Identification and Management of Risks

9.6 – Identification and Management of Risks

9.6.1 Purpose

To provide a method of identification and management of potential and actual / realised risks to:

    • conformance with regulatory requirements
    • conformance with legal requirements
    • customer and learner needs
    • business needs


Then track and document the containment and resolution of those risks.

9.6.2 Scope

All risks risks, potential and actual / realised, to TLM business that may reasonably impact on its regulatory, legal, customer or business requirements.

9.6.3 Responsibilities

All Employees – Identifying Risks that may impact on regulatory, customer or business Requirements.

All Employees – To support as required the Chief Moderator in this process

Chief Moderator – Reviewing identified risks and Managing all reasonable mitigation

– Process Owner

9.6.4 Documentation and Forms

Risk Register

9.6.5 Procedure

All TLM staff are required to identify and record risks they become aware of, in the line of their work for TLM, that could or may impact on regulatory, legal, customer or business requirements into the ‘Risk Register’.

Identification of Risks can include but not be limited to the following tools:-

    • Brainstorming in risk identification events
    • Systematic walkthrough of companies processes
    • Review of previous history of failures
    • Experience and knowledge of process owners
    • Monthly Risk Register Review meetings


On entry of a risk onto the ‘Risk Register’, TLM staff are required to enter:

    • the next sequential number under ‘Risk No.’,
    • the entry date under ‘Date Raised’,
    • a detailed but concise description of the risk under ‘Risk Descrition’
    • their name under ‘Risk Raiser’

On entry of a risk onto the ‘Risk Register’, the Chief Moderator is required to:

    • Classify the rating of the risk identified under ‘Risk Rating’.
    • Assign an owner to the risk under ‘Risk Owner’.
    • Agree completion date of containment with ‘Risk Owner’ and enter under ‘3CPlanned Completion Date’.
    • Agree completion date of resolution with ‘Risk Owner’ and enter under ‘Planned Resolution Completion Date’.
    • Review the register on a weekly basis, or as near to this as is practical and prompt staff members for any new risks and review progress of containment and resolution of risks entered.

The classification of severity of Impact or ‘Risk Rating’ of identified risks is selected from a drop-down list in the ‘Risk Register’.

Severity Ratings Being:-

    • High Risk – Inform all senior management, process owners and participants
    • Medium Risk – Inform all process owners and participants
    • Low Risk – Inform specific process owner and participants
    • Reasonable Risk – Monitor status of risk in Monthly Risk Review Meetings. Show as ‘Mitigated’ in Risk Register
    • No Discernable Risk – Demonstrates a risk has been ‘Resolved’ in Risk Register

The delegated ‘Risk Owner’ will follow the 9.7 Risk Resolution Process. The activity will be time bounded and must return the identified risk to an assessment of ‘Reasonable Risk’ as a minimum, or preferably to ‘No Discernable Risk’. The output of the ‘Risk Resolution Report’ will be reviewed by the Chief Moderator.

Following a review of the ‘Risk Resolution Report’ the Chief Moderator is required to reclassify severity of Impact of identified risks, i.e. select a new ‘Risk Rating’ from a drop-down list, based on the output of the Risk Resolution Support.

The Chief Moderator will enter the date of closure once ‘Reasonable Risk’ as a minimum, or preferably to ‘No Discernable Risk’ has been achieved.

(See ‘Identification and Management of Risks Guidance’ for Risk Rating Examples under BMS section 10 – Guidance and Records.)