S6.5.5

=Institutional risk assessments and mitigation strategies are regularly updated to reflect changing student digital information use and support needs. =

Evidence
Merna and Al-Thani (2008, p2) define risk management as "a formal process that enables that enables the identification, assessment, planning and management of risks." There must be a formal structure and framework in place if the risk management system is to be successful. The approach used to manage risks must be transparent and the identification and priotisation of risks must be shared across all key stakeholders. They cite the Turnbull Report (1999) and list (p61) the following activities as necessary for risk management to be embedded in the organisation:


 * Risk identification
 * Risk assessment/measurement
 * Risk management profiling
 * Risk reporting
 * Risk monitoring
 * Maintainance of the risk profile

Resources
Policies, strategies and an overall plan ensure that these risk management activities are undertaken continuously rather than sporadically and in response to significant organisational failures. Merna and Al-Thani suggest (2008, p61-62) that a risk management plan should formally address:


 * assignment of risk management responsibility
 * the corporate risk management policy
 * risk identification documentation - risk register, initial response options
 * risk analysis outputs - risk exposure distribution within the project, most significant risks, variation of project outcome values with risk occurrences, probability distributions of project outcome values
 * selected risk response options - risk allocation among project parties, provisions, procurement and contractural arrangements concerning risk, contingency plans, insurance and other transfer arrangements
 * monitoring and controlling - comparison of actual with anticipated risk occurrences, control of the project with regard to the RMP
 * maintenance of the risk management system - measures to update and maintain the RMP continuously and refine it *evaluation - recording risk information for further RMP cycles within the project and for future projects.