To Identify Risks
To Evaluate Risks
To Treat (Manage/Action) Risks
To Monitor (Review) Risks
To Report on Risks
To View/Update Validation Rules
10. Improve controls;
11. Effectively allocate and use resources for risk treatment;
12. Improve operational effectiveness and efficiency;
13. Enhance health & safety performance and environmental protection;
14. Improve loss prevention and incident management;
15. Minimize losses;
16. Improve organizational learning; and
17. Improve organizational resilience.
Communication and Consultation
Risk Assessment
Risk Identification
Risk Analysis
Risk Evaluation
Risk Treatment
http://www.linkedin.com/groups/ISO-31000-Risk-Management-Standard-1834592?trk=my_groups-b-grp-v
International Organisation for Standardization
http://www.iso.org/iso/home/standards/iso31000.htm
Standards Australia Risk Management Principles & Guidelines
http://sherq.org/31000.pdf
Concise Guide to Treasury Risk Management
http://www.charteredaccountants.com.au/Industry-Topics/Audit-and-assurance/Current-issues/Audit-Committee-Guides/Audit-Committee-Guides/Treasury-Management-Guide.aspx
IDENTIFY columns: Risk; How can it happen (cause for hazard to occur); Business Goals/Objectives impacted by Risk; Business Process; Category; Link to Document; Document Type
EVALUATION columns: Existing Controls; Consequence; Cost of Consequence (if known); Likelihood; Risk Priority

Risk 1: loss of relevance of products to customer base
  Business Process: Strategic
  Category: Environmental
  Document Type: Strategic Plan (the Document Type list offers Strategic Plan, Business Continuity Plan, OH&S Policies & Procedures, Other)
  Existing Controls: annual review of plans

Risk      Consequence   Likelihood       Risk Priority
Risk 1    Major         Possible         High
Risk 2    Major         Almost Certain   V High
Risk 3    Moderate      Likely           High
Risk 4    Moderate      Possible         Medium
Risk 5    Minor         Possible         Medium
Risk 6    Minor         Possible         Medium
Risk 7    Minor         Unlikely         Low
Risk 8    Minor         Unlikely         Low
Risk 9    Negligible    Rare             Low
Risk 10   Negligible    Rare             Low
Risk #
Treatment #
Risk
TREATMENT / ACTION
Action: Google Analytics daily review
Action Type:
Responsibility:
By When: 01-Jan-15
Monitoring
Residual Risk Rating: Adequate
ONGOING REVIEWS
Reporting/Monitoring: Weekly line graph of total searches for our products
Last Reviewed: 01-Mar-14
Next Review Due: 01-Mar-15
Responsibility: Marketing
Do Not Misuse Information or Position of Director - The law prohibits Board members from using their positio
themselves or another, or to cause detriment to the entity they are governing
Do Not Abuse an Opportunity if you become aware of an opportunity as a result of your position on a board t
that opportunity for personal benefit at the expense of the organisation
Duty to Act with Care & Diligence - Board members must exercise their powers and discharge their duties with
"reasonable person" in their position. Board members with a high level of expertise will attract a higher standard
Occupational health and safety must provide a safe workplace for employees, subcontractors, volunteers an
example training on fire evacuation procedures, electrical safety, first aid, no smoking in workplace, etc.
Industry-specific for example child care and safety in schools.
Organisation Constitutional compliance for example rights of members, appointments to the board & their te
Privacy important to understand what data is considered to be private as this is subject to tight regulatory cont
accessibility, accuracy & storage
Information Security
Environmental Sustainability such as EPA compliance
HR for example pay rates, superannuation contribution amounts & frequency, Sick Leave, Overtime, Hiring &
Trade Practices Act for example misleading & deceptive conduct, Third Line Forcing, etc
Anti-Discrimination
Contracts Law
Defamation
Fund Raising
Manufacturing Industry
Are substances used in particular tasks suitable for the tasks?
Is there a register of hazardous substances, and an inventory of chemicals purchased or produced and material safety data sheet (MSD
Are hazardous substance containers adequately labelled?
Are hazardous substances stored according to respective MSDS?
Is plant and equipment suitable for the required tasks?
Are all moving parts of plant and equipment guarded to prevent contact with people and property to minimise the risk of injuries and d
stabbing, cutting, puncturing, shearing, and tearing?
Are there systems in place to prevent injury from fragmentation of or flying particles from plant and equipment?
Are there systems in place to prevent injury from falling plant and equipment?
Are there systems in place to prevent injury from performing a task with plant and equipment in a confined space?
