APPENDIX D:
Risk Management Procedure – Template
255269787. DO
Table of Contents

Risk Management Procedure – Template
Table of Contents
Introduction
Definitions
Objectives of Risk Management
Benefits of Risk Management
Roles and responsibilities
Risk Management Governance Structure
Relationship with other processes
Key Process Steps
One: Communicate and Consult
Two: Establish the Context
Three: Identify Risks
Four: Analyse Risks
Five: Evaluate Risks
Six: Treat Risks
Seven: Monitor and Review
Risk Reporting
Risk Management Reporting Responsibilities
Risk Escalation
Risk Reports and Recipients
Introduction

The role of this risk management procedure is to provide staff with guidance on how to apply consistent and comprehensive risk management. This procedure provides information on how to identify, analyse, evaluate and treat risks. In addition, it identifies other key activities needed for an effective risk management approach.

The risk management process contained in this procedure aligns with the Australian Standard for Risk Management (AS/NZS ISO 31000:2009).

Risk is the chance of something happening that will have an impact on objectives. (AS/NZS ISO 31000:2009 itself states this more generally as the effect of uncertainty on objectives, so an "impact" may be positive as well as negative.) It is important that we manage risks so that the negative impact of risks upon achievement of our objectives is minimised and our ability to realise potential opportunities is maximised.

Set out below is a diagram illustrating how this procedure interacts with other key risk management documents:
Definitions

Risk Management is the culture, processes and structures that are directed
Objectives of Risk Management

Risk management is a responsibility of all, with specific risk responsibilities being allocated to different groups and levels within the organisation. It is important to have complete and current risk information available, as this information assists the [ ] to make more informed decisions around both strategic direction and operational objectives. Risk management is not a stand-alone discipline but requires integration with existing business processes such as business planning and Internal Audit, in order to provide us with the greatest benefits.

The objectives of a risk management framework are to:
• Provide a systematic approach to the early identification and management of risks;
• Provide consistent risk assessment criteria;
• Make available accurate and concise risk information that informs decision making, including business direction;
• Adopt risk treatment strategies that are cost effective and efficient in reducing risk to an acceptable level; and
• Monitor and review risk levels to ensure that risk exposure remains within an acceptable level.
Benefits of Risk Management
Roles and responsibilities

An organisation's ability to conduct effective risk management is dependent upon having an appropriate risk governance structure and well-defined roles and responsibilities. It is important for everyone to be aware of his or her individual and collective risk management responsibilities. In order for risks to be effectively managed, it is essential to have people behaving in a way that is consistent with the organisation's approved approach. This indicates that risk management is not merely about having a well-defined process but also about effecting the behavioural change necessary for risk management to be embedded in all organisational activities.

Set out below is the risk management governance structure. This structure illustrates that risk management is not the sole responsibility of one individual but rather occurs and is supported at all organisational levels.

Risk Management Governance Structure

[Diagram: risk management governance structure. Board - provides oversight and review]
Provide a high level description of the roles of the various people or groups involved in the risk governance structure. This will be expanded in the procedures.

Board
• Indicate the detailed responsibilities of the Board (if applicable).

Committee
• Indicate the detailed responsibilities of the relevant committee (if applicable).

Chief Executive Officer
• Indicate the detailed responsibilities of the relevant CEO or relevant position (if applicable).

Risk Committee
• Indicate the detailed responsibilities of the relevant internal risk committee or relevant group / forum (if applicable).
Relationship with other processes

Risk management is not a stand-alone discipline. In order to maximise risk management benefits and opportunities, it needs to be integrated with existing business processes.

