted or uncertain action or event.
4.2 Risk Management
Risk management is the planned and systematic approach to the identification, evaluation and control of risk.
4.3 Strategic Risk
Strategic risks are the risks that need to be taken into account in judgments about the medium to long-term goals and
objectives of the Organization.
4.4 Operational Risk
Operational risks are the risks that managers and staff will encounter and deal with in the daily course of their work.
4.5 Risk Measurement
Risk is measured in terms of consequences and likelihood.
4.6 Gross Risk
Gross risk, or inherent risk, is the status of the risk without taking account of any risk management activities that the
business unit may already have in place. Gross risk is the assessed likelihood and impact of an event in the absence of
any controls.
4.7 Net Risk
Net risk, or residual risk, is the status of the risk after taking account of any risk management activities that the
business unit may have in place. Net risk is a reassessment of the gross risk taking into account existing controls, which
may reduce the likelihood or impact of an event.
5 CRITERION
5.1 The Risk Management Process
The Risk Management Process steps are described as follows:
5.1.1 Risk Identification
This means identifying the service/operation's exposure to uncertainty by determining what can happen, why and how.
The aim will be to produce a comprehensive list of events that might affect the service/operation. Risk identification
will be approached in a methodical way to ensure that all significant activities within the service/operational unit have
been identified and all the risks flowing from these activities are defined.
The key elements for the identification and recording of operational risks are:
- Division of the organization into Operational Units
- Setting Objectives
- Categorization of Risks
- Assigning Risk Owners
The risks are identified by breaking down each of the Organization's Services into a number of "Operational units". The
risks identified for each "Operational unit" will be recorded and described in a Risk Register. The Risk Register will be
compiled and maintained.
It is important that proper emphasis is given to the identification of Service / Operational Unit objectives and that a clear
link is made between objectives and risks. Accordingly, each identified risk will relate to a specific objective, which in
turn is linked to the Organization's Corporate Plan.
Strategic and operational risks will also be categorized as defined below in the risk management methodology.
Responsibility for managing risk needs to be spread across those responsible for managing the different business
activities. Risks cannot be effectively managed unless they are owned. Accordingly, each risk identified and recorded in
the risk register will have a risk owner. Each risk owner will ultimately be responsible for risk action plans and
correcting control weaknesses.
The risk identification should consider not only risks to cost, time and product quality but also understand and identify
the risks associated with:
- Technological trends
- Availability of resources
- The capabilities needed to realize objectives
- Security
- Professional liability
- Information technology
- Environment, etc.
Answering the following questions identifies the risk:
- What can happen?
- When and where can it happen?
- How and why does it occur, and what existing controls are in place?

Risk Register: You should document all identified risks in a Risk Register.
5.1.2 Risk Analysis
The first stage in risk analysis is to determine the "gross risk", which is the combined likelihood and impact of an event in the
absence of any controls or mitigations.
The second stage is to identify and record those controls or mitigations that have been put in place to reduce the
likelihood or impact of an event, resulting in an assessment of the "net risk". The combination of likelihood and
consequence will determine the position of each risk in a risk matrix or risk profile.
The result of the risk analysis process for each business unit or service will be a risk profile, presenting risks in a 6 x 4
matrix that highlights the most significant risks, which need to be addressed. As an example, a simplistic risk
profile is shown below, using High / Medium / Low indicators to prioritize risks.

[Risk profile chart: Likelihood (rows) against Impact 1 to 4 (columns); only the axis labels survive in this copy]

HIGH: Those risks falling in the top right-hand corner are significant, and immediate or urgent action needs to be
taken to reduce exposure.
MEDIUM: The risks falling in the top left and bottom right quarters are medium and under control, but need to be
kept under managerial and audit review.
LOW: The risks falling in the bottom left quarter are likely to be managed by routine procedures or are trivial
and unlikely to need any specific application of resources.
The qualitative measures of consequence and likelihood which will be applied in the conduct of the Organization's
operational risk assessments are detailed below in the risk management methodology, along with the risk profile and
priority parameters set up.
5.1.3 Risk Evaluation
This step is about deciding whether risks are acceptable or unacceptable.
Risk evaluation is the process used to determine risk management priorities by comparing the level of risk against the
risk appetite or tolerance to decide whether risks are acceptable or unacceptable. Each business unit or service will
determine its own tolerance line, which defines the appetite for risk and indicates whether each specific risk should be
accepted or treated. An example is shown in the following chart.
5.1.3.1 Risk Matrix / Profile
[Risk matrix chart: Impact against Likelihood 1 to 4, showing the tolerance line; the chart is not reproduced in this copy]
Where a risk is accepted it will still be subject to periodic review to ensure that changing circumstances do not alter its
priority level.
Risks in the red area above the tolerance line are not considered acceptable. The risk can be terminated or avoided by
not proceeding with the activity likely to generate risk.
Risk Categories
1  Political      Those associated with a failure to deliver either local or central government policy or failure to meet
                  commitments.
2  Economic       Those affecting the ability of the organization to meet its financial commitments.
3  Social         Those relating to the effects of changes in socio-economic trends on the organization's ability to
                  deliver its objectives.
4  Technological  Those associated with the capacity of the organization to deal with the pace/scale of technological
                  change, or its ability to use technology to address changing demands. They may also include the
                  consequences of internal technological failures on the organization's ability to deliver its objectives,
                  and those relating to a reliance on operational equipment (for example, IT systems or equipment and
                  machinery).
5  Environmental  Those relating to the environmental consequences of progressing the organization's strategic
                  objectives (for example in terms of energy efficiency, pollution, recycling, emissions etc.), and those
                  relating to pollution, noise or the energy efficiency of ongoing service operations.
6  Legislative    Those associated with current or potential changes in national or international law.
7  Competitive    Those affecting the competitiveness of the service and/or its ability to deliver best value.
8  Contractual    Those associated with the failure of contractors to deliver services or products to the agreed cost and
                  specification.
9  Stakeholder    Those associated with the failure to meet the current and changing needs and expectations of
                  customers, citizens and staff.
11 Financial      Those associated with financial planning and control and the adequacy of insurance cover.
13 Physical       Those related to fire, security, accident prevention and health and safety (for example, hazards /
                  risks associated with buildings, vehicles, plant and equipment etc.).
Impact scale (only the top level is legible in this copy)
4  Catastrophic          Disastrous. A great and sudden disaster, an accident or event causing great grief or destruction.

Likelihood scale (levels 3 and 5 are not legible in this copy)
6  Very High             Almost certain / inevitable: is expected to occur in most circumstances. Will occur once a
                         year or more frequently.
4  Medium / Significant  Possible: quite likely to occur some time.
2  Very Low              Remote: not much chance that this would happen.
1  Almost Impossible     Very rare: very little chance and only in exceptional circumstances. Have never known of
                         this to happen.
The following impact and likelihood examples may be used to facilitate the assessment of risks at section / service level.
5.4.3 Likelihood – Examples
Probability | Timing
[the body of the likelihood examples table is not legible in this copy]

Impact – Examples
Area              | 1 (Negligible)                    | 2 (Marginal)                                 | 3 (Critical)                            | 4 (Catastrophic)
Health and Safety | First aid                         | Broken bones / illness                       | Loss of life / serious illness          | Major loss of life / large-scale outbreak of serious illness
Objectives        | Objectives of one section not met | Objectives of one service/department not met | Objectives at operational level not met | Organizational level objectives not met
By combining these assessments of likelihood and consequence, the risks can be prioritized as follows:
5.4.5 Risk Priorities
Impact       | Likelihood  | Score | Priority
Negligible   | Low         | 3     | VL
Negligible   | Significant | 5     | L
Negligible   | High        | 6     | L
Marginal     | Low         | 9     | L
Marginal     | Significant | 11    | M
Marginal     | High        | 12    | M
Critical     | Low         | 15    | M
Critical     | Significant | 17    | H
Critical     | High        | 18    | H
Catastrophic | Low         | 21    | H
Catastrophic | Significant | 22    | C
Catastrophic | High        | 23    | C

Score matrix (rows: Likelihood; columns: Impact 1 to 4)
Likelihood 5 |  6 | 12 | 18 | 23
Likelihood 4 |  5 | 11 | 17 | 22
Likelihood 3 |  3 |  9 | 15 | 21
Likelihood 2 |  2 |  8 | 14 | 20
Likelihood 1 |  1 |  4 | 10 | 16
Impact       |  1 |  2 |  3 |  4

Priority bands (the H and C bands are not legible in this copy)
10 - 15 | M  | Medium Risk - under control, but keep under managerial / audit review.
4 - 9   | L  | Low Risk - easily and effectively managed by routine operating procedures.
1 - 3   | VL | Very Low Risk - trivial and unlikely to require any specific application of resources. Common sense.
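As an added worked example (not from the guideline or the factory's own tooling), the following Python carries a small risk register through the analysis and evaluation steps above: gross rating, net rating after existing controls, score and priority from the 5.4.5 tables, and the accept/treat decision against a tolerance line. The register entries, the control reductions, the tolerance score of 9 and the H/C band cut-offs are constructed assumptions.

```python
from dataclasses import dataclass, field

# Score matrix as printed in 5.4.5: rows are likelihood 1-5, columns impact 1-4. The page
# calls it a 6 x 4 matrix; the likelihood-6 row is not legible here, so it is omitted.
SCORE_MATRIX = {5: (6, 12, 18, 23), 4: (5, 11, 17, 22), 3: (3, 9, 15, 21),
                2: (2, 8, 14, 20), 1: (1, 4, 10, 16)}
# Priority bands: VL/L/M cut-offs as printed; the H and C cut-offs are an assumption
# consistent with the priorities table (17, 18, 21 -> H; 22, 23 -> C).
BANDS = ((3, "VL"), (9, "L"), (15, "M"), (21, "H"))
def risk_score(likelihood, impact):
    """Score for a (likelihood, impact) pair; ratings off the matrix are rejected."""
    if likelihood not in SCORE_MATRIX or impact not in (1, 2, 3, 4):
        raise ValueError(f"off-matrix rating: likelihood={likelihood}, impact={impact}")
    return SCORE_MATRIX[likelihood][impact - 1]
def priority(score):
    """Map a score to VL / L / M / H / C."""
    return next((label for upper, label in BANDS if score <= upper), "C")

@dataclass
class Risk:
    ref: str
    description: str
    owner: str                  # every register entry must have a risk owner
    gross_likelihood: int       # rating in the absence of any controls
    gross_impact: int
    # existing controls as (name, likelihood steps removed, impact steps removed)
    controls: list = field(default_factory=list)

    def net_rating(self):
        """Net (residual) rating: gross rating less existing controls, floored at 1."""
        lk = self.gross_likelihood - sum(c[1] for c in self.controls)
        im = self.gross_impact - sum(c[2] for c in self.controls)
        return max(1, lk), max(1, im)

def evaluate(risk, tolerance_score):
    """Gross and net scores plus the accept/treat decision against the tolerance line."""
    gross = risk_score(risk.gross_likelihood, risk.gross_impact)
    net = risk_score(*risk.net_rating())
    return {"ref": risk.ref, "gross": (gross, priority(gross)), "net": (net, priority(net)),
            "decision": "accept" if net <= tolerance_score else "treat"}

# Constructed register entries (not from the guideline); the tolerance line is set at score 9.
SAMPLE_REGISTER = [
    Risk("OR-01", "Mill drive failure halts crushing", "Factory RM realization team", 4, 3,
         [("Preventive maintenance schedule", 1, 0), ("Spare drive held in store", 0, 1)]),
    Risk("OR-02", "Rainy-season flooding of irrigation canals", "Irrigation & Civil team", 5, 4),
]
def risk_profile(register=SAMPLE_REGISTER, tolerance_score=9):
    """Risk profile for a register: one evaluation per entry, highest net score first."""
    return sorted((evaluate(r, tolerance_score) for r in register), key=lambda e: -e["net"][0])
```

Each accepted risk still stays in the register for periodic review, as 5.1.3 requires; only the decision field changes when a later reassessment moves its net score.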
The risk reviews will apply the risk management process and methodology set out in these guidelines. It is envisaged
that this will involve risk identification and assessment training at operational level, similar to the training conducted
in December 2007 for the management group.
Thereafter, the objective will be to put in place operational risk management planning and control arrangements at Service
level.
Internal audit will incorporate risk assessment in the audit planning process and will adopt a risk-based approach to
audit work where appropriate.
5.6.2 Risk Review Timetable
Ref. | Service                  | 2007/2008: Feb Mar April May June July Aug Sep Oct Nov Dec | 2009: Jan Feb
100  | General Manager's Office |
101  | Internal Audit Service   |
103  | QMS                      |
302  | FEMD                     |
[the scheduled months for each service are not legible in this copy]
[Organization chart of the risk management (RM) realization structure, reconstructed as a list]
Management Representative
  RM realization ad hoc committee
    Plantation RM realization team
    Procurement RM realization team
    Finance RM realization team
    Agricultural Expansion Project RM realization team
    Factory RM realization team
    Estate Service RM realization team
    Human resource management RM realization team
    LPCD RM realization team
    Inventory RM realization team
    Factory Expansion Project RM realization team
    Other services RM realization team
    Harvesting RM realization team
    Irrigation & Civil RM realization team
6.1 Responsibilities
6.1.1 Responsibilities of the Risk Management Steering Committee
- Plan and determine the scope of the Risk Management
- Identify the basis upon which risks will be evaluated
- Approve the Risk Management Policy
- Assign a chairman to the Risk Management Realization Team
- Review and approve the Risk Response Plan
- Allocate budget on request
- Assign Risk Management Auditors
- Follow up the implementation progress
- Ensure audits and reviews are undertaken
7 DIFFUSIONS
- General Manager
- Management team members
- All Department and Service Heads
Approval:
Name:           Signature:           Date: