Preface
The University's Risk Policy sets out the University's approach to risk and its
management together with the means for identifying, analysing and managing risk
in order to minimise its frequency and impact.
The risks considered significant to the ability of UWE to achieve its objectives are
set out in the Corporate section of the Risk Register, which incorporates actions for
dealing with those risks.
Table of Contents
Introduction and Implementation of Risk Management
Risk Policy
Aims of the Policy
Approach to Risk Management
Roles and Responsibilities
Risk Management
Reporting Framework
Risk and Internal Control
Annual Review of Effectiveness
Introduction
Risk is present throughout an organisation, in its buildings, equipment, policies, systems, processes, staff,
students and visitors. The University recognises that the management of risk is vital to good management
practice. It must be an integral part of all the functions and activities of an organisation.
The purpose of the University's Risk Policy is to develop a consistent approach towards risk across the
institution and outline processes for recognising, analysing and dealing with risks as well as assuring the
effectiveness of the identified processes.
The Risk Policy is designed to enable UWE to minimise the frequency and effect of adverse incidents arising
from risks and to identify improvements in procedures and service delivery in order to ensure the efficient
and effective use of public funds.
The management of risks includes the culture, processes and organisational structures, which contribute to
the effective management of potential opportunities, threats and adverse incidents.
Overall responsibility for risk management within UWE lies with the Vice-Chancellor, with responsibility for
implementation delegated to the Deputy Vice-Chancellor (Operations).
The University's Memorandum of Understanding with the Funding Council requires governing bodies to take
reasonable steps to ensure that there are sound arrangements for risk management, control and
governance, and for economy, efficiency and effectiveness (value for money), within the HEI.
The Audit Committee is a committee of the Board of Governors and has responsibility for assessing the
effectiveness of risk management.
The Audit Committee reports on the arrangements for risk management to the Board of Governors.
Risk Policy
1. Aims of the Policy
1.2 To document the roles and responsibilities of the Board of Governors, the Vice-Chancellor's
Executive and other key committees and individuals;
2.1.1 Threat - An uncertain event which if it was to occur would have a material negative
effect on the likelihood of achieving University, Faculty, Service or project objectives.
2.1.2 Opportunity - An uncertain event which if it was to occur would have a favourable
and advantageous effect on the likelihood of achieving University, Faculty, Service
or project objectives.
2.2.2 Faculty & Professional Service/Operational - risks that are predominantly related to
the operation of specific areas of the University;
2.2.3 Project/programme - risks associated with independent and, usually, time limited
activities.
2.3 The University accepts that total elimination of risk is neither desirable nor achievable. It
expects managers to take all reasonable steps to mitigate risk. The level of risk accepted
should be commensurate with the expected reward. In overall terms it is looking to achieve
a balanced risk portfolio at the University level with net risk averaging out at medium using
the scoring system illustrated within section 5.
2.4 The following key principles outline the University's approach to risk and internal control:
2.4.1 the Board of Governors has responsibility for overseeing risk management within
the University as a whole;
2.4.2 the approach adopted to identifying and mitigating risk is an open one, receptive to
input from all Governors and staff at all levels;
2.4.4 the University makes conservative and prudent recognition and disclosure of the
financial and non-financial implications of risks;
2.4.6 risks will be identified through the academic and executive Governance structures
and will be managed at a variety of different levels of the University;
2.4.7 the University will adopt standard reporting processes and frameworks.
3. Roles and Responsibilities
3.2 Through approving the Risk Policy the Board of Governors sets the tone and influences the
culture of risk management within the University. This includes determining:
3.2.1 whether the University is risk taking or risk averse as a whole or on any relevant
issue;
3.2.3 what types of risk are acceptable and which are not;
3.2.4 the standards and expectations of staff with respect to conduct and probity in
relation to risk management;
3.3.1 determining the appropriate level of risk exposure for the University;
3.3.4 assuring itself that risks identified across the University are being actively managed,
with appropriate controls in place which are working effectively;
3.3.5 biennially review the University's Risk Policy to ensure it remains fit for purpose.
3.4.1 maintain risk registers for which they are responsible;
3.4.2 implement policies on risk management within the areas for which they are
responsible;
3.4.3 through the Vice-Chancellor's Executive Group, identify and evaluate the significant
risks faced by the University for consideration by the Board of Governors;
3.4.4 provide adequate information in a timely manner to the Board of Governors and its
committees on the status of risks and controls;
3.4.5 undertake an annual review of the effectiveness of the system of internal control and
provide a report to the Audit Committee;
3.5 The Vice-Chancellor has delegated day to day responsibility for risk management to the
Deputy Vice-Chancellor (Operations).