Some of the key business processes with which risk alignment is necessary are:
• Internal Audit – Internal Audit reviews the effectiveness of controls. Alignment between the Internal Audit function and that of the controls within the Risk Management process is critical, and the role of Risk & Compliance Manager will seek to align these core processes.
• Business Planning including budget – Identifying risk during the business planning process allows us to set realistic delivery timelines for strategies / activities, or to choose to remove a strategy / activity if the associated risks are too high or unmanageable. The impact of changing risk levels over the year can then
Key Process Steps

Risk management is a continual process that involves the following key steps:
• Communicate and consult
• Establish the context
• Identify risks
• Analyse risks
• Evaluate risks
• Treat risks
• Monitor and review

It is important to follow this process when conducting risk management, as this ensures that the approach to risk management is both comprehensive and consistent. This process is formally conducted across the entire organisation on an annual basis. This occurs in conjunction with the corporate and business planning process and involves the review and update of risk profiles for the enterprise as a whole, which includes a review for each individual division. This illustrates a "top-down" and a
Process Step One: Communicate and Consult

Overview

Communication and consultation with internal and external stakeholders is important throughout the risk management process to ensure the organisation has a comprehensive picture of the risks we face.

External communication and consultation is targeted at informing external stakeholders of:
• The organisation's risk management approach
• The effectiveness of our risk management approach
• Requesting feedback where appropriate

Risk management is a key governance and management function to which external stakeholders, including Government and industry, are paying increased attention. Satisfying these stakeholders that we use appropriate risk management practices will influence their perception of the organisation.

Internal communication and consultation is aimed at informing internal stakeholders of:
• The risk management process
• Seeking feedback in relation to the process
• Key risks and their responsibilities relating to management of these
Process Step Two: Establish the Context

Overview

This means considering:

1. The external context
Building an understanding of our external stakeholders and hence the extent to which this external environment will impact on our ability to achieve corporate objectives:
• Business, Social, Regulatory, Cultural, Competitive, Financial and Political Environments in which we operate.
• It also involves considering our strengths, weaknesses, opportunities and threats.

2. The internal context
This is aimed at understanding organisational elements and the way they interact, such as:
• Culture, internal stakeholders, structure, capabilities (in terms of resources such as people, systems, processes and capital), goals and objectives, and the strategies in place to achieve these.

3. The risk management context
The goals, objectives, strategies, scope and parameters for the risk management process itself must also be considered.

Note: The "Establish the Context" part of the risk management process will only need to be repeated when there are significant changes to either our external environment or business operations.
Process Step Three: Identify Risks

Overview

Risk identification is a key step in the risk management process to ensure a complete list of risks is identified. Risks can be identified using various tools and techniques including:

Part of risk identification also involves identifying risks that may arise "over the horizon". Some examples of possible considerations could include:
• Worldwide events
• Rising public expectations re public sector entities
• Changing public attitudes towards Government

Identifying all risk elements provides a better understanding of the risk and assists when considering current controls and identifying further treatment actions. It also reduces risk duplication and minimises confusion as to risk meaning.
Process Step Four: Analyse Risks

Overview

Once a risk is identified, it is important to adequately describe it. The components of a comprehensive risk description are:
• Event, e.g. High staff turnover;
• Cause, e.g. Staff job dissatisfaction; and
• Impact, i.e. Inability to achieve strategic objectives.

Risk analysis involves:
• Identifying controls currently in place to manage the risk by either reducing the consequence or likelihood of the risk;
• Assessing the effectiveness of current controls;
• Identifying the likelihood of the risk occurring; and
• Identifying the potential consequence or impact that would result if the risk was to occur.

When evaluating the effectiveness of current controls, the factors to consider include consistency of application, understanding of control content and documentation of controls where appropriate. Controls are aimed at bringing the risk within an acceptable level. The evaluation of current controls can occur through several different processes including:
• Control self assessment;
• Internal Audit reviewing the effectiveness of controls; and
• External Audit reviewing the effectiveness of controls.

The consequence and likelihood ratings, as identified after consideration of current controls, are combined to determine the overall risk level (that is, the residual risk level with current controls in place, not the inherent level before controls).
Process Step Five: Evaluate Risks

Overview

Risk evaluation involves considering the risk's overall risk level. This allows determination of whether further risk treatment actions are required to bring the risk within an acceptable level. The output of the risk evaluation phase is a prioritised list of risks.