Are there systems in place to prevent injury from inadvertent movement of plant and equipment?
Are there systems in place to prevent injury from 'stored energy' in plant and equipment, for example compressed air or hydraulic pres
Are there systems in place to prevent injury resulting from failure of plant and equipment due to the loss of contents, loss of load, unin
explosion, fragmentation or collapse of parts?
Does plant and equipment have adequate power isolation, noise insulation, ventilation and fume extraction?
Is the noise level of plant, equipment and the surrounding environment within the legislated noise level set down for your particular wo
For people using vibrating hand-held equipment or operating vibrating controls (chain saws, sewing machines, grinders, pneumatic dril
within values recommended by Australian Standard AS2763?
For drivers of vehicles and tractors, and helicopter and airplane pilots, are the vibration exposure levels within values recommended by
For operators of vibrating platforms on manufacturing/construction sites, are exposure levels within values as per Australian Standard
Are occupational exposures to Ionising radiation, such as X-rays, and gamma-rays equipment, within limits set by WorkSafe Australia N
Research Council (National Standard Recommendations for limiting exposure to ionising radiation)?
Is plant and equipment that generates UV radiation, such as photocopiers, lasers, UV cured inks in the printing industry, and welding e
Are radio frequency exposure levels from TV/FM radios transmitters, radio, microwaves, plastic moulders, induction heaters and so on k
Are outdoor workers provided with personal protective equipment and work systems as per WorkSafe Australia - guidance note on the
radiation in sunlight?
Are tasks performed at temperatures between 16C and 24C for sedentary work, 4C and 24C for light work and 7C and 24C for
Are tasks performed for more than 2 hours done so at humidity levels between 40% to 60%?
Is electrical wiring installed according to Australian Standard AS 3900?
Are electrical fixtures provided with adequate earthing or other residual current devices?
Are any signs of damage to either cable isolation or other electrical fixtures rectified?
Are there identified colour coded cable labelled isolators to all switchboards?
Are employees prevented from performing tasks in metal enclosures or damp places using electrical tools?
Is there a regular inspection of portable cords and extension leads?
Are 'Danger' tags used by electricians when working on plant?
Does electrical equipment comply with Australian Standard AS3100 - General Requirements For Electrical Equipment?
Is adequate lighting provided according to Australian Standard AS1680 lighting levels for different types of work?
Is employees' eyesight assessed every two years to determine their ability to continue performing their tasks?
Are hazardous conditions that are likely to arise during the use of plant and equipment as a result of friction, fire, explosion, moisture,
controlled?
Are access and egress arrangements for doorways, passageways, stairs, gangways and so on clear of obstructions, well lit, free of slip
Has lifting, carrying, pushing, and pulling been eliminated from all tasks?
Has frequent bending, twisting and stretching been eliminated from all tasks?
Has lifting of awkward loads been eliminated from all tasks?
Has repetitive work using awkward or constrained postures been eliminated from all tasks?
Are the current work systems appropriate, for example, whether more or fewer people should be involved and whether work procedure
Do workers hold the required competency requirements, such as licensing, certification and apprenticeships?
Is training and supervision provided to meet the needs of each individual worker?
Insurance Industry
Climate change
Demographic shifts in core markets
Catastrophic events
Emerging markets
Regulatory intervention
Channel distribution
Integration of technology with operations and strategy
Securities markets
Legal risk
Geopolitical or macroeconomic shocks
Small Business
Financial includes cash flow, budgetary requirements, tax obligations, creditor and debtor mana
and other general account management concerns.
Equipment extends to equipment used to conduct the business and includes everyday use, mai
theft, safety and upgrades.
Organisational relates to the internal requirements of a business, extending to the cultural, stru
resources of the business.
Security includes the business premises, assets and people. Also extends to security of company
intellectual property, and technology.
Legal & regulatory compliance includes legislation, regulations, standards, codes of practice a
requirements. Also extends to compliance with additional rules such as policies, procedures or ex
be set by contracts, customers or the social environment.
Reputation entails the threat to the reputation of the business due to the conduct of the entity a
of products/services, or the conduct of employees or others associated with the business.
Operational covers the planning, daily operational activities, resources (including people) and s
the business that results in the successful development and delivery of products/services.
Commercial includes risks associated with market placement, business growth, product develop
commercial success. Also to the commercial viability of products/services, extending through estab
growth of a customer base and return.
Stakeholder management includes identifying, establishing and maintaining the right relation
and external stakeholders.
