248615841.DOC

Table of Contents

Risk Management Procedure
Template
Table of Contents
Introduction
Definitions
Objectives of Risk Management
Benefits of Risk Management
Roles and responsibilities
Risk Management Governance Structure
Relationship with other processes
Key Process Steps
One: Communicate and Consult
Two: Establish the Context
Three: Identify Risks
Four: Analyse Risks
Five: Evaluate Risks
Six: Treat Risks
Seven: Monitor and Review
Risk Reporting
Risk Management Reporting Responsibilities
Risk Escalation
Risk Reports and Recipients
Review and Approval
Access to Risk Management Reporting Framework
References
Appendix: Risk Control Likelihood Consequence Rating
Control Effectiveness Rating Criteria
Likelihood Rating Criteria
Consequence Rating Scale
Appendix: Risk assessment templates and heat map
Risk Assessment Template
Risk Assessment Treatment Plan Template
Appendix: Risk Reporting potential risk reports
Templates (Examples)
Risk Profile
Risk Treatment Actions Status - Detailed
Assurance Coverage of Key Risks
Risk Management Annual Activity Schedule and Improvement Initiatives
New and Emerging Threats and Opportunities
Detailed Risk Register

Introduction

The role of this risk management procedure is to provide staff with guidance on how to apply consistent and comprehensive risk management. This procedure provides information on how to identify, analyse, evaluate and treat risks. In addition, it identifies other key activities needed for an effective risk management approach. The risk management process contained in this procedure aligns with the Australian Standard for Risk Management (AS/NZS ISO 31000:2009).

Risk is the chance of something happening that will have an impact on objectives. It is important that we manage risks so that the negative impact of risks upon achievement of our objectives is minimised and our ability to realise potential opportunities is maximised.

Set out below is a diagram illustrating how this procedure interacts with other key risk management documents:

Definitions

Risk Management is the culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects (AS/NZS ISO 31000:2009).
A risk is the chance of something happening that will have an impact on objectives (AS/NZS ISO 31000:2009).

A control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.

Objectives of Risk Management

Risk management is a responsibility of all, with specific risk responsibilities being allocated to different groups and levels within the organisation. It is important to have complete and current risk information available, as this information assists the [ ] to make more informed decisions around both strategic direction and operational objectives. Risk management is not a stand-alone discipline but requires integration with existing business processes, such as business planning and Internal Audit, in order to provide us with the greatest benefits.

The objectives of a risk management framework are to:
Provide a systematic approach to the early identification and management of risks;
Provide consistent risk assessment criteria;
Make available accurate and concise risk information that informs decision making, including business direction;
Adopt risk treatment strategies that are cost effective and efficient in reducing risk to an acceptable level; and
Monitor and review risk levels to ensure that risk exposure remains within an acceptable level.

Benefits of Risk Management

Risk management will support us in being able to meet our values and deliver upon our objectives. Application of a consistent and comprehensive risk management process will:
Increase the likelihood of us achieving our strategic and business objectives;
Encourage a high standard of accountability at all levels of the organisation;
Support more effective decision making through better understanding of risk exposures;
Create an environment that enables us to deliver timely services and meet performance objectives in an efficient and cost effective manner;
Safeguard our assets (human, property and reputation); and
Meet compliance and governance requirements.

Roles and responsibilities

An organisation's ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities. It is important for everyone to be aware of his or her individual and collective risk management responsibilities. In order for risks to be effectively managed, it is essential to have people behaving in a way that is consistent with the organisation's approved approach. This indicates that risk management is not merely about having a well-defined process but also about effecting the behavioural change necessary for risk management to be embedded in all organisational activities.

Set out below is the risk management governance structure. This structure illustrates that risk management is not the sole responsibility of one individual but rather occurs and is supported at all organisational levels.

Risk Management Governance Structure

(Diagram, reproduced as a list from the Board down to staff:)
Board - provides oversight and review
CEO - drives culture of risk
Risk Committee - reviews risk status; endorses risk strategy and policy
Executive & Management - support risk culture; manage and identify risks
Staff & Contractors - comply with risk procedures; identify risks

Provide a high level description of the roles of the various people or groups involved in the risk governance structure. This will be expanded in the procedures.

Board: Indicate the detailed responsibilities of the Board (if applicable).
Committee: Indicate the detailed responsibilities of the relevant committee (if applicable).
Chief Executive Officer: Indicate the detailed responsibilities of the CEO or relevant position (if applicable).
Risk Committee: Indicate the detailed responsibilities of the relevant internal risk committee or relevant group / forum (if applicable).
Risk Manager: Indicate the detailed responsibilities of the relevant risk manager. This may be a specific role, or it may be one role that has specific risk oversight responsibilities for the organisation (if applicable).
Managers: Indicate the detailed responsibilities of the management team. May include managing risks and fostering risk culture.
Staff and Contractors: Indicate the detailed responsibilities of staff. May include applying risk management within their roles.

Relationship with other processes

Risk management is not a stand-alone discipline. In order to maximise risk management benefits and opportunities, it needs to be integrated with existing business processes. Some of the key business processes with which risk alignment is necessary are:

Internal Audit - Internal Audit reviews the effectiveness of controls. Alignment between the Internal Audit function and the controls within the Risk Management process is critical, and the Risk & Compliance Manager will seek to align these core processes.

Business Planning (including budget) - Identifying risk during the business planning process allows us to set realistic delivery timelines for strategies / activities, or to choose to remove a strategy / activity if the associated risks are too high or unmanageable. The impact of changing risk levels over the year can then be mapped to the relevant objective, enabling us to conduct more timely expectation management with key stakeholders.
Performance Management - All risk responsibilities, whether a general responsibility to use the risk management process or specific responsibilities such as risk ownership or implementation of risk treatments, should be included within the relevant individuals' performance plans.

Key Process Steps

Risk management is a continual process that involves the following key steps:
Communicate and consult
Establish the context
Identify risks
Analyse risks
Evaluate risks
Treat risks
Monitor and review

It is important to follow this process when conducting risk management, as this ensures that the approach to risk management is both comprehensive and consistent. This process is formally conducted across the entire organisation on an annual basis. This occurs in conjunction with the corporate and business planning process and involves the review and update of risk profiles for the enterprise as a whole, and includes a review for each individual division. This illustrates a "top-down" and a "bottom-up" approach to risk management.

Although this process is conducted across the entire organisation on an annual basis, risk management is not solely an annual process. It should be occurring at all times and in relation to all business activities. Therefore everyone has a responsibility to continually apply this process when making business decisions and when conducting day-to-day management. To assist you in completing the risk management process, each process step is described in further detail.

Process Step Overview

Process One: Communicate and Consult

Communication and consultation with internal and external stakeholders is important throughout the risk management process to ensure the organisation has a comprehensive picture of the risks we face.

External communication and consultation is targeted at informing external stakeholders of:
The organisation's risk management approach
The effectiveness of our risk management approach
Requesting feedback where appropriate

Risk management is a key governance and management function to which external stakeholders, including Government and industry, are paying increased attention. Satisfying these stakeholders that we use appropriate risk management practices will influence their perception of the organisation.

Internal communication and consultation is aimed at informing internal stakeholders of:
The risk management process
Seeking feedback in relation to the process
Key risks and their responsibilities relating to management of these

Process Two: Establish the Context

This means considering:

1. The external context
Building an understanding of our external stakeholders and hence the extent to which this external environment will impact on our ability to achieve corporate objectives: the Business, Social, Regulatory, Cultural, Competitive, Financial and Political environments in which we operate. It also involves considering our strengths, weaknesses, opportunities and threats.

2. The internal context
This is aimed at understanding organisational elements and the way they interact, such as: culture, internal stakeholders, structure, capabilities (in terms of resources such as people, systems, processes and capital), goals and objectives, and the strategies in place to achieve these.

3. The risk management context
The goals, objectives, strategies, scope and parameters for the risk management process itself must also be considered.

Note: The "Establish the Context" part of the risk management process will only need to be repeated when there are significant changes to either our external environment or business operations.

Process Three: Identify Risks

Risk identification is a key step in the risk management process to ensure a complete list of risks is identified. Risks can be identified using various tools and techniques including:

Part of risk identification also involves identifying risks that may arise "over the horizon". Some examples of possible considerations could include:
Worldwide events
Rising public expectations regarding public sector entities
Changing public attitudes towards Government

Identifying all risk elements provides a better understanding of the risk and assists when considering current controls and identifying further treatment actions. It also reduces risk duplication and minimises confusion as to risk meaning.

Process Four: Analyse Risks

Once a risk is identified, it is important to adequately describe it. The components of a comprehensive risk description are:
Event, eg high staff turnover;
Cause, eg staff job dissatisfaction; and
Impact, ie inability to achieve strategic objectives.

Risk analysis involves:
Identifying controls currently in place to manage the risk by either reducing the consequence or likelihood of the risk;
Assessing the effectiveness of current controls;
Identifying the likelihood of the risk occurring; and
Identifying the potential consequence or impact that would result if the risk was to occur.

When evaluating the effectiveness of current controls, the factors to consider include consistency of application, understanding of control content and documentation of controls where appropriate. Controls are aimed at bringing the risk within an acceptable level. The evaluation of current controls can occur through several different processes including:
Control self assessment;
Internal Audit reviewing the effectiveness of controls; and
External Audit reviewing the effectiveness of controls.

The consequence and likelihood ratings, as identified after consideration of current controls, are combined to determine the overall risk level.

Process Five: Evaluate Risks

Risk evaluation involves considering the risk's overall risk level. This allows determination of whether further risk treatment actions are required to bring the risk within an acceptable level. The output of the risk evaluation phase is a prioritised list of risks. There may be times when the action required will differ from that identified above; however, where this is the case, the Chief Executive Officer must approve deviation from the above action.

Process Six: Treat Risks

Risk treatment involves examining possible treatment options to determine the most appropriate action for managing a risk. Treatment actions are required where the current controls are not managing the risk within defined tolerance levels. Treatment options could involve improving existing controls and implementing additional controls. Possible risk treatment options include:
Avoid the risk - change the business process or objective so as to avoid the risk;
Change the likelihood - undertake actions aimed at reducing the cause of the risk;
Change the consequence - undertake actions aimed at reducing the impact of the risk;
Share / transfer the risk - transfer ownership and liability to a third party; and
Retain the risk - accept the impact of the risk.

When determining the preferred treatment option, consideration should be given to the cost of the treatment as compared to the likely risk reduction that will result (cost benefit analysis). On selecting the preferred treatment option, the following should occur:
The cost of any actions should be incorporated into the relevant budget planning process;
A responsible person should be identified for delivery of the action, with this expectation being communicated to them;
A realistic due date should be set; and
Performance measures should be determined.

Process Seven: Monitor and Review

Risk information requires regular monitoring and review to ensure currency. The environment in which we operate is constantly changing, and so therefore are our risks. If risk information is inaccurate, we may make poor decisions that could otherwise have been avoided. Therefore Risk Owners and Risk Treatment Owners have key risk and control review and update responsibilities to ensure continued currency of information pertaining to their particular risks. In addition, on an annual basis the entire risk register will be reviewed, with review participation being broader than solely Risk Owners and Risk Treatment Owners.

It is also important for the effectiveness of the risk management framework to be monitored and reviewed. This framework drives the extent to which risks will be adequately managed throughout the organisation. Monitoring implementation of the Risk Management Strategy is one available monitoring mechanism. In addition, the risk management framework itself will be reviewed annually, with results being reported to the Audit and Risk Committee (ARC) and the Board. As risk management developments are constantly occurring, this review mechanism will provide us with information on current risk management developments,
facilitating continuous risk management improvements.

Risk Reporting

Set out below is a diagram illustrating how the risk management reporting process fits into the overall risk management framework.

(Diagram, elements as extracted: Corporate Plan 2007 - 2010; Business Plan 2007 - 2008; Risk Policy; Risk Strategy 2007 - 2008; Risk Management Process; Risk Tools; Risk Management Reporting Framework.)

Risk management reporting is a key element of the 'Monitor and Review' phase of the risk management process, and needs to occur at each step of the process. This risk management reporting process supports a formalised, structured and comprehensive approach by [ ] to the monitoring and review of its risks, thereby enhancing its risk management process.

Risk Management Reporting Responsibilities

Group | Responsibilities
Board | Review reports; communicate risk information issues back to the organisation; identify new and emerging risks
Audit and Risk Committee | Review reports; communicate risk information issues back to the organisation; communicate key risk issues to the Board; identify new and emerging risks
CEO | Review reports; closely monitor extreme risks; identify new and emerging risks
Risk Management Executive Committee (RMEC) | Review reports; communicate key risk issues to the Audit and Risk Committee; identify new and emerging risks
General Managers | Review reports; communicate key risk issues to the RMEC; identify new and emerging risks
Risk Owners | Monitor and review the risks which they own; prepare reports for the risks which they own; provide the Risk and Compliance Manager with information on the risks which they own; identify new and emerging risks
General Manager, Finance and Corporate Services | Review reports prepared by the Risk and Compliance Manager; provide executive support to the Risk and Compliance Manager, for example, requiring timely provision of risk information from the organisation to the Risk and Compliance Manager; identify new and emerging risks
Risk and Compliance Manager | Prepare reports; gather risk information from the relevant organisational people, for example, Risk Owners; identify new and emerging risks
Management and Staff | Provide risk information to those that request it; monitor and review risks within their areas; identify new and emerging risks

Risk Escalation

Risk escalation is an important tool for ensuring that risks are known and understood by the people with the authority to appropriately manage them. If a risk poses an extreme risk and requires allocation of substantial risk treatment resources, then it would not be appropriate for this to be managed at the divisional level. The Board has overall accountability for managing risks and therefore, where a risk poses such a high threat, the Board should be immediately informed of it.

Everyone has the ability to identify risks at any time of the year. When these risks are identified outside of the formal annual risk review process, escalation of the risk to the appropriate recipient needs to occur. The table set out below indicates the appropriate escalation process. The [ ] will act as the conduit between the person who has identified the risk and the relevant escalation recipient. Therefore, if you identify a risk which requires escalation, please report it directly to the [ ]. The [ ] will assess and review the risk information provided to them and escalate the risk in line with the requirements set out in the table below.

Risk Level | Escalation Recipient | Timing
High | |
Significant | |
Medium | |
Low | |

Risk Reports and Recipients

Report Type | Recipient | Type of Report | Overview

Templates for these reports are available in the Appendices.

Review and Approval

The Risk Management Reporting Framework and report templates will be reviewed annually by the [ ] and approved at least every [ ] by the [ ].

Access to Risk Management Reporting Framework

The Risk Management Reporting Framework will be made available to each employee of [ ].

The Risk Management Reporting Framework will be available as follows:
References

For further information on risk management, the following documents provide a comprehensive and practical overview:
AS/NZS ISO 31000:2009 - Risk management - Principles and guidelines
ISO Guide 73:2009 - Risk management - Vocabulary
IEC/ISO 31010:2009 - Risk management - Risk assessment techniques
HB 327:2010 - Communicating and consulting about risk
AS/NZS 5050:2010 - Business continuity - Managing disruption-related risk
HB 266:2010 - Guide for managing risk in not-for-profit organisations

Appendix: Risk Control Likelihood Consequence Rating

The following were endorsed by the [ ] in [ ] for [ ]. These will be subject to review in [ ].

Control Effectiveness Rating Criteria
Rating | Definition | Indicators

Likelihood Rating Criteria
Rating | Descriptor | Frequency | Description

Consequence Rating Scale
Description | Rating | Financial | Service Quality | Reputation | People & Knowledge | Stakeholders | Compliance, Governance & Legal | Systems & Processes

Appendix: Risk assessment templates and heat map

RISKS FOR [ ] UPDATED AND ENDORSED BY THE [ ]

Risk Assessment Template
Owner | Risk Description | Risk Category | No | Consequence | Likelihood | Risk Rating | Insurance | KRI | KI

Risk Assessment Treatment Plan Template
Risk Treatment / Action Plan | Accountabilities | Timelines | Risk Rating | Review / Monitor | Insurance Status (Insurable? Insured?) | Measurement and monitoring

Appendix: Risk Reporting potential risk reports

Risk Profile

Purpose
The Risk Profile Report provides a graphical representation of the placement of key risks on a heat map. This report provides a quick reference for Directors and Executives as to the organisation's risk exposure. It helps to guide the allocation of resources to treat those risks which pose the biggest threat, both in terms of likelihood and consequence. This report is a snapshot of the organisation's current risk profile.

In addition, the Risk Profile Report will document the extent of risk rating changes that have occurred and explain the known or likely reasons for the change. The types of reasons that might be presented include:
Change in operations
Internal Audit findings indicate that controls are less effective than anticipated
Implementation of risk treatment actions
Change in the external environment, for example, creation of a new stakeholder body, and / or
Knowledge of events that have occurred which raise either the likelihood of, or the consequence if, an event occurs; for example, a competing business has begun a market poaching exercise, increasing the likelihood of staff turnover.

This report can be used to track the movement of risks and their specific ratings across the organisation and to develop an understanding of what factors (external / internal) can influence changes in risk ratings. It enables tracking of the effectiveness of risk treatment actions in reducing risks, while also supporting awareness of risk increases so that proactive management of these may occur.

Information included
The organisational risks plotted on the risk heat map. Beneath the heat map in the report, the following summary information is provided for each risk:
Risk description
Prior risk rating (Extreme, High, Medium, Low)
Current risk rating (Extreme, High, Medium, Low)
Any trend / movement that has occurred
Reasons for change in risk rating
Any improvements required
The status of any approved treatment actions

Risk treatment actions status - detailed

Purpose
The Risk Treatment Actions Report contains a status update on progress against approved risk treatment actions. People are more likely to deliver upon what they are measured against. Therefore this report increases accountability for delivery against agreed risk management actions. It also provides comfort to Directors and Executives that risks are being treated as anticipated.

Information included
Risk description
Risk rating
Description of the risk treatment action
Date for completion of risk treatment
Person(s) responsible
Status (eg in progress, completed)
Additional comments (eg specific detail around the status)

Assurance coverage of key risks

Purpose
The Assurance Coverage of Key Risks Report indicates which risks have been covered by assurance activities in the previous year and which are proposed to be covered over the coming year. This assurance can cover reviewing current control existence and effectiveness, as well as treatment action completion. Gaining assurance around key risks provides an objective review of self-assessed risk and control effectiveness ratings. Sometimes perceptions about a given risk may be incorrect. This objective assessment of risks provides comfort that the risk information, as contained in the risk register, is reflective of the actual situation.

Information included
Risk description
Controls / treatments being covered by assurance activities
Risk rating
Trend (increase / decrease)
Description of the assurance activities - previous year
Description of the assurance activities - current year
The key findings of assurance activities, as they influence risk, would be reflected in the organisation's Risk Profile Report within the 'reason for change' column.

Risk management annual activity schedule and improvement initiatives

Purpose
The Risk Management Improvement Initiatives Report tracks progress against the risk management improvement initiatives approved to be implemented over the coming year. It provides assurance around the continual improvement of the risk management processes and practices.

Information included
Description of the initiative;
Description of the risk management activity;
Person(s) responsible;
Date for completion;
Status (eg in progress, completed); and
Additional comments (eg specific detail around the status).

New and emerging risks

Purpose
The New and Emerging Risks Report provides an opportunity to highlight emerging risks or add new risks to the risk register throughout the year. It is important to retain the currency of the risk register outside of the formal annual risk review process. Personnel from within the organisation would notify the Risk and Compliance Officer of any new or emerging risks. The Risk and Compliance Officer would then need to source the information for inclusion in this report. This report helps to develop awareness and understanding of the importance of managing new and emerging risks and provides a formalised structure for the reporting of these risks.

Information included
This report is a summary risk register that includes the following information:
Risk description;
Risk category;
Risk rating;
Causes;
Impacts; and
Current controls.

The [ ] would then determine whether the risks contained in this report warranted inclusion in the risk register. Where risks are included in the risk register, the Audit and Risk Committee and the Board would have visibility of the new risk information in the Risk Profile Report.

Detailed risk register

Purpose
The Detailed Risk Register Report contains all information contained in the risk register. All information provided in other risk reports should be reflected in the risk register. This report is only produced at completion of the annual risk review process unless otherwise specifically requested by the Board, Audit and Risk Committee or the [ ].

Information included
Risk description;
Risk category;
Risk owner;
Shared responsibility;
Description of the cause / contributing factors;
Description of the impact;
Description of current controls; and
Description of risk treatment information, including action, responsible person, due date and status.

Templates (Examples)

Risk Profile

(Heat map: likelihood rows against consequence columns Insignificant, Minor, Moderate, Major, Extreme; cells hold the reference numbers of the plotted example risks, listed here per row as extracted, with "|" separating the occupied cells.)
Almost Certain | 6
Likely | 2, 3 | 8
Possible | 1 | 15 | 9, 5, 10
Unlikely | 7 | 13 | 12, 4
Remote | 14 | 11

Rank | Ref | Risk Category | Risk Description | Rating | Trend | Reason for Change | Improvement Required? | Improvement Status
1 | 6 | | | High | | | |