There may be times when the action required will differ from that identified above; however, where this is the case, the Chief Executive Officer must approve deviation from the above action.
Process Step Six: Treat Risks

Overview

Risk treatment involves examining possible treatment options to determine the most appropriate action for managing a risk. Treatment actions are required where the current controls are not managing the risk within defined tolerance levels. Treatment options could involve improving existing controls and implementing additional controls.

Possible risk treatment options include:
• Avoid the risk – change business process or objective so as to avoid the risk;
• Change the likelihood – undertake actions aimed at reducing the cause of the risk;
• Change the consequence – undertake actions aimed at reducing the impact of the risk;
• Share / transfer the risk – transfer ownership and liability to a third party; and
• Retain the risk – accept the impact of the risk.

When determining the preferred treatment option, consideration should be given to the cost of the treatment as compared to the likely risk reduction that will result (cost benefit analysis).

On selecting the preferred treatment option, the following should occur:
• The cost of any actions should be incorporated into the relevant budget planning process;
• A responsible person should be identified for delivery of the action, with this expectation being communicated to them;
• A realistic due date should be set; and
• Performance measures should be determined.
Process Step Seven: Monitor and Review

Overview

Risk information requires regular monitoring and review to ensure currency. The environment in which we operate is constantly changing, and so therefore are our risks. If risk information is inaccurate, we may make poor decisions that could otherwise have been avoided. Therefore Risk Owners and Risk Treatment Owners have key risk and control review and update responsibilities to ensure continued currency of information pertaining to their particular risks. In addition, on an annual basis, the entire risk register will be reviewed, with review participation being broader than solely Risk Owners and Risk Treatment Owners.

It is also important for the effectiveness of the risk management framework to be monitored and reviewed. This framework drives the extent to which risks will be adequately managed throughout the organisation. Monitoring implementation of the Risk Management Strategy is one available monitoring mechanism. In addition, the risk management framework itself will be reviewed annually, with results being reported to the Audit and Risk Committee (ARC) and the Board. As risk management developments are constantly occurring, this review mechanism will provide us with information on current risk management developments, facilitating continuous risk management improvements.
Risk Reporting

Set out below is a diagram illustrating how the risk management reporting process fits into the overall risk management framework. Risk management reporting is a key element of the 'Monitor and Review' phase of the risk management process, and needs to occur at each step of the process. This risk management reporting process supports a formalised, structured and comprehensive approach by [ ] to the monitoring and review of its risks, thereby enhancing its risk management process.

[Diagram: Corporate Plan 2007-2010; Business Plan 2007-2008; Risk Strategy 2007-2008; Risk Policy; Risk Management Process; Risk Management Reporting Framework; Risk Tools]
Risk Management Reporting Responsibilities

Group: Board
Responsibilities:
• Review reports
• Communicate risk information issues back to the organisation
• Identify new and emerging risks

Group: Audit and Risk Committee
Responsibilities:
• Review reports
• Communicate risk information issues back to the organisation
• Communicate key risk issues to the Board
• Identify new and emerging risks

Group: CEO
Responsibilities:
• Review reports
• Closely monitor extreme risks
• Identify new and emerging risks
Risk Escalation

Risk escalation is an important tool for ensuring that risks are known and understood by the people with the authority to appropriately manage them. If a risk poses an extreme risk and requires allocation of substantial risk treatment resources, then it would not be appropriate for this to be managed at the divisional level. The Board has overall accountability for managing risks and therefore, where a risk poses such a high threat, the Board should be immediately informed of it.

Everyone has the ability to identify risks at any time of the year. When these risks are identified outside of the formal annual risk review process, escalation of the risk to the appropriate recipient needs to occur. The table set out below indicates the appropriate escalation process. The [ ] will act as the conduit between the person who has identified the risk and the relevant escalation recipient. Therefore, if you identify a risk which requires escalation, please report it directly to the [ ]. The [ ] will assess and review the risk information provided to them and escalate the risk in line with the requirements set out in the table below.

Risk Level | Escalation Recipient | Timing
High | |
Significant | |
Medium | |
Low | |
Review and Approval

The Risk Management Reporting Framework and report templates will be reviewed annually by the [ ] and approved at least every [ ] by the [ ].

Access to Risk Management Reporting Framework

The Risk Management Reporting Framework will be made available to each employee of [ ]. The Risk Management Reporting Framework will be available as follows:
•
•
References

For further information on risk management, the following documents provide a comprehensive and practical overview:
• AS/NZS ISO 31000:2009 – Risk management – Principles and guidelines
• ISO Guide 73:2009 – Risk management – Vocabulary
• IEC/ISO 31010:2009 – Risk management – Risk assessment techniques
Appendix: Risk Control, Likelihood and Consequence Rating

The following were endorsed by the [ ] in [ ] for [ ]. These will be subject to review in [ ].

Control Effectiveness Rating Criteria
Rating | Definition | Indicators

Likelihood Rating Criteria
Rating | Descriptor | Frequency | Description

Consequence Rating Scale
Rating | Description | Financial | Service Quality | Reputation | People & Knowledge | Stakeholders | Compliance, Governance & Legal | Systems & Processes
Appendix: Risk assessment templates and heat map

RISKS FOR [ ] UPDATED AND ENDORSED BY THE [ ]
Owner | Risk Description | Risk Category | No. | Consequence | Likelihood | Risk Rating

Risk Assessment Template
Risk Assessment Completed By: [ ]    Date Assessed: [ ]

Title | Category
Identify Risks: Risk – Description & Impact | Cause
Analyse Risks: Existing Controls | Control Assessment
Risk Assessment: Consequence | Likelihood | Risk Rating
Evaluate: Action
Treat Risk? Avoid Risk / Accept Risk / Reduce Risk / Transfer Risk / Increase Risk

Risk Assessment Treatment Plan Template
Risk Owner | Preferred Risk Treatment and Objective
Treat Risks: Risk Treatment & Action Plan
Monitor & Review: Accountabilities | Timelines | Risk Rating | Review & Monitor
Insurance: Insurance Status | Insurable? | Insured?
Measurement and monitoring: KRI | KPI
Appendix: Risk Reporting – potential risk reports

Risk Profile

Purpose
The Risk Profile Report provides a graphical representation of the placement of key risks on a heat map. This report provides a quick reference for Directors and Executives as to the organisation's risk exposure. It helps to guide the allocation of resources to treat those risks which pose the biggest threat, both in terms of likelihood and consequence. This report is a snapshot of the organisation's current organisational risk profile.

In addition, the Risk Profile Report will document the extent of risk rating changes that have occurred and explain the known or likely reasons for the change. The types of reasons that might be presented include:
• Change in operations
• Internal Audit findings indicate that controls are less effective than anticipated
• Implementation of risk treatment actions
• Change in the external environment, for example, creation of a new stakeholder body, and / or
• Knowledge of events that have occurred which raise either the likelihood of, or the consequence if, an event occurs; for example, a competing business has begun a market poaching exercise, increasing the likelihood of staff turnover.
Risk treatment actions status – detailed

Purpose
The Risk Treatment Actions Report contains a status update on progress against approved risk treatment actions. People are more likely to deliver upon what they are measured against. Therefore this report increases accountability for delivery against agreed risk management actions. It also provides comfort to Directors and Executives that risks are being treated as anticipated.

Information included
• Risk description
• Risk rating
• Description of the risk treatment action
• Date for completion of risk treatment
• Person(s) responsible
• Status (e.g. in progress, completed)
• Additional comments (e.g. specific detail around the status)

Assurance coverage of key risks

Purpose
Risk management annual activity schedule and improvement initiatives

Purpose
The Risk Management Improvement Initiatives Report tracks progress against the risk management improvement initiatives approved to be implemented over the coming year. It provides assurance around the continual improvement of the risk management processes and practices.

Information included
• Description of the initiative;
• Description of the risk management activity;
• Person(s) responsible;
• Date for completion;
• Status (e.g. in progress, completed); and
• Additional comments (e.g. specific detail around the status).

New and emerging risks

Purpose
The New and Emerging Risks Report provides an opportunity to highlight emerging risks or add new risks to the risk register throughout the year. It is important to retain the risk register current

Information included
• Risk description;
• Risk category;
• Risk owner;
• Shared responsibility;
• Description of the cause / contributing factors;
• Description of the impact;
• Description of current controls; and
• Description of risk treatment information including action, responsible person, due date and status.
Templates Examples

Risk Profile

[Heat map: LIKELIHOOD (Almost Certain, Likely, Possible, Unlikely, Remote) plotted against CONSEQUENCE (Insignificant, Minor, Moderate, Major, Extreme); each cell holds the reference numbers of the risks that fall in it.]

Rank | Ref | Risk Category | Risk Description | Rating | Trend | Reason for change | Improvement Required? | Improvement Status
1 | 6 | | | High | | [reason for change] | Yes |
2 | | | | High | | [reason for change] | Yes |
3 | 9 | | | Significant | | [reason for change] | Yes |
4 | 5 | | | Significant | | [reason for change] | Yes |
5 | 10 | | | Significant | | [reason for change] | No |
6 | 12 | | | Significant | | [reason for change] | No |
7 | 4 | | | Significant | | [reason for change] | Yes |
8 | 2 | | | Significant | | [reason for change] | Yes |
9 | 3 | | | Significant | | [reason for change] | Yes |
10 | 13 | | | Medium | | [reason for change] | Yes |
11 | 1 | | | Medium | | [reason for change] | No |
12 | 11 | | | Low | | [reason for change] | Yes |
13 | 7 | | | Low | | [reason for change] | No |
14 | 14 | | | Low | | [reason for change] | No |
15 | 15 | | | Medium | | [reason for change] | Yes |

Key
• Risks in red are new / emerging risks
• Rows highlighted contain opportunities

Improvement Status: Completed / In Progress / Overdue / Not Applicable
Risk Treatment Actions Status – Detailed

Ref | Risk Description | Rating | Treatment Actions | Due Date | Responsible Person | Status
6 | | High | 1 | [date] | [person responsible] | In progress
6 | | High | 2 | [date] | [person responsible] | Completed
6 | | High | 3 | [date] | [person responsible] | In progress
6 | | High | 4 | [date] | [person responsible] | Completed
9 | | Significant | 1 | [date] | [person responsible] | In progress
9 | | Significant | 2 | [date] | [person responsible] | In progress
9 | | Significant | 3 | [date] | [person responsible] | Completed
9 | | Significant | 4 | [date] | [person responsible] | In progress

Comments: [percentage] complete (example)

Status: Completed / In Progress / Overdue
Assurance Coverage of Key Risks

Rank | Risk Description | Control & Treatment | Risk Rating | Trend | Assurance Activities – Previous Year (i.e. internal audit, external audit) | Assurance Activities – Next Year (i.e. internal audit, external audit)
1 | | | High | | None | Internal Audit
9 | | | Significant | | None | Internal Audit
5 | | | Significant | | None | Internal Audit
6 | | | Significant | | Internal Audit | External Audit
4 | | | Significant | | Internal Audit | None
8 | | | Significant | | Internal Audit | None
Risk Management Annual Activity Schedule and Improvement Initiatives

Improvement Initiative | Action | Responsible Person | Due date | Achieved | Comments
New and Emerging Threats and Opportunities
Risk Assessment Completed By: [ ]    Date Assessed: [ ]

Title | Category
Identify Risks: Risk – Description & Impact | Cause
Analyse Risks: Existing Controls | Control Assessment
Evaluate: Action
Risk Assessment: Consequence | Likelihood | Risk Rating
Treat Risk? Avoid Risk / Accept Risk / Reduce Risk / Transfer Risk / Increase Risk

Detailed Risk Register