Client-customer relationship potential loss of clients due to internal and external factors.
Strategic includes the planning, scoping, resourcing and growth of the business.
Treasury
Market Risk
(the movement in value due to a change in price, creating a positive or negative value for the organisation)
Credit Risk
(the risk that your counter party defaults before or on settlement date)
Liquidity Risk
(risk of not being able to deal in a market due to lack of liquidity, and funding risk, which is not having
adequate funds in place when they are needed)
Operational Risk
(loss due to failure of people, processes and systems, or an external event such
as fire, fraud, flood, earthquake or other natural phenomenon)
Project Risks
Executive Support
Cost Management
Change Management
Stakeholders
Communication
Architecture
Design
Technical
Integration
Requirements
Procurement
Authority
Organizational
External
Project Management
User Acceptance
Commercial
Planning
Purchasing documentation
Evaluating offers
Negotiations
Contract management
Disposals
Are risks identified as early as possible to ensure adequate steps are taken to handle the exposure in a timely manner?
Do risk measurement methodologies measure the risks adequately and in a timely manner?
Are potential stress tests and what if analyses undertaken monthly (eg.measuring sensitivity of exposure to market risk (V
Is there a suitable mix of floating and fixed interest rates?
What is the foreign exchange risk hedging policy?
What percentage of foreign exchange is hedged?
Is the audit committee informed of any breaches of market risk policy or limits?
Is there adequate capacity to measure credit exposure?
Does the organisation have a process for handling and valuing collateral received or paid?
Does the organisation have settlement limits?
What reliance is placed on credit ratings provided by a credit rating agency?
Is credit risk appropriately managed?
Is the audit committee informed of any breaches of credit or settlement limits immediately?
What processes are in place to determine credit limits?
What processes are in place to measure liquidity risk?
What impact do financial instruments have on cash flow?
Are appropriate cash limits in place?
Are secured funding lines in place?
What level of security do these funding lines have?
Is close contact kept with funders, shareholders and bankers?
Are there diversified sources of funds?
Is there a spread of products and maturities so that maturities do not build up?
Is there liquidity in all the various financial instruments, eg. any exotic or structured products?
What stress scenarios are run and are they stressful enough?
Is the audit committee informed of liquidity stress issues in a timely manner?
Are all staff who are responsible for monitoring derivative transactions well trained and qualified?
What is the culture of staff and management toward risk and controls?
Have staff adequate expertise for the roles that they perform?
Are bonuses paid based on the results of any risk management or treasury activities?
Is there an independent system for calculating and reporting results?
Are treasury operations handled by internal staff with the appropriate treasury skills?
Are front and back office systems adequate and appropriately segregated to ensure the completeness and accuracy of proc
Are valuation and spreadsheet models independently reviewed?
Are all back office staff adequately trained and do they understand the products used?
Are the organisation's systems capable of producing adequate disclosure information for users of the financial statements?
Are accounting results routinely calculated and regularly reported?
Do the external auditors have a clear understanding of their role in verifying the financial transactions?
Are the policies and procedures reviewed at least annually?
Risk
Understatement of the need
Insufficient funding
Impractical timeframe
Probity issues
Biased specification
Breaches of security
Breaches of security
Fraud
Risk
Plant, equipment and items (and parts of them) that have the potential to cut, rip, tear, abrade, crush, penetrate, produce pr
Chemicals, compounds, materials, powders, dusts and vapours that have the potential to impair health, have adverse effec
A range of sources of energy that have the potential to cause harm, including electricity, heat, cold, noise, high powered ligh
Activities that cause stress to the muscles and/or skeleton, including manual handling of people, animals, goods or material
Activities that are carried out where a person can fall or an object can fall onto people.
Hazards Events, systems of work or other circumstances that have the potential to lead to psychological and associated illn
(measurements of objectives)
Likely consequences
Purchase of unsuitable product or service
Money wasted
Need not satisfied
Greater expense
Poor competition
Totally unacceptable purchase or not most suitable product or service
Time lost
Increased costs
Possible downtime
Delay in making the purchase
Additional costs for re-tender
Inadequate responses from tenderers
Reduced competition
Delivery schedule not met
Increased procurement costs
Misuse of resources
Most suitable product not obtained
Unethical conduct
Fewer alternatives
Most suitable product or service may not be obtained
Increased costs
Need not satisfied
Time lost
Increased costs
Possible downtime
Inadequate responses from tenderers
Claims of unfair dealings
Variety of offers
Insufficient responses
Products offered not meeting needs
Difficult to evaluate
Lack of offers from suitable tenderers
Inconsistent evaluations
Possible complaints from tenderers
Subjective not objective evaluation of offers
Contract disputes
Delivery delays
Cost variations
Reduction in value for money
Purchase of less suitable product
Inefficient use of resources
Delays in delivery
Need to restart procurement
Possible cost of legal action
Inability to finalise contract
Delays in delivery
Variations in cost
Inefficient use of resources
Contract disputes
Invalidity of contract
Legal action
Delays in delivery
Downtime
Liability disputes
Misuse of resources
Legal action
Disruption to procurement activities
Progress on project disrupted
Less expertise
Failure to improve procurement and management processes
Procurement objectives not achieved
Possible failure in the future
Action
Analyse need accurately
Risk Reporting
Risk Priority
Adequate
V High
High
Medium
Low
Totals
AS AT
02-Mar-15
Risks - # by Priority
Totals
5
1
2
3
4
10
4
3
Consequence / Likelihood   Almost Certain   Likely   Possible   Unlikely   Rare   Totals
Catastrophic               0                0        0          0          0      0
Major                      1                0        1          0          0      2
Moderate                   0                1        1          0          0      2
Minor                      0                0        2          2          0      4
Negligible                 0                0        0          0          2      2
Totals                     1                1        4          2          2      10

Colour Code: V High, High, Medium, Low
262111855.xlsx
Stage2
Communicate and Consult
Development
of Risk Framework
Implementation
of Risk Framework
Risk Assessment
Treat Risks
Checklist Item
1. Has the board and executive expressed their support for a risk management programme?
2. Has the risk committee (or equivalent) and the board reviewed and approved the risk policy/ strategy?
3. Have you identified a person who will be responsible for implementing risk management?
4. Does the risk manager, or equivalent, have reasonable access to staff and management across the organisation?
5. Have you defined categories of risk relevant to your organisation and industry?
6. Do your risk categories reflect all operational risk areas of the business as well as more strategic risk categories?
7. Is there a clear organisational strategy (or objectives) articulated for the organisation?
8. Have you defined and agreed a likelihood scale to assess the potential for the risk to occur throughout the organisation?
9. Have you defined and agreed a consequence scale to help assess risk impacts across the organisation?
10. Does the organisation's consequence scale describe both financial and non-financial impacts?
11. Does the risk management framework consider the effectiveness of controls or risk treatments?
12. Is there an agreed template or format for recording risks and risk treatment information (a risk register)?
13. Has a risk policy been defined?
14. Does the organisation have a documented risk management strategy?
15. Do job descriptions of key stakeholders include responsibilities for risk management?
16. Is a formal project management methodology used to manage projects?
17. Is a mechanism in place to identify, assess, record and monitor risks on projects?
18. Has the organisation agreed what types and levels of risk are unacceptable?
19. Is there an agreed format/ template for reporting on risk?
20. Is there a process and/or template where new risks can be recorded by the executive and staff?
21. Is risk management or awareness training provided to all staff?
22. Does the risk manager (or equivalent) have access to the CEO, board and Audit/ Risk Committee when required?
23. Do staff know that they have a right and responsibility to assist in risk identification and escalation?
24. Do staff know who to report/ escalate risks to?
25. Do managers or supervisors know that they are responsible for managing risk in their area/s of responsibility?
26. Have the executive and the board provided guidance on what information they would like to see in risk reports?
27. Is there agreement on when and how often risk reports will be produced?
28. Have the recipients of risk reports been identified and agreed?
29. Can different risk reports be produced to meet different needs of stakeholder groups?
30. Has responsibility for managing/ treating specific risks been assigned and communicated to those responsible?
31. Are staff encouraged or incentivised to report risk or suggest risk reduction strategies?
32. Has a risk brainstorming workshop (or workshops) been conducted?
33. Have you considered the history of events and incidents in your organisation during the risk assessment process?
34. Has research been performed to understand common risks in the industry?
35. Has the executive and board considered risks relating to the achievement of key organisational goals and objectives?
36. Are risks identified during compliance reviews/ audits always added to the risk register?
37. Have existing controls been identified for risks during the risk assessment process?
38. Has the perceived effectiveness of controls been assessed by a person who understands the risk and the controls in place?
39. Has the risk register been updated in the last year?
40. Is the risk register updated throughout the year to reflect changes in risk and emerging risks?
41. Does the risk register record the job title of the person responsible for overseeing the risk treatment and monitoring process (the 'risk owner' or 'risk champion')?
42. Have you identified possible actions/ treatment plans that could help to reduce the risk level?
43. Have the benefits of a treatment approach been compared to the potential cost of the risk to determine the appropriateness of the treatment strategy?
44. Have risk treatment or action plans been documented and approved for important risks?
45. Have due dates/ completion dates been agreed for risk treatment actions and plans?
46. Is there a clear understanding of who will oversee the risk treatment selection and execution process?
47. Have key risk indicators (KRIs) been defined and agreed for key risks/ risk areas?
48. Are the organisation's physical assets appropriately insured?
49. Is a business continuity plan (BCP) in place for critical organisational functions/ processes?
50. Does your risk process follow the steps described in the AS/NZS 4360:2004 Standard?
51. Does the Internal Audit function or equivalent review risk management processes?
52. Is an Internal Audit function/ process in place?
53. Do your internal auditors focus their time and effort on the most critical risks recorded in the risk register?
54. Does the organisation track changes in risk levels over time in order to understand trends/ changes in risk levels?
55. Has the risk policy been reviewed and approved in the last year?
56. Has the board and/or risk management committee (or equivalent) made an attestation in the annual report in accordance with the Victorian Government Risk Management Framework (if applicable)?
57. Is the risk process integrated with other organisational planning processes - for example, is risk considered during the strategic planning, budgeting and audit planning processes?
Term: Definition
Risk: Effect of uncertainty on objectives (either positive or negative deviation from what is expected). Often expressed as a combination of the consequences of an event and the associated likelihood of occurrence.
Control: Any measure or action that modifies risk. Includes any policy, procedure, practice, process, technology, technique, method or device that modifies or manages risk. Risk treatments become Controls or modify existing Controls once they have been implemented.
Residual Risk: Risk left over after you've implemented a risk treatment option.
Hazard: Source of potential harm. Present condition, event, object, or circumstance that could lead to or contribute to an unplanned or undesired event such as an accident.
Issue: Risk with probability of 100%, i.e. it has eventualised into an existing issue.
Risk Identification: Process of finding, recognising and describing risks, involving identification of risk sources, events, causes and potential consequences.
Risk Analysis: Process to comprehend the nature of risk and to determine the level of risk.
Risk Evaluation:
Risk Treatment:
Note: Risk is different to a Hazard in that Risk is the future impact of a hazard that is not controlled - it can be viewed as future uncertainty created by the hazard.
Opportunities
Description
Indicators
High (probable)
Medium (possible)
Likely to occur in a 10 year time period or less than 25% chance of occurrence
Low (remote)
Potential of it occurring several times within the time period (eg. 10 years). Has occurred recently.
Could occur more than once within time period (eg. 10 years). Could be difficult to control due to some external influences. Is there a history of
occurrence?
Has not occurred. Unlikely to occur.
High (probable)
Favourable outcome is likely to be achieved in 1 year or better than 75% chance of occurrence
Clear opportunity which can be relied on with reasonable certainty, to be achieved in the short term based on current management processes
Medium (possible)
Opportunities which may be achievable but which require careful management. Opportunities which may arise over and above the plan.
Low (remote)
Some chance of favourable outcome in the medium term or less than 25% chance of occurrence
Possible opportunity which has yet to be fully investigated by management. Opportunity for which the likelihood of success is low on the basis of
management resources currently being applied.
Treatment
1 Avoid
2 Accept
3 Avoid
4 Mitigate
5 Transfer
6 Accept
Business Category
Asset Management
Infrastructure Management
Finance
Clinical Governance
Regulatory Compliance
Service Delivery
Corporate Governance
Operational
Market / Environmental
Strategic
Risk Category
Business Continuity
Liability
Environmental
Financial
Political
OH&S
Infrastructure, Assets & Systems
Reputation
Controls
Adequate
Opportunities for Improvement
Inadequate
Document Type
Strategic Plan
Business Continuity Plan
OH&S Policies & Procedures
Other
Action Type
Avoided (eg. don't do risky activity)
Accepted
Removed (risk source removed)
Reduce Likelihood (eg. P&P, Training)
Reduce Consequences
Shared/Transferred (eg. Insurance)
Retained (by informed decision)
Likelihood
Almost Certain
Likely
Possible
Unlikely
Rare
Consequence
Negligible Minor
Medium
Medium
Medium
Medium
Low
Medium
Low
Low
Low
Low
Moderate
High
High
Medium
Medium
Medium
Major
V High
High
High
Medium
Medium
Catastrophic
V High
V High
High
High
High