4. Risk Management
4.1 The objective of risk management is to actively support the achievement of the University's
agreed objectives and not simply to avoid risk.
4.2 Control of risks generates direct costs and opportunity costs. Risk management involves
determining the acceptable level of exposure to risk which enables the achievement of
University objectives whilst achieving a balance between the level of risk exposure and the
cost of mitigating actions. Risk management is a process which provides assurance that:
4.2.1 objectives at all levels are more likely to be achieved;
5. Reporting Framework
5.1 The University uses a single SharePoint based Risk Register which delivers a consistent
format whilst allowing for different views of the information.
5.2 Risks will be categorised as preventable, strategic or external. The category of risk will assist
in determining the appropriate method of managing the risk.
5.3 Risks will be assessed using two elements: impact of the risk occurring and the probability of
occurrence. Each element will be assessed on a 5 point scale.
5.4 The impact of a risk occurring is likely to affect the cost, quality or the timeliness of the
activity. The impact of a risk will be determined by the highest score received on the
matrix below.
Score 4
- Cost: Financial implications of the risk are high (25% - <50% of the budget or Faculty/Service
turnover). It is not possible to meet the cost within the approved budget and further
funding would be required.
- Quality: The impact on quality is high. Risk occurring would significantly detract from the
original desired quality of the outcomes and may reduce the viability of the activity as
outcomes require revision.
- Timeliness: The impact is high. Timescales greatly extended. Outcomes may be later than
required in order to obtain maximum benefit.
Score 5
- Cost: The impact on finance is critical (>50% of the budget or Faculty/Service turnover).
Increased cost would negate benefits of activity and may destabilise the reporting unit.
- Quality: The impact on quality is critical. Risk occurring would reduce quality of desired
outcomes to such an extent that it negates benefits of activity.
- Timeliness: The impact is critical. Extended timescales mean that outcomes would be too
late and negate benefits of activity.
5.5 Members of the Vice-Chancellor's Executive and Project Sponsors are responsible for
determining the impact of the risks for which they are responsible, using the framework
provided in 5.4 as a guide.
5.6 The assessment of the probability of a risk occurring is standard across the University:
5.7 Risks will be scored before and after mitigating actions and at each point of scoring the total
risk will be the multiple of the two elemental scores:
                       Impact
Probability     1     2     3     4     5
     5          5    10    15    20    25
     4          4     8    12    16    20
     3          3     6     9    12    15
     2          2     4     6     8    10
     1          1     2     3     4     5
5.8 Mitigating actions are controls and actions taken to reduce the likelihood of a risk occurring,
or to limit the impact of the risk. Risk exposure is the net risk after all mitigating actions or
factors have been taken into account.
5.9.1 the deadline for mitigating actions to be implemented (or embedded) by;
5.9.2 leading edge indicators which may signal that a risk is increasing or decreasing in
response to mitigating actions;
5.9.3 assurance mapping so that Managers can demonstrate that mitigating actions are
both being implemented as designed and delivering the desired effect. The
assurance mapping can be used to further test the assumptions of risk owners.
6.1 The system of internal control is designed to manage and mitigate rather than eliminate the
risk of failure to achieve policies, aims and objectives. It is based on an ongoing process to
identify the principal risks to their achievement, to evaluate the nature and extent of those
risks and to manage them efficiently, effectively and economically.
6.2 Related to significant risks are policies that among other things form part of the internal
control process. The policies are approved by the Board of Governors and implemented by
the Vice-Chancellor's Executive.
6.3 Risk Management is addressed on a University-wide basis but individual Faculties, and
Professional Services have an essential role in the identification, assessment, on-going
monitoring and mitigation of risks. Faculty and Professional Service planning documents
should identify mitigating actions that will be taken to reduce significant risks. In some
cases, individual risks will be formally owned by a Faculty or Professional Service where the
function concerned lies wholly or mainly within its remit.
6.4 Reporting arrangements through senior line management are designed to monitor key risks
and their controls. Decisions to rectify problems are made by the member of the Vice-Chancellor's
Executive with responsibility for the risk, with reference to other staff and University
committees and the Board of Governors as and where appropriate to do so.
6.5 The strategic planning and annual budgeting process is used to set key objectives in support
of the 2020 work streams and enablers, agree action plans and allocate resources. Targets
contained in the Faculty and Professional Service planning documents provide mitigating
actions which are explicitly linked to risks faced by the University. The annual estimates
(macro budget) presented to the Board of Governors contain an analysis of risks inherent in
them and how these are mitigated.
6.6 Risks associated with major University projects will be managed through the appropriate
project boards adopting project management methodologies such as PRINCE2 and have a
distinct section within the risk management procedures document (see page 13).
6.7 The Corporate section of the Risk Register is compiled by the Vice-Chancellor's Executive
and reported to the Audit Committee to help facilitate the identification, assessment and
monitoring of risks of significant importance to the University. The document is normally
discussed monthly by the Vice-Chancellor's Executive Group and presented to each
meeting of the Audit Committee. Emerging risks are added as required, and improvement
actions and risk indicators are monitored on an ongoing basis through line management
structures.
6.8 Audit Committee is required to report to the Board of Governors on internal controls and
alert it to any emerging issues. The Audit Committee oversees internal audit, external audit
and management as required in its review of internal controls. The Committee has
responsibility, delegated by the Board of Governors, for governor oversight of risk
assurance, ensuring that the Risk Policy is appropriately applied. It directly monitors the
management of the most significant risks to the University, as recorded in the Corporate
Section of the Risk Register.
6.9 Internal audit is an important element of the internal control process. In addition to its
programme of probity and value for money work, internal audit is responsible for aspects of
the annual review of the effectiveness of internal control systems. The internal audit plan is
guided by, but not limited to, the assessment of risks identified through the University's risk
management procedures.
6.10 External Audit provides feedback to the Audit Committee on the operation of internal
financial controls reviewed as part of the annual audit.
7.1 The Audit Committee is responsible for reviewing the effectiveness of internal control of the
institution, based on information provided by auditors, senior management and the Director
of Finance.
7.2 For each significant risk identified, the Audit Committee will:
7.2.1 review the previous year and examine the institution's track record on risk
management and internal control;
7.2.2 consider the internal and external risk profile of the coming year and consider if
current internal control arrangements are likely to be effective.
7.4 The Vice-Chancellor's Executive prepares a report of its review of the effectiveness of the
internal control system annually for consideration by the Audit Committee, normally as part
of the returns submitted to HEFCE in the autumn/winter.
8.1 The University's risk management procedures are approved by the Vice-Chancellor's
Executive Group. Recognising the different types of risk, the procedures are split into two
sections:
- Preventable risks represent the majority of risks faced by the University; they
originate internally from failure to ensure or prevent particular behaviours. There is
rarely, if ever, a benefit to the University of tolerating a preventable risk. Preventable
risks should be mitigated against using a rules or process approach to promote or
prohibit behaviours. Failure to manage these risks might feasibly lead to loss of
reputation or even prosecution. Examples of preventable risk include fraud or failure
to follow process.
- Strategic risks are more acceptable and recognise that pursuing one strategic
direction over another incurs risks (including opportunity risks). These risks should
be managed through reducing the probability of the risk materialising or managing or
containing the impact should it occur. In order to test the assumptions, strategic risks
require greater levels of discussion and challenge than preventable risks.
- External risks may be foreseeable by the University, but are outside of its control.
These risks should be managed through identifying and assessing the foreseeable
risks and planning how the impact could be mitigated should they occur. They can
be difficult to spot and as a result often fall into the "black swan" category and
encompass natural or economic disasters, geopolitical or environmental changes or
strong moves by competitor organisations. Scenario planning based on the
outcomes of a PESTLE analysis or even assigning staff to consider the University's
vulnerability to disruptive technologies or competitors can also help to identify
external risks. An example of an external risk would be a change to legislation on, or
regulation of, student visas.
8.3 The University maintains a single risk register. The register records all non-project risks.
8.4 Each Faculty and Service is required on a monthly basis to detail what they consider to be
key risks, their gross score (pre mitigation), mitigating actions and the net risk score (post
mitigation) on the risk register.
8.5 All risks must be specific (i.e. what it is a risk in relation to) and provide mitigating actions,
a date by which they will be implemented (or become embedded within core activities)
and who is responsible for managing the risk. They must also indicate lead indicators, a
change to which might signal a positive or negative movement in the University's exposure to a
particular risk.
8.6 Where the risk, mitigating actions or the assurance of mitigating actions has not changed,
Faculties and Services are required to indicate that they have reviewed the risk by entering
the date of review. When reviewing risks they are responsible for, a commentary should be
provided on the level of assurance that can be taken in the mitigating actions in that they are
being implemented and are also effective.
8.7 The Head of Service or Executive Dean is responsible for the Faculty/Service section of the
risk register but may delegate the maintenance of the register to another member of the
management team.
8.8 Where appropriate, risks identified by Faculties and Services should be mapped to the
workstreams and enablers supporting the 2020 Strategy or the Faculty Business Plan.
8.9 From the review of risks identified by Faculties and Services and their own horizon scanning,
members of the Vice-Chancellor's Executive, or their nominee, are responsible for updating
relevant risks in the corporate section of the Risk Register at each meeting.
8.10 The Deputy Vice-Chancellor (Operations) is responsible for presenting the Corporate section
of the Risk Register to the Vice-Chancellor's Executive for review, and based on an analysis
of the risk profile illustrated by the whole Risk Register, will identify where additional
thematic discussion of risks and their management is necessary.
8.11 The Corporate section of the Risk Register will be provided to each meeting of the Board of
Governors' Audit Committee for monitoring purposes and may allow for discussion of the risk
management practices employed by an individual Faculty or Service.
Process Overview
Stage 1
Faculties/Services identify risks to their objectives and successful operation as well as the
appropriate mitigating actions and the assurance that can be taken in those actions.
Identified risks aligned to headings of the University's Strategic Plan.
Stage 2
Executive Groups or Academic Board Committees review risks identified under the corporate
headings delegated to them by the Vice-Chancellor's Executive.
Using the information from Faculties/Service, combined with knowledge of the external context,
each member of the Vice-Chancellor's Executive (or nominee) updates risks under the headings
of the corporate section of the risk register for which they are responsible.
Stage 3
Vice-Chancellor's Executive review the Corporate section of the Risk Register on a monthly
basis to monitor management of risks and determine any ancillary actions required to manage
identified risks.
From the accompanying analysis of the whole register Vice-Chancellor's Executive determine
where further thematic discussion or additional resources may be required.
Stage 4
Corporate section of the Risk Register provided to each Board of Governors Audit Committee for
monitoring.
Audit Committee report to the Board of Governors on Risk Management at the University.
Version 0.4
The source of this printed document can be found in the Transformation Services Documents in
SharePoint.
Version History
Revision Date   Version Number   Summary of Changes      Changes Marked
22/12/11        0.1              Initial Draft           N
4/01/12         0.2              2.4.4 & 3.2             N
1/02/12         0.3              Figure 1 & Appendix A   N
6/06/13         0.4              Updated refs to PMO
Reviewed by
This document (or its component parts) has been reviewed by the following:
Approvals
This document requires the following approvals:
Distribution
This document has been distributed to:
Contents
Section Heading
1 Purpose of Document
1.1 Introduction
1.2 Scope Inclusions
1.3 Scope Exclusions
1.4 Ownership
1. Purpose of Document
1.1 Introduction
The purpose of this document is to provide a consistent process for the management of
risks for all Projects and Programmes[1] within UWE. This document defines Risk
Management in respect of the standards, processes and procedures to be employed in the
identification, analysis, quantification, mitigation, escalation and documentation of risks.
Programme Risks. Risks that cannot be managed at the project level or affect
multiple projects within a programme
Project Board Risks. Risks that are either of a strategic nature, have a major
impact on service operations or project milestones, or require senior stakeholder
direction or action.
The scope of this document excludes the management of corporate strategic and
operational risks which is detailed in the corporate Risk Policy and Risk Management
Procedures at http://www1.uwe.ac.uk/aboutus/policies
1.4 Ownership
The Project Risk Management Strategy is owned and controlled by Transformation Services.
The aim of risk management is to improve the likelihood of the organisation, programme or
project achieving its stated objectives and safeguarding assets and investments.
- Focus the Project Board and senior management on the major risks that threaten
Project delivery and objectives.
- Provide a clear picture of the major risks facing the Project, their nature, potential
impact and their likelihood.
- Establish a shared and unambiguous understanding of what risks will be tolerated
- Actively involve all those responsible for the planning and delivery of Project key
deliverables objectives and benefits.
- Embed risk awareness and management in planning and decision-making
processes
- Clarify and establish roles, responsibilities and processes
- Enable and empower managers to manage those risks in their area of responsibility
[1] Programme in this context is a group of projects and/or related activities which are designed to deliver a strategic
benefit to the organisation
- Include regular risk monitoring and review of the effectiveness of internal control
Whilst Risks will occur from various diverse routes, it is essential that the standards
for assessing the probability and impact of occurrence of each Risk should be
subject to the same criteria across the whole Project. This will allow the Risks to be
managed consistently, at the appropriate level and given the appropriate attention
and visibility.
Impact - The level of impact on objectives and business service that would
arise should the risk materialise
Proximity - This is when the risk is likely to occur and assists with
prioritisation and urgency associated with managing risks.
The scores and associated descriptions are shown in the tables below.
The Risk Owner allocates a score based on the severity of the impact assessment,
see Table 1
Table 1 Levels of Risk Impact
** The amount of risk which is judged to be tolerable is the risk tolerance and is the maximum overall
exposure to risk that should be accepted based upon the benefits and costs involved. This level will
be determined on a Project by Project basis by the respective Boards and will be influenced by the
scale (time, cost, benefits) and complexity of each Project
This allows an assessment of the probability that the risk will materialise. The Risk
Owner allocates a score based on the probability assessment, see Table 2
Value   Description
1       Unlikely / Rarely happens. It is highly unlikely that the risk will materialise. Less than 20% chance
2       Likely. Could happen, with a 20% to < 40% chance
3       Very Likely. 40% to < 60% chance of occurring
4       Highly Likely. 60% to < 80% chance of happening, difficult to prevent because outside of direct control or influence. There will be strong evidence to back up the assessment
5       Extremely Likely. 80+% chance
Table 3 Risk Score
                                          Impact
                         Negligible   Minor   Moderate   Significant   Critical
Probability              1            2       3          4             5
Extremely Likely   5     5            10      15         20            25
Highly Likely      4     4            8       12         16            20
Very Likely        3     3            6       9          12            15
Likely             2     2            4       6          8             10
Unlikely           1     1            2       3          4             5
These risk scores will determine the amount and urgency of mitigation action and monitoring to manage the
associated risks. Table 4 below provides some guidance as to what the scores can represent in
management terms.
Risk Score 5 - 10: Medium exposure
- Within risk appetite
- Need to consider additional risk mitigation measures
- Close monitoring/management by risk owner
- Review by Workstream lead/Project manager
Risk Score 1 - 4: Low exposure
- Well within risk appetite
- Monthly monitoring by Risk Owner
- Risk owner should give consideration to relaxation of control
2.3.5 Risk Proximity
All risks must also include an entry for the Proximity, i.e. the time period in which the
risk is expected to occur. This provides another dimension for prioritising mitigation
and actions for effective risk management.
There are 3 levels of proximity added to the risk log for all risks and in risk reporting.
0 - 3 Months
3 - 6 Months
6 - 9 Months
9 Months +
The risk trend provides another dimension to the assessment and management of
risk by indicating the direction of travel of a risk, which together with proximity helps prioritise
management attention where more than one risk shares the same risk score.
Static
Increasing
Decreasing
A risk mitigation strategy is a plan which seeks to mitigate the risks and safeguard
investment and service delivery activities. This is achieved through proactive actions that
reduce either: a) the probability of a risk occurring or b) the impact of the risk.
Acceptance: Accept the risk but take no pre-emptive action to resolve it (unable to
address the risk or not cost effective to do so), but consider contingency
plans should the risk materialise.
The risk mitigation plan will detail the specific risks that will have to be dealt with and the
action that has to be taken to carry out the risk mitigation strategy. This provides team
members and managers with clarity on the action that is expected from them, while the
senior management and the Partnership Board have knowledge of the steps being taken
on their behalf to reduce the risk.
The Team manager updates the issue status depending on progress with
management and resolution.
Risk analysis and management are ongoing processes incorporated throughout the life of a
Programme or Project and are the responsibility of all staff involved with a project. The
responsible managers will keep stakeholders informed of risks identified, action taken where
appropriate and the success of those actions.
Management: Risk mitigation strategy and plan, monitoring and control of actions
employed to deal with the threat, and problems identified in analysis.
Reporting: All risks raised will be recorded on the Project Risk Log and will be owned
by the Project Manager. Reporting of risks will be carried out on a regular
basis in accordance with the agreed governance structure and terms of
reference.
Identification of risks is an ongoing process but gets the best results when done on a
group basis at key intervals such as the initial business case development stage,
and again during project initiation
Identify risks that could adversely affect the impact and efficient delivery of project
and programme objectives and benefits.
A risk should be defined in a brief and clear sentence. A recommended structure is:
IF <the anticipated event happens> THEN <impact on the project objective occurs>.
It is helpful if risks and objectives are considered together; this can help clarify
project objectives.
Assess the importance, probability and the impact of each risk
Decide whether the level of risk is acceptable (see 2.3.4)
Identify possible actions to be taken to reduce the probability or impact of the risk
materialising.
Based upon the level of concern and controllability for each risk, the Risk Owner will
decide on the risk mitigation strategy and associated actions, i.e. whether to accept,
treat, or transfer the risk, and ensure those actions are carried out as required. The
Risk Owner will, at least monthly (more frequently for red and amber/red risks),
review and monitor progress and consider the effect on the overall risk rating, and
those changes and updates are reflected in the Risk Log.
Where the risk has a high risk rating (red) contingency plans will need to be
developed to address the consequences of the risk materialising.
3.3.3 Escalation
Risks will need to be escalated to the next level of seniority (i.e. individual or group)
and the escalation recorded in the risk log where:
3.3.4 Transfer
When the risk actually happens it becomes an issue and should be transferred to
the issues log. If a risk affects the project but is outside of the remit of the Project
Team or Project Board it should be transferred to the most appropriate corporate
governance body and managed therein. A watching brief within the project will be
required.
3.4 Reporting
Up to date risk reports are provided for team meetings and governance meetings on a timely
basis for review, with a focus on amber and red/amber risks within the Project Team, and
red or strategic risks at the Project Board.
The Project Manager is responsible for ensuring that all Risks have been assigned a
RO and are actively being managed. The Project Manager is specifically responsible
for:
- Ensuring all Programme/Project risks are identified and captured on the risk
log
- Check the assessment (RAG) and mitigation strategy and category for all
risks
- Ensure all risks are assigned with the most appropriate Risk Owner with the
authority and responsibility to manage them.
- Review any risks with increasing severity (Amber to Red based on
pre-mitigation score)
- Escalate risks to the Project Board for consideration when mitigation is
outside the Programme/Project manager's jurisdiction, or additional support
outside of the Programme/Project is needed
- Consider if there are new unidentified risks
- Ensure the top 3 risks are reported on the weekly Project highlight reports
Note: in a project, it is normally the Project Manager who is the risk owner, as the
PM will be managing the risk, but others will be Action Owners, including the
sponsor and Board members where their authority is needed.
The Project Board is accountable for the overall management of the Project Risks
and is required to review the Board level risks as a standing agenda item.
- Review and monitor all Red risks on the register and as a minimum examine
in detail all risks with a score of 16 to 25.
- Identify strategic risks and mitigation
- Allocate as necessary resource to support the risk management process
- Agree the overall risk tolerance level (risk appetite)
- Provide direction to the Project Manager as required for management of
risks
- To be alert to possible risks and raise risks with the Project Manager
Figure 1 Risk Management Process
Risk Owner:
2. Assesses & validates risk, ownership & mitigation strategy
3. Creates mitigation plan, assigns actions & updates risk log
6. R.O updates Risk Log with progress and new mitigation if reqd
7. Decides if risk is mitigated sufficiently or resolved
Appendix 1
Roles and Responsibilities for Risk Management Process
Columns: Task; Proj Mngr; Work stream lead; Risk Owner; Action Owner; Project Team; Senior Project Team; Project Board; Frequency; Tool
- Task: Notify the PM or Workstream lead of any new risks as they arise
  Marked: Y
  Frequency: As they arise, or at least on a weekly basis prior to the project update process
  Tool: Via Email/meetings/or phone
- Task: Ensure all known risks are entered on the Risk Log. Assess Risk, decides mitigation strategy and category & inform relevant Risk Owner
  Marked: Y Y
  Frequency: As they arise, or at least on a weekly basis prior to the project update process
  Tool: Risk Log
- Task: Assign and notifies Risk Owner
  Marked: Y Y
  Frequency: When risk arises
  Tool: Risk Log