TESDA CIRCULAR
SUBJECT: Revised Implementing Guidelines on the Use of Register of Relevant Risks and Opportunities (RRRO) in TESDA's Risk Management Process
Number 133, Series of 2019
Supersedes:
Date Issued: December 6, 2019
Effectivity: January 2, 2020
I. Rationale/Background:
The year 2020 marks TESDA's ISO 9001:2015 re-certification year. After
completing the 3-year cycle this 2019, it is the best time to review and revise the
agency's risk management process. The review and revision of the risk
management process was brought about by concerns raised by findings from the
2019 surveillance audit. One of the major concerns was the need for better risk
criteria to address issues on risk assessment.
This TESDA Circular aims to provide the revised guidelines on the enhanced
Risk Management Process of TESDA.
II. Objectives:
• To reiterate the terms and definitions used and concepts of a Risk
Management Process in support of the QMS.
• To describe the process of populating data and information in the RRRO.
• To describe the revised risk criteria.
• To define how the RRRO can be a useful tool for improvement and evidence
for ISO 9001 audits.
III. Scope:
The Risk Management Process, being one of the processes under QMS,
primarily applies to the same scope of the QMS.
In instances where risks from other processes outside the QMS scope affect the
processes within the QMS scope, it can be placed in the RRRO category
"Others".
This is to prepare TESDA for plans on future scope expansion.
IV. Definition of Terms:
Context - the internal and external issues to be taken into account when
managing risk.
Internal issues can include:
• Governance, organizational structure
• Capabilities, in terms of resources and knowledge
• Information systems, decision-making processes
• Relationships, perceptions and values of internal
stakeholders
• Organization's culture
• Standards, guidelines and models adapted by the
organization
External issues can include:
• Political
• Economic
• Social
• Technological
• Legal
• Environmental
Risk Profile - description of a set of risks. TESDA applies this to group similar
issues / risks to generate the RRRO based on the following risk profiles:
• Internal — Governance, Policies, Processes (i.e. core and
support processes)
• Internal — People, Culture
• Internal — Infrastructure, IT, other Resources
• Internal — Others
• External — Political, Legal
• External — Economic, Industry related, Stakeholder
• External — Social
• External — Technological
• External — Environmental
Risk - Effect of uncertainty on objectives; characterized in terms of a combination
of the consequences of an event (including changes in circumstances) and the
associated likelihood of occurrence.
Opportunities - can arise as a result of a situation favorable to achieving an
intended result; can be referred to as the positive effects of Risk; can lead to
adoption of new practices, addressing new customers, building partnerships,
using new technology and other desirable and viable possibilities to address the
organization's or its customer's needs.
Likelihood (L) - chance of something happening; defined based on historical
data or frequency over a given period of time.
Consequence (C) - outcome of an event affecting objectives (e.g. per GAA and
OPCR) and compliance to legal requirements and set standards (e.g. per
Citizens Charter).
Risk assessment - Overall process of risk identification, risk analysis and risk
evaluation.
Risk identification - process of finding, recognizing and describing risks.
Risk analysis - process to comprehend the nature of risk and to determine the
level / rating of risks.
Risk evaluation - process of comparing the results of risk analysis with risk
criteria; assists in the decision about risk treatment.
Risk criteria - terms of reference against which the significance of a risk is
evaluated.
Risk Rating (R) - magnitude of a risk or combination of risks, expressed in terms
of combination of consequences and their likelihood.
Risk treatment / Action Plan - process to modify a risk; or decision on action
towards a risk. This can involve:
• Avoiding the risk
• Taking or increasing risk in order to pursue an opportunity
• Removing the risk source
• Changing the likelihood
• Changing the consequences
• Sharing the risk
• Retaining the risk
Control - measure that is modifying the risk; includes any process, policy,
practices or other actions which modify risk.
Success Indicator - performance level yardsticks consisting of performance
measures and performance targets.
Interested Party / Stakeholder - person or organization that can affect, be
affected by, or perceive themselves to be affected by the decision or activity of
an organization.
Communication and consultation - continual process that an organization
conducts to provide, share or obtain information and to engage in dialogue with
stakeholders regarding the management of risk.
Residual Risk (R2) - risk remaining after the risk treatment / action plan; also
called 'retained risk'.
Monitoring - continual checking or determining the status of action or activity.
Review - activity undertaken to determine the suitability, adequacy and
effectiveness of the action plan.
Corporate RRROs - a listing of identified priority issues/risks/opportunities and
action plans approved and prioritized by the NQMC used for reference or
alignment of TESDA COROPO. It is typically released within the 1st to 2nd quarter
of the year.
Note: Higher level issues/risks/opportunities which require long term strategic
planning are discussed in the National Directorate Conference.
COROPO RRROs - a listing of identified priority issues/risks/opportunities and
action plans at the Central Office (up to Division/Section or process owner)
levels, Regional Office level and Provincial Office level. It is typically done along
the same period as the release of OPCRs.
V. Risk Criteria (Attached as Annex A)
VI. General Process Flow
[Figure: General Process Flow diagram. Legible labels: Establish context; Risk assessment.]
VII. Details of the Process
1. Communication and Consultation
This aims to identify who should be involved in the assessment of risk and it
should engage those who will be involved in the treatment, monitoring and
review of risk. It is reflected in each step of the process.
As an initial step, there are two aspects that should be established in order to
support the whole process:
• Eliciting risk information
• Managing stakeholder perception
Therefore, the RRRO cannot be done by only one person. Identify the
internal and external stakeholders who can be sources of your RRRO. Heads
of Operating Units/ process owners/focals should communicate and consult
with them. A focal person can, however, be assigned to collate information
related to risks and opportunities.
The relevance or complexity of an issue can be a guide on how much
communication and consultation is required (i.e. the more relevant or
complex an issue, the more communication and consultation are required).
2. Establish the Context
This involves the following activities:
• Establishing the internal and external context — refer to above
Definition of Terms 'Context' and 'Risk Profile'
• Establishing the risk management context — refer to above Scope
• Developing the risk criteria and risk analysis structure — refer to
attached Risk Criteria and General Process Flow shown above
The information contained in this Circular is to be used as reference for
COROPO in establishing the RRROs. Should there be improvements in this
process in the future, this Circular shall be superseded and communication /
deployment shall be properly implemented.
3. Risk Identification
Risks cannot be managed unless they are first identified. Coming from
communication and consultation and establishment of context, identify as
many risks as possible.
The aim is to identify possible risks (and/or opportunities) using the following
guide questions: What can happen? How can it happen? Why could it
happen?
Comprehensive identification is critical because a risk that is not identified at
an early stage will not be included in further analysis.
Generally, there are two main ways to identify risks:
• Identifying retrospective risks
• Identifying prospective risks
Retrospective risks are those that have previously occurred. Identifying
retrospective risks is the common and easier way, because it is easy to
describe something which already happened before.
Sources of retrospective risks include: Audit reports, Complaints, Surveys,
Review / tracking reports, Media, changes in leadership/systems/processes.
Prospective risks are those that have not yet happened, but might happen
sometime in the future. These are harder to identify.
Methods of prospective risk identification include: brainstorming with internal
or external stakeholders, research, conducting interviews or surveys on
anticipated problems, flowcharting a process, reviewing system design.
Risk identification should consider the size of the operating unit and the
variety and extent of TVET clientele vis-a-vis the internal and external issues.
At a minimum, risk identification shall be done at least once a year by
COROPO, typically along the same period as the development of OPCRs.
Further, the RRRO should consider both retrospective and prospective risks.
Additional risks may be identified after the RRRO's regular monitoring and
review and subject to the results of audit/s, customer complaints, changes in
governance, and other sources of risks.
4. Risk Analysis
Identified risks are often too many and not possible to be addressed all at the
same time. The risk analysis step aims to determine which risks are more
relevant than others.
Risk analysis involves combining the consequence (or possible
consequence) of an event with the likelihood of that event occurring. This
results in the rating / level of risks:
Likelihood (L) x Consequence (C) = Risk Rating (R)
Refer to the attached Risk Criteria to define the parameters of Likelihood
and Consequence.
Note: There are no established Opportunity Criteria; the acceptance of an
Opportunity is at the discretion of the Leadership Team.
The initial RRROs for TESDA were done for base-lining purposes in 2017.
The risk analysis was done in the context of existing controls. And, the
current year's RRROs considered the previous years' RRROs (i.e. identified
risks and their respective residual risks from the previous year become the
current year's risks and risk rating).
However, in view of the enhancement of the risk criteria, all previously
identified risks shall be reassessed based on the new parameters for
likelihood and consequence. Risks identified starting 2020 onwards shall
also be assessed based on the attached (revised) risk criteria.
5. Risk Evaluation
Risk evaluation involves comparing the level of risks found during the
analysis with the established Risk Criteria, and deciding whether these risks
require treatment or action plans.
Refer to the attached Risk Criteria to define the treatment or actions to be
done based on the Risk Rating.
Note: In some cases where Risk Rating = 'Medium' to 'Very High', which
require action plans, the decision may be to "retain / accept the risk", due to
the following reasons:
• It is outside the control of TESDA
• Cost of action plan exceeds the benefit, acceptance is the only option
• There is no treatment available
However, there should at least be a provision of monitoring and/or
communication/endorsement as the declared action plan.
6. Risk Treatment
Risk treatment involves identifying the action plans for treating or controlling
the risk. The key to managing risks is in implementing effective treatment or
action plans.
Action plans should contain: What, Who, When, How to evaluate the
effectiveness of action/s (indicated under "what"). The statement of 'how to
evaluate the effectiveness of action' should include 'success indicators'. If
there is an existing related procedure or policy, it can also be referred to as the
action plan.
Refer to the above Definition of Terms 'Risk Treatment'.
In view of limited resources, identified risks shall be prioritized according to
level of risks with those rated as 'Very High' risks receiving the highest priority
in terms of identification of risk treatment.
For purposes of RRRO, only the top ten (10) priority risks (i.e. from those
rated Very High, High, and Medium) shall require a risk treatment.
In cases where there are more than 10 risks rated "Very High", all are
considered prioritized and given a risk treatment.
Declared action plans should be considered in the preparation and monitoring
of the OPCR.
Note: In the case of identified opportunity, the NQMC/RD/PD shall decide
whether to:
• "Opportunity noted but not adopted", and state reason for not
adopting the opportunity; or
• "Opportunity noted for implementation", and indicate action plan to
adopt the opportunity
7. Monitor and Review
There are only very few risks which remain static. The Risk Management
Process and its components need to be regularly monitored and reviewed to
ensure that new risks are captured and effectively managed.
As part of NQMC Management Review, this Risk Management Process shall
be subject to annual review for its adequacy, suitability and effectiveness for
TESDA's Quality Management System.
The RRROs shall also be subject to regular monitoring and review:
• Monitoring of the 'Status of Action Plans' by the Head / RD / PD /
Assigned Process Owner — on/before the 15th day of the month
succeeding a given quarter for POs; on/before the 15th of the month
succeeding a given semester for ROs; and on /before the 15th of
January for the Corporate RRRO/Process Owner.
• Quarterly review and inclusion of emerging issues/risks/opportunities
(if any) — on/before the 15th day of the month succeeding a given
quarter
• Annual review of 'Residual Risk Rating' and 'Analysis and Evaluation'
— on/before January 15 covering the previous year
Note: Results of the RRRO monitoring are also mandatory inputs to the
Management Review Process of NQMC/RQMC.
VIII. Additional Guidelines on Filling up the RRRO
In addition to the details mentioned in the previous section, the following are
additional guidelines on filling up the RRRO Form (Annex B):
1. Use the Corporate RRRO as inputs to COROPO RRRO. You may copy most
or even all aspects of the Corporate RRRO but remember to consider the
applicability to your Office.
2. Add your identified retrospective and prospective risks. There are obvious
risks which should always be included, e.g. those pertaining to Legal
requirements, those coming from audits, those peculiar to your Office. Refer
to above Risk Identification.
3. The statement in the column 'Affected Objective' should be specific.
Otherwise, your Office will have difficulty in 'Analysis and Evaluation' later on.
4. The identified 'Risk' should be aligned to the 'Issue'. In cases where an Issue
can lead to more than one Risk, separate entry and rating are required.
It is highly encouraged to identify and accept at least one Opportunity per
COROPO, as it shows the positive side of Risk Management. Opportunity
need not be rated.
5. In Risk Rating, remember that both Likelihood and Consequence are linked to
the Risk, not to the Issue.
6. Action plans should be complete. Refer to above Risk Treatment.
7. To fill up column 'Status of Action Plan' quarterly, the following contents are
considered:
• If Risk Rating is Very High or High: status of action plan should
describe the activities being done / already done, and the results
versus the success indicator
• If Risk Rating is Medium: status of action plan should describe the
activities being done / already done (and the results versus the
success indicator if process owner indicated any)
• If Risk Rating is Low: since no action plan is required, status is 'n/a' or,
if process owner indicated an action plan, this should describe the
activity being done / already done
8. Use the same Risk Criteria when filling up the 'Residual Risk Rating' column
annually.
9. To fill up column 'Analysis and Evaluation' annually, the following statements
are considered:
• If the Success Indicator is met and the Objectives are met, then the
Residual Risk is lower. Declare that "the Action Plan is effective.
Continue with the Action Plans."
• If the Success Indicator is unmet and the Objectives are unmet, then
the Residual Risk is higher. Declare that "the Action Plan is not
effective". State possible reasons. Change / add Action Plans.
• If the Success Indicator is met but the Objectives are unmet, then the
Residual Risk may be same / lower / higher. Declare that "the Action
Plan may not be aligned to the Risk, or there may be other factors
involved". State factors for unmet objectives. Further analyze the risk.
Change / add Action Plans.
• If Success Indicator is unmet but Objectives are met, then the
Residual Risk may be same / lower / higher. Action Plan may not be
aligned to the Risk, or there may be other factors involved. State
factors for unmet success indicator. Further analyze the risk. Change /
add Action Plans.
10. Always use 'as of date' when filling up the RRROs.
11. PO RRRO shall be approved by the Provincial Director (copy furnished the
Regional Director); RO RRRO shall be approved by the Regional Director;
Process Owner RRRO shall be approved by the concerned Executive
Director/Director IV; and Corporate RRRO shall be approved by the National
Quality Manager/National Quality Management Committee.
12. Do not show in the current RRRO and store/archive in a separate RRRO
Sheet all risks that have been rated "Low" for two (2) consecutive years.
Indicate in the archived RRRO Sheet all details (i.e. accomplished columns
from 'Issues' to 'Analysis and Evaluation') relative to the concerned risk, from
the year when the risk was first identified leading to the 2 years that said risk
achieved a "Low" risk rating.
For softcopies in excel form, it is also acceptable to "hide" entries and print
only the prioritized risks for signature.
13. An annual calibration on the Risk Management Process shall be conducted
for selected COROPO RRRO focals. ROPO focals are likewise enjoined to
conduct their own RRRO calibration at the regional level.
This Order shall take effect as indicated and supersedes all other
issuances inconsistent herewith.
SEC. ISIDRO S. LAPEÑA, PhD., CSEE
Director General
ANNEX A
RISK CRITERIA

CONSEQUENCE

| (LOW) 1 | (MEDIUM) 2 | (HIGH) 3 | (VERY HIGH) 4 |
|---|---|---|---|
| ≤ 10% of requests not responded according to PCT/OP/Citizens Charter | 11-30% of requests not responded according to PCT/OP/Citizens Charter | 31% and above of requests not responded according to PCT/OP/Citizens Charter | Failure to meet legal requirements |
| Lead to less than 10% unmet objectives | Lead to 10-19% unmet objectives | Lead to 20-29% unmet objectives | Lead to 30% or higher unmet objectives |

LIKELIHOOD (rows) against CONSEQUENCE (columns)

| FOR LARGE ROPO | (LOW) 1 | (MEDIUM) 2 | (HIGH) 3 | (VERY HIGH) 4 |
|---|---|---|---|---|
| Occurred 0-3 times/year (LOW) 1 | LOW - 1 | LOW - 2 | LOW - 3 | MEDIUM - 4 |
| Occurred 4 times/year (MEDIUM) 2 | LOW - 2 | LOW - 4 | MEDIUM - 6 | HIGH - 8 |
| Occurred 5 times/year (HIGH) 3 | LOW - 3 | MEDIUM - 6 | HIGH - 9 | VERY HIGH - 12 |
| Occurred 6 times or more/year (VERY HIGH) 4 | MEDIUM - 4 | HIGH - 8 | VERY HIGH - 12 | VERY HIGH - 16 |

| FOR MEDIUM ROPO | (LOW) 1 | (MEDIUM) 2 | (HIGH) 3 | (VERY HIGH) 4 |
|---|---|---|---|---|
| Occurred 0-2 times/year (LOW) 1 | LOW - 1 | LOW - 2 | LOW - 3 | MEDIUM - 4 |
| Occurred 3 times/year (MEDIUM) 2 | LOW - 2 | LOW - 4 | MEDIUM - 6 | HIGH - 8 |
| Occurred 4 times/year (HIGH) 3 | LOW - 3 | MEDIUM - 6 | HIGH - 9 | VERY HIGH - 12 |
| Occurred 5 times or more/year (VERY HIGH) 4 | MEDIUM - 4 | HIGH - 8 | VERY HIGH - 12 | VERY HIGH - 16 |

| FOR CO/SMALL ROPO | (LOW) 1 | (MEDIUM) 2 | (HIGH) 3 | (VERY HIGH) 4 |
|---|---|---|---|---|
| Occurred 0-1 times/year (LOW) 1 | LOW - 1 | LOW - 2 | LOW - 3 | MEDIUM - 4 |
| Occurred 2 times/year (MEDIUM) 2 | LOW - 2 | LOW - 4 | MEDIUM - 6 | HIGH - 8 |
| Occurred 3 times/year (HIGH) 3 | LOW - 3 | MEDIUM - 6 | HIGH - 9 | VERY HIGH - 12 |
| Occurred 4 times or more/year (VERY HIGH) 4 | MEDIUM - 4 | HIGH - 8 | VERY HIGH - 12 | VERY HIGH - 16 |
RISK TREATMENT
• For 12 - 16 (VERY HIGH): High priority action plan needed with at least quarterly monitoring
• For 8 - 9 (HIGH): Action plan needed with at least annual monitoring
• For 4 - 6 (MEDIUM): May consider action plan
• For 1 - 3 (LOW): No action plan
TESDA-QM-F01
Annex B Rev. No. 02-12/06/19
TESDA REGISTRY OF RISKS AND OPPORTUNITIES
as of
Office:
Form columns:
• Key Issue/Issue
• Affected Objective (GAA/OPCR/OP/Citizens Charter)
• Risk and/or Opportunity
• Risk Rating (L, C=R)
• Action Plan (what, who, when, how to evaluate effectiveness)
• Status of Action Plan
• Residual Risk Rating (L, C=R2)
• Analysis and Evaluation
Prepared by: Approved by:
(ED for Central Office RRRO / RD for RO RRRO / PD for PO RRRO)