Risk Framework/Register and Risk Management Policy

Strategy & Vision

This Policy sets out SOGON’s objectives and strategy for risk management and the arrangements it has
adopted to enable it to manage its risks. Effective risk management enables SOGON to identify, assess and
seize opportunities which assist in the delivery of its objectives and improve its performance, whilst
protecting the reputation and sustainability of the University.

Risk management is central to the achievement of SOGON’s objectives and well-informed decision-making,
whether at strategic, operational or project levels. SOGON is committed to ensuring that it has a robust and
comprehensive system of risk management following good practices in risk management.

Objectives

SOGON’s objectives for risk management are:
a. to align risk management with SOGON’s objectives (as set out in the Strategic Plan and
elsewhere);
b. to appraise and manage risks and opportunities in a systematic, structured and timely manner, in
accordance with best practice;
c. to strengthen decision-making, prioritisation and planning;
d. to achieve the appropriate balance between stability and innovation; and
e. to assign accountability and responsibility for risk within SOGON.

Standards

This Policy and associated explanatory guidance have been adopted by SOGON’s Executive Council. SOGON
follows best practices in the management of risk and is mindful of international standards on risk
management, and guidance from UNIDO and other relevant sector bodies.

Definitions

These definitions are specified in international standards ISO Practical Guide ISO 31000:2018.
∙ Risk is defined as “the effect of uncertainty on objectives”. This may also be expressed as a deviation
from expected outcomes that could be positive (opportunity) or negative (threat).
∙ Risk management is defined as “coordinated activities to direct and control an organisation with
regards to risk”.
∙ Risk appetite is defined as “the amount of risk that an organisation is willing to pursue or retain”.
∙ Risk tolerance is defined as “the degree of variation – the latitude – in the outcome that an
organization is willing to accept with regards to managing the respective risk”.
∙ A risk management framework is defined as “a set of components that provide the foundations
and organisational arrangements for designing, implementing, monitoring, reviewing and
continually improving risk management throughout the organization”. This would be expected to
include policy, objectives, mandate and commitment to manage risk; together with plans,
accountabilities, resources, processes and activities for risk management.

Risk Management Framework

The Risk Management Framework will support SOGON in making risk-informed decisions and provide the
basis for evaluating and monitoring the risk profile of SOGON on an ongoing basis. The Framework provides
a shared understanding of, and promotes a consistent approach to, risk management within SOGON in line
with its goals and objectives.

Risk management is not about eliminating risks, but about making informed decisions about how to
anticipate uncertain events (i.e. what risks to avoid, how to reduce risk exposure, how to limit potential
negative consequences, how to knowingly accept some risks, etc.). The Risk Management Framework (RMF)
provides a shared understanding of what risk management is about and introduces common language and
minimum standards and processes.

Components of the Framework

The SOGON Risk Management Framework is based on internationally recognized standards and guidance
and is comprised of:
– A risk appetite statement which provides a high-level indication of how much risk SOGON is willing
to take, accept or tolerate to achieve its goals and objectives;
– The 3-lines of defence model which describes the roles and responsibilities of key stakeholders of
the partnership with regard to risk management;
– A set of risk management processes and tools, as follows:
  o For risk identification – A risk taxonomy which provides an exhaustive list and classification
    of all the risks that SOGON is facing at a given point in time.
  o For risk analysis and evaluation
    1. A list of corporate risk indicators as part of a corporate risk dashboard. The different
       indicators are metrics used to monitor risk exposure over time and ensure a
       controlled amount of risk-taking within the risk appetite.
    2. An internal operational risk monitoring template is part of grant monitoring. The
       operational risk monitoring template ensures that risk in programmes is monitored
       and mitigated against objectives.

Statement of Risk Appetite

SOGON’s statement of risk appetite sets out the overarching principles that define its appetite for risk and
guides the University’s approach to the acceptance of risk. In pursuing its objectives, as expressed in its
Strategic Plan and elsewhere, SOGON will generally accept a level of risk proportionate to the expected
benefits to be gained, and the scale or likelihood of damage. SOGON has a high appetite for risk in the context
of encouraging and promoting critical enquiry, freedom of expression, and open debate. SOGON has a very
low appetite for risk where there is a likelihood of significant and lasting reputational damage; significant
and lasting damage to its provision of world-class community health care services, research and advocacy;
significant financial loss or significant negative variations to financial plans; loss of life or harm to staff,
collaborators, or implementation partners; or illegal or unethical activity.

Risk Registers and Risk Management Reports

Risk register – a structured means of identifying and classifying risk consistently and coherently, and for
assigning risk ownership. Risk registers are opened for all SOGON’s activities including sponsored projects.
SOGON’s Strategic Risk Register is a summary of the key risks facing SOGON and is the document used by the
Executive Council to manage risk. The Board would be in charge of SOGON’s risk register.
Risk management reports – a structured approach to managing risk, considering risk appetite, and
recording controls, mitigation and the current and future status of the risk. Risk management reports
provide a means by which to monitor the management of risks in the Strategic Risk Register and other risk
registers, setting out the detail of the particular risk and the controls that are in place to mitigate the risk.
Risk management reports also contain commentary from the owners of each risk, thereby providing a
means by which the body responsible for risk management can ensure the risk owners are taking
appropriate action to manage the risk.

Mitigating & Controlling Risk

Once the risk has been identified, the risk owner should decide on appropriate controls to mitigate the risk.
There are five options to choose from:
1. Terminate – Exit the activities giving rise to the risk as the risk is unacceptable (not always an
option!)
2. Transfer – Reduce the likelihood or impact by transferring or sharing a portion of the risk
3. Treat – Take action to reduce the likelihood and/or impact by implementing additional controls,
and/or establish a contingency to be enacted should the risk materialise.
4. Tolerate – Accept the risk, subject to monitoring. The current risk exposure is accepted.
5. Take the opportunity – Take action to exploit an opportunity

Assuming the option is to treat, consideration should be given to how the risk can be mitigated. Risk
mitigation is about trying to reduce the likelihood of the risk event occurring, or the impact of the risk if it
does occur.

Once further mitigation actions and controls have been identified, appropriate action owners should be
identified to take the work forward. The actions should then be incorporated as part of a work plan that
underpins the relevant objective. Actions should be specific and deliverable.

Measuring, Controlling and Monitoring Risks

Risk reports and risk registers are used to evidence risk management activities or act as a source of risk
reporting. Risks should be assessed and monitored regularly by the risk owner(s) to make sure that
the risk is being managed effectively through the controls that have been put in place. For SOGON, risk
controls and further mitigating actions are reviewed with risk owners at monthly risk update meetings
throughout the year. This supports risk owners in managing their risks and helps to keep SOGON’s Risk
Register a dynamic document.

Responsibilities

The Executive Council is responsible for the advancement of SOGON’s objectives, its administration, and the
management of its finances and property. It will receive regular reports on strategic risks and will seek
assurances over risk management and controls from individuals identified as accountable for risks. It will
make an active contribution to management by challenging accountable individuals. It will define and keep
under review the organization’s risk appetite. The Executive Council is responsible for keeping under review
procedures for identifying and managing risks across all SOGON’s activities. In discharging its responsibility
for procedures for identifying risks across SOGON’s activities, the Executive Council will review and update
regularly SOGON’s strategic risk register and consider the strategic risks identified by staff, collaborators
and partners, as appropriate. To discharge its responsibility for managing risks, the Executive Council will
review risk management reports relating to each of the key risks on SOGON’s Strategic Risk Register. The
Chairman is accountable to the Board for discharging SOGON’s responsibilities for effective risk
management.

The Secretary is responsible for:

a. ensuring that this Policy is implemented and maintained;
b. providing appropriate levels of explanatory guidance and training to support this Policy;
c. defining and implementing procedures for the reporting and escalation of risk to the Executive
Council and Board of Trustees as required;
d. raising awareness of this Policy and its objectives, standards and statements amongst staff and all
others to whom it is relevant.

Every member of staff is responsible for familiarising themselves with this Policy, in particular, any aspects
that have a direct bearing upon the role that they perform for SOGON.

Interaction with Third Parties

To achieve its objectives, SOGON usually works closely with many third parties, including sponsors,
collaborators and partners. Some risks, therefore, are shared with these third parties.

Review

This Policy will be reviewed every three years by the Executive Council, which will ensure it reflects any
changes in best practice.

Approved on behalf of the Executive Council and Board of Trustees of SOGON on Wednesday 31st May 2023

Signature:

Dr Kehinde Okunade
Secretary SOGON Lagos